* Re: please kindly get back to me
From: Hank Leininger @ 2002-06-04 4:26 UTC (permalink / raw)
To: linux-kernel
On 2002-06-03, J Sloan <joe@tmsusa.com> wrote:
> The thing with linux/unix "virii" is, they
> are actually for the most part trojans -
> they've been in labs for years, the problem
> is that there is no suitable transport vector!
> You'd have to dupe an unwitting superuser
> (now there's a dangerous combination) into
> running the "virus" by hand - sort of like
> the "honor system" virus....
...You mean like, get them to run './configure' ?[1][2]
...Or installing an RPM with trojanned binaries or install-time scripts,
without checking a signature?[3]
Unfortunately that's all too easy. Viruses, no. Malware, you bet. We
can't get too complacent while laughing at the virus phenomenon.
[1] http://marc.theaimsgroup.com/?l=bugtraq&m=102233939226053&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=102285523803434&w=2
[2] They don't have to do this as root, either. If they do it from an
account that can escalate privileges (i.e. is allowed to su or sudo)
then it's game over anyway, albeit with more steps.
[3] And of course signatures are useless if the signer was owned first.
Probably major distros are reasonably safe[4], but not Joe Random who
produces packages and distributes them...
[4] They're not out to get you; they've already got you:
http://www.acm.org/classics/sep95/
--
Hank Leininger <hlein@progressive-comp.com>
ALL YOUR BASE ARE BELONG TO KEN THOMPSON
* [OT] Re: please kindly get back to me
From: J Sloan @ 2002-06-04 18:36 UTC (permalink / raw)
To: Hank Leininger; +Cc: linux kernel
Hank Leininger wrote:
>On 2002-06-03, J Sloan <joe@tmsusa.com> wrote:
>
>>The thing with linux/unix "virii" is, they
>>are actually for the most part trojans -
>>they've been in labs for years, the problem
>>is that there is no suitable transport vector!
>>
>>You'd have to dupe an unwitting superuser
>>(now there's a dangerous combination) into
>>running the "virus" by hand - sort of like
>>the "honor system" virus....
>
>...You mean like, get them to run './configure' ?[1][2]
>...Or installing an RPM with trojanned binaries or install-time scripts,
>without checking a signature?[3]
>
>Unfortunately that's all too easy. Viruses, no. Malware, you bet. We
>can't get too complacent while laughing at the virus phenomenon.
Complacency is never a good idea - however,
let's give credit where credit is due - it's orders
of magnitude more difficult to do something like
this against a unix system - most script kiddies
will go for the easy targets (microsoft) instead
Joe
* Re: [OT] Re: please kindly get back to me
From: Alan Cox @ 2002-06-04 20:24 UTC (permalink / raw)
To: J Sloan; +Cc: Hank Leininger, linux kernel
On Tue, 2002-06-04 at 19:36, J Sloan wrote:
> Complacency is never a good idea - however,
> let's give credit where credit is due - it's orders
> of magnitude more difficult to do something like
> this against a unix system - most script kiddies
> will go for the easy targets (microsoft) instead
Each of the major viruses has probably got one author singular.
There are ways of making systems much more resistant to attack including
viruses. Things like RSBAC and the NSA security modules help you get
into a situation where this kind of stuff doesn't occur
  User1 gets a virus
  User1 owns a binary root uses
  Root gets the virus
  Splat
Because with a trust model it goes instead
  User1 gets a virus
  User1 owns a binary root uses
  User1 virus patches the binary
  Root is refused permission to run the binary because it no longer has
  a high enough integrity
Even before that the lack of people checking GPG keys on RPM and other
packages is disturbing.
Alan
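The two sequences Alan lays out, replayed as an added example that is not part of this thread: a toy low-watermark integrity policy (the level names, the Policy/Subject/File classes and the file path are all constructed for the example) in which user1's write to a binary drags its integrity label down, so high-integrity root is refused when it tries to execute it, whereas plain discretionary access control lets the patched binary run.

```python
from dataclasses import dataclass

# Integrity levels for this toy model (assumed names and values, not from the thread).
LOW, HIGH = 0, 2


@dataclass
class Subject:
    name: str
    integrity: int


@dataclass
class File:
    path: str
    integrity: int
    patched: bool = False


class Policy:
    """Discretionary access only when enforce=False; adds a Biba-style
    low-watermark integrity rule on top of it when enforce=True."""

    def __init__(self, enforce: bool):
        self.enforce = enforce
        self.events = []

    def write(self, who: Subject, f: File) -> None:
        # The owner may always write its own binary (DAC). Under the integrity
        # rule a write from a lower-integrity subject drags the file's label
        # down to the writer's level (low watermark), whether or not we enforce.
        f.patched = True
        if who.integrity < f.integrity:
            f.integrity = who.integrity
            self.events.append(f"{f.path} downgraded to level {f.integrity} by {who.name}")

    def execute(self, who: Subject, f: File) -> bool:
        # A subject may only run files at or above its own integrity level.
        if self.enforce and f.integrity < who.integrity:
            self.events.append(f"{who.name} refused to execute {f.path}")
            return False
        if f.patched:
            self.events.append(f"{who.name} ran attacker code from {f.path}")  # "Splat"
        return True


def replay(enforce: bool) -> dict:
    """Replay the thread's sequence: user1's virus patches a binary root later runs."""
    p = Policy(enforce)
    user1, root = Subject("user1", LOW), Subject("root", HIGH)
    tool = File("/home/user1/bin/tool", HIGH)  # constructed path; starts trusted
    p.write(user1, tool)          # "User1 virus patches the binary"
    ran = p.execute(root, tool)   # does root run it, or is it refused?
    return {"root_executed": ran, "file_level": tool.integrity, "events": p.events}
```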