VIRUSES for LINUX will COME
|
Author | Content |
---|---|
MESMERIC Dec 09, 2004 11:53 AM EDT |
mark well my words
dont sleep into a false sense of security. cross-platform cross-browser spoof attacks are already possible image lib vulnerabilities keep re-appearing realplayer has a new security vulnerability (affects any OS) if java new vulnerability is true - it also affects any OS then the popularity of messaging programs in Linux - could be a channel for distribution. whatever you might say - that the damage will be mitigated because Linux users don't run as root is not the point the damage is done - private documents uploaded, or important files corrupted before i would laugh when "newbies" complained there was no Norton Anti-Virus for Linux now I am thinking - maybe we should have online software protection soon. (please dont start on about IPtables or compile your own chkroot-kit package; not everyone migrating to Linux are network administrators) |
phsolide Dec 09, 2004 1:40 PM EDT |
Yeah, yeah. Take a number. Line forms to the rear. I've been reading predictions of Unix (and now Linux) VIRUS DOOM since 1990, in print, in usenet and now on the web. Geez, you can get the source to a pretty portable sh-script virus in the PostScript of http://cm.bell-labs.com/cm/cs/who/doug/v101.ps, and it's been in print since 1988. What will it take for you MSFT apologists to realize that Windows has some peculiar "features" that make it a hotbed for viruses and worms: 1. Hardware monoculture - x86 CPU, with IDE drives. 2. Software monoculture - pick a "market", and you've basically got 1 version (IIS 6, Outlook, Windows XP) 3. Tradition of single-user systems - don't bother to deny this, or append any "yeah buts". It's true. 4. Poor design of Outlook, Outlook Express and Internet Explorer, including ActiveX, execution of attachments, etc etc 5. Grotestque complexity. Gee whiz, in testimony in the Anti-trust trial, MSFT executives admitted to arbitrarily complicating APIs to prevent reverse engineering. See also DCOM, OLE. None of these is really true for linux/Unix. The hardware base has always been fractured with a significant number of non-x86 CPUs involved. In any given "market", a load of alternatives get used (Mozilla, Firefox, Konqueror, Dillo, lynx, even IE inside WINE as one example). Unix and now linux has a tradition of multi-user systems. By design and by convention, files get some minimum access level. Different "owners" of files prevent arbitrary modification. ActiveX, by MSFT's own design, never has worked on anything other than windows, and Windows executables are very bizarre and not readily executed by other OSes. Come back when you have substatntive arguments, rather than antique troller's FUD. |
MESMERIC Dec 09, 2004 3:58 PM EDT |
Will links do?
http://secunia.com/multiple_browsers_window_injection_vulner... (not all browser but most)
http://jouko.iki.fi/adv/javaplugin.html (hush hush from Sun)
http://news.zdnet.co.uk/internet/security/0,39020375,3918020... (from your Linux friendly Kaspersky)
http://secunia.com/advisories/12219/ (patched)
http://www.eeye.com/html/research/advisories/AD20041001.html (unpatched) is that good FUD enough for you? grow up. all I am urging is that Linux users prepare themselves it will come - cross.platform viruses if we have some monitoring software till then - any attack will be mitigated or completely stopped. Another thing If I was in the business of FUDing LXer would be the last place I would be posting my concern. now go to bed. (and damn i hate when people can't think for themselves and just go into "standard answer" mode .. do they do it unconsciously? thought only robots possessed artificial intelligence) |
phsolide Dec 09, 2004 4:09 PM EDT |
Yeah, that's FUD all right. Most of it's from "anti-virus" firms who have a most definite conflict of interest, and operate in a shady industry. The other links are from security firms, who also have a bit of conflict of interest. And I have thought for myself - I've been thinking about this problem for years: http://www.users.qwest.net/~eballen1/virefs.h What I've thought is exactly what I posted above: Windows (and to some extent Macintosh) are one of the few platforms where viruses will be more than a mathematical curiosity, for all the reasons above. The "Windows is most popular" argument doesn't cut any soap with me, either. There's as many or more Linux users now as their were MS-DOS users during the 1989-1990 height of the DOS file virus plagues. Linux hasn't had a major network worm since 2002, while MSFT servers have had plagues of Sasser, MSblast, etc etc etc, and Outlook users have had an uncountable infinity of mass mailing viruses. The record speaks for itself: any attempt to FUD up a Linux anti-virus market should be regarded with extreme caution. |
MESMERIC Dec 09, 2004 4:25 PM EDT |
The "Windows is most popular" refutal is another standard template of an answer.
we all know the Apache vs IIS security debate. firstly what I am saying that all your points are well known. in fact its kinda embarrassing hearing them again. now - we have all those warnings the only way forward is to demonstrate whether they can be truly exploited on Linux OS or not. now that is going to be tough. not all security warnings are kind enough to supply demo code. again those vulnerabilities are *not* Linux - they are cross platform. people use javascript (phishing exploit) on their browsers people use plugins on their browsers .. Java / Real / Flash (we didn't have plugins before) I don't want to wish there was a site that could demonstrate the exploit say placing a file or running a script from in my /home directory - cos then yeah it would be too late. |
phsolide Dec 09, 2004 6:46 PM EDT |
Sorry, I mistyped the hyperlink: http://www.users.qwest.net/~eballen1/virefs.html |
peragrin Dec 10, 2004 2:35 AM EDT |
Those 'Vulerabilites" at most can be minor phishing scams. You can't get any significant attacks with those. Also if you design a virus, and trojan setup for windows, and a linux browser downloads that image, it doesn't do anything. The same is true for the reverse. Also note not every windows machine that a server sees is really a windows machine, because a percentage of browsers running linux, change identities. This is why i don't worry about attacks that CAN happen cross platform, unless it uses a cross platform runtime system(java, etc) |
MESMERIC Dec 10, 2004 3:27 AM EDT |
exactly java - cross platform runtime again let me re-emphasize cross-platform exploits here not Linux-borne virus that is verging pretty much on the impossible for desktops the only flaw in my argument is that I lack sufficient protocol / scripting and Linux programming knowledge to emulate or demonstrate such attack so my concerns can be seen as unfounded panic ... but is it really? let's leave JVM aside (perhaps the easiest way to have a true cross-platform virus) I ask anyone with true in-depth technical knowledge to check this: can buffer-exploits in Linux be made to run arbitrary code? when a browser connects to a website what are the priviledges? for example - a plugin does it have a +x flag? Well my libflashplayer.so does -rwxr-xr-x users libflashplayer.so The kaffeine plugin also -rwxr-xr-x root kaffeineplugin.so And all plugins shared by RealPlayer (/usr/local/RealPlayer/plugins) all have the same -rwxr-xr-x Now that could be a fallacy of my settings, my distro, my lack of security skills. So what of the newcomers less technically inclined or minded? Can a website through a buffer exploit make linux execute arbitrary code? is my question. I fear the answer is yes - that is what buffer exploits are all about. OK so here is the scenario malicious website (hacked infected or not) exploits a new plugin it is aware of the operating system by simple sniffing for each OS - it pipes down and execute an specific script. this script replicates itself in a hidden folder .mozilla say or the .kde/Autostart or the equivalent for other window managers or any init script stupidly left with the wrong priviledges it could go on exploiting any other vulnerability - if you have a server running - great! it could try and infect any ELF stupidly installed locally in the home folder and chmodded as 777 further it can automate most internet applications if emails can be automated then send the IP of the infected server to all those in your address book (just grep for @) if not then telnet to a mailserver most telnet are disabled - fine - automate a login to a specially setup webmail server or webmail server from an infected windows machine now send everyone in the history of caches and addressdb and mboxes an email with http:||192.123.12.12 (which will be another infected server) restart the process. am I being that far-fetched?? I am not here to win arguments. I am here to investigate a real concern - and I believe I have reasonable Linux experience though far from a guru. If my scenario can be proved extremely flawed - fine .. if I am ever challenged with the same points, I can deflect the "FUD" as one put it - and make the newcomers more relaxed about Linux. If my scenario is indeed possible - then it is time Linux distros , Linux vendors, open source contributors look more seriously into the dangerous of plugins. |
MESMERIC Dec 10, 2004 3:38 AM EDT |
Looking back
I got mixed up about the priviledges
-rwxr-xr-x means only root can write to it, read it or run it otherwise users can execute it just. but that being channel for an exploit it will act as a user is inside your machine which means do anything at user level I just want to settle this either way. |
peragrin Dec 10, 2004 5:56 AM EDT |
Two things your permissions are wrong, as only root can write to that particular file. other files require the permission of the User infected. Also you may use KDE, but I don't have it installed, and Dave other there doesn't even use a DE but instead uses screen, and emac's. Now how can that virus that affects you, can affect me or Dave? Becuase Linux is spread out so much even though one person is vulernable doesn't every linux user is. Side note: I checked out secunia's website. i did the tests and got two different results, on the same computer, and the same browser. if I click on the link that says I block pop-ups I am affected, if I click on the link that says I don't block pop-ups then I am NOT. it doesn't matter whether firefox is actually blocking pop-ups or not. So if you check Secunia's website, there are things that work and things that don't(view source). The hole exsits but you have to trick people into going to their bank, amazon, ebay, etc from YOUR website. You have to have javascript enabled, and you have to have certain other things in place before you use this for malicous intent. It's not as easy as they want you to believe. |
MESMERIC Dec 10, 2004 6:53 AM EDT |
scenario:
say number of Linux desktops increased to: 20% worlwide so naturally most of these people will not be your vi / emacs/ fvwm2 fans. they will be utterly clueless people migrating from the microsoft windows world. doctors, lawyers, students, schools, charities, niece nephew auntie and granny was too presented with a "safer" Linux OS easier to use and with lots of eye-candy switched on. the phishing exploit is harmless (apart from stealing your credit card details) my concern is plugins. please answer me (someone) those 80% of Linux users - the new users: with their gnome and kde desktop with their konqueror or mozilla-firefox with plugin enabled realplayer with an exploit or flash with an exploit or java virtual machine suddenly have an unpatched buffer-over flow exploit can a website: * Run arbitrary code remotely via a buffer exploit - through the plugins? That one step - is suffiencient to make the birth of the first cross-platform virus a reality. Man I wish I didn't mention the phishing exploit as that is distracting to the real issue here: the wide-spread use of plugins and their vulnerabilities. |
MESMERIC Dec 12, 2004 6:08 AM EDT |
Noone came up with an answer.
But I've been thinking of a solution. If at least web-browsers with their plugins, IM and email clients were to be sandboxed. Any threat would be mitigated. Networking Games is another issue. But sandboxing that would severely hamper performance, or the incentive for the industry to consider Linux as a good gaming platform. I'd take the risk and not have that sandboxed. That would be going too far. |
TxtEdMacs Dec 12, 2004 8:25 AM EDT |
I do not play games very much either on a local machine or networked. However, my son has been active and when playing on networked machines for the most popular games he was telling me they were almost uniformly linux based servers due to their superior performance. That was about two years ago, since he is living on campus and out of state playing fewer games I cannot say that continues to be the case. However, given the larger capacity of Linux servers and the performance being the paramount issue for gamers I suspect that is still the case. |
dave Dec 12, 2004 8:50 AM EDT |
I think there is a good case for running your browser and mail program in a chroot jail, although the idea does present new usability problems. The jail could be configured as default by the distribution, and each new user created on the system would gets it own private jail in which to run potentially problematic programs. The problem with it is, however, that then the programs would not be able to make use of the files on the system. So forget uploading files via web forms or offering attachments from your Desktop in Thunderbird or Evolution. dave |
MESMERIC Dec 12, 2004 9:44 AM EDT |
Linux Server are so much better for gaming that companies such as Valve and Blizzard
have no qualms in writing up a server-engine for Linux but releasing no Linux client. http://www.thepetitionsite.com/takeaction/190498263 http://www.blizzpub.net/petition/ Games is a very sad area for Linux. With a lot of hidden politics involved. That deserves a different thread altogether. I almost gave up hope for Linux gaming. Thanks Dave, I've been thinking the same today about the jail. What to do with the transfer of files - my answer was a bit impulsive but it would be good if Linux is prepared before any real danger starts plaguing the universal adoption of plugins. That would come as very sweet news for Microsoft - which of course would blow the thing up beyond all proportion with their pretty effective PR machine (after all they even influence Linux websites!) Once Mac had some silly trojan - something to do with mp3's I can't recall well but remember the hype was such that people were made to believe a Melissa for Mac's was created (People are naive and technophobes after all) http://www.wired.com/news/mac/0,2125,63000,00.html MS always played dirty Why should they stop now at their one biggest single threat: Linux ? I wouldn't be surprised if they join forces with Sun to let a first poly-platform Java virus happen. "Aww come on - you shouldn't be so suspicious ..." "Sir, I am paid to be suspicious." - Gene Hackman & Wilford Brimley, the Firm (1993) |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!