[conspire] linux antivirus?

Rick Moen rick at linuxmafia.com
Thu Sep 11 19:37:32 PDT 2003 

Quoting Blue Boar (BlueBoar at thievco.com):

> I can think of three answers: 1) That's the way it installed out of the 
> box,

And then you turn it off.  Or add a line to /etc/hosts.deny.  

> It demonstrates my point that, yes, dumb Linux users/admins do exist.

Let's be really clear about this:  If you run a bunch of network
daemons, leave them exposed to the Internet, and ignore security
advisories and urgently recommended updates for five-plus months, your
system _will_ get root-compromised.  But:

The most-important point:  This would happen with or without the
existence of malware.  Remember, the "worms" you wrote about were merely
ways of 'sploiting larger numbers of netblocks more quickly.

> So why didn't they patch them?

Irrelevant.  The point is that they basically nullified their own system
security.  Calling that a malware problem is missing the point.

Please note that Red Hat, Inc., with its complimentary one-machine
subscription to RHN, has of late made it extremely difficult for even
grossly incompetent admins to screw up that way.  Now, it's difficult to
_avoid_ getting security updates.  (That's not to mention the default
netfilter script introduced after RH 7.3.)

> Could it be that, yes, some set of Linux users will exhibit 
> behaviour that helps out the Linux malicious code?

See above:  Their failure to protect their own asses helped _exploits_
against their machines, in the same way that leaving all your doors and
windows open with jerrycans of gasoline piled against your doorstep
would help arsonists.  Those exploits were a dead-certainty with or
without the malware.  The latter was merely _automation_ of the 'sploits.

The malware thus added nothing to the situation other than causing
system compromise to happen a bit sooner than otherwise.

> That question was not whether they deserve sympathy, it's whether an 
> enviornment that supports a nice, healty collection of malicious code can 
> exist on the Linux platform.

1.  Although you're changing the subject from what I was saying, that's OK.
2.  See above:  Nope, it's not.
G
> Yes, that would be my definition of "root service", a network service 
> running as root...So the shellcode was running as root.  Sorry if my 
> terminology wasn't clear.

That's not "popping a root service" in any meaningful sense:  That's
just a garden-variety buffer overflow without privilege escalation.  Not
clever, not surprising -- and nothing really to do with malware.

-- 
Cheers,
Rick Moen                                        This space for rant.
rick at linuxmafia.com

More information about the conspire mailing list