[conspire] linux antivirus?
rick at linuxmafia.com
Thu Sep 11 19:37:32 PDT 2003
Quoting Blue Boar (BlueBoar at thievco.com):
> I can think of three answers: 1) That's the way it installed out of the
And then you turn it off. Or add a line to /etc/hosts.deny.
> It demonstrates my point that, yes, dumb Linux users/admins do exist.
Let's be really clear about this: If you run a bunch of network
daemons, leave them exposed to the Internet, and ignore security
advisories and urgently recommended updates for five-plus months, your
system _will_ get root-compromised. But:
The most-important point: This would happen with or without the
existence of malware. Remember, the "worms" you wrote about were merely
ways of 'sploiting larger numbers of netblocks more quickly.
> So why didn't they patch them?
Irrelevant. The point is that they basically nullified their own system
security. Calling that a malware problem is missing the point.
Please note that Red Hat, Inc., with its complimentary one-machine
subscription to RHN, has of late made it extremely difficult for even
grossly incompetent admins to screw up that way. Now, it's difficult to
_avoid_ getting security updates. (That's not to mention the default
netfilter script introduced after RH 7.3.)
> Could it be that, yes, some set of Linux users will exhibit
> behaviour that helps out the Linux malicious code?
See above: Their failure to protect their own asses helped _exploits_
against their machines, in the same way that leaving all your doors and
windows open with jerrycans of gasoline piled against your doorstep
would help arsonists. Those exploits were a dead-certainty with or
without the malware. The latter was merely _automation_ of the 'sploits.
The malware thus added nothing to the situation other than causing
system compromise to happen a bit sooner than otherwise.
> That question was not whether they deserve sympathy, it's whether an
> environment that supports a nice, healthy collection of malicious code can
> exist on the Linux platform.
1. Although you're changing the subject from what I was saying, that's OK.
2. See above: Nope, it's not.
> Yes, that would be my definition of "root service", a network service
> running as root...So the shellcode was running as root. Sorry if my
> terminology wasn't clear.
That's not "popping a root service" in any meaningful sense: That's
just a garden-variety buffer overflow without privilege escalation. Not
clever, not surprising -- and nothing really to do with malware.
Rick Moen This space for rant.
rick at linuxmafia.com
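The practical advice in this post (turn the daemon off, or restrict it through /etc/hosts.deny) can be checked from a shell. The following script is an added example, not part of the original post or of any project mentioned in it: it parses `ss -ltn` style output (supplied here as a constructed sample so it runs offline) to list TCP listeners bound to a wildcard address, and it checks whether a given hosts.deny file carries a default-deny line. The sample socket listing and the temporary hosts.deny contents are constructed, not taken from any real host.

```sh
#!/bin/sh
# Added example (not from the original post): audit which listening TCP
# sockets are reachable on every interface, and whether TCP wrappers have a
# default-deny rule. The socket listing is a constructed sample in the
# format of `ss -ltnH` (state, recv-q, send-q, local addr:port, peer).

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 80 [::]:3306 [::]:*
LISTEN 0 128 192.168.1.5:8080 0.0.0.0:*'

# exposed_ports LISTING
# Prints, space-separated and sorted, the port of every listener whose local
# address is a wildcard (0.0.0.0, [::] or *). Loopback-only and
# single-interface binds are not reported.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $4 ~ /^(0\.0\.0\.0|\[::\]|\*):/ {
            n = split($4, a, ":")   # port is the last colon-separated field
            print a[n]
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# hosts_deny_has_default_deny FILE
# Returns 0 if FILE contains an uncommented "ALL: ALL" line, 1 otherwise
# (including when FILE does not exist).
hosts_deny_has_default_deny() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Stand-alone run: report on the constructed sample and on the real
# /etc/hosts.deny of the machine the script is run on.
echo "Listeners bound to all interfaces: $(exposed_ports "$SAMPLE_SS")"
if hosts_deny_has_default_deny /etc/hosts.deny; then
    echo "/etc/hosts.deny has a default-deny rule"
else
    echo "/etc/hosts.deny has no default-deny rule (or does not exist)"
fi
```

On a live host replace `SAMPLE_SS` with `$(ss -ltnH)`. One caveat the post does not spell out: hosts.deny is only consulted by daemons that link against libwrap or run under tcpd, and some daemons have since dropped that support (OpenSSH removed it in 6.7), so a packet filter such as the netfilter script the post mentions is the more reliable way to close a listener off from the network.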