[conspire] linux antivirus?

Rick Moen rick at linuxmafia.com
Thu Sep 11 20:10:57 PDT 2003


Quoting Blue Boar (BlueBoar at thievco.com):

> Thank you.  Apologies for introducing myself by disagreeing with you. 

Disagreeing is your absolute right, and not the least offensive, let me
reassure you!

> I mean "why don't you discuss them, since they are the examples of
> 'successful' linux viruses in the wild" not "your linux virus list is 
> incomplete."

1.  They are not in the wild.
2.  They are not successful.
3.  And there's also that verbosity problem.

> No, it means that I personally was in contact with a number of people who
> were infected in the wild [....]  If you're curious, the bait was that
> they were attached to (in some cases apparent) 0-day exploits that
> required root to run.

To re-post the Moen Family Antivirus regimen:

1.  Don't run untrustworthy software.   <===
2.  Don't run software that autoruns untrustworthy software on your behalf.
3.  Have recovery plans for when sundry mishaps happen. 

ASCII arrow indicates the place those people (very obviously) shot
themselves in the foot with a rocket-propelled grenade.  I mean, c'mon:
Running code from anonymous WAR3Z D00DZ?  With root authority?  Please.
Be serious.

> They would still infect your files if you didn't run them as root.

More precisely, they would infect the UID's files.  Obviously, before
you'd be so extravagantly reckless as to run such code, you would either
set up a sacrificial system or at the bare minimum a quarantine user
login to run it under.

> So what about that makes them not worms that spread between hosts?

1.  On a statistical basis, they don't, and never did.  I analyse my
Linux Internet server logfiles on an ongoing basis, and have for the
past ten years.  Ramen, 1i0n, Red Worm, Adore, Cheese, lpdw0rm, and
Slapper, even a month after release in each case, were almost completely
unfindable.  (A harmless curiosity, too, but that's not the point.)

2.  Here, I'll set up a "Linux worm that spreads between hosts":  It'll
be an i386 ELF binary that I mail out to random people with an e-mail
saying "Please run the attached binary as root."  A non-negative integer
number of people will do so on i386 Linux boxen, and it will carry out
its sole function, which is to mail itself out to random people with an
e-mail saying "Please run the attached binary as root."

Now, you would say that's a stupid example because it requires the user
to do stupid things.  Oddly enough, I would say exactly the same thing
about your examples.

> So?  Generally speaking, worms don't do that.

So they do not "take over (infect) the local machine" in the sense you
quoted from my essay.  They act remotely.  

You stated that this is a counterexample to what you quoted from my
essay.  No, it is not.

> >Please note that I address that matter comprehensively in
> >http://linuxmafia.com/~rick/faq/#virus3 .
> 
> If I thought you had explained it there to my satisfaction, I wouldn't have
> asked. :)

Whoops!

I'm sorry, but this conversation will rapidly come to an end, after
this.  You've just said the magic words:  You've stated that you don't
understand something I've FAQed, and want to argue about it.  Sorry,
that signals the end of the conversation.  Right about here:


OK, son, let's cut the crap.  I'm short of time, and you -- Mr.
Runs-Everything-With-Root-Authority-And-Talks-About-Viruses-In-Zero-
Day-Sploits -- are wasting it.  

> Depends what you mean by "autorun".

No reasonable person would call the bullshit you posted following that
"autorunning".

> Are there no Linux MUAs that allow users to launch attachments if they 
> choose? 

Go find one, sonny.  I've looked at a very large percentage of the 115,
but I'm not fscking well going to do your homework for you.

> So... you think that users get smarter when they switch to Linux?

I have a better question:  Are you going to try to understand what I
actually wrote?

And so on.  Sorry, I have no time for this crap, and am shitcanning it.


And you've just pissed me off to the point that I am going to don my hat
as listadmin for a moment:  "Blue Boar", you're going to have to
resubscribe with something that appears to be a real name.  And no, I'm
fscking well not going to define what a real name is, nor am I imposing
this as an overall list policy.  This is just for you.  Enjoy!

-- 
Cheers,     Founding member of the Hyphenation Society, a grassroots-based, 
Rick Moen   not-for-profit, locally-owned-and-operated, cooperatively-managed,
rick at linuxmafia.com     modern-American-English-usage-improvement association.



