[conspire] A bit more on that "worm"

Rick Moen rick at linuxmafia.com
Sat Nov 12 00:23:31 PST 2005


Quoting Ryan Russell (ryan at thievco.com):

> The attack vector is cross-platform, but doesn't the worm itself consist 
> of a Linux ELF binary?

Checking the news reports a little further, it seems that /tmp/lupii (
which turns out to be a recycled slight variant of Slapper, by way of
"pud" by contem at efnet) is indeed an IA32 Linux ELF binary -- _today_.
Other architectures and OSes would seem to be just a 5 second compile
away. 

McAfee et alii would then undoubtedly call that a different worm and give
it some imaginative name to better promote themselves -- but it'd be
substantively the same damn thing.


My own view is that what's important is the vulnerability, not (e.g.)
whether or not someone happens to have already compiled an automated
attack tool tailored for your own OS on your own CPU architecture.

That is, malware is _not_ a security problem; malware is a secondary
_after-effect_ of a security problem.

That observation will probably strike you, me, and most people on this
mailing list as bloody flippin' obvious ;-> , but I'm tempted to append
that to my lexicon page (http://linuxmafia.com/~rick/lexicon.html)
as Moen's Third Law of Security -- in part because I keep encountering
pointy hairs who Just Don't Get that basic point.

Reminds me:  I recently added
http://linuxmafia.com/~rick/lexicon.html#enopatch :


  -ENOPATCH

  Laconic expression meaning "You have failed to include substantive,
  relevant content, among all that verbosity."

  The expression was originally coined by Alessandro Suardi [link] on 
  the Linux kernel mailing list on 2003-01-13, pretending for 
  humourous effect to post a parser error advising a correspondent 
  he'd forgotten to attach his intended source code patch. 
  ("Error: no patch".) Subsequent posters have used it in its current, 
  figurative sense, e.g., Randy Dunlap's response [link] to Luke 
  Kenneth Casson Leighton's meandering advocacy post [link].

I _try_ not to blither like that.  ;->





More information about the conspire mailing list