[conspire] (forw) Re: Thanks For the Linux Virus Article

Rick Moen rick at linuxmafia.com
Mon Jun 15 20:16:45 PDT 2009


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Mon, 15 Jun 2009 20:16:17 -0700
From: Rick Moen <rick at linuxmafia.com>
To: rookcifer <rookcifer at gmail.com>
Subject: Re: Thanks For the Linux Virus Article

Quoting rookcifer (rookcifer at gmail.com):

> Just wanted to say thanks for the research you put into the Linux
> virus article.  Whenever I encounter Windows trolls looking to spread
> FUD about the lack of "Linux market share" your article is the first I
> link them to.  It's hard to believe there are so many self proclaimed
> "security experts" out there who buy into the "market share" notion.
> They refuse to look beyond the single user paradigm of Windows
> computing (and are the same people often telling users to disable
> UAC).
> 
> Keep up the good work.

Will, thank you very much for the really nice note!

It really wasn't very difficult to write the substantive part of that
page.  The difficult part was actually arriving at the astonishing
judgement that all of the commercial antivirus sites' information on the
subject was borderline useless.  Maybe I'm just not cynical enough, but, 
the more I looked at the Sophos, Symantec, Trend Micro, etc. pages
about, say, Lupper, the more I realised that they were chock-full of
data that didn't _matter at all_[1], and had nothing about what _does_
matter.

Researching Lupper, the gob-smackingly obvious, #1 question to me was
exactly the one they almost always said _nothing at all about_:  How
does this particular bit of malware come to be activated?  Under what
circumstances, via what mechanism, by whom doing what?

So, in each case, I had to sit down and carefully sift through upstream
postings until I found the answers.  For worms (the only malware for *ix
that's actually ever been interesting), it's always one or more obsolete
version of a buggy network daemon.  So, for each, I did a small timeline 
thing:  Bug discovered/announced/patched on date X, worm-exploited on
date Y, consequent delay Y-minus-X months after discovery.  Which 
inevitably proved to be either a ludicrously long period, or concerned a
ludicrously improbable piece of software (such as still running BIND8 at
the end of 2002).

http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5 looks like
it's still the only comprehensive rundown on that subject on the
Internet -- which is really a bit sad.

What's even more sad is the implicit assumption of the commercial
anti-malware vendors that nobody cares how, under what circumstances, by
what mechanism, by whom a particular bit of ill-advised code comes to be
executed -- presumably because the larger assumption is that everyone's 
computer is out of control and nobody should ever be expected to try to
become accountable for what processes he/she chooses to run.  It's more 
remunerative to just sell them cruddy "protective" software, instead,
you see.

[1] Worse, what they say tends to be actively harmful:  They advise
people with root-compromised Linux computers to use measures short of a
CERT-style wipe and reinstall -- which is just not OK, and is doing them
no favours.  But, of course, again, they're selling such non-favours as
security products.


----- End forwarded message -----
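The "small timeline thing" described in the message above (bug fixed on date X, worm seen exploiting it on date Y, delay Y-minus-X in months) can be turned into a tiny defender-side table builder. The following is an added example written for this page; it is not code from the original post or from the linuxmafia.com virus page, and every worm, daemon and date in it is a constructed placeholder rather than a real record. It also adds one check the message implies but does not state: a given host was only ever at risk if it was still running the old daemon when the worm appeared.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class WormTimeline:
    """One row of the patch-to-worm timeline (all fields supplied by the caller)."""
    worm: str
    daemon: str
    fixed: date       # date X: the daemon bug was announced/patched
    exploited: date   # date Y: a worm was first seen exploiting it

def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end ('Y-minus-X months')."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:      # not yet a full month in the last step
        months -= 1
    return months

def delay_months(t: WormTimeline) -> int:
    """How many months the fix had been available before the worm appeared."""
    return months_between(t.fixed, t.exploited)

def timeline_rows(timelines):
    """Build the (worm, daemon, fixed, exploited, delay) rows for a report."""
    return [
        (t.worm, t.daemon, t.fixed.isoformat(), t.exploited.isoformat(), delay_months(t))
        for t in timelines
    ]

def was_exposed(t: WormTimeline, host_patched_on: date) -> bool:
    """True if the host was still running the vulnerable daemon when the worm appeared."""
    return host_patched_on > t.exploited

# Constructed sample records; names and dates are hypothetical placeholders.
SAMPLE = [
    WormTimeline("hypothetical-worm-1", "hypothetical-daemon-a 1.0",
                 date(2001, 6, 20), date(2002, 11, 5)),
    WormTimeline("hypothetical-worm-2", "hypothetical-daemon-b 2.3",
                 date(2005, 3, 1), date(2005, 4, 15)),
]

if __name__ == "__main__":
    for worm, daemon, fixed, exploited, delay in timeline_rows(SAMPLE):
        print(f"{worm:22} {daemon:28} fixed {fixed}  worm {exploited}  delay {delay:2d} months")
    # A host that updated its daemon shortly after the fix was never exposed.
    print(was_exposed(SAMPLE[0], date(2001, 7, 1)))
```

The point of the `was_exposed` check is the one the message makes in prose: the interesting number for a worm is not its payload but the gap between the fix and the exploitation, and a host that tracked its distribution's updates sits outside that gap entirely.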