Home > About > Articles
The virus entries in the challenge
were fun and good for a bit of a laugh, but they illustrate serious
issues in computer security.
Entry 1 is a classical social-engineering
attack. It relies on the recipient to perform some kind of action to
activate the malicious software. Now clearly, Entry 1 has little chance
of spreading, because the actions which the user must take involve several
steps, would immediately arouse the suspicions of experienced Linux users,
and would be beyond the capabilities of novice users.
The reason social-engineering attacks are so successful on Microsoft
platforms, especially Microsoft Outlook, is that the kind of thing you
need to trick the user into doing is very simple---typically a single
mouse-click. True, many installations pop up warning dialogs for
"potentially dangerous" actions, but novice users are used to many such
dialogs, and probably just dismiss them as a matter of course.
Nagging the user is not a substitute for security.
Entry 2 is a "mutation" of entry 1.
It is somewhat nastier in that it tries to install itself in your
cron table and re-execute the malicious code periodically.
Mutations are interesting for the following reason: Most commercial
anti-virus software relies on signatures to detect viruses.
Such signatures are next to useless in the face of easily-mutated
viruses. In fact, the whole idea of a signature database which must
be updated periodically is a huge scam. It is designed simply to ensure
a steady flow of revenue to anti-virus vendors.
Signatures cannot detect brand-new viruses, and usually fail
to detect mutated viruses. Blocking all executable attachments at the server
and using software which does not allow its data files to contain executable
content are far more effective than any possible signature-based detection
Signatures fail in the face of new viruses, and are designed solely
to ensure a revenue stream for anti-virus vendors.
Entry 3 also relies on tricking the
recipient into performing an action. The action (running lynx and feeding
the output to a shell) is not obviously malicious, however, and one popular
Linux software creator actually recommends a similar action to install its
software. Therefore, I consider Entry 3 the closest thing to something which
could actually spread.
Entry 3 is interesting also because the actual viral code comes from a
central server. This allows the virus author to track the spread of
infection. By modifying the URL to contain more information, he could
even track the names of people who are infected.
On the other hand, a central-server approach makes it much easier to
track down the person responsible for a virus, and also introduces a
single point of failure in the propagation mechanism.
Entry 3 is interesting also because it purports to install a security
fix for a serious problem. If the URL had looked like it came from
a legitimate site, people might be tempted to run the command.
For example, the following URL looks like it points to Microsoft:
but it does not...
Note that popular "web bugs" use a similar mechanism to allow marketers
to track the recipients of SPAM e-mail. This is why I recommend reading
your e-mail in a non-HTML mail reader, or at the very least, a mail reader
which does not automatically fetch URLs.
Beware of automatic-execution of remotely-fetched content. Beware
even of mail readers which automatically fetch content off the Internet.
Entry 4 is simply a hoax. It was mailed
from a machine owned by Via Networks in France.
Hoaxes are interesting because for a while, there were many virus hoaxes
circulating on the Internet. Because people are so used to Windows machines
being infected by viruses, these hoaxes can cause almost as much damage
as real viruses. They also serve as advertising for anti-virus
vendors, who must be fairly satisfied with their marketing potential.
If you can't trust your software, even hoaxes can be as damaging
as real viruses
Entry 5 was a real attempt at an
exploit, and it had a very good chance of succeeding. It may well
have compromised my machine, although the chances of propagation
beyond that were fairly slim.
Software diversity makes it harder for viruses to propagate.
But even UNIX users cannot be complacent. If I hadn't upgraded
Pine as soon as I heard about the vulnerability, and if I hadn't been
suspicious of the e-mail, I could well have fallen victim to the
exploit. Nevertheless, I still believe that mass-mailing viruses are
almost impossible under Linux, because Entry 5 was a carefully-target
exploit aimed at me by someone who knew my software setup.
David F. Skoll