David F. Skoll wrote:

> The Morris worm did not propagate via file sharing or e-mail;
That's not entirely true. The Morris worm used multiple techniques to infiltrate a system, one of which was a common "hole" that sendmail systems used which allowed an external sender to specify a file or program as the recipient of a message. That was ONE of the mechanisms that the worm used to inject code into a target system.

That vulnerability was actually still a default sendmail config for some systems as late as the mid-'90s. But I specifically remember the scramble among the sendmail community, at the time, due to that vulnerability. And then being shocked to inherit a SunOS 4 box (running Sun's sendmail derivative), in 1995, that was still vulnerable to it.

Keep in mind that the reason the sendmail vulnerability was there wasn't that no one knew about it. It was that "the vulnerability is only in theory, no one has actually done it yet". It was a somewhat widely known back-door that was often used by sysadmins for their own productivity.

> That's why I don't think viruses will be anywhere near the problem in
> UNIX-like systems compared to Windoze.

One thing people tout about the reason Unix-like systems aren't as vulnerable is the idea of protected separation between permission entities on Unix-like systems. The flaw in this thought is that you don't need to run as root in order to be a spam/virus bot. All you need is to be able to:

a) run a control channel (ex: an irc client) for receiving commands and data from your controller
b) submit messages to a local outgoing mailer as though it's legitimately sending outgoing messages, or connect on outbound port 25 and submit messages directly to whomever will take them.

That's not a terribly difficult program to write and run on a Unix-like system. Any user-id can run it, pretty much. And lord knows that Unix-like systems DO get remote code execution vulnerabilities every so often. As I just said, these don't require root exploits, they just require an exploit to _ANY_ user-id.
If I can find the latest ssh vulnerability, bind remote code vulnerability (had one of those in the last year or so, didn't we?), etc., then I could certainly add that to a tool box of infection techniques. And don't think that this only gets done by people seeking publicity for having broken into Linux systems ... it wasn't that long ago that these techniques were being used to put up warez mirrors wherever they found a vulnerable machine (in 2003, we had one pop up on one of our servers, due to a VERY fresh ssh exploit).

Hell, just a couple of months ago, I had to blacklist our own secondary web server here because that currently OS patched, currently apache patched, securely configured sendmail install was generating spam. How? Because of an improperly paranoid/secured cgi or php script installed not by the sysadmin, but by one of the many webmasters for the hosted departments (i.e. people who didn't have root access). How much harder would it be to imagine a widely adopted script which is unintentionally allowing an adversary to specify the raw message, and thus send out executable attachments?

Lack of cynicism and diligence on the part of the cgi/php coder. Lack of cynicism and diligence on the part of the webmaster. Lack of cynicism and diligence on the part of that particular sysadmin (that machine wasn't scanning its own outbound email to track spam, viruses, or unusual traffic patterns). And the Unix-like box was suddenly spewing email that it shouldn't have been. Spam now. But not impossible for it to have been some form of malware.

What Unix-like systems have going for them IS NOT privilege separation, it is that the *nix culture is much more aggressive/responsive when it comes to generating patches for vulnerabilities ... getting them out more frequently than Windows service packs. But that depends upon the diligence and cynicism of the sysadmin.
And that diligence and cynicism, when carried at a healthy level, includes running AV software even on Unix-like systems, even for messages to/from Unix-like users. After all, ANY user, windows or mac or linux or even solaris, can be dumb/absent-minded/gullible/etc. enough to click on the wrong attachment, and it only takes doing that _once_.

But for those Unix-like systems run by naive sysadmins, you find that they may not take all of the necessary precautions against various intrusions because they assume "Linux isn't vulnerable" or "Linux isn't yet high enough on the radar to be a target" or "it's only a target for people seeking publicity" or (the worst of all) "it's only a theory, no one has actually done it yet". And that lack of cynicism will be exactly what makes their systems vulnerable. Just as it was for the sendmail exploits that were used by the Morris worm.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
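The "improperly paranoid/secured cgi or php script" the poster describes is a contact-form mailer that passes form fields straight into message headers, so a visitor can add headers of their own (extra recipients, or a blank line that ends the headers and lets them supply the body). The following is an added example, not the poster's code or anything from the server in question: a Python stand-in for such a CGI handler, with the fragile string-concatenation version beside a hardened version that validates every header field, keeps the recipient fixed, and lets the email library do the encoding. The form field names, the recipient address and the sample submissions are all constructed for illustration.

```python
"""Added example (not from the original post): a form-to-mail handler in
the spirit of the CGI/PHP script discussed on the list, shown vulnerable
and hardened. Field names and addresses are assumed for illustration."""
import re
from email.message import EmailMessage

# Assumed fixed destination; the hardened version never reads it from the form.
FIXED_RECIPIENT = "webmaster@example.invalid"

# Constructed sample submissions. The first carries CRLF sequences in the
# subject: an extra header, then a blank line that ends the header block.
INJECTED_FORM = {
    "name": "A. Visitor",
    "reply_to": "visitor@example.invalid",
    "subject": "Hello\r\nBcc: everyone@example.invalid\r\n\r\nUnexpected body",
    "body": "Please call me back.",
}
CLEAN_FORM = {
    "name": "A. Visitor",
    "reply_to": "visitor@example.invalid",
    "subject": "Hello",
    "body": "Please call me back.",
}


def unsafe_build(form: dict) -> str:
    """Vulnerable pattern: headers built by concatenation, so any CR/LF in a
    field becomes a new header line (or terminates the headers)."""
    return (
        f"To: {FIXED_RECIPIENT}\r\n"
        f"Reply-To: {form['reply_to']}\r\n"
        f"Subject: {form['subject']}\r\n"
        f"\r\n{form['body']}\r\n"
    )


_HEADER_FORBIDDEN = re.compile(r"[\r\n\x00]")
_ADDRESS_OK = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def header_value(value: str, max_len: int = 200) -> str:
    """Accept a field for use in a header only if it cannot start a new line."""
    if _HEADER_FORBIDDEN.search(value) or len(value) > max_len:
        raise ValueError("header field contains line breaks or is too long")
    return value


def safe_build(form: dict) -> EmailMessage:
    """Hardened pattern: validate each header field, pin the recipient, send
    text/plain only, and let EmailMessage encode the headers."""
    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT
    msg["Subject"] = header_value(form.get("subject", ""))
    reply_to = header_value(form.get("reply_to", ""))
    if not _ADDRESS_OK.match(reply_to):
        raise ValueError("reply_to is not a plain address")
    msg["Reply-To"] = reply_to
    # The body may contain newlines; it is never used as a header, and
    # set_content() fixes the content type rather than trusting the form.
    sender_name = header_value(form.get("name", ""))
    msg.set_content(f"From form user: {sender_name}\n\n{form.get('body', '')}")
    return msg


if __name__ == "__main__":
    print("unsafe output contains injected header:",
          "\r\nBcc: " in unsafe_build(INJECTED_FORM))
    try:
        safe_build(INJECTED_FORM)
    except ValueError as exc:
        print("hardened version rejected it:", exc)
    print(safe_build(CLEAN_FORM))
```

The point the post makes about the webmaster's script is visible in `unsafe_build`: nothing in it is "exploitable" in the root-shell sense, it simply trusts its input, and an ordinary web-server user-id is enough to turn it into a relay. The hardened version also refuses to attach anything or to take the destination from the form, which is the property the post asks for ("specify the raw message").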
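The post also faults the sysadmin for not watching the box's own outbound mail for "unusual traffic patterns". As an added example (not from the post, and not modelled on any real sendmail log format), here is a small Python sliding-window check over a constructed, simplified outbound log, one line per submitted message with the envelope sender and recipient count. It flags any local sender whose message or recipient volume in a short window exceeds a threshold, which is how a web-server account that suddenly starts relaying would stand out from normal users. The log format, thresholds and sample senders are all assumed.

```python
"""Added example (not from the original post): flag local senders whose
outbound mail volume spikes. The log format is a constructed
simplification: '<ISO timestamp> from=<sender> nrcpts=<count>'."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) nrcpts=(?P<n>\d+)$")


def parse(lines):
    """Yield (timestamp, sender, recipient_count) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated log lines
        yield datetime.fromisoformat(m["ts"]), m["sender"], int(m["n"])


def flag_senders(lines, window=timedelta(minutes=5), max_msgs=20, max_rcpts=50):
    """Return {sender: (peak_msgs, peak_rcpts)} for senders that exceed either
    threshold within any sliding window of the given length."""
    flagged = {}
    recent = defaultdict(deque)  # sender -> deque of (ts, nrcpts) inside window
    for ts, sender, n in sorted(parse(lines)):
        q = recent[sender]
        q.append((ts, n))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop entries that fell out of the window
        msgs, rcpts = len(q), sum(r for _, r in q)
        if msgs > max_msgs or rcpts > max_rcpts:
            if (msgs, rcpts) > flagged.get(sender, (0, 0)):
                flagged[sender] = (msgs, rcpts)  # keep the peak seen
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary user, and a web-server account that
    starts sending 30 five-recipient messages within four minutes."""
    base = datetime(2004, 3, 1, 10, 0, 0)
    lines = []
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} from=alice@example.invalid nrcpts=1")
    for i in range(30):
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        lines.append(f"{ts} from=www@web2.example.invalid nrcpts=5")
    return lines


if __name__ == "__main__":
    for sender, (msgs, rcpts) in flag_senders(build_sample_log()).items():
        print(f"FLAG {sender}: {msgs} msgs / {rcpts} rcpts inside 5 minutes")
```

Thresholds that fit a departmental web host are site-specific; the useful property is that the account under which CGI/PHP scripts run (the `www` sender in the constructed sample) normally sends almost nothing, so even modest limits catch a script that has been turned into a relay long before a blacklisting does.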
