-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Monday 13 January 2003 09:47, Kevin Anderson wrote:
> I don't agree with this. Most worms run code, and before it can run, it
> needs to be loaded by the OS. And antivirus should step in at that point.
> At least in theory.
not even in theory. =/ once a process has root privileges there is very little
one can do. a very simple and fairly common exploit is to open a remote shell
that has root privs. if one of your active daemons has some sort of
vulnerability that allows execution of code or a command, this is quite
trivial to do. so the active intrusion is actually committed by a program you
trust. and once that intrusion has been made, all there is is a shell which can
be used to execute other fairly normal (albeit w/root privileges) commands.
now, with root one can stop antivirus/worm software, unload kernel mods (or
worse yet, load them), etc...
the most effective automated antivirus type defense would require being a
kernel module, a LOT of intelligence and would have to filter all activity on
the box (network, process and file). this would cause a noticeable drain on
resources, be circumventable by anything with root privs and still not be
able to catch many of the possible attacks.
bottom line: you won't prevent a worm getting on your box with the sort of
software that kills computer viruses. and once your box is compromised, it's
really quite too late and it's time to reinstall. in some cases, the worm
deposits a very predictable and well known set of files that can be cleaned
up and the attacker may not have taken advantage of his newly won resources.
but it's really quite hard to know for sure.
no, the true solution is what Trevor mentioned: keeping up with security
patches. and yes, today's autoupdaters are pretty damn reliable, at least
when it comes to security updates, so that's a great step forward. much
better than catching the beast after the damage is already done.
firewalls, IDS's, judicious allowance of root privs and only running the
services you need also help quite a lot. all of those are preventative
measures that really do work.
if this wasn't the case, things like firewalls and IDS's wouldn't be the shiznet
on servers and all those security people would be urging you to put antivirus
software on them to protect against attacks.
> Slapper ran code. Lion ran code. It didn't come and go, it came, and sat
> running, and running, and running. AV software could and would catch it.
again, too late. if it's running, it's game over. it's trivial to have a
payload randomly rename pieces of itself, let alone utter a kill -9 on your
antivirus software. also, it's non-trivial to lock down potential abuses of
regular system resources without seriously hampering legitimate usage.
> The transfer of the code to the system may be undetected originally, but it
> would be caught when it tried to run.
therein lies the problem: the original intrusion is often done by running
malicious code. if you can't detect that, the intruder has all sorts of
opportunity to do nasty things. unless, of course, you aren't going to allow
even root to shut down your AV software and you're going to set it up to
assume that any program that isn't running right now is a virus.
# ls -l
SillyPutty AntiVirus: Potential worm activity has been identified.
> (excepting a rootkit).
hrm? how would this be different?
i'm curious: have you played with rootkits or other cracking "tools" much?
> How many machines are still running Slapper, for example?
too many...
> And will until it is cleaned from their system. Even if I accept that a
> worm moves faster than
> AV updating a DAT file (and I'm not sold on that),
there was a paper doing the rounds in the infosec community last year that
showed mathematically how a worm that utilizes some half-decently intelligent
algorithms could sweep across the 'Net in a matter of minutes. code red
wasn't lucky, math is just very powerful. but even in a more tame scenario of
several hours, will your AV software company be able to notice it, study it,
create a reliable fingerprint, and have it on your system within a few hours
of it launching on the 'net? highly, highly doubtful. these things usually go
undetected for longer than that.
> I'd still rather see the
> issue resolved by AV software 10 days after the initial attack than not at
> all.
if people are going to use and keep up their AV software, then why not more
useful approaches that actually work to prevent the problems? of course, AV
software is so successful on the relatively tame email virus that we hardly
ever see those around on the 'net...
> Rootkits are cool. I played with a Windows rootkit once, and it was the
> coolest thing I had ever seen.
heh... just don't say that out loud in front of anyone who's serious in the
infosec world. rootkits, at least the sort that you can get easily off the
net (and especially ones for windows), are usually considered the toys of the
incompetent (scriptkiddies) and are subjects of general derision.
i think you'd love the infosec game, though... you really should check it out.
be prepared to do a lot of learning and listening because there are some
frighteningly brilliant people out there who have a lot to teach. you may
find whole new worlds out there....
> Linux has tripwire which may not prevent a rootkit from being installed,
> but it should help detect its presence after the fact.
yes.
> Though I think rootkits are less common on Windows than Linux.
historically because UNIX is a nicer target and because the windows
architecture doesn't lend itself to rootkits as nicely as UNIX does. a simple
backdoor program is usually more effective on win32. win32 is pretty boring
over the 'net, though many find it quite proffitable =/ exciting and profit
are not always linked in the world of computer intrusion...
> I updated an RPM for RH7.2 a few months ago, and it kyboshed the admin
> tools for my mail server. Nothing serious, but it was annoying... Apache
> was updated, and it rendered some links to our webserver invalid (It
> deleted the links. (ln -s linkname, not the pages)). Sure, that affects
> only me, but both the mail package and the RPM were developed specifically
> for that version of Red Hat.
you replaced files that belonged to the apache rpm? that's ... odd =) you are
right that even package managers aren't unbreakable, but they do have the
benefit of not randomly falling apart. it usually takes some conspiring with
the operator (and yes, i've occasionally been that operator ;)
- --
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
"Everything should be made as simple as possible, but not simpler"
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE+I45r1rcusafx20MRAk/rAJ9Dc6qkUvwzMTbkKdr822vo51n40ACdFt2r
qwQg1dHgDgnd8yon8jDg0b8=
=Irh8
-----END PGP SIGNATURE-----
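The Tripwire-style check the message agrees with ("may not prevent a rootkit from being installed, but it should help detect its presence after the fact") reduces to: hash every file while the box is known-good, keep that database somewhere root on that box cannot rewrite, then re-hash later and diff. The Python below is an added example of that idea; it is not code from this message, from Tripwire, or from anyone on the list. The file tree it checks (a fake /usr/sbin and /etc/passwd inside a temporary directory) and the "intrusion" it simulates are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Walk `root` and record content hash plus permission bits for every regular file.

    This is the Tripwire-style 'database'. It is only worth anything if it is
    taken while the machine is known-good and then stored where root on that
    machine cannot edit it (read-only media, another host): as the message
    says, a root-level intruder can otherwise simply rewrite the baseline.
    """
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # regular files only for this example
            rel = p.relative_to(root).as_posix()
            db[rel] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),  # catches a newly set setuid bit
            }
    return db


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots: files that appeared, vanished, or changed content or mode."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot a fake system tree, 'compromise' it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sbin = root / "usr" / "sbin"
        sbin.mkdir(parents=True)
        (root / "etc").mkdir()
        # Constructed stand-ins for real binaries and config; contents are arbitrary.
        (sbin / "sshd").write_bytes(b"\x7fELF fake sshd binary")
        (sbin / "httpd").write_bytes(b"\x7fELF fake httpd binary")
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)

        good = baseline(root)  # taken while the tree is known-good

        # Simulated root-level intrusion:
        #  - sshd replaced by a trojaned copy (content change)
        #  - a hidden setuid backdoor dropped into /usr/sbin (new file)
        #  - httpd deleted (file gone)
        #  - /etc/passwd made world-writable (mode change, content untouched)
        (sbin / "sshd").write_bytes(b"\x7fELF fake sshd binary + backdoor")
        backdoor = sbin / ".bd"
        backdoor.write_bytes(b"\x7fELF dropped backdoor")
        os.chmod(backdoor, 0o4755)
        (sbin / "httpd").unlink()
        os.chmod(passwd, 0o666)

        return compare(good, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it and the diff reports the dropped backdoor, the deleted daemon, and both the trojaned sshd and the permission change on /etc/passwd as modified, which is exactly the "after the fact" detection the thread is talking about. The caveats from the message still apply: the checker and its database live on the same box unless you move them, so a careful intruder with root can doctor both, and the worm has already run by the time the diff fires.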