On Wed, 1 Nov 2000, Derek D. Martin wrote:
> Windows machines are vulnerable too, though the kinds of attacks to which
> they are vulnerable are a smaller subset of those to which Linux is
> vulnerable.

  I would phrase it as: The types of attacks to which Windows machines are
vulnerable tend to be different from the types of attacks Linux machines are.

  Your typical script-kiddie Linux attack tends to target a known hole in a
program which has not been fixed on the machine in question, or a known
mis-configuration in the distribution in use.  Once they penetrate the security
layer, they replace system binaries with their own trojans.  These trojans (1)
hide evidence of the compromise and (2) open up back doors to allow access to
the attacker in the future.  What happens next depends on the attacker and the
script in use: Some just want to break into machines to say they have, others
want to do things like run IRC bots, still others want to host a DDoS attack.

  Your typical script-kiddie Windows attack tends to target a "feature" of the
Microsoft software installed, or a known hole in the third-rate shareware the
user is running.  It then adds one more mystery program to the list of regular
mystery programs already running on the system.  Typically, the payload of
these attacks is much more single-minded than your average Unix exploit,
because Windows doesn't offer the powerful remote access that Unix does.  
Common payloads include delivering a virus infection or running a DDoS node.  
True remote control payloads (like Back Orifice) are less common because they
require the attacker to do more work.

On Wed, 1 Nov 2000, Derek D. Martin wrote:
> It's important that you familiarize yourself with what processes are
> running on your machine, so that you can tell at a glance when something
> is running which shouldn't be.

  Unfortunately, one of the first things your typical root kit does is replace
/bin/ps and /bin/ls with trojans that filter out the malicious programs.  
I've also heard of or seen exploits which tamper with the shell, more and
less, the RPM database, and even the C library.

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
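The last point in the message above, that a rootkit's first move is to replace /bin/ps and /bin/ls with copies that filter out the attacker's processes, suggests two defender-side cross-checks. The script below is an added example, not code from the original thread or from anyone posting in it. It (1) diffs the PIDs the kernel lists in /proc against the PIDs a possibly trojaned `ps` reports, and (2) compares the hashes of a few system binaries against a baseline recorded before deployment. The sample `ps` output, the sample /proc PID set, the baseline hashes and the "current" hashes are all constructed for the demonstration (the hash values are placeholders, not real hashes of any distribution's binaries). The live `main()` shells out to `ps -e` and reads /proc on the host it runs on.

```python
"""Cross-checks for ps/ls-style rootkit trojans (added example, constructed data).

1. Hidden-process check: a trojaned ps filters entries out of its output,
   but the kernel's /proc still has a directory for every PID.
2. Binary-integrity check: a replaced /bin/ps has a different hash from
   the one recorded in a baseline taken while the host was trusted.

The checks are pure functions over their inputs so they can be exercised
on constructed samples; main() runs them against the live host.
"""
import hashlib
import os
import subprocess

# Constructed sample: what a trojaned ps might print. PID 4242 is hidden.
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  812 ?        00:00:00 sshd
  913 ?        00:00:01 crond
 1501 pts/0    00:00:00 bash
"""

# Constructed sample: the PIDs /proc lists on the same host at the same time.
SAMPLE_PROC_PIDS = {1, 812, 913, 1501, 4242}

# Constructed sample baseline (placeholder hashes, not real binaries' hashes).
SAMPLE_BASELINE = {
    "/bin/ps": "a" * 64,
    "/bin/ls": "b" * 64,
    "/bin/netstat": "c" * 64,
}

# Constructed sample of what the files hash to now: /bin/ps was replaced,
# /bin/netstat is gone, /bin/ls is untouched.
SAMPLE_CURRENT_HASHES = {
    "/bin/ps": "d" * 64,
    "/bin/ls": "b" * 64,
}


def parse_ps_pids(ps_text: str) -> set[int]:
    """Extract PIDs from `ps -e`-style output, skipping the header line."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def list_proc_pids(proc_root: str = "/proc") -> set[int]:
    """PIDs as the kernel reports them: every all-digit entry under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> set[int]:
    """PIDs present in /proc but absent from ps output.

    A process can exit between the two snapshots, so a single hit should
    be re-checked; a PID that stays in /proc and never shows up in ps is
    the filtering-trojan signature the message describes.
    """
    return proc_pids - ps_pids


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(baseline: dict[str, str], hasher=sha256_file) -> dict[str, str]:
    """Map each baselined path to 'ok', 'MODIFIED' or 'MISSING'.

    `hasher` is injectable so the logic can be tested on constructed data.
    On a suspect host, run the real hasher from trusted media: the message
    notes that the shell and even the C library may also be trojaned.
    """
    results = {}
    for path, expected in baseline.items():
        try:
            actual = hasher(path)
        except FileNotFoundError:
            results[path] = "MISSING"
            continue
        results[path] = "ok" if actual == expected else "MODIFIED"
    return results


def sample_hasher(path: str) -> str:
    """Stand-in for sha256_file that serves the constructed sample hashes."""
    if path not in SAMPLE_CURRENT_HASHES:
        raise FileNotFoundError(path)
    return SAMPLE_CURRENT_HASHES[path]


def main() -> None:
    ps_text = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    hidden = hidden_pids(list_proc_pids(), parse_ps_pids(ps_text))
    print("PIDs in /proc but not in ps:", sorted(hidden) or "none")
    # Point this at a baseline you recorded yourself; the sample is a placeholder.
    for path, status in check_integrity(SAMPLE_BASELINE, hasher=sample_hasher).items():
        print(f"{status:9s} {path}")


if __name__ == "__main__":
    main()
```

Both checks assume the kernel is still honest; a kernel-level rootkit can lie to /proc as well, which is why the baseline comparison should be done by booting from known-good media rather than by trusting the host's own hashing tools.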