[Wolves] Linux viruses

Ron Wellsted ron at wellsted.org.uk
Mon Dec 6 23:23:08 GMT 2004


On Mon, 2004-12-06 at 18:13 +0000, Stuart Langridge wrote:
> On 6/12/2004, "Chris Ball" <chris at mnemonik.net> wrote:
> 
> >I concede defeat on this subject, before we get technical, you are
> >exactly right of course, but then there are a lot of "bot" type viruses
> >with the sole intention of rooting the box to form ddos nets or spam nets.
> 
> I agree entirely. Note, though, that they don't actually need to root
> the box; they just need access to any account that can open a port to
> receive incoming commands and an outgoing port to send spam or network
> traffic to a DDoSed host. The Apache www-data account I mentioned (and
> other "unprivileged" accounts under which daemons run, like
> "nobody") can do this in most default configurations (and in most
> "secure" configurations, too, I imagine).

It is too easy to get a false sense of safety with Linux.  While there
are very few viruses which target Linux, we can very safely assume that
this will change with increasing popularity.  It is also possible the
l33t will see Linux as a bigger challenge (I can just see the message on
IRC, "any script kiddy can 0wn a wind0ze box, u kan only 0wn a linux box
if you are truly l33t").

The "don't run as root" argument is good practice, however there are
known bugs with certain kernel versions which can result in privilege
escalation for local users, allowing them to run their programs as
root.  Also it is not helped that most Linux systems have some very
powerful programming tools installed on them (gcc/perl/python etc.), thus
greatly aiding the cracker once they have gained entry (cue David's
story of a Brazilian script kiddy from Friday (a real expert would have
avoided detection)).

It would not be too difficult to imagine a Linux based botnet as the
number of systems increases.  At present, most Linux boxes are operated
by reasonably savvy people, who will keep the systems patched and
updated. With mass adoption, people who don't know what they are doing
will be given access to a component of a WMD.

A case in point:  Over the weekend I was with the outlaws, they have a
Windows XP SP2 system on a cable modem.  The AV was up to date, the
firewall was on with only the normal (outbound) exceptions. They had
been applying updates whenever a reminder appeared in a popup window
from IE.  I found about 70-80 items of spyware on the system, several of
which were known to be capable of downloading other programs (botnet
anyone?).  I cleaned the system up and gave them a short but frightening
lecture on spyware.  I also installed Firefox as the default browser.

Sleep well.

-- 
Ron Wellsted
http://www.wellsted.org.uk
ron at wellsted.org.uk
N 52.567623, W 2.137621