[Nottingham] Safer by design or just overlooked? (Was: Gameover Zeus (GOZ) and Cryptolocker malware rackets)

Martin martin at ml1.co.uk
Thu Jun 12 11:20:26 UTC 2014


On 12/06/14 08:50, Jason Irwin wrote:
> On 11/06/14 17:58, Andy Smith wrote:
>> CryptoLocker works by walking through the user's documents on
>> accessible drives. On Linux, all your important (user-contributed)
>> documents are about as likely to be writeable by your user as on
>> Windows I suspect.
> That's what I was thinking as well. I doubt AppArmor/SELinux would spot
> it as the user could be doing a batch job to update stuff.

Once whatever malware is running as the user, then it can do whatever is
allowed for that user...

AppArmor/SELinux shouldn't let ANY malware run in the first place
because that 'new' software would not be known and so should have no
permissions to do anything.

However, that's all fine and good but a nightmare to administer unless
you are running a locked-down single function appliance... Ideal for LXC
(containers)...


>> The best defence against CryptoLocker is probably backups that
>> aren't mounted locally.
> I was thinking that. rsnapshot etc.

Provided they are versioned BACKUPS rather than just a mirror copy that
gets overwritten...


> Martin - would the mighty, mighty BTRFS allow one to roll-back to the
> unencrypted version of the file? My guess is this would need to be done
> from a live CD.

If you had a read-only snapshot already taken. Don't know that there are
any tools yet to roll back the copy-on-write transactions. Should be
doable from the send/receive utility code...

There's also nilfs or logfs that support complete rollback?


> One would also need to check .bashrc etc to make sure the malware hadn't
> queued itself to run again.

And no other commands/scripts were subverted. Hence the *nix permissions...


The greatest weakness is the (lack of security awareness of the) operator...

Cheers,
Martin

-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
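The thread's point about versioned backups versus a mirror that just gets overwritten, as an added example that is not part of the original message: an rsnapshot-style hard-link rotation in Python, run on a temporary directory with constructed file contents (the function names are hypothetical).

```python
import filecmp
import os
import shutil
import tempfile

def mirror(src, dst):
    """Mirror copy: the destination is replaced, so damage is copied too."""
    if os.path.exists(dst):
        shutil.rmtree(dst)
    shutil.copytree(src, dst)

def snapshot(src, root, keep=3):
    """rsnapshot-style rotation: daily.0 is newest, older sets shift up.
    Unchanged files are hard-linked to the previous set, so a set costs only
    the space of what changed. Keep `root` where the backed-up host cannot
    write to it (the thread's 'not mounted locally' point)."""
    for i in range(keep - 1, 0, -1):
        older, newer = (os.path.join(root, f"daily.{j}") for j in (i, i - 1))
        if os.path.exists(older):
            shutil.rmtree(older)
        if os.path.exists(newer):
            os.rename(newer, older)
    newest, prev = (os.path.join(root, d) for d in ("daily.0", "daily.1"))
    os.makedirs(newest)
    for name in sorted(os.listdir(src)):
        s, d, p = (os.path.join(x, name) for x in (src, newest, prev))
        if os.path.exists(p) and filecmp.cmp(p, s, shallow=False):
            os.link(p, d)        # identical to last run: share the inode
        else:
            shutil.copy2(s, d)   # new or changed: store a fresh copy
    return newest

def demo():
    """Day 1 backs up a good document; on day 2 it was overwritten in place."""
    work = tempfile.mkdtemp()
    src, mir, snaps = (os.path.join(work, d) for d in ("docs", "mirror", "snaps"))
    os.makedirs(src)
    doc = os.path.join(src, "thesis.txt")
    with open(doc, "w") as f:
        f.write("original thesis text\n")
    mirror(src, mir)
    snapshot(src, snaps)
    with open(doc, "w") as f:            # constructed damage to the live copy
        f.write("UNREADABLE GARBAGE\n")
    mirror(src, mir)                     # the mirror job copies the damage
    snapshot(src, snaps)                 # yesterday's good set survives as daily.1
    read = lambda *p: open(os.path.join(*p)).read()
    out = {"mirror": read(mir, "thesis.txt"),
           "daily.0": read(snaps, "daily.0", "thesis.txt"),
           "daily.1": read(snaps, "daily.1", "thesis.txt")}
    shutil.rmtree(work)
    return out
```

After the second run only the snapshot tree still holds the readable copy; the mirror has exactly what the live directory has.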
