big deal

Posted Apr 8, 2006 17:12 UTC (Sat) by JoeBuck (subscriber, #2330)
Parent article: Crossplatform virus - the latest proof of concept

And virus companies can hire someone to write a "triple threat" "virus", one that will infect x86 Mac executables as well, provided that a user can be fooled into running the thing. It's just not significant.

I suppose when one of these things gets polished enough to release in the wild, the virus company with the best ties to the black hat who created the virus will have a competitive advantage. That's an issue that needs investigation.


big deal

Posted Apr 8, 2006 17:51 UTC (Sat) by nix (subscriber, #2304) [Link]

They get to bloat their "viruses detected" counts a bit more this way, too.

unlikely

Posted Apr 8, 2006 18:56 UTC (Sat) by copsewood (subscriber, #199) [Link]

AV researchers obviously have an interest in seeing what black hats can do before the latter release viruses into the wild. However, cooperating beyond this level of passive observation, e.g. by offering incentives of any kind to get blackhats to write viruses would, if ever found out, result in much too great a loss of reputation with their customers on which the anti-virus business is based to be worth any competitive advantage that might otherwise have resulted. Would you ever buy anti-virus products from a company that you knew had cooperated with black hats to the point of offering incentives to them? How could you trust such products not to do bad and deceptive things on your system if the ethics of the AV vendor had been compromised in this way?

If your answers, like mine, are no and you couldn't, then don't imagine the legitimate AV community hasn't already thought about this issue with the greatest of care.

unlikely

Posted Apr 9, 2006 23:06 UTC (Sun) by Tashlan (guest, #17277) [Link]

While not exactly what you are arguing, the AV vendors' lack of response to Sony's Rootkit comes to mind.

Sony root kit and Back Orifice

Posted Apr 10, 2006 9:13 UTC (Mon) by copsewood (subscriber, #199) [Link]

They have enough trouble keeping up with malware supplied by cracker-culture conformant black hats. When people who look like white hats suddenly behaved like black hats, this exploited a blind spot which got such malware under the AV radar for a while. This is not an entirely new problem for the AV community. What is the difference between remote control programs which are malware (e.g. Back Orifice) and those which are legitimate but very unobtrusive to the machine being remotely controlled in normal use? I think the best answer I can give to this is based on the assumed intentions of the suppliers of such products. This criterion is also going to be very unsatisfactory from the POV of the AV community, who would naturally want to be able to use less subjective criteria, but what alternatives do they have? This kind of problem is why Windows AV or Linux rootkit scanners can only ever be a small part of an overall security solution.

big deal

Posted Apr 8, 2006 23:09 UTC (Sat) by sbergman27 (subscriber, #10767) [Link]

It'll work, too. Remember when Linspire started offering an anti-virus product via Click'n run? They had to offer something, since their users were demanding it. As everyone knows, the *first* thing involved in internet security is running good anti-virus software. (I mean, *everybody* who is computer savvy knows that! Right?)

If you run a computer, then you're gonna have computer viruses. (And AdWare and SpyWare and whatever else the victims will agree to stomach without fleeing the platform.) That's just a fact of life in this new technologically advanced world and you have to be ready for them.

It would never occur to most people who got started off on Windows that it is possible for a platform to be resistant to security threats in the first place. (Their computer geek nephew confirms this.)

The media (and don't forget the computer geek nephew) has been too thorough in its reporting of computer viruses for them to think otherwise.

God save us from ignorance masquerading as wisdom!

big deal

Posted Apr 8, 2006 23:59 UTC (Sat) by smoogen (subscriber, #97) [Link]

Having installed anti-virus software is a requirement in so many procedures, I lost count. There were several times where someone would tell me we couldn't run Linux on a machine because it didn't have anti-virus software available. Thankfully that falls by the wayside when one can get clamav or similar tools.

big deal

Posted Apr 9, 2006 2:48 UTC (Sun) by lutchann (subscriber, #8872) [Link]

It's also required by my liability insurance, which isn't surprising. I'm sure that's to reduce the risk of me being unable to meet contractual obligations for a client due to a virus infection that destroys data, ties up my time fixing things, etc.

The more surprising requirement for the insurance was to maintain a firewall that not only blocks unauthorized inbound connections but unauthorized outbound connections from both servers and workstations. Since that's how all my internal networks are already set up it wasn't a big deal for me, but it was nice to see my insurer paying attention to things like that.

egress filtering?

Posted Apr 9, 2006 23:21 UTC (Sun) by man_ls (subscriber, #15091) [Link]

You block unauthorized outbound connections? This means that you have to "authorize" outbound connections to every new port? For me this is a waste of time; malware can connect via port 80 to whatever server it wants, and I may want to connect to remote ports for new protocols, server administration, etc. My internal networks are definitely not set up like that.

egress filtering? yes!

Posted Apr 11, 2006 15:51 UTC (Tue) by lutchann (subscriber, #8872) [Link]

You're right, which is why I don't allow connections via port 80 to just any server. All allowed outbound connections from my internal networks are fully specified by source host, destination host and destination port; for the most part this is limited to allowing only connections to a client's servers or VPN endpoint, plus my local DNS and NTP servers. This reasonably well isolates all my internal networks from each other and the Internet, which conveniently solves a lot of problems that IT departments tend to bring up when you request VPN access to their network.
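The policy described in that post, as an added example (not the commenter's own configuration): an iptables-restore ruleset for a gateway where every permitted outbound flow is named by source host, destination host and destination port, and everything else is logged and dropped. Interface names (lan0, srv0, wan0) and all addresses are constructed placeholders; the resolver and time server are assumed to sit on a separate services segment so their traffic is forwarded through the gateway.

```iptables
# Added example: default-deny egress policy for an internal network.
# All addresses and interface names are constructed placeholders.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Return traffic for flows that one of the rules below already admitted.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Internal workstation 10.0.1.20 -> the local resolver and time server only
# (no DNS or NTP to arbitrary Internet hosts).
-A FORWARD -i lan0 -o srv0 -s 10.0.1.20 -d 10.0.2.53 -p udp --dport 53 -j ACCEPT
-A FORWARD -i lan0 -o srv0 -s 10.0.1.20 -d 10.0.2.53 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i lan0 -o srv0 -s 10.0.1.20 -d 10.0.2.123 -p udp --dport 123 -j ACCEPT

# Workstation -> one client's VPN endpoint (UDP 1194 used as the example port).
-A FORWARD -i lan0 -o wan0 -s 10.0.1.20 -d 203.0.113.10 -p udp --dport 1194 -j ACCEPT
# Workstation -> that client's server, SSH and HTTPS only.
-A FORWARD -i lan0 -o wan0 -s 10.0.1.20 -d 203.0.113.20 -p tcp -m multiport --dports 22,443 -j ACCEPT

# Anything else leaving the internal segment, including port 80 to random
# hosts, is logged (rate limited) and then falls through to the DROP policy,
# so an unexpected outbound attempt shows up in the logs rather than succeeding.
-A FORWARD -i lan0 -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
COMMIT
```

Load it with `iptables-restore < egress.rules`; the LOG line is what makes the policy useful operationally, since a new legitimate protocol shows up there as a denied tuple that can be added deliberately instead of by opening a port to everything.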

a bit excessive

Posted Apr 11, 2006 16:06 UTC (Tue) by man_ls (subscriber, #15091) [Link]

So, what do you do when you have a problem in the network and need to look something up on the web?

a bit excessive

Posted Apr 11, 2006 16:34 UTC (Tue) by lutchann (subscriber, #8872) [Link]

I have other networks here besides those I consider "internal"--everything with Internet access is in a DMZ-type network, so laptop+wireless works fine for web and IM. But from the perspective of the internal networks where all the real work goes on, the DMZ is as untrustworthy as the open Internet.

McAfee makes a Linux AV product

Posted Apr 9, 2006 22:31 UTC (Sun) by pr1268 (subscriber, #24648) [Link]

Being a University student, I get the privilege of using the campus-wide license for McAfee Antivirus. Since I only use Linux, I was thrilled to discover that not only does McAfee make a Unix version (works on Linux, FreeBSD, HP-UX, AIX, and Solaris), but also that the University I attend provides this version alongside their Windows/Mac offering.

I suppose the only down side is that this is presumably a corporate/enterprise version. It's not like I could walk into $COMMERCIAL_RETAILER and pick up a Linux copy... :-(

McAfee makes a Linux AV product

Posted Apr 10, 2006 15:49 UTC (Mon) by rickmoen (subscriber, #6943) [Link]

pr1268 wrote:

Being a University student, I get the privilege of using the campus-wide license for McAfee Antivirus. Since I only use Linux, I was thrilled to discover that not only does McAfee make a Unix version (works on Linux, FreeBSD, HP-UX, AIX, and Solaris), but also that the University I attend provides this version alongside their Windows/Mac offering.

I suppose the only down side is that this is presumably a corporate/enterprise version. It's not like I could walk into $COMMERCIAL_RETAILER and pick up a Linux copy... :-(

Something for you to ponder: One of the glories of running Linux is that you can avoid the need to run unauditable code with significant privilege (and can avoid running it at all, in many cases).

But here, you're pretty much proposing to run with root-user authority a proprietary, binary codebase from a proprietary-software vendor whose business integrity, along with almost all of its competitors, is already specifically subject to question, concerning the Sony rootkit scandal (a point Schneier made quite eloquently, at the time). And you're thrilled about this? Me, I'd go to great lengths to avoid exercising that option.

Rick Moen
rick@linuxmafia.com

McAfee makes a Linux AV product

Posted Apr 11, 2006 0:50 UTC (Tue) by drag (subscriber, #31333) [Link]

Exactly!

All of these products seem to me to have a proven security track record... A bad track record, that is.

These things have opened up holes in root in the past for potential attackers.

If I worked somewhere that required certain types of anti-virus stuff to be installed, I'd install it... in a chroot'd environment separate from everything else and do my best to figure out how to make it work as a regular user through trickery or some VM or whatnot so that I could have it functional, yet separate.

Although I doubt that would be too popular among management...

In light of the threats that viruses can pose I think that Gnome and KDE should look at integrating open source, passive, antivirus protection.

Things like having email scanning with Evolution similar to how it supports anti-spam scanning. Files being downloaded could be then scanned.

Or maybe integrate it with the FAM support so that files being added to the home directory will be scanned automatically regardless of their source. I don't think that this should be hard to do and ClamAV will probably work very well.

This should, I figure, be optional and turned off by default.

This should provide assurance to new users and also prevent situations where Linux user "A" finds a funny picture and text and sends it to Linux user "B". Linux user "B" thinks it's funny and sends it to Windows user "C". Windows user "C" then becomes infected from the virus sent to them from Linux users A and B, which then goes on to infect everybody else's Windows PC including customers'. Of course the virus doesn't affect the Linux users at all, but it's not really that wonderful that they sent a Windows user an attachment that does.

big deal

Posted Apr 9, 2006 6:18 UTC (Sun) by cate (subscriber, #1359) [Link]

Are not chkrootkit and rkhunter our "antivirus"?

not enough to say you're just the messenger

Posted Apr 9, 2006 16:01 UTC (Sun) by copsewood (subscriber, #199) [Link]

Yes and ClamAV. It's not enough for a platform just to prevent threats to itself directly, unless it's only a client/desktop/workstation. If a Linux/Unix installation is used as a mail server, file server or router to relay and replicate (e.g. as in list email) messages sent between less well secured systems, then those like myself who are responsible for these servers need to take steps to avoid these being a part of the malware transmission problem even if we are just the messenger and not the sender. In principle this is very much the same kind of issue as applies to those running open mail relays which are not originating spam, but which by relaying and replicating it are disguising the origins of it and making the problem worse for the recipients. If one of my Mailman email lists receives a virus and replicates it, this is part of my problem, even if the virus is incapable of executing on my Linux server.

The same argument also applies to those responsible for routers which are carrying impossible source network addresses within IP packets used to carry out DDOS attacks to disguise the zombies responsible.

If handed a lemon, make lemonade

Posted Apr 10, 2006 15:33 UTC (Mon) by rickmoen (subscriber, #6943) [Link]

cate wrote:

Are not chkrootkit and rkhunter our "antivirus"?

They are -- and the characteristics that make them so are the reason I've long advised people that they're in deep trouble if they use such things as anything but an afterthought double-check of separate, primary measures.

The best answer to any (e.g.) manager who wants you to run "antiviral" software on Linux/BSD/etc. is that you already are -- and point to your setup of AIDE, Samhain, Prelude-IDS, or your other preferred flavour of file-based IDS. You needn't mention that such aren't exactly what they had in mind, but in fact are a lot more useful. What they don't know won't hurt them, and will help you.

Rick Moen
rick@linuxmafia.com

big deal

Posted Apr 10, 2006 8:53 UTC (Mon) by NAR (subscriber, #1313) [Link]

It would never occur to most people who got started off on Windows that it is possible for a platform to be resistant to security threats in the first place.

Yes, it's possible. Theoretically. Well, probably there are actual platforms out there without any exploits in the wild, but who would care to write a virus for VMS? The 10 sites that still use it don't justify the effort. I think Linux is still not that widespread to make it a popular target, but I seem to remember a Linux-specific worm reported here at LWN last year. And don't forget that the very first Internet worm was a UNIX-specific one abusing a bug in sendmail... I think it wouldn't be wise to believe that "I'm using Linux, therefore I'm safe".

Bye, NAR

Linux virii

Posted Apr 10, 2006 11:53 UTC (Mon) by man_ls (subscriber, #15091) [Link]

Nor is it wise to start shopping for an antivirus, just because Linux virii are theoretically possible. There are many good practices in security which should protect you better.

big deal

Posted Apr 10, 2006 16:25 UTC (Mon) by carcassonne (guest, #31569) [Link]

If you run a computer, then you're gonna have computer viruses.

I use Linux (SuSE 9.3/10.0) and do not run any anti-virus of any kind.

And I use Firefox and get e-mail with kontact. I sometimes download source code from reputable GNU sites.

Do you mean that my computer is de facto infected?

Do you have the web pages/documents describing in ample detail how such a Linux system is de facto infected?

Thanks for the information!

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds