
complacency?

Posted Jan 29, 2004 6:44 UTC (Thu) by freethinker (guest, #4397)
In reply to: complacency? by zone
Parent article: Just another Microsoft worm

> There is nothing inherent about Linux that would prevent an identical worm from spreading through it.

Well, yes, there is. It's called a user account. If you don't do email or other risky things as root, the worm may spread, but its teeth will be pulled; you won't get "a keystroke logger, a spam relay, and an open port which can be used to feed arbitrary code into the compromised system", because your user account can't do any of that.

My understanding is that, in Windows, you're root all the time. Or at least, malware can hack its way up to root with all the security holes that Microsoft won't fix because it would mean discontinuing spiffy features.



complacency?

Posted Jan 29, 2004 8:38 UTC (Thu) by anselm (subscriber, #2796) [Link]

It is certainly possible for a malicious executable to install a
keystroke logger in your X session, or a spam relay on a non-privileged
port, using only the privileges of your user account. It could also
try to exploit any of the well-known local root holes to obtain
administrator privileges. Complacency is misplaced.

complacency?

Posted Jan 29, 2004 14:33 UTC (Thu) by freethinker (guest, #4397) [Link]

...I was not aware of the first two issues. Can anyone provide more details or a link to information on dealing with these risks? Thanks.

complacency?

Posted Jan 29, 2004 15:36 UTC (Thu) by hppnq (subscriber, #14462) [Link]

The two observations are rubbish, but anyway, here you can find some information on securing X.
There might be more up-to-date information elsewhere of course.

complacency?

Posted Jan 29, 2004 18:49 UTC (Thu) by oak (guest, #2786) [Link]

Magic cookies prevent only *other* users and remote users from spying on your X session.

If a program is run within your X session, it can do the above-described things.
X applications on the same display can even read events from each other's windows if they know their X window IDs. *Injecting* key events (to e.g. a root xterm) has some barriers.

Without an X session, a program can still open an unprivileged port to the network and start relaying stuff coming from elsewhere.

Untrusted binaries really should be sandboxed. I've myself thought of trying out Systrace, ported from BSD to Linux, when I've got time (just google for systrace).

complacency?

Posted Jan 29, 2004 19:54 UTC (Thu) by pflugstad (subscriber, #224) [Link]

Actually, you'd still get the spam relay, and you'd still get the open port, as the ports opened were not reserved ones (somewhere in the 3000 range IIRC). And someone else addressed the keylogger issue.

Nothing this worm did really required Admin access on Windows - Admin access just made it easier. And nothing this worm did couldn't be trivially targeted at a Linux box instead of Windows.

And I can trivially think of ways for it to set itself up to be auto-executed the next time the user logged in (.bash_login, .bashrc, .xsession, and so on).

Imagine mailing someone a statically linked exec that, when executed, forks itself into the background (maybe doing something fun in the foreground to distract the user), then saves itself somewhere in the user's home dir as something innocuous (such as an emacs autosave file), then stuffs a call to restart itself into .bashrc or .xsession. Then it goes on to open up the same ports MyDoom does (and do the exact same things, including mailing itself to others). With a little bit of careful coding, this is easily done and could probably be easily hidden as well.

The moral of this story is that there is NOTHING preventing a virus just like MyDoom from working on a Linux box just as easily as on a Windoze box, even running as a normal user. The thing that makes MyDoom really work is naive users and poor mail tools that make it way too easy to execute something. Nothing inherent to Windows helps it. As Linux moves onto the Desktop, we have to be even more careful that we keep making it hard for users to do stupid things, no matter how much they complain. A real sandbox-type environment for mail tools to use would help a lot as well.
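Two defensive checks follow from the thread: oak's point that the magic-cookie file is all that keeps other local users out of an X session, and pflugstad's point that an unprivileged program can persist by appending a line to a shell or X startup file. The script below is an added example, not code from LWN or any of the posters; it takes a hashed baseline of the startup files named in the thread, reports lines added since, flags added lines that launch something stored under the home directory in the background, and checks that ~/.Xauthority is not readable by other users. The file list, the heuristic pattern and the sample home directory are all constructed for the demo.

```python
"""Audit a user's login-time persistence points and X authority file.

Added example (not from the LWN thread). Paths, the heuristic and the
demo contents are constructed; adjust STARTUP_FILES for a real account.
"""
import hashlib
import os
import re
import stat
import tempfile

# Login-time persistence points named in the thread, relative to $HOME.
STARTUP_FILES = [".bash_login", ".bashrc", ".profile", ".xsession"]

# Heuristic: a line that runs something stored under the home directory
# and sends it to the background (constructed; tune for your own dotfiles).
SUSPICIOUS = re.compile(r"(?:~|\$HOME|/home/[^/\s]+)/\S+.*&\s*$")


def snapshot(home):
    """Return {file: (sha256, [lines])} for each startup file that exists."""
    snap = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        snap[name] = (digest, data.decode("utf-8", "replace").splitlines())
    return snap


def diff_snapshots(old, new):
    """Return {file: [lines added since the baseline]} for new/changed files."""
    added = {}
    for name, (digest, lines) in new.items():
        if name in old and old[name][0] == digest:
            continue  # unchanged: hash matches the baseline
        seen = set(old[name][1]) if name in old else set()
        added[name] = [ln for ln in lines if ln not in seen]
    return added


def flag_lines(added):
    """Keep only the added lines that match the persistence heuristic."""
    flagged = {}
    for name, lines in added.items():
        hits = [ln for ln in lines if SUSPICIOUS.search(ln)]
        if hits:
            flagged[name] = hits
    return flagged


def check_xauthority(home):
    """Report if the magic-cookie file is readable/writable by other users.

    The cookie is what keeps other local users out of the X session, so
    anything beyond owner access (mode 0600) is a finding.
    """
    path = os.path.join(home, ".Xauthority")
    if not os.path.exists(path):
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"~/.Xauthority is accessible to others (mode {mode:04o}); expected 0600"]
    return []


def demo():
    """Run the audit against a constructed home directory and return results."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".bashrc"), "w") as fh:
            fh.write("export PATH=$HOME/bin:$PATH\nalias ll='ls -l'\n")
        xauth = os.path.join(home, ".Xauthority")
        with open(xauth, "wb") as fh:
            fh.write(b"constructed-cookie-bytes")
        os.chmod(xauth, 0o644)  # deliberately too permissive
        before = check_xauthority(home)
        os.chmod(xauth, 0o600)  # the fix
        after = check_xauthority(home)

        baseline = snapshot(home)
        # Constructed: the kind of line the thread says a program might append.
        with open(os.path.join(home, ".bashrc"), "a") as fh:
            fh.write("~/.emacs.d/#notes.txt# >/dev/null 2>&1 &\n")
        added = diff_snapshots(baseline, snapshot(home))
        return {"added": added, "flagged": flag_lines(added),
                "xauth_before": before, "xauth_after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In real use, store the output of snapshot() somewhere the user cannot modify (or at least off the box) and run diff_snapshots() against it at login; the heuristic only narrows the list of added lines, so every added line still deserves a look.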

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds