New Massive Botnet Twice the Size of Storm (Dark Reading)
The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa."
Posted Apr 7, 2008 14:09 UTC (Mon)
by quickening (guest, #14807)
[Link] (10 responses)
Posted Apr 7, 2008 15:07 UTC (Mon)
by Cader (guest, #51459)
[Link] (9 responses)
Posted Apr 7, 2008 15:29 UTC (Mon)
by skvidal (guest, #3094)
[Link] (4 responses)
Posted Apr 7, 2008 15:59 UTC (Mon)
by elanthis (guest, #6227)
[Link] (2 responses)
Posted Apr 7, 2008 16:13 UTC (Mon)
by skvidal (guest, #3094)
[Link] (1 responses)
Posted Apr 10, 2008 16:29 UTC (Thu)
by AnswerGuy (guest, #1256)
[Link]
If that's your point then you are missing the point. Please point to any case studies that describe real-world usage of SELinux on desktop (and workstation) systems and which exemplify how SELinux has actually helped.
(That's just one part of your assertion. I contend that I haven't seen SELinux help with this class of problems and even if SELinux is capable of implementing meaningful measures for desktop users that its complexity precludes widespread use).
The second part of your assertion is that "other tools" (and OSes) cannot address these problems. Read about systrace and then review a few dozen other approaches (LIDS, AppArmor, GRSecurity patches, RSBAC, SMACK, LOMAC, etc) and show how each and every one of them is incapable of helping in the ways that you claim SELinux could.
My point is that SELInux is inherently complex (read this if you care to disagree. It's actually among the better summaries that I've read!) I disagree with those who claim that SELinux is only highlighting underlying complexity. The fact is that SELinux *adds* layers of complexity by introducing concepts (objects, labels, types and domains, classes, roles and subjects, and permissions ... with different sets of permissions for each class) that simply don't exist in the UNIX model. Creating a security policy for a specific application suite requires details knowledge of that application's internal architecture (must make sure that all its components end up in commonly accessible domains and classes and that each has the necessary permissions to access each other subsystem with which they interact). SELinux adds -Z flags a significant number "standard" UNIX/Linux commands such as ls and ps. That's a purely arbitrary switch designation chosen because none of the common utilities in question happened to use it.
As someone who has worked as a sysadmin for over a decade, and professionally taught advanced systems administration classes, I think I have a pretty solid basis to form an opinion regarding a system's complexity. I have a very good idea of how long it would take to teach someone to be minimally functional (not even truly competent, just minimally functional) in the use of SELinux.
I can teach the basics of reading strace output (and in capturing it from running daemons, writing strace wrappers, and even using the obscure /etc/initscript) in about two hours. The pre-requisite to that about one hour covering the basic system call process life cycle (fork(), execve(), exit(), wait()/waidpid(), SIGCHLD, etc.).
In that time I could probably just barely cover a conceptual overview and terminology primer for SELinux. (In one of my classes taught around the time that RHEL4 was just being released it cost about an hour of class time just demonstrating how to bypass SELinux during the standard "recover from a lost root password" exercise; SELinux doesn't secure your system against booting with init=/bin/sh --- but it does add some cumbersome obscurity to it unless you also add selinux=0).
Posted Apr 7, 2008 16:14 UTC (Mon)
by copsewood (subscriber, #199)
[Link]
Posted Apr 7, 2008 15:40 UTC (Mon)
by philipstorry (subscriber, #45926)
[Link]
Posted Apr 7, 2008 19:12 UTC (Mon)
by allenp (guest, #5654)
[Link] (2 responses)
Posted Apr 7, 2008 20:23 UTC (Mon)
by wertigon (guest, #42963)
[Link] (1 responses)
Posted Apr 8, 2008 5:39 UTC (Tue)
by muwlgr (guest, #35359)
[Link]
I'm shocked! Yet another article about infected computers which does not once mention the one thing they all have in common - Windows.
New Massive Botnet Twice the Size of Storm (Dark Reading)
New Massive Botnet Twice the Size of Storm (Dark Reading)
Let me start by saying I hate Windows too...
But Storm (and presumably Kraken) wasn't spread by a flaw in Windows.
Unless dumb users is a flaw.
A Linux user could just as easily install a trojan and run it as a normal
user. A script that puts something in the desktops startup could run
undetected by a lot of people.
New Massive Botnet Twice the Size of Storm (Dark Reading)
Well, to be fair. A linux user running selinux might have a somewhat harder time doing this.
There are many many advantages of selinux for combating things like this botnet.
I've not always been thrilled with selinux but it does certainly help deal with crack like
this.
New Massive Botnet Twice the Size of Storm (Dark Reading)
How does it help? SELinux policies for desktop users, including most corporate desktop users,
allow any general process to run and have network access. The targeted policies lock down
risky client apps that are known to the policy (the system-install Firefox, for example) but
not apps the user installed into their home directory (including a user-downloaded Firefox
binary).
The super restrictive SELinux policies that would actually solve these problems aren't in use
because even corporate users have at least one or two custom in-house apps that they need to
run, and figuring out how the heck to give those things proper permissions in SELinux is still
way too hard for the average IT idiot to figure out.
New Massive Botnet Twice the Size of Storm (Dark Reading)
Creating policies really isn't that difficult. There are a number of good beginner guides to
making selinux policies for specific apps and uses.
The point is that selinux helps this problem in ways that other tools/oses cannot.
SELinux: Excessive Complexity and Lack of Utility
"The point is that selinux helps [with] this problem in ways that other tools/oses[sic] cannot."
Jim Dennis
New Massive Botnet Twice the Size of Storm (Dark Reading)
Not sure yet that Selinux is useful for general purpose desktop computing or IT research
computing where end users need 50 general purpose applications and another 50 which few other
people use but which need to be changed on a daily basis. Selinux might be useful for locking
down a server application the resource requirements of which can be carefully studied and
monitored, but most end users have no idea which files they need to execute and which files
and ports these executables need to be able to access in which (read/write/delete/modify)
modes. Most end users are also likely never to want to acquire this knowledge. I can imagine
some end users who only ever use software in a standard distribution and single distribution
repository where the selinux policies are maintained by all the application packagers, whom
selinux would theoretically be able to help. But when they have to install a new device driver
or any unpackaged application that requires the tar/make/configure dance they will be well and
truly blocked and then they are likely to get fed up and use a system that isn't so well
locked down.
The problem Selinux will probably never solve is knowing the difference between low level
access from users doing what they know they want to do and low level access happening as a
result of attacks that users didn't want to happen.
Perhaps having a selinux protected main system plus virtual machines usable for quick and
dirty application installs but to which no important data is entrusted would go further, but
this still doesn't solve the device driver installation requirement where low level access is
needed.
New Massive Botnet Twice the Size of Storm (Dark Reading)
I'd agree, except...
Until Windows Vista the security of Windows was poor. Most people run as administrator. They
are forced outside the basic OS to fetch new applications, and therefore the trustworthiness
of those applications may well be lower.
By comparison, the average Linux user is not running as administrator, so a "silent install"
is far less likely. And 99% of all software they will use comes from repositories owned and
maintained by the distribution, so the issue of trust is easier to address. Indeed, gpg
signatures are used to help ensure that trust in many cases.
Yes, the user can sudo to root and install malware from any random website.
And yes, you could hack the repository and inflict malware that way (albeit requiring a major
operation to do so).
But the fact is that the design and organisation of most Linux distributions makes it far less
likely, even if it were level-pegging with Windows in user terms, that a user would install
malware.
Linux is still just as vulnerable to social engineering attacks as Windows is ("install this
codec to view our quality p0rn!"), but has a distinct advantage in defending against the less
determined or convincing attacker.
(Vista hopes to change this somewhat, but its uptake rate has been too low to know if it has
been successful in doing so yet.)
New Massive Botnet Twice the Size of Storm (Dark Reading)
Ummm... Time out.
I just changed the name of an executable to hello.jpg and rigged
up a little html file with "hello.jpg" as the target of an <img>
tag and of an <a> tag. When I point Firefox at it, the <img>
renders as a broken image. The <a> looks like a link, but when
clicked on, it renders a page containing just the pathname to
the hello.jpg file. To get the thing to execute, I have to
deliberately download it, save it to a file, and then manually
execute it.
400,000 Windows boxes have been cracked by an executable
masquerading as an image, while Linux and Firefox appear immune
to the same attack. Further, the trick of appending
".jpg .exe" to
an executable has been known practically forever and Windows
is still vulnerable to it. It's not exclusively dumb users.
It's a bad design combined with naive users.
Paul Allen
New Massive Botnet Twice the Size of Storm (Dark Reading)
Actually, this has to do with MIME-types, and is a browser flaw, not an OS-flaw.
Try serving that same jpeg with whatever the executable MIME-type is (application/executable
maybe?) and you'll see Firefox do what it normally does to executables. I can see a user
clicking "execute" here...
New Massive Botnet Twice the Size of Storm (Dark Reading)
Had you ever tried to check your suggestion by yourself ? Firefox and Seamonkey do not offer
"open by default" or "execute" for downloadable executable files. Under Windows, at least.