Domain: sophos.com
Stories and comments across the archive that link to sophos.com.
Comments · 553
-
Linkys
Here's a link to the Sophos webpage with more detail, and a whitepaper which you can download if you fill in some contact details.
-
Re:I'm still confused
Doesn't matter, IMO, the content shouldn't have been in a final shipping product in the first place.
Now companies need to start looking into buying insurance to protect against this. After all, how much coding did the embedded version of Hot Coffee take? Compare that to the amount of legit code and you see that an unethical person could put something into the program before release and hold that over the company for blackmail purposes or revenge if they ever get fired. I don't think this is something that's as easy to protect against as one might think.
http://www.sophos.com/pressoffice/news/articles/2002/06/va_nimda_korea.html
Even Microsoft missed some code when shipping a product. Scanners and automated tools are only as good as the information they're told to look for. An individual programmer set on adding some content (or sloppy about removing a joke) could cost a company a lot of money. Maybe not that much in terms of fines ($11k is still a lot of money, especially for smaller companies), but in terms of consumer faith and reputation. -
Re:Alternatives to Symantec Antivirus?
We have been using Symantec for years now. I finally was getting sick and tired of all the bloat that it contained and was not interested in going to version 10 because it required MS SQL, etc. to run the backend database.
I did some heavy research and found Sophos. Sophos is strictly a B2B organization, support is fast 24/7 and the product is solid and rocks.
We have rolled it out -EASY (BTW we have about 250 workstations).
When our users got it, it was like getting a brand new PC for them.
I will never go back to Symantec. -
Re:PC World couldn't read the Sophos article!
And obviously, I forgot to give the link to the original Sophos article:
http://www.sophos.com/pressoffice/news/articles/2006/05/erazer.html -
protection: download virus identity (IDE)
-
We use Sophos PureMessage
We installed Sophos PureMessage for UNIX about a month ago on our postfix SMTP gateways. The performance has been outstanding and provides web management user interfaces. Note that we specifically chose an AntiSpam/AntiVirus solution for our SMTP gateway servers different from our enterprise AntiVirus solution (we run McAfee GroupShield on Exchange and McAfee Enterprise 8i on our desktops and servers).
Since a UNIX server is not an option (though the web management interface may change that), you might want to take a look at PureMessage for Exchange:
http://www.sophos.com/products/es/gateway/pm-windows-exchange.html
Sophos offers a 30 day evaluation:
http://www.sophos.com/products/eval/
BTW, prior to Sophos PMX, we were using SpamAssassin. -
Taking a cue from Sophos
Interestingly, Sophos recently had a similar issue. An update to its antivirus software caused Mac OS X computers to delete system files or move them to a quarantine folder. And the best part? The "infection" that this update was supposed to prevent was a proof-of-concept that is not even in the wild.
http://www.sophos.com/pressoffice/news/articles/2006/02/inqtanafix.html
One would think that all vendors would take note of competitors' mistakes and carefully test updates before publicly deploying them, if for no other reason than to maintain their reputation. What good is anti-virus software that does more damage than it prevents?
-
Fweep Fweep!!!!
We have a penalty for blatant ignorance. This results in a two year internet privilege suspension and an additional beating around the ears with an Internet for Total Fucking Dummies book. Please step away from the keyboard and assume the position!
Symantec Antivirus Center
Computer Associates Virus Information Center
McAfee Virus Library
Kaspersky Virus Encyclopedia
Panda Software Virus Encyclopedia
Sophos virus analyses
BitDefender Virus Encyclopedia
For those that will argue that these search engines do not behave as the article requested; it is simply a matter of searching for the right symptoms. If you accurately describe the behavior of the virus, all of these search engines give you the answer.
The fact of the matter is that the very best solution is simply to use a commercial antivirus solution. If you are infected with a 0-hour virus, simply wait an hour and run the update utility. Such a product will at least see the virus and tell you its name, even if it is unable to clean it. Worst case you have to use a bootable CD-ROM OS to catch/clean it. -
We've had two new ones in the past year
At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.
Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample, you would do well to try them all if you have non-sensitive information in an infected file. -
Re:Problematic Signature Release Issue
Not very long ago, when the Kama Sutra (Nyxem.E, MyWife, whatever) worm was released to the world it seemed to take absolutely forever to find anyone with a solution for the removal or even the detection of the thing.
The virus is reported to have first emerged on the 16th January 2006. Sophos says they provided protection from 16:03:20 GMT on that day. So while it may have taken ages for you to find an anti-virus vendor with detection or removal, there *were* solutions on the same day. Trend Micro also says their pattern file was released on the 16th, and they give the time when the description on their website was written as 14:23:21 GMT, but they don't say what time their pattern file was released. McAfee even claims that they detected the virus from 2nd December 2005 - presumably since this was a variation of an existing worm that their existing detection happened to also detect. I don't know how many of the other AV vendors *also* detected it due to happenstance before it even existed.
There was also detection officially available from some other AV vendors on the 17th:
- Kaspersky (I think) - which seems to use GMT for their times,
- Symantec - I don't know what timezone they use.
-
sophos press-release:
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
Is this the same?
They say it's a worm... -
Re:Consider the source...
Sophos posted an advisory as well.
http://www.sophos.com/virusinfo/analyses/osxleapa.html -
Really new?
Even in the realm of OS X, is this exploit really all that new or exciting? Not having gotten my hands on a copy of this, I don't know how it works, but it seems similar to the proof-of-concept from nearly two years ago, which exploited issues in the Finder with handling file extensions vs. type/creator codes (IIRC, the proof was an application with type code 'APPL' and extension .mp3, which made the Finder display it as an MP3 but treat it as an application when clicked). -
Clue About How To Detect Whether You're Infected
This URL would seem to provide some hints about how to check whether you're infected.
It mentions some registry keys that the worm sets up.
http://www.sophos.com/virusinfo/analyses/w32nyxemd.html -
Trial/free anti-virus that remove Win32/MyWife
Hello,
A bit of searching came up with the following free or trial versions of anti-virus programs which are capable of detecting and removing Win32/MyWife (née CME-24):
Alwil - Avast! 4 Home Edition (free for personal non-commercial use)
ESET - NOD32 trial version (30-day evaluation)
Grisoft - AVG Free Edition (free for personal non-commercial use)
Kaspersky Lab - Anti-Virus Personal 5.0 (30-day evaluation)
McAfee - VirusScan (30-day evaluation)
Microsoft - Windows Malicious Software Removal Tool (KB890830) (free)
Panda - Titanium Antivirus 2006 (30-day evaluation)
Sophos - Anti-Virus (30-day evaluation)
Symantec - W32.Blackmal@mm Removal Tool (free)
Trend Micro - PC-cillin Trial Version (30-day evaluation)
I'm certain other readers will look up and post links to additional vendors, too. Ob-disclaimer: I happen to work for one of the companies listed above, so there.
Regards,
Aryeh Goretsky -
Mac Protection, exploits
Sophos is one commercial vendor who distributes an anti-virus client package for the Mac. They also offer their server component for Mac, providing update and remote install/upgrade services. Sophos For OS X. While there are only a few viruses/worms/trojans in the wild at this time that can infect OS X, anti-virus software, for instance on a Mac based file server, can help protect machines running other operating systems.
In this geek's opinion, any OS that defaults the primary user on the system with super user access is going to be at least somewhat more prone to attack. Nasty critters enter systems quite often by way of email attachments, and the common user's attraction to shiny things. No scripted-auto-execute-attachment-on-view hack to poorly written email clients is needed, nor is any privilege escalation exploit. The human behind the keyboard will perform that task for us. This is something that is very reasonably taken advantage of with OS X (as with Windows). In a business environment one would hope this has been addressed properly.
As for other remote exploits, SANS top 10 list for Mac OS X.
Mac OS X is far from un-exploitable. It's just not the biggest target on the battlefield... but getting bigger every day
I'm a daily Linux user. I also have a G4 under my desk running OS X, and have quite a bit of respect for the work Apple has done with Darwin (not so much with Aqua). -
Options for OS X
...Is he right, and what actual products exist for OS X that would protect against infections?
My stock response: "The truth is, viruses just aren't a huge threat on the Mac right now. However, my religion precludes me from advising you to not buy anti-virus software."
It's not like you don't have options though. You can get anti-virus software from:
Symantec
Sophos
Intego
McAfee (Virex, included with a .Mac membership)
And, of course, there's always Clam AV, along with the ClamXav front end for OS X. -
Time for another self-healing worm?
As a long-time Linux advocate, I must admit to a little Schadenfreude in the latest WMF exploit, however as a responsible member of the security community, I think we have to take this problem very seriously.
Whilst Microsoft may indeed publish an official patch in the next few days, they have no way to push it out to all the vulnerable systems. Savvy admins may have already applied the unofficial patch, and kudos to them.
However, the biggest problem is the great masses of unpatched systems that will never receive an official or unofficial patch. For them, I am afraid the only solution is a fix which exploits the vulnerability to patch the system automatically. If this is not done, it will exacerbate the problem of DDOS botnets and Spam relays, making life even worse for the rest of us.
Experienced security people will recall this has been done before. I suspect this may be the only way to patch enough of the vulnerable systems that won't be protected either by Microsoft's efforts or those of a competent admin. Any takers? -
Seems like a worm to me
-
Re:Most AV programs are annoying.
and it is because of this very issue I know a few people who run without AV protection.
Tell these people they need decent AV software. The annoying fill-your-screen-with-popups stuff isn't that way because the programmers are inept, it's that way by design.
Cheap AV programs with an inferiority complex (i.e. the ones you buy in boxes at PC World) pop up a lot of crap to try and make you believe they're constantly protecting you against a barrage of threats that would otherwise steal your passwords, buy a Ferrari on your credit card, rot13 your mailbox, and sleep with your wife. If they didn't, a lot of users might think "but I never see this thing actually doing anything" when their first year's subscription is up and Norton tell them it'll be another $whatever for more updates.
Good software doesn't have anything to prove. It just sits there very quietly getting on with its job.
Lastly never ever interrupt any full screen application unless the world is ending.
Maybe not even then. If I'm playing Quake 4 when the final trumpet sounds, I'm happy to go without being interrupted by a "Warning: world is ending" pop-up box.
-
Yeah. Great analogy there.
From the writeup:
According to Microsoft, the new anti-virus application known as Windows OneCare Live is 'like taking your PC in for a tune up at the service station'.
Yeah. Now there's a trip to the service station I'd like to see.
"So, what kind of car is it?"
"It's an '03 Nissan Maxima."
"And... you say there's some kind of problem with the steering?"
"Well, yeah. Actually, it ran great for about twelve minutes, then it seemed to just take on a life of its own and started trying to run other cars off the road."
(pause)
"I don't think it'll pass inspection like this." -
Re:antivirus vendors violate DMCA?
-
Sophos is best for me
I choose Sophos http://www.sophos.com/ as other pay-for-use AntiVirus packages made our Desktop 486 machines just grind to a halt. So not taking up processing power was important for me and Sophos just won the day.
It has multiple OS support!!! It almost became an obsession to have as many OS's on my network as possible just to see Sophos on them all :-)
I just loved the .ide downloading, so small are these files, so we run in full paranoid mode (every 20 minutes) the client machines check with OUR central server for updates. Our main server (FreeBSD) also checks for ide updates every 20 minutes and monthly for the main updates. Our users never know Sophos is there, it just works. Piping emails through it via AMaViS was too easy. Since we still have w95, w95osr2, w98se machines as well as FreeBSD server, XPpro and 1 mac, Sophos has become the simplest solution for us. They have not yet said they are dropping support for w95, hope they don't.
Wish they would let home users have it free, the world would become a better place. So can you add Sophos to the voting poll?? and not have it hidden in other.
The really annoying thing is that Sophos don't include AntiSpyware as part of it.
-
but that would cure spam overnight
-
Re:I hate to say it...
But it's been a while since we've had a good/effective worm.
In the virus top-10 7 out of 10 spots are variants of the (self-updating, turning your machine into a spam-zombie) MyTob worm, accounting for 39% of infections (excluding any that the virusscanner can't pick up because MyTob will stop it from updating itself). That's fairly effective. MyTob accepts commands from a channel on IRC (of course) and usually makes your zombie machine send out a lot of spam. -
Re:Unix is not the Future
Can't assume an attack's going to be over the network. Could just as easy be a trojan. They do tend to be single threaded. All of which is a bit beside the point.
But what would the trojan do? Would it simply run a program just to crash it? That seems kind of pointless. The point isn't that threads don't die. It's that it's impossible for an attacker to use this in any meaningful way.
However, until someone tries to crack it in earnest and out in the wild then we can't be sure that nothing has been overlooked.
It HAS been tested in earnest. Applets are an example of an area where the Java security model is in effect. There was exactly ONE semi-successful virus (see: Strange Brew), and it was only able to spread on systems where the Security Manager was not in effect. i.e. Your standard desktop applications. There is one other issue that I'm aware of, but it was a flaw in the JVM->Native mapping (specifically the JavaScript support). On a fully code-managed system, this is impossible.
Trust me, crackers would LOVE to use Java for malware. Unfortunately (for them), no one has yet managed to break the Security Manager.
The question is whether the language is the proper place to add such protection.
Whoa! Hold up there! The protection is not in the language. It's in the platform. The Java Language is independent from its platform, and provides very little in the way of security features. However, the Platform is as secure as it gets, no matter *what* language you use in it. Python, Ruby, BeanShell, JavaScript and many other languages have been made to work on the Java Platform.
Remember, your OS/CPU combination are one type of platform. Java is higher level platform that solves many of the issues with previous platforms.
Granted, you need an OS that does its job properly, but then a buggy java runtime would have the same problems as a buggy OS.
It's far easier to prove the correct execution of Java Bytecode than it is to prove the security of today's OSes. In fact, even the most secure OSes (e.g. OpenBSD) have been shown to have root exploits. You can't do that in Java. You just can't. There's no ledge on which you can grab a purchase. The best you can hope for is something like the TENEX flaw which allowed programs to hook into the paging notifier to check if something was paged from disk. By aligning the password characters with the end of the page and swapping the next page out to disk, an attacker was able to know that a password character was correct based on if a page fault happened.
Of course, security has moved on quite a bit from there, so I seriously doubt such flaws would be present.
I think there's a lot to recommend the idea of letting the OS handle security
If Java is the OS, it WOULD be handling security.
One of the BSDs, OpenBSD I think, demonstrates how well this can work. Currently it has zero outstanding security advisories and a policy of full disclosure.
You can't get much better than that.
Yes, yes you can. You can have an OS *never* have a root exploit, or even a critical exploit. Java can do that. Think, with all the J2EE servers running out there, and all the webbrowsers with Java installed, how many have experienced major flaws in the Java architecture or VM? The answer is a resounding ONE. (The one I described above.) Even programming flaws in J2EE systems fail to lead to system security issues like gaining root access. Usually, it's a matter of allowing web clients access to data they shouldn't have. (That's a whole other problem unrelated to system design.)
And C's parameter passing mechanism is secure so long as the programmer always checks buffer lengths.
And Java's is secure even if the programmer DOESN'T check buffer lengths. "ArrayOut -
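The TENEX flaw mentioned in the comment above is the textbook case of a compare that stops at the first wrong byte leaking the secret one byte at a time. The simulation below is an added example, not code from the comment or from any product discussed on this page. It models the page fault as a flag returned alongside the login result (in the real attack the attacker observed the fault itself), assumes a printable-ASCII password shorter than 64 bytes, and the names `tenex_check`, `fixed_check`, `recover` and `attack` are this example's own:

```python
import hmac
from functools import partial

# Guess space for the demonstration: printable ASCII (an assumption of this example).
ALPHABET = bytes(range(0x20, 0x7f))


def tenex_check(secret: bytes, guess: bytes, resident_up_to: int):
    """The vulnerable pattern: compare byte by byte, stop at the first mismatch.

    Bytes of `guess` at index >= resident_up_to are modelled as lying on a page
    the attacker has forced out to disk; touching one of them raises a page
    fault the attacker can observe. Returns (accepted, faulted).
    """
    faulted = False
    for i in range(len(secret)):
        if i >= len(guess):
            return False, faulted
        if i >= resident_up_to:
            faulted = True              # the observable side channel
        if guess[i] != secret[i]:
            return False, faulted       # early exit: later bytes are never touched
    return len(guess) == len(secret), faulted


def fixed_check(secret: bytes, guess: bytes, resident_up_to: int):
    """Hardened version: every byte of the guess is read whether or not it
    matches, so whether a fault occurs depends only on the guess, not the secret."""
    faulted = len(guess) > resident_up_to
    return hmac.compare_digest(secret, guess), faulted


def recover(check, alphabet=ALPHABET, max_len=64):
    """Byte-at-a-time recovery through the fault oracle.

    `check(guess, resident_up_to=...)` returns (accepted, faulted). Each round
    places the candidate byte as the last resident byte and one pad byte on the
    non-resident page: a fault means the compare got past the candidate, i.e.
    the candidate was right. Returns (recovered, number_of_queries).
    """
    known = b""
    queries = 0
    while len(known) < max_len:
        extended = False
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00"
            _, faulted = check(guess, resident_up_to=len(known) + 1)
            queries += 1
            if faulted:
                known += bytes([c])
                extended = True
                break
        if not extended:
            break   # nothing faulted: only the final byte (which has no successor) is left
    # The last byte never causes a fault, so it is found by the login result itself.
    for c in alphabet:
        queries += 1
        accepted, _ = check(known + bytes([c]), resident_up_to=len(known) + 1)
        if accepted:
            return known + bytes([c]), queries
    return known, queries


def attack(secret: bytes, impl=tenex_check):
    """Run the attack against a check implementation that holds `secret`."""
    return recover(partial(impl, secret))


if __name__ == "__main__":
    secret = b"S3cret!Pw"
    got, n = attack(secret)
    print(f"vulnerable check: recovered {got!r} in {n} queries "
          f"(brute force would need up to {len(ALPHABET) ** len(secret)})")
    got, n = attack(secret, fixed_check)
    print(f"hardened check: recovered {got!r} (wrong) after {n} queries")
```

Against `tenex_check` the cost is at most one pass over the alphabet per password byte, plus one pass for the final byte, which has nothing after it to fault on and is confirmed by the login result instead. Against `fixed_check` every candidate faults alike, so the oracle carries no information and the attacker ends with garbage. The same structure, an early exit in a `memcmp`-style comparison observed through timing rather than paging, is why modern code uses `hmac.compare_digest` or an equivalent constant-time compare.
-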
Re:What is this stuff *for* anyway?
Let me add to that. I keep track at the following sites:
http://rssnewsapps.ziffdavis.com/tech.xml
http://www.microsoft.com/technet/security/bulletin/secrss.aspx
http://www.mozilla.org/news.rdf
http://feeds.dshield.org/news.xml
http://www.sans.org/newsletters/newsbites/rss/
http://www.sophos.com/virusinfo/infofeed/tenalerts.xml
You can get the OPML of my feed list at http://www.shokk.com/opml.opml -
In that case, Die, RIAA, Die!
-
Re:SANS
And it's interesting to note that currently, the "average time between attacks" is 32 minutes. According to the graph, average survival time hasn't ever been as low as 12 minutes.
I can't RTFA (stupid Websense), but the original Sophos press release doesn't shed much light on their methodology. I don't have any clue on how they arrived at their 12-minute "half-life", but I think I trust SANS ISC much more. At least, I'm fairly sure they don't have a commercial interest in raising anxiety about instantaneous system infection.
-
Re:Anti-Virus
Sophos http://www.sophos.com/ have been doing a Linux version of their commercial AV software for years. We've used it to implement virus scanning of emails and network file stores.
-
Re:Anti-Virus
There is also Sophos AV, which supports Windows, MacOS X, NetApps, Linux on Intel and Alpha, FreeBSD, HP-UX, AIX, Solaris, Tru64 UNIX, SCO, OS/2, OpenVMS, and NetWare. I had never heard of them until going to college, where Sophos was their "mandatory AV product" for all students, and haven't heard of them since. But I was pretty impressed by their product. Of course, I've gotten exactly one virus in my entire life, and it was a harmless DOS-era boot-sector virus acquired from a friend, so I was impressed mainly by how lightweight Sophos is. And obviously its supported-OS list is pretty remarkable.
-
MacOS X viruses are now starting to spread
- Mac Cowhand-A.
"Mac/Cowhand-A is a proxy Trojan for the Mac OS X platform. The Trojan may copy itself to the user's Preferences folder. In order to run itself on startup, the Trojan may add itself to the user's Startup Items. The Mac/Cowhand-A Trojan horse allows remote hackers to use an infected computer as a proxy to connect to the internet. By using the Trojan hackers can disguise their real location because the connection can only be traced back to the infected computer." Appeared in April 2005. -
http://www.sophos.com/virusinfo/analyses/aplsfromra.html
"AplS/Fromr-A is an OS X AppleScript Trojan that attempts to delete all files recursively in the user's home directory." Appeared in 2004. -
MP3Virus.Gen
"Dubbed MP3Concept (MP3Virus.Gen), the Trojan horse exploits a weakness in Mac OS X where applications can appear to be other types of files, according to the company. Intego told MacCentral today that the code is hidden in the ID3 tag of the MP3 file. The code will only activate when clicked, but once it is, Intego warns the Trojan horse has the potential to delete all of a user's personal files; send an e-mail message containing a copy of itself to other users; and infect other MP3, JPEG, GIF or QuickTime files." Appeared in 2004.
Note that these viruses exploit some of the same classes of vulnerabilities seen under Windows. The first one relies on a MacOS X hole that allows any unprivileged program to specify that a program should be run at startup. The second comes from implicit script execution. The third is a file type spoof. Those are all very similar to Windows attacks.
Note that these are all "Mac features", not "UNIX features". Apple put in "ease of use" features without considering security, just like Microsoft.
-
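The "Really new?" comment earlier on this page and the three Mac trojans quoted above describe one class of trick: executable content presented under a name and icon the user reads as data (an 'APPL' with an .mp3 extension, code behind an ID3 tag, a bundle directory called song.mp3). The scanner below is an added example and is not code from any of the posts, from Sophos or from Intego. It cannot see HFS+ type/creator metadata, so it checks what is actually on disk: executable magic under a media or document extension, executable magic immediately after an ID3v2 tag, a bundle directory with a media extension, and the Unix execute bit. The extension list, the magic table and the fixture built by `build_sample_dir` are this example's own assumptions; the fixture files are constructed stand-ins, not samples of the trojans named above:

```python
import stat
import tempfile
from pathlib import Path

# Extensions a user would read as "data, safe to double-click" (assumed list).
MEDIA_EXT = {".mp3", ".jpg", ".jpeg", ".gif", ".png", ".mov", ".mp4", ".pdf", ".txt"}

# Leading bytes of native executables. 0xcafebabe is shared with Java class
# files, so it is reported as suspicious rather than as proof of a Mach-O.
EXEC_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary (or Java class)",
    b"\x7fELF": "ELF",
    b"MZ": "PE/MZ",
    b"#!": "script with shebang",
}


def id3v2_tag_length(head: bytes) -> int:
    """Total length of a leading ID3v2 tag (10-byte header + syncsafe size),
    or 0 if the data does not start with one."""
    if len(head) < 10 or head[:3] != b"ID3":
        return 0
    size = 0
    for b in head[6:10]:
        if b & 0x80:            # syncsafe integers never set the high bit
            return 0
        size = (size << 7) | b
    return 10 + size


def executable_kind(data: bytes):
    """Name of the executable format whose magic `data` starts with, or None."""
    for magic, name in EXEC_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def classify(path: Path):
    """Reason string if `path` looks like code dressed up as a media or document
    file, otherwise None."""
    ext = path.suffix.lower()
    if ext not in MEDIA_EXT:
        return None
    if path.is_dir():
        # An .app is a directory; a bundle named song.mp3 still launches as an app.
        if (path / "Contents" / "MacOS").is_dir():
            return "application bundle with a media extension"
        return None
    with path.open("rb") as f:
        head = f.read(4096)
    kind = executable_kind(head)
    if kind:
        return f"{kind} header under a {ext} extension"
    skip = id3v2_tag_length(head)
    if skip:                    # look past the tag: what does the 'audio' actually start with?
        with path.open("rb") as f:
            f.seek(skip)
            kind = executable_kind(f.read(8))
        if kind:
            return f"{kind} hidden behind an ID3v2 tag"
    if path.stat().st_mode & stat.S_IXUSR:
        return f"execute bit set on a {ext} file"
    return None


def scan(root) -> list:
    """Walk `root` and return (name, reason) pairs for every suspicious entry."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        reason = classify(p)
        if reason:
            findings.append((p.name, reason))
    return findings


def build_sample_dir() -> str:
    """Constructed fixture for the demonstration; no real malware involved."""
    root = Path(tempfile.mkdtemp(prefix="spoofscan-"))
    id3 = b"ID3\x03\x00\x00" + b"\x00\x00\x00\x0c"       # ID3v2.3 header, 12-byte tag body
    (root / "track.mp3").write_bytes(id3 + b"\x00" * 12 + b"\xff\xfb\x90\x00" + b"\x00" * 64)
    (root / "photo.jpg").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)          # Mach-O as .jpg
    (root / "hit.mp3").write_bytes(id3 + b"\x00" * 12 + b"\xfe\xed\xfa\xce" + b"\x00" * 60)  # code after the tag
    (root / "song.mp3" / "Contents" / "MacOS").mkdir(parents=True)               # bundle named like a song
    (root / "song.mp3" / "Contents" / "MacOS" / "song").write_bytes(b"\xcf\xfa\xed\xfe")
    return str(root)


if __name__ == "__main__":
    for name, reason in scan(build_sample_dir()):
        print(f"{name}: {reason}")
```

Run it as a script to scan the constructed fixture, or call `scan('/path/to/Downloads')` on a real directory. A match is a reason to look closer, not a verdict: `0xcafebabe` also starts Java class files, and a `#!` text file saved with a .txt extension is odd but not necessarily hostile.
-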
Re:OS 7.5? Give me a break.
Sophos seems to think there's a few and I'm sure a quick google will find something more
;)
Amusingly, there seems to be a few nice worms for linux. There also seems to be a nice one that hits both freebsd and linux. Granted you have to be running a pretty old and crusty versions of the kernel and apache, but Windows people aren't the only ones who don't update ;)
Of course nothing is as bad as the numbers for Windows but to say that you're completely safe is pure arrogance. We must never forget that FUD is a 2 way street leading to Ignorance Lane and Mindless Zealotry Ave. -
Re:What it is about China?
-
Top 12 spam-producing countries of 2004
In 2004, these top 12 countries produced the most world-wide spam according to Sophos:
1. United States 42.11%
2. South Korea 13.43%
3. China (incl Hong Kong) 8.44%
4. Canada 5.71%
5. Brazil 3.34%
6. Japan 2.57%
7. France 1.37%
8. Spain 1.18%
9. United Kingdom 1.13%
10. Germany 1.03%
11. Taiwan 1.00%
12. Mexico 0.89%
Others 17.8%
http://www.sophos.com/spaminfo/articles/dirtydozen.html -
Re:Its the content, not the wrapping, but....
The description at Sophos (an AV firm) might be easier on the brain (i.e. not get anyone's grammar hackles up).
Troj/BankAsh-A -
Can I sue them?
I just clicked the link and it downloaded the EXP/Phel-A virus (only when I use IE, not Firefox). Sophos Anti-Virus picked it up and gives this advisory.
If Sophos isn't mistaken, the Secunia site is infecting visitors with viruses?! -
Sophos Anti-virus detects pages using this exploit
I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:
http://www.sophos.com/virusinfo/analyses/expphela.html/
EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.
This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system. -
Re:Why is this still an issue?
While that will prevent SPAM that originates in China, you may want to re-think your strategy.
According to this report, most of the spam comes from North America, with thanks to Zombie PCs.
-
Twelve Step TrustABLE IT : VLSBs in VDNZs From TBA
Twelve Step TrustABLE IT:
Virtualised Linux Standard Base (VLSB)
in Virtual Demilitarized Network Zones (VDNZ)
from Trusted Build Agents (TBA)
Back on August 11, 1998, Microsoft's Vinod Valloppillil and Josh Cohen released a memorandum titled Linux OS Competitive Analysis: The Next Java VM?, in which they predicted that Linux would become ubiquitous as a services platform. However, the title of the paper could be even more prophetic.
Consider the following.
[1] It is well known that Linux is quite portable; in fact only NetBSD comes close to the number of hardware platforms supported.
[2] What is less well known is that the Linux kernel has even been ported to run on itself, as client for a virtual Monitor platform, and even to run virtualised on other operating systems including Win2K and XP.
[3] Other operating systems, such as BSD and Sun's Solaris, can also use a compatibility layer to run applications compiled for Linux directly, without the need for virtualisation.
[4] The Linux Standard Base Mission Statement is:
To develop and promote a set of standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system. In addition, the LSB will help coordinate efforts to recruit software vendors to port and write products for Linux.
[5] The above standard also defines a generic subset of the standards for each hardware platform as a source level application interface. In fact, for an application to be certified for the LSB it must be tested on two of the platforms supported by the LSB, one chosen at random by the testing body. Following the standard, it's not that difficult a job to write portable C and C++ code: write once, compile for each platform.
[6] The GNU Compiler Collection's future GCC 4.0 Release Series now divides the task of compiling into two stages based around Static Single Assignment trees. It should be possible to use the new GCC front ends to compile each language into an SSA tree that represents the common generic subset of the Linux Standard Base: [5]. The resulting SSA tree for a build could be dumped into files, analogous to Java's JVM intermediate format, and then compiled to native code for the target platform: write once, run everywhere.
Be it open or closed source, every binary or script you execute represents a risk. It is possible to introduce hostile code at any point along the build chain, before the point where the binary is checksummed and the result digitally signed.
[7] It is possible to use constraints built into any Linux or Unix-like operating system to isolate and restrict what a binary executable has access to or can do. Even without employing SELinux's mandatory access controls or chroot/jail'ed environments, it is possible to run a process under a different user identity and group identity. Unix servers have used this te
-
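Point [7] of the post above describes running a binary under a different user and group identity to limit what it can do. The following is an added example (not code from the original post) of how a server does that in practice on Linux/POSIX: it drops from root to an unprivileged uid/gid in the order that actually sticks (supplementary groups, then gid, then uid), and then proves the drop is irreversible before doing any further work. The target account "nobody" in main() is an assumption; the check functions take whatever uid/gid you pass.

```c
/* Added example, not from the original post: permanent privilege drop
 * and the checks that confirm it worked. Assumes a POSIX system; the
 * "nobody" account used in main() is an assumed target. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and the primary gid must change
 * first, because once the uid is non-zero the process no longer has the
 * permission needed to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear the supplementary group list; an unprivileged
         * caller would get EPERM here, so skip it when not root. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* setgid() as root sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* setuid() as root sets real, effective and saved uid */
        return -1;
    return 0;
}

/* A process whose saved uid is still 0 (e.g. after seteuid() instead of
 * setuid()) can simply setuid(0) and become root again. Returns 1 if that
 * works, 0 if it is refused, so a correct drop yields 0. */
int can_regain_root(void)
{
    return setuid(0) == 0 ? 1 : 0;
}

/* Returns 1 if real and effective uid/gid all equal the target. */
int identity_is(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Assumed target account. If we started as root, move to it; if we
     * started unprivileged, the drop is a no-op to our own identity. */
    struct passwd *pw = getpwnam("nobody");
    if (geteuid() == 0 && pw != NULL) {
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    /* Fail closed: if root is still reachable (for example, we were root
     * and no "nobody" account exists), refuse to serve anything. */
    if (!identity_is(uid, gid) || can_regain_root()) {
        fprintf(stderr, "privilege drop did not stick; refusing to continue\n");
        return 1;
    }
    printf("running as uid=%u gid=%u; root cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The check in can_regain_root() is the one worth copying: a service that calls setuid() but leaves a saved uid of 0 behind looks unprivileged in ps yet is one syscall away from root, and the only reliable way to know is to try and be refused.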
This isn't MyDoom, it's Bofra.
See the following:
Sophos.com link
For some reason, I actually see this one doing quite a bit of damage... if the infected users are running firewall software, though, it should prevent it from spreading widely (since they will probably not accept connections on the port it opens to serve http from) -
Here's a little more info on Nick Marinellis
The article is a bit sketchy; he actually took over 5 million Australian dollars from scamees, including 571,302 Australian dollars from a Saudi sheik. The latter article makes for interesting reading.
One of my favourite anti-spam sites (including the name) is What's the bloody point?? I especially like bait number 8 featuring Miss Maureen Adje Charlse only surviving daughter v Norman Gorman Smith-Bidet III & Gonad McDangle.
-
Re: Law enforcement?
Yeah, especially when those fraudulent jerks are outside of the US.
No problem there for law enforcement, as the bulk of spam is coming from the US anyway...