Don't Forget That Worms Happen Everywhere

← Back to Stories (view on slashdot.org)

Don't Forget That Worms Happen Everywhere

Posted by CmdrTaco on Wednesday August 15, 2001 @06:34AM from the stuff-to-think-about dept.

friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."

13 of 391 comments (clear)

different cultures... by webmaven · 2001-08-15 07:02 · Score: 5, Insightful

I think that the real reason that MS systems were hit so hard by Code Red and it's descendents is that there is a real difference in the culture of the respective developer communities.

There is no reason why all those home systems and corporate desktops should have IIS running in the first place. There is also no reason (generally) for a home linux system to be running, say, BIND or wu-ftpd.

So why does Microsoft encourage the installation of unneccessary software on it's systems, and why doesn't it make it easier to not install those services in the first place?

It comes down to culture. Unix-like operating systems are minimalist and modular, because the development communities appreciate elegant code (not neccessarily elegant interfaces).

Whereas Microsoft prizes a DWIM (Do What I Mean) approach, which encourages adding functionality 'just-in-case', as Microsoft seems to think that actually asking a user to install a component is a failure on their part.

In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).

--
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
Not quite by matty · 2001-08-15 07:58 · Score: 4, Insightful

If as many people tried to comprimise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.

Your basic premise is correct that there are more people trying to break MS systems than Unix/Linux systems, but U/L will never be as vulnerable for a number of reasons:

1.) There are several flavors of Unix and dozens/hundreds of distributions of Linux, not to mention all the different version numbers of each of those. This would dramatically impede the spread of any worm. Almost every MS-based site has IIS 5.0 and it is this homogeneousness the allows things like Code Red to spread so quickly and effectively.

2.) Unix/Linux systems in general are easier and safer to patch. Almost every MS patch requires a system restart and it is not at all unusual for the patch to break something else. I have never had a security update break anything on my Debian systems, nor have I ever had to restart the whole system. The service updated (such as the recent Horde/IMP updates) is restarted and the user doesn't even know, even if he/she is using the system at that moment (I know this because I did it as a test case here at work. Someone was reading their email on our IMP system while I upgraded the system. Yeah, a bit dangerous, but we're a small company and no one would have gotten in trouble. Regardless, she didn't even know anything had happened).

3.) Security holes are much more frequent on MS systems. We all have heard about the fact that the last known remote root exploit for Apache was over 3 1/2 years ago. There have been a few security patches since then, but nothing nearly so troublesome as Code Red. I read somewhere that there have been over 40 serious holes in IIS this year alone, although I don't remember where I read it and it may be apocryphal.

Bottom line is that while it may be true that if as many people who are attacking MS systems starting attacking Unix/Linux systems, we might see more issues on U/L, it is also true that Unix & Linux are better engineered from the start, easier to upgrade and more varied, all of which make them much more secure inherantly than MS solutions.

Cheers...........
It is all about the Admins by cansecofan22 · 2001-08-15 06:49 · Score: 4, Redundant

No matter if it is a DOS attack or a worm or any other kind of attack. No matter what OS you are supporting and using if you as an Admin dont have the proper service packs and updates installed then your OS will be a victim sooner or later. Having competinent people running the shop is where it is all at. If you look at the latest worms, Red Hat's and MS's, they could BOTH be avoided by updating software.

Sorry about the spelling, I really need to get a spell checker plugin for /. posts!

--
"If ignorance is bliss, why aren't there more happy people in the world?"
Don't forget Morris! by HiredMan · 2001-08-15 06:58 · Score: 5, Funny

On November 2, 1988 the "Morris Worm" was unleashed on the net. It jumped from college to college (that was most of the net then) and, because of a bug in the code, would reproduce itself within the machine until it ran the machine into the ground as it tried to infect others.

Imagine Code Red in which almost all servers are NT/IIS and there is no web, no central authority, no "experts"...
It caused the Inet as it was to cease to function. People had to pull their boxes off-line to keep from getting repeatedly infected.

The confusion and panic that followed lead to the creation of CNet and was the start of most of the big, early Inet security organizations that exist today.

<old codger>
You young whippersnappers don't know from worms. We used to create worms on punch cards and you had to mail them around to get infected! Those were the days!
</old codger>

I suddenly feel old and have to go lie down....

=tkk

--
Bill Gates - Creationist?!?
If that happens... by SpanishInquisition · 2001-08-15 06:49 · Score: 5, Funny
We just have to claim that Linux worms :
- are faster
- are more portable
- use less ressources
- can be more easily modified since you have access to the source
- Aren't tied to a single vendor
That should make the point of the superiority of Linux worms over Windows worms and end all the FUD.
--
Je t'aime Stéphanie
It can happen by huh_ · 2001-08-15 06:47 · Score: 5, Insightful

You all say that Unix admins know more, or that open source programs have patches out faster, but what about all those people who know little about linux and install it. They can just as easily leave their computers unpatched, running 24/7 using some cable provider. More and more people are trying out linux, it doesn't mean all of them are smart. So of course the same thing can happen.
1. Re:It can happen by Rick+the+Red · 2001-08-15 07:30 · Score: 5, Insightful
  
  You're absolutely right, which is why it's just as important for Linux distributions to come locked down tight as it is for Windows distributions to come locked down tight. Microsoft isn't listening; are RedHat and the others?
  Also, Microsoft is supposed to be open to XP configuration changes by the hardware vendors. Does that extend to default security settings? If so, we can only hope that PC Magazine and the rest will rate new computers on how secure they are out-of-the-box. Are Dell, Compaq, Gateway, and the others listening? Is the computer press listening? If I know Dells come secure but Gateways ship Microsoft-default-wide-open, I'll recommend Dell to my friends and family. If I know Debian comes secure but RedHat installs wide open I'll recommend Debian. But only if I know, and I'll only know if the press does their job and tells me.
  This is a social problem, not a technical problem, and it requires a social solution. That means that everyone in the society must play their part -- the companies, the press, and the consumers. If Microsoft won't be a good citizen, bad on them. But why should they be a good citizen if their enemies are not, and especially if their friends are not?
  
  --
  If all this should have a reason, we would be the last to know.
Code Red by briggsb · 2001-08-15 06:47 · Score: 5, Funny

Talked about his experience as a worm. In the interview here. It has some advice for newer worms and viruses.
except by linuxpng · 2001-08-15 06:43 · Score: 5, Insightful

don't most UNIX admins need to know something about the OS other than the size of the install base therefore actually patching their security holes in a reasonable amount of time. Let's not forget the issue is NOT microsoft's security hole. All oses have that, it's that the userbase is not up to date on installing the security fixes. We just hope everyone who bashes MS will patch their own holes come unix worm time.
Sendmail? Elegant? Minimalistic? by alispguru · 2001-08-15 08:46 · Score: 5, Funny

In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).
That's the first (and hopefully only) time I ever hope to see the words "elegant", "minimalistic", and "Sendmail" together in the same sentence.

--

To a Lisp hacker, XML is S-expressions in drag.
I'm a heretic, baby by kisrael · 2001-08-15 06:58 · Score: 5, Insightful

I'm not a very close observer to any of these things, but it seems like the recently noticed telnetd exploit has really screwed over more sites than Code Red has, which seems more of a bandwidth hog. I mean, a years-old simple string buffer overflow giving root access on so many linux boxes is inexcusable for people trying to "sell" Linux on its general security and reliability...

--
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
1. Re:I'm a heretic, baby by The+Troll+Catcher · 2001-08-15 07:28 · Score: 4, Insightful
  
  Of course, the very fact that you're running telnetd at all means you don't give two craps about security.Do you have ANY IDEA how easy it is to sniff passwords from telnet? I tell you, it's scary. When someone rooted a box here a while back, I looked thru the sniffer log and found working root passwords for a number of HP-UX machines here...
NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO! by leonbrooks · 2001-08-15 15:03 · Score: 4, Informative
No matter what OS you are supporting and using if you as an Admin dont have the proper service packs and updates installed then your OS will be a victim sooner or later.

"Sooner or later" is effectively a LIE because whether it's sooner or it's later makes a huge difference in securityville. You're also ignoring the ``quality'' of the intrusion (such as carte blanche versus mere DoS).

Me for later, much later. While I could do even better, I use Mandrake 8.0 for production work. It's a bit bleeding edge in some ways - and I pay for that - but it comes with two massive advantages over many Linux distros: it installs reasonably securely unless you tell it not to (warns you when you install world-visible services and if you choose a "high security" install even disables those), and it can automagically update itself. Debian users in particular have long had these comforts.

All Linuces have at least five huge additional advantages over Windows:
1. There are significantly less holes to start with, because (among other reasons) they are generally implementation mistakes rather than systemic design flaws; and
2. If a hole opens, the damage that can be done is less because you don't automatically get ring-zero (better than administrator/root) privs; and
3. Patches tend to come out sooner and often involve no more than restarting a single service rather than downing the whole machine; and
4. Tricks like chrooting the whole service, and/or using the immute bit (chattr +i) plus running with a kernel incapable of removing it (patch or capabilities) and a chattr program/syscall that rings bells and flashes lights instead of ch'ing the attrs, and/or one-way capabilities patches are simple to do; and
5. Most distros arrive with secure remote administration, so dealing with a widespread attack (successful or not) is much easier; and (-:
6. for Win 9X/ME in particular :-) distinction is actually made between superuser and mere mortals
Yes, administration makes a big difference, but all OSes are a loooooong way from interchangeable when it comes to vulnerability.
--
Got time? Spend some of it coding or testing