Is the Unix Community Worried About Worms?
jaliathus asks: "While the Microsoft side of the computer world works overtime these days to fight worms, virii and other popular afflictions of NT, we in the Linux camp shouldn't be resting *too* much. After all, the concept of a worm similar to Code Red or Nimda could just as easily strike Linux ... it's as easy as finding a known hole and writing a program that exploits it, scans for more hosts and repeats. The only thing stopping it these days is Linux's smaller marketshare. (Worm propagation is one of those n squared problems). Especially if our goals of taking over the computing world are realized, Linux can and will be a prime target for the worm writers. What are we doing about it? Of course, admins should always keep up on the latest patches, but can we do anything about worms in the abstract sense?" Dispite the difficulties in starting a worm on a Unix clone, such a feat is still within the realm of possibility. Are there things that the Unix camp can be learning from Code Red and Nimbda?
I'm waiting for someone to write a worm that's cross-platform and exploits just about everything.
That'd be a big worm, though. And it's about time that Microsoft stops hogging the worm marketshare!
Do you like German cars?
Just say NO to closed-source products.
It seems like it would be a stupid answer to this question being as UNIX code is generally cleaner than Windows code. My understanding is that the hackers are just trying to exploit weaknesses. The best solution for that is to not have weakness. And if you do, fix it (patching, etc). It seems that most viruses are written for MS products (ie Outlook) anyway, but being as UNIX programs or opensource programs are pretty clean and tight, there's not that worry.
I don't think there really is anything to be done differently....
What smaller marketshare? Check out the Netcraft survey if you don't believe me. I think better programming is the reason we aren't seeing any worms targeted at linux web servers.
By having many releases of Linux distros at various times, when you get the most recent version you are up to date on protection (whatever that may be). On the other hand, M$ does not bother to incorporate their patches in later CDs of their OS. For example, the Oct 2000 patch was not incorporated in a w2k/iis server sold this summer. It's only 9 months later...
Being a computer geek does not releive you of aneed to use good grammar. It's "dEspite"..
No one runs *nix as root.
Unless you have root, you can't do much damage to a system.
It's impossible to get root on a *nix system without permission, because it is designed that way.
The UNIX world already had a worm that recursively exploited security holes and spread, back in 1988.
THAT was the worm to learn from, not Code Red!
Worms aren't just a Microsoft thing. You should know(remember?) that the first worm ever written infected many *NIX systems (and the net in general) quite badly.
The only thing stopping it these days is Linux's smaller marketshare.
That, and the fact that MOST *nix users/admins tend to be a bunch of computer dorks, like us, and will be sure to stay up to date on security concerns, or at the very least, clean their system of the worm in a timely fashion.
Even if Linux gained market dominance, it wouldn't quite be the monoculture that Windows is. There are many distributions of Linux, which put important files in different places. This isn't insurmountable but it does make writing a worm capable of running rampant a wee bit harder.
Also, it's my experience that (for now) people who set up Linux to run on the net are a little bit more clueful than NT administrators. NT seems to encourage the idea that any moron can run it because it's point and click. This isn't true; it takes more work to effectively admin an NT box than a Linux box.
There have and will continue to be worms. Worms are most successful at any point of monoculture. (sendmail; bind; IIS) The solution, then, is not dominance... but diversity.
People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
I for one close all ports that I don't need to be open. At work this means my linux box listens on zero ports. I don't execute code that people send me in emails (though no one sends me linux executable stuff, just MS crap; people are wiser than that). If I do open a port I update update update. 'nuff said. Most of these worms exploit known bugs that MS users haven't heard about but the patch has been out for months.
Remove the spam reference to email
Or any other form of auto-updater. Remember, Code Red and Nimda used holes that were patched months ago.
Patch the holes that are inevitable. Patch them early.
Certainly! First, that such worms affecting Microsoft servers are very good for Unix/Linux business! :-)
Secondly, that 'integrating' everything under the sun into the OS leads to security holes and maintenance problems.
Finally, that Open Source is better in terms of the actual number of security holes - which will certainly decrease over time (which is apparently not the case with Microsoft products).
Worm propagation is more of a \Theta(2^n) problem, given an infinite pool of vulnerable, unaffected machines.
I thought it was Nimda....
Could blame the spellchecker, but admin spelled backwards? Come on....
I don't believe we should be AS worried as all the windoze users out there. It's the *nix users who are creating the horrible virii (or so I'm guessing, due to the "elitist" status of many *nix users) which windoze machines "just happened" to be susceptible to. We obviously should continue to keep security tight in case of future intrusions.
Don't run daemons that are known to have buffer overflows. Bind, sendmail, NFS, LPRng come to mind. If you must run them, research either replacements in bind's and sendmail's case (djbdns, qmail, postfix) or proper setup in NFS's and LPRng's case.
Further, don't run daemons that send a unix password in plain text over an untrusted network (i.e. the internet).
Finally, run a firewall to limit access if your box is on the internet or on a DMZ.
Just read this and protect yourself.
This is a pretty pathetic ask/.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
UNIX/Linux has already been hit with worms. It's no more difficult. The Lion worm that affected bind a few months (9?) ago is a good example.
Dispite the difficulties in starting a worm on a Unix clone, such a feat is still within the realm of possibility. Are there things that the Unix camp can be learning from Code Red and Nimbda?
Sure, right now there are almost no linux virii, but if it ever does gain widespread acceptance you can be sure the virus writers will target it...
There should be an antivirus program for linux... the only problem being, who wants to write a program that may never be used?
I suppose there would be enough time to write it when the viruses start appearing..
Then again, perhaps I'm overestimating the self-preservation instincts of the script-kiddies.
If I see one more person write virii instead of viruses... Virii is not a word!
Not only does linux have a smaller market share, but there are also so many varieties and configurations that writing one that can attack a significant portion of that marketshare would seem quite difficult. Add to that that Linux users tend to be better informed on these things, and it's less likely to find vulnerable systems. Most importantly, any infected boxes would probably soon become obvious to the admin, and it would be fixed. There's really no excuse for Code Red to still be propagating.
that people who run different Unix platforms (Linux included) are typically more aware of potential security holes that their applications/OS may have. People usually are subscribed to CERT's mailing list, and although the advisories come out after the initial uncovering of a worm/virus/exploit, the people who take care of these boxes have a good idea of what's installed on their boxes, and know where to look for more proactive administration. I think a big reason why Microsoft software is a target that seems to be much more affected (not only that it is a bigger market-segment share) is that its users are normal users, not your everyday 1337 user, so they will not necessarily know what's wrong with their system (let alone what's installed) until something bad happens to their system. So I'm not sure it's a question of are we vulnerable in the Unix world, but the question should be, how much more aware are we in the Unix world OF potential exploits, or even how much less aware might we be?
Security is only an illusion; we can't be 100% secure without sacrificing our privacy and/or comfort, and even then that won't guarantee our security. Ask yourself this: is it easier to destroy or to create?
I say we should do the same thing as U.S. does with terrorists. Find the worm writers and beat them to a pulp. We'll make them our bitch.
It's hard to not be "one of those smug Linux geeks" this week. However, my Linux- and FreeBSD-lovin' friends, our day will come if we don't keep watching out for ourselves. Keep your eyes open and your ports closed.
Unfortunately, doing constructive work (i.e., fixing the security hole) is always more difficult than doing destructive work (e.g., rm -rf /). But worm/virus writers seem to have plenty of time on their hands...
Dont spite me ...
The only thing stopping it these days is Linux's smaller marketshare.
I thought apache had a majority share of the web server market. One that has been hit by worms, and those worm writers usually choose IIS despite its smaller market share.
It could be because IIS has more exploits...
Being a nitpicker does not relieve you of the need to spell properly (releive?), use correct spacing (aneed?), or punctuate correctly (is it . or ...?).
Yeah. It was the classic example that we studied in my Computer ethics class. Sounds sort of like the Nimda worm in that it had four different methods of spreading. The only thing that stopped it from being even worse than it could have been was a programming error that caused it to fill up memory and eventually cause the infected machine to crash.
Yes, it affects us Linux people!!!!!
Okay, here I go, proving my lack of server programming skilz: is it really so hard to prevent buffer overflows? Why does the length of a URL (for example) ever cause a server to crash?
It seems like every time you get input from the outside, you would only accept it in segments of a known length, and whatever was longer would just wait for the next "get" or whatever. At least this is the case in my (obviously limited) socket programming experience. So when some program is hit with a buffer overflow error, does the team of programmers smack their collective head and say "d'oh"?
Back in ancient Persia they would tie someone to a boat and pour honey on his stomach. They would also leave some meat. And add the maggots and other cute little lifeforms. In the space of a few weeks they would eat the victim alive.
That's one way to solve the problem.
Worms are not a new phenomenon. What new can we learn from Code Red et al that we shouldn't have learned already? The lesson, as always, to sysadmins is basically, keep your patches up to date; to developers, don't write buggy code. (Particularly code with silly errors like buffer overflows. C'mon, folks, bounds checking!)
Yes, I know it's not really that simple, but in many ways, it is.
Now, this doesn't alleviate all the problems of course, because even with "normal user" access a person can still do some damage. The web pages are probably owned by that normal user, so with normal access a person could alter your content. The normal user could set up cron jobs for himself such that he attacks other machines later, and thus you can still get propagation without root. So this still leaves open the possibility of having DNS attacks (since being a part of the attack doesn't require root privileges; just any user will do). But it doesn't really leave any way to mess up the target machine permanently. You couldn't alter the httpd program, for example, since it isn't owned by the same user as the user ID it runs under.
At worst, you lose the web pages themselves, but most likely you have those copied over from some other location as part of your "I'm going to edit in a scratch area and then install these changes for real after I try them out" technique.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Microsoft has delayed the XBox.
I submitted this as a story but apparently it's not juicy enough (rejected).
Since there are so many different distributions of Linux compiled with different versions of gcc, different optimization flags, etc., does this make life hard for "binary only" worms? The thinking being that to exploit a garden variety buffer overrun in a controlled way, one probably needs a highly specialized worm code. So even if the same version of some vulnerable software is installed on different Linux distributions, one may be attacked by a particular instance of a worm, while the other one is not. Or that a hand-compiled version of a critical piece of software is less likely to be infected by a worm, provided some non-standard compiler settings are chosen?
Is this a significant effect which limits the spread of worms on Linux?
Let's face it, Linux comes and has come with ipchains and now iptables for firewalling, and many other UNIX flavors have similar features. Linux and the UNIX community think about things like proxy firewall combinations, where Windows is only now starting to think about this. It is not until the release of XP (or the anticipated release, as it is not out) that windows is by default including a firewall.
People in the unix community also tend to be more aware of what is going on on their system. They have logs and there are tools to view them.
While I do not dismiss the possibility that if Linux / UNIX got to be as popular as windows then there would be more 'attempts', I think that because of the nature of Linux you would have a much harder time of spreading a worm like code red.
A good UNIX administrator is going to spend time in configuring his web server and securing it. If they do not think about this then they are no good.
If you are wondering how secure your computer is try these two sites. They'll help, but don't try this at work or you may piss off your admins. https://grc.com/x/ne.dll?bh0bkyd2 or http://scan.sygatetech.com/
Certainly the robust UNIX security model is one reason we haven't seen as many worms. The strategy of creating a separate "www" or "http" user to run Apache, a "db" user for the database, etc., is common and very wise. If somebody co-opts your web server, at least it can't wipe your db. It still has weaknesses -- it's sometimes necessary to grant more permission to certain users/processes than you might like, and it requires a lot of vigilance from sysadmins, but it works quite well.
I wonder if there isn't a way of generalizing this to allow more sweeping, more generalized expressions of security rules. A UNIX install has soooo many little apps, and so many points of contact for everything, it's sometimes hard to say "I want all apps that could access X to have permissions Y, or go through access point Z." TCP wrappers are a good example of the kind of thing I'm talking about -- they provide a single point of access and control for all things TCP, and they make it much easier to set up very broad rules that you know cover all possible cases.
Am I making any sense here? How might an OS take on this issue in the general case? It seems like one next logical step for UNIX security.
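The separate-service-user model the post above describes rests on one mechanical step: the daemon starts as root (to bind port 80), then gives root up for good before it touches any input. The C example below is added here to show that step and the check that goes with it; it is not code from the thread or from Apache. It assumes a glibc/Linux-style getpwnam/setgroups API, and the account name "nobody" is a placeholder for the dedicated per-service account the post recommends.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to a dedicated service account, the step a daemon that has
 * to bind a privileged port takes right after the bind. Order matters:
 * supplementary groups, then primary gid, then uid. setuid() goes last,
 * because once the uid is unprivileged the other two calls are refused.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *user) {
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        if (errno == 0) errno = ENOENT;   /* account simply does not exist */
        return -1;
    }
    if (setgroups(0, NULL) != 0) return -1;   /* no inherited group memberships */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

/* Post-condition check a daemon should run after dropping: the process must
 * not be root and, more importantly, must be unable to become root again.
 * Returns 1 if privileges are really gone, 0 otherwise. */
int privileges_dropped(void) {
    if (getuid() == 0 || geteuid() == 0) return 0;
    if (setuid(0) == 0) return 0;   /* a leftover saved uid of 0 would let this succeed */
    return 1;
}

int main(void) {
    /* "nobody" is a placeholder; a real daemon gets its own account so that a
     * compromise of one service cannot touch another service's files. */
    const char *account = "nobody";
    if (geteuid() != 0) {
        printf("not running as root; nothing to drop (uid %u)\n", (unsigned)getuid());
        return 0;
    }
    if (drop_privileges(account) != 0) {
        fprintf(stderr, "drop to %s failed: %s\n", account, strerror(errno));
        return 1;
    }
    printf("now uid %u, irreversible: %s\n", (unsigned)getuid(),
           privileges_dropped() ? "yes" : "no");
    return 0;
}
```

The bind-then-drop order is what lets the "www" user own nothing but the content it serves: the listening socket is inherited across the uid change, while the httpd binary, the database files and everything else owned by other accounts stay out of reach, which is exactly the containment the post credits for the lack of Apache worms.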
Microsoft systems are more susceptible to worms (IMHO) because the level of computer knowledge is way higher for Unix users than it is for Microsoft users. I mean this sincerely, and not just as flamebait.
Consider how many Unix users would actually just open their emails and run attachments blindly. I would venture that there are a ton more Microsoft users that actually do just that!
there have been worms exploiting *nix boxes, I think that the biggest difference is that running a *nix box u HAVE TO KNOW WHAT U DOING, not like Windows system that u just mark a couple of checkboxes to make a system secure. Unix let u specify exactly which services the computer will be offering on a network, and as long u keep those services secure u make lot for the security of the system. If u left unused ports open u can become a target of some exploit...
Also, most of the sys admins on the *nix world are reading about security issues related to their systems to protect them, while a lot of the sys admins of windows systems (at least the ones i know) dont do it...
Being worried on ur system and the way it is working is a big thing on Unix world.
what difficulties?
Whenever an inexperienced user brings up a redhat 7.0 or lower box on our network, it is exploited within 12 hours. Within 24 hours I have received email from admins on other networks informing me that the redhat box has been probing their network. 1 minute later I have informed yet another user that it takes more to do my job than booting off of CD and following instructions on the screen.
Someone out there has already taken advantage of the various vulnerabilities found in older distros.
Lessons learned? I am reminded of something my brother told me:
Having your own box appeals to the pioneer spirit: your own plot of land to develop as you please, fighting off the savages, protecting from the elements.
In other words, every time you run software which other people will somehow have access to (users running desktop software, server software connected to the internet, etc.) you will need to constantly monitor and upgrade that software.
Let's not forget that what was probably the first worm, the Morris Worm, was released on Unix machines. I don't remember the year, but it was in the early days of the Internet when about all there was out there was Unix and VMS. The lesson that the Unix community took away from this and other incidents was that they needed to secure their machines and tighten up code. The point here is that no system is immune. When I first started out in the Internet field, almost all attacks were launched against Unix and VMS machines because that's about all that was hooked up to the Net on a constant basis. So, don't get smug just because Microsoft is victimized today. After MS dies a fiery death, something else will become the dominant system on the net and that will be the most attacked system.
Do you really think Microsoft OSs are the first to encounter a worm? They've been around longer than Microsoft. And why would it be any harder to infect a Linux box? Unless you're referring to a) the general lack of functionality and robustness and b) the fact that it's mostly techno geeks running Linux that are a bit more educated on internals and security than the average Windows user (they have to be in order to get anything to work). If you're counting those 2 points, then yes, it might be easier.
Basically, back in the day worms only affected UNIX systems because they were pretty much the only systems that were networked and multi-user. Hence, you could write a worm on a major UNIX system and its effects could be felt by all the users on that system. These worms took knowledge of UNIX and usually programming in C. Today's script kiddies are "writing" viruses using virus generation programs to dump out a lame vbscript to affect outlook users. I think many of the older "hackers" have lost interest in the whole scene or have gone out and gotten high paying software jobs. The major reason for this is because the original worms were written by hackers to show off & display weaknesses in UNIX systems. Now, script kiddies write viruses to show off, but also to cause damage to tons of people. It takes a great deal less skill to point out the weakness in windows ... it's just not built for security by design, it's built for usability.
...wouldn't the actual OS security features be the biggest factor (i.e., forced logins and priv levels vs. global access for all)?
Can someone explain this in terms that a retard like me can understand?
Remember the Ramen worm? So, yes, it is more than a possibility.
Thankfully I trust Apache more than I trust IIS. Also the marketshare thing does help and the fact that Red Hat now disables every network service by default helps. We are safer but by no means in the clear. We just have to keep our eyes open and our systems patched.
I suspect the lack of worms is:
Fortunately the default installs of most of the mainstream distributions are getting more secure as time goes by. And while RedHat traditionally isn't quite as easy to set auto-updating up for as Debian is, it's still pretty easy to keep up with the security patches for it. I'd really like to see the package maintainers package at least some of the more traditionally insecure packages (*Cough*Bind*Cough*) in ultra-paranoid configurations, say, statically compiled and chrooted. It hasn't been enough of an irritation for me to go do it myself though.
We all pretty well know, though, that security is more what the user does with the OS rather than how inherently "secure" the OS is out of the box. FreeBSD is by reputation one of the most secure OSes available but I could take that thing and install a bunch of servers with holes in them and be no better off than if I was running Windows 2000 doing the same thing.
If I recall correctly, Linux's marketshare among webservers is around 40% (Apache has 61%), while Windows' is around 25%. Considering that worms spread among servers, and that among the top webservers there are lots of Linux but barely any Windows, worms "should" spread much more easily under Linux/Apache than under NT/IIS.
Several studies from Netcraft to Securityspace show you that neither IIS as webserver nor NT as OS is the most popular among Internet servers.
Hello. How are you?
I send you this tarball in order to have your opinion.
If someone goes through the trouble of downloading/buying Linux and setting it up as a public server they're probably a lot more computer literate than most windows users. They certainly would understand the need for patches and probably read some kind of Linux news site to keep up.
Now if Linux had windows' market share, it would have to come pre-installed with a new PC and not require the user to do much more than just use the GUI. Which is fine as far as I'm concerned, but we can also assume a Linux dominated universe would be full of unpatched servers too.
Maybe untreated Windows exploits are heading toward extinction. It's easy access to the internet that has created such a huge market for anti-virus software. Maybe we'll start seeing Windows shipping with an MS or a third party patch manager in the near future. Or something like NAV with a patch checker. "No viruses found, you are open to these attacks, please go to this URL to download the patches."
linux has got the market share of smart users. Now it must expand and get stupid ppl to use it too. This means the new wave of linux admins will be dumb ass ppl who don't know how to sort their boxes out, and worms will also infest linux as well, so that we will also look like stupid windows users just cos we use linux because of these dumb ass ppl.
Why do you think it's harder to create a *nix worm? I mean the basic principles of worm propagation work under any platform if there are any security holes. Certainly *nix does occasionally suffer from security vulnerabilities, if perhaps less than Windows. Look at the ramen worm that was going around recently. I STILL get scans on my box for that vulnerability. Certainly the scale is less dramatic because of the fewer *nix systems out there, but it's not like writing a worm for unix is somehow more difficult than for windows.
I am very concerned about UNIX/Linux worms. Not only is it possible, but it is probable. As much as I dislike Microsoft, they DO release security fixes for their products, usually before a worm is written to exploit the vulnerabilities. The same goes for Linux, BSD, and any other actively maintained operating system. So why are these worms causing so much trouble? Because the average user has no idea how their OS works, and no clue about security. With the recent advancements in user-friendliness, the same thing goes for Linux too. For example, the statd worm family, which had rooted every insecure RedHat machine in 24.*. With matters like this, it is not the OS that matters. It is the user/admin of the OS being clueless about security. Until users learn how to apply security patches, and learn to keep up with the latest security news, these things will be commonplace. I sincerely hope that this recent outbreak of particularly nasty worms will get more users and admins interested in keeping their machines secure.
Is it that the username might be 8 unicode (or other multi-byte format) characters?
Just a quick hunch...
There have already been a few Linux worms:
One thing pointed out in most of the cases is that there had been patches out for at least a few months that would have protected the computers from attack (Just like Nimda). It just goes to show that it isn't just Windows admins/users who don't keep up-to-date on security.
If someone doesn't patch their Windows systems why would they patch their Linux systems? Doesn't matter if the patch is out 2 seconds after the bug is revealed if the admin doesn't take notice and act.
Worms are definitely a problem on all platforms. But the *nix world has a bigger advantage over the Windows world. In our world, code is written with lots of thought towards quality and strong design. Windows, well, is questionable. Certainly *nix has exploits, but those that exist require a GREAT deal more skill to exploit than those that exist for Windows. Therein lies our safety net.
Most people who have the skill to code worms for more secure and robust *nix platforms are probably mature/responsible enough through their experience to not do something so utterly foolish. However, if they do decide to do so, they end up trying to do a positive thing for the community! (Anyone remember those Linux worms that FIXED the exploits they took advantage of before moving onto the next box and cleaning themselves up?) Besides, look at the very few malicious worms we have seen for *nix platforms. They didn't last long. The OSS community has a VERY quick response time to big problems and the admins are generally more skilled and knowledgeable about applying patches.
I say, let's enjoy this while we can. It's kind of amusing to see MS admins scurry around, trying to stick fingers in all the leaks. It's risky to say "it serves them right", but that's for only weighing mundane factors in deciding what platform to use. And for those companies that reject OSS products, well, they get what they deserve for thinking "stuff that doesn't come from a company mustn't have any quality". Pah. Worms with the scale of NT aren't a concern for us. Let's parade this around as a reason to support and use open software.
Why bother.
In the real world, the way you become immune to diseases is to get them or get vaccinated. Maybe we need to take this model and apply it to computer security.
How about forming a company, call it WormCo, that will take standard distributions of various flavors of Unix and Linux, let a group of hackers have at them, and then have a second team that creates the vaccine - i.e. patch(es) - for that worm or virus.
This company will be funded by subscriptions from the folks that want to keep their servers safe and secure. The staffing will come from a crew of permanents (who will try to break systems and create the patches for the worms and viruses that they and others discover), and by a crew of virus writers that get to play in the sandbox and get a bounty for every worm or virus they create.
IIS does have a smaller market share in terms of commercial websites out there. However, there are lots of clowns at home on DSL or cable who are running win2k.
Many people run IIS without knowing it, so I think there are many more vulnerable machines out there than just the webservers.
Granted, IIS probably does have more exploits, but the real problem is that windows users usually aren't on top of patching them up. There are plenty of exploits out there that exploit linux, but there aren't as many issues because admins patch regularly, and the smaller market share.
Actually, it would probably be easier to attack UNIX with a worm. There are more UNIX machines out there than Windows machines, and most of them are probably just as poorly maintained in regards to security.
So why don't people write more UNIX worms? I think the first big problem with a UNIX worm is the portability problem: getting a worm that runs well on all of the different CPUs, UNIXes, Linux distros, etc. out there would require a pretty badassed coder. Anyone good enough to do so probably wouldn't waste his time on a worm since he could get paid obscene amounts of money for coding something more productive.
On a more positive note, I think worms generally target Windows because computer users in general don't really like Windows. Jokes about Windows being unstable/buggy/insecure/slow have gone from being a subsect of geek culture to a repetitive theme in popular culture. People run Windows mostly out of necessity, because it is the only desktop OS that provides access to a large variety of commercial software, and runs on cheap, non-proprietary hardware. People who use UNIX do so because they want to, and they like doing it; therefore they are less likely to produce something as random as a worm. (I am leaving crackers/s'kiddies out of this as they have far different motivations.)
I think several approaches will help us combat the spread of worms on Linux/BSD/OSS:
Default installations should not enable services that listen on external interfaces. You should have to know enough to re-enable these services securely.
Agents such as the RedHat Network updater should be common (and FREE!). You should be able to specify what services you're interested in checking regularly and automatically (those that you've enabled) and have any remote root exploit patches found for those services applied automatically (if you want.)
An open source IDS might also be useful, only if it's updated quickly & by a trusted group. In conjunction with the agent, its checklist would certainly be able to be updated quicker than a patch.
Finally - what about a distributed reporting system agent? It should reside on a system and get its checklist from an external source. If it finds a known worm attack, it can send out a quick update to a centralized database alerting them to the fact. If the ISPs would work with us, they could regularly scan that database for their address space and make the necessary adjustments. Sort of like a Seti@Home system for ratting out your infected network neighbors.
Some of these ideas, I know, are a bit of a reach (especially the last one, imagine the abuse potential!), but the first three could definitely be done and done right by the security-conscious *nix community.
I'm not sure on the statistics, but I'd imagine the primary vector for the recent worms is infectable IIS servers, my thought being that they are servers and that they have large resources available to spread the worms.
:)
Something admins learn (or should) in sysadmin 101 is that you disable things you don't use. A lot of the traffic I see from infected servers comes from IIS installations that aren't even running a website.
Here is my jab at all you MCSEs and the like out there: Most unix admins (currently anyway) know that you have to keep the software up-to-date and take an active interest in learning about the newest threats. My own, private, personal experience is that NT admins don't, as a group, have the same "do it yourself" culture. As if that wasn't enough qualification, a lot of NT admins DO know their schtuff inside and out; they deserve raises.
Microsoft IIS contains many blatant holes and ridiculously insecure default settings. Their nearest competitor (Apache), which just happens to have double their market share, hasn't had a hole of this type discovered since 1997.
If Apache can accomplish this while still running on over 60% of the web servers out there I think it's obvious the blame lies squarely with Microsoft and statements such as "anyone else in their position would be having these problems too" are just plain silliness.
When printing strings in sprintf, use "%.*s" to enforce a maximum size on the output. snprintf does the same thing, but you actually get to be a little sloppier, because you don't have to worry about the individual pieces.
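An added example (my own code, not from any poster in the thread) contrasting the two bounding styles the comment describes: `sprintf` with `"%.*s"`, where each string conversion carries its own cap and the total has to be added up by hand, versus `snprintf`, where one bound covers the whole buffer and the return value reports truncation. The field names, buffer size and the 40-character sample user name are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed output buffer shared by both variants. */
#define OUT_LEN 32

/* Style 1: sprintf with "%.*s". Each string field is capped by its own
 * precision argument, so the total is bounded field by field:
 * "user=" (5) + 10 + ";host=" (6) + 10 + NUL = 32 bytes, exactly OUT_LEN.
 * Every conversion must be bounded this way or the sum is meaningless. */
int format_with_precision(char out[OUT_LEN], const char *user, const char *host)
{
    return sprintf(out, "user=%.*s;host=%.*s", 10, user, 10, host);
}

/* Style 2: snprintf. A single bound covers the whole buffer, so the fields
 * need no individual caps. Output that does not fit is cut off, and the
 * return value (the length that would have been written) tells you so. */
int format_with_snprintf(char out[OUT_LEN], const char *user, const char *host,
                         int *truncated)
{
    int n = snprintf(out, OUT_LEN, "user=%s;host=%s", user, host);
    *truncated = (n < 0 || n >= OUT_LEN);
    return n;
}

/* Helpers returning scalars so the two styles can be compared directly. */
int precision_output_len(const char *user, const char *host)
{
    char buf[OUT_LEN];
    return format_with_precision(buf, user, host);
}

int snprintf_was_truncated(const char *user, const char *host)
{
    char buf[OUT_LEN];
    int truncated = 0;
    format_with_snprintf(buf, user, host, &truncated);
    return truncated;
}

int main(void)
{
    /* Constructed sample input: a 40-character user name, longer than
     * either style's budget allows. */
    const char *long_user = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char buf[OUT_LEN];
    int truncated;

    format_with_precision(buf, long_user, "example.org");
    printf("%%.*s  : %s (%zu bytes)\n", buf, strlen(buf));

    format_with_snprintf(buf, long_user, "example.org", &truncated);
    printf("snprintf: %s (truncated=%d)\n", buf, truncated);
    return 0;
}
```

The "sloppier" point in the comment is visible in the second function: nothing about the format string or the arguments has to be audited for length, only the buffer size passed to `snprintf`, and the caller still learns from the return value that data was dropped.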
What is a problem for IT is an even greater problem for agriculture. Rice and corn diversity have greatly decreased, which leads to serious risks, putting especially developing countries in danger. One parasite/disease could destroy the entire harvest.
Of course, large companies like Monsanto deny this and keep pushing their products and binding customers with highly dubious tactics, like their terminator technology (sounds familiar?).
- Andreas
While client market share for Windows is undisputed, Apache has close to 60% of the web server market. I haven't received a single readme.exe attachment.
Current Nimda stats are:
26900 attempts on 2 servers.
Apache (on *n*x, anyway) is not vulnerable to worms in the same way IIS is since it runs as notroot.somegroup. The only thing an Apache web server worm (on *n*x) could do is muck up the web server.
*n*x mail clients don't (at least yet) do a
file this_attachment
if file is ELF, or a.out
chmod +x this_attachment
execve this_attachment.
This isn't to say *n*x is immune. Just why Win* is not. Not because of market share.
www.dedserius.com
VB != VisualBasic
You could call it marketshare.. but the worm problem really isn't about an OS.. it's about individual applications and technologies.. the environments the worm can flourish in. A cross platform worm is entirely possible.
As for our 'goals'.... whose goals are those? Who wants linux everywhere? Use the right tool for the right job. If MS actually made something that was better for a job, I'd use it. (IF.. big IF)
Oh, wait, you say there has been a big UNIX worm already? I didn't know that, I've only been a UNIX guru for 3 months. Thanks for the tip!
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
But if I don't run Apache as root, my kernel module replacement CGI script won't work!
So you're talking about a worm that will connect to machines that are owned by different people and execute arbitrary code on those machines. This is still not right to do, and I'm sure the FBI would not smile upon this behaviour.
Also consider the possibility of simple error. If I write a "White Hat" worm intending to make things better for people, but wind up hurting them, how "White Hat" is my action?
The biggest obstacle, AFAICT, is making solid security Ease-Zee.
Certainly many commercial outfits haven't successfully solved this problem yet and there are still plenty of opportunities for spoofed trojans with fake internal certifications.
I mean, when I download a package, it usually contains its own references to valid signatures, etc. Or, the md5 signature is kept in another file, but on the same ftp server.
Better are package maintainers that digitally sign their products. I'd like to see more of that, maybe in conjunction with multiple certifying authorities that can verify the signator's credentials. I don't need a system that compromises the anonymity of me or the package writer - just something that verifies that a package originated with a consistent unique individual.
Do modern CD distros of GNU/Linux and other OS come with anything like a set of multiple certifying authorities where package writers can register signatures in multiple places to minimize the chances that a fake can be passed off on innocent downloaders?
"Provided by the management for your protection."
(God I hate having to defend Microsoft!) Properly configured, IIS runs as a user other than the administrator, and scripts under IIS run as yet-another-non-administrator user. This is one step ahead of how most Apache installations are run.
Still, I'd rather run AOLserver.
It is harder (not impossible) to make worms for Linux for the reason that Linux/Unixes are different from each distribution, unlike MS, which has 2 standard distributions. This inconsistency helps keep Linux free from easy-to-program worms, because, say, Apache can be located in /usr/bin or /var/http or /usr/local/apache, etc. There are no real standards for where these files are placed. Also most of these tools like Apache run as a non-root user, so if they break in there is a very limited amount of damage they can do to the system. Plus new distros of Linux like Redhat 7.1 come with a firewall utility that can be set up at startup, thus allowing those extra ports you don't know about to be closed. Windows in contrast doesn't have a firewall yet, and IIS server basically runs as administrator, so if you get in you have good control of the OS.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
maybe that should be a standard service? add the ports exploited to tarpit.rc ..
of course that wouldn't solve much but it would be something to start with.
then maybe watch for the originating server, and bring those suckers down thru an exploit (likes of back-orifice). but then you would have to be armed with something that can do that which means that a script kiddie can get their hands on it too. s/he then brings you down. we bring each other down. the entire internet is down. we have no problem. no worm propagation... 'it is one of those n square problem' -- well no more!!
Microsoft software is well spread _and_ practically uniform. Only one architecture is supported.
Even if (or when :) Linux becomes widespread it will still be less susceptible to virii and worms thanks to the wide variety of architectures, kernels, configurations.
Rest easy. Yes Unix can have worms and in fact it has happened.
This worm was fixed about as quickly as possible. The only real problem was getting the fix out as the worm had seriously disrupted the primary means of getting the patch out.
The time delay for Microsoft patches is a great deal longer and is due to development delays not distribution delays.
There is also a delay due to NT admin fears the patch may disrupt the system. I doubt this is a realistic fear but I have heard it once or twice. I think this is more or less the end result of the ignorance Microsoft promotes among NT admins. That ignorance is probably responsible for more problems than the software itself.
In short, once a worm is created and known, it should be a short time before a bug fix.
But not blindly....
The reality is worms are a low likelihood. You should stand ready for a whole range of issues; worms are in the bag.
Viruses are even less likely and nearly impossible. However IF we go getting paranoid about worms to the exclusion of all else... Viruses viruses viruses... because we are looking the other way.. won't you feel dumb..
Keep an eye, do the maintenance, read the logs, read Slashdot, BugTraq and so on.. keep an eye on the issues related to your system.
Worms aren't the only problem. They are an issue. They aren't the only issue.
Just don't get caught with your shorts down.
And... don't wait for someone to fix it... yeah it'll happen in 10 or 20 minutes (vs the 10 to 20 days for Microsoft) but as we learned with the last Unix worm..
Min 1. You learn about defect
Min 2. You look for someone fixing it
Min 3. You find someone
Min 4. You wait
Min 5. You wait
Min 6. It's done.. you download
Min 7. You're still downloading
Min 8. Hmm the network seems a bit slow.. you're still downloading
Min 9. Why is the network slow?
Min 10. You're crashed... you got the worm before you got the patch... you lose try again..
If someone fixes it first.. hooray... if not.. don't wait...
However remember this stuff requires a major defect in the system to work. It'll only affect one platform and only one version of that platform.
(With Linux it'll hit many distributions unless it's a distro screw up and not a real software defect..)
I don't actually exist.
anyone have any more?
another "quality" nivelo9 comment
You see, outside of the *nix world, there are things other than servers and sysadmins - they have these things called USERS.
With no guarantee of any given system calls, any given system libraries, any given applications, any given directory structure, any given TCP/IP stack, any given version of any given implementation of any given service, any given architecture or any given dialect of any given scripting language, worms have a limited scope to work with.
The "Original" Internet worm was so dangerous, because at that time there was less diversity. Certain standard daemons were virtually guaranteed to be running, for example, built from basically the same source.
Therein lay the danger for Unix - without diversity, a single virus or worm can cause untold damage. If it can affect one machine, it can affect many.
(Biologists have woken up to the same lesson. For years, it was preached that simple systems were more stable than complex ones, but it was learned the hard way that that was not the case. Biodiversity offers protection, because it inhibits the spread of hazards. By making it non-trivial for an infection to pass on, you could guarantee that real-world viruses were self-limiting in scope.)
Linux is relatively safe from virii and worms, for that same reason. There is sufficient diversity to ensure that propagation is non-trivial. The very "irritation" that turns away so many is Linux' greatest shield. With Windows, it's trivial to infect a registry, because there is only one and there's a standard way to access it. Linux has many "registries", and much code that people use won't be registered anywhere at all.
Then, there's libraries. Windows 9x uses certain very standard libraries. If it's a 9x OS, you know what you can expect. For Linux, you've got elf & a.out formats, libc5, glibc 2.0/2.1/2.2, XFree 3/4, Bind 4/8/9 (or any number of alternative resolvers, including the one built-in to glibc), etc. You really don't know what to expect.
Scripting languages? There's no telling WHAT anyone'll have. The only thing you can be sure of is that there will be a
To stay resident, the virii or worm also has to find a place to stay. Not easy to do, with Linux. With Windows, you've a choice of FAT16 or FAT32. Oh, and maybe NTFS, if you're using NT. With Linux, you could be using almost anything. Sure, people will probably use what's installed as standard, as FS migration is non-trivial, but that still leaves ext2, ext3, reiserfs or XFS, all of which one distribution or another uses.
Finally, there's security within Linux. But which security are you using this week? There's GRSecurity, LSM/SELinux, RSBAC, POSIX ACLs, various other ACL implementations, socket ACLs, and any combination of the above.
Oh, and that's not including intrusion detection software, honeypots, firewalls, and all sorts of other similar code.
In short, you can envisage a worm or virus which affects Red Hat 6.2 / Intel distributions that use the standard libraries and kernel. But you can't have a worm or virus which affects ALL running Red Hat Linux boxes - the variation is just too great. It gets much worse when you talk of all Linux boxes, and many many orders of magnitudes of absurdity greater when you talk of all POSIX-compliant UNIX kernels.
To answer the original question of "is the Unix community worried about worms", the answer is "that depends on how homogeneous any person's network is". The "worry" level will probably be about the same as the homogeneity level.
As for the community at large, the answer is probably "no". The community at large has such a high level of diversity that there is no single threat which could affect every system (or even a significant fraction of them).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I've read many times on /. about people who bought a shiny new desktop or laptop computer with Win2K installed that had IIS running from the factory setup. Most users don't even know what IIS is, let alone know if it's running on their new machine.
I'd think this is more prevalent than bad Windows admins.
As you point out, UNIX worms have existed in the past which (at a very high level) looked and behaved similarly to these recent Windows worms. Such a thing could easily happen again; while the quality of UNIX security (and Linux security, too) is head and shoulders above that of Windows, there are still root exploits for various UNIXes being posted regularly to security mailing lists, and in fact recently our local geek community over here in the bay area noted a slew of attacks (manual, it looked like, not by worm) on Linux systems, trying to exploit a known buffer overflow bug in identd.
That is not to say, however, that we cannot learn from the more recent worms. If nothing else, the sheer scale of the traffic and number of hosts involved puts fighting these beasties into a different domain. Mainstream use of the internet is at an all-time high, and the average competence of those running the internet is at an all-time low. Look, for instance, at @Home's incompetent response to Code Red, and at all of the hosts which still do not have the IIS security hole plugged, months after the attacks commenced, despite a security patch having been offered by Microsoft for any and all to use. This is what we can learn from, and we'd better do it quick before we find ourselves having to learn on the fly.
-- TTK
Most *nix users I know take an active role in the administration of their machines and are generally more educated in computers than MS product users. This alone makes it more difficult to create a general havoc exploit such as CodeRed and Nimda, let alone the fact that people were coding and developing *nix OS's before MS was a twinkle in Bill's eye. Thus, if a worm were to be made, the very nature of *nix's is a defense in and of itself, because the OS has forced the 'home user' to become more aware and knowledgeable about the beast of a machine they are using instead of taking everything for granted (the very reason *nix is not in every household and most likely never will be)...people don't want to come home from a long day of work and have to THINK about maintaining their computers...they want the quick and easy way out...which just so happens to have a quick and easy way to enter/attack...but that is the tradeoff for ignorance...and as we say...it is bliss.
"Just Smile and Nod." --Huck
I think that it would be *possible* to write a worm targeting Linux machines right now, but it probably could never spread as quickly as the recent MS-specific worms we've seen. Even though many (most?) Linux distributions come with some relatively serious security flaws out-of-the-box, Linux is still a "geek OS". The average Linux user hopefully knows enough to apply most of the critical security updates, and won't be running too many unneeded services. Add to that the fact that while growing, there still aren't *that* many systems out there running Linux, and I'd say that the density of vulnerable Linux boxes out there is so low that a worm would have a difficult time spreading.
As far as the future goes, though, unless the various distributors become more and more security conscious (I believe that they are doing this), we may be at risk. Doing such things as running potentially vulnerable services as their own userid, turning off unneeded ones, and only opening ports with an actual service that needs it open to the outside may seem like common sense to hopefully all of us, but these are things that distributions should automatically do for the newbie users.
It's only software!
Capabilities rock my world and provide the capability (pun not intended) for the sort of no-nonsense secure-by-default security that people dream of these days. I don't know how effectively they can be added to the linux platform in general, since we have a lot of existing software that could break given a sufficiently odd change to the general security model. But, capabilities are a good start for creating and maintaining a secure-by-default future for Linux. Pervasive use of capabilities would make me very happy, since then I might actually have some control over what programs will actually be allowed to DO!
relevant capabilities link
In the last 2 years I've had Linux boxes attacked via rpc, telnet, named, and FTP. All have set up shop on the affected machine and started the business of broadcasting themselves to the masses. The latest was an Adore attack which is harder to detect because it installs itself as a kernel module and does not show up to (even a non-hacked) ps. The Linux world is just as vulnerable to attack as MS, you probably just don't notice it because the attackers are (at least a little) more sophisticated...
.... is that our IT department still thinks that everyone is running Microsoft software on their office computers.
Like a Weather service doesn't need any *real* computation to predict the weather, instead of playing catch up with the slow proof-reader of your next interoffice memo.
Toon Moene, g77 maintainer.
Perhaps these mystical "worm-writers" like the Linux OS. Maybe they want to destroy Microsoft's reputation so some other OS can take over.... there's one way to get ahead by making the public lose faith in the competition.
How quickly we forget that Linux too is vulnerable.
Just take a look at the number of attacks on port 111 trying to exploit unpatched RH 6.1 systems. We're not immune either!
According to the guys at the Honeynet project the average lifespan of an unpatched RH 6.1 box is 3 hours.
Remember Lexington Green!
What we may wish to develop is diversity. If any single computer/operating system/web server comprises a majority of the network, then a single worm can substantially destroy that network. This is the reason people write worms for Windows.
We are pretty sure that monocultures are not good for long-term survival. For example, one can have a monoculture lawn, but there is high price to pay in maintenance. Such a lawn will not naturally prosper. Likewise, a network mainly comprised of Windows machine is too much of monoculture to naturally survive. The prize for writing a worm is so great that people will look very hard for an exploit.
The people who buy windows machines must realize that they are trading survivability and safety for convenience. This is a perfectly legitimate trade off. The problems arise when those same people start complaining that the computers are not secure. No computer is secure, and you made the choice to be less secure by buying into the dominant culture. If you made that choice out of ignorance, it was still a choice.
So, if Linux becomes the dominant species, we may or may not be in the same mess. If there is an exploit that is common to all implementations, then nothing is different. If each implementation has suitably unique vulnerabilities, then a worm will not have the disastrous effects that we have all come to know in the MS dominated industry. Please note that the basis of any argument must assume that vulnerabilities exist and they will be found. It is a fallacy to assume, a priori, that one OS is inherently more secure.
In a sense, the value of open source may not be the perceived scarcity of security holes, but the rapid and diverse evolution of related but disparate products. We see the value of this with the release of Windows XP. The crackers have exploits written upon its release, while the public remains defenseless until MS can fix the problems.
It is interesting to contemplate that a wide variety of less secure products may make the overall Internet a more secure and robust environment.
Apache is the leading web server in market share.
Absolute Market share is not the reason Unix web servers have fewer worms.
Market share of stupid users running web servers and poor security design in IIS and NT is.
From WiredNEWS May 22, 2001 (emphasis mine)
The worm that sent Max to jail was programmed to close a security hole that was being exploited by another worm that was on the loose at the time.
Systems infected with Max's worm downloaded a software patch and automatically repaired the security hole that would have allowed the malicious worm to compromise the system. That's a good thing.
But Max's worm, which he developed by reprogramming the malicious worm, also left a secret backdoor in all the systems it penetrated. That's the bad part.
Someone else probably said so already but I'll take the risk of being redundant. The truth of the matter is that the vulnerabilities of systems is based almost entirely on maintenance. Code Red is a great example of this because long before the breakouts there were fixes in place to close the hole that Code Red needed to propagate. Code Red was so big because lazy or ignorant sysadmins failed to properly maintain their systems. *nix users are much more anal about having all the latest patches installed so I bet a majority of the *nix boxes out there tend to get exploits closed in a timely manner. This means that the holes are closed before someone has time to write a worm for that hole. Heh, "worm holes". I know it's possible to run a relatively secure windows box if you keep up with maintenance. I know because I keep some windows boxes running without suffering attacks, but the key to my success has been keeping up with updates. Again the point here is maintenance. I think as Linux moves into the hands of more casual users, it too will have many machines all over the place that are not properly maintained, and when that time comes it too will have its fair share of attacks.
Slashdot is an anagram for Has Dolts, and I am Dolt number 468543
I'm much more worried about rabies and distemper.
A site that is running Apache can also spread nimda. If the site that is served by Apache is served in some idiot's development environment under IIS, and the site is moved out to an Apache server, the nimda worm that embeds itself as a javascript in the web pages, can be spread from the Apache server (duh!). This also only works, if you move the .eml file with the html file.
I'd say there's nothing to worry about in most of North America and Europe. We've got some reasonable laws requiring the inspection of meat at slaughterhouses, so the risk is minimal. Your biggest risk is probably contracting some form of E. coli due to poor meat handling at restaurants etc.
Oh, *computer* worms. Well, that's a bit different...
It's only software!
...and when the doctor said I didn't have worms anymore, that was the happiest day of my life.
- Ralph Wiggum, Windows Admin
http://www.wired.com/news/technology/0,1282,46964,00.html
Hello?
Ramen? 1i0n? Adore? Sound familiar? It's far from the "realm of possibility" - they've already been done. And these worms haven't been eliminated, either. I work in network security, and I see SunRPC scans and DNS scans, and a whole slew of different kinds of scans on my network *several times an hour*. Yes folks, *hour*.
The fact is, people are running unpatched systems. And yes, a good majority of these systems are running Linux. The fact that the scans aren't letting up says that administrators:
A) Are too ignorant to know there's a problem
B) Too ignorant to fix the problem
C) Don't give a shit.
The thing is, the Open Source community is quick to act on these security problems and crank out a fix. In the case of Microsoft, the worms are usually a lot more destructive, thus, they receive more attention.
It's quite sad when people can't patch a two-month old exploit, however.
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Now that would be an achievement. If you found a hole in Linux/BSD and found one in Windows (no biggie), then try for either platform. And have that platform try for either platform. Nimda, from what I understand, took a step in this direction in that it went out with e-mail and http.
About the only worry I have about worms is all the impact on the network as a whole and the PITA my job is whenever one gets out.
People write the MS worms because an NT security hole is easier to find than a linux security hole. Besides, most of the people who know of the linux security holes probably are developers, who wouldn't want their name tarnished by releasing a malicious virus. As long as linux holes are patched before the hackers find out about them, linux will stay one step ahead. MS, on the other hand, has very visible security holes and none of the programmers there worry about finding them. Thus, they only release fixes after considerable damage has been done.
On my win box, I use ZoneLabs personal firewall software. Is the worm problem as easy to resolve as putting a layer between the ports and the software that maps process names to types of port interactions? Taking into account that once the worm has compromised the box, it would need to either overcome this counter-measure or co-opt an approved app.
well, apache has a huge market share, but seems to not have the enormous security holes that IIS has.
now, some have said it's complexity and perhaps hacker malevolence towards MS. probably that's part of the reason.
but my background is the life sciences (biochemistry)-and i've always wondered how to model the situation in the software world by analogy with nature.
with open source you have tens of thousands of people scrutinizing the source code-kind of DNA repair mechanisms that keep on the molecular level. you have a plethora of distributions, variations on a general model.
the closed-source projects have fewer people checking problems on the small scale. and since they are backed by huge companies with good marketing departments and moderately well paid programmers you have a few overly complicated applications to choose from, not a plethora of distributions.
so open source has better proofing mechanisms on the small scale, a better DNA repair system so to speak. on the large scale of populations, it has a strong tendency toward being shaped by natural selection (a friend of mine once told me LINUX was easy to screw with because you could spot holes in the security just by looking at the code-but this is a strength, because the hole will be spotted EVENTUALLY and you might as well patch it sooner than later).
closed source projects have spottier records when it comes to proofing, because they don't have the numbers, even if the ones that do it are full-time in their endeavours. they don't have the immediate penalties for having security holes either, so they build up over time like deleterious mutations. in addition, a closed source company isn't going to produce multiple versions of the same application, so there isn't the same level of natural selection. of course, you do have rival operating systems like the MacOS, windowz, and OS/2 or what not, but there aren't a dozen windowz distributions floating around-you're basically stuck with XP or 98 or whatever you have.
-razib
NO gods, NO governments, NO [OPTION]....
Is the Unix Community Worried About Worms?
If some of you hardcore *nix users would take showers more often than major holidays this wouldn't be an issue.
Those of us who have to sit in stuffy cubicles within a 10' radius of you thank you for your consideration of this matter.
No one runs *nix as root.
Unless you have root, you can't do much damage to a system.
It's impossible to get root on a *nix system without permission, because it is designed that way.
You don't need to be running as root for worms to propagate themselves. One of the first worms ran amok through *nix machines in the early 90's, and was written by Robert Morris Jr. (son of Robert Morris Sr. at the NSA).
If you haven't read the Cuckoo's Egg by Cliff Stoll, you should. Not much about worms, but the last chapter deals with the one I mentioned above.
OddManIn: A Game of guns and game theory.
Actually I think it's one of those e^n problems. It's exponential, not polynomial.
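An added note, not from any poster in the thread, that reconciles the two descriptions ("n squared" in the question, "exponential" in the reply above) using the standard random-scanning worm model. Let $N$ be the number of vulnerable hosts, $I(t)$ the number already infected, and $\beta$ the rate at which one infected host hits any one particular address (its scan rate divided by the size of the address space it scans). Each infected host then infects new hosts at rate $\beta (N - I)$, so

$$
\frac{dI}{dt} = \beta\, I\,(N - I), \qquad
I(t) = \frac{N}{1 + \left(\frac{N}{I_0} - 1\right) e^{-\beta N t}} ,
$$

where $I_0 = I(0)$ is the number of hosts infected at release. The right-hand side of the rate equation is the quadratic ("n squared") term. While $I \ll N$ it is approximately $\beta N \cdot I$, so the early phase is exponential, $I(t) \approx I_0\, e^{\beta N t}$, and growth slows only once most vulnerable hosts are already infected; both descriptions in the thread are right about different phases. For a defender the parameters matter more than the name: a smaller vulnerable population $N$ (the market-share argument) lowers both the exponent $\beta N$ and the final size, and anything that reduces $\beta$, which is what the tarpit suggestion earlier in the thread does, slows the early phase in the same proportion.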
Despite having seen it stated several times here, the RTM internet worm of 1988 was NOT the first worm. It wasn't even the first worm to crash machines, or the first network distributed attack...
In 1980 Xerox Parc published a paper called 'Notes on the "Worm" Programs -- Some Early Experience with a Distributed Computation' by John F. Shoch and Jon A. Hupp. This describes some WORM programs that were written at Xerox PARC and used for useful things. Unfortunately an error in one of their programs caused a lot of dead machines.
I think that the BITNET christmas card "virus" of December 1987 predates the Morris Worm of 1988. This was more of a trojan than a worm, but when you ran the "card" it mailed itself to everyone it could.
Neither of these was Unix based.
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
I'd be worried about something like Nimbda. All adbministratorbs are, Cliff.
Are you drunk? The li0n worm hit a lot of linux/unix machines back in january. We're not immune to worms or viruses. We never have been, we never will be. Imho, our security is better than microsoft's, but that does not make us immune to exploits. If you're just realizing this now, you better wake up from your drunken stupor.
If you had super powers, would you use them for good, or for awesome?
- Linux has a greater variety of software. Look at mail servers; we have exim, postfix, qmail and sendmail. A vulnerability in one cannot (easily) be exploited in another. The single largest target is Apache, which is by far the most popular web server software (with good reason; it is of very high quality). However, Apache has had almost no serious security flaws that I can think of; most exploits against Apache have exploited password sniff attacks or poorly secured applications hosted on the system, not targets for worms.
- On similar notes, even if linux/Unix takes over the world, there is likely to be a greater diversity of OS versions. At the current time, I can't see linux wiping out Solaris and AIX for a few years; I can see them coexisting and hopefully taking back ground from Windows, however.
- Even if linux takes over, wiping out proprietary Unix, there are still likely to be different hardware architectures in use (eg, x86, Itanium, Sledgehammer, SPARC, PPC, S/390) limiting the impact of a worm. By contrast Windows is x86 only (at the current time, although Itanium may come in soonish) which provides easier spreading of worms.
- While many MS server programs run as system or equivalent "super-user" type user ID's, many linux programs spend most of their time running as a non-privileged user (eg, apache runs as nobody or www, qmail runs as various uid's). Thus, the effect of an exploit is greatly lessened. The use of tools like chroot can also help lessen any impact (although chroot is not a foolproof solution).
- *nix worms have already hit; Solaris had the sadmind worm, linux had lion. They hit for the same reasons Code Red hit; unpatched systems. These had less impact, but it has to be asked whether that was due to lower market share or better security policies of administrators.
There is the potential for these worms to hit, but I think the general architecture of linux and the diversity in applications should help to lessen the impact of such worms.
The reason that there are many more worms and virii written for Windows than Linux, aside from the easy target Windows makes, is one of motive. Nerds like us refer to Bill Gates as 'the borg' and Linus Torvalds as a 'benevolent dictator.' The nomenclature speaks for itself really. Linus good. Bill Gates evil. That's the mindset of most people competent enough to write worms in the first place, so is it any great surprise whom they target?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
About the time the "I Love You" virus got loose, I had to upgrade a client's machine to Windows 98 for a particular consulting job. As you may or may not know, Win98 had a bad idea known as the WSC ("Windows Scripting Component" )['xcuse me if I am not remembering the name right, btw] installed and turned on by default. Like a good sys admin concerned with security, I had disabled the WSC and thus when most of the Outlook attacking virii came by, the client was safe.
That's not the trouble, however.... About a year later I had to install another M$ tool on that system that isn't even directly related to Internet usage... and without alerting me or giving me the option to stop it, the damn installer updated the WSC and turned it back on -- essentially opening up that workstation to attack. Which translates to the fact that some M$ updates are installing what amounts to a back-door on unwary users' systems.
Fortunately a client noticed something different on one of the app tool screens, which led us to discovering the reactivation of the WSC. Net result: one less client on a MS-based workstation, one sys admin even more committed to an M$ free world.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
sudo apt-get update && sudo apt-get update
This post was compiled with `% gec -O`. email me if you need the sources
I saw such a worm which had grabbed root on a Chinese box running an old, old unpatched Sun OS and came in two parts.
Few things:
The worm was written in really lame Perl (fantastically verbose) so the coder was no genius. Just needed to find unpatched boxes.
From the comments in the code, I doubt the creator was Chinese, which in turn left me wondering whether there ever was a real Chinese Hack attack
There should be two layers of protection between us and this phenomenon - someone tell me where I'm wrong.
First - every one of these exploits presumably overflows a C language buffer in some variation of read(). Why does C allow this? Why don't we build a better libc to fix this?
Second - Intel chips since the 286 have included domain memory management - Memory segments are supposed to be classified as DATA,STACK,TEXT, etc. How is it possible for an app to write to TEXT? Shouldn't the worst that the broken libc is able to do be to crash the app? Why don't OSs use this feature?
Please someone tell me how worms are possible today...
Pat Niemeyer,
pat@pat.net
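An added example (not from the post above or any project it names) of the read()-into-a-fixed-buffer pattern the post asks about, beside a bounded reader that refuses input it cannot hold; the pipe, the request strings and the function names are constructed here so it runs offline.

```c
/* Added example, not code from the post: the unbounded read() the post
 * describes, next to a bounded reader. Input arrives via a constructed pipe. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_SZ 16   /* size of the fixed stack buffer in both versions */

/* The pattern the post asks about. The length handed to read() describes the
 * caller's wish, not the destination, so a long line overruns 'line' and the
 * return address stored above it on the stack. Shown for contrast only; it is
 * never called in this example. */
ssize_t read_line_unchecked(int fd, char *out)
{
    char line[LINE_SZ];
    ssize_t n = read(fd, line, 4096);       /* BUG: 4096 > sizeof line */
    if (n < 0)
        return -1;
    memcpy(out, line, (size_t)n);           /* BUG: propagates the overrun */
    return n;
}

/* Bounded version: never asks for more than the buffer holds, always leaves
 * room for a terminator, and treats a line that fills the buffer without a
 * newline as overlong, returning -1 rather than truncating silently. */
static ssize_t read_line_bounded(int fd, char *out, size_t outsz)
{
    if (outsz < 2)
        return -1;
    ssize_t n = read(fd, out, outsz - 1);   /* capacity comes from the buffer */
    if (n < 0)
        return -1;
    out[n] = '\0';
    if ((size_t)n == outsz - 1 && out[n - 1] != '\n')
        return -1;                          /* overlong: reject, do not truncate */
    return n;
}

/* Feeds a constructed request through a pipe into read_line_bounded() using
 * a LINE_SZ stack buffer. Returns the byte count accepted, or -1 when the
 * request was rejected (or the pipe could not be set up). */
ssize_t bounded_read_demo(const char *request)
{
    char line[LINE_SZ];
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    size_t len = strlen(request);
    if (write(fds[1], request, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    ssize_t n = read_line_bounded(fds[0], line, sizeof line);
    close(fds[0]);
    return n;
}

int main(void)
{
    /* Constructed sample requests: one that fits, one far longer than LINE_SZ. */
    printf("short: %zd\n", bounded_read_demo("GET /\n"));
    printf("long:  %zd\n",
           bounded_read_demo("GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.0\n"));
    return 0;
}
```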
I think one of the reasons that Linux/BSD/etc are more resilient than MS OS's is that there is much more diversity in the open-source gene pool. There are so many Linux distros, BSD variants, installation options, etc. that a worm might have a hard time propagating for very long, due to the high variability among servers.
MS OS's, on the other hand, install to almost exactly the same configuration every time, and users don't usually bother to change many options. And there are only a handful of MS OS's, compared to open-source land.
In the wild, hybrids seem to be more resistant to disease, more adaptable, and generally hardier. Linux/BSD are mutts.
I'll probably get moderated to oblivion but what the hell.
Reason why there are so many exploits for windows is due to the high # of linux zealots out to prove it's a big POS.
If Bill Gates one day told his staff, "Let's all focus on discrediting the linux O/S by revealing every exploit we can find for it"
Well this is what linux zealots have done to MS for years. Do you realize what kind of chaos the linux community has caused for the average IT guy?
Case in point, the Nimda virus. I spent the better half of my day cleaning it from a friend's machine. It was based on code red, which I think was american in origin. Yet the terrorist took the source code, did a few changes and released it. Had there not been 20,000 linux zealots out there looking for the exploit in the first place, none of this ever would have happened.
Just consider your penguin lovin butts lucky up until now, one of these days some MS zealots are gonna do to you what you've been doing to 90% of the computer using world.
Being smart is not a license to cause destruction.
--toq
Error: Unjustified statement. Requires backup evidence.
What? Uh, Apache (99% of apache servers are unix) has THREE TIMES the market share that Windows IIS has, and there haven't been any apache worms floating around.
Q: If someone wanted to bring down web servers, why are they attacking the one with smaller market share?
A: Because it is a piece of crap and easily cracked
Nimda backwards is Admin
Nimbda backwards is Adbmin
http://www.linkdj.net/
A peer of mine is a sys admin for a group of debian machines. Once a week he runs apt to automatically get all the security updates and install them.
This is a one liner for him. According to him, it will even download an updated ftp package, stop the ftp daemon, install the new package, then restart the daemon -- all while he twiddles his thumbs and thinks about lunch.
With that kind of automated maintenance, the window between the discovery of an exploit and the patching of the server is quite small.
Even without the beauty of apt, most unix distros generally have better packaging than windows. Unix was designed to be able to be updated frequently and incrementally (without reboots too!). Because of this I think it will always be easier to apply hotfixes/patches to a unix machine than to a windows machine.
Following these steps, I think that distributions will be fairly safe from any discovered server vulnerabilities, and probably most client-side ones, as well.
Next question.
Especially if our goals of taking over the computing world are realized, ...
Be careful. Putting thoughts like that in writing are what got Bill Gates in trouble.
No wait, I've just remembered: he got away with it. Never mind.
To make it impossible for a worm to infect a system you need an architecture to prevent this. Linux never knew any serious viruses because they were blocked by the rights restrictions of the kernel. The new problem is that a worm doesn't need to care about these restrictions. If we look at code red, it just needs to connect to the target in a standard manner (port 80) and already has full control over the server.
Let's face it. Linux is as vulnerable as MS products. There is no general way to prevent this. The only way to limit the spreading of worms is more severe rights restrictions. For example only rw rights for the stack (I can't believe this isn't possible), restricting the program from modifying itself, more options in setting rights...
Seriously, isn't this exactly why Linux should NOT conquer the desktop? At least this way we know where most worms are heading for (and we know we're relatively safe).
Well, a lot of the problem rests in the fact (for viruses) that a person has to click a link in their email which starts up a given program that uses the particular file type. In windows, ppl click on links automatically, regardless of whether they are files or not: the rule is: if it is highlighted, CLICK IT! The difference with *nix systems is that most file types are not necessarily associated with a given program, and links in emails (to files) need to be saved in order to be viewed... Also, when a lot of viruses check address books, in winbl0ws it is standard, and in *nix it is not, and therefore harder to access. Finally, files on winbl0ws contain the macros for a given program, and are equivalent to executables. That is not the case for files for *nix: you can't run them from a browser!
BSD is for people who love UNIX. Linux is for those who hate Microsoft.
OpenBSD strives to prevent holes in the first place before releases. If the linux development cycle would strive to make more "stable" stable releases than the ones that come out now this could be a much smaller concern. Linux's bazaar style development of "release early release often" has major weaknesses in the "Are you sure all the holes are plugged? department".
Buffer overflows, printf overflows and the like are a systematic problem. Rather than trying to fix each instance (which is still a good idea), there's an additional safety net in the form of the StackGuard compiler, and the Immunix GNU/Linux distribution. It fixes the problem systematically by checking for stack smashing.
http://www.immunix.org
The ISO images are mirrored at ibiblio.org
I really wish that Red Hat would buy them, fund them, or incorporate their changes.
1) Install (patches|updates|hotfixes) immediately. Preferably, run a tool that handles this task semi-automatically, or if you're brave, completely automatically.
2) Don't run servers as (root|Administrator|God). Create an account for each server and run it as that user. However, have root own the binaries, configs, docs, and sundry associated with the server. Distributors should handle this.
3) [For distributors] Don't turn things on by default. People won't realize they're running them. If they want it, they'll turn it on themselves.
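One way a daemon can carry out item 2 above (and the earlier post's point about apache running as nobody) at startup, as an added example that is not this post's or any project's code; the jail path, the uid/gid 65534 fallback and the function names are assumptions.

```c
/* Added example, not code from the post: the "create an account for the
 * server and run it as that user" step of item 2, done after the daemon has
 * bound its port and before it touches any client data. A jail directory is
 * optional (NULL skips it). root keeps owning binaries and config, as item 2
 * recommends; the process only loses the ability to change them. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drops to uid/gid, optionally chroot()ing to 'jail' first while still root.
 * Refuses uid or gid 0 outright so a misconfigured account name can never
 * leave the server running as root. Returns 0 on success, -1 with errno set. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (jail != NULL) {
        /* chroot() needs root, so it happens before the uid change; chdir
         * afterwards so the cwd does not still point outside the jail. */
        if (chroot(jail) != 0 || chdir("/") != 0)
            return -1;
    }
    /* setgroups() needs root; an already-unprivileged process cannot change
     * its supplementary group list, so skip the call in that case. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is non-root, setgid() to another group
     * would fail and the server would keep the root group. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Checks that the drop is permanent: effective uid is non-root and the
 * process cannot climb back (setuid(0) must fail with EPERM).
 * Returns 1 if privileges are dropped, 0 otherwise. */
int privileges_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    /* Constructed target: when started as root, drop to 65534 (nobody/nogroup
     * on most systems); otherwise stay as the current unprivileged user. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getgid() ? getgid() : 65534;
    if (drop_privileges(NULL, uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("euid=%u dropped=%d\n", (unsigned)geteuid(), privileges_dropped());
    return 0;
}
```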
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
That's one of the biggest advantages of open source, if there's an exploit, ANYONE can find it. If there's a problem, ANYONE can fix it. Also the much more organized way of doing things on Linux, and the lack of marketing propaganda (Microsoft would rather make more money than be secure), really keeps worms from going very far on Linux. Plus with tools like apt-get and autoslack (slackware's distribution upgrader), things are much easier to upgrade on a large scale.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Shut her down Taco man, it's all noise here now.
Worms are not always a bad thing for either *NIX or Windows systems. See for example, this link
I don't really know how to state what I'm thinking, more than saying... if an open source program is needed, but is not being built correctly(i.e. potentially dangerous code from lazy programmers), anyone can take the code, and improve upon it. It's not re-writing the whole thing, it's taking the good, throwing the bad, and Evolving the program.
Closed source programs/OS's tend to Grow the program. Building perhaps good code, on top of poor code. Noone has the time/opportunity to spend a few days cleaning, it's all about the bottom line here.
...of course, I've been wrong before.
"...I'll need guns" --Chow Yun-Fat in 'Replacement Killers'
When I used to boot my box to windows (which I haven't done for a while) I used to run the windows update program occasionally, but it always seemed to want to download megabytes and megabytes of stuff.
Whereas, with debian, I feel quite happy doing apt-get update; apt-get upgrade every so often. And the update downloads never seem excessively large.
Most people using a *NIX machine are not doing so as the root user!
Anytime you are on a Win9x machine, and most of the time you are on a home WinNT/2k/XP machine - you are logged in as root!
This leads to many exploits from the inside that couldn't happen to a *NIX machine with regular users.
I think this is *NIX's strongest security point.
Fried
STRENGTH IN DIVERSITY!
Linux runs on more architectures than any other OS. Granted most folks run on an x86 but my box that faces the world is a ppc. Obviously binaries compiled for the masses won't get too far on my server. And no worm coder in their right mind would compile the binaries for ppc linux thanks to the N^2 problem. If you run linux on a SGI Octane, Indy, Indigo; Sun Sparc, UltraSparc, 3/60; Mac G3/G4/PPC, se/30, 68040; DEC Alpha, cisco 2501, IBM zSeries whatever you are helping to thwart the threat of a linux worm.
Something else you can do is run LaBrea. I just started playing with it and it's the coolest white hat security program I've seen. Not only will it slow the spread of any worm that scans subnets, but it will also mess with any script kiddies scanning your IP blocks. Take a look at it especially if lots of folks in your shop run II$.
"Build a system even an idiot can use and only an idiot would want to use it."
I really love the "my answer to a Linux exploit is apt-get update" posts. Nothing like trusting a completely automated process to solve all of your problems. All it would take is a nice little bit of malicious code in some header to fuck a bunch of people over. If you're not going to review the code before you install it why the fuck are you so anal about using open source software?
I'm a loner Dottie, a Rebel.
The article asked about guarding against worms in principle. Diversity is, in principle, more healthy than monoculture, specifically in the area of resistance to infection.
As other posts have mentioned, there are several worms currently active in the world of UNIX. They don't make the kind of news that Windows worms make because today's UNIX world is not a monoculture. If you find a vulnerability in a Windows system, chances are very good that the next Windows system you find will have the same vulnerability. That's not true when you substitute "UNIX" for Windows, or "Linux", or "Red Hat", or even "Red Hat N.M".
The same vulnerability will sometimes exist across Unices, but writing an automated process that successfully jumps from one flavor of UNIX to another is still tough. You have to either know in advance what kind of system you're infecting, or write your code so that it can run just about anywhere (hard to imagine much beyond a basic Bourne shell script that will do so reliably, and even then...).
Yet another strike in favor of open, diverse methods as opposed to closed, monolithic ones. Sure it's confusing sometimes, but fortunately it's even more confusing for the bad guys and their evil robots.
Here is how Rickard Oberg, creator of JBoss, avoids worms through use of EJBs.
The best way to avoid becoming a worm-hosting platform is to use good design and coding practices and to audit existing and new code (OpenBSD-style).
I spend countless hours studying others' code in the evenings. Although I don't consider myself an auditor, I like to examine basic and often-overlooked things like array and pointer usage. Most of the "bugs" I uncover are very subtle and usually don't affect the operation of the software at all (though they might as one small step in a complex, deliberate attack). An interesting side effect to this boring work is that I sometimes find faster or shorter ways to do things.
IMO, this kind of work is ideal for newbies who want to get involved but aren't skilled hackers yet. While many of us who code every day like to "read" code quickly, newbies must actually concentrate on understanding the significance of each character.
An even better way to audit is to explain some piece of code to an outsider, perhaps a nonprogrammer, line-by-line. They'll likely ask you some stupid questions, but you'll be surprised how many subtle bugs this can uncover that you'd never find otherwise. Oh yeah, and if you have a girlfriend who wonders WTF you do in front of that comp all night, this is one way to bring her closer to you. :-)
Regarding protecting the Linux community from known worms, virii, etc:
Might it be cost-effective for the Linux community to maintain a site which one could invoke to probe one's own system? Knowledgeable and conscientious (and trustworthy) Linux hackers could maintain an up-to-date array of automated exploits of known security problems.
This seems to me to be technically non-trivial but still quite possible.
The admin of any Linux system could invoke the system and then receive a report of the results... maybe the report could include suggested patches and system configuration changes.
maybe that should be a standard service? add the ports exploited to tarpit.rc ..
of course that wouldn't solve much but it would be something to start with.
You are right - next time, the worm author might do something different just to make sure LaBrea isn't nearly as effective. For instance, by keeping track of how long it's taken to do its job, the worm may just abort the thread if it takes, say, 20 seconds to send over part one of the exploit. LaBrea becomes a small slowdown then.
There's not a 'real' answer to stopping worms and the sort, except for administrator vigilance. No matter what OS you use as a server platform (or a mix of things, like my network), ya gotta be quick with the patches and vigilant with security.
As for reversing attacks, etc - there's some severe problems there. You are attacking someone else's hardware - even if the script kiddie may be controlling it, they may be on someone else's machine doing it remotely. Screw up that person's box, and you might have a problem. (Of course, there's other ethical issues here - I'd really like to just view it all as 'self defense' when you throw an attack back at an attacker online. Unluckily, there's no real precedent for that, and I'm not sure there should be!)
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
Good lord we're myopic. One of the first internet worms that ever got famous was the Morris worm, released in 1988. It attacked SunOS and VAX/VMS boxen.
The reason MS is struggling with it now is because the *nix folks have had about 15 years to work this problem and close the loopholes. We know what to look for.
--
You sure got a purty mouth...
The possibilities of some odd hole in FreeBSD or Linux are there, but both do inherit the legacy of being hacked on and secured for close to 30 years that Unix already has.
Remember the Morris Worm? That was Unix-based.
Unix-based systems inherit MUCH more knowledge about network security issues than Windows has. I've seen too many comments on security holes in Windows by Unix systems people to the like of, "we stopped doing/fixed those things X years ago", where X is a decent integer (i.e., 1-20).
Or any other form of auto-updater. Remember, Code Red and Nimda used holes that were patched months ago.
No way - this is a very bad solution for security. While at first this would seem to be an absolutely good idea, in reality there's a number of really nasty security problems here.
First, it convinces you to be lax about security. I mean, if the Auto-updater is handling the job, you probably won't check it out too closely since it's not necessary. But with patches sometimes come new holes, and new procedures for properly securing a box. These are jobs that require human intervention.
Second, a new class of exploit comes along - using whatever procedure you can make work, upload a new patch to the ftp server with some less than obvious holes in it. Sure, someone is going to spot it - maybe hours, maybe a couple of days, but it WILL get spotted. As admin, will you know if your box was one that grabbed the bad stuff? (Note, I said upload it to the ftp server, that's not the only exploit - various redirection techniques could be used too.) If tons of people moved to the auto-update idea, there'd be the potential for a lot of exploited boxen quickly.
And third, there's the issue of reviewing patches / updates. Sure, lots of people have viewed them. If it's security related, you should be viewing them too, or at minimum the 'readme' or equivalent.
Fourth, what update time are you planning? Once a month? Once a week? Daily? If it's less than daily, then you've got a problem - if you do grab a buggy version, that gives someone time to attack. And if it's a week before you check again, that means they've got plenty of time to use your machine as a base to launch more attacks from. Plus, once they have the machine, you may only THINK you are still doing updates ;-) (It's always better from the attacker's standpoint to make things seem just fine and dandy :-P )
I'm sure there's a lot more that could be added to this list - this is just the problems off the top of my head. But those problems alone are enough to really screw things up.
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
I sincerely doubt we'd see a very infectious worm like NIMDA even if Linux were a very common OS. A NIMDA style worm that propagates via email clients and web servers faces a bigger uphill battle in the Linux world than in the IIS world. For starters, there are way more semi-incompatible Linux distributions floating around - it wouldn't be uncommon to find a RH 6.x server would it? There's more variation in web servers, too: Apache, WN, thttpd and others all have a presence. That means that the web server vector has barriers to propagation, one buffer overflow won't cause every web server to become a propagation vector. One IIS buffer overflow caused the Code Red worm. There is more hardware variation: Linux runs on x86, SPARC, Mips and Alpha CPUs. Shellcode to run on all 4 architectures would be difficult if not impossible. There are *vastly* more email clients in common use in the Linux world than in the Windows world: mailx, pine, elm, mutt, Netscape Communicator, balsa (?), etc etc. These various email clients don't share a common scripting language, address book, or even a common format for saved mail. Most if not all of them don't "launch" executable attachments. This would lend resistance to the Linux population.
In short, the monoculture of MSFT products (IIS, Outlook, Win32 and x86) is probably at fault for the Code Red, SirCam and NIMDA problem, not mere popularity.
Then use ATL's windowing support instead.
<sarcasm>Yes, I've always preferred highly macro based toolkits making extensive use of templated classes and multiple inheritance. The result is so easy to debug and read!</sarcasm>
ATL has some things going for it when you compare it to MFC. I'm just not sure that's the best benchmark.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
Windows is the easiest place to start, and gives people a touchy-feely familiarity to starting out in Internet services.
But, professionals want more. The big boys don't use Windows, at least not in a high-exposure critical-service sense. Professionals tend to choose tools which can be configured more securely, and more dependably. Professionals also tend to know how to set up and take care of their servers.
So, Windows is that learning step for many would-be IT/IS admins, similarly to how Fisher-Price is a great provider of learning tools for child development. But, to measure comparative market share of Windows against Unix-type systems is like comparing the market share of Fisher-Price to Volvo. Are they really in the same category?
That said, it isn't surprising that Windows is both an easy target and a 'soft' target for worm/virus attacks. The impact, well, isn't huge, though. If someone figured out how to compromise Unix machines on the same order, THEN you'd be feeling the effect as REAL services started to fail (e.g. telecommunications, banking services, etc.).
--Phil
(God I hate having to defend Microsoft!)
Then don't.
Properly configured, IIS runs as a user other than the administrator
Ahh, OK. Now, what do you define as properly configured? Default installation? Don't think so. The fact that you can make it secure does not mean that it is secure by default, which was the original poster's point.
This is one step ahead of how most Apache installations are run.
Sorry, your qualifier makes this an idiotic statement. Properly configured, Apache will run scripts as another user as well.
Incoming_Worm > /dev/null
A worm that overpowers apache and executes code on my machine as user 'nobody' (The user my apache runs as) really doesn't concern me. I suppose it could delete most of my /tmp partition.
"The only thing stopping it these days is Linux's smaller marketshare. (Worm propagation is one of those n squared problems)"
:)
What this coward means is that the only thing stopping apache from having a major server-side infection is the fact that it's used twice as much as IIS. Sure, a client/server worm would have a larger target in Windows, but all the IIS server worms could have gotten twice the serverspace if they used an apache hole. Of course, some day a cross-platform worm will come out and then we could be screwed
They that quote Benjamin Franklin on liberty and safety deserve neither.
Most internet connected computers were hosed in 1988 during the Morris worm. But it was mostly just universities and a few military.
On NT, a blank password is perfectly valid for remote login. A better idea would be to enforce strong passwords via group policy objects.
>much. After all, the concept of a worm similar to Code Red or Nimda could just as easily strike Linux ... it's as easy as finding a known hole and writing a program that exploits it, scans for more hosts and repeats. The only thing stopping it these days is Linux's smaller marketshare. (Worm propagation is one of those n squared problems). Especially if our goals of taking over the computing world are realized, Linux can and will be a prime target for the worm writers.
Where do *MORONS* like this guy come from?!? Shouldn't he be busy re-infecting the Windows PC he's using by clicking on an attachment or something?
It's clear he knows nothing about Linux, BSD or Unix, nor how programs work/interact with each other under these OS's. If he did, he wouldn't have bothered posting nonsense about how "worm similar to Code Red or Nimda could just as easily strike Linux..."
What a load of bullshit.
That's right: marketshare doesn't matter. And here, I'm taking "marketshare" to mean either (a) the number of servers sold or (b) the number of servers running.
The reason why marketshare doesn't matter: every server connected to a TCP/IP network is "touching" every other server connected to that network. Marketshare has no bearing on which servers can possibly infect which other servers in a population, only connectivity does. Essentially, the "population" of unix servers on the internet all "touch" one another, just like the population of all IIS servers "touch" one another.
That said, it hasn't really been a banner year for Linux/Unix/BSD worms. We've seen adore, l1on, cheese, ramen, sadmind/IIS, lpdw0rm, and x.c. Absolutely none of these worms ripped through the Linux/Unix/Solaris/BSD population. This is indisputable. The question is why does one population have resistance, while the other doesn't? I think the answer is diversity on four levels:
So long as Lowley's good character is not compromised by some prankster, I will sleep easy.
(Sorry to those whose youth literature was empty without Lowley the Worm's presence).
And that is what will hurt linux users the most when the first well-written worm arrives in a world with enough linux boxes.
Since so many assume it is so safe, the surprise will shake the foundation hard, I think.
On the other hand, with the non-trusting environment (in a good way), it is hard to imagine any great damage done... and well, that is my point I guess.
And don't trust that every Linux user is a nerd, professional or interested enough. For the first thing it is slowly hitting the average guy with the red hats and whatnot. And also a lot of companies switch to Linux for obvious reasons, but they still have the same morons or worse trying to administrate the boxes. Lots of hosting companies run Linux because it sounds good and it has a quality ring to it - which is true - but they don't know sh*t about the system, and in many cases they just want to grab the money.
I think that many/most of them are alright though - so far...
The Linux community and any other unix community for that matter should be worried. Not necessarily for worms or viruses, but for the problems they cause even when they hit microsoft boxes.
We have had some pretty mild worms so far. Wait till a really bad one hits and all our linux, freebsd, sun, whatever boxes come to a grinding halt because of server load, or network load, or...
We actually need to start planning infrastructure dimensions with worms, viruses and ddos attacks in the back of your mind. Don't plan for a 50% peak, plan for a 500% peak..
Cor
Because somebody can. I can blindly trust some anonymous person somewhere who knows that I can't check him; or I can trust a fellow developer, who will get expelled from Debian if he tried to "fuck a bunch of people over" (i.e. accountability.) At least 3 or 4 people see any change that goes into any major program, and any number of people can look at the code, at any time. If you put a back door in, you will be found out, sooner or later, and people will know who did it.
You forgot quotes around "products".
Most of the scriptkiddies probably use Win9X, and AFAIK IIS hates everything but NT kernels, so it should be much easier to get Apache than IIS to run under Win9X. Ease of access is not the reason either.
What's left? I'd venture two guesses:
Try out fish, the friendly interactive shell.
Good question! I'm sure somebody will supply you with the answer some day!
Lets see... Using UNIX... And... My biggest worries are:
* Did I bring coke for lunch today?
* Where are my glasses?
* I have the latest distros right?
So no, I'm not. But the NT admin in the cubicle over is pissing his panties.
I love UNIX.
Is the worms community worried about penguins?
In the last couple years, Microsoft has been starting to get the idea that security is important. As I understand it, COM+ has many more features dealing with security than COM does. Unfortunately there is a massive installed base of COM applications that will take years to replace.
As long as the Open Source world continues to maintain focus as to what is really important, and not get lazy, then those projects will continue to be secure and powerful.
hgh
What these worms, Code Red, Code Blue, and now Nimda REALLY underscore for me is the value of having a heterogeneous operating environment. It's just not good practice to run entirely one OS/web server/email client. At least different operating environments will have DIFFERENT flaws, so when one of these worms goes around, at least somebody can still get work done.
:)
Not that I really get any work done
The people who admin Unix boxes tend to know more about services/permissions/vulnerabilities etc..., because Unix has a more expanded history in terms of hacking. Unix/Linux is more a real network operating system than NT/2000, which I would rather call an operating system with full network support. A Unix machine set up by an unknowledgeable admin is actually more dangerous than a default-setup NT machine, because a knowledgeable hacker hides his presence, and downloads/compiles/installs any software without any user intervention at the machine (for example: it's possible to download any software using a perl ftp script).
1:- Windows has the largest footprint, so it attracts more virus/worm editors. Linux is becoming more popular, so it is evident it will attract more worms in time (given the example of the Ramen and Li0n worms, more worms are to be expected).
2:- Windows having more integrated features is often pointed to as the reason behind those worms, but actually Unix has more features that can potentially be misused. Unix has not (yet?) had such disasters as the Code Red and Nimda worms. The reason for this: there are more diverse key applications in Unix, each maintained by its own team, versus the Microsoft way, where everything is integrated in such a way that every application can have access to the same tools/features in the OS. Thereby a lot of vulnerabilities affect Windows in a general sense (let's take the infamous MDAC vulnerability, first found in the Access/ODBC Office suite, which was shortly after found also to affect IIS), more than Unix vulnerabilities.
3:- Most services in Windows run as LocalSystem, which is actually full system access. The inability to change this without breaking Windows makes Windows rather insecure. An example is the Code Red worm, which exploits the IIS service before the service executes itself as IUSR. The concept of a sandbox/virtual/chrooted environment is almost unknown in NT/2000.
4:- A lot of services depend on other services, thereby making it difficult to turn off unsafe services. I think in this case of disabling network bindings, which causes Net Logon, Workstation, and some other services to be disabled. Also turning RPC services off is not easy, and I've actually been forced to reinstall Windows 2000, because I couldn't start several services again in Windows 2000. Microsoft didn't document these services/dependencies/ports that they use very well, and modifying those settings can affect other services, so that browsing doesn't work anymore, cut and paste is gone, etc...
5:- Several services run on SMB ports: authentication, file transfer, browsing, domain replication, etc... Thereby making it difficult to filter on ports. Microsoft is tending to let security depend on the application level rather than on lower levels. The problem is, when the application level fails, there isn't any lower-level security possibility to protect your network. NT is in operating system permission design good, and better than Unix, but only on the system level, not on the network level.
Not sure if anyone else already mentioned this, but it's a good point.
We need to form sites with more than MS bashing and howtos. This would be really good for showing what we, the open source community, are about.
Even more, it would be smart for, say, Red Hat to develop such a system. Offer some of it for free, such as portscanning/version checking, but offer more in a pay service: automatic upgrades with prompts, other solutions, programs that run in cron to automatically test the system, check components vs. Red Hat's database (file size, version, bug info, etc).
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
Hasn't anyone ever heard of...
l10n
Adore
Ramen
Et al? These things are rampant and generally attack older BIND, lprng, or wuftpd (Damn those rappers and their shitty FTP server!). Run up2date or whatever your distro uses and you won't get them. Just like running Windows Update on an IIS box, really...
That doesn't make the slightest bit of sense. Apache has 2 or 3 times the marketshare that IIS (including derivatives like PWS) has. An Apache exploit comparable to the IIS one would rip through the network like fire and could easily take down the majority of servers. One of the reasons that this hasn't happened is that Apache was coded far more carefully than IIS. Another important reason is that Apache servers are not a monoculture. Apache runs on many different CPU arch's and many different OS's, preventing the "One True Shellcode" from working (not that a worm couldn't have a library of shellcode for many different platforms). Permissions on UNIX hosts tend to be slightly more sane out of the box as well, not great but better than the competition.
There have been several RedHat (not Linux or Unix in general) worms recently, but they just weren't that obnoxious (not that there weren't quite a few fire-and-forget RH6.x boxen around). RedHat isn't making the same mistakes again: RH7.x doesn't turn on every installed service by default and optionally can set up firewalling rules that protect your machine from attack. Mandrake has a "make secure" button that does a pretty good job of locking a machine down, and distros like Debian try to err on the side of security whenever possible.
I'm rambling, but Unix servers are generally more hostile to attacking worms than other environments. Any monkey can set up an IIS server, but the results tend to be slipshod. Any monkey can set up an Apache server as well, but the results tend to fare better when exposed to the open cesspool of the Internet.
Blargh
-- Remember: Wherever you go, there you are!
it's easier to damage a windoze machine and remain unrecognized. you start an attack from a computer that can be easily traced back to the attacker, so you have to infect a couple of servers before anyone realizes that you did something nasty.
linux servers have plenty of logfiles and almost every administrator knows how to deal with them.
maybe they don't know how to write linux worms - but even if they do, they are afraid of being traced back.
Linux and WinNT/2K/XP have pretty much the same security models.
:)
That model is the ACL (Access Control Lists) model. No, I don't mean that in the NT sense, but the more general sense, of attaching some user permission data on every object.
This model is a failure on the Windows platform, and what many *nix users fail to realize - is that it is a failure on the *nix platform as well.
This model is far from the principle of least privilege, and code gets a LOT more privilege than it needs. Even the restrictions that are placed on programs are placed in fail-open ways using chains of error-prone conditionals, and often by the program itself, and it may fail to do so.
What is the alternative, you ask?
Pure capability systems. Mathematically provable systems that do NOT attach user lists to objects, and do NOT use error-prone if-conditional chains.
Such systems allow implementing the principle of least privilege; they allow fail-closed restriction of code, by handing it the exact capabilities it needs to run.
Such systems also allow more fine-grained, more flexible security, AND with higher-performance, and more simplicity. They do all these WITHOUT having to trust the webserver or MP3 player software to place constraints on itself properly, and WITHOUT requiring a security-killer thing like a super-user for standard system operation.
How do capability systems do all these great things, you ask? Well - they are simply a much smarter way for systems to operate. Instead of each process having a large set of actions it can request the OS to take, each process holds a set of 'capabilities' (Think of them as open file descriptors that are never actually open()'d or close()'d). Such capabilities represent access to a specific object. In order to communicate with another process, you need to hold a capability to talk with that process. If that capability includes the right to send capabilities as well, it means you can hand your capabilities to that other process, too. In order to play sound, you need a capability to write to the sound device.
All of this is simply implemented as method calls on the capability object, much like a file descriptor. Some capabilities are implemented by the kernel, some by other processes implementing high-level objects. The important thing about capabilities is that they are a necessary and sufficient condition to access an object.
Capabilities provide for fine-granularity, highly-flexible, high-performance (the only test is that a capability is valid) security systems that are not only much more flexible, and faster, but are also PROVABLY MORE SECURE than ACL systems, and are much more powerful, and even simpler to implement correctly (consider the tests needing to take place, compared to the *nix way of the chained if conditionals required to see if a process is not restricted from some resource access).
In summary, as long as we all use ACL systems, be those Windows or *nix, we should fear worms, viruses, and other security hazards.
When pure capability systems get the attention they deserve, and we as users get running systems, we will be able to lay our eyes off bugtraq, and remove worry from our sysadmin heart
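A toy of the two models the post contrasts, added here as an example that is not part of the original comment: the ACL checker is the if-chain keyed on who the process runs as, and the capability classes model unforgeable references that can only be attenuated and handed over. The users, file names and "sound device" are constructed, and none of the classes stand for a real system's API.

```python
# Added example, not code from the original post: a toy model of the two
# authority models contrasted above. Users, file names and the 'sound
# device' are constructed for illustration; nothing here is an OS API.
from dataclasses import dataclass, field


# ---- ACL model: authority is ambient, derived from who the process runs as ----
@dataclass
class AclObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of rights


def acl_allowed(obj: AclObject, user: str, right: str) -> bool:
    """The conditional chain the post criticises: each branch grants access."""
    if user == "root":                          # super-user bypasses everything
        return True
    if user == obj.owner:                       # owner gets what the ACL says
        return right in obj.acl.get(user, set())
    return right in obj.acl.get("*", set())     # world entry, if any


# ---- Capability model: authority is a held, unforgeable reference ----
class Resource:
    """Something a capability points at; reachable only through a Capability."""
    def __init__(self, name: str):
        self.name, self.contents = name, b""

    def read(self) -> bytes:
        return self.contents

    def write(self, data: bytes) -> int:
        self.contents += data
        return len(data)


class Process:
    """Also an object: handing it caps needs a cap on it with the 'grant' right."""
    def __init__(self, name: str):
        self.name, self.caps = name, {}         # caps: the process's whole authority

    def grant(self, label: str, cap: "Capability") -> None:
        self.caps[label] = cap


class Capability:
    """Like a file descriptor: holding it is necessary and sufficient."""
    def __init__(self, target, rights):
        self._target, self.rights = target, frozenset(rights)

    def invoke(self, op: str, *args):
        if op not in self.rights:               # the only check in the system
            raise PermissionError(f"no {op!r} right on {self._target.name}")
        return getattr(self._target, op)(*args)

    def attenuate(self, rights) -> "Capability":
        """Derive a weaker capability; rights can shrink but never grow."""
        rights = frozenset(rights)
        if not rights <= self.rights:
            raise PermissionError("cannot add rights the capability lacks")
        return Capability(self._target, rights)


def launch_player(shell_caps: dict) -> Process:
    """Start an MP3 player with only what it needs: write on the sound device
    and read on one song, attenuated from the shell's full capabilities."""
    player = Process("mp3player")
    ctl = Capability(player, {"grant"})         # the shell's handle on the process
    ctl.invoke("grant", "sound", shell_caps["sound"].attenuate({"write"}))
    ctl.invoke("grant", "song", shell_caps["song"].attenuate({"read"}))
    return player


def run_scenario() -> dict:
    out = {}
    # ACL world: the player runs *as alice*, so it may write alice's notes too.
    notes = AclObject("notes.txt", "alice", {"alice": {"read", "write"}})
    out["acl_player_writes_notes"] = acl_allowed(notes, "alice", "write")

    # Capability world: the player holds only what the shell handed it.
    shell = {k: Capability(Resource(k), {"read", "write"})
             for k in ("sound", "song", "notes")}
    player = launch_player(shell)
    out["cap_player_plays"] = player.caps["sound"].invoke("write", b"pcm") == 3
    out["cap_player_holds_notes"] = "notes" in player.caps       # no cap, no access
    for key, call in (("cap_player_writes_song",
                       lambda: player.caps["song"].invoke("write", b"evil")),
                      ("cap_player_amplifies",
                       lambda: player.caps["song"].attenuate({"read", "write"}))):
        try:
            call()
            out[key] = True
        except PermissionError:
            out[key] = False                    # fail-closed: denied by default
    return out
```

In the ACL run the player inherits every right alice has; in the capability run it can play sound and read the song, and everything else is denied because no reference to it was ever handed over.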
Does anyone remember an internet worm approx 1993 that took down the whole net?
Thanks,
LB
The number of users an operating system can obtain is finite. Each operating system can choose from the same pool of users. I see people saying 'yeah, but unix admins are geeks, they generally keep their machines patched'. At the moment, yes, that's true for the most part. Once those windows admins (if at all) decide to switch, I can guarantee you they will neglect their machines just as much as they do now. Then *poof* some worm is rocking the internet just like nimda and code red, but this time it's not because of microsoft.
I'm not worried. Apache runs as user "www" on my machine. User www doesn't have access to anything not even the apache bins or logs or anything else for that matter.. It's a standard apache installation at that. The misconception that this could happen on a unix clone type of system is quite laughable nowadays. It's even more laughable on a system like openbsd, freebsd, linux, netbsd, basically all of them.
However, it's possible but the way the worm would have to be written and executed would only work on some systems and then you'd have to have someone dumber than dirt to exploit it in some non-standard, weird condition that a dumb user wouldn't be able to create such a condition if they tried. The reason you don't see any major Unix worms is simply because the effort involved and the payoff; ie: having your worm spread over internet isn't worth it. Your worm will probably affect very few machines if any at all.
It's not about market share because Unix has always had the major market share on servers and on the desktop front I really wish people would stop fighting for such a thing, the software just isn't there yet. Unix on desktops is a new thing.
Hello? Ramen? 1i0n? Adore? Sound familiar?
Thank you. I was beginning to think that I was the only person here who still had a functioning long-term memory.
The linux world has just as much of a worm problem as the win32 world. Maybe even more: after all, your average installation of win2k or winME doesn't run IIS (or many net-listening daemons at all), whereas every official release of redhat ever made is trivially rootable out of the box in its default installation.
The lesson I learned the hard way from 1i0n: don't run sendmail. (Use postfix or qmail.) Don't run BIND. (Use djbdns or, um...something.) And whatever you do, never allow a "UUNet Certified Firewall Engineer" to configure and install your Checkpoint FW-1. And yes, virginia, there are such things as linux worms, and restoring 1,825 different index.html files from your backup tapes is a lousy way to spend a saturday afternoon.
News for Nerds. Stuff that Matters? Like hell.
LIKE I SAID BEFORE, VBA IS NOT FUCKING AVAILABLE UNDER LINUX. Its windows people doing it to themselves fool. They kill their own.
Reasons why Unix Operating System rarely get attacked (note: none of these mention unix being invulnerable)
/home/$u when you're not root in Unix. Quite a bit harder.
:o)
1. File Permissions. On windows anyone can install software. Try doing that in other places then
2. User friendliness. Even though the unix command line is generally easier to use than DOS, it's still not very welcoming. Or try telling a BDU (Brain Dead User) that ed, the standard editor, is better than M$-Word. 24-byte program baby!
3. Respect and Time. Respect because most Unix users won't try to hack another's machine. If they do, they'll notify the user and the developer whose software they found a hole in. Time because it takes less time to hack into a windows box than a unix one, so why bother... we're all lazy
Why don't the same people who waste their talent attacking domestic web sites use their energy to attack Islamic web sites? You can still prove your talent and do the world a favor at the same time! Show those Islamic fucks a thing or two.
Just a few thoughts..
.. free testing by serious geeks!
I think that these worms are doing some things that no-one has touched on yet... in a more abstract sense.
1)Firstly they are keeping microsoft software at the top of the news in just about every country where it counts.. (Can you say mindshare?).
2)They are testing the software. In biological terms... an organism has to out-evolve its predators... or it gets wiped out. So far microsoft is winning.
3)They are testing the infrastructure and personnel. Quite a few systems admins in microsoft shops will be getting a lot of disaster management experience out of this. And I am sure they will be getting to know the inner workings and configuration options a lot better.
Linux could learn a lot from this.
As I see it... the organism with the most potential predators is going to be the strongest!
Where is the stable of linux viruses?
Obviously there are reasons.. lack of market share being a major one...
So here are a few ideas for linux...
Rather than closing linux up and putting more firewalls in place... open it up and allow any weak software to be exploited...
Start competitions to write Linux viruses
Remember
Start a page where all the distros are rated for their tolerance to virus and worm attack.
Build a server that runs every known virus for linux and set it so people can submit their box to it for testing... Should make sure all the older software is replaced and patched!
We have to remember that the internet and any network in general must be considered a hostile place... there is no point building a firewall between the company intranet and the "wild" internet. Then pretending you can trust everyone inside the firewall and thus relaxing your standards...
Firewalls are a red herring!
If there are no disaster management procedures and no regular testing of both system and personnel... you are kidding yourself.
So think about some of the value in using worms and viri as a system test tool... shame there are more for windows than linux, isn't it.
But most of all make the system stronger!
"... every time I open my mouth some of my stupid escapes!"
I don't have to reboot my new Linux (or OpenBSD or FreeBSD) servers to patch them.
Building out a new and cleanly installed NT/Win2000 server can take upwards of 15-20 reboots just to get to a stable platform to begin working with.
To apply three hypothetical Linux patches in one day, six hours apart, would take less than 5 minutes total time and require no reboots. NT would require probably 20 minutes (if local to server) and **three reboots**. That gets old.
Please don't say "UNIX" and then put the linux penguin up next to it. That's almost as pathetic and misleading as "(small print)red hat (huge print)LINUX 9.0".
...Or is it just that people don't count Solaris as Unix? Sadmind spread itself by scanning for a known vuln, just as Code Red did. It just happened to also attack IIS servers.
One day, Linux desktop is everywhere, Mr. John Doe, being one of the billions of happy Linux users, used kdesu to install a very popular game sent from his good friend Bob, called "Shoot ya boss!". Apparently, this game is just what it says, but underneath, besides providing entertainment to our dear John, it will also go through all the files on John's Linux desktop for every email address it could find, then, assuming John's identity, send to some of those emails a copy of this game with a sincere message, and to the others a random copy of John's collection of files asking for "advice". As it happened, the game also is setuid root and started sniffing John's (and probably now many other victims') network for anything interesting, and of course, a Back Orifice is also installed for the sake of convenience...
Who dares to say this *won't* happen?
Unless users stop using the root account or equivalent as their user account.
Why? Traditionally, the PC platform allows users to change the system and application settings at will, including installing and uninstalling masses of applications and gadgets. *IF* Linux/Un*x are to be their next desktop, then one day, I believe, the above criteria must be matched, or will be made to match, by the user.
You'll see the problem is, if you are to allow the user such freedom, then virus/worm infections are bound to happen, even with decent security protection *available* on every Linux/Un*x box - if security gets in the way of letting people do what they want to do, people are just going to turn it off for good.
Can you expand on this anymore? I don't understand your logic at all.
If someone wants a remote root shell on my machine they'll need to have root's private SSH key. Even if they know the password is "hottomatosoup".
systems was in the 80s... there's a lot higher eye on this form of hole in most mail systems under linux. Sure a weakness could creep into a popular system like sendmail (and has before) but personal observation suggests that any kind of wide-reaching worm is less likely to affect the somewhat heterogeneous linux market...
What linux (and similar systems) lack actually is the "aggressively 'intelligent'" approach to email such as exchange uses - runnable scripts within email tend to be limited...
I've been hit by a "worm" under Linux. Basically, it was less a worm and more just an automated exploit system. The program would scan boxen for an older bind exploit, and if found, would gain entry, backdoor the box, install itself (and the necessary trojan rootkit) and start scanning some more. It was hardly intelligent (just a shell script and some script kiddie sploits) but it worked.
The reason these aren't as prevalent under Unix is the fact that it's hard to push a precompiled binary when there are so many flavors/architectures of unix. Under windows, a single hacked DLL will work on all x86 Windows boxen (which the vast majority of NT boxes are), where under Unix you have Linux, *BSD, Solaris, AIX, HP/UX, etc, most of which run on several different architectures which are not binary compatible. You can't even rely on shell scripts or perl because you would need the right versions, etc. The lack of solid standards under Unix, while a curse at times, is in this case a blessing.
In any auto-update system, there is a single point of failure... but it is not the server that hosts the update packages, it is the computer that signs the packages! If you compromise the file server, you can destroy the signed packages, but you cannot insert your own malicious packages without compromising the computer with your OS provider's private key.
And this signing computer can be ultra secure. It doesn't have to be on the network at all; a CD writer would be sufficient. It doesn't have to be running an architecture or operating system remotely related to anything else, just something capable of running GPG. You could have it loaded to the brim with intrusion detection software, you could have the entire OS on read-only media, you could do all sorts of things that just can't be done on all the random computers out on people's desks.
Auto-updating does introduce the possibility that a malicious employee could introduce trojan packages... but they could be doing that right now, just as easily, just a little more infrequently. "seineew era sreenigne epacsteN", anyone?
Nimda was sort of a best practices of Virus/Worm writing, because it had the behavior of both.
It would infect executables, or web files. It could spread by the infected executables on shares, or by people browsing to infected web servers using old versions of IE. It also tried to scan the network looking for vulnerable IIS servers, as well as trying to email itself the same way Sircam did.(i.e. it included an SMTP piece)
The point is that it was written to try multiple vectors of attack, such that its chances of finding a vulnerable machine were much higher.
The only thing that slowed it was that the Code Red incident had caused many, if not most, people to install the latest patches on their machines.
Another example: the sadmind worm affected both IIS and Solaris boxes.
I guess the point is, try to build diversity and the world just builds a better worm/virus writer.
P.S. The cluefulness of the general Linux administrator is actually pretty low as it tends to be primarily popular with inexperienced college students.
It also doesn't take much work at all to effectively admin an NT box. But most NT admins also have other priorities put upon them by their corporate bureaucracies.
I've discovered a potential security hole that exists in about 45% of all linux machines. It's massive... potentially destructive to linux and at this time with the available tools could be used to do many many many things to a linux distribution.
Data collection.
Random destruction.
Introduction of trojan virii.
The list goes on.
I'm actually afraid to say anything because it's not an easy fix at all.
Who do I contact?
Friends don't let friends buy Compaq's. (Dell/Gateway... same same) You want a good computer? Build it yourself.
I'm very worried. even though I'm using free systems exclusively, I am *still* a victim of the various microsoft worms.
:-)
all of my systems - both online system and the ADSL home machine - are constantly hammered with windos attacks. large parts of the net were noticeably slowed down during the recent worm attacks and at my day job, windos worms take up a considerable share of my time even though we don't use windos for anything serious (some office communication, but all the servers in my department are solaris or Linux).
I'm very worried that something (the windos OS) can be so widespread AND so vulnerable that even those who don't use it are affected by its unbelievable shortcomings.
worm authors: in the next one, please include a function that'll shut down the windos machine. put it into the autostart folder. instant internet cleaning. idiot-free net for a week or so.
Assorted stuff I do sometimes: Lemuria.org
I've often thought that all daemons/services running on a system should run in their own chroot'd environment when available (not just ftp). Everything from mail to pop to echo.
Also, every service app (preferably all apps, period) should be distributed with a list of what system calls it's allowed to perform and what files/directories it's allowed to read/write from/to. Likewise, all distributions should be based off of NSA's SecureLinux to take advantage of this list.
On a semi-related note, I'd even like to see a system where the entire chrooted environment is encrypted. Only services allowed to access these directories are given the secret keys/tokens (maybe something kerberos-like) that allow them to read/write to these directories. This would allow for systems where even the system administrator may not be trusted by users (to the extent that the sysadmin didn't modify the kernel, anyway).... for example, if the secret key for a user's home directory is their password... then only the user, when he logs in, will be able to decode his files.
All this of course isn't a replacement for good programming practices. But I think it's a good failsafe, in case the usual measures don't stop the bad programs.
#!/bin/sh
# Stop at the first failing command so a failed mktemp never leaves
# the later commands writing to an empty path
set -e
# Keep the apt cache current
apt-get update > /dev/null
# Update the dselect cache from the apt cache
TEMPFILE=`mktemp /tmp/apt-update.XXXXXX`
apt-cache dumpavail > "$TEMPFILE"
dpkg --update-avail "$TEMPFILE"
rm "$TEMPFILE"
# Remind admin to keep the system current
apt-get dist-upgrade -u --trivial-only
The possible downside of this script is that you'll get notified whether there are any updates available or not. I think that's good (I like being informed that the script is still working), but others may not like this.
Cheers //Johan
Installed the Bubblemon yet?
Given the open source community's focus on fixing discovered problems, quality, and the like, I am really not worried about worms/virii. Hacks/attacks of services, those I sweat a little more..
Where do you want to be, What are you doing to get there.
In the 70s, the Morris worm, remember.
But, unlike Microsoft, we learned. There haven't been because we've realized that security is not point-and-click but actually takes brains to implement.
There is the very cool Rule-Set Based Access Control System, which allows you to erect any access control model you can think of (and write a module for, if it's really custom).
My exception safety is -fno-exceptions.
And beyond the problems with the C API, buffer overflows or other related memory problems are possible if a coder makes any mistakes concerning pointer arithmetic, array sizes, printf()-style formatting, sign mismatch on arithmetic, etc, etc.
The fact is that C is just not a good language for writing secure applications (or indeed, most any applications, IMHO).
Nevertheless, until a mature alternative is available (probably Java, although it is only a marginal improvement), secure applications must be written in C, because while C does not provide you any help in terms of reliability or security, it is at least possible to ensure that your application is safe if you are willing to expend the effort in design and follow the current best common practices for writing secure applications.
Please do use chroot(), setuid(), and drop permissions though. ;)
I guess disconnecting every Unix box from the net would solve the problem in that very few Unix boxes would get worms. Of course, not having a working internet anymore could be a bit of a handicap, sort of takes the sting out of not being able to connect to it...
Got time? Spend some of it coding or testing
I've seen several reactive programs on FreshMeat which respond in various ways to attacks like CodeRed (finding and emailing the administrator is typical), and similar PHP packages released through various sites.
I've also seen several which fight back (note the lack of URLs at this point) and one system which uses spare machines to absorb TCP connects from infected hosts and keep them alive to gobble up sockets on the attacker and lock down the attacking threads.
It wouldn't be a big step from there to send back a payload which locks down the attacker, which then waits to be attacked so it can respond in turn.
Got time? Spend some of it coding or testing
I work as web dev. & sys admin. at a magazine publishing house. Before I run any content on the site I send it to an editor. Hey, the grammar, syntax, spelling and style are important whether you're writing for silicon or carbon based interpreters.
I'm not really a web designer, I just play one on the Internet.
Well, you seem to have a great deal of knowledge as to the origin of all of the windows exploits. You must be a 'real' expert. Consider this: as tech support for a major Canadian ISP, I daily talk to people with infected IIS machines; they have NO CLUE what IIS is or if they are running it. Should they be running Win2K or NT? Probably not. Should IIS be running by default on their machines? Definitely not!!
Code Red and Nimda are easy exploits because Microsoft does little to provide security in their OS's or any of their work. MS focuses far too much on glitter & glamour.
Your 'Case In Point' itself further goes to show the ineptitude of MS with respect to security. _IF_ Nimda (which appears to be) is a slightly modified version of Code Red, then what did MS do with their 'patch'? Obviously not much. If MS gave half a damn about security Nimda would NEVER have existed.
If you spent half a day 'cleaning' your friend's machine, did you spend even half a minute teaching them about security of their now 'clean' machine? Is it still running IIS? Did they even know it was running? Why, if they are not competent enough to clean their own machine, are they using W2K? Did you 'give' them a copy to try out? Do they still open executable e-mail attachments? Is Windows Scripting Host still available to Outlook or Outlook Express? After cleaning their machine did you then visit 'Windows Update' to apply other neglected security patches? If you are acting as sysadmin for them now, were you then a negligent sysadmin prior to their system being infected?
You might consider how revealing your comments can be about your own level of intelligence, before posting.
What's old, clunky, and insecure about inetd?
"The price of freedom is eternal vigilance." - Thomas Jefferson
2 comments you made really stuck out.
>>Why, if they are not competent enough to clean their own machine, are they using W2K?
First off, mr. phone jockey, this friend is a med student, not a CS student. Tell you what, next time you're bleeding from the gut, just ask one of your tech support buddies to fix you up.
>>You might consider how revealing your comments can be about your own level of intelligence, before posting.
You might consider what shame you bring down on your country by playing into the canuck stereotype of "All canucks are egotistical assholes".
Actually, a Kids in the Hall skit said it best: "Without your queen, you're just Americans". I think you hit your head one too many times with a hockey stick, you hosehead.
Anyways, slashdot is a democracy, and protected by free speech; we're supposed to comment on articles, and each other's posts, not throw personal insults at one another.
--toq