Is the Unix Community Worried About Worms?
jaliathus asks: "While the Microsoft side of the computer world works overtime these days to fight worms, virii and other popular afflictions of NT, we in the Linux camp shouldn't be resting *too* much. After all, the concept of a worm similar to Code Red or Nimda could just as easily strike Linux ... it's as easy as finding a known hole and writing a program that exploits it, scans for more hosts and repeats. The only thing stopping it these days is Linux's smaller marketshare. (Worm propagation is one of those n squared problems). Especially if our goals of taking over the computing world are realized, Linux can and will be a prime target for the worm writers. What are we doing about it? Of course, admins should always keep up on the latest patches, but can we do anything about worms in the abstract sense?" Despite the difficulties in starting a worm on a Unix clone, such a feat is still within the realm of possibility. Are there things that the Unix camp can be learning from Code Red and Nimda?
What smaller marketshare? Check out the Netcraft survey if you don't believe me. I think better programming is the reason we aren't seeing any worms targeted at Linux web servers.
-- Give me ambiguity or give me something else!
The UNIX world already had a worm that recursively exploited security holes and spread, back in 1988.
THAT was the worm to learn from, not Code Red!
Worms aren't just a Microsoft thing. You should know (remember?) that the first worm ever written infected many *NIX systems (and the net in general) quite badly.
The only thing stopping it these days is Linux's smaller marketshare.
That, and the fact that MOST *nix users/admins tend to be a bunch of computer dorks, like us, and will be sure to stay up to date on security concerns, or at the very least, clean their system of the worm in a timely fashion.
Don't Tread on Me
Even if Linux gained market dominance, it wouldn't quite be the monoculture that Windows is. There are many distributions of Linux, which put important files in different places. This isn't insurmountable but it does make writing a worm capable of running rampant a wee bit harder.
Also, it's my experience that (for now) people who set up Linux to run on the net are a little bit more clueful than NT administrators. NT seems to encourage the idea that any moron can run it because it's point and click. This isn't true; it takes more work to effectively admin an NT box than a Linux box.
There have and will continue to be worms. Worms are most successful at any point of monoculture. (sendmail; bind; IIS) The solution, then, is not dominance... but diversity.
People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
Or any other form of auto-updater. Remember, Code Red and Nimda used holes that were patched months ago.
Patch the holes that are inevitable. Patch them early.
Just read this and protect yourself.
This is a pretty pathetic ask/.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Unfortunately, doing constructive work (i.e., fixing the security hole) is always more difficult than doing destructive work (e.g., rm -rf /). But worm/virus writers seem to have plenty of time on their hands...
The only thing stopping it these days is Linux's smaller marketshare.
I thought Apache had a majority share of the web server market. One that has been hit by worms, and those worm writers usually choose IIS despite its smaller market share.
It could be because IIS has more exploits...
Yeah. It was the classic example that we studied in my Computer Ethics class. Sounds sort of like the Nimda worm in that it had four different methods of spreading. The only thing that stopped it from being even worse than it could have been was a programming error that caused it to fill up memory and eventually cause the infected machine to crash.
science is a religion
Okay, here I go, proving my lack of server programming skilz: is it really so hard to prevent buffer overflows? Why does the length of a URL (for example) ever cause a server to crash?
It seems like every time you get input from the outside, you would only accept it in segments of a known length, and whatever was longer would just wait for the next "get" or whatever. At least this is the case in my (obviously limited) socket programming experience. So when some program is hit with a buffer overflow error, does the team of programmers smack their collective head and say "d'oh"?
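The question above (why an over-long URL can crash a server, and whether reading in known-length segments fixes it) in working form. This is an added example, not code from the thread; the buffer size, function names and the "414" convention are this example's own.

```c
/* Added example: the fragile copy a server might do versus a bounded one.
 * URL_MAX, parse_request_unsafe, parse_request and read_request_line are
 * names chosen for this example. */
#include <stdio.h>
#include <string.h>

#define URL_MAX 256   /* fixed-size buffer, as a server might use */

/* The fragile pattern: the code trusts the network to stay short.
 * strcpy() copies until it finds a NUL byte, so a request line longer than
 * URL_MAX-1 bytes writes past the end of the destination (stack corruption,
 * a crash, or worse).  Shown for contrast only; never called here. */
int parse_request_unsafe(const char *line, char *buf) {
    strcpy(buf, line);         /* no length check at all */
    return 0;
}

/* Bounded version.  Network data is not NUL-terminated, so the length is
 * passed explicitly.  Input that does not fit is rejected before anything is
 * written; silent truncation is avoided because a truncated URL can mean
 * something different from the one the client sent. */
int parse_request(const char *line, size_t line_len, char *buf, size_t buf_size) {
    if (buf_size == 0) return -1;
    if (line_len >= buf_size) {         /* would not leave room for the NUL */
        buf[0] = '\0';
        return -1;                      /* caller answers 414 URI Too Long */
    }
    memcpy(buf, line, line_len);
    buf[line_len] = '\0';
    return 0;
}

/* Reading "in segments of a known length", as the poster describes: fgets()
 * never writes more than 'size' bytes.  A segment that did not end in '\n'
 * means the line was longer than the buffer; the rest is drained so the next
 * read starts on the next line, and this request is refused. */
int read_request_line(FILE *in, char *buf, size_t size) {
    if (!fgets(buf, (int)size, in)) return -1;
    size_t n = strlen(buf);
    if (n == 0 || buf[n - 1] != '\n') {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') ;
        return -2;                      /* over-long line: reject */
    }
    buf[n - 1] = '\0';
    return 0;
}
```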
Now, this doesn't alleviate all the problems of course, because even with "normal user" access a person can still do some damage. The web pages are probably owned by that normal user, so with normal access a person could alter your content. The normal user could set up cron jobs for himself such that he attacks other machines later, and thus you can still get propagation without root. So this still leaves open the possibility of having DNS attacks (since being a part of the attack doesn't require root privileges, just any user will do.) But it doesn't really leave any way to mess up the target machine permanently. You couldn't alter the httpd program, for example, since it isn't owned by the same user as the user ID it runs under.
At worst, you lose the web pages themselves, but most likely you have those copied over from some other location as part of your "I'm going to edit in a scratch area and then install these changes for real after I try them out" technique.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
It's "relieve."
It's "a need."
ahem....
-Restil
Play with my webcams and lights here
Let's face it, Linux comes and has come with ipchains and now iptables for firewalling, and many other UNIX flavors have similar features. Linux and the UNIX community think about things like proxy firewall combinations, where Windows is only now starting to think about this. It is not until the release of XP (or the anticipated release, as it is not out) that Windows is by default including a firewall.
People in the unix community also tend to be more aware of what is going on on their system. They have logs and there are tools to view them.
While I do not dismiss the possibility that if Linux / UNIX got to be as popular as Windows then there would be more 'attempts', I think that because of the nature of Linux you would have a much harder time of spreading a worm like Code Red.
A good UNIX administrator is going to spend time in configuring his web server and securing it. If they do not think about this then they are no good.
If you are wondering how secure your computer is, try these two sites. They'll help, but don't try this at work or you may piss off your admins. https://grc.com/x/ne.dll?bh0bkyd2 or http://scan.sygatetech.com/
Only 'flamers' flame!
Certainly the robust UNIX security model is one reason we haven't seen as many worms. The strategy of creating a separate "www" or "http" user to run Apache, a "db" user for the database, etc., is common and very wise. If somebody co-opts your web server, at least it can't wipe your db. It still has weaknesses -- it's sometimes necessary to grant more permission to certain users/processes than you might like, and it requires a lot of vigilance from sysadmins, but it works quite well.
I wonder if there isn't a way of generalizing this to allow more sweeping, more generalized expressions of security rules. A UNIX install has soooo many little apps, and so many points of contact for everything, it's sometimes hard to say "I want all apps that could access X to have permissions Y, or go through acces point Z." TCP wrappers are a good example of the kind of thing I'm talking about -- they provide a single point of access and control for all things TCP, and they make it much easier to set up very broad rules that you know cover all possible cases.
Am I making any sense here? How might an OS take on this issue in the general case? It seems like one next logical step for UNIX security.
Microsoft systems are more susceptible to worms (IMHO) because the level of computer knowledge is way higher for Unix users than it is for Microsoft users. I mean this sincerely, and not just as flamebait.
Consider how many Unix users would actually just open their emails and run attachments blindly. I would venture that there are a ton more Microsoft users that actually do just that!
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
what difficulties?
whenever an inexperienced user brings up a redhat 7.0 or lower box on our network, it is exploited within 12 hours. within 24 hours i have received email from admins on other networks informing me that the redhat box has been probing their network. 1 minute later i have informed yet another user that it takes more to do my job than booting off of cd and following instructions on the screen.
someone out there has already taken advantage of the various vulnerabilities found in older distros.
lessons learned? i am reminded of something my brother told me:
Having your own box appeals to the pioneer spirit: your own plot of land to develop as you please, fighting off the savages, protecting from the elements.
In other words, every time you run software which other people will somehow have access to (users running desktop software, server software connected to the internet , etc) you will need to constantly monitor and upgrade that software.
-f
www.blackant.net
Let's not forget that what was probably the first worm, the Morris Worm, was released on Unix machines. I don't remember the year, but it was in the early days of the Internet when about all there was out there was Unix and VMS. The lesson that the Unix community took away from this and other incidents was that they needed to secure their machines and tighten up code. The point here is that no system is immune. When I first started out in the Internet field, almost all attacks were launched against Unix and VMS machines because that's about all that was hooked up to the Net on a constant basis. So, don't get smug just because Microsoft is victimized today. After MS dies a fiery death, something else will become the dominant system on the net and that will be the most attacked system.
Fortunately the default installs of most of the mainstream distributions are getting more secure as time goes by. And while RedHat traditionally isn't quite as easy to set auto-updating up for as Debian is, it's still pretty easy to keep up with the security patches for it. I'd really like to see the package maintainers package at least some of the more traditionally insecure packages (*Cough*Bind*Cough*) in ultra-paranoid configurations, say, statically compiled and chrooted. It hasn't been enough of an irritation for me to go do it myself though.
We all pretty well know, though, that security is more what the user does with the OS rather than how inherently "secure" the OS is out of the box. FreeBSD is by reputation one of the most secure OSes available but I could take that thing and install a bunch of servers with holes in them and be no better off than if I was running Windows 2000 doing the same thing.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I think that people could probably find exploits in Apache, Sendmail, etc... probably a lot easier since they can scan the sourcecode. From what I have read though, most of these worms & virii are not very complicated and are using relatively easy to exploit holes in M$ products. Most of these holes exist since M$ is trying to make life easier on the user by doing work behind the scenes (such as automatically calling an IE dll to render an HTML email). As work continues on desktop environments such as GNOME and KDE, I think that it is not unreasonable to expect to see exploits in those products being used. But since M$ products dominate the desktop market, I expect to find most people writing worms&virii for M$ environments.
Now accepting sig suggestions.
If someone goes through the trouble of downloading/buying Linux and setting it up as a public server they're probably a lot more computer literate than most Windows users. They certainly would understand the need for patches and probably read some kind of Linux news site to keep up.
Now if Linux had windows' market share, it would have to come pre-installed with a new PC and not require the user to do much more than just use the GUI. Which is fine as far as I'm concerned, but we can also assume a Linux dominated universe would be full of unpatched servers too.
Maybe untreated Windows exploits are heading toward extinction. It's easy access to the internet that has created such a huge market for anti-virus software. Maybe we'll start seeing Windows shipping with an MS or a third party patch manager in the near future. Or something like NAV with a patch checker. "No viruses found, you are open to these attacks, please go to this URL to download the patches."
Why do you think it's harder to create a *nix worm? I mean the basic principles of worm propagation work under any platform if there are any security holes. Certainly *nix does occasionally suffer from security vulnerabilities, if perhaps less than Windows. Look at the Ramen worm that was going around recently. I STILL get scans on my box for that vulnerability. Certainly the scale is less dramatic because of the fewer *nix systems out there, but it's not like writing a worm for Unix is somehow more difficult than for Windows.
This sig has been temporarily disconnected or is no longer in service
Is it that the username might be 8 unicode (or other multi-byte format) characters?
Just a quick hunch...
If someone doesn't patch their Windows systems why would they patch their Linux systems? Doesn't matter if the patch is out 2 seconds after the bug is revealed if the admin doesn't take notice and act.
Worms are definitely a problem on all platforms. But the *nix world has a bigger advantage over the Windows world. In our world, code is written with lots of thought towards quality and strong design. Windows, well, is questionable. Certainly *nix has exploits, but those that exist require a GREAT deal more skill to exploit than those that exist for Windows. Therein lies our safety net.
Most people who have the skill to code worms for more secure and robust *nix platforms are probably mature/responsible enough through their experience to not do something so utterly foolish. However, if they do decide to do so, they end up trying to do a positive thing for the community! (Anyone remember those Linux worms that FIXED the exploits they took advantage of before moving onto the next box and cleaning themselves up?) Besides, look at the very few malicious worms we have seen for *nix platforms. They didn't last long. The OSS community has a VERY quick response time to big problems and the admins are generally more skilled and knowledgeable about applying patches.
I say, let's enjoy this while we can. It's kind of amusing to see MS admins scurry around, trying to stick fingers in all the leaks. It's risky to say "it serves them right", but that's for only weighing mundane factors in deciding what platform to use. And for those companies that reject OSS products, well, they get what they deserve for thinking "stuff that doesn't come from a company mustn't have any quality". Pah. Worms with the scale of NT aren't a concern for us. Let's parade this around as a reason to support and use open software.
Why bother.
IIS does have a smaller market share in terms of commercial websites out there. However, there are lots of clowns at home on DSL or cable who are running win2k.
Many people run IIS without knowing it, so i think there are much more vulnerable machines out there than just the webservers.
Granted, IIS probably does have more exploits, but the real problem is that windows users usually aren't on top of patching them up. There are plenty of exploits out there that exploit linux, but there aren't as many issues because admins patch regularly, and the smaller market share.
Captain_Frisk
Actually, it would probably be easier to attack UNIX with a worm. There are more UNIX machines out there than Windows machines, and most of them are probably just as poorly maintained in regards to security.
So why don't people write more UNIX worms? I think the first big problem with a UNIX worm is the portability problem: getting a worm that runs well on all of the different CPUs, UNIXes, Linux distros, etc. out there would require a pretty badassed coder. Anyone good enough to do so probably wouldn't waste his time on a worm since he could get paid obscene amounts of money for coding something more productive.
On a more positive note, I think worms generally target Windows because computer users in general don't really like Windows. Jokes about Windows being unstable/buggy/insecure/slow have gone from being a subset of geek culture to a repetitive theme in popular culture. People run Windows mostly out of necessity, because it is the only desktop OS that provides access to a large variety of commercial software, and runs on cheap, non-proprietary hardware. People who use UNIX do so because they want to, and they like doing it; therefore they are less likely to produce something as random as a worm. (I am leaving crackers/s'kiddies out of this as they have far different motivations.)
But it's not, in web server market share. Last time I looked, Microsoft had under a third of the market.
The basic problem is that it's a very complex task to make things look and feel simple to the end user. Because of that, the Microsoft server is a great deal more complex than Apache. And it exposes more services, which to an Apache user would be installed on a case by case basis. Note that the problems we've seen in IIS are generally caused by auxiliary stuff like the Index Server. That exists to make things easy, yes. But it also increases complexity, and whenever complexity goes up, the possibility of there being holes goes up even more.
Hope that helps.
D
Very good virus protection is already available for Linux. Check out AVP.
load "linux",8,1
While client market share for Windows is undisputed, Apache has close to 60% of the web server market. I haven't received a single readme.exe attachment.
Current Nimda stats are:
26900 attempts on 2 servers.
Apache (on *n*x, anyway) is not vulnerable to worms in the same way IIS is since it runs as notroot.somegroup. The only thing an Apache web server worm (on *n*x) could do is muck up the web server.
*n*x mail clients don't (at least yet) do a
file this_attachment
if file is ELF, or a.out
chmod +x this_attachment
execve this_attachment.
This isn't to say *n*x is immune. Just why Win* is not. Not because of market share.
www.dedserius.com
VB != VisualBasic
You could call it marketshare.. but the worm problem really isn't about an OS.. it's about individual applications and technologies.. the environments the worm can flourish in. A cross platform worm is entirely possible.
As for our 'goals'.... whose goals are those? Who wants Linux everywhere? Use the right tool for the right job. If MS actually made something that was better for a job, I'd use it. (IF.. big IF)
The biggest obstacle, AFAICT, is making solid security Ease-Zee.
Certainly many commercial outfits haven't successfully solved this problem yet and there are still plenty of opportunities for spoofed trojans with fake internal certifications.
I mean, when I download a package, it usually contains its own references to valid signatures, etc. Or, the md5 signature is kept in another file, but on the same ftp server.
Better are package maintainers that digitally sign their products. I'd like to see more of that, maybe in conjunction with multiple certifying authorities that can verify the signator's credentials. I don't need a system that compromises the anonymity of me or the package writer - just something that verifies that a package originated with a consistent unique individual.
Do modern CD distros of GNU/Linux and other OS come with anything like a set of multiple certifying authorities where package writers can register signatures in multiple places to minimize the chances that a fake can be passed off on innocent downloaders?
"Provided by the management for your protection."
Rest easy. Yes, Unix can have worms and in fact it has happened.
This worm was fixed about as quickly as possible. The only real problem was getting the fix out, as the worm had seriously disrupted the primary means of getting the patch out.
The time delay for Microsoft patches is a great deal longer and is due to development delays, not distribution delays.
There is also a delay due to NT admin fears the patch may disrupt the system. I doubt this is a realistic fear but I have heard it once or twice. I think this is more or less the end result of the ignorance Microsoft promotes among NT admins. That ignorance is probably responsible for more problems than the software itself.
In short, once a worm is created and known, it should be a short time before a bug fix.
But not blindly....
The reality is worms are a low likelihood. You should stand ready for a whole range of issues; worms are in the bag.
Viruses are even less likely and nearly impossible. However IF we go getting paranoid about worms to the exclusion of all else... Viruses viruses viruses... because we are looking the other way.. won't you feel dumb..
Keep an eye, do the maintenance, read the logs, read Slashdot, Bugtraq and so on.. keep an eye on the issues related to your system.
Worms aren't the only problem. They are an issue. They aren't the only issue.
Just don't get caught with your shorts down.
And... don't wait for someone to fix it... yeah it'll happen in 10 or 20 minutes (vs the 10 to 20 days for Microsoft) but as we learned with the last Unix worm..
Min 1. You learn about defect
Min 2. You look for someone fixing it
Min 3. You find someone
Min 4. You wait
Min 5. You wait
Min 6. It's done.. you download
Min 7. You're still downloading
Min 8. Hmm the network seems a bit slow.. you're still downloading
Min 9. Why is the network slow?
Min 10. You're crashed... you got the worm before you got the patch... you lose, try again..
If someone fixes it first.. hooray... if not.. don't wait...
However remember this stuff requires a major defect in the system to work. It'll only affect one platform and only one version of that platform.
(With Linux it'll hit many distributions unless it's a distro screw up and not a real software defect..)
I don't actually exist.
I've never seen an Apache server running as root (except for the initial start-up process). Even in my greenest sysadmining days, I never set up Apache to run as root. And believe me, I did some dumb-ass things.
With no guarantee of any given system calls, any given system libraries, any given applications, any given directory structure, any given TCP/IP stack, any given version of any given implementation of any given service, any given architecture or any given dialect of any given scripting language, worms have a limited scope to work with.
The "Original" Internet worm was so dangerous, because at that time there was less diversity. Certain standard daemons were virtually guaranteed to be running, for example, built from basically the same source.
Therein lay the danger for Unix - without diversity, a single virus or worm can cause untold damage. If it can affect one machine, it can affect many.
(Biologists have woken up to the same lesson. For years, it was preached that simple systems were more stable than complex ones, but it was learned the hard way that that was not the case. Biodiversity offers protection, because it inhibits the spread of hazards. By making it non-trivial for an infection to pass on, you could guarantee that real-world viruses were self-limiting in scope.)
Linux is relatively safe from virii and worms, for that same reason. There is sufficient diversity to ensure that propagation is non-trivial. The very "irritation" that turns away so many is Linux' greatest shield. With Windows, it's trivial to infect a registry, because there is only one and there's a standard way to access it. Linux has many "registries", and much code that people use won't be registered anywhere at all.
Then, there's libraries. Windows 9x uses certain very standard libraries. If it's a 9x OS, you know what you can expect. For Linux, you've got elf & a.out formats, libc5, glibc 2.0/2.1/2.2, XFree 3/4, Bind 4/8/9 (or any number of alternative resolvers, including the one built-in to glibc), etc. You really don't know what to expect.
Scripting languages? There's no telling WHAT anyone'll have. The only thing you can be sure of is that there will be a
To stay resident, the virii or worm also has to find a place to stay. Not easy to do, with Linux. With Windows, you've a choice of FAT16 or FAT32. Oh, and maybe NTFS, if you're using NT. With Linux, you could be using almost anything. Sure, people will probably use what's installed as standard, as FS migration is non-trivial, but that still leaves ext2, ext3, reiserfs or XFS, all of which one distribution or another uses.
Finally, there's security within Linux. But which security are you using this week? There's GRSecurity, LSM/SELinux, RSBAC, POSIX ACLs, various other ACL implementations, socket ACLs, and any combination of the above.
Oh, and that's not including intrusion detection software, honeypots, firewalls, and all sorts of other similar code.
In short, you can envisage a worm or virus which affects Red Hat 6.2 / Intel distributions that use the standard libraries and kernel. But you can't have a worm or virus which affects ALL running Red Hat Linux boxes - the variation is just too great. It gets much worse when you talk of all Linux boxes, and many many orders of magnitudes of absurdity greater when you talk of all POSIX-compliant UNIX kernels.
To answer the original question of "is the Unix community worried about worms", the answer is "that depends on how homogeneous any person's network is". The "worry" level will probably be about the same as the homogeneity level.
As for the community at large, the answer is probably "no". The community at large has such a high level of diversity that there is no single threat which could affect every system (or even a significant fraction of them).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
not to mention that unix operates on a different paradigm than windows. this paradigm operates on all levels from program design (automatic execution of arbitrary code sent to you from an arbitrary source) to general security within unix (the concept of a single user with administrative rights which the user does not always operate as).
-- john
I think that it would be *possible* to write a worm targetting Linux machines right now, but it probably could never spread as quickly as the recent MS-specific worms we've seen. Even though many (most?) Linux distributions come with some relatively serious security flaws out-of-the-box, Linux is still a "geek OS". The average Linux user hopefully knows enough to apply most of the critical security updates, and won't be running too many unneeded services. Add to that the fact that while growing, there still aren't *that* many systems out there running Linux, and I'd say that the density of vulnerable Linux boxes out there is so low that a worm would have a difficult time spreading.
As far as the future goes, though, unless the various distributors become more and more security conscious (I believe that they are doing this), we may be at risk. Doing such things as running potentially vulnerable services as their own userid, turning off unneeded ones, and only opening ports with an actual service that needs it open to the outside may seem like common sense to hopefully all of us, but these are things that distributions should automatically do for the newbie users.
It's only software!
How quickly we forget that Linux too is vulnerable.
I'm much more worried about rabies and distemper.
No one runs *nix as root.
:) ).
No, they don't. But many, many daemons and other long-lived processes run as root.
A quick scan of the processes on my machine right now shows kdm, X, kppp, pppd, cupsd and a few others.
On our production servers at work, resin runs as root - I have been reliably informed that it has to (at least, I assume our systems team are reliable - they were rather upset when two of us demonstrated ftping a file onto the server that allowed arbitrary commands to be run
Just because there's no-one sat at the machine, launching xterms and applications as root, doesn't mean that there isn't a whole bunch of stuff running as root. A single buffer overrun exploit in a network-aware daemon running as root, and your machine is wide open, if you're not behind a firewall.
Cheers,
Tim
It's official. Most of you are morons.
Hello?
Ramen? 1i0n? Adore? Sound familiar? It's far from the "realm of possibility" - they've already been done. And these worms haven't been eliminated, either. I work in network security, and I see SunRPC scans and DNS scans, and a whole slew of different kinds of scans on my network *several times an hour*. Yes folks, *hour*.
The fact is, people are running unpatched systems. And yes, a good majority of these systems are running Linux. The fact that the scans aren't letting up says that administrators:
A) Are too ignorant to know there's a problem
B) Too ignorant to fix the problem
C) Don't give a shit.
The thing is, the Open Source community is quick to act on these security problems and crank out a fix. In the case of Microsoft, the worms are usually a lot more destructive, thus, they receive more attention.
It's quite sad when people can't patch a two-month old exploit, however.
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Now that would be an achievement. If you found a hole in Linux/BSD and found one in Windows (no biggie), then try for either platform. And have that platform try for either platform. Nimda, from what I understand, took a step in this direction in that it went out with e-mail and http.
About the only worry I have about worms is all the impact on the network as a whole and the PITA my job is whenever one gets out.
Is the Unix Community Worried About Worms?
If some of you hardcore *nix users would take showers more often than major holidays this wouldn't be an issue.
Those of us who have to sit in stuffy cubicles within a 10' radius of you thank you for your consideration of this matter.
Despite having seen it stated several times here, the RTM internet worm of 1988 was NOT the first worm. It wasn't even the first worm to crash machines, or the first network distributed attack...
In 1980 Xerox Parc published a paper called 'Notes on the "Worm" Programs -- Some Early Experience with a Distributed Computation' by John F. Shoch and Jon A. Hupp. This describes some WORM programs that were written at Xerox PARC and used for useful things. Unfortunately an error in one of their programs caused a lot of dead machines.
I think that the BITNET christmas card "virus" of December 1987 predates the Morris Worm of 1988. This was more of a trojan than a worm, but when you ran the "card" it mailed itself to everyone it could.
Neither of these was Unix based.
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
- Linux has a greater variety of software. Look at mail servers; we have exim, postfix, qmail and sendmail. A vulnerability in one cannot (easily) be exploited in another. The single largest target is Apache, which is by far the most popular web server software (with good reason; it is of very high quality). However, Apache has had almost no serious security flaws that I can think of; most exploits against Apache have exploited password sniff attacks or poorly secured applications hosted on the system, not targets for worms.
- On similar notes, even if linux/Unix takes over the world, there is likely to be a greater diversity of OS versions. At the current time, I can't see linux wiping out Solaris and AIX for a few years; I can see them coexisting and hopefully taking back ground from Windows, however.
- Even if linux takes over, wiping out proprietary Unix, there are still likely to be different hardware architectures in use (eg, x86, Itanium, Sledgehammer, SPARC, PPC, S/390) limiting the impact of a worm. By contrast Windows is x86 only (at the current time, although Itanium may come in soonish) which provides easier spreading of worms.
- While many MS server programs run as system or equivalent "super-user" type user ID's, many linux programs spend most of their time running as a non-privileged user (eg, apache runs as nobody or www, qmail runs as various uid's). Thus, the effect of an exploit is greatly lessened. The use of tools like chroot can also help lessen any impact (although chroot is not a foolproof solution).
- *nix worms have already hit; Solaris had the sadmind worm, linux had lion. They hit for the same reasons Code Red hit; unpatched systems. These had less impact, but it has to be asked whether that was due to lower market share or better security policies of administrators.
There is the potential for these worms to hit, but I think the general architecture of linux and the diversity in applications should help to lessen the impact of such worms.
Were you dropped when you were little? Your conclusions are pretty ridiculous. You're equating that open source projects must be of higher quality because there are more people working on them. Completely ignoring the fact that not all programmers have the same capabilities. To use your natural selection analogy in a correct fashion, corporate development houses have to operate within margins. This means they have to produce a product garnering so much return for so much effort. Thus the developers they have are very highly skilled because it does not make economic sense to have a bunch of shitty programmers. If good programmers produce bad software it is usually a management issue. Non-professional developers are a much wider swath of skill levels. Most aren't good programmers in any sense while others are exceptional, usually due to professional training and experience. The other aspect anyone has to regard is reliability. Are you going to wager millions of company dollars on the work of volunteers with schedules that are impacted by their own jobs and even at times school? Well you probably would because you're mentally retarded.
I'm a loner Dottie, a Rebel.
I think one of the reasons that Linux/BSD/etc are more resilient than MS OS's is that there is much more diversity in the open-source gene pool. There are so many Linux distros, BSD variants, installation options, etc. that a worm might have a hard time propagating for very long, due to the high variability among servers.
MS OS's, on the other hand, install to almost exactly the same configuration every time, and users don't usually bother to change many options. And there are only a handful of MS OS's, compared to open-source land.
In the wild, hybrids seem to be more resistant to disease, more adaptable, and generally hardier. Linux/BSD are mutts.
Error: Unjustified statement. Requires backup evidence.
Following these steps, I think that distributions will be fairly safe from any discovered server vulnerabilities, and probably most client-side ones, as well.
How exactly is my reply offtopic? Moderators on crack again, I suppose. My point was this:
Someone will write a worm that attacks not only Windows, but all variants of Unix as well. It will keep a database (or even download the information temporarily from a website) of exploits.
My point was that it would be a big (as in file size) worm, and then I added a little bit of humor at the end.
Do you like German cars?
I really love the "my answer to a Linux exploit is apt-get update" posts. Nothing like trusting a completely automated process to solve all of your problems. All it would take is a nice little bit of malicious code in some header to fuck a bunch of people over. If you're not going to review the code before you install it why the fuck are you so anal about using open source software?
I'm a loner Dottie, a Rebel.
Don't be a fucking moron by insisting that a bunch of developers looking at code is going to default make a better project. You seem to ignore all of the open source software which just sucks fucking dick. All of the core GNU tools were written by professional code writers who knew what they were doing. The more brains on the ball as you say solve no problems if none of the people know what they're doing. Where do you think people who know what they are doing get their experience from? Sorry but school don't teach you shit about real programming.
I'm a loner Dottie, a Rebel.
maybe that should be a standard service? add the ports exploited to tarpit.rc ..
of course that wouldn't solve much but it would be something to start with.
You are right - next time, the worm author might do something different just to make sure LaBrea isn't nearly as effective. For instance, by keeping track of how long it's taken to do its job, the worm may just abort the thread if it takes, say, 20 seconds to send over part one of the exploit. LaBrea becomes a small slowdown then.
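The exchange in the two posts above (a tarpit holding a worm's connection open versus a worm that gives up on a connection after a fixed time) as an added example in Go. This is my code, not anything from the thread and not LaBrea itself, which stalls the peer at the TCP window level; here the tarpit is a plain user-space stand-in that accepts a connection, drains whatever arrives and never answers. The scanner side is one propagation thread: connect, send a request, wait for a reply. With no deadline the thread hangs for good; with the per-connection deadline the post describes, each tarpit address costs the scanner only that long and the sweep moves on. The names (HoldConnection, Probe, Sweep) and the in-memory net.Pipe transport are my assumptions, chosen so it runs without opening a port; replace the Dialer with one wrapping net.Dial to try it against a real listener.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Dialer abstracts how the scanner reaches a target, so the same Probe can
// run over a real net.Dial or the in-memory pipe used here.
type Dialer func() (net.Conn, error)

// HoldConnection is the tarpit side: it drains whatever the peer sends and
// never answers, so the peer's thread stays parked until it gives up.
func HoldConnection(c net.Conn) {
	defer c.Close()
	buf := make([]byte, 4096)
	for {
		if _, err := c.Read(buf); err != nil {
			return // peer closed or timed out
		}
	}
}

// RespondConnection is an ordinary server stand-in: read the request, answer.
func RespondConnection(c net.Conn) {
	defer c.Close()
	buf := make([]byte, 4096)
	if _, err := c.Read(buf); err == nil {
		c.Write([]byte("HTTP/1.0 200 OK\r\n\r\n"))
	}
}

// PipeDialer returns a Dialer whose every connection lands on handler,
// over net.Pipe (no port is opened). Assumed helper for the demo.
func PipeDialer(handler func(net.Conn)) Dialer {
	return func() (net.Conn, error) {
		client, server := net.Pipe()
		go handler(server)
		return client, nil
	}
}

type ProbeResult int

const (
	ProbeConnectFailed ProbeResult = iota
	ProbeTimedOut
	ProbeGotResponse
)

// Probe is one propagation thread: connect, send a request, wait for the
// reply. With timeout > 0 it abandons a silent peer after that long; with
// timeout == 0 it waits forever, which is exactly what a tarpit counts on.
func Probe(dial Dialer, timeout time.Duration) (ProbeResult, time.Duration) {
	start := time.Now()
	c, err := dial()
	if err != nil {
		return ProbeConnectFailed, time.Since(start)
	}
	defer c.Close()
	if timeout > 0 {
		c.SetDeadline(start.Add(timeout))
	}
	if _, err := c.Write([]byte("GET / HTTP/1.0\r\n\r\n")); err != nil {
		return ProbeTimedOut, time.Since(start)
	}
	buf := make([]byte, 512)
	if _, err := c.Read(buf); err != nil {
		return ProbeTimedOut, time.Since(start)
	}
	return ProbeGotResponse, time.Since(start)
}

// Sweep probes n targets one after another and reports how many stalled
// and the total wall-clock time the tarpits cost this thread.
func Sweep(dial Dialer, n int, timeout time.Duration) (stalled int, total time.Duration) {
	for i := 0; i < n; i++ {
		r, d := Probe(dial, timeout)
		if r == ProbeTimedOut {
			stalled++
		}
		total += d
	}
	return stalled, total
}

func main() {
	stalled, total := Sweep(PipeDialer(HoldConnection), 5, 200*time.Millisecond)
	fmt.Printf("tarpit: %d/5 probes stalled, %v lost in total\n", stalled, total.Round(time.Millisecond))
	r, d := Probe(PipeDialer(RespondConnection), 200*time.Millisecond)
	fmt.Printf("responding server: result=%d after %v\n", r, d.Round(time.Millisecond))
}
```

With the 20-second abort from the post, a tarpit covering N unused addresses costs a single-threaded scanner 20N seconds and a multithreaded one only as many parked threads as it is willing to spend; that is the "small slowdown" the post is talking about, and it is why a tarpit buys time for the admins rather than stopping the worm.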
There's not a 'real' answer to stopping worms and the sort, except for administrator vigilance. No matter what OS you use as a server platform (or a mix of things, like my network), ya gotta be quick with the patches and vigilant with security.
As for reversing attacks, etc - there's some severe problems there. You are attacking someone else's hardware - even if the script kiddie may be controlling it, they may be on someone else's machine doing it remotely. screw up that person's box, and you might have a problem. (Of course, there's other ethical issues here - I'd really like to just view it all as 'self defense' when you throw an attack back at an attacker online. Unluckily, there's no real precedent for that, I'm not sure there should be!)
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
Or any other form of auto-updater. Remember, Code Red and Nimda used holes that were patched months ago.
No way - this is a very bad solution for security. While at first this would seem to be an absolutely good idea, in reality there's a number of really nasty security problems here.
First, it convinces you to be lax about security. I mean, if the Auto-updater is handling the job, you probably won't check it out too closely since it's not necessary. But with patches sometimes comes new holes, and new procedures for properly securing a box. These are jobs that require human intervention.
Second, a new class of exploit comes along - using whatever procedure you can make work, upload a new patch to the ftp server with some less than obvious holes in it. Sure, someone is going to spot it - maybe hours, maybe a couple of days, but it WILL get spotted. As admin, will you know if your box was one that grabbed the bad stuff? (Note, I said upload it to the ftp server, that's not the only exploit - various redirection techniques could be used too.) If tons of people moved to the auto-update idea, there'd be the potential for a lot of exploited boxen quickly.
And third, there's the issue of reviewing patches / updates. Sure, lots of people have viewed them. If it's security related, you should be viewing them too, or at minimum the 'readme' or equivalent.
Fourth, what update time are you planning? Once a month? Once a week? Daily? If it's less than daily, then you've got a problem - if you do grab a buggy version, that gives someone time to attack. And if it's a week before you check again, that means they've got plenty of time to use your machine as a base to launch more attacks from. Plus, once they have the machine, you may only THINK you are still doing updates ;-) (It's always better from the attacker's standpoint to make things seem just fine and dandy :-P )
I'm sure there's a lot more that could be added to this list - this is just the problems off the top of my head. But those problems alone are enough to really screw things up.
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
I sincerely doubt we'd see a very infectious worm like NIMDA even if Linux were a very common OS. A NIMDA style worm that propagates via email clients and web servers faces a bigger uphill battle in the Linux world than in the IIS world. For starters, there are way more semi-incompatible Linux distributions floating around - it wouldn't be uncommon to find a RH 6.x server would it? There's more variation in web servers, too: Apache, WN, thttpd and others all have a presence. That means that the web server vector has barriers to propagation, one buffer overflow won't cause every web server to become a propagation vector. One IIS buffer overflow cause the Code Red worm. There is more hardware variation: Linux runs on x86, SPARC, Mips and Alpha CPUs. Shellcode to run on all 4 architectures would be difficult if not impossible. There are *vastly* more email clients in common use in the Linux world than in the Windows world: mailx, pine, elm, mutt, Netscape Communicator, balsa (?), etc etc. These various email clients don't share a common scripting language, address book, or even a common format for saved mail. Most if not all of them don't "launch" executable attachments. This would lend resistance to the Linux population.
In short, the monoculture of MSFT products (IIS, Outlook, Win32 and x86) is probably at fault for the Code Red, SirCam and NIMDA problem, not mere popularity.
A worm that overpowers apache and executes code on my machine as user 'nobody' (The user my apache runs as) really doesn't concern me. I suppose it could delete most of my /tmp partition.
fictional reprint
A peer of mine is a sys admin for a group of Windows 2002 machines. Once a week AutoWindowsUpdate runs to automatically get all the security updates and install them. This is a check box for him. According to him, it will even download an update to IIS, stop the WebPublishing service, install the update, then restart the service -- all while he twiddles his thumbs and thinks about lunch. With this kind of automation, who knows what kind of holes and backdoors M$ is automatically installing for him, and who knows what data it's sending back? And how does he know that it's not installing a new worm? </fictional reprint> Oh wait, I forgot. It's different when Linux does something.
Vintage computer games and RPG books available. Email me if you're interested.
Most internet connected computers were hosed in 1988 during the Morris worm. But it was mostly just universities and few military.
That's right: marketshare doesn't matter. And here, I'm taking "marketshare" to mean either (a) the number of servers sold or (b) the number of servers running.
The reason why marketshare doesn't matter: every server connected to a TCP/IP network is "touching" every other server connected to that network. Marketshare has no bearing on which servers can possibly infect which other servers in a population, only connectivity does. Essentially, the "population" of unix servers on the internet all "touch" one another, just like the population of all IIS servers "touch" one another.
That said, it hasn't really been a banner year for Linux/Unix/BSD worms. We've seen adore, l1on, cheese, ramen, sadmind/IIS, lpdw0rm, and x.c. Absolutely none of these worms ripped through the Linux/Unix/Solaris/BSD population. This is indisputable. The question is why does one population have resistance, while the other doesn't? I think the answer is diversity on four levels:
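The connectivity point in the post above, and the monoculture argument a few posts up (one IIS overflow reaches every IIS box; a Linux worm's one exploit fits only one distro/web server/CPU combination), can be put in numbers. Below is an added example in Go, mine rather than anything from the thread: a toy scan-and-infect simulation. Two populations of 10,000 hosts, each with 9,000 "servers" in the big camp, so identical market share; in one population those 9,000 all run the same stack, in the other they are split across nine stacks, of which the worm's single exploit fits exactly one. Every host can scan every other host in both runs. The stack names, the 10,000/9,000/1,000 split and five scans per round are assumptions picked to make the curves readable, not figures from the article.

```go
package main

import (
	"fmt"
	"math/rand"
)

// StackShare is one software/platform combination and how many hosts run it.
type StackShare struct {
	Name  string
	Count int
}

// Network is the whole reachable population: any host can scan any other,
// whatever it runs, but the worm's single exploit only works on Target.
type Network struct {
	Stacks   []string // stack label per host
	Infected []bool
	Target   string
}

func NewNetwork(shares []StackShare, target string) *Network {
	n := &Network{Target: target}
	for _, s := range shares {
		for i := 0; i < s.Count; i++ {
			n.Stacks = append(n.Stacks, s.Name)
			n.Infected = append(n.Infected, false)
		}
	}
	return n
}

// Vulnerable counts hosts the worm's exploit works against.
func (n *Network) Vulnerable() int {
	c := 0
	for _, s := range n.Stacks {
		if s == n.Target {
			c++
		}
	}
	return c
}

// Step is one round: the hosts infected at the start of the round each scan
// scansPerTick random addresses and infect any vulnerable, still-clean host
// they hit. Returns the number of new infections.
func (n *Network) Step(rng *rand.Rand, infected, scansPerTick int) int {
	fresh := 0
	for k := 0; k < infected*scansPerTick; k++ {
		j := rng.Intn(len(n.Stacks))
		if n.Stacks[j] == n.Target && !n.Infected[j] {
			n.Infected[j] = true
			fresh++
		}
	}
	return fresh
}

// Run seeds one infection on the first vulnerable host and returns the
// total infected count after each round.
func Run(n *Network, ticks, scansPerTick int, seed int64) []int {
	rng := rand.New(rand.NewSource(seed))
	infected := 0
	for i, s := range n.Stacks {
		if s == n.Target {
			n.Infected[i], infected = true, 1
			break
		}
	}
	curve := make([]int, 0, ticks)
	for t := 0; t < ticks; t++ {
		infected += n.Step(rng, infected, scansPerTick)
		curve = append(curve, infected)
	}
	return curve
}

// Monoculture: 9,000 of 10,000 hosts share the one stack the worm can hit.
func Monoculture() *Network {
	return NewNetwork([]StackShare{{"iis-x86", 9000}, {"other", 1000}}, "iis-x86")
}

// Diverse: the same 9,000 hosts spread over nine assumed stacks (distro, web
// server, CPU); the worm's one exploit fits exactly one of them.
func Diverse() *Network {
	var shares []StackShare
	for i := 0; i < 9; i++ {
		shares = append(shares, StackShare{fmt.Sprintf("unix-stack-%d", i), 1000})
	}
	shares = append(shares, StackShare{"other", 1000})
	return NewNetwork(shares, "unix-stack-0")
}

func main() {
	mono, div := Run(Monoculture(), 12, 5, 1), Run(Diverse(), 12, 5, 1)
	for t := range mono {
		fmt.Printf("round %2d  monoculture %5d  diverse %5d\n", t+1, mono[t], div[t])
	}
}
```

What it shows: the reachable population is the same in both runs, so market share is not the variable; the fraction of scan hits that land on an exploitable host is, and diversity shrinks that fraction. It does not make the vulnerable hosts safe, since with enough rounds the worm reaches every host it can exploit in both runs; it just takes many more rounds to get there, which is the window in which patching and cleanup happen.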
Heh...leave it alone for a month or so (because it's running so well, you don't bother to think about upgrading), and have that be a month with a lot of changes to GNOME/KDE (assuming you're one of the folks who enjoys one, or both of those) -- THEN you'll see some big download sizes.
But you're generally right. Incremental updates to Debian are fairly small - I generally don't see more than 500k-1meg per session - more if I leave it longer (and MUCH larger in the above circumstance of both GNOME and KDE being upgraded!).
Because somebody can. I can blindly trust some anonymous person somewhere who knows that I can't check him; or I can trust a fellow developer, who will get expelled from Debian if he tried to "fuck a bunch of people over" (i.e. accountability.) At least 3 or 4 people see any change that goes into any major program, and any number of people can look at the code, at any time. If you put a back door in, you will be found out, sooner or later, and people will know who did it.
Yes, I know all of these points. I also know that any sys admin worth his salt would never use one. A real sys admin would have a test box, preferably a test lab, and would test each and every patch before ever DREAMING of putting it in a production environment. A real sys admin would also, even after doing said testing, never install off of a third party server. Too untrustworthy. What I was attempting to point out was that if Microsoft did the exact same thing, and I mean EXACTLY, /. would be up in arms.
I'll also point out that I highly doubt that even 95 percent of the Linux User community could competently 'check [the source] out if need be.' There's a big leap between hello world, understanding c/c++ and understanding whatever networking protocol is at hand.
Vintage computer games and RPG books available. Email me if you're interested.
Hasn't anyone ever heard of...
l10n
Adore
Ramen
Et al? These things are rampant and generally attack older Bind, lprng, or wuftpd (Damn those rappers and their shitty FTP server!). Run up2date or whatever your distro uses and you won't get them. Just like running Windows update on an IIS box, really...
That doesn't make the slightest bit of sense. Apache has 2 or 3 times the marketshare that IIS (including derivatives like PWS) has. An Apache exploit comparable to the IIS one would rip through the network like fire and could easily take down the majority of servers. One of the reasons that this hasn't happened is that Apache was coded far more carefully than IIS. Another important reason is that Apache servers are not a monoculture. Apache runs on many different CPU arch's and many different OS's preventing the "One True Shellcode" from working (not that a worm couldn't have a library of shellcode for many different platforms) Permissions on UNIX hosts tend to be slightly more sane out of the box as well, not great but better than the competition.
There have been several RedHat (not Linux or Unix in general) worms recently, but they just weren't that obnoxious (not that there weren't quite a few fire-and-forget RH6.x boxen around). RedHat isn't making the same mistakes again, RH7.x doesn't turn on every installed service by default and optionally can setup firewalling rules that protect your machine from attack. Mandrake has a "make secure" button that does a pretty good job of locking a machine down and distro's like Debian try to err on the side of security whenever possible.
I'm rambling but Unix servers are generally more hostile to attacking worms than other environments. Any monkey can setup an IIS server but the results tend to be slipshod. Any monkey can setup an Apache server as well but the results tend to fare better when exposed to the open cesspool of the Internet.
Blargh
-- Remember: Wherever you go, there you are!
IIS runs as a user other than the administrator, and scripts under IIS run as yet-another-non-administrator user
This is wrong. IIS runs as LocalSystem, which pretty much has full rights to the local machine, and more privs than Administrator for certain things.
There's a good reason for this -- It needs system access so that it can use security impersonation and run scripts as the local user (IUSR_foo or who ever's logged in). The problem is, if someone finds a bug before the user identity is switched, they've owned the machine.
(I think IIS 5 does support non-System users, but you lose the ability to impersonate someone else.)
Whenever I hear the word 'Innovation', I reach for my pistol.
A real sys admin would have a test box, preferably a test lab...
A real sysadmin has to deal with budgets, and can't buy jack. A real sysadmin will then play BOFH and utter the phrases: "Oh, I'm sorry, your files were wiped out, that's too bad. Here, hold this cable, Mr. Boss. Oh, well, I guess had I a couple of test boxes I would have known not to plug a Cat 5 patch directly into 110VAC. Sorry."
Ahem. Sorry for the lapse into fantasy, go on about your business.
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
In any auto-update system, there is a single point of failure... but it is not the server that hosts the update packages, it is the computer that signs the packages! If you compromise the file server, you can destroy the signed packages, but you cannot insert your own malicious packages without compromising the computer with your OS provider's public key.
And this signing computer can be ultra secure. It doesn't have to be on the network at all; a CD writer would be sufficient. It doesn't have to be running an architecture or operating system remotely related to anything else, just something capable of running GPG. You could have it loaded to the brim with intrusion detection software, you could have the entire OS on read-only media, you could do all sorts of things that just can't be done on all the random computers out on people's desks.
Auto-updating does introduce the possibility that a malicious employee could introduce trojan packages... but they could be doing that right now, just as easily, just a little more infrequently. "seineew era sreenigne epacsteN", anyone?
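The signing-machine argument in the post above, as an added example in Go. This is my code, not the poster's and not any distribution's tooling (apt and rpm sign their own metadata formats with GPG rather than the layout here): an offline box signs a manifest of package hashes with an Ed25519 key; the client ships with only the public key, checks the manifest signature before looking at anything else, then checks each download against its manifest entry. Scenario walks the three cases the post describes: an honest mirror, a compromised mirror that swaps a package body under the untouched signed manifest, and an attacker who re-signs a manifest of their own with a key the client does not trust. Package names and bodies are constructed, and the manifest layout is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps package file name to the hex SHA-256 of its bytes. It is the
// only thing the offline signing machine signs; mirrors merely store it.
type Manifest map[string]string

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every package body; this runs on the signing box.
func BuildManifest(pkgs map[string][]byte) Manifest {
	m := Manifest{}
	for name, body := range pkgs {
		m[name] = sha256hex(body)
	}
	return m
}

// Encode is the canonical form both sides sign and verify: sorted
// "name hash" lines, so the same manifest always yields the same bytes.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// Verify is the client: vendorKey is compiled into the updater. It installs
// nothing unless the manifest (as fetched from the mirror) carries a valid
// vendor signature and every downloaded package hashes to its entry.
func Verify(vendorKey ed25519.PublicKey, m Manifest, sig []byte, downloads map[string][]byte) ([]string, error) {
	if !ed25519.Verify(vendorKey, m.Encode(), sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing every package")
	}
	var ok []string
	for name, body := range downloads {
		want, listed := m[name]
		if !listed {
			return nil, fmt.Errorf("%s: not in the signed manifest", name)
		}
		if sha256hex(body) != want {
			return nil, fmt.Errorf("%s: hash mismatch, package altered on the mirror", name)
		}
		ok = append(ok, name)
	}
	sort.Strings(ok)
	return ok, nil
}

// Scenario signs two constructed packages and replays the post's three cases:
// honest mirror (installed), swapped package body (tamperErr), forged manifest (forgedErr).
func Scenario() (installed []string, tamperErr, forgedErr error) {
	// Vendor pair: in real life generated once, offline; only the public half leaves that box.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkgs := map[string][]byte{ // constructed stand-ins for package files
		"wu-ftpd.tar.gz": []byte("constructed package body: wu-ftpd"),
		"bind.tar.gz":    []byte("constructed package body: bind"),
	}
	m := BuildManifest(pkgs)
	sig := ed25519.Sign(vendorPriv, m.Encode()) // done on the offline box
	if installed, err = Verify(vendorPub, m, sig, pkgs); err != nil {
		panic(err) // the honest case must pass
	}
	tampered := map[string][]byte{
		"wu-ftpd.tar.gz": pkgs["wu-ftpd.tar.gz"],
		"bind.tar.gz":    []byte("constructed package body: bind, trojaned"),
	}
	_, tamperErr = Verify(vendorPub, m, sig, tampered)
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := BuildManifest(tampered)
	_, forgedErr = Verify(vendorPub, forged, ed25519.Sign(attackerPriv, forged.Encode()), tampered)
	return installed, tamperErr, forgedErr
}

func main() {
	fmt.Println(Scenario())
}
```

One thing the post leaves implicit: a compromised mirror can still withhold updates or keep serving an old, validly signed manifest, so a real client also wants a date or version inside the signed data and a rule for how stale it may be before it complains.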
Nimda was sort of a best practices of Virus/Worm writing, because it had the behavior of both.
It would infect executables, or web files. It could spread by the infected executables on shares, or by people browsing to infected web servers using old versions of IE. It also tried to scan the network looking for vulnerable IIS servers, as well as trying to email itself the same way Sircam did.(i.e. it included an SMTP piece)
The point is that it was written to try multiple vectors of attack, such that its chances of finding a vulnerable machine were much higher.
The only thing that slowed it was that the Code Red incident had caused many, if not most, people to install the latest patches on their machines.
Another example, the sadmind worm affected both IIS and Solaris boxes.
I guess the point is, try to build diversity and the world just builds a better worm/virus writer.
P.S. The cluefulness of the general Linux administrator is actually pretty low as it tends to be primarily popular with inexperienced college students.
It also doesn't take much work at all to effectively admin an NT box. But most NT admins also have other priorities put upon them by their corporate bureaucracies.
I guess disconnecting every Unix box from the net would solve the problem in that very few Unix boxes would get worms. Of course, not having a working internet anymore could be a bit of a handicap, sort of takes the sting out of not being able to connect to it...
Got time? Spend some of it coding or testing
I've seen several reactive programs on FreshMeat which respond in various ways to attacks like CodeRed (finding and emailing the administrator is typical), and similar PHP packages released through various sites.
I've also seen several which fight back (note the lack of URLs at this point) and one system which uses spare machines to absorb TCP connects from infected hosts and keep them alive to gobble up sockets on the attacker and lock down the attacking threads.
It wouldn't be a big step from there to send back a payload which locks down the attacker, which then waits to be attacked so it can respond in turn.
Got time? Spend some of it coding or testing
Exactly! And through such time-honored methods, a real sysadmin would GET his test boxes! At the very least, a real sysadmin would put all of the pros and cons into an email to somebody with Authority, and get a cya email back. :-)
Vintage computer games and RPG books available. Email me if you're interested.
Tens of thousands of people that work on Linux? Right. You can name lots of shitty closed source programs as well as open source ones. The original contention was that open source is somehow naturally superior to closed source. That's like saying your product is 100% more effective than sugar pill.
I'm a loner Dottie, a Rebel.
I wasn't suggesting corporate development schemes were the greatest, just discounting the suggestion that open source is naturally superior to closed source development. Just because it is your personal favourite doesn't mean it's better. By the same token you can compare Japanese and American manufactured cars and spout off that one is inherently better than another. The fact that you and another dude had the same kneejerk reaction just makes me sad. Now I realize how many people sit back and believe the FUD open source developers use against the FUD of closed source developers. Pot, kettle, black.
I'm a loner Dottie, a Rebel.