regularly scheduled paranoia. Was: Re: Anti Virus

foodog plug-discuss@lists.plug.phoenix.az.us
Thu, 07 Mar 2002 15:37:32 -0700


Nancy Sollars wrote:
...
> I'd like to see proof-of-concept mechanics to see how stealthing would work and
> how the apparent Apache virus affects all other binaries, because it must run as
> root to be able to do what is claimed.

For stealthing, see innumerable rootkits: adore, t0rn or kis, for
example.  I recall reading about LKM-like behavior without loading
modules, probably in one of the last two releases of Phrack, but I'm
not positive (will try to locate).  As for running as root, that's the
joy of the script kiddie vector: tell them it requires root and they'll
oblige.  When they break into another system and import their
tools'n'toys they'll also run as root.

Suppose nmap is trojaned:
$ nmap -sS -O kickme.dim.org

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
You requested a scan type which requires r00t privileges, and you do not
have them.

QUITTING!

> Since each Linux system differs quite substantially from the others, the chance of
> creating a virus that would be effective is practically zero ... proof of concept in
> Europe showed that getting a virus into some system setups is not a problem,
> but when you start patching the kernel and having your daemons running as
> users and not root, forget it.

Li0n showed that even shoddy code specifically aimed at only one
distribution can spread.  IIRC, there wasn't any technical reason to
restrict it to Red Hat systems.  I agree that Linux users are
*potentially* in a much better position to defend, I just haven't run
into many people with an appropriate level of paranoia.

It seems like targeting ELF executables is a good choice for a virus
author.  I await the verdict of people crafty with disassemblers to
decide how portable this one is.  It would make sense to package such a
virus with a working exploit if your goal is to spread far and wide.

Steve
> 
> Nige
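On the ELF-virus question raised above, here is an added example (not from Steve's or Nancy's messages, and not code from any rootkit or worm they name) of the simplest static check an analyst would run on a suspect binary before reaching for a disassembler: parse the ELF64 program headers and ask where the entry point lands. A crude infector that appends its body to the file and patches e_entry leaves the entry point in a late, often writable+executable, segment. The two sample images, the BASE load address and the byte strings CODE and PAYLOAD are constructed here for the demonstration; the header layouts, type and flag values are from the ELF specification.

```python
import struct

# ELF64 constants (values from the System V ABI; little-endian x86-64 assumed)
ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr
PHDR_FMT = "<IIQQQQQQ"         # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64 bytes
PHDR_SIZE = struct.calcsize(PHDR_FMT)  # 56 bytes
BASE = 0x400000                         # load address of the constructed samples


def parse_elf64(data):
    """Return (e_entry, list of program-header dicts) for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    segments = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append({"type": p[0], "flags": p[1], "offset": p[2],
                         "vaddr": p[3], "filesz": p[5], "memsz": p[6]})
    return e_entry, segments


def entry_point_findings(data):
    """Heuristics for appended-code infection: where does the entry point land?

    Returns a list of human-readable findings; an empty list means nothing odd.
    """
    entry, segments = parse_elf64(data)
    loads = [s for s in segments if s["type"] == PT_LOAD]
    exec_loads = [s for s in loads if s["flags"] & PF_X]
    home = [s for s in loads if s["vaddr"] <= entry < s["vaddr"] + s["memsz"]]
    if not home:
        return ["entry point lies outside every PT_LOAD segment"]
    seg = home[0]
    findings = []
    if not seg["flags"] & PF_X:
        findings.append("entry point lies in a non-executable segment")
    if seg["flags"] & PF_W and seg["flags"] & PF_X:
        findings.append("entry point lies in a writable+executable segment")
    if exec_loads and seg is not exec_loads[0]:
        findings.append("entry point is not in the first executable segment "
                        "(typical of code appended by an infector)")
    return findings


def build_elf64(entry, segments):
    """Build a minimal ELF64 image: header, program headers, then one PT_LOAD body per (flags, code)."""
    phnum = len(segments)
    off = EHDR_SIZE + PHDR_SIZE * phnum
    phdrs, bodies = b"", b""
    for flags, code in segments:
        phdrs += struct.pack(PHDR_FMT, PT_LOAD, flags, off, BASE + off, BASE + off,
                             len(code), len(code), 0x1000)
        bodies += code
        off += len(code)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, entry, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, phnum, 0, 0, 0)  # ET_EXEC, EM_X86_64
    return ehdr + phdrs + bodies


CODE = b"\x48\x31\xc0\xc3"          # xor rax,rax ; ret  (constructed stand-in for .text)
PAYLOAD = b"\x90" * 8 + b"\xc3"     # constructed stand-in for an appended virus body


def clean_sample():
    """One R+X segment, entry at its start: what a normal binary looks like here."""
    return build_elf64(BASE + EHDR_SIZE + PHDR_SIZE, [(PF_R | PF_X, CODE)])


def infected_sample():
    """Same code plus an appended RWX segment, with e_entry patched to point into it."""
    appended_off = EHDR_SIZE + 2 * PHDR_SIZE + len(CODE)
    return build_elf64(BASE + appended_off,
                       [(PF_R | PF_X, CODE), (PF_R | PF_W | PF_X, PAYLOAD)])


if __name__ == "__main__":
    for name, sample in (("clean", clean_sample()), ("infected", infected_sample())):
        print(name, entry_point_findings(sample) or ["no findings"])
```

Two caveats match the message's own hedging. An infector that keeps the original e_entry and overwrites the first instructions of the real code, or that simply grows the first executable segment, passes every check here, so this is a triage filter rather than a verdict. And for the trojaned-nmap case in the message, a package-manager checksum or an out-of-band hash baseline of the installed binaries is the check that actually settles it, since no header heuristic distinguishes a rebuilt binary from a legitimate one.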