regularly scheduled paranoia. Was: Re: Anti Virus

Nancy Sollars plug-discuss@lists.plug.phoenix.az.us
Fri, 8 Mar 2002 01:31:47 -0700


----- Original Message -----
From: "foodog" <foodog@uswest.net>
To: <plug-discuss@lists.plug.phoenix.az.us>
Sent: Thursday, March 07, 2002 3:37 PM
Subject: Re: regularly scheduled paranoia. Was: Re: Anti Virus


> Nancy Sollars wrote:
> ...
> > I'd like to see proof of concept mechanics to see how stealthing would work &
> > how the apparent apache viri affects all other binaries cuz it must run as
> > root to be able to do what is claimed.
>
> For stealthing see innumerable rootkits, adore, t0rn or kis for
> example.  I recall reading about lkm-like behavior without loading
> modules - probably in one of the last two releases of Phrack, but I'm
> not positive (will try to locate).  As for running as root, that's the
> joy of the script kiddie vector: tell them it requires root and they'll
> oblige.  When they break into another system and import their
> tools'n'toys they'll also run as root.
>
> Suppose nmap is trojaned:
> $ nmap -sS -O kickme.dim.org
>
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> You requested a scan type which requires r00t privileges, and you do not
> have them.
>
> QUITTING!
>
> > Since each linux system differs quite substantially from the other creating
> > a viri that would be effective is practically zero ... proof of concept in
> > europe showed that getting a viri in to some system setups is not a problem
> > but when you start patching the kernel and having your daemons running as
> > users and not root forget it..
>
> Li0n showed that even shoddy code specifically aimed at only one
> distribution can spread.  IIRC, there wasn't any technical reason to
> restrict it to Redhat systems.  I agree that Linux users are
> *potentially* in a much better position to defend, I just haven't run
> into many people with an appropriate level of paranoia.
>
> It seems like targeting elf executables is a good choice for a virus
> author.  I await the verdict of people crafty with disassemblers to
> decide how portable this one is.  It would make sense to package such a
> virus with a working exploit if your goal is to spread far and wide.
>

agreed on the above totally ...

I guess having the openwall and hap patches in one's kernel and building all
binaries using a bounds attack fixed gcc is classed as paranoia..

Paranoid as ever 3 full glibc's and gcc's Nige ...

> Steve
> >
> > Nige
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
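As an added defender-side example (not from the thread or any of its posters): ELF-infecting viruses of the kind Steve mentions usually redirect the file's entry point into code they append, so one cheap integrity heuristic is to check that e_entry lands inside an executable PT_LOAD segment. The minimal ELF64 image below is constructed inline for the demonstration; the parser only handles little-endian ELF64.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PF_X, PF_R = 1, 0x1, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header (64 bytes, little-endian)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)

def parse_elf64(data: bytes):
    """Return (e_entry, [(p_type, p_flags, p_vaddr, p_memsz), ...]) or raise ValueError."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:            # EI_CLASS=ELFCLASS64, EI_DATA=ELFDATA2LSB
        raise ValueError("only little-endian ELF64 handled here")
    (_ident, _type, _machine, _ver, entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, *_rest) = EHDR.unpack_from(data, 0)
    if phentsize != PHDR.size or phoff + phnum * PHDR.size > len(data):
        raise ValueError("program header table is malformed or truncated")
    segs = []
    for i in range(phnum):
        p_type, p_flags, _off, vaddr, _paddr, _filesz, memsz, _align = \
            PHDR.unpack_from(data, phoff + i * PHDR.size)
        segs.append((p_type, p_flags, vaddr, memsz))
    return entry, segs

def entry_point_suspicious(data: bytes) -> bool:
    """True when e_entry falls outside every executable PT_LOAD segment (crude infection heuristic)."""
    entry, segs = parse_elf64(data)
    for p_type, p_flags, vaddr, memsz in segs:
        if p_type == PT_LOAD and p_flags & PF_X and vaddr <= entry < vaddr + memsz:
            return False
    return True

def build_sample(entry: int) -> bytes:
    """Constructed sample: ELF64 image with one R+X PT_LOAD segment covering 0x400000..0x401000."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # class, data, version, osabi, abiver, pad
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, entry, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 64, 0, 0)       # ET_EXEC, EM_X86_64, one phdr
    phdr = PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    return ehdr + phdr

if __name__ == "__main__":
    print("clean entry:", entry_point_suspicious(build_sample(0x400080)))     # False
    print("hijacked entry:", entry_point_suspicious(build_sample(0x7F0000)))  # True
```

A passing check proves little on its own: an infector can overwrite code inside an existing executable segment without touching e_entry, so this belongs alongside a hash baseline taken from the package manager, not in place of one.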