LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To: newton@atdot.dotat.org
Date: Tue, 30 Mar 1999 14:20:58 +0930
Re: Viruses
Mark,
About them viruses under linux (and other unixes), obviously
any multi-user machine with severely limited powers for
ordinary users will not be as vulnerable as an old-style
Mac or Atari ST or MS/DOS machine where the person in front
of the monitor was always "root".
But if an invader can "get root", then there are even more
places to hide than in the single-user machines, in a sense.
For instance, one could hide in a kernel module executable,
or in the kernel, or in any of the zillions of scripts that
get run by root on start-up or at other times.
I.e. the only thing that makes a unix system safer than
a single-user machine is the root password -- or a bug
in a binary which is run as root.
If this obstacle is overcome (as in the 1989 March?
internet worm), then anything can be done.
In my opinion, a worm is a million times worse than a virus.
It can get into vast numbers of machines very quickly
over the net.
So it is no comfort at all to know that it is "only a worm".
There was a theory at the time of the internet worm
that the creators were planning to wipe out everyone's disks.
This is supported by the fact that the worm vector programs
had multiple slots for bringing in more software, indicating
that there was a plan to add more processes to the existing
set (the worm was several processes, not just one).
This could very likely have resulted in wiping all machines
in the world of the two vulnerable OS types.
But it seems that the worm may have escaped during testing.
That was real luck! Because when it escaped it was
relatively benign, and had some bugs which caused
it to be easy to detect.
Now the next time someone finds a "way in" over the net,
the same thing could happen all over again, but this time
they might not release it until it's fully developed and tested.
------------
But to answer your question, nope, the invaders have not broken
into my machines yet.
But there's an eerie silence out there.....
Cheers,
Alan Kennington.
PS. Today, it seemed like some root nameservers crashed,
and www.internic.net crashed apparently, and some other
weird things happened on the net.