MyDoom (was: Test)

bscott at ntisys.com
Tue Feb 3 20:33:29 EST 2004


On Mon, 2 Feb 2004, at 1:45pm, michael.odonnell at comcast.net wrote:
>>>  This is going to happen; it is only a question of when.
>
> Although I (think I) get Ben's general point it seems to me that there
> haven't yet been enough VPLs ported to Linux to facilitate the
> creation/spread of any truly virulent malware.

  Well, it depends on how you define "truly virulent".

  MyDoom is not a virus; it is a simple worm.  It does not exploit any
exposures in particular software (such as Microsoft Outlook); it depends
entirely on the user (1) saving the attached ZIP file, (2) extracting said
ZIP file, and (3) running the extracted executable.  Even on a very "open"
system, this would still require several mouse clicks.

  Point being: The security flaws being attacked by MyDoom are in humans,
not in software.  Blaming a "Virus Propagation Language" is really not
accurate.

> Isn't it true that most of the malware that's plaguing the Net either
> relies heavily on all the mis-features (like automatic blind execution of
> content) added to the various Microsoft applications in the name of
> "convenience" ...

  Actually, no.  While there certainly is malware in the wild that does
target specific exposures like that, a good deal does not.  MyDoom depends
entirely on user stupidity.  Blaster attacked a buffer overflow (FOSS is
hardly immune to those).  Ditto Slammer.  There really isn't anything
inherently worse or better about Microsoft vs FOSS in these.

  While I believe FOSS *does* have advantages over Microsoft in the security
area, none of the recent major malware has attacked anything where those
advantages mattered.  Your typical malware of late does one or more of the
following:

  (1) Exploits user stupidity, such as a social engineering attack to get
      the user to run the malware ("Trojan horse" distribution).
  (2) Exploits coding errors (like buffer overflows -- not design flaws
      like Outlook) to inject new program code into a system.
  (3) Exploits poor security defenses (such as no firewall, weak or
      empty passwords, etc.).
  (4) Exploits unnecessary privileges held by users (e.g., users who do
      everything with "Administrator" or "root" rights).

  All of those are equally possible under Linux.  Your average Linux system,
today, is less vulnerable to these attacks, but that is because your average
Linux system operator is smart enough to defend against them.

> ... or else they exploit vulnerabilities on a scale that's only possible as
> a result of the Microsoft monoculture?

  As I said, I'm pretty sure that a Unix shell script would be pretty
portable.  Do a global-replace of Microsoft Windows with any recent Linux or
BSD distribution, and I'm fairly sure the MyDoom-for-Linux worm would work
just as well as the MyDoom-for-Windows worm did.

> I think there's still too much variability in the non-Microsoft parts of
> the world to make feasible the construction of malware.

  That makes a difference for attacking things like buffer overflow attacks
(although the Lion worm, which attacked a specific release of Red Hat Linux,
didn't have much trouble finding vulnerable machines).

  However, for anything that relies on "Trojan horse" distribution (which
includes classic "worm" and "virus" malware), using a script language like
Perl, Python, or even the Unix shell, should be fairly portable.

> ... we don't yet have sufficient infrastructure for any virulent examples.

  I think the biggest thing going for Linux right now is that the average
Linux system tends to be a lot better managed than the average Microsoft
system.  Linux doesn't have the hordes of clueless that Microsoft does.
That means a Linux system is more likely to be behind a firewall, kept
current with updates, used with unprivileged accounts for "user" tasks,
and so on.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
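
[Editor's note: the following is an added example, not part of Ben's post
or of the thread.]  The delivery vector described above (a ZIP attachment
carrying a Windows executable, which the user must save, extract and run)
is exactly what a mail gateway can screen for before a human ever gets the
chance to click.  The check below parses a raw message, opens each ZIP
attachment and flags members that either carry an executable extension
(including double extensions such as "document.txt.exe") or start with the
"MZ" header of a Windows executable under an innocent-looking name.  The
extension list, the sample messages and the sender/recipient addresses are
constructed for the example and are assumptions, not data from the post.

```python
"""Gateway check for the MyDoom-style vector: a ZIP attachment that
contains a Windows executable.  Sample messages are constructed inline;
nothing here is taken from the original mailing-list post."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run on double-click.  Assumed list for the
# example; a real gateway would maintain a fuller one.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# First two bytes of a DOS/PE executable image.
MZ_MAGIC = b"MZ"


def is_executable_name(name):
    """True if the final extension is one Windows would execute."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTS)


def inspect_zip(data):
    """Return (member, reason) pairs for suspicious members of a ZIP blob."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reason = None
                if is_executable_name(info.filename):
                    reason = "executable extension"
                else:
                    # Name looks harmless: check the content, since the
                    # user may be told to rename the file before running it.
                    with zf.open(info) as member:
                        head = member.read(2)
                    if head == MZ_MAGIC:
                        reason = "MZ header under non-executable name"
                if reason:
                    findings.append((info.filename, reason))
    except zipfile.BadZipFile:
        # A corrupt or truncated archive is itself worth flagging.
        findings.append(("<archive>", "not a valid ZIP"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message; return (attachment, member, reason) hits."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not just the declared filename.
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            for member, reason in inspect_zip(payload):
                results.append((name, member, reason))
        elif is_executable_name(name) or payload[:2] == MZ_MAGIC:
            results.append((name, None, "bare executable attachment"))
    return results


def build_sample_message(zip_members):
    """Construct a test message (constructed data) with one ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in zip_members.items():
            zf.writestr(member_name, content)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # assumed address
    msg["To"] = "user@example.com"          # assumed address
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


# Constructed samples: one carrying a double-extension executable and a
# renamed executable, one carrying only plain data files.
MALICIOUS = build_sample_message({
    "document.txt.exe": MZ_MAGIC + b"\x00" * 62,
    "photo.jpg": MZ_MAGIC + b"\x00" * 62,
    "readme.txt": b"hello",
})
BENIGN = build_sample_message({
    "notes.txt": b"just text",
    "report.csv": b"a,b\n1,2\n",
})

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The content check matters as much as the extension check: the social
engineering text in these worms routinely tells the recipient to rename or
"repair" the file, so a gateway that only looks at names lets the renamed
binary through.  Note also that this screens the delivery vector, not the
worm; it says nothing about what the user does with a file that arrives by
some other route.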

More information about the gnhlug-discuss mailing list