Re: [SAGE] virus threat/software on Unix/Linux
Woah, this got long. But I won't rescind it.
Quoting Mario Obejas (obejas@phylum.esn.us.ray.com):
> Our community tends to hate this discussion but ....
>
> Surely I'm not the only support person who's recently been asked about the
> subject line. Management is asking why we don't run anti-virus software on our
> Unix boxen.
>
> My viewpoint:
> Management sees Blaster/SoBig damage and asks what can we do to prevent this.
> The question is reasonable. Windows world here uses Symantec Anti-Virus for
> continuous protection. Management view is that there ought to be something similar
> on Unix.
Every machine that can get viruses needs to/must/has to run some software
that runs on anything that's coming to the machine (via mail, network, floppy,
USB attached disk, firewire disk, etc).
It DOES make sense to protect (outlook^*) users at the mail gateway.
And there are several commercial and non-commercial tools out there
to do that.
(I say Outlook specifically because Outlook is almost unfailing in
its role as a virus runtime environment, its ability for RUNNING
attachments by default, for FINDING attachments in clearly broken
MIME - even to reassembling parts, and MS's use of proprietary (and
undocumented) TNEF attachments that scanners have a tough time seeing
as attachments). There are AT LEAST 7 different versions and behaviours
of Outlook which makes catching things that much more work. Declare
Outlook a security risk and ban it (as at least 1 Fortune 100 I know of
has done) and you reduce your risk profile.)
Back to scanning:
There are many AV scanners that run at gateways - checking mail, and
http acquired data that can/should be run.
Notable is the SPEED with which we've seen things get out.
AV companies have to GET the worm/virus, figure out its identifiers
and get that into their data files. Then administrators have to
GET these data onto their systems and ideally the users' systems.
When something hits the great homogeneity of today's Internet, with
millions of computers sitting wide open to links as fast as we wanted
our managers to buy us 10 years ago - we see infections of HUNDREDS of
thousands of machines in just a few hours.
As far as viruses and Unix:
Well, it's a different game.
Users can't write to disk blocks (boot blocks, etc).
Users can't write to most of the machine.
Our MUAs don't execute files coming in.
Things like MacOS X can have a default user and make it easy for
users who are admins to do things as themselves.
Dragging an app to /Users/local/ requires no extra auth.
This is done because / and /Users (and lots of other / dirs) are
group admin and are WRITABLE by admin.
This means an evil program running as a user on a Mac
*can* write in some nasty places. Writing over perhaps an app
that root will run later. Which is an entry point.
It's just a matter of time.
That said, MS gets credit for a virus that worked on MacOS X (a Unix)
in its Entourage program.
Unix doesn't have the history of worms/viruses (dozens of new ones
come out each month for Windows).
> I'm not aware of active scanning products for Unix/Linux specific viruses.
You can't scan for things that aren't really identified.
I've recovered systems that have been broken into (I get
called AFTERwards too often).
We have clear separation of user data and system binaries and settings.
I can replace ALL of /usr, /bin and /sbin and glance through /etc
(ideally I check it against m4/CVS/tripwire/backups).
Twistedly, I mount /home (ok, I'm lazy /u short for /users)
nosuid, noexec, nodev.
I also mount /usr readonly and on production machines I mount /
readonly (with /dev on an MFS). Put a virus on that!
I just wish Solaris let me do this kinda thing.
Ok, in that light, have you ever mounted ANY part of
a windows system on a read only file system?
Apps and the OS insist on writing into their areas.
What's changed in your C:\Windows\ in the past 2 days?
Why?
I don't know either.
What's changed in my /etc/ in the last month? I can tell you in detail.
Being sort of security compulsive, I build from source.
Being sort of security compulsive, I like the gauntlet that OpenBSD
throws down (though the way they throw it can be annoying).
Buffer overflows are the bane of C code and of all machines that
aren't totally isolated.
Many chips (not x86) support separation of data and code (musta
gone to harvard :). ELF has options that I've not seen anyone but
them use:
Marking a page either executable or writable. W(xor)X or W^X.
Write over an input variable that doesn't check and throw your
nasty code on it at the end and, er... it cores on you.
NetBSD and OpenBSD have systrace. More security at the OS level.
It would be nice if root didn't exist as it does. VMS had some
things worth emulating (THIS user can give/take anyone privs, but
can't do anything else while THIS user can create sockets, etc).
So go through the exercise of looking just at what Win viruses do,
how they get in and see where Unix addresses some of those
vulnerabilities.
Unfo, NT was based on a lot of NT and had the potential to really
address security. Not only is it not programmed in from the start,
it barely seems an afterthought.
Some of the best advertising possible for Linux/BSD/MacOS/Unix (or
even SCO!) comes in the form of 2 HUGE attacks on Windows in 2
weeks and 3 CERTs against IE and Windows in 3 weeks.
I'm waiting futilely for the US Gov't (or local ones) or Fortune
1000 companies or hell, a company of 500 coming out and loudly
saying: "we can't afford Windows as it is. We're not buying
upgrades,
we're redeploying machines to those who NEED Windows and doing
training on GNOME/KDE for our other users."
I want to see SOME large org take a leadership position that holds
MS responsible for BILLIONS of dollars of cleanup and recovery from
these breakins. I make my own futile point of not buying off the
web when I know they are using IIS. I call their 800 number to
order. And toss a note. Shouting in the emptiness, I'm sure.
Just like my asking the DSL folks where their IPv6 gateway is.
But it's appalling that so many companies are willing to be
hit and cursed at and spat upon by a vendor.
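Added example, not from the post or its author: a POSIX shell script that audits a mount table against the kind of mount policy described above (the user filesystem, /u or /home, mounted nosuid,noexec,nodev, and /usr read-only) and reports every required option that is missing. The policy table, the two sample mount tables and the function names are constructed for this example, not taken from the post.

```shell
#!/bin/sh
# Added example: audit a mount table against a hardening policy.
# policy_for and the sample tables below are hypothetical, constructed
# for illustration; adjust the policy to your own filesystem layout.

# policy_for MOUNTPOINT -> space-separated options that must be present
policy_for() {
    case "$1" in
        /u|/home)  echo "nosuid noexec nodev" ;;
        /usr)      echo "ro" ;;
        /var|/tmp) echo "nosuid nodev" ;;
        *)         echo "" ;;
    esac
}

# has_opt OPTIONS OPT -> exit 0 if OPT appears in comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# list_violations: reads lines in /proc/mounts (fstab-style) format on stdin,
# "device mountpoint fstype options freq passno", and prints one VIOLATION
# line per required option that is missing. Always exits 0.
list_violations() {
    while read -r dev mp fstype opts _rest; do
        case "$mp" in "") continue ;; esac
        for want in $(policy_for "$mp"); do
            if ! has_opt "$opts" "$want"; then
                echo "VIOLATION: $mp ($dev, $fstype) lacks '$want'; has: $opts"
            fi
        done
    done
    return 0
}

# count_violations TABLE -> prints the number of violations in TABLE
count_violations() {
    printf '%s\n' "$1" | list_violations | awk '/^VIOLATION/ { n++ } END { print n + 0 }'
}

# Constructed sample: writable /usr, and a user filesystem that still
# honours setuid bits and allows execution
WEAK_MOUNTS='/dev/sd0a / ffs rw 0 0
/dev/sd0d /usr ffs rw 0 0
/dev/sd0e /u ffs rw,nodev 0 0
/dev/sd0f /var ffs rw,nosuid,nodev 0 0
mfs:24 /dev mfs rw,nosuid 0 0'

# Constructed sample: the same box laid out the way the post describes
HARDENED_MOUNTS='/dev/sd0a / ffs ro 0 0
/dev/sd0d /usr ffs ro 0 0
/dev/sd0e /u ffs rw,nosuid,noexec,nodev 0 0
/dev/sd0f /var ffs rw,nosuid,nodev 0 0
mfs:24 /dev mfs rw,nosuid 0 0'

printf '%s\n' "$WEAK_MOUNTS" | list_violations
echo "weak table: $(count_violations "$WEAK_MOUNTS") violation(s)"
echo "hardened table: $(count_violations "$HARDENED_MOUNTS") violation(s)"
# On a live Linux host: list_violations < /proc/mounts
```

The weak table yields three findings (/usr is writable, /u lacks nosuid and noexec) and the hardened table yields none. On Linux the live table is `/proc/mounts`; on OpenBSD and NetBSD, `mount -p` prints fstab-style lines with the same field order, so its output can be piped into `list_violations` the same way. A read-only / with /dev on an MFS, as the post does on production machines, passes the policy unchanged because only the mount points listed in `policy_for` are checked.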