Hi all
I'm using Xubuntu as a desktop for web surfing and emails etc. I'm connected to the Net with a wired router (with hardware firewall) and using FireStarter software firewall.
Should I be using anti-virus & spyware for Linux as well?
The comp is a dual-booting machine with XP Pro with AVG and ZoneAlarm. It's a P4 2GHz 512MB RAM with onboard graphics so could handle some realtime monitoring without harming performance.
Cheers
Paul
On Mon, 12 May 2008 15:44:43 +0100 (BST) paul paulcamel500@yahoo.co.uk wrote:
Hi all
I'm using Xubuntu as a desktop for web surfing and emails etc. I'm connected to the Net with a wired router (with hardware firewall) and using FireStarter software firewall.
Should I be using anti-virus & spyware for Linux as well?
The comp is a dual-booting machine with XP Pro with AVG and ZoneAlarm. It's a P4 2GHz 512MB RAM with onboard graphics so could handle some realtime monitoring without harming performance.
Cheers
Paul
Viruses that work with Linux are exceptionally rare, and even then to do any serious damage they need the root user password.
I do however have clam antivirus linked into Claws-Mail (my web client). Every now and then I will run a file system scan with it as well.
Sam
and even then to do any serious damage they need the root user password.
Not strictly true unless you're talking about servers - yes, damage to the system itself is restricted but most desktop users wouldn't care as much about those as to the personal files in their home directory - which would, of course, be theoretically vulnerable.
But, as you say, linux viruses are exceptionally rare, so it's not a big worry ...
Peter.
On Sun, 2008-05-18 at 13:51 +0100, samwise wrote:
and even then to do any serious damage they need the root user password.
Not strictly true unless you're talking about servers - yes, damage to the system itself is restricted but most desktop users wouldn't care as much about those as to the personal files in their home directory - which would, of course, be theoretically vulnerable.
Has anyone seen the things on Windows that change the DNS name servers to some hosted in Russia, which work perfectly well for web browsing but, as well as providing a convenient log of the sites you are visiting, also replace the IP addresses of common banks, PayPal etc. with the IPs of phishing clones? Without root access on a correctly configured machine that wouldn't be possible.
Of course whether that is better or worse than nuking all your files depends on how careful you are when dealing with those sites and whether or not you have backups. But making you more vulnerable to phishing scams is certainly the more profitable of the two.
Also don't forget that with Root access any existing security on the machine can be more easily reconfigured/disabled.
On Fri, 16 May 2008, Sam Cater wrote:
Viruses that work with Linux are exceptionally rare, and even then to do any serious damage they need the root user password.
Surely malware would exploit some vulnerability in some software you have using a technique such as a buffer overflow attack, which might not require any root user password (i.e. you would not get a prompt to enter your root password)?
-Srdjan
Sam Cater wrote:
Viruses that work with Linux are exceptionally rare, and even then to do any serious damage they need the root user password.
On any single-user desktop machine, everything of any value is owned by that user. The fact that the malware will find it hard to install itself at a low level hidden from view is a useful consolation, but all the root-owned files that matter on my desktop are "backed-up" merely by the fact I can restore them from any Ubuntu 8.04 CD followed by an "apt-get upgrade". If I "only" lost the files that my user account has write access to, then I would be very upset and would be no worse off than facing a bare-metal re-install.
If I ran a "funny video" that arrived by email from a friend, and which showed something pretty, whilst emailing itself to everyone in my TBird address book and then deleting all the files accessible by my user, then I wouldn't be thinking I'd got off lightly. None of that is intrinsically impossible with Linux.
Maybe consumer distros like Ubuntu, when faced with a big hard disk to install on, should default to creating a large backup partition onto which /home is backed up regularly in the background (by root, so the backups can't be deleted by a user level program). Sure, allow it to be turned off, but as a default that would be very good in my view, and a better use of background CPU than search indexing or anti-virus scanning.
On Tue, 2008-05-20 at 10:45 +0100, Mark Rogers wrote:
Maybe consumer distros like Ubuntu, when faced with a big hard disk to install on, should default to creating a large backup partition onto which /home is backed up regularly in the background (by root, so the backups can't be deleted by a user level program). Sure, allow it to be turned off, but as a default that would be very good in my view, and a better use of background CPU than search indexing or anti-virus scanning.
A number of distros now provide an LVM option at install, some even default to it IIRC. One thing that might be a good solution would be regular snapshots of logical volumes?
Just my 2p.
Jim
On Tue, 2008-05-20 at 10:45 +0100, Mark Rogers wrote:
Maybe consumer distros like Ubuntu, when faced with a big hard disk to install on, should default to creating a large backup partition onto which /home is backed up regularly in the background (by root, so the backups can't be deleted by a user level program). Sure, allow it to be turned off, but as a default that would be very good in my view, and a better use of background CPU than search indexing or anti-virus scanning.
It's a theory but one that only protects against a subset of potential reasons why you have lost files. I think a better solution would be something put together with hotplug storage/rsync/snapshotting that detects when a removable drive of a reasonable size is plugged in and asks if it can use that drive to store snapshots of your homedir. It could remember the volume from the volid and only ask you once for each volume. Perhaps also pop up a reminder if it hasn't seen a drive to back up to for a while. Sort of a bit like Apple's time machine I guess.
In fact I would be surprised if someone out there isn't working on something to do exactly that.
I think (besides it not protecting against a dead disk or stolen machine) the problem with your suggestion is that new users who just click through the installer will be faced with only half their disk space being available and then be in a situation where the fix to resolve this is a fairly complicated and potentially dangerous (for a new user) dance of repartitioning to get a full size home dir.
Wayne Stallwood wrote:
I think (besides it not protecting against a dead disk or stolen machine)
I agree that there are lots of scenarios that this does not protect from, but in the context of recovering from malware it makes sense.
the problem with your suggestion is that new users who just click through the installer will be faced with only half their disk space being available and then be in a situation where the fix to resolve this is a fairly complicated and potentially dangerous (for a new user) dance of repartitioning to get a full size home dir.
I'd make it obvious what the options are on installation, eg two radio buttons on the install, with the first one (selected) "Use 50% of disk for backing up your photos, music, videos and configuration in case of accidental loss or damage" and a second one "I'll sort out my own backups or don't have anything important, give me all my disk space".
Users potentially already get confused by the loss of disk space to swap and /boot. Most never get close to using all their disk space and aside from wondering why half their disk is missing (which can be explained) will never care. Ideally the backup partition would be visible in Places -> Computer, showing how full it is, and opening it would start the backup recovery software. I'm thinking on the fly here, there's probably bad things with what I'm suggesting, but I just like the basic principle that backups are the default not an extra. Off-site backup via Internet, or offline to (eg) USB drive, would be an easy upgrade once the data is at least backed up somewhere.
On Tuesday 20 May 2008 10:45:42 Mark Rogers wrote:
If I "only" lost the files that my user account has write access to, then I would be very upset and would be no worse off than facing a bare-metal re-install.
Yes, executables and libraries are easily recoverable from installation media/network repositories. Losing customised configuration files (from /etc etc.) would be slightly annoying.
Maybe consumer distros like Ubuntu, when faced with a big hard disk to install on, should default to creating a large backup partition onto which /home is backed up regularly in the background (by root, so the backups can't be deleted by a user level program). Sure, allow it to be turned off, but as a default that would be very good in my view, and a better use of background CPU than search indexing or anti-virus scanning.
There is Mondo http://www.mondorescue.org/ which is in Debian (and Ubuntu universe). It creates backups as bootable images and can store them on various media including HD partitions. A cron job running its archive tool would be feasible (though note: http://www.mondorescue.org/docs/mondorescue-howto.html#BACKUP-CRON-PROBLEM). Ubuntu could be set up with such a cron job, a spare HD partition for the Mondo image, and a GRUB boot option for booting from it. Maybe it would also need a GTK config tool. I wonder how well it would handle things like efficiency (maybe it could be incremental?) and interruptions (user switches his computer off while it's backing up because he neither knows nor cares).
Cheers, Richard
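The mechanism behind what Mark proposes (a root-run background copy of /home that user-level programs cannot delete), the snapshots Jim and Wayne mention, and the two practical worries Richard raises (incremental cost and a user switching the machine off mid-backup), as one added shell example. This is not code from the thread, from Ubuntu or from Mondo; the function names, the stamp format and the paths /home/paul and /backup/paul in the usage comment are this example's own choices. It keeps to POSIX tools so the hard-link trick is visible; in practice rsync --link-dest does the same job faster.

```shell
#!/bin/sh
# Added example: hard-linked snapshots of a home directory into a separate,
# root-owned backup tree (not part of the thread or any distro's tooling).
set -eu

# latest_snapshot DEST: print the newest completed snapshot directory, if any.
# Stamps are YYYYMMDD-HHMMSS, so the shell's sorted glob yields the newest last.
latest_snapshot() {
    prev=""
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] && prev=$d
    done
    printf '%s\n' "$prev"
}

# snapshot_home SRC DEST [STAMP]: copy SRC into DEST/STAMP and print that path.
# Files unchanged since the previous snapshot are hard-linked to it, so a
# snapshot costs only the bytes that changed (changed files are always fresh
# copies, never edited in place, so earlier snapshots stay intact). The copy
# is built under DEST/.inprogress and renamed into place only when complete,
# so an interrupted run never leaves a partial tree that looks like a good
# backup; the next run discards the leftovers and starts over.
snapshot_home() {
    src=$1
    dest=$2
    stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    work="$dest/.inprogress"

    # The backup tree is owned by whoever runs this (root, from cron) and is
    # not readable or writable by anyone else, so a user-level program cannot
    # delete or tamper with earlier snapshots.
    mkdir -p "$dest"
    chmod 700 "$dest"
    rm -rf "$work"
    mkdir "$work"

    prev=$(latest_snapshot "$dest")
    (
        cd "$src"
        find . -type d | while IFS= read -r d; do
            mkdir -p "$work/$d"
        done
        find . -type f | while IFS= read -r f; do
            if [ -n "$prev" ] && [ -f "$prev/$f" ] && cmp -s "$f" "$prev/$f"; then
                ln "$prev/$f" "$work/$f"     # unchanged: share the blocks
            else
                cp -p "$f" "$work/$f"        # new or modified: fresh copy
            fi
        done
    )
    mv "$work" "$dest/$stamp"
    printf '%s\n' "$dest/$stamp"
}

# Invoked directly, e.g. from a root cron job (hypothetical paths):
#   snapshot_home.sh /home/paul /backup/paul
if [ $# -eq 2 ]; then
    snapshot_home "$1" "$2"
fi
```

Because every snapshot is a complete directory tree, recovery is a plain copy back from DEST/<stamp>; no special tool is needed, which matters for exactly the users Mark has in mind. The 0700 backup directory only helps if the backup runs as root; run from a user's own crontab, the malware Mark describes could delete it along with everything else.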
2008/5/12 paul paulcamel500@yahoo.co.uk:
Should I be using anti-virus & spyware for Linux as well?
Need? Probably not, no.
However, if you get sent a word document with a macro virus whilst it won't affect you, you might inadvertently pass it on to other Windows users by accident, for example.
If you care enough about this unlikely threat, you could consider installing KlamAV [klamav.sourceforge.net] which is the only open source real-time AV scanner for Linux, as far as I'm aware. It's a front-end for ClamAV, which is usually used by email servers to make sure mail passing through is clean.
I don't believe there is a direct equivalent of anti-spyware or a personal application firewall for Linux, but you're unlikely to need them.
Peter.
Hi,
On Sat, 17 May 2008, samwise wrote:
2008/5/12 paul paulcamel500@yahoo.co.uk:
Should I be using anti-virus & spyware for Linux as well?
You want spyware for Linux?? :p
However, if you get sent a word document with a macro virus whilst it won't affect you, you might inadvertently pass it on to other Windows users by accident, for example.
What about Linux viruses? (http://en.wikipedia.org/wiki/Linux_Virus)
If you care enough about this unlikely threat, you could consider
Unlikely? How would you know that you were infected with a Linux virus if you don't have a Linux anti-virus?
But yes, clamav would be a good idea. It also means that if you were in Linux and you downloaded some programs for Windows, you'd feel safer.
I don't believe there is a direct equivalent of anti-spyware or a personal application firewall for Linux,
Tripwire/aide/chkrootkit/rkhunter to name just 4. There's also snort and all those that have strange names like SAINT (which might be SATAN now or vice versa). Just like anti-spyware tools in Windows allow you to detect malware (you'd hope), the tools just listed will help you do the same. Granted, I've never come across an integrated tool with a whizbang UI like the Windows equivalents - there may well be a F/OSS project that does just that.
As for personal app firewall, I think I read in the snort docs ages ago that you could configure it to drop routes to hosts that seemed to be attacking you, and the dropping would be automatic. I think you'd get an email notification about it too. Maybe some NIDS experts on here can confirm that.
but you're unlikely to need them.
Seriously, we need to stop this attitude that Linux is invincible. It isn't.
- Srdj.
Tripwire/aide/chkrootkit/rkhunter to name just 4. There's also snort and all those that have strange names like SAINT (which might be SATAN now or vice versa). Just like anti-spyware tools in Windows
You think those are desktop tools (let alone for new users)? How many of those (or KlamAV) do you currently run on your personal desktop today?
but you're unlikely to need them.
Seriously, we need to stop this attitude that Linux is invincible. It isn't.
If there's anything that annoys me more, it would be the impractical pedantry of the occasional zealot.
Peter.
On Sun, 18 May 2008, samwise wrote:
Tripwire/aide/chkrootkit/rkhunter to name just 4. There's also snort and all those that have strange names like SAINT (which might be SATAN now or vice versa). Just like anti-spyware tools in Windows
You think those are desktop tools (let alone for new users)? How many of those (or KlamAV) do you currently run on your personal desktop today?
I've got aide and chkrootkit running. Why do you ask?
but you're unlikely to need them.
Seriously, we need to stop this attitude that Linux is invincible. It isn't.
If there's anything that annoys me more, it would be the impractical pedantry of the occasional zealot.
Same here.
- Srdjan
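What aide and tripwire (the tools Srdjan lists and runs) actually do, and how they answer his earlier question of how you would notice an infection without a scanner: record a baseline of file digests and modes, then compare the live tree against it. The same check catches the resolver change Wayne describes earlier in the thread. This is an added shell example, not aide's or tripwire's code or manifest format; the function names and the tab-separated manifest layout are this example's own. It assumes sha256sum (GNU coreutils) or shasum is installed.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline and check in the spirit of
# aide/tripwire (not their code; manifest layout is this example's own).
set -eu

# digest FILE: SHA-256 of a file. Prefers GNU sha256sum, falls back to the
# perl shasum shipped on BSD/macOS. A CRC such as cksum would not do here:
# an attacker can craft a modified file with the same CRC.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# make_manifest DIR: one line per regular file under DIR, sorted by path:
#   <sha256>TAB<mode string>TAB<relative path>
# The mode string (from ls -l) catches a file made setuid or world-writable
# even when its content is unchanged.
make_manifest() {
    (
        cd "$1"
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            mode=$(ls -ld "$f" | cut -c1-10)
            printf '%s\t%s\t%s\n' "$(digest "$f")" "$mode" "$f"
        done
    )
}

# verify_manifest DIR MANIFEST: compare DIR against a stored manifest.
# Prints one line per difference (ADDED / CHANGED / REMOVED <path>) and
# returns 1 if there were any, 0 if the tree still matches the baseline.
verify_manifest() {
    dir=$1
    manifest=$2
    current=$(mktemp)
    make_manifest "$dir" > "$current"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$3] = $1 FS $2; next }
        {
            if (!($3 in base)) { print "ADDED\t" $3 }
            else if (base[$3] != $1 FS $2) { print "CHANGED\t" $3 }
            delete base[$3]
        }
        END { for (p in base) print "REMOVED\t" p }
    ' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Command-line use (hypothetical paths):
#   integrity.sh baseline /etc > /mnt/readonly/etc.manifest
#   integrity.sh check /etc /mnt/readonly/etc.manifest || logger 'integrity: /etc differs'
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    verify_manifest "$2" "$3" ;;
esac
```

The manifest is itself just a file, so it only proves anything if whatever changed the tree could not also rewrite it: take the baseline from a known-good state and keep it on read-only media or another host, which is the same advice aide's own documentation gives. Run as root from cron against /etc, /bin and the like, it reports the tampering Srdjan asks about without any virus signature at all, including a swapped nameserver line in /etc/resolv.conf.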
On Sun, 2008-05-18 at 02:07 +0100, Srdjan Todorovic wrote:
What about Linux viruses? (http://en.wikipedia.org/wiki/Linux_Virus)
What about them? How many of them have actually been seen in the wild outside test conditions? You do know that list is actually compiled from data taken from various AV solution providers.
Now if you read advice from people who don't have a business interest in selling you protection you will generally hear the same thing echoed again and again. If you get software from trusted repositories and are not using your machine as a mail gateway or samba server for windows machines then there are currently very few reasons to run local AV protection.
If you care enough about this unlikely threat, you could consider
Unlikely? How would you know that you were infected with a Linux virus if you dont have a Linux anti-virus?
The difference between Windows and Linux in this respect (at the moment), is that to get malware on linux takes either a lot of effort or a lot of stupidity, whereas on Windows it takes effort not to get infected. Although that said in the last 10 years I would say that I have on my own Windows machines had about 2 viruses and one bout of spyware. Even in those cases I am not so sure I was at the helm when they got infected.
But yes, clamav would be a good idea. It also means that if you were in Linux and you downloaded some programs for Windows, you'd feel safer.
I don't believe there is a direct equivalent of anti-spyware or a personal application firewall for Linux,
I haven't looked, but given that AVG and Avast have integrated anti-spyware into their Windows products, I wonder if they have done the same with their Linux products. Again though, at the moment unless you are trying to protect a Windows machine the other side of you or perhaps in a dual boot environment I don't really see the point.
As for personal app firewall, I think I read in the snort docs ages ago that you could configure it to drop routes to hosts that seemed to be attacking you, and the dropping would be automatic. I think you'd get an email notification about it too. Maybe some NIDS experts on here can confirm that.
It is also possible to configure iptables to drop based on the name of the binary, although this needs a nice pointy clicky gui to make it workable for most users. However personally I hate application level firewalls on desktop machines, even on Windows. The protection they offer is overstated anyway.
but you're unlikely to need them.
Seriously, we need to stop this attitude that Linux is invincible. It isn't.
Nobody is saying Linux is invincible, but everything you do with security is a cost (be that user time, computer time or money) vs actual threat level calculation. In my opinion currently unless you are trying to protect downstream Windows boxes that calculation for antivirus on Linux (or Macs for that matter) does not stack. The situation may change in the future as the Windows userbase shrinks and the target size of Linux and OSX increases however.
Wayne Stallwood ALUGlist@digimatic.co.uk wrote: [...]
Now if you read advice from people who don't have a business interest in selling you protection you will generally hear the same thing echoed again and again. If you get software from trusted repositories and are not using your machine as a mail gateway or samba server for windows machines then there are currently very few reasons to run local AV protection. [...]
I agree wholeheartedly with Wayne on this. Viruses are very rare on GNU/Linux systems, which I believe is due to the diversity of systems:-
"Diversity, then, works against viruses. If all the systems on the Arpanet ran Berkeley Unix, the virus would have disabled all fifty thousand of them. Instead, it infected only a couple thousand. Biological viruses are just as specialized: we can't catch the flu from dogs.
Bureaucrats and managers will forever urge us to standardize on a single type of system: 'Let's use only Sun workstations' or 'Only buy IBM systems.' Yet somehow our communities of computers are a diverse population - with Data General machines sitting next to Digital Vaxes; IBMs connected to Sonys. Like our neighbourhoods, electronic communities thrive through diversity."
-- Clifford Stoll, The Cuckoo's Egg, isbn:0370314336
I think we're at much more risk from trojans (binaries from tainted sources), worms (programs that break-in and replicate - Stoll later realises that the virus above is actually a worm) and crackers.
Concentrate on checking any incoming programs before execution, avoiding any injection attacks (like using material from incoming email in your mail filters in an insecure way) and on generic perimeter security, like firewalling, intrusion detection and so on. Some of those measures will also detect most viruses.
Hope that helps,
On Sun, May 18, 2008 at 12:31 PM, MJ Ray mjr@phonecoop.coop wrote:
Concentrate on checking any incoming programs before execution, avoiding any injection attacks (like using material from incoming email in your mail filters in an insecure way) and on generic perimeter security, like firewalling, intrusion detection and so on. Some of those measures will also detect most viruses.
A good backup and recovery plan would be useful too.
Tim.
On Sun, 18 May 2008, MJ Ray wrote:
I think we're at much more risk from trojans (binaries from tainted sources), worms (programs that break-in and replicate - Stoll later realises that the virus above is actually a worm) and crackers.
True, but just because a binary is a trojan, does not mean it can't also be a virus and a worm. They're not mutually exclusive. So thus your "we're at much more risk" statement is not always going to be strictly true, as you could have a hybrid malware application.
-Srdjan
Srdjan Todorovic todorovic.s@googlemail.com wrote:
On Sun, 18 May 2008, MJ Ray wrote:
I think we're at much more risk from trojans (binaries from tainted sources), worms (programs that break-in and replicate - Stoll later realises that the virus above is actually a worm) and crackers.
True, but just because a binary is a trojan, does not mean it can't also be a virus and a worm. They're not mutually exclusive. So thus your "we're at much more risk" statement is not always going to be strictly true, as you could have a hybrid malware application.
Not being mutually exclusive does not mean we're not at much more risk from trojans, worms and crackers. I meant to express the relationship mean(risk(virus)) << mean(risk(foreach({trojan, worm, cracker}))) and I think that's pretty surely true, even in light of a hybrid malware application, because that's going to increase risk(virus) but also increase risk on the other side too.
Hope that explains,
On Sun, 18 May 2008, Wayne Stallwood wrote:
On Sun, 2008-05-18 at 02:07 +0100, Srdjan Todorovic wrote:
What about Linux viruses? (http://en.wikipedia.org/wiki/Linux_Virus)
What about them ? How many of them have actually been seen in the wild
They do exist.
outside test conditions? You do know that list is actually compiled from data taken from various AV solution providers.
True, the list (as with the windows virus list) is provided by biased entities that want to sell you something. Can you trust them?
If you get software from trusted repositories and are not using your machine as a mail gateway or samba server for windows machines then there are currently very few reasons to run local AV protection.
Unless the trusted source becomes compromised, true.
Unlikely? How would you know that you were infected with a Linux virus if you dont have a Linux anti-virus?
The difference between Windows and Linux in this respect (at the moment), is that to get malware on linux takes either a lot of effort or a lot of stupidity, whereas on Windows it takes effort not to get infected.
A lot of effort on behalf of the attacker and enough stupidity on the behalf of the user, or did I misunderstand?
As for personal app firewall, I think I read in the snort docs ages ago that you could configure it to drop routes to hosts that seemed to be attacking you, and the dropping would be automatic. I think you'd get an email notification about it too. Maybe some NIDS experts on here can confirm that.
It is also possible to configure iptables to drop based on the name of the binary, although this needs a nice pointy clicky gui to make it
Which is a bit silly given that if you have a virus/spyware combo, the name of the binary could change and then the iptables rule will no longer be effective.
but you're unlikely to need them.
Seriously, we need to stop this attitude that Linux is invincible. It isn't.
Nobody is saying Linux is invincible, but everything you do with security is a cost (be that user time, computer time or money) vs actual threat level calculation. In my opinion currently unless you are trying to protect downstream Windows boxes that calculation for antivirus on Linux (or Macs for that matter) does not stack. The situation may change in the future as the Windows userbase shrinks and the target size of Linux and OSX increases however.
The thing that gets me is that although Windows boxen are allegedly easier to break into, I feel they don't really offer much in terms of power after you break into them. A Unix-like system will probably offer more power to a cracker. Anyone have experience of this? What kind of tools does Windows malware install? And what tools does Linux malware install?
-Srdj
On Sun, 18 May 2008 14:22:26 +0100 (BST) Srdjan Todorovic todorovic.s@googlemail.com allegedly wrote:
The thing that gets me is that although Windows boxen are allegedly easier to break into, I feel they don't really offer much in terms of power after you break into them. A Unix-like system will probably offer more power to a cracker. Anyone have experience of this? What kind of tools does Windows malware install? And what tools does Linux malware install?
I'm sorry, but that depends entirely on what you mean by power. Do some research on botnets.
The really scary part about windows machines at the end of always on high bandwidth DSL connections is the damage they can do when harnessed in bots of tens of thousands in size. They have enough power to completely hose most ISP backbone connections let alone one or two hosts.
And I only pick on Windows machines because of their prevalence in the market. MS has done a good job of putting standardised (I use the word advisedly) easy to use systems into the hands of users who don't have to care how the systems work. Given this huge monoculture in relatively unskilled hands it is hardly surprising that infection is easy to spread.
Current incarnations of viruses and trojans are now used not by script kiddy types, but by serious organised crime groups interested in money. You want to take down Amazon? Hire a botnet. You want to extort money from a commercial website? Hire a botnet. You want to send 100 million spam emails? Hire a botnet.
And without wishing to get into any sterile argument about the prevalence or otherwise of Linux (or MacOS) viruses or trojans, the main thing protecting us at the moment is that we are a minority. Why bother to write a complex piece of software to compromise a very few Linux desktops when the real money is in Windows.
Mick
---------------------------------------------------------------------
This is a Microsoft free zone. Please do not send me Microsoft Word Documents. For some reasons, see:
www.gnu.org/philosophy/no-word-attachments.html
www.goldmark.org/netrants/no-word/attach.html
---------------------------------------------------------------------
On Sun, 18 May 2008, mbm wrote:
On Sun, 18 May 2008 14:22:26 +0100 (BST) Srdjan Todorovic todorovic.s@googlemail.com allegedly wrote:
The thing that gets me is that although Windows boxen are allegedly easier to break into, I feel they don't really offer much in terms of power after you break into them. A Unix-like system will probably offer more power to a cracker. Anyone have experience of this? What kind of tools does Windows malware install? And what tools does Linux malware install?
I'm sorry, but that depends entirely on what you mean by power. Do some research on botnets.
Yes, I know about botnets. What I was thinking of is such capabilities as raw sockets, though I think I read that WinXP does have raw socket support.
The really scary part about windows machines at the end of always on high bandwidth DSL connections is the damage they can do when harnessed in bots of tens of thousands in size. They have enough power to completely hose most ISP backbone connections let alone one or two hosts.
But sed 's/windows/Linux/g' and it's still as scary and valid.
And I only pick on Windows machines because of their prevalence in the market. MS has done a good job of putting standardised (I use the word advisedly) easy to use systems into the hands of users who don't have to care how the systems work. Given this huge monoculture in relatively unskilled hands it is hardly surprising that infection is easy to spread.
Interesting you should say that. I saw Ubuntu CDs being placed as cover CDs for those magazines that are aimed at total computer newbies. These computer newbies are likely to be 'unskilled' and probably don't care how the system works.
Current incarnations of viruses and trojans are now used not by script kiddy types, but by serious organised crime groups interested in money. You want to take down Amazon? Hire a botnet. You want to extort money from a commercial website? Hire a botnet. You want to send 100 million spam emails? Hire a botnet.
Yes, that's extremely worrying. I suppose, with script kiddies, they just want a little bit of fun and fame, but will eventually realise they were doing something wrong. With organised crime groups, they are fully aware they are doing something wrong, and they want to carry on anyway.
And without wishing to get into any sterile argument about the prevalence or otherwise of Linux (or MacOS) viruses or trojans, the main thing protecting us at the moment is that we are a minority.
But the minority will change to a majority at some point, especially if the trend to include easy to use Linux distros on computer beginners' magazines continues.
-Srdjan
On Sun, May 18, 2008 at 02:22:26PM +0100, Srdjan Todorovic wrote:
The thing that gets me is that although Windows boxen are allegedly easier to break into, I feel they don't really offer much in terms of power after you break into them. A Unix-like system will probably offer more power to a cracker. Anyone have experience of this?
How can that possibly make sense? A computer is a computer, Windows and Linux have basically the same feature set in that they can carry out computing tasks and talk to the internet. You can install unix tools on Windows or even a virtualised install of linux in Windows userland.
Just because it might not be a reliable operating system is irrelevant in the context of botnets as if a few machines die/fall over/get reinstalled the horde is still out there. The whole power of Linux is the diversity it provides, as already pointed out the whole monoculture of Windows is precisely why it makes a nice target.
Is there any actual or theoretical task that Linux can do that Windows can't do? I'm not talking about running a specific program or software availability for the platform as that could be solved by porting software etc. I mean an actual task or process that Linux can do that Windows can't do either now or in the future if someone coded it?
Adam
On Monday 19 May 2008 09:20:22 Adam Bower wrote:
Is there any actual or theoretical task that Linux can do that Windows can't do? I'm not talking about running a specific program or software availability for the platform as that could be solved by porting software etc. I mean an actual task or process that Linux can do that Windows can't do either now or in the future if someone coded it?
http://en.wikipedia.org/wiki/Halting_problem
Oh no, wait. Linux can't do that either.
R. ;-)
Hi
2008/5/19 Adam Bower adam@thebowery.co.uk:
On Sun, May 18, 2008 at 02:22:26PM +0100, Srdjan Todorovic wrote:
The thing that gets me is that although Windows boxen are allegedly easier to break into, I feel they don't really offer much in terms of power after you break into them. A Unix-like system will probably offer more power to a cracker. Anyone have experience of this?
How can that possibly make sense? A computer is a computer, Windows and Linux have basically the same feature set in that they can carry out computing tasks and talk to the internet.
As per my other email, I was thinking of other things like raw socket support, or something similar.
It will be more likely that a Linux/Unix box will have a C compiler installed than Windows having a C compiler. Yes, I am aware that some distros don't install compilers and devel tools, but lots of boxen might well have them.
You can install unix tools on Windows or even a virtualised install of linux in Windows userland.
You might have to pull lots of packages and deps, depending on what you want and have. Would malware writers bother?
Just because it might not be a reliable operating system is irrelevant in the context of botnets as if a few machines die/fall over/get reinstalled the horde is still out there. The whole power of Linux is
Yes, in the context of botnets.
the diversity it provides, as already pointed out the whole monoculture of Windows is precisely why it makes a nice target.
Won't the syscalls and the C lib follow set standards for the interfaces, like POSIX compliance etc? Sure libraries will be different versions, but you could possibly have several versions of the same malware for different versions of the libs. It's not like you'll need a specific version of Gnome (for eg.), or certain version of libpng.
Is there any actual or theoretical task that Linux can do that Windows can't do? I'm not talking about running a specific program or software availability for the platform as that could be solved by porting software etc. I mean an actual task or process that Linux can do that Windows can't do either now or in the future if someone coded it?
No, probably not.
Srdjan
On Mon, May 19, 2008 at 10:10:33AM +0100, Srdjan Todorovic wrote:
You might have to pull lots of packages and deps, depending on what you want and have. Would malware writers bother?
Well, usually they just upload a statically compiled program that they need. I don't see what relevance that having a C compiler would have given that if you are administering a botnet you aren't exactly going to compile software by hand on a compromised host and having a C compiler isn't exactly a unique or difficult thing to get hold of. ;)
Adam
On Sun, 2008-05-18 at 14:22 +0100, Srdjan Todorovic wrote:
Which is a bit silly given that if you have a virus/spyware combo, the name of the binary could change and then the iptables rule will no longer be effective.
OK, fair point... it's the wrong way round. Drop everything and allow only known binaries that you have added rules for. Of course all this is irrelevant if the malware in question has managed to get root access, as it can then flush/modify the rules.
BTW some (if not all) versions of Norton Internet (in)Security have the same issue, as their application rules are based on filename and location not signature, so if you get enough privileges to write to a file that is likely to have been allowed through (like the Norton updater itself) then you can pass the firewall.
Anyway it is a moot point because general users will tend to click on allow in fear that denying access to something will break something. The number of times I have seen malware in the allowed list on Windows machines almost outnumbers the times I have seen critical things that do genuinely need to get to the Internet in the denied list. I mean in all honesty how is the end user supposed to know that wuauclt.exe should be allowed access and randomspyware.exe shouldn't.
Hi, I use Avast anti-virus and the FireStarter firewall with Ubuntu 8.04, just as another line of defence. I don't know of any spyware program for Linux. A Linux version of Spybot would be good.
Barry