----- Original Message -----
From: "foodog"
To:
Sent: Thursday, March 07, 2002 3:37 PM
Subject: Re: regularly scheduled paranoia. Was: Re: Anti Virus

> Nancy Sollars wrote:
> ...
> > I'd like to see proof of concept mechanics to see how stealthing would work &
> > how the apparent apache viiri affects all other binaries cuz it must run as
> > root to be able to do what is claimed.
>
> For stealthing see innumerable rootkits, adore, t0rn or kis for
> example. I recall reading about lkm-like behavior without loading
> modules - probably in one of the last two releases of Phrack, but I'm
> not positive (will try to locate). As for running as root, that's the
> joy of the script kiddie vector: tell them it requires root and they'll
> oblige. When they break into another system and import their
> tools'n'toys they'll also run as root.
>
> Suppose nmap is trojaned:
> $ nmap -sS -O kickme.dim.org
>
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> You requested a scan type which requires r00t privileges, and you do not
> have them.
>
> QUITTING!
>
> > Since each Linux system differs quite substantially from the other, creating
> > a viiri that would be effective is practically zero ... proof of concept in
> > Europe showed that getting a viiri into some system setups is not a problem,
> > but when you start patching the kernel and having your daemons running as
> > users and not root, forget it..
>
> Li0n showed that even shoddy code specifically aimed at only one
> distribution can spread. IIRC, there wasn't any technical reason to
> restrict it to Redhat systems. I agree that Linux users are
> *potentially* in a much better position to defend, I just haven't run
> into many people with an appropriate level of paranoia.
>
> It seems like targeting ELF executables is a good choice for a virus
> author. I await the verdict of people crafty with disassemblers to
> decide how portable this one is. It would make sense to package such a
> virus with a working exploit if your goal is to spread far and wide.
>

Agreed on the above totally ... I guess having the openwall and hap patches in one's kernel and building all binaries using a bounds-attack-fixed gcc is classed as paranoia..

Paranoid as ever
3 full glibc's and gcc's

Nige ...

> Steve
>
> > Nige
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
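The trojaned-nmap scenario in the thread is the case a baseline of known-good binary hashes is meant to catch. The following is an added example, not code from the thread or from any of the tools named in it: it hashes every ELF file under a set of directories, diffs the result against an earlier baseline, and flags modified, added, removed, and newly setuid binaries. All function names are hypothetical, and the sample "nmap" is a constructed file carrying only the ELF magic bytes.

```python
import hashlib, os, tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    """True if a regular, non-symlink file starts with the ELF magic bytes."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC

def build_baseline(dirs):
    """Map each ELF file under dirs to its SHA-256 and setuid flag.
    Keep the result off-host: a rootkit that owns the box can rewrite it."""
    base = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if is_elf(p):
                    base[p] = {"sha256": hashlib.sha256(Path(p).read_bytes()).hexdigest(),
                               "setuid": bool(os.stat(p).st_mode & 0o4000)}
    return base

def diff_baseline(old, new):
    """Binaries whose content changed, appeared, vanished, or newly gained setuid."""
    rep = {"modified": [], "added": [], "removed": [], "new_setuid": []}
    for p, info in new.items():
        if p not in old:
            rep["added"].append(p)
        elif info["sha256"] != old[p]["sha256"]:
            rep["modified"].append(p)
        if info["setuid"] and not old.get(p, {}).get("setuid"):
            rep["new_setuid"].append(p)
    rep["removed"] = [p for p in old if p not in new]
    return rep

def demo():
    """Constructed sample: a fake 'nmap' (ELF magic only) gets bytes appended and setuid set."""
    d = Path(tempfile.mkdtemp())
    nmap = d / "nmap"
    nmap.write_bytes(ELF_MAGIC + b"\x00" * 60)
    (d / "README").write_text("not a binary\n")   # non-ELF, must be ignored
    before = build_baseline([d])
    nmap.write_bytes(nmap.read_bytes() + b"\x90" * 16)  # simulated tampering
    os.chmod(nmap, 0o4755)
    rep = diff_baseline(before, build_baseline([d]))
    return {k: [os.path.basename(p) for p in v] for k, v in rep.items()}
```

A kernel-level rootkit of the kind Steve mentions can hide files or lie about their contents to a userland checker, so the comparison is only trustworthy when run from clean boot media or with the baseline held and compared off-host.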