On Tue, Aug 24, 2004 at 09:20:46PM -0700, Aron Roberts wrote:
> Tom Holub asks:
> >Do you know of examples of Unix viruses in the wild?
>
> From 15 minutes of Googling ...
>
> You may recall that Robert Morris's Internet worm in 1988 was one of
> the first computer worms to draw widespread attention, and that
> this worm was written for Unix systems
> <http://en.wikipedia.org/wiki/Morris_worm>.

Well, I suppose we have a nomenclature issue here. The Morris worm
exploited a hole that was remotely vulnerable due to a buffer overrun;
it did not involve installing binaries on the host, and it would not have
been caught by an anti-virus program.

> In the years which have followed, there have continued to be a modest
> number of Unix/Linux worms detected in the wild, many of which merely
> try to exploit well-known, remotely-accessible vulnerabilities, perhaps
> often thus obtaining privilege escalation, and in so doing, propagate
> from machine to machine. In most cases, these vulnerabilities have
> been quickly patched within the affected Unix and/or Linux
> communities, so the number of vulnerable hosts has been small.

As with the above, remote vulnerabilities are not a class of problem
which is addressed by anti-virus software. Remote vulnerabilities
are, to some extent, addressed by firewall software, which I noted as
being important for Unix workstations. I would extend that to all
Unix hosts.

> Because the privileges under which most users of Unix or Linux
> systems are usually running generally don't permit alteration of
> interesting files or processes, it has been difficult for true Unix/Linux
> viruses to spread. Thus, these viruses have been either rare or
> non-existent in the wild, depending on which analysis you choose to
> believe. Several authors have expressed the opinion that Bliss
> for Linux may be the sole example of malicious code with
> virus-like characteristics found in the wild:
>
> http://www.viruslist.com/eng/viruslist.html?id=3134

Suffice it to say, Bliss is not "in the wild" in the same way that
Netsky or Bagle are. I have never heard a report of a campus host
being compromised by Bliss or any virus/worm/trojan with similar
characteristics or behavior.

--
Tom Holub (tom_holub@LS.Berkeley.EDU, 510-642-9069)
College of Letters & Science
249 Campbell Hall

Received on Tue Aug 24 21:49:34 2004