On 3/13/06, Daniel Bauer
> However, on Win I "installed" a rootkit once just by inserting a *legally bought* Sony-Music-CD (last time in my life, I bought a music CD!) - and I have no idea if something like that could happen with Linux, too, because big companies absolutely do not respect my privacy and have a lot of criminal energy and resources, for sure...
Now this is where Windows and Linux differ. In order for something like this to happen on Linux, you need to insert the CD, then log in as root user on your machine, then mount the CD and then run the rootkit installer from the CD. So, you basically need to install the rootkit yourself. Someone can install a rootkit on your machine over the network, by exploiting a known vulnerability of a specific piece of software on your machine, but they need to be able to connect to a port on your machine from outside (that is where the firewall comes in).

So, let's say for example that the telnetd program has a vulnerability. Now the vulnerability will only exist in a specific version or range of versions of the telnetd program and it is normally patched soon after the vulnerability has been discovered. But let's say that you do not update your machine regularly and you are running an old version of telnetd that still has the vulnerability. Telnetd listens on port 23 on your machine. So, Mr CR Acker is scanning for machines with port 23 open and discovers yours. He then runs a script that will contact your machine and access port 23 and then send a certain command to that port. The command (or stream of data) is designed to exploit the vulnerability in your version of telnetd. It works and your telnetd cracks up and allows Mr Acker to access your machine as root user via the telnet port. So he uploads his rootkit and installs it. I am not a security expert, but as far as I know, this is basically how a UNIX/Linux system can be compromised. The experts can correct me and/or expand a bit on it.

So, you can see that to get malicious software onto a Linux box requires that a number of things need to be in place:
1) You need to have the correct version of the vulnerable software installed.
2) The vulnerable software needs to be running and listening on an Internet port.
3) Your firewall has to allow access to that port from outside.
Taking into account that most vulnerabilities in OSS software are detected and fixed by the community or developers long before Mr CR Acker does, and you need to have your firewall set up to allow access to the application, you can see that it is quite difficult to get into a box that is properly maintained. The attacker also needs to get root access to your machine to do any real harm. There are a lot of other design issues that make Linux very virus-unfriendly. It is also very unlikely that you can get a rootkit or any malicious software installed by just inserting a CD, as Linux systems normally do not run anything on a CD by themselves. KDE and GNOME do have the capability to do so, if they are set up to do it, but then it is run as a normal user and not root (except if the user is stupid enough to run a desktop as root, and in that case he/she deserves what they get).
> I have never run an anti-virus program on Windows, because I thought this is only money-making. As I did not use Outlook, but Eudora, turned html-view and automatic downloading off and only opened attachments I knew what they were, I never had any problems.
The strategy of not using Outlook and IE is good. I think most of the virus problems are caused and sustained by those two apps. Fortunately we do not have them on Linux. :-)

To come back to the ZoneAlarm thing. I have gkrellm running on all my desktops, so I can always see what the CPU, network and disk usage is (together with a number of other things). I can immediately see if my network, CPU or disk usage is not what I expect it to be and then I use tools like ps and netstat to see what is doing stuff on my machine that I do not expect. I suppose this is my way of doing what ZoneAlarm is doing. I just approach it from a UNIX perspective. :-)

--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
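An added example, not code from the thread, of the netstat check Andre describes, applied to the three conditions listed above: a small POSIX shell script reads netstat -tlnp style output and lists every service that is listening on a non-loopback address on a port that is not in an allowlist, so a forgotten telnetd on port 23 stands out. The netstat sample is constructed, not captured from a real host, and the allowlist (only port 22) is an assumption to adjust per machine.

```sh
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1043/telnetd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# Ports we expect to be reachable from outside (assumed allowlist; adjust per host).
EXPECTED_PORTS="22"

# Read netstat -tlnp style text on stdin and print "port program" for every
# LISTEN socket bound to a non-loopback address whose port is not allowlisted.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            # Local address is field 4 (e.g. 0.0.0.0:23 or :::22); port follows the last colon
            addr = $4; port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Loopback-only sockets are not reachable over the network, so skip them
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) { prog = $7; sub(/^[0-9]+\//, "", prog); print port, prog }
        }'
}

# Run the check over the constructed sample; on a live box pipe `netstat -tlnp` in instead.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
}

check_sample
```

On the sample this reports only `23 telnetd`: sshd is allowlisted and cupsd is bound to loopback, which is exactly the split between "listening on an Internet port" and "listening at all" that the three conditions turn on.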