David Bolt wrote:
On Tue, 7 Aug 2007, Michael Letourneau wrote:-
David Bolt wrote:
<Snip>
As more and more file types get linked to more applications I am not so sure that "executing" something has the same meaning it used to. Say you download a new screen saver, you never really execute that, but your window manager utilizes the data in it.
Erm, you can execute a screen saver if you test it. And the window manager will do so when the specified idle time is reached.
As an example, I set the screen saver on my 10.2 system to be BSOD and here's me locating just where the file is, and what type it is:
davjam@donnas:~> grep -i "saver" ~/.kde/share/config/kdesktoprc
[ScreenSaver]
Saver=bsod.desktop
davjam@donnas:~> grep -i "exec" /opt/kde3/share/applnk/System/ScreenSavers/bsod.desktop
Exec=bsod
TryExec=xscreensaver
Exec=kxsconfig bsod
Exec=kxsrun bsod -- -window-id %w
Exec=kxsrun bsod -- -root
davjam@donnas:~> find /usr/ -mount -name bsod 2>/dev/null
/usr/lib64/xscreensaver/bsod
davjam@donnas:~> file /usr/lib64/xscreensaver/bsod
/usr/lib64/xscreensaver/bsod: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), for GNU/Linux 2.6.4, stripped
All of which makes for an ideal method of introducing a trojan onto a system[0]. And, just to make sure it works across the widest variety of systems, all that's required is to create a statically linked 32bit binary and it'll run on virtually any x86-32 or x86-64 based system.
Err No... The file itself should usually be read only and only changeable by root, and if you are allowing stuff like this to happen as root more fool you....
Of course, there's also those infections that occur without user intervention, but those tend to come in through security holes in server daemons which are unlikely to be running on a normal users desktop system.
Yup, I would classify those more as worms or exploits rather than virii.
They're under the general "viruses" tag. For my definitions, worms require no assistance to spread, as they actively search for files/systems to infect. Trojans require human assistance to spread and are designed to pretend to be one thing while actually being something completely different. True viruses also require human assistance to spread, but do so completely unknown to the user. Boot sector viruses, and those wonderful macro viruses, are what I'd call a virus. I wouldn't classify any of the recent Windows "viruses" a true virus, I'd call them a trojan instead.
An opinion maybe, but technical nonsense otherwise.

1) The classical viruses come in two groups, boot sector and binary file infectors, with nominal sub-class functions of droppers (a virus which drops a trojan, a virus of a different type, etc.). Some later DOS viruses spread using all techniques. Boot sector viruses are a vulnerability for systems which use the boot sector to load code that identifies where to load the OS, which covers just about anything. The only time a system is normally vulnerable nowadays is when booting media (the media does not have to be bootable, and boot sector protection in BIOS is usually trivial to circumvent; the only real safety is to only allow booting from trusted boot media when required). The period of time between the machine being started and the OS taking control is a particularly vulnerable moment, but it is now very difficult to infect when the OS is running and in control (but not impossible). File infectors need read access to the file to infect with malicious code. As it is normal practice to keep most system files read only to users, the possibility of causing system wide problems is really down to your security practices. When executable file formats were very simple these were relatively easy to write. The key characteristic of a virus is the ability to replicate the original functionality. Hence boot sector viruses modified boot sectors, and file infectors change files with code to infect other files when run. These viruses do not need human intervention to spread, just various forms of human stupidity.

2) Macro and script viruses are a special case of 1 (I was on a CHEST software committee in the early 1990s that identified this as a potential issue then). Basically any programming code can be infected with code with viral characteristics. Scripts are code. These are considerably easier to produce than executable-code-based viruses, hence their current popularity.

3) Trojans may subvert systems, but do not have the ability to replicate, so hence ARE NOT viruses.

4) The first reference to the concept of a computer worm I came across was in J. Brunner's book Shockwave Rider. Worms do not really replicate, they propagate; the worm itself may disappear but it delivers malware code (usually a trojan of some sort) which it may use to propagate itself elsewhere. The distinction is subtle but important. Worms actively exploit weaknesses and are more of a strategy than anything else. [Odd thing is the idea of self modifying and replicating code is a legitimate area in A.I. research].
But most of the popular services have had some issues, ftp, mail, http, ssh...
The last Linux worm I saw was one that was spread via infected Apache/PHP systems. It worked by having the exploitable PHP parse a command string and fetch a script from some site, chmod the script, and then call it. That script would then download a couple of ELF executables, one of which turned the server into a zombie controlled via IRC, and configured them to start on boot. Thankfully, it's been a couple of years since I saw that, but I still have the sample I managed to acquire stored in an encrypted archive, along with a large selection of Windows viruses[1][2].
This really cannot be called a worm, this more strictly is a dropper. <snip>
David Bolt
What!!!!????

--
==============================================================================
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
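Added example, not part of the thread: a Python script that reproduces the chain David traced above (the Saver= entry in kdesktoprc, the Exec= lines of the .desktop file, the binary on disk) against constructed sample files, then audits the binary's owner and write bits, which is the property the "read only and only changeable by root" reply relies on. The temp-directory layout, the helper names and the deliberately world-writable sample binary are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample configuration mirroring the chain traced in the post:
# kdesktoprc -> Saver=bsod.desktop -> Exec=bsod -> the binary on disk.
KDESKTOPRC = "[ScreenSaver]\nSaver=bsod.desktop\n"
BSOD_DESKTOP = ("[Desktop Entry]\nExec=bsod\nTryExec=xscreensaver\n"
                "[Desktop Action Setup]\nExec=kxsconfig bsod\n")

def parse_keys(text, key):
    """All values of 'key=value' lines; a .desktop file repeats Exec= per action."""
    return [line.split("=", 1)[1].strip()
            for line in text.splitlines() if line.startswith(key + "=")]

def saver_program(desktop_text):
    """Program the first Exec= line runs (its first word), or None."""
    execs = parse_keys(desktop_text, "Exec")
    return execs[0].split()[0] if execs else None

def locate(program, search_dirs):
    """First existing file named `program` in the given directories, else None."""
    for d in search_dirs:
        if (Path(d) / program).is_file():
            return Path(d) / program
    return None

def audit(path):
    """Who owns the file and whether someone other than the owner could rewrite it."""
    st = os.stat(path)
    return {"owner_is_root": st.st_uid == 0,
            "group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))}

def demo():
    """Build the sample tree in a temp dir (assumed layout), resolve the saver, audit its binary."""
    root = Path(tempfile.mkdtemp())
    saver_dir, bin_dir = root / "ScreenSavers", root / "bin"
    saver_dir.mkdir()
    bin_dir.mkdir()
    desktop = saver_dir / parse_keys(KDESKTOPRC, "Saver")[0]
    desktop.write_text(BSOD_DESKTOP)
    (bin_dir / "bsod").write_text("#!/bin/sh\n")
    os.chmod(bin_dir / "bsod", 0o777)  # deliberately loose, so the audit flags it
    found = locate(saver_program(desktop.read_text()), [bin_dir])
    return str(found), audit(found)
```

On a real system the same two checks run against the path `file` reported above; a saver binary that is not root-owned or that group or world can write is the thing to fix.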