On Tue, 3 Feb 2004, Frank Boehme wrote:
> I was just wondering how difficult it would be to port MyDoom to
> Linux. Sorry for imposing my thoughts..
>
> Suppose there would be something like MyDoom 0.1-alpha on SourceForge. I
> think, the TODO file could probably read like this:
>
> * Convince the victim to unpack and execute binary mail attachments

Linux presents no barrier to this. The only difference is that
currently Linux users tend to be more technical and know better. From
what I understand, current versions of Outlook try to make it
difficult to run binaries direct from email. (Though, do any unix
MUAs allow one to execute attachments by clicking on them? With or
without "are you sure" messages?)

I.e. the problem is the user...

Further, Linux MUAs are not immune from security vulnerabilities.
There have been vulnerabilities where MUAs will execute arbitrary
data found in mails. (pine has had a few I know, being a pine user.
I'm assuming other MUAs have had these vulns too). I.e. it needn't even
require the victim to take any action, other than check his mail.

> * Find a means to scan for email addresses in the user's data

Trivial. E.g. create a pipe and fork off and run a simple shell
command.

> * Mass email to the addresses found

Trivial.

> * Upon execution of the attached binary, install a backdoor server that
> listens to certain ports,

Been done lots of times with other worms. (E.g. the apache worm.)

> some of which with low numbers. Must run as non-root. Should keep
> listening after logoff. (xinetd?)

Low-number isn't needed. After logoff is easily done.

> * Have this server accept connections from anywhere.

Easily done, it's the default for a socket :)

> * Do all this without write access to /etc. We are not root.

Not a problem.
> * Major rewrite of the code. Forced to switch to another OS.

Unfortunately not so. See, e.g., the apache SSL worms. Unix is no more
secure than windows.

The only thing Unix and Linux have going for them is:

- diversity
  - different architectures
  - different systems with different libraries
  - even similar systems (e.g. built from same code) can still be
    different enough (function addresses) that worm propagation is
    difficult

and

- far more technically adept and security aware user base

Fedora and (I think) recent RH9 kernels also have exec-shield which
makes it even more difficult to be able to consistently exploit.
Fedora also has prelink (available too for RH9) set to randomise
library addresses slightly.

But there isn't really anything inherently secure about Unix.
> Have a nice day (it rains here),
>
> Frank

regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam at dishone.st
Fortune:
Parts that positively cannot be assembled in improper order will be.
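The backdoor item in the TODO above (a non-root server listening on some port, accepting connections from anywhere, still there after logoff) is something a Linux admin can check for with nothing but /proc. Added example, not code from the thread: it parses /proc/net/tcp and lists listening TCP sockets owned by any uid other than 0; the SAMPLE table is constructed, and /proc/net/tcp6 (IPv6) is not covered.

```python
"""Audit /proc/net/tcp for listening TCP sockets owned by non-root users.
Added example, not from the original thread. The SAMPLE table below is
constructed; when run on a Linux host the real /proc/net/tcp is read instead."""
import os

LISTEN = 0x0A  # "st" column value for a socket in the TCP LISTEN state


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, uid) for each row of /proc/net/tcp."""
    for line in text.strip().splitlines()[1:]:  # skip the column-header row
        fields = line.split()
        if len(fields) < 8:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # IPv4 address is a little-endian hex word: reverse the bytes for dotted quad.
        ip = ".".join(str(b) for b in bytes.fromhex(addr_hex)[::-1])
        yield ip, int(port_hex, 16), int(fields[3], 16), int(fields[7])


def nonroot_listeners(text):
    """Return sorted [(uid, port, ip)] for LISTEN sockets whose owning uid is not 0."""
    return sorted(
        (uid, port, ip)
        for ip, port, state, uid in parse_proc_net_tcp(text)
        if state == LISTEN and uid != 0
    )


# Constructed sample: sshd as root on :22, a uid-1000 dev server on 127.0.0.1:8000,
# a uid-1000 process bound to every interface on :31337, and one established flow.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F40 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    path = "/proc/net/tcp"  # IPv6 listeners live in /proc/net/tcp6 and are not covered here
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for uid, port, ip in nonroot_listeners(text):
        scope = "all interfaces" if ip == "0.0.0.0" else ip
        print(f"uid {uid} is listening on port {port} ({scope})")
```

A socket bound to 0.0.0.0 by a non-root uid is exactly the "accept connections from anywhere, no root needed" case in the thread; the established flow on row 3 is ignored because its state is not LISTEN.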