Tuesday, November 24, 2009

Re: [LINUX_Newbies] I got question about virus...

I have been using Linux for ten years without ever using an AV. My computer
has had a broadband always on connection throughout and I am a heavy
internet user. I don't consider the seriousness of a threat worth the
hassle. Each person can choose for themselves. That is my take on it.

As for Windows users, I don't care. They have chosen their poison. I am
unsympathetic to them. They have choice and choose to use Windows. So they
get what they desire. It isn't like they have no alternative. If I pass on a
windows virus, it isn't intentional. I don't wish them any harm. I just
don't like to engage in Windows fear mongering and pander to their needs. I
want to stay above the fray.

BTW, I don't run Wine. I choose to run all Windows programmes in a VM so
that I can isolate any problems to that machine. I have cloned it just in
case. If Windows gets contaminated then I will dispose of the machine
and run the clone. To me that is the only way that it makes sense to run
Windows. Its security is so poor that it is hopeless. Apparently Windows 7
is no better. Already there are bug fixes for exploits and virus problems.
People say that Windows gets them because of its popularity, but that does
not make sense. Windows 7 has had security problems and exploits that were
known when it shipped. It is just the way Microsoft thinks. It is market
driven.

Is it likely that more Linux viruses will infect us over time, as Linux
gains popularity? Perhaps, but I think not. First off the system is more
protected. It has separate root and user areas and different permissions and
it has no central registry. Secondly, Linux users are smarter about
passwords and security issues. Thirdly, if it was possible, I think that it
is highly likely that Microsoft would have had their hackers pushing out
Linux viruses in order to prove that Linux is no more secure. They have done
worse to their competition.

Suggesting that we should get ready now for whenever they come is a bit
premature. Let's demonstrate a threat before we start crying that the sky is
falling.

Roy

2009/11/23 TODD <trgbeck@gmail.com>

>
>
> Is Linux really prone to virus like M$ Windozes?
>
> I know some say not to bother with AV products but I have been using
> Bitdefender and really like it better than ClamAV. Bitdefender almost runs
> like the MS Win version. Actually runs in background, preloads AV engines at
> startup, drop zone. A lot better than ClamAV as far as I see. Well I know
> there are known viruses/worms, malware that DO find ways in to Linux. So as
> mainstream as it gets there will be hackers and cracks to get malware into
> Linux; as time goes it won't be safe in any system or game consoles out
> there. As for now these are well known out there for Linux,
> Think Safety First always..... Nothing is safe unless you monitor and do
> checks in your systems.
> ====================================================================
> Linux.Worm.Slapper./A/ /B/ /C/ /D/ Spreading-Damage:medium
> Discovered: 2002 Sep 24 (A: 2002 Sep 16, D: 2006 Feb 21)
> SYMPTOMS:
> - File /tmp/.cinik, /tmp/.cinik.c, /tmp/.cinik.go (variant B);
> - File /tmp/.unlock.c, /tmp/httpd, /tmp/.update.c, /tmp/update;
> - directory /tmp/.font-unix/.cinik (variant B);
> - Message "foo" …
> -Variant A
> - files "/tmp/.bugtraq" and "/tmp/.bugtraq.c" containing the worm's
> executable and source code;
> - a process ".bugtraq" running (the executable worm);
> - UDP port 2002 open.
> -Variant D
> Presence of file "listen.log" in the same directory with the virus.
> Port 27015 on UDP is opened.
> Increase of CPU usage due to the many outgoing TCP connections on port 80.
> TECHNICAL DESCRIPTION:
> Linux.Worm.Slapper.A
> Internet worm that exploits a vulnerability in the OpenSSL implementation
> of the Secure Sockets Layer protocol - sending a malformed client key in an
> SSL request may cause a buffer overrun and run code of the attacker's
> choice on the server; more detailed information regarding this vulnerability
> (discovered in July 2002) is available in the document
> http://www.openssl.org/news/secadv_20020730.txt. The worm targets several
> Linux distributions running the popular Apache web-server.
> The worm scans for vulnerable computers in the network having IPs in the
> form a.b.c.d, where 'a' and 'b' are chosen randomly ('a' is limited to one
> of 162 possible values in the range 3 to 239) and 'c' and 'd' are iterated
> through all possible values. For every scanned IP, the worm tries to
> establish an HTTP connection in order to query the operating system and see
> whether a vulnerable version of the Apache server is running (Gentoo,
> Debian, Red-Hat, SuSE, Mandrake and Slackware operating systems, and several
> versions of Apache 1.3.xx are currently "supported" by the worm; a default
> configuration of Red-Hat Linux running Apache 1.3.23 is assumed if none of
> the hardcoded ones is detected).
> The worm will attempt (a maximum of 20 times, with 0.1 seconds between
> retries) to connect to the possibly-vulnerable computer's default SSL port
> (443) and send it a malformed string that will cause a buffer overrun and
> will run the embedded x86 machine-code; this code sequence uses INT 80h
> system calls to access Linux kernel services and invoke the shell (with
> redirected output for "silent" execution) in order to perform the following
> actions:
> - save an encrypted (uu-encoded) copy of the worm's C source-code in
> "/tmp/.uubugtraq";
> - decrypt it to "/tmp/.bugtraq.c";
> - compile the source to "/tmp/.bugtraq";
> - run the generated executable with the sender machine's IP as a
> command-line argument.
> (The sequence includes selected code for the determined Linux/Apache
> configuration.)
> This mechanism of sending the source code (C program) and compiling it on
> the target machine ensures the worm's portability on many distributions of
> Linux.
> Besides replicating to other computers in the network as described, the
> worm listens to UDP port 2002 for (encrypted) messages, providing the
> following functions:
> - direct communication with another infected machine;
> - relaying a data packet to another infected machine;
> - broadcasting a data packet to all infected machines;
> - running a command on the machine;
> - initiate a distributed denial-of-service attack on a machine (using UDP /
> TCP / IPv6 TCP connections, or DNS requests for the domain name servers).
> This backdoor-like behaviour compromises the local machine's and the
> network's security and functionality.
> These are 2 variants of Linux.Worm.Slapper.A. They use the same exploit and
> the changes are minor. The file names are different from first variant as
> specified in the Symptoms section. Another change is the port of the
> backdoor component of the virus:
> - 1978 - variant B
> - 4156 - variant C
> The B variant sends a notification mail-message to address
> cinik_worm@yahoo.com with the IP and some other
> information of the infected host. Some comments in the virus source
> (.cinik.c) are written in Romanian. If the virus fails to download the
> source code on the victim, it will try to download it from a Romanian site.
> The C variant contains another backdoor (.update.c and update) which
> connects on the port 1052. To be used, the backdoor requires a password to
> be given. Also the virus sends a notification to aion@ukr.net.
> In conclusion, analyzing the source codes, these variants were modified by
> a 24-year-old Romanian (variant B) and a 21-year-old Ukrainian (variant
> C).
> -Variant D
> This worm is compiled with gcc. The virus scans for port 80 on random IP
> addresses. If one of these computers has a XML-RPC for PHP Remote Code
> Injection vulnerability (Bugtraq ID 14088 , http://mamboserver.com/ ), the
> worm sends several commands to the victim computer (that download the worm
> using wget).
> Once a computer is infected, the worm sends a notification message (via
> UDP) to the attacker's server, port 25555. The worm opens 500 TCP connections at
> once while scanning for the vulnerability on hosts. This increases CPU usage
> (many synchronize connections (SYN) can be seen using the "netstat" Linux
> application).
> The worm also tries to download itself on victim computer (using php/xml
> vulnerabilities) from the following address http://209.123.16.34/ .
> Not really Linux but may get through Wine. There are several win32 viruses
> out there to mention, but this trojan may find its way in through Wine.
> So note one can catch these possibly, so beware.
>
> Trojan.Peed.JVL(Peed,Zhelatin,Nuwar,Peacomm )
> Spreading-Damage:medium Size:~110 kB Discovered:2008 Jul 04
> SYMPTOMS:
> Computer slow-downs, increased network activity.
> Presence of the specified files and registry entries.
> TECHNICAL DESCRIPTION:
> When started, the malware copies itself to the following location:
> %windows%\[malware_name].exe
>
> It creates the following registry entry:
> HKCU\Microsoft\Windows\CurrentVersion\Run\"[malware_name]" =
> "%windows%\[malware_name].exe"
> A few examples of [malware_name] are:
> "msserv"
> "msssecurity"
> It synchronizes the current computer time by executing the following
> commands:
> w32tm.exe /config /synffromflags:manual /manualpeerlist:time.windows.com,
> time.nist.gov
> w32tm.exe /config /update
> The malware adds itself as a Windows Firewall exception by executing the
> following command:
> netsh firewall set allowedprogram %windows%\[malware_name].exe
>
> The virus registers the compromised computer as a peer in its malware
> network and uses a randomly chosen UDP port to communicate with the other
> peers. It also sends to its network a unique ID for the compromised
> computer from the registry key:
> HKLM\Microsoft\Windows\ITStorage\Finders\"config"
> It drops a list of the initial peers to the configuration file:
> %windows%\[malware_name].config
> The malware updates this list by communicating with URLs like:
> cadeaux-avenu[hide]/getbackup.php
> The malware also has backdoor capabilities and can perform actions like:
> - send spam emails by using its SMTP engine
> - send system information from the compromised computer
> - download and execute other malware
> - update itself
> It searches email addresses from files with the following extensions:
>
> ".wab"".txt"".msg"".htm"".shtm"".stm"".xml"".dbx"".mbx"".mdx"".eml"".nch"".mmf"".ods"".cfg"".asp"".php"".pl"".wsh"".adb"".tbb"".sht"".xls"".oft"".uin"".cgi"".mht"".dhtm"".jsp"".dat"".lst"
> It does not send spam emails to email addresses that contain the following
> strings:
> "@microsoft""rating@" "fsecur""news""update""anyone@""bugs@""contract@
> ""feste""gold-certs@""help@"
> "info@""nobody@""noone@
> ""kasp""admin""icrosoft""support""ntivi""unix""bsd""linux""listserv""certific""@foo""@iana""free-av""@messagelab""winzip""google""winrar""samples""abuse""panda""cafee"spam""pgp""@avp.""noreply""local""root@
> ""postmaster@"
> Examples of sent emails:
> Subject: Well done 4th!
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> American Independence Day http://69.251.[hide]/
> Subject: Amazing Independence Day show
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> Stars and Strips forever http://68.90.195.[hide]/
> Some of sent emails' subjects are:
> Amazing firework 2008 Amazing Independence Day salute
> Amazing Independence Day show America for You and Me
> America the Beautiful American Independence Day
> Bright and joyful Fourth of July Celebrate Independence
> Celebrate the spirit of America Celebrate with Pride
> Celebrating Fourth of July Celebrating the Glory of our Nation
> Celebrating the spirit of our Country Celebrations have already begun
> Fabulous Independence Day firework God bless America
> Happy Birthday, America! Happy Fourth of July
> Happy Independence Day Home of the Brave Independence Day firework broke
> all records Just You Light up the sky Long Live America
> Proud to be an American S America the Beautiful S Happy Fourth of July
> S Stars and Strips forever Sparkling Celebration of Independence Day
> Spectacular fireworks show Stars and Strips forever Super 4th!
> The best firework you've ever seen The best of 4th of July Salute
> Time for Fireworks Well done 4th!You Stay In My Heart
> Some of the IPs used in the email body:
>
> As far as now Linux is still safe because it takes more work to make
> viruses, trojans and malware compared to win32 malware, viruses, trojans.
>
>
>
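A host-side triage check for the Slapper indicators quoted in the description above (an added example; not part of the original thread or BitDefender's write-up). It matches the /tmp file names and backdoor ports listed there, plus variant D's burst of half-open connections to port 80, against a constructed `netstat -an` listing and file list; the port and file tables are taken from the quoted text, and the 100-connection alarm threshold is my assumption.

```python
"""Triage check for the Slapper indicators quoted above (added example, not
from the original post or any AV vendor; sample input below is constructed)."""
import re

# Backdoor listener ports per variant, as given in the quoted description (all UDP).
SLAPPER_UDP_PORTS = {2002: "A", 1978: "B", 4156: "C", 27015: "D"}
# Dropped files per variant, as listed in the SYMPTOMS section.
SLAPPER_FILES = {
    "/tmp/.bugtraq": "A", "/tmp/.bugtraq.c": "A", "/tmp/.uubugtraq": "A",
    "/tmp/.cinik": "B", "/tmp/.cinik.c": "B", "/tmp/.cinik.go": "B",
    "/tmp/.unlock.c": "C", "/tmp/httpd": "C", "/tmp/.update.c": "C", "/tmp/update": "C",
}
# Variant D opens ~500 connections at once; 100 is an assumed, conservative alarm level.
SYN_THRESHOLD = 100
# Matches `netstat -an` rows: proto, queues, local addr:port, remote addr:port, [state].
NETSTAT_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)")


def scan(netstat_lines, present_files):
    """Return {variant: [evidence, ...]} for every Slapper variant with a hit."""
    findings = {}
    syn_to_80 = 0
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header line or an unrelated socket type
        proto, _laddr, lport, _raddr, rport, state = m.groups()
        if proto == "udp" and int(lport) in SLAPPER_UDP_PORTS:
            variant = SLAPPER_UDP_PORTS[int(lport)]
            findings.setdefault(variant, []).append(f"udp listener on {lport}")
        elif proto == "tcp" and state == "SYN_SENT" and rport == "80":
            syn_to_80 += 1  # half-open outbound web connections = scanner load
    for path in present_files:
        if path in SLAPPER_FILES:
            findings.setdefault(SLAPPER_FILES[path], []).append(f"file {path}")
    if syn_to_80 >= SYN_THRESHOLD:
        findings.setdefault("D", []).append(f"{syn_to_80} half-open connections to port 80")
    return findings


# Constructed sample: one sshd listener, a Slapper.A backdoor socket and a burst of
# outbound SYN_SENT rows to port 80 such as variant D's scanner produces.
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "udp        0      0 0.0.0.0:2002            0.0.0.0:*",
] + [f"tcp        0      1 10.0.0.5:{40000 + i}  203.0.113.{i % 250 + 1}:80  SYN_SENT"
     for i in range(120)]
SAMPLE_FILES = ["/tmp/.bugtraq", "/tmp/.bugtraq.c", "/var/log/messages"]
```

On a real host, feed `scan()` the output of `netstat -an` split into lines and the full paths from a listing of /tmp; an empty result means none of the quoted indicators were seen.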

