
Is the Unix Community Worried About Worms?

Cliff posted about 13 years ago | from the if-it-can-happen-in-Redmond dept.


jaliathus asks: "While the Microsoft side of the computer world works overtime these days to fight worms, virii and other popular afflictions of NT, we in the Linux camp shouldn't be resting *too* much. After all, the concept of a worm similar to Code Red or Nimda could just as easily strike Linux ... it's as easy as finding a known hole and writing a program that exploits it, scans for more hosts and repeats. The only thing stopping it these days is Linux's smaller marketshare. (Worm propagation is one of those n squared problems). Especially if our goals of taking over the computing world are realized, Linux can and will be a prime target for the worm writers. What are we doing about it? Of course, admins should always keep up on the latest patches, but can we do anything about worms in the abstract sense?" Dispite the difficulties in starting a worm on a Unix clone, such a feat is still within the realm of possibility. Are there things that the Unix camp can be learning from Code Red and Nimbda?


516 comments


I hate you all! (-1)

cyborg_monkey (150790) | about 13 years ago | (#2331369)

Especially the fuckwit ACs. Burn in hell, motherfuckers!

Re:I hate you all! (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331381)

What you say?

Re:I hate you all! (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331391)

Awww... look at mackga's little bitch bark.

How cute.

Re:I hate you all! (-1)

cyborg_monkey (150790) | about 13 years ago | (#2331415)

Bring it on, bitch!

Re:I hate you all! (-1, Flamebait)

Anonymous Coward | about 13 years ago | (#2331454)

I think YOU'RE the bitch.

Admit it. You and mackga are butt-buddies both on- and off-line.

If you don't, I'll post pictures of you and him on the net. Having Malda in the gangbang picture is just a bonus.

Re:I hate you all! (-1)

cyborg_monkey (150790) | about 13 years ago | (#2331484)

Yeah, go ahead and post the pictures.

Re:I hate you all! (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331516)

Malda told me not to or he'll do something to my kneecaps.

Re:I hate you all! (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331416)

Get back to your journal.

Well... (0, Offtopic)

Scoria (264473) | about 13 years ago | (#2331382)

I'm waiting for someone to write a worm that's cross-platform and exploits just about everything.

That'd be a big worm, though. And it's about time that Microsoft stops hogging the worm marketshare!

What gives me the willies is... (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331520)

... cross-platform worm that gets through firewalls as an outlook e-mail attachment that some doofus opens up, and then starts poking around for weak unix servers behind the firewall, or just starts sniffing for passwords.

I think a lot of people think that just because their *nix box is behind the firewall it is safe from hacking, so they use telnet, have *s in /etc/exports, and unpatched sendmails and all that.

IIS Worm Update: 27192 probes from 713 different hosts

-- ac today

What to learn from M$ worms (1)

while(1)fork()0x42 (521209) | about 13 years ago | (#2331383)

Just say NO to closed-source products.

I had worms once (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331384)

But the vet gave me some pills.

WTF. (-1, Flamebait)

xmutex (191032) | about 13 years ago | (#2331386)

Are you trying to say there may be some sort of flaw or shortcoming of Linux?

You can't say those things around here. What's wrong with you?

With RMS around (-1)

Spootnik (518145) | about 13 years ago | (#2331492)

The Unix community should be worried about worms. When was the last time Richard Stallman changed underwear?

keep your code clean? (0, Troll)

mrsmalkav (33086) | about 13 years ago | (#2331389)

It seems like it would be a stupid answer to this question being as UNIX code is generally cleaner than Windows code. My understanding is that the hackers are just trying to exploit weaknesses. The best solution for that is to not have weakness. And if you do, fix it (patching, etc). It seems that most viruses are written for MS products (ie Outlook) anyway, but being as UNIX programs or opensource programs are pretty clean and tight, there's not that worry.

I don't think there really is anything to be done differently....

Re:keep your code clean? (0)

Anonymous Coward | about 13 years ago | (#2331426)

hackers are just trying to exploit weaknesses

Partially true.

They want to exploit weaknesses in popular software.

Contrary to the open source dogma, Microsoft software is not any weaker than open source software. However, because it's much more popular it also gets targeted more by the crackers and therefore also looks more vulnerable.

Re:keep your code clean? (-1, Flamebait)

davmct (195217) | about 13 years ago | (#2331483)

you're an idiot.

Re:keep your code clean? (-1)

Spootnik (518145) | about 13 years ago | (#2331512)

No he is right, Richard Stallman should take a shower once in a while.

Re:keep your code clean? (2, Informative)

GregK72 (43118) | about 13 years ago | (#2331550)

I think that people could probably find exploits in Apache, Sendmail, etc... probably a lot easier since they can scan the sourcecode. From what I have read though, most of these worms & virii are not very complicated and are using relatively easy to exploit holes in M$ products. Most of these holes exist since M$ is trying to make life easier on the user by doing work behind the scenes (such as automatically calling an IE dll to render an HTML email). As work continues on desktop environments such as GNOME and KDE, I think that it is not unreasonable to expect to see exploits in those products being used. But since M$ products dominate the desktop market, I expect to find most people writing worms&virii for M$ environments.

Linux has plenty of marketshare (2, Informative)

EllisDees (268037) | about 13 years ago | (#2331396)

The only thing stopping it these days is Linux's smaller marketshare.

What smaller marketshare? Check out the Netcraft [netcraft.com] survey if you don't believe me. I think better programming is the reason we aren't seeing any worms targeted at linux web servers.

Re:Linux has plenty of marketshare (0)

Anonymous Coward | about 13 years ago | (#2331439)

funny, do a search on that page and the word Linux is only there once - and has nothing to do with the surveys.

With something like 95% of consumer PCs being sold with windows, please quit kidding yourself that linux doesn't have a smaller marketshare.

Re:Linux has plenty of marketshare (1)

egon (29680) | about 13 years ago | (#2331479)

I think his point is that linux has a larger marketshare with regards to web servers (which appears to be the primary propagation method for this particular virus I believe).

Re:Linux has plenty of marketshare (0)

Anonymous Coward | about 13 years ago | (#2331489)

That's not important. We should be talking IIS Vs. Apache market share here.

Re:Linux has plenty of marketshare (1)

quartz (64169) | about 13 years ago | (#2331499)

That, and the fact that the average Apache admin is *way* more knowledgeable than your average IIS admin. I guess that's what you get when you market web servers under the "easy-to-use" paradigm: admins who know little else than where the "on/off" button is.

Re:Linux has plenty of marketshare (0)

Anonymous Coward | about 13 years ago | (#2331519)

Yes, check out netcraft.

http://www.netcraft.com/Survey/index-200106.html [netcraft.com]

Windows has 49% of the web SERVERS.

frequent distros - already 1 step ahead (1)

shibut (208631) | about 13 years ago | (#2331397)

By having many releases of Linux distros at various times, when you get the most recent version you are up to date on protection (whatever that may be). On the other hand, M$ does not bother to incorporate their patches in later CDs of their OS. For example, the Oct 2000 patch was not incorporated in a w2k/iis server sold this summer. It's only 9 months later...

Re:frequent distros - already 1 step ahead (1)

hal_mayned (471350) | about 13 years ago | (#2331463)

Why can't you just have a process monitor (perhaps like the freedom.net product) where you can set which programs can and can not access the internet, close unused ports, etc. If a program tried to disguise itself as an allowed program maybe even monitor for irregular internet usage activity by a program.

Grammar (0, Offtopic)

ugen (93902) | about 13 years ago | (#2331398)

Being a computer geek does not releive you of aneed to use good grammar. It's "dEspite"..

Re:Grammar (0)

Anonymous Coward | about 13 years ago | (#2331449)

You forgot a space in there grammar boy :)

Spelling (1)

Edgewize (262271) | about 13 years ago | (#2331457)

Being a computer geek does not releive you of aneed to use good grammar. It's "dEspite"..

Being a nitpicker does not relieve you of the need to spell properly (releive?), use correct spacing (aneed?), or punctuate correctly (is it . or ...?).

Re:Spelling (0)

Anonymous Coward | about 13 years ago | (#2331530)

Er ... and he was pointing out a spelling error, not a grammar error. YHBT.

Re:Grammar (-1, Offtopic)

Anonymous Coward | about 13 years ago | (#2331467)

yo retard. it's spelling, not grammar, that is the problem here. if you're gonna correct someone, get it right.

Re:Grammar (2)

Restil (31903) | about 13 years ago | (#2331475)

Its "relieve."

Its "a need."

ahem....

-Restil

Re:Grammar (0)

Anonymous Coward | about 13 years ago | (#2331481)

1. "Dispite" is not a grammatical error, it's a spelling error.
2. "releive" is a spelling error, "aneed" is a typographical error. Kettle black, glass houses, that sort of thing.
3. Who really cares? This is just a discussion board, not a formal paper or something.

Can't happen (0)

Anonymous Coward | about 13 years ago | (#2331399)

No one runs *nix as root.

Unless you have root, you can't do much damage to a system.

It's impossible to get root on a *nix system without permission, because it is designed that way.

Learning from Code Red? (4, Insightful)

Kaz Kylheku (1484) | about 13 years ago | (#2331400)

The UNIX world already had a worm that recursively exploited security holes and spread, back in 1988.

THAT was the worm to learn from, not Code Red!

by Robert Morris (2, Informative)

maddogsparky (202296) | about 13 years ago | (#2331461)

Yeah. It was the classic example that we studied in my Computer ethics class. Sounds sort of like the Nimda worm in that it had four different methods of spreading. The only thing that stopped it from being even worse than it could have been was a programming error that caused it to fill up memory and eventually cause the infected machine to crash.

something to remember (2, Informative)

CoreyG (208821) | about 13 years ago | (#2331403)

Worms aren't just a Microsoft thing. You should know(remember?) that the first worm ever written infected many *NIX systems (and the net in general) quite badly.

Holding back the worm (4, Funny)

Heem (448667) | about 13 years ago | (#2331404)

The only thing stopping it these days is Linux's smaller marketshare.

That, and the fact that MOST *nix users/admins tend to be a bunch of computer dorks, like us, and will be sure to stay up to date on security concerns, or at the very least, clean their system of the worm in a timely fashion.

Monoculture (3, Insightful)

fractalus (322043) | about 13 years ago | (#2331406)

Even if Linux gained market dominance, it wouldn't quite be the monoculture that Windows is. There are many distributions of Linux, which put important files in different places. This isn't insurmountable but it does make writing a worm capable of running rampant a wee bit harder.

Also, it's my experience that (for now) people who set up Linux to run on the net are a little bit more clueful than NT administrators. NT seems to encourage the idea that any moron can run it because it's point and click. This isn't true; it takes more work to effectively admin an NT box than a Linux box.

There have and will continue to be worms. Worms are most successful at any point of monoculture. (sendmail; bind; IIS) The solution, then, is not dominance... but diversity.

Open ports and executables (1)

shinji (34318) | about 13 years ago | (#2331407)

I for one close all ports that I don't need to be open. At work this means my linux box listens on zero ports. I don't execute code that people send me in emails (though no one sends me linux executable stuff, just MS Crap (people are wiser than that)). If I do open a port I update, update, update. 'nuff said. Most of these worms exploit known bugs that MS users haven't heard about but the patch has been out for months.

Re:Open ports and executables (0)

Anonymous Coward | about 13 years ago | (#2331535)

At work this means my linux box listens on zero ports.

wow, you must not do very interesting work.

Apt and cron (4, Informative)

Anonymous Coward | about 13 years ago | (#2331409)

Or any other form of auto-updater. Remember, Code Red and Nimda used holes that were patched months ago.

Patch the holes that are inevitable. Patch them early.

I'm confident (-1)

SpanishInquisition (127269) | about 13 years ago | (#2331412)

I'm sure that if enough open source developers set their mind to it, they can come up with better worms than those available for Windows, really it's just a question of time and resource but the open source development model will always come up with the best product in the end.

Lessons learned... (1)

Glock27 (446276) | about 13 years ago | (#2331413)

Are there things that the Unix camp can be learning from Code Red and Nimbda?

Certainly! First, that such worms affecting Microsoft servers are very good for Unix/Linux business! :-)

Secondly, that 'integrating' everything under the sun into the OS leads to security holes and maintenance problems.

Finally, that Open Source is better in terms of the actual number of security holes - which will certainly decrease over time (which is apparently not the case with Microsoft products).

186,282 mi/s...not just a good idea, its the law!

Nitpick (0)

Anonymous Coward | about 13 years ago | (#2331417)

Worm propagation is more of a Θ(2^n) problem, given an infinite pool of vulnerable, unaffected machines.
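A worked equation, added here and not part of the submission or of this reply, that puts the submitter's "n squared" and this reply's exponential growth into one model. It uses the standard susceptible-infected model with assumed symbols: $N$ vulnerable hosts, $I(t)$ of them infected at time $t$, $I_0 = I(0)$ the initial seed, and $\beta$ a constant per-host contact rate (a constant scanning rate with uniformly random target selection):

$$
\frac{dI}{dt} \;=\; \beta\, I(t)\,\frac{N - I(t)}{N}, \qquad I(0) = I_0 .
$$

While $I \ll N$ the second factor is close to $1$, so $dI/dt \approx \beta I$ and

$$
I(t) \;\approx\; I_0\, e^{\beta t},
$$

which is the exponential phase this reply refers to. Solving the full equation (it is the logistic equation) gives

$$
I(t) \;=\; \frac{N}{1 + \left(\dfrac{N}{I_0} - 1\right) e^{-\beta t}},
$$

so growth saturates at $N$. The "n squared" belongs to a different quantity: the product $I\,(N - I)$ counts infected-to-vulnerable pairs, the number of useful contacts at any instant, and it peaks at $N^2/4$ when half the pool is infected. For the defender the two factors that matter are $N$, which patching and closing unneeded ports shrink directly, and $\beta$, which sets how short the window before saturation is; a patch that lands after $I(t)$ has reached the steep part of the curve arrives too late for most of the pool.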

Nimbda? (1)

$eRvmanIO (302817) | about 13 years ago | (#2331418)

I thought it was Nimda....

Could blame the spellchecker, but admin spelled backwards? Come on....

the real culprits (1)

Tregod (441880) | about 13 years ago | (#2331419)

i dont believe we should be AS worried as all the windoze users out there. It's the *nix users who are creating the horrible virii (or so im guessing due to "elitist" status of many *nix users) of which windoze machines "just happened" to be susceptible to. we obviously should continue to keep security tight in case of future intrusions.

Yep, (0)

Anonymous Coward | about 13 years ago | (#2331420)

Don't run daemons that are known to have buffer overflows. Bind, sendmail, NFS, LPRng come to mind. If you must run them, research either replacements in bind's and sendmail's case (djbdns, qmail, postfix) or proper setup in NFS's and LPRng's case.

Further, don't run daemons that send a unix password in plain text over an untrusted network (ie the internet).

Finally, run a firewall to limit access if your box is on the internet or on a DMZ.

From earlier in the day... (2)

FortKnox (169099) | about 13 years ago | (#2331421)

Just read this [slashdot.org] and protect yourself.

This is a pretty pathetic ask/.

Lion (0)

Anonymous Coward | about 13 years ago | (#2331428)

UNIX/Linux has already been hit with worms. It's no more difficult. The Lion worm that affected bind a few months (9?) ago is a good example.

someone else will if I don't (1)

great throwdini (118430) | about 13 years ago | (#2331429)

Dispite the difficulties in starting a worm on a Unix clone, such a feat is still within the realm of possibility. Are there things that the Unix camp can be learning from Code Red and Nimbda?

Despite the difficulties in starting a worm on a Unix clone, such a feat remains possible. Are there things that the Unix camp can learn from the Code Red and Nimbda incidents?
Mod down if you wish, but I'm just doing my part to push Slashdot editors to improve themselves and their grammar. "Write-ups that are more concise, better grammar," I say.

Re:someone else will if I don't (0)

Anonymous Coward | about 13 years ago | (#2331552)

Nice work, but you failed to address the smugly arrogant tone.

same goes for virii.... (1)

pherthyl (445706) | about 13 years ago | (#2331431)

sure right now there are almost no linux virii but if it ever does gain widespread acceptance you can be sure the virus writers will target it...

There should be an antivirus program for linux... the only problem being, who wants to write a program that may never be used?
I suppose there would be enough time to write it when the viruses start appearing..

*nix is safe for now... (1)

superflex (318432) | about 13 years ago | (#2331432)

The answer is obvious. *nix admins don't need to worry because the people writing these things run *nix on their boxes, and they're not interested in screwing themselves over.

then again, perhaps i'm overestimating the self-preservation instincts of the script-kiddies

i'm gonna puke (0)

Anonymous Coward | about 13 years ago | (#2331435)

if I see one more person write virii instead of viruses. Virii is not a word!

Re:i'm gonna puke (0)

Anonymous Coward | about 13 years ago | (#2331447)

Virii is not a word

But you just used it in a sentence! :-)

uh... worms? (1)

Swaffs (470184) | about 13 years ago | (#2331437)

Not only does linux have a smaller market share, but there's also so many varieties and configurations that writing one that can attack a significant portion of that marketshare would seem quite difficult. Add to that that Linux users tend to be better informed on these things, and it's less likely to find vulnerable systems. Most importantly, any infected boxes would probably soon become obvious to the admin, and it would be fixed. There's really no excuse for Code Red to still be propagating.

It's worth noting.... (1)

pjbass (144318) | about 13 years ago | (#2331438)

that people who run different Unix platforms (Linux included) are typically more aware of potential security holes that their applications/OS may have. People usually are subscribed to CERT's mailing list, and although the advisories come out after the initial uncovering of a worm/virus/exploit, the people who take care of these boxes have a good idea of what's installed on their boxes, and know where to look for more proactive administration. I think a big reason why Microsoft software is a target that seems to be much more affected (not only that it is a bigger market-segment share) is that its users are normal users, not your everyday 1337 user, so they will not necessarily know what's wrong with their system (let alone what's installed) until something bad happens to their system. So I'm not sure it's a question of are we vulnerable in the Unix world, but the question should be, how much more aware are we in the Unix world OF potential exploits, or even how much less aware might we be?

/pj

Sweet Revenge (1)

WildBeast (189336) | about 13 years ago | (#2331448)

Security is only an illusion, we can't be 100% secure without sacrificing our privacy and/or comfort; even then that won't guarantee our security. Ask yourself this, is it easier to destroy or to create?

I say we should do the same thing as U.S. does with terrorists. Find the worm writers and beat them to a pulp. We'll make them our bitch.

More than I was last week, but not terribly so (1)

barzok (26681) | about 13 years ago | (#2331451)

I don't think anyone can say in all honesty that they aren't more concerned about it. But I also feel fairly safe as I keep a minimum of ports open and I don't screw around with software I suspect to be unsafe. Nor do I just run anything someone sends to me.

It's hard to not be "one of those smug Linux geeks" this week. However, my Linux- FreeBSD-lovin' friends, our day will come if we don't keep watching out for ourselves. Keep your eyes open and your ports closed.

I'd like to see 'White Hat' worms... (2)

ddstreet (49825) | about 13 years ago | (#2331453)

What I think would be interesting is a Linux worm that used a security hole to get into a box, then closed the security hole, then propagated to other boxes, and finally uninstalled itself. Maybe also left a message or email on the box stating that it's fixed the box's security hole...;-)

Unfortunately, doing constructive work (i.e., fixing the security hole) is always more difficult than doing destructive work (e.g., rm -rf /). But worm/virus writers seem to have plenty of time on their hands...

Re:I'd like to see 'White Hat' worms... (0)

Anonymous Coward | about 13 years ago | (#2331482)

being hit by a "white hat" worm wouldn't make me feel any better than being hit by a "black hat" worm. either way, my box has been compromised. sure, the white worm was nice enough to let me know, but i probably would've found out anyway. either way, it means i'm reinstalling the os.

Despite .... not "Dispite" (0)

Anonymous Coward | about 13 years ago | (#2331455)

Dont spite me ...

Smaller market share? (2)

rw2 (17419) | about 13 years ago | (#2331456)

The only thing stopping it these days is Linux's smaller marketshare.

I thought apache had a majority share of the web server market. One that has been hit by worms, and those worm writers usually choose IIS despite its smaller market share.

It could be because IIS has more exploits...

Re:Smaller market share? (1)

Mr. Sketch (111112) | about 13 years ago | (#2331533)

Not to be nitpicky, but Apache runs on Windows too. But you're right that IIS definitely has more exploits, which would make it a better target despite its smaller market share.

Re:Smaller market share? (0)

Anonymous Coward | about 13 years ago | (#2331554)

No, Apache has a smaller share of servers. They have a larger share of host names. Remember, more than one host name can be run on a single instance of a server.

tail -f error_log (0)

Anonymous Coward | about 13 years ago | (#2331465)

yes it affects us Linux people!!!!!

Ignorant Question: (3)

rkent (73434) | about 13 years ago | (#2331466)

Okay, here I go, proving my lack of server programming skilz: is it really so hard to prevent buffer overflows? Why does the length of a URL (for example) ever cause a server to crash?

It seems like every time you get input from the outside, you would only accept it in segments of a known length, and whatever was longer would just wait for the next "get" or whatever. At least this is the case in my (obviously limited) socket programming experience. So when some program is hit with a buffer overflow error, does the team of programmers smack their collective head and say "d'oh"?

Re:Ignorant Question: (1)

valdis (160799) | about 13 years ago | (#2331543)

Yes, they smack their collective head and say "d'oh".

Remember - it's usually NOT the URL itself that causes the problem - it's when you start parsing it down, and you look for a '~username' to expand in a URL, and of COURSE since usernames are 8 chars or less, you have a 'char username[8];' declaration...

(and yes, there's an OBVIOUS bug in the example, the fact that you can be passed a username over 8 chars, and a SUBTLE bug too, left as an exercise for the reader.)
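The `char username[8]` pattern above, as an added example that is not code from valdis's post: the unbounded copy the post describes, kept only for comparison, next to a bounded parser that rejects oversized or malformed names before it writes a single byte. The 8-character limit, the `~user/` path shape and the function names are assumptions for this illustration. One candidate for the subtle bug the post leaves open is that even an exactly-8-character name needs a ninth byte for the terminating NUL, which an 8-byte array does not have.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption carried over from the post: usernames are at most 8 characters.
   A buffer that receives one therefore needs 8 + 1 bytes, because the
   terminating NUL is not one of the 8. */
#define USERNAME_MAX 8

/* The pattern the post describes, kept only for comparison. Never call it with
   untrusted input: nothing bounds 'i', so "~" followed by 20 characters writes
   past the end of an 8-byte array (the obvious bug), and even a name of exactly
   8 characters stores its NUL at username[8], one byte past the end (the
   subtle, off-by-one bug). */
void expand_tilde_user_unsafe(const char *path, char username[USERNAME_MAX])
{
    const char *p = path + 1;          /* skip the '~' */
    size_t i = 0;
    while (p[i] != '\0' && p[i] != '/') {
        username[i] = p[i];            /* no check that i < 8 */
        i++;
    }
    username[i] = '\0';                /* i == 8 is already out of bounds */
}

/* Bounded version: returns 0 and fills 'out' (which must hold at least
   USERNAME_MAX + 1 bytes) on success, -1 on any malformed or oversized input.
   Length and character set are checked before anything is copied, so there is
   no path on which 'out' is written past its end. */
int parse_tilde_user(const char *path, char *out, size_t outsz)
{
    if (path == NULL || out == NULL || outsz < USERNAME_MAX + 1)
        return -1;                      /* caller's buffer too small to be safe */
    if (path[0] != '~')
        return -1;                      /* not a ~user path at all */

    const char *p = path + 1;
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '/') {
        unsigned char c = (unsigned char)p[n];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;                  /* reject before copying anything */
        if (++n > USERNAME_MAX)
            return -1;                  /* longer than the policy allows */
    }
    if (n == 0)
        return -1;                      /* "~" or "~/..." with no name */

    memcpy(out, p, n);
    out[n] = '\0';                      /* n <= USERNAME_MAX, so out[n] is within outsz */
    return 0;
}

/* 1 if 'path' parses to exactly 'expected', 0 if rejected or different. */
int tilde_user_is(const char *path, const char *expected)
{
    char buf[USERNAME_MAX + 1];
    if (parse_tilde_user(path, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* 1 if the parser rejects 'path', 0 if it accepts it. */
int tilde_user_rejected(const char *path)
{
    char buf[USERNAME_MAX + 1];
    return parse_tilde_user(path, buf, sizeof buf) != 0;
}

int main(void)
{
    /* Constructed sample paths, including the 9-character name that the
       unbounded version would have written past the end of its array. */
    const char *samples[] = {
        "~alice/index.html", "~abcdefgh/", "~abcdefghi/", "~/x", "~al ice/", "index.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[USERNAME_MAX + 1];
        int rc = parse_tilde_user(samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The hardened parser rejects rather than truncates: silently cutting a name to 8 characters would map a request for one account onto another, which is a different bug from the overflow but still one a server should not have.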

Subtle bug? (2)

dschuetz (10924) | about 13 years ago | (#2331572)

Is it that the username might be 8 unicode (or other multi-byte format) characters?

Just a quick hunch...

It's the MCSE's fault (1)

alen (225700) | about 13 years ago | (#2331468)

Back in ancient Persia they would tie someone to a boat and pour honey on his stomach. They would also leave some meat. And add the maggots and other cute little lifeforms. In the space of a few weeks they would eat the victim alive.

That's one way to solve the problem.

Been there, on UNIX (1)

Lish (95509) | about 13 years ago | (#2331469)

Worms are not a new phenomenon [google.com]. What new can we learn from Code Red et al that we shouldn't have learned already? The lesson, as always, to sysadmins is basically, keep your patches up to date; to developers, don't write buggy code. (Particularly code with silly errors like buffer overflows. C'mon, folks, bounds checking!)

Yes, I know it's not really that simple, but in many ways, it is.

Re:Been there, on UNIX (1, Funny)

Anonymous Coward | about 13 years ago | (#2331573)

As a developer, I thank you! All this time I've been writing deliberately buggy code, never imagining that it might cause problems.

Find a *root* identitied server. (2)

DunbarTheInept (764) | about 13 years ago | (#2331470)

To really make a worm mess people up, it needs to get root access. That fact alone is enough to make Apache more secure than IIS, due to the fact that unless you're an idiot you run your Apache servers as a non-root user. And even if you're an idiot there's still a good chance you are running your server as 'nobody' anyway, since that's the default installation setting. You would have to be a very special sort of idiot, the kind that goes out of his way to do idiotic things on purpose, in order to be running Apache as root.

Now, this doesn't alleviate all the problems of course, because even with "normal user" access a person can still do some damage. The web pages are probably owned by that normal user, so with normal access a person could alter your content. The normal user could set up cron jobs for himself such that he attacks other machines later, and thus you can still get propagation without root. So this still leaves open the possibility of having DNS attacks (since being a part of the attack doesn't require root privileges, just any user will do.) But it doesn't really leave any way to mess up the target machine permanently. You couldn't alter the httpd program, for example, since it isn't owned by the same user as the user ID it runs under.

At worst, you lose the web pages themselves, but most likely you have those copied over from some other location as part of your "I'm going to edit in a scratch area and then install these changes for real after I try them out" technique.

Speaking of Microsoft: (1)

bribecka (176328) | about 13 years ago | (#2331471)

Microsoft has delayed the XBox. [yahoo.com]

I submitted this as a story but apparently it's not juicy enough (rejected).

Re:Speaking of Microsoft: (0)

Anonymous Coward | about 13 years ago | (#2331509)

Finally, some news from the Xbox camp. When I saw the gamecube launched I was wondering what ever happened to this thing. Poor Microsoft, their whole strategy was to get it in the hands of consumers before the game cube did. They were talking about a delay a few months ago, no doubt some sort of software bug. Can't wait to find out what I get for Christmas this year.

Is Linux hard to infect for binary worms (0)

Anonymous Coward | about 13 years ago | (#2331474)

A question to the experts:

Since there are so many different distributions of Linux compiled with different versions of gcc, different optimization flags, etc., does this make life hard for "binary only" worms? The thinking being that to exploit a garden variety buffer overrun in a controlled way, one probably needs a highly specialized worm code. So even if the same version of some vulnerable software is installed on different Linux distributions, one may be attacked by a particular instance of a worm, while the other one is not. Or that a hand-compiled version of a critical piece of software is less likely to be infected by a worm, provided some non-standard compiler settings are chosen?

Is this a significant effect which limits the spread of worms on Linux?

Microsoft vs Linux (2)

josepha48 (13953) | about 13 years ago | (#2331476)

I think the big difference here is that most people at some point in the Linux community start to look at security as part of the system, not like Microsoft where security is only now being thought of.

Lets face it Linux comes and has come with ipchains and now iptables for firewalling and many other UNIX flavors have similar features. Linux and the UNIX community think about things like proxy firewall combinations, where Windows is only now starting to think about this. It is not until the release of XP (or the anticipated release as it is not out) that windows is by default including a firewall.

People in the unix community also tend to be more aware of what is going on on their system. They have logs and there are tools to view them.

While I do not dismiss the possibility that if Linux / UNIX got to be as popular as windows then there would be more 'attempts' I think that because of the nature of Linux you would have a much harder time of spreading a worm like code red.

A good UNIX administrator is going to spend time in configuring his web server and securing it. If they do not think about this then they are no good.

If you are wondering how secure your computer is, try these two sites. They'll help, but don't try this at work or you may piss off your admins. https://grc.com/x/ne.dll?bh0bkyd2 or http://scan.sygatetech.com/

What's the next step for UNIX security? (2)

melquiades (314628) | about 13 years ago | (#2331486)

Certainly the robust UNIX security model is one reason we haven't seen as many worms. The strategy of creating a separate "www" or "http" user to run Apache, a "db" user for the database, etc., is common and very wise. If somebody co-opts your web server, at least it can't wipe your db. It still has weaknesses -- it's sometimes necessary to grant more permission to certain users/processes than you might like, and it requires a lot of vigilance from sysadmins, but it works quite well.

I wonder if there isn't a way of generalizing this to allow more sweeping, more generalized expressions of security rules. A UNIX install has soooo many little apps, and so many points of contact for everything, it's sometimes hard to say "I want all apps that could access X to have permissions Y, or go through access point Z." TCP wrappers are a good example of the kind of thing I'm talking about -- they provide a single point of access and control for all things TCP, and they make it much easier to set up very broad rules that you know cover all possible cases.

Am I making any sense here? How might an OS take on this issue in the general case? It seems like one next logical step for UNIX security.
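The ownership argument in DunbarTheInept's post ("you couldn't alter the httpd program, since it isn't owned by the user ID it runs under") and the per-service users in melquiades's post, as one added example that is neither poster's code: it models the classic Unix write-permission rule over a constructed file layout, counts what a compromised server user could modify in the layout as posted (content owned by the service user) and in a hardened one (content owned by a separate editing account), and shows the privilege drop a root-started daemon performs to become that unprivileged user. The uids 33 and 1000, the paths and the modes are constructed for the illustration, and supplementary groups and ACLs are left out of the model.

```c
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed metadata for one file: who owns it and its permission bits. */
struct file_meta {
    const char *path;
    uid_t uid;
    gid_t gid;
    mode_t mode;
};

/* Classic Unix write-permission rule, simplified to the primary group (real
   kernels also consult supplementary groups and, where present, ACLs):
   uid 0 may always write; the owner is judged by the owner bits only; a member
   of the file's group by the group bits only; everyone else by the "other"
   bits. Exactly one set is consulted, in that order. */
int may_write(uid_t uid, gid_t gid, const struct file_meta *f)
{
    if (uid == 0)
        return 1;
    if (uid == f->uid)
        return (f->mode & S_IWUSR) != 0;
    if (gid == f->gid)
        return (f->mode & S_IWGRP) != 0;
    return (f->mode & S_IWOTH) != 0;
}

/* Count how many of 'n' files the (uid, gid) pair could modify. */
int writable_count(uid_t uid, gid_t gid, const struct file_meta *files, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        count += may_write(uid, gid, &files[i]);
    return count;
}

/* Assumed uids for the scenario: the web server's unprivileged user and a
   separate account that owns the published content. */
#define WWW_UID  33
#define WWW_GID  33
#define EDIT_UID 1000
#define EDIT_GID 1000

/* Layout as the post describes it: root owns the server binary and its config,
   but the content is owned by the same user the server runs as. */
static const struct file_meta site_as_posted[] = {
    {"/usr/sbin/httpd",          0,       0,       0755},
    {"/etc/httpd/httpd.conf",    0,       0,       0644},
    {"/var/www/html/index.html", WWW_UID, WWW_GID, 0644},
};

/* Hardened layout: content belongs to a separate editing account, and the
   server user only needs the read bit in the "other" set. */
static const struct file_meta site_hardened[] = {
    {"/usr/sbin/httpd",          0,        0,        0755},
    {"/etc/httpd/httpd.conf",    0,        0,        0644},
    {"/var/www/html/index.html", EDIT_UID, EDIT_GID, 0644},
};

#define LEN(a) (sizeof (a) / sizeof (a)[0])

/* The privilege drop a root-started daemon performs before serving requests.
   Order matters: supplementary groups first, then gid, then uid, because once
   the uid is non-root the earlier calls would fail. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    if (setuid(0) == 0)          return -1;   /* regaining root must now fail */
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void)
{
    printf("as posted: www user can modify %d of %zu files\n",
           writable_count(WWW_UID, WWW_GID, site_as_posted, LEN(site_as_posted)),
           LEN(site_as_posted));
    printf("hardened : www user can modify %d of %zu files\n",
           writable_count(WWW_UID, WWW_GID, site_hardened, LEN(site_hardened)),
           LEN(site_hardened));
    printf("root     : can modify %d of %zu files\n",
           writable_count(0, 0, site_hardened, LEN(site_hardened)), LEN(site_hardened));
    if (geteuid() == 0)   /* only meaningful when started as root */
        printf("drop to %d:%d -> %s\n", WWW_UID, WWW_GID,
               drop_privileges(WWW_UID, WWW_GID) == 0 ? "ok" : "failed");
    return 0;
}
```

In the layout as posted the service user can rewrite the one file it owns, the content, which is exactly the defacement the post allows for; in the hardened layout it can rewrite nothing, and either way the root-owned binary and config are out of reach, which is the property that keeps a non-root compromise from becoming permanent.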

The real reason. (2)

TheNecromancer (179644) | about 13 years ago | (#2331487)

Microsoft systems are more susceptible to worms (IMHO) because the level of computer knowledge is way higher for Unix users than it is for Microsoft users. I mean this sincerely, and not just as flamebait.

Consider how many Unix users would actually just open their emails and run attachments blindly. I would venture that there are a ton more Microsoft users that actually do just that!

There are security problems on *nix boxes... (1)

nite_warrior (151737) | about 13 years ago | (#2331503)

there have been worms exploiting *nix boxes, I think that the biggest difference is that running a *nix box u HAVE TO KNOW WHAT U DOING, not like Windows systems where u just mark a couple of checkboxes to make a system secure. Unix lets u specify exactly which services the computer will be offering on a network, and as long as u keep those services secure u do a lot for the security of the system. If u leave unused ports open u can become a target of some exploit...

Also, most of the sys admins in the *nix world are reading about security issues related to their systems to protect them, while a lot of the sys admins of Windows systems (at least the ones I know) don't do it...

Being worried on ur system and the way it is working is a big thing on Unix world.

difficulties? (2)

friscolr (124774) | about 13 years ago | (#2331507)

Despite the difficulties in starting a worm on a Unix clone, such a feat is still within the realm of possibility. Are there things that the Unix camp can be learning from Code Red and Nimbda?

what difficulties?

whenever an inexperienced user brings up a redhat 7.0 or lower box on our network, it is exploited within 12 hours. within 24 hours i have received email from admins on other networks informing me that the redhat box has been probing their network. 1 minute later i have informed yet another user that it takes more to do my job than booting off of cd and following instructions on the screen.

someone out there has already taken advantage of the various vulnerabilities found in older distros.

lessons learned? i am reminded of something my brother told me:

Having your own box appeals to the pioneer spirit: your own plot of land to develop as you please, fighting off the savages, protecting from the elements.

In other words, every time you run software which other people will somehow have access to (users running desktop software, server software connected to the internet, etc.) you will need to constantly monitor and upgrade that software.

The Morris Worm (2)

Prof_Dagoski (142697) | about 13 years ago | (#2331510)

Let's not forget that what was probably the first worm, the Morris Worm, was released on Unix machines. I don't remember the year, but it was in the early days of the Internet when about all there was out there was Unix and VMS. The lesson that the Unix community took away from this and other incidents was that they needed to secure their machines and tighten up code. The point here is that no system is immune. When I first started out in the Internet field, almost all attacks were launched against Unix and VMS machines because that's about all that was hooked up to the Net on a constant basis. So, don't get smug just because Microsoft is victimized today. After MS dies a fiery death, something else will become the dominant system on the net and that will be the most attacked system.

Are you saying MS is first? (0)

Anonymous Coward | about 13 years ago | (#2331511)

Do you really think Microsoft OSs are the first to encounter a worm? They've been around longer than Microsoft. And why would it be any harder to infect a Linux box? Unless you're referring to a) the general lack of functionality and robustness and b) the fact that it's mostly techno geeks running Linux who are a bit more educated on internals and security than the average Windows user (they have to be in order to get anything to work). If you're counting those 2 points, then yes, it might be easier.

too many script kiddies... (1)

akira2001 (138064) | about 13 years ago | (#2331513)

basically, back in the day worms only affected UNIX systems because they were pretty much the only systems that were networked and multi-user. Hence, you could write a worm on a major UNIX system and its effects could be felt by all the users on that system. These worms took knowledge of UNIX and usually programming in C. Today's script kiddies are "writing" viruses using virus generation programs to dump out a lame vbscript to affect Outlook users. I think many of the older "hackers" have lost interest in the whole scene or have gone out and gotten high paying software jobs. The major reason for this is because the original worms were written by hackers to show off & display weaknesses in UNIX systems. Now, script kiddies write viruses to show off, but also to cause damage to tons of people. It takes a great deal less skill to point out the weaknesses in Windows ... it's just not built for security by design, it's built for usability.

Why is open source more virus-secure? (1)

skuzzlebutt (177224) | about 13 years ago | (#2331515)

Maybe I'm a little slow, but I don't understand fully how open source development tools, peer-review, and the like can IN AND OF THEMSELVES keep a system safe(r) from virii... What is it about Apache that keeps it from getting attacked as much as IIS (besides just poor code and built-in backdoors, and the fact that people just want to screw with MS)? I'm sure Apache has its holes yet to be exploited, too

...wouldn't the actual OS security features be the biggest factor (i.e., forced logins and priv levels vs. global access for all)?

Can someone explain this in terms that a retard like me can understand?

Re:Why is open source more virus-secure? (1)

WildBeast (189336) | about 13 years ago | (#2331537)

yet to be exploited? Don't you remember when apache.org got cracked?

Re:Why is open source more virus-secure? (1)

skuzzlebutt (177224) | about 13 years ago | (#2331541)

Yeah, but I mean new (undiscovered) holes that get hammered on the CodeRed level...

WTF -- does anyone here have a memory? (0)

Anonymous Coward | about 13 years ago | (#2331517)

Remember the Ramen worm? So, yes, it is more than a possibility.

Thankfully I trust Apache more than I trust IIS. Also the marketshare thing does help and the fact that Red Hat now disables every network service by default helps. We are safer but by no means in the clear. We just have to keep our eyes open and our systems patched.

Why is this difficult? (1)

Billy Bo Bob (87919) | about 13 years ago | (#2331528)

I fail to see why so many believe this is difficult. There are several well documented holes in common Linux services that -- although patches exist -- almost certainly exist in a large number of systems. Several give plenty enough access to be able to write automated entry/replicate code that works. Just examine some of the honey pot projects to see how fast a Linux machine will get hacked (in a few cases hours after deployment).

I suspect the lack of worms is:

  • Lack of interest on the virus/worm writers' part. Windows is more fun (to crack).
  • Poorer food source. Let's face it, @home is just chock full of win machines which are unpatched; you will have much more successful propagation with windows machines

It could happen... (2)

Greyfox (87712) | about 13 years ago | (#2331540)

God knows there are enough newbie sysadmins who feel that even though 30 years of sysadmin wisdom says never run as root, they feel they can because they understand the risks involved. They typically also give all their friends accounts on their system (Ooh! I have a multiuser OS! I'll give all my friends accounts!) Usually they stop doing that after the second or third time they get compromised and have their hard drives filled up with goat porn.

Fortunately the default installs of most of the mainstream distributions are getting more secure as time goes by. And while RedHat traditionally isn't quite as easy to set auto-updating up for as Debian is, it's still pretty easy to keep up with the security patches for it. I'd really like to see the package maintainers package at least some of the more traditionally insecure packages (*Cough*Bind*Cough*) in ultra-paranoid configurations, say, statically compiled and chrooted. It hasn't been enough of an irritation for me to go do it myself though.

We all pretty well know, though, that security is more what the user does with the OS rather than how inherently "secure" the OS is out of the box. FreeBSD is by reputation one of the most secure OSes available but I could take that thing and install a bunch of servers with holes in them and be no better off than if I was running Windows 2000 doing the same thing.

Smaller marketshare??? (1)

MS (18681) | about 13 years ago | (#2331548)

The only thing stopping it these days is Linux's smaller marketshare

If I recall correctly, Linux' marketshare among webservers is around 40% (Apache has 61%), while Windows' is around 25%. Considering that worms spread among servers, and that among the top webservers there are lots of Linux but barely Windows, worms "should" spread much easier under Linux/Apache than under NT/IIS.

Several studies from Netcraft to Securityspace show that neither IIS as webserver nor NT as OS is the most popular among Internet servers.

ms

I send you this tarball... (1)

Scratch-O-Matic (245992) | about 13 years ago | (#2331559)

Hello. How are you?

I send you this tarball in order to have your opinion.

Bad Comparison (2)

gad_zuki! (70830) | about 13 years ago | (#2331560)

If someone goes through the trouble of downloading/buying Linux and setting it up as a public server they're probably a lot more computer literate than most Windows users. They certainly would understand the need for patches and probably read some kind of Linux news site to keep up.

Now if Linux had windows' market share, it would have to come pre-installed with a new PC and not require the user to do much more than just use the GUI. Which is fine as far as I'm concerned, but we can also assume a Linux dominated universe would be full of unpatched servers too.

Maybe untreated Windows exploits are heading toward extinction. It's easy access to the internet that has created such a huge market for anti-virus software. Maybe we'll start seeing Windows shipping with an MS or a third party patch manager in the near future. Or something like NAV with a patch checker. "No viruses found, you are open to these attacks, please go to this URL to download the patches."

linux can only get worse (0)

Anonymous Coward | about 13 years ago | (#2331562)

linux has got the market share of smart users. now it must expand and get stupid ppl to use it too. this means the new wave of linux admins will be dumb ass ppl who don't know how to sort their boxes out and worms will also infest linux as well so that we will also look like stupid windows users just cos we use linux because of these dumb ass ppl.

Hard to create a Unix worm??? (2)

sterno (16320) | about 13 years ago | (#2331563)

Why do you think it's harder to create a *nix worm? I mean the basic principles of worm propagation work under any platform if there are any security holes. Certainly *nix does occasionally suffer from security vulnerabilities, if perhaps less than Windows. Look at the ramen worm that was going around recently. I STILL get scans on my box for that vulnerability. Certainly the scale is less dramatic because of the fewer *nix systems out there, but it's not like writing a worm for unix is somehow more difficult than for windows.

VERY Concerned (1, Informative)

MadCamel (193459) | about 13 years ago | (#2331564)

I am very concerned about UNIX/Linux worms. Not only is it possible, but it is probable. As much as I dislike Microsoft, they DO release security fixes for their products, usually before a worm is written to exploit the vulnerabilities. The same goes for Linux, BSD, and any other actively maintained operating system. So why are these worms causing so much trouble? Because the average user has no idea how their OS works, and no clue about security. With the recent advancements in user-friendliness, the same thing goes for Linux too. For example, the statd worm family, which had rooted every insecure RedHat machine in 24.*.. With matters like this, it is not the OS that matters. It is the user/admin of the OS being clueless about security. Until users learn how to apply security patches, and learn to keep up with the latest security news, these things will be commonplace. I sincerely hope that this recent outbreak of particularly nasty worms will get more users and admins interested in keeping their machines secure.

Attn: Cliff. (-1)

medicthree (125112) | about 13 years ago | (#2331567)

It's not NIMBDA, it's NIMDA. Are you getting paid to do this, or what? My god, If I were to turn in a report as sloppy as the posts by many ./ admins, I'd be canned in a day.

There have already been some Linux worms (1)

Chibi (232518) | about 13 years ago | (#2331575)

There have already been a few Linux worms:

  • Ramen worm [cnet.com] - sucks up lots of bandwidth by doing network scans and changes the main page on web servers. (January 2001)
  • Adore worm [cnet.com] - Replaces ps with another program that would list all processes except for the worm. Then it would e-mail "several key system files" to some e-mail addresses. (April 2001)
  • Lion worm [cnet.com] - attacked computers running BIND. (March 2001)
One thing pointed out in most of the cases is that there had been patches out for at least a few months that would have protected the computers from attack (just like Nimda). It just goes to show that it isn't just Windows admins/users who don't keep up-to-date on security.
