LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-18-2007, 09:30 AM   #31
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67

Quote:
Originally Posted by kstan View Post
If I'm not mistaken a script in windows 'format c:\' will detect by antivirus, and I't consider as viruses.
Windows will not detect 'format c:\' as a virus. If you write a batch file that says format c:\ it is no different from opening a command prompt and typing format c:\. The anti-virus does not know the difference from the 2. They both start a command shell then execute the command 'format c:\'. They are identical. The truth is that they are not viruses and will never be considered viruses. the only way on windows to stop that is to create a GPO that denies running batch files.
 
Old 09-18-2007, 11:52 AM   #32
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by slimm609 View Post
Windows will not detect 'format c:\' as a virus. If you write a batch file that says format c:\ it is no different from opening a command prompt and typing format c:\. The anti-virus does not know the difference from the 2. They both start a command shell then execute the command 'format c:\'. They are identical. The truth is that they are not viruses and will never be considered viruses. the only way on windows to stop that is to create a GPO that denies running batch files.
I can't sure whether windows won't detect format c:\ as viruses or not, because I don't try it before. Let say we have a vb6 program which will call a shell function and run 'shell "format c:\"' . If I'm not mistaken this will detect by the antivirus(Which i read from somewhere else). The antivirus company can't simply say "Ops, this is not my fault, this is a command, not a virus, you run it and I should not detect it, because it is a shell command". Don't you think it silly and funny? I hope I can have a try about it when my laptop is ready (Recently I'd swap my laptop and I still not yet setup my winxp guest os). Of course, I don't want to find a fire fighting but just want to say the realistics.

For newer antivirus strategy, base on virus pattern is it sufficient? Same viruses can have few pattern or version, but they maybe target for same purpose. NOD32 is most intelligent antivirus and it able to detect new viruses which been or never apear before, because it use another way to recognize viruses. Using virus pattern probably an older ideal and too many kind of pattern can cause over kill, performance drop and the worst thing is, it is not way to stop it.

Back to origin, if we say a program which plant in 'rm -rf ~/' shell command is not viruses. Again, assume it is openoffice.org 3.0 (I just know that 2.3 come out already ), then what you will call it?

I bet you won't say it is trojan, spyware, worms right?

Anyway, win32sux had show me some Linux malware from clamav side, but 118 hit of the malware, how many of it you consider as virus(From the name itself, found that some of them is back door, some of them is exploit hacking tool, and etc kind of worm which I don't know at all what is this)? For myself all is, why because it hurt me.

Regards,
Ks

Last edited by kstan; 09-18-2007 at 12:05 PM.
 
Old 09-18-2007, 12:29 PM   #33
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by kstan View Post
Back to origin, if we say a program which plant in 'rm -rf ~/' shell command is not viruses. Again, assume it is openoffice.org 3.0 (I just know that 2.3 come out already ), then what you will call it?
Honestly, I'm not sure what I would call it. Perhaps I would call the source code something like "evil code" or maybe "rogue code" or something. If the "rm -fr /" wasn't intentionally put there by the OpenOffice.org people (like if it was put there by a cracker who managed to modify the code) perhaps I'd call it "poisoned code". I really don't know.

Quote:
Anyway, win32sux had show me some Linux malware from clamav side, but 118 hit of the malware, how many of it you consider as virus
I don't know, and I don't really see myself losing any sleep wondering about it. Seriously, why does it matter so much to you? As has been said before, when it comes to security, you have SO MUCH MORE to worry about than viruses.

Quote:
From the name itself, found that some of them is back door, some of them is exploit hacking tool, and etc
Yes, I think it's great that ClamAV detects many kinds of malware.

Last edited by win32sux; 09-18-2007 at 12:52 PM.
 
Old 09-18-2007, 05:52 PM   #34
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
I think that as long as you maintain good security practices(not running as root, using only trusted sources, keep up with updates etc.) it is unlikely that you will get a virus
 
Old 09-18-2007, 07:49 PM   #35
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by win32sux
Seriously, why does it matter so much to you? As has been said before, when it comes to security, you have SO MUCH MORE to worry about than viruses.
As I mentioned previously, maintaining good security practices sacrify some productivity, and some more a lot of Linux user won't know there is some "Poison code" inside a program(Another example, awe need to install 3rd party hardware driver from 3rd party website, the driver of course install in 'kernel').
Why I care it? If saw the problem I bring out the problem. See everybody comment and feed back is it really a problem. Debate is a way for us to know it(Lucky because I can debate with you).


Quote:
Originally Posted by AceofSpades19 View Post
I think that as long as you maintain good security practices(not running as root, using only trusted sources, keep up with updates etc.) it is unlikely that you will get a virus
That's a problem. Don't you think you need to sacrifice many time and wait so long. Compiling it from source code is make sense if you know how to.

As a simple example, you playing web designing. You need to make sure your website compatible with ie, firefox, opera and etc. Probably ie4linux is a cooltool for you because it help you and safe a lot of time. However it is up to you whether you trust him or not right? If you trust him, you will install and run it. If you know they cannot be trust, what happend with you? You will take time to install wine, take time to configure wine(assume winedoor not yet assist before, because during I play it wine door really not yet exist), download installer, run the installer, download ie6, download flash plugin and etc. A simple job become complicated and time consuming.

I agree Linux is great, but I think it really need some realtime scan engine (thanks win32sucks had point out the clamav alternative) to get ready for Linux virus+antivirus war. No matter we want to run a program, install a program, or open a document, it should be checked by antivirus.

Regards,
Ks

Last edited by kstan; 09-19-2007 at 01:23 AM.
 
Old 09-19-2007, 08:30 AM   #36
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by kstan View Post
a lot of Linux user won't know there is some "Poison code" inside a program
Good point. Of course, this is true on any OS. How could we know whether or not there is poison code inside Windows, for example? Open source OSes like GNU/Linux do, however, have an advantage over their closed-source/proprietary counterparts in this respect. The code is available for peer-review, and at least for the critical/popular programs, this has a HUGE impact. Closed-source programs don't have access to the huge, worldwide, human-powered, distributed source code auditing system. And it's a shame, because the system works very well. Just look at the number of security fixes that are contributed to open-source projects by volunteers from around the world every single day.

It sounds to me like you want some sort of tool that will absolutely guarantee that there are no security problems with a particular program. I wish there was such a tool also, but their isn't. It does not currently exist on any OS, and I'm not sure if it will ever exist either. Hence, we do what we can. Typically this will mean our own personalized mix between tools, policies, and procedures - as does pretty much anything security-related. And once we've exhausted all of our methods, we will come to rely on the aspect of software development which we should never take out of the equation: trust.

Quote:
Why I care it? If saw the problem I bring out the problem. See everybody comment and feed back is it really a problem. Debate is a way for us to know it(Lucky because I can debate with you
Well, I think it's really great that you know how to have a civil discussion. Linux virus threads have a tendency to bring-out the worst in many people, and they are known to be very suceptible to the flame war phenomenon.

Quote:
That's a problem. Don't you think you need to sacrifice many time and wait so long. Compiling it from source code is make sense if you know how to.
Trusted source refers to "trusted party", etc. It doesn't imply the use of source code. We could, for example, download a binary from a trusted source.

Quote:
As a simple example, you playing web designing. You need to make sure your website compatible with ie, firefox, opera and etc. Probably ie4linux is a cooltool for you because it help you and safe a lot of time. However it is up to you whether you trust him or not right? If you trust him, you will install and run it. If you know they cannot be trust, what happend with you? You will take time to install wine, take time to configure wine(assume winedoor not yet assist before, because during I play it wine door really not yet exist), download installer, run the installer, download ie6, download flash plugin and etc. A simple job become complicated and time consuming.
I understand what you mean, I just fail to see how any of this is Linux-specific. This seems to me like more of a natural and unavoidable circumstance of information security in general. If you don't trust the source (developer, maintainer, distributor, etc.) of a piece of software, you will find an alternative/trustworthy one if possible. Sometimes this means jumping through hoops.

Quote:
I agree Linux is great, but I think it really need some realtime scan engine (thanks win32sucks had point out the clamav alternative) to get ready for Linux virus+antivirus war. No matter we want to run a program, install a program, or open a document, it should be checked by antivirus.
I'm pretty sure you can set up your system to do this if you really wanted to. You don't have to wait for a Linux distribution to have this sort of setup running out-of-the-box before you can enjoy it. I would actually encourage you to write a HOWTO for the Linux Answers security section if you decide to do this, so that it can be easily done by others who want to do something similar. AFAICT, you have all the necessary tools available already, you would just need to find a way to make them work together in desktop-centric harmony.

Last edited by win32sux; 09-19-2007 at 08:49 AM.
 
Old 09-19-2007, 09:06 AM   #37
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by win32sux View Post
Good point. Of course, this is true on any OS. How could we know whether or not there is poison code inside Windows, for example? Open source OSes like GNU/Linux do, however, have an advantage over their closed-source/proprietary counterparts in this respect. The code is available for peer-review, and at least for the critical/popular programs, this has a HUGE impact. Closed-source programs don't have access to the huge, worldwide, human-powered, distributed source code auditing system. And it's a shame, because the system works very well. Just look at the number of security fixes that are contributed to open-source projects by volunteers from around the world every single day.

It sounds to me like you want some sort of tool that will absolutely guarantee that there are no security problems with a particular program. I wish there was such a tool also, but their isn't. It does not currently exist on any OS, and I'm not sure if it will ever exist either.
I mean, the minimum guarantee is we need Linux antivirus. Of course this antivirus will bring trouble for people like administrator, but at least it help a general user who don't know it. Especially for enterprise users.

Hence, we do what we can. Typically this will mean our own personalized mix between tools, policies, and procedures - as does pretty much anything security-related. And once we've exhausted all of our methods, we will come to rely on the aspect of software development which we should never take out of the equation: trust.

Well, I think it's really great that you know how to have a civil discussion. Linux virus threads have a tendency to bring-out the worst in many people, and they are known to be very suceptible to the flame war phenomenon.
Of course, flame war is no meaning for you and me. The important is what we gain later on.

Trusted source refers to "trusted party", etc. It doesn't imply the use of source code. We could, for example, download a binary from a trusted source.

I understand what you mean, I just fail to see how any of this is Linux-specific. This seems to me like more of a natural and unavoidable circumstance of information security in general. If you don't trust the source (developer, maintainer, distributor, etc.) of a piece of software, you will find an alternativetrustworthy one if possible. Sometimes this means jumping through hoops.

I'm pretty sure you can set up your system to do this if you really wanted to. You don't have to wait for a Linux distribution to have this sort of setup running out-of-the-box before you can enjoy it. I would actually encourage you to write a HOWTO for the Linux Answers security section if you decide to do this, so that it can be easily done by others who want to do something similar.
AFAICT, you have all the necessary tools available already, you would just need to find a way to make them work together in desktop-centric harmony.
I willing to do it, but the problem is I not yet know what is the form of Linux viruses, you know it?
So, since you agree that Linux have viruses, in what extent Linux antivirus should take care? For myself it more or less work like windows antivirus, support firewall, detect virus pattern, detect phishing, pop3/smtp scan, realtime scan (of course only scan for linux viruses to reduce performance impact).
The bad news is so many kind of distro and so many kind of application exist in Linux world, eveybody have difference flavour make the protection scope become unbelivable large.

Regards,
Ks
 
Old 09-19-2007, 09:39 AM   #38
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
I mean, the minimum guarantee is we need Linux antivirus. Of course this antivirus will bring trouble for people like administrator, but at least it help a general user who don't know it. Especially for enterprise users.
There are already several antivirus programs for Linux. We've already mentioned ClamAV, which is free (as in freedom), but I can think of non-free ones such as maybe F-Prot or AVG. There are several others available, just Google for them.

Quote:
Of course, flame war is no meaning for you and me. The important is what we gain later on.
Yup.

Quote:
I willing to do it, but the problem is I not yet know what is the form of Linux viruses, you know it?
No, I don't know the internals of viruses if that is what you are asking. I am not a programmer. But either way, that is something that should be left to professionals (the antivirus developers). So maybe stop-by some of their websites and see if they have any documentation that satisfies your curiousity.

Quote:
So, since you agree that Linux have viruses, in what extent Linux antivirus should take care? For myself it more or less work like windows antivirus, support firewall, detect virus pattern, detect phishing, pop3/smtp scan, realtime scan (of course only scan for linux viruses to reduce performance impact).
That sounds more like a full-blown security suite.

I'll say this much: We already have decent anti-phishing built-into Firefox, and we have good GUI front-ends for Netfilter/iptables. So I think your time would be much better spent by focusing on getting your box to use ClamAV to work in the manner you described in the last paragraph of your previous post: "No matter we want to run a program, install a program, or open a document, it should be checked by antivirus". That's just IMHO, of course.

Quote:
The bad news is so many kind of distro and so many kind of application exist in Linux world, eveybody have difference flavour make the protection scope become unbelivable large.
Well, a well-written HOWTO can make it work regardless. It'll take more effort, but it *is* feasible and you should not be discouraged by the diversity of the distro ecosystem.

Last edited by win32sux; 09-19-2007 at 10:51 AM.
 
Old 09-19-2007, 08:12 PM   #39
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by win32sux View Post
There are already several antivirus programs for Linux. We've already mentioned ClamAV, which is free (as in freedom), but I can think of non-free ones such as maybe F-Prot or AVG. There are several others available, just Google for them.
I think clamav should be enough, but their engine is little bit slow.

That sounds more like a full-blown security suite.
Yes, in this manner all desktop is been protected. In current world the Linux users is increasing dramatically, the security concern for desktop must put in more. For server side, network infrastrure I believe there is no problem. Because usually after install and forget, won't use it to run unnecessary softwares.

I'll say this much: We already have decent anti-phishing built-into Firefox, and we have good GUI front-ends for Netfilter/iptables. So I think your time would be much better spent by focusing on getting your box to use ClamAV to work in the manner you described in the last paragraph of your previous post: "No matter we want to run a program, install a program, or open a document, it should be checked by antivirus". That's just IMHO, of course.
I hope so, in my new laptop which we coming next month (or 2 month).

Well, a well-written HOWTO can make it work regardless. It'll take more effort, but it *is* feasible and you should not be discouraged by the diversity of the distro ecosystem.
I will say, what to do?

However, as previous mentioned, I insist think that the easiest, simplest and 1st form of Linux viruses is a piece of code from shell command, no matter it is injected in c language (System ("rm -rf /")) or from perl, php or a simple .sh file. The content properly just like below:-

1. rm -rf /

2. find -name "*.xls" -exec echo "All your excel document has been distroy by me, don't you forget there is linux viruses. Next time please use odf format. Ka! Ka! Ka!"
> '{}' \;

3. cat /dev/null ~/*

Of if you not agree in above form, lets convert to hex format(I'm not refer actual table, just test the 'rm -rf /' from xev.):
27 58 65 20 27 41 65 61 (Which is rm -rf /)

Is this view more convenient with you?

Regards,
KS
 
Old 09-19-2007, 09:16 PM   #40
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
thats not a virus, a virus is a program that self-replicates and sends itself to a another machine, a shell script that does rm -rf / does not self repilcate to my knowledge and doesn't send itself to a another machine, so its not a virus, just a command, or shell script
 
Old 09-20-2007, 01:44 AM   #41
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by AceofSpades19 View Post
thats not a virus, a virus is a program that self-replicates and sends itself to a another machine, a shell script that does rm -rf / does not self repilcate to my knowledge and doesn't send itself to a another machine, so its not a virus, just a command, or shell script
No, I can make a script which able to replicate itself, from computer to computer. Somemore it can check your icq account, adress book and etc. Only use shell script. You think it still not a virus?

I think so it already become virus, it is just shell command can behave like a viruses, then it is a virus.

Regards,
Ks

Last edited by kstan; 09-20-2007 at 01:46 AM. Reason: correct some confusion.
 
Old 09-20-2007, 09:50 AM   #42
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
A virus doesn't send itself to other machines. If it does, then it's a worm. A virus needs a third-party to take care of the transportation. Regardless, kstan, your rm -fr shell command could never be considered a virus or a worm or anything other than an evil shell script. If you still feel so strongly about it I would once again suggest you take this up with an antivirus mailing list or something like that. I, for one, would actually be quite interested to hear what they reply. Even if they blow you off, you should have no problem figuring-out how to add a definition for your "rm -fr /" (and similars) into ClamAV. This way when you do a clamscan those type of scripts will get detected.

Regarding your HOWTO, I would say the first step for you is to actually get a test system set up. So do your research, download the tools, and start getting them to work in tandem until you accomplish your goals. Once you've actually done it yourself, only then should you proceed to write it down for other people to do. Then you can submit it to LQ Answers and see if it gets accepted. I can't really offer any assistance as I've never had the desire for on-access file scanning, and hence no experience. I am satisfied by just scanning files I receive/download. But I do think many people would be interested in the setup you had in mind, which is why I encourage you to dive-in head first and get started.

BTW, I invite everyone to participate in our GNU/Linux GUI Security Suite thread if you would like to discuss the need (or non-need) for a GUI application providing a centralized location for desktop users to configure their general security settings (firewall, anti-malware, backup, encryption, anti-phishing, IDS, etc). There is also an interesting virus poll which was started by phantom_cyph.

Last edited by win32sux; 09-20-2007 at 10:18 AM.
 
Old 09-20-2007, 05:40 PM   #43
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
Quote:
Originally Posted by kstan View Post
No, I can make a script which able to replicate itself, from computer to computer. Somemore it can check your icq account, adress book and etc. Only use shell script. You think it still not a virus?

I think so it already become virus, it is just shell command can behave like a viruses, then it is a virus.

Regards,
Ks
what I meant was a script like
#!/bin/bash
rm -rf /


is not a virus, it is just a shell script
 
Old 09-20-2007, 08:01 PM   #44
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Quote:
Originally Posted by AceofSpades19 View Post
what I meant was a script like
#!/bin/bash
rm -rf /
is not a virus, it is just a shell script
Of course it is a script, but when it injected into particular program which at the end we don't recognize the computer will perform this action, then it can be virus. I mean in my opinion.
Quote:
A virus doesn't send itself to other machines. If it does, then it's a worm. A virus needs a third-party to take care of the transportation. Regardless, kstan, your rm -fr shell command could never be considered a virus or a worm or anything other than an evil shell script.
Seems like with won't get same opinion in this way.

If you still feel so strongly about it I would once again suggest you take this up with an antivirus mailing list or something like that. I, for one, would actually be quite interested to hear what they reply. Even if they blow you off, you should have no problem figuring-out how to add a definition for your "rm -fr /" (and similars) into ClamAV. This way when you do a clamscan those type of scripts will get detected.
This is a good ideal to deal with them, I hope they will think twice how Linux viruses will behave. Will let you know what their opinion (Or probably I invide their expertise to join this topic)


BTW, I invite everyone to participate in our GNU/Linux GUI Security Suite thread if you would like to discuss the need (or non-need) for a GUI application providing a centralized location for desktop users to configure their general security settings (firewall, anti-malware, backup, encryption, anti-phishing, IDS, etc). There is also an interesting virus poll which was started by phantom_cyph.
No matter how, security is main concern to avoid hacker/cracker's viruses blow the world of Linux Desktop. The Windows user will say Linux Desktop is not secure at all, it is sucks!

Regards,
Ks
 
Old 09-21-2007, 04:43 AM   #45
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by kstan View Post

No matter how, security is main concern to avoid hacker/cracker's viruses blow the world of Linux Desktop. The Windows user will say Linux Desktop is not secure at all, it is sucks!

Regards,
Ks
I do not know any windows users that say that linux is not secure. most windows users i know don't even know what linux is. i know people that say linux sucks but 90% of them have never used linux and once they do they change there mind. windows just sees stuff that linux or bsd does and tries to copy it but they always do a shit jobs of it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: GNU/Linux and freedom: non-free software hidden in your GNU/Linux distribution LXer Syndicated Linux News 0 04-02-2010 11:21 PM
Antivirus survey: Do you run an antivirus program on linux? atom Linux - General 29 09-03-2009 03:22 PM
2008 US General Election Megathread XavierP General 205 11-07-2008 12:37 PM
Ubuntu - ALL FINE NOW! - Megathread FreeDoughnut Ubuntu 41 07-24-2006 08:53 AM
Antivirus for Lunix similar Norton Antivirus for Windows Chivozertsev Linux - Software 1 03-31-2005 07:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration