[comp.virus] UNIX & Viruses

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/04/91)

From:    micor!esleng!esleng.ocunix.on.ca!dag@uunet.UU.NET (Dave Gilmour)

Basically, the sheer diversity of UNIX platforms provides the best
defense against malicious software. Mix in the user/kernel and
"rights" requirements and you have the basis for a good protection
scheme.

Mr. Morris's worm was directed at only two platforms: DEC Ultrix and
SunOS as I recall, and it had to carry separate code modules along for
each.

Viruses are remarkably successful on PCs, not because of the operating
system, though DOS certainly does nothing to stop a virus, but because
every machine from the lowliest 8088 to the mightiest 486 runs the
basic 8086 instruction set at startup. Add in the fact that every
function and every entry address defined in the 27 October, 1982 BIOS
specification still exists and you have the key to the spread of
malicious software.

With UNIX on the other hand, not only is a certain amount of integrity
checking built in to the O/S, but malicious software (and many users)
have no idea if the architecture is based on an Intel 80386, a
Motorola 680x0, the CVAX chipset, or some other RISC or CISC
architecture. To the user, the biggest question is usually whether it
is a C or Bourne shell.

When we talk about "portability" in the UNIX world, we are usually
referring to the fact that ASCII is ASCII and that source code that
compiles on an Apollo can also compile on a VAX. That they use wildly
different run-time-libraries is unimportant at the source-code level.

In comparison, writing a virus that can attack both an IBM-PC and a
Macintosh would be simpler than one that could affect just the
different varieties of Sun Microsystems - no, I am not picking on Sun,
I just happen to have those manuals on hand.

In addition, UNIX being a "real" multi-user operating system has had
to layer in many integrity checks to protect users from each other.
These same checks make it much more difficult to spread a virus
without notice.

I am not saying that it cannot be done, just that it would be, first,
difficult, and second, would have to be targeted to a particular
platform or platforms.

As yet, we have not seen any real threat to the UNIX platforms that
cannot be countered with effective use of the tools built in. The
biggest danger is still an "accident" by someone with root privilege
and a managerial lack of proper training of system administrators.
(off the soapbox, Padgett)

ethan@thinc.COM (Ethan.Lish@THINC.COM) (04/10/91)

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) writes:

Greetings -

	In continuation of the *NIX Virus Thread I would like to add a
	few points.  First off I would like to direct you to
	'Computer Systems' Volume 2, Spring 1989, "Experiences with
	Viruses on *NIX Systems" and "Virology 101".

> Basically, the sheer diversity of UNIX platforms provides the best
> defense against malicious software. Mix in the user/kernel and
> "rights" requirements and you have the basis for a good protection
> scheme.

	This is correct if your virus model excludes the shell script
	world. I have not seen *any* published model to define a virus
	vs Trojan Horse in the group. Was one published and I missed it?

	The simplest form of a *NIX virus is:

			cp $0 .

	Now *every* *NIX platform I know of will run this "virus".

		Thanks,
			\Ethan\

P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"**
--
     "If everyone swept his own doorstep, the whole world would be clean"
                           A Chinese proverb
  Ethan.Lish@THINC.COM _____ 1.301.652.0651 _____ {uunet,anagld}!thinc!ethan
  Tomorrow's Horizons, Inc. 4807 Bethesda Ave, #330, Bethesda, MD 20814-5299

mchinni@PICA.ARMY.MIL (Michael J. Chinni, SMCAR-CCS-W) (04/11/91)

ethan@thinc.COM (Ethan.Lish@THINC.COM) writes:
>	The simplest form of a *NIX virus is :
>			cp $0 .
>	Now *every* *NIX platform I know of will run this "virus"
> P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"**

Given the usual definition of a virus (i.e. Cohen's formal definition
of a virus as roughly stated by spaf@cs.purdue.edu (Gene Spafford))
as: "code that makes a (possibly modified) copy of itself in another
program", and assuming that Ethan was serious about "cp $0 ." being a
virus: how is "cp $0 ." a virus?

On my systems all that will do is copy your Current Shell Interpreter
(CSI) to your current directory. In my case that was the same as doing
"cp /bin/sh .". I see no way that could be considered a virus. This is
not even a security risk in and of itself.
It WOULD be a security risk if:
	1) your local superuser had "." before "/DIR" in their PATH/path
		(where "/DIR" is the path of the directory where the CSI is)
because if:
	1) you do the "cp $0 ."
	2) you change your copy of the CSI to add malicious code
	3) you get your local superuser to go into your home directory as root
		and run your copy of the CSI
you could get full root privileges (assuming your malicious code did this) and
this IS a security breach.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
                        Michael J. Chinni	US Army ARDEC
                        - - - - - - - - -       - - - - - - -
"To Do is To Be" Socrates   "To Be is To Do" Plato   "Do Be Do Be Do" Sinatra
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
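As an added example, not code from any poster in this thread: a POSIX sh function that audits a PATH value for the ordering Chinni describes, a "." (or empty) entry ahead of the directory holding the real shell interpreter, the "/DIR" of his post. The function name and the sample PATH values are constructed for illustration.

```shell
#!/bin/sh
# unsafe_path_order PATHVALUE CSI_DIR
#   Walks PATHVALUE entry by entry, in lookup order, and returns 1 (unsafe)
#   if a current-directory entry ("." , "./x", an empty entry, or any other
#   relative name) is searched before CSI_DIR, the directory that holds the
#   real shell interpreter. Returns 0 (safe) when CSI_DIR is reached first.
#   If CSI_DIR is never found, the value is safe only if no relative entry
#   appears anywhere in it.
unsafe_path_order() {
    _rest="$1:"            # trailing ':' so the last entry is processed too
    _csi_dir=$2
    _seen_relative=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        if [ -z "$_entry" ]; then
            _seen_relative=1   # empty entry: the shell searches the CWD here
            continue
        fi
        case $_entry in
            /*)
                if [ "$_entry" = "$_csi_dir" ]; then
                    [ "$_seen_relative" -eq 0 ]   # safe only if nothing relative preceded it
                    return $?
                fi ;;
            *)  _seen_relative=1 ;;   # ".", "./bin", "bin", "../tools" ...
        esac
    done
    [ "$_seen_relative" -eq 0 ]
}

# audit_path PATHVALUE CSI_DIR: human-readable wrapper for the check above.
audit_path() {
    if unsafe_path_order "$1" "$2"; then
        echo "OK:   '$1' finds $2 before any current-directory entry"
    else
        echo "WARN: '$1' can pick up a planted copy of the interpreter before $2"
    fi
}

# Demonstration on constructed values; the last line checks the caller's own PATH.
audit_path "/usr/bin:/bin" "/bin"
audit_path ".:/usr/bin:/bin" "/bin"
audit_path ":/bin" "/bin"
audit_path "$PATH" "/bin"
```

The check only covers the ordering problem from the post; an entry that is an absolute directory writable by other users is a separate concern and is not flagged here.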

pg9065@computing.bradford.ac.uk (Paul) (04/17/91)

ethan@thinc.COM (Ethan.Lish@THINC.COM) writes:
>	The simplest form of a *NIX virus is :
>			cp $0 .
>	Now *every* *NIX platform I know of will run this "virus"
> P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"**

Ooops, just ran it!

It said "No file for $0.".

That's on SunOS 4.1 running csh.

Just how is "cp $0 ." supposed to be a virus? Even if $0 was defined to
something valid, all it would do is copy a file into your current directory.

Paul Sutton
Department of Computing, University of Bradford, Bradford, BD7 1DP, UK
p.c.sutton@bradford.ac.uk