[ILUG] Porting MyDoom to Linux

Rick Moen rick at linuxmafia.com
Wed Feb 4 00:01:35 GMT 2004


Quoting kevin lyda (kevin+dated+1076270750.9056c1 at ie.suberic.net):

> several people - paulj and chriss higgens have pointed out the
> technology of why it's easy.

In theory, as long as you avoid specifics and/or assume people leave
handily exploitable software lying around.

> the social reason is that there is no standard "linux" and
> there is no standard mua on linux.

This argument often gets a _little_ overstated:  If someone were to find
and attack without any advance indications a remotely exploitable flaw
in the then-current version of, say, mutt that allowed remote execution
of arbitrary local code, then some large fraction of the entire *ix
world would have "fun" for two or three days -- if it were sufficiently
fundamental to the program and sufficiently independent of local
configuration.  (Obligatory nod:  You address those matters further on.
Thanks.)

Other hypothetical examples include malware written in elisp.  But the
word "theoretical" tends to be present a lot in these discussions,
either expressed or implied:  The examples tend to handwave around
myriad implementation obstacles.

> as linux becomes more common on the desktop, there will be more
> similarities.  but then companies like redhat and lindows and others are
> doing things to get security fixes sent out to users in an automated way.
> yes, ms is beginning to do this, but they're working hard to stamp
> out piracy at the same time which works against getting all users to
> get updates.

This is an interesting and subtle point, one that I failed to grasp
until my mother-in-law, an MS-Windows user who's pursuing her doctorate
in network security, pointed it out to me:  A large fraction of
MS-Windows installations are hopelessly mired in vulnerable software
that _will not_ be patched for reasons no better than being either no
longer supported or bootlegged.

And a friend reminded me of one of the constant points of pain in
MS-Windows system maintenance, which I'd likewise forgotten about:
Rare is it that the patching system permits you to fix just one thing.
Instead, you're pushed towards "service packs" that may in the aggregate
be unacceptable because they break too many other things while fixing
some others.

Here's an extremely effective essay by my friend on that subject:
http://www.aaxnet.com/editor/edit029.html

In the *ix world, we're able to apply fixes in a much more atomic
fashion.  You can patch _just one thing_.  Likewise, because we favour
standardised, documented software interfaces at fairly fine levels, we 
can if necessary sidestep a problem by switching to some functional
equivalent.

I.e., if there were a problem with Apache without an immediately
satisfactory fix, most sites can switch to thttpd, boa, WN, Mathopd,
Yaws, Seminole, chttpd, xs-httpd, etc. without prohibitive problems.
Ditto switching among {Exim|Postfix|Courier-MTA}, and so on.  Back in
September of last year, I considered temporarily switching from OpenSSH
to LSH, on account of the then-pending security announcement that
frogmarched OpenSSH users onto the new privilege-separation code.

Last, both the windows of vulnerability and severity of such problems
tend to be, in general, lower (when you compare groups of systems
serving up similar degrees of functionality -- absent which proviso we'd
all want to run bare MS-DOS or such).

> so yes, technically linux shares some of the same potential faults.
> however i can think of only two times unix/linux had a worm spread
> rampantly from system to system - the morris worm in 1988 on bsd/vax
> systems....

The Morris worm was largely aided by a sendmail debug facility
negligently left enabled in most copies, and by the absence of shadow
passwords at that time.

> and a few years back on linux/apache/x86 systems (code red
> i think?).  

The Slapper worm exploited a notorious hole in an obsolete version of
OpenSSL, on badly maintained sites using a particular configuration of
Apache with that obsolete OpenSSL version.

ObPunchLine:  "Well, don't do that, then."  People hit by that one might
merit pity, but no other sorts of sympathy.

-- 
Cheers,                           "This is Unix.  Stop acting so helpless."
Rick Moen                                               -- D.J. Bernstein
rick at linuxmafia.com
