Re: Do we really need to worry about viruses

[Alan Shutko <ats@acm.org>]

Ron Johnson <ron.l.johnson@cox.net> writes:

> How can an email virus work on *ix?

How does it work on Windows?  Either convince the user to click on a
link, or exploit a bug in the MUA.  When it has code running, scan
the user's address book and mail archives, and send out lots of
email.  Include your own SMTP client to contact servers.  None of
this is restricted by root.

It can also pop up a DDOS or SPAM server running as the user in a
high-numbered port.  If it wants root-level privileges (which none of
the viruses out for Windows seem to need or care about) it can pop in
a sniffer or some sort for the user's keystrokes to see if the user
ever su's.

> And a click-thru virus (or is it really a trojan?) can only do 
> damage to files that you have privs to touch (unless there's a bug
> in Java or JavaScript).

Sure.  So?  All the files I really care about are the ones I have
privilege to touch.  I don't care about the OS so much... I can
install it again.  I do care about the documents or code I'm working
on.  Or my local customizations.  I have a 2GB home directory on my
laptop at the moment.  I care more about any of that data than
anything the virus can't touch.

Or, at work, I have access to modify all sorts of things that I need
to in the context of my job.  A virus could have a lot of fun.

Sure, you can mitigate the risk.  Backups, CVS repositories, secondary
accounts for certain things, keeping things on several machines, can
all reduce the damage a virus could do.  But just saying "A virus
can't hurt a user unless it's root" is incorrect.  And downplaying
that it can affect any file the user can touch ignores where most of
the value is in the files on an average system.

-- 
Alan Shutko <ats@acm.org> - I am the rocks.
Data in Oz: "If I only had a pulmonary apparatus . . ."