
Re: Viruses and rootkits WAS Re: weird problem with one mail account in Thunderbird....ISP or what ?



 Hi.

On Thu, May 28, 2015 at 01:42:14PM -0400, Deb wrote:
> 
> 
> On 05/28/2015 01:23 PM, John Hasler wrote:
> >Frank writes:
> >>It's the ISP security guys who are insisting in their words "the
> >>account or perhaps your whole computer is infected".
> >The only Linux malware in the wild attacks Web sites via vulnerabilities
> >in things like PHP.  Aside from the difficulty there is no motivation
> >for creating malware to attack Linux desktops.  There are not enough of
> >them (and you'd need a version of your malware for every dist) to make
> >it profitable.  A good piece of Windows malware can turn a million
> >Windows desktop boxes into bots.  How many Linux bots would the same
> >effort yield?
> That's for profit, but why wouldn't at least a few random amateurs create
> Linux malware for fun and practice? Or is it too difficult for the
> pimples-and-braces crowd?

Why, they do, of course. Both for fun and profit.

It's just that they choose somewhat different targets from your typical
run-of-the-mill PC.

Exhibit a. Android-based phones and tablets. Porn ransomware, botnets,
PII theft - you name it, they have an app for that :)

Exhibit b. Your typical Linux-based router box sooner or later will be
included in a certain botnet (or they try to do it at least).


Why do it? The amount of said devices available in public is the main
factor.


Why is it possible? The main differences between PC and said devices are:

- Relative lack of updates (4-5 times during 'product' lifecycle at best)

- Relative 'platform stability' (meaning - more or less the same library
set and kernel due to the lack of updates)

- Swiss cheese security configuration by default: administrative
interfaces on WAN for routers, horribly coded kernel modules such as
ozwpan, insecure permissions for /dev/kmem on certain phones, and last,
but not least - well-known username/password pairs such as admin/admin
that nobody bothers to change


Does this mean that you need to be very unlucky to encounter malware
on a typical amd64 Debian installation (disregarding PHP or other
webserver software)? Yes.

Does this mean that you should not do something with said Debian
installation beforehand? For me the answer is - no, just because I like
to cater for that paranoid guy in my head :)


Is clamav the answer to Linux malware? No, because the only thing
that clamav is supposed to do is to check for Windows malware while
running on a Linux (or *BSD) box.

What is the correct answer to Linux malware? Any kind of IDS, be it a
local one (rkhunter, debsums, fcheck), or a distributed one (snort).

Reco
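The local IDS tools named above (debsums, fcheck) all work on the same principle: record a digest of every file you care about while the system is known-good, then re-hash later and report anything modified, missing or newly appeared. The following is an added illustration of that mechanism, not code from the original message or from any of those projects; the function names (`build_baseline`, `verify`, `demo`) and the small file tree it creates in a temporary directory are constructed for the example, and it uses SHA-256 rather than the per-package `.md5sums` lists that debsums compares against.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical helper names for this example; not part of debsums, fcheck or rkhunter.


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Return the hex digest of a file's contents, read in chunks."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every regular file below root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Symlinks are skipped: hashing them would hash the target, not the link.
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree's current state against a stored baseline.

    Returns the three classes of finding an integrity checker reports:
    modified (digest differs), missing (in baseline, gone from disk)
    and unexpected (on disk, absent from baseline).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "unexpected": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline of a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        (root / "etc").mkdir()
        (root / "etc" / "ssh_config").write_text("Port 22\n")
        baseline = build_baseline(root)

        # Simulated changes made after the baseline was recorded (constructed data).
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/false\n")  # replaced binary
        (root / "etc" / "ssh_config").unlink()                                # removed config
        (root / "bin" / ".hidden").write_bytes(b"not in baseline")            # new file

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The caveat that applies to every local checker of this kind, and is the reason the message also mentions a distributed IDS: the baseline and the checker itself live on the same box they are guarding, so anything that has already gained root can rewrite both. Keeping the baseline on read-only or off-host storage (or, in the debsums case, re-fetching the package checksums from the mirror) is what makes the comparison worth trusting.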

