Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: VALDIS@VTVM1.CC.VT.EDU (Valdis Kletnieks)
Newsgroups: comp.virus
Subject: re: Unix viruses and damaging programs (UNIX)
Message-ID: <0009.9104081309.AA03138@ubu.cert.sei.cmu.edu>
Date: 5 Apr 91 17:03:16 GMT
Sender: Virus Discussion List
Lines: 42
Approved: krvw@sei.cmu.edu

>Date: Wed, 03 Apr 91 21:10:57 +0000
>From: vancleef@iastate.edu (Van Cleef Henry H)
>...
>b. That all "security" to read and write as a superuser has already
>been breached and that this breach has gone undetected.

If the first part of this is true, *all* bets are off. See Ken Thompson's
Turing Award lecture "On Trusting Trust" for an example. If you are
permitting the intruder super-user access and source access, about the
*only* way to recover is to scrub the disks and re-install the system from
known good tapes from the locked vault. You will have to first format the
disks, then convince yourself that the distribution tapes are in fact
clean - don't trust your backup tapes, they might be bad. Then re-install
the operating system. Then restore user files, checking each one for any
and all possible trojans that might still be left in them.

Under Unix, if you don't trust your kernel, you can't trust ANYTHING. Your
only hope is if you can find a "trick" that the intruder didn't trap
against in his kernel hacking. However, Dijkstra once said: "Testing can
show the presence of bugs, but not their absence." So if you DON'T find
anything, that does NOT prove your system is clean, it only means that
it's *either* clean *or* the intruder is a step ahead of you.

The second part - the assertion that the breach is undetected - is also
quite suspect. Remember - we've only caught the second best computer
criminal. The best is so good that we'll never catch him. If your system
check (whatever its form) actually *finds* anything, then it won't be an
undetected breach anymore.

If you are planning a *serious* research effort on Unix, you should be
addressing the issues of access right compartmentalization - i.e. work on
closing the *holes* so that the guy can't *GET* to superuser status...

Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute
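The recovery step the post describes (restore user files, then check each one for trojans left behind) is usually done today by comparing the restored tree against an integrity manifest recorded while the system was still trusted. The following is an added example, not code from the post or from its author; it assumes a manifest of (path, permission bits, SHA-256) built from known-good media, and a constructed sample tree in a temporary directory. The post's caveat applies in full: this check is only meaningful when the kernel and the Python interpreter running it come from trusted media, because a compromised kernel can feed any hash tool whatever bytes the intruder likes.

```python
"""Verify a restored file tree against a manifest built from known-good media.

Added example (not from the original comp.virus post). Assumes the manifest
was recorded while the system was trusted and that this check itself runs
from trusted media; a hash tool run under a trojaned kernel proves nothing.
"""
import hashlib
import os
import stat
import tempfile

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative path) to (permission bits, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: don't follow symlinks planted by an intruder
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (stat.S_IMODE(st.st_mode), sha256_file(full))
    return manifest


def check_tree(root, manifest):
    """Compare the live tree to the trusted manifest and return findings by category."""
    live = build_manifest(root)
    findings = {"modified": [], "added": [], "missing": [], "setuid": []}
    for rel, expected in manifest.items():
        if rel not in live:
            findings["missing"].append(rel)
        elif live[rel] != expected:      # content or permission bits changed
            findings["modified"].append(rel)
    for rel, (mode, _digest) in live.items():
        if rel not in manifest:
            findings["added"].append(rel)
        # A setuid/setgid file the trusted manifest did not carry is a classic leftover.
        expected_mode = manifest.get(rel, (0, None))[0]
        if mode & SUID_BITS and not expected_mode & SUID_BITS:
            findings["setuid"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo():
    """Constructed sample: record a clean tree, tamper with it, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "usr")
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        ls_path = os.path.join(root, "bin", "ls")
        passwd_path = os.path.join(root, "etc", "passwd")
        with open(ls_path, "wb") as f:
            f.write(b"clean ls binary\n")
        os.chmod(ls_path, 0o755)
        with open(passwd_path, "wb") as f:
            f.write(b"root:x:0:0::/:/bin/sh\n")
        os.chmod(passwd_path, 0o644)

        manifest = build_manifest(root)  # taken while the tree is still trusted

        # Simulate what an intruder with superuser access leaves behind.
        with open(ls_path, "wb") as f:
            f.write(b"trojaned ls binary\n")
        hidden = os.path.join(root, "bin", ".hidden")
        with open(hidden, "wb") as f:
            f.write(b"setuid shell\n")
        os.chmod(hidden, 0o4755)          # setuid root backdoor
        os.remove(passwd_path)

        return check_tree(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Run it from a rescue environment booted off trusted media, pointing `build_manifest` at the freshly installed system before any user data is restored, and `check_tree` at the tree after the restore; anything in "added" or "setuid" deserves a by-hand look before it is allowed back into service.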