Path: utzoo!utgpu!attcan!uunet!convex!killer!texbell!nuchat!sugar!peter
From: peter@sugar.uu.net (Peter da Silva)
Newsgroups: comp.sys.amiga
Subject: Re: Internet UNIX (BSD) virus
Keywords: UNIX, BSD. Virus, worm
Message-ID: <2965@sugar.uu.net>
Date: 7 Nov 88 12:51:15 GMT
References: <13232@oberon.USC.EDU> <2954@sugar.uu.net> <13280@oberon.USC.EDU>
Organization: Sugar Land Unix - Houston, TX
Lines: 148

In article <13280@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
> In article <2954@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
> >First of all, the channel of infection is a gaping hole in sendmail that
> >isn't typical of UNIX mail systems.

> It didn't use just a hole in BSD sendmail, but also a hole in fingerd and
> included a very knowledgeable password guessing program, all put together.

Without the bug in sendmail it wouldn't have a foothold for further infection.
Besides, "fingerd" is another BSD program. I presume it's a server to support
remote user lookup (my BSD manual is an OLD 4.2 one, and there's nothing
between fastboot and ftpd). Another case of BSD's priorities in the
convenience-vs-security spectrum.

> >The typical PC or Amiga virus is a couple of hundred bytes long... and it's
> >got complete access to the whole system... on any PC. This virus had a couple
> >of hundred lines of prelude code, and was only able to infect a small
> >fraction of the machines available to them...

> Tell that to the people at Stanford, with (over 2000 machines infected) or
> to the folks at CalTech, UCLA, USC, Berkeley, MIT, Lawrence Livermore, which
> have had similar numbers of machines infected. The latest count is that over
> 6000 UNIX BSD hosts have been infected.

6000 VAX or Sun-3 UNIX hosts whose administrators and users have agreed among
themselves to allow an extraordinary amount of interconnectivity. Given that
most of these hosts are workstations, that's a tiny fraction of the machines
available to the virus.

> People have stayed up for 2 nights all over the US to "manually" eradicate
> all the instances of the virus and many are still at work on it right at
> this moment. Try to guess how much money was lost in man-hours (and this
> was fortunately a "sort of benign" virus).

They left themselves open to this attack. This isn't a UNIX problem. This is
a political problem. They decided to go for convenience instead of security,
depending on goodwill and the threat of sanctions to keep people in line. I
suspect that even with this attack it's a good balance for their environment.
The man-hours that would have been lost to general hassles over the years if
these features hadn't been available probably counterbalance the time spent
tracking this sucker down.

The virus was tracked to its source in a matter of hours. Even the much more
virulent worms that abound in the PC world (more evidence, if any is needed,
for the greater susceptibility of unprotected single-user systems) are tracked
to their source within weeks. If someone had actually put a *real* virus in
the net they'd be hit so hard with so many charges and ill-will they'd never
get a job in this business again.

> > and a simple reboot would clear it out.
>             ^^^^^^^^^^^^^
> Bullshit! Get your facts. Read ...43-bugs or whatever that usergroup is called
> for the details on how to kill the virus once and for all.

If it's not executing, it's cleared out. All that's left is a handful of files
in temp, and some orphan inodes. Even if you leave them there you're safe. You
can get re-infected if you re-connect to the net after the reboot without
clearing up the holes that left you open in the first place. But that's rather
like expecting penicillin to keep you from ever catching clap again...

And using obscenities in a public message is not generally considered
appropriate behaviour. Are you trying for weembadom?

> >I'm not saying, and I've never said, that UNIX is uninfectable. Just that
> >it's a LOT harder to build a successful virus... that wouldn't be as
> >successful as a simpler virus on an unprotected single-use system. This one
> >is everything I've claimed a UNIX virus would be: highly complex,
> >relatively limited in scope, easily killed and guarded against.
>                               ^^^^^^^^^^^^^
> "Easily" killed doesn't mean much.

Sure it does. If this had been a really tough virus, like the ones that hide
in utilities and system files on PCs, the Internet would still be down.

> I can assure you that in $$$$$, this
> virus was much more costly than ANY of the Amiga viruses combined.

In dollars? If the result is a little tightening of internet security this
virus will have had a positive dollar value.

Let's look at a typical PC virus. Let's look at the IBM PC world, where viruses
are more common. To the individuals involved, the Internet virus cost a couple
of nights sleep and a day's work. People with PCs have lost days or weeks of
valuable work when their files were eaten by a virus. I need more than just
your assurances that the total cost in grad-student-hours is greater than the
cost in real-productive-work lost to, say, the Israeli virus or the Brain
virus. I suspect that the cost of a program like "Rogue", in
grad-student-hours, is far greater than this little mishap.

> And
> as you probably know, a student at Cornell did this one. Just wait until
> organized crime gets into this business.

If they do, they'll be using grad students from Cornell and Berkeley and other
places where BSD is popular to do the dirty work.

> >I expect there will be more. I don't expect anything as virulent as the Byte
>                                          ^^^^^^^^
> >Bandit or Brain virus.
> You ain't seen nothing, yet. Good luck on your dreams.

I've seen things you people can't possibly imagine. Didn't you bother to read
my pseudo-prophetic "Usenet Virus" article? Oh, of course you did... as I
recall you credited me with independently reproducing the work of some big
shot professor of yours.

Oh, speaking of ftpd: From the 4.2BSD manual, 4 March 1983... in the BUGS
section:

	"The anonymous account is inherently dangerous and should be avoided
	when possible"

[ you're still allowing anonymous ftp, no? ]

Let's look at rexecd. BUGS:

	"Indicating 'login incorrect' as opposed to 'password incorrect' is a
	security breach which allows people to probe a system for users with
	null passwords"

[or, presumably, for people with passwords in a list they're carrying around]

rlogind and rshd. BUGS:

	"The authentication procedure used here assumes the integrity of each
	client machine and the connecting medium. This is insecure, but useful
	in an 'open' environment"

Not only security holes, but *documented* as such!

For completeness, let's have a look at... sendmail. This isn't in the BUGS
section, but the implications are amazing:

	"Any address passing through the initial parsing algorithm as a local
	address ... is scanned for two special cases. If prefixed by a vertical
	bar ('|') the rest of the address is processed as a shell command..."

That was 5 years ago. You people never learn.
-- 
Peter da Silva  `-_-'  peter@sugar.uu.net
Have you hugged  U  your wolf today?
Disclaimer: My typos are my own damn business.
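The rexecd BUGS entry quoted in the post describes account enumeration through differing failure messages: "login incorrect" for an unknown user, "password incorrect" for a known one. The following is an added example, not part of the original post or of any BSD source, that puts a checker with that leak beside one that answers every failure the same way and does the same amount of hashing work regardless of whether the name exists. The account table, salts and passwords are constructed sample data; `leaky_login`, `uniform_login` and `responses_distinguish_users` are names chosen for this example.

```python
import hashlib
import hmac

# Constructed sample data for this example: username -> (salt, SHA-256 hex of salt+password).
# Nothing here comes from a real system.
def _hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

ACCOUNTS = {
    "alice": ("salt-a", _hash("salt-a", "correct horse")),
    "bob": ("salt-b", _hash("salt-b", "battery staple")),
}

# A hash that no real password can match, used so that unknown names still
# cost one comparison. Same length as a SHA-256 hex digest so compare_digest
# sees equal-length inputs.
_DUMMY_SALT = "dummy-salt"
_DUMMY_HASH = "0" * 64


def leaky_login(user: str, password: str) -> str:
    """Behaviour the 4.2BSD rexecd BUGS section warns about (hypothetical
    re-creation): the failure text tells the caller whether the account exists."""
    if user not in ACCOUNTS:
        return "login incorrect"
    salt, expected = ACCOUNTS[user]
    if hmac.compare_digest(_hash(salt, password), expected):
        return "ok"
    return "password incorrect"


def uniform_login(user: str, password: str) -> str:
    """Same accept/reject decision, one failure message.

    The hash is always computed and compared, even for unknown names, so the
    response text and the amount of work done no longer depend on whether the
    account exists.
    """
    known = user in ACCOUNTS
    salt, expected = ACCOUNTS[user] if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(salt, password), expected)
    return "ok" if known and matched else "login incorrect"


def responses_distinguish_users(login) -> bool:
    """Audit check for a login routine: does a wrong password for a real
    account produce different text than an attempt against a name that does
    not exist? True means the service leaks which accounts are present."""
    known_user = next(iter(ACCOUNTS))
    wrong = "definitely-not-the-password"
    return login(known_user, wrong) != login("no-such-user", wrong)


if __name__ == "__main__":
    for name, fn in (("leaky_login", leaky_login), ("uniform_login", uniform_login)):
        verdict = "leaks account names" if responses_distinguish_users(fn) else "uniform failures"
        print(f"{name}: {verdict}")
```

Run as a script, the audit helper reports the first routine as leaking and the second as uniform. The same check is worth running against any real authentication front end: if a known name with a bad password and an unknown name return different text (or, with a timer, noticeably different delays), the service is telling callers which accounts exist.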