[3117] in WWW Security List Archive
Re: New and destructive word macro virus
daemon@ATHENA.MIT.EDU (Nir Soffer)
Sat Sep 28 13:37:15 1996
Date: Sat, 28 Sep 1996 17:59:25 +0200 (IST)
From: Nir Soffer <scorpios@cs.huji.ac.il>
To: "David W. Morris" <dwm@shell.portal.com>
Cc: John Cronin <John.Cronin@oit.gatech.edu>,
"David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.93.960927184147.5973C-100000@jobe.shell.portal.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Sorry to butt in like that, but I disagree -
<newbie mode on>
On Fri, 27 Sep 1996, David W. Morris wrote:
>
>
> On Fri, 27 Sep 1996, John Cronin wrote:
>
> > I have to partially disagree here. While it is theoretically possible
> > to write a virus for Unix for instance, for it to really do damage, it
> > would have to be run as root. If a non-root user runs a program that
>
> Huh ... no theory here ... I would classify the cancelbot which trashed
> a bunch of alternate life style newsgroups earlier in the week as a
> virus. The internet worm was a virus. Depending on what code is
> executed in the user's environment, there is all kinds of risk. For
> example, one of my client installations uses NIS shadow passwords and
> yet the libc support for reading the crypted password worked just fine
> from a perl program I wrote. So while the /etc/passwd file didn't
> deliver the insight directly, it could provide the list of keys needed
> to fetch passwords which would then be hacked via crack.
That all depends on how you define a virus. I for one define a virus as a
piece of code that replicates itself via other pieces of code, just like
a real life virus does, lives parasitaclly (sic) on the host of the body
until the body dies, and moves from different cells to other cells. What
you are describing here is what I define as a trojan - i.e. - a piece of
code that does something different than you'd expect from it, often
maliciously. AFAIK virii are impossible on all UNIX systems, since there
is no way (I know of, please correct me if I'm wrong) to trap instances
other processes are started and then infect them (I'm not even sure that
it's possible to infect Unix binaries, but here I can be corrected again
and would gladly be corrected.)
> And so forth. Not all viruses cause direct damage. A typical UNIX system
> has all kinds of world readable data which is presumed to be safe behind
> the firewall but isn't if there is a backdoor based on imported code.
Again, you're describing what I define as a trojan, would you call the
program known as 'socket daemon' which does exactly what you describe as
a virus ?
> PC viruses have been popular with crackers because network access such as
> enabled the worm has not been available so the crackers figured out an
> alternative for spreading their grief. Then they used a time driven
> trip wire to achieve the world wide effect achieved on interconnected
> UNIX systems. In each case the problem surfaces over a wide area with
> little warning.
Hmm. The line between a worm and a virus is a very fine line. I define
worms as pieces of code that spread themselves via network holes (as
opposed to processes that lurk around and wait for other programs to be
executed and then infect them). It's all a matter of semantics.
> So I think UNIX systems need to be just as concerned about the execution
> of unauthorized code as do users of PCs.
Of course. :).
> Dave Morris
Nir.
--
Nir Soffer AKA ScorpioS. scorpios@cs.huji.ac.il
http://www.cs.huji.ac.il/~scorpios/
'Keyboard not responding, press F1 to continue.'