malware defense

andrew@daviel.org
Fri, 3 Dec 1999 10:11:47 -0800 (PST)


malware - malicious code such as viruses, trojans, worms etc.

IMO, malware poses the greatest threat to the Internet community since the
busy signal, and I was wondering what might be done to counter it.

scenario 1 - some group (politically motivated, whatever) hacks a website
and instead of defacing the homepage, makes some changes in the download
area
scenario 2 - an email virus like Happy99 or the ExploreZip worm
scenario 3 - your system is cracked and system files replaced
endgame 1 - the payload is a time bomb, running a DoS on 2000-01-01
endgame 2 - the payload is an intelligence gathering agent, mailing
results back home

In these scenarios, the old adages of "don't run code from untrusted
sites" and "only open attachments from people you know" don't help.
Recently, the RingZero trojan behaved as in endgame 2 - mapping web proxy
servers and returning results to Russia. It is still active - watch your
logs for ports 3128 and 8080. I also remember an ssh or tcpd tarball being
trojaned for a few days a while ago, as in scenario 1.

The problem, then, is how to authenticate code before it makes system
calls - writing to disk, or using the network. Red Hat's RPM, with GPG/PGP
signing of packages, is one way to avoid installing a tainted package,
but it doesn't address the other infection vectors.

I wondered if it were possible to do something like compute a checksum
of images before running them and compare with a database of digitally
signed checksums, or do the old VMS thing and assign images network
privileges. I had thought to write a daemon that occasionally runs through
/proc/*/exe and checks things.

It occurs to me that the Java community has been through all this already,
though I get the impression that signing of objects is pretty rare still,
and the tools I had seen for signing Netscape applets were commercial.

Thoughts?
Ideas?
"Been there, done that"?

(apologies to Michael Mueller, whose alias tends to appear in searches for
"malware" ...)

Andrew Daviel
Vancouver Webpages, TRIUMF etc.

(please cc. andrew@daviel.org - though I will follow the archive)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
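The checker sketched in the message above (hash each running image, compare it with a signed database of checksums, walk /proc/*/exe periodically) as an added example; this is not code from the post, from RPM, or from any existing tool. It assumes a simulated /proc built in a temporary directory so it runs anywhere, uses SHA-256 for the per-file checksums, and uses an HMAC under a constructed key as a stand-in for the GPG/PGP signature on the checksum database. Names such as `check_running_images`, `build_manifest` and the sample binaries `httpd`, `sshd` and `rogue` are invented for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed key for the example; stands in for the GPG/PGP signature the
# post proposes on the checksum database.
MANIFEST_KEY = b"example-manifest-signing-key"
DELETED_SUFFIX = " (deleted)"   # what readlink(/proc/PID/exe) appends on Linux


def sha256_file(path):
    """Hash a file in chunks. Opening /proc/PID/exe hashes the mapped image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Checksum database: absolute path -> SHA-256 of the approved binary."""
    return {str(Path(p).resolve()): sha256_file(p) for p in paths}


def sign_manifest(manifest, key=MANIFEST_KEY):
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def load_manifest(body, tag, key=MANIFEST_KEY):
    """Refuse a database whose signature fails; otherwise an intruder who
    replaces system files (scenario 3) can simply rewrite the checksum list."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest signature check failed")
    return json.loads(body)


def check_running_images(manifest, proc_root="/proc"):
    """Walk proc_root/*/exe and report processes whose image is not approved."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:   # kernel threads, zombies, other users' processes
            continue
        deleted = target.endswith(DELETED_SUFFIX)
        path = target[:-len(DELETED_SUFFIX)] if deleted else target
        pid = int(entry)
        if path not in manifest:
            findings.append((pid, path, "not in manifest"))
            continue
        try:
            running = sha256_file(exe_link)   # the image actually executing
        except OSError:
            continue
        if running != manifest[path]:
            findings.append((pid, path, "running image hash mismatch"))
        elif deleted or (os.path.exists(path) and sha256_file(path) != manifest[path]):
            findings.append((pid, path, "on-disk file replaced since exec"))
    return findings


def demo():
    """Constructed /proc in a temp dir: one clean, one replaced, one unknown."""
    root = Path(tempfile.mkdtemp()).resolve()
    bin_dir = root / "bin"
    bin_dir.mkdir()
    httpd, sshd, rogue = bin_dir / "httpd", bin_dir / "sshd", bin_dir / "rogue"
    httpd.write_bytes(b"#!/bin/sh\necho httpd\n")
    sshd.write_bytes(b"#!/bin/sh\necho sshd\n")
    rogue.write_bytes(b"#!/bin/sh\necho not approved\n")

    body, tag = sign_manifest(build_manifest([httpd, sshd]))
    manifest = load_manifest(body, tag)

    proc = root / "proc"
    for pid, exe in ((101, httpd), (102, sshd), (103, rogue)):
        (proc / str(pid)).mkdir(parents=True)
        os.symlink(str(exe), proc / str(pid) / "exe")

    # Scenario 3: a system file is swapped out after the database was signed.
    sshd.write_bytes(b"#!/bin/sh\necho sshd (replaced)\n")

    tampered = False
    try:
        load_manifest(body, "0" * 64)   # forged signature must be rejected
    except ValueError:
        tampered = True
    return {"findings": check_running_images(manifest, str(proc)),
            "tampered_manifest_rejected": tampered}


if __name__ == "__main__":
    for pid, path, reason in demo()["findings"]:
        print(f"pid {pid}: {path}: {reason}")
```

Two caveats a practitioner would raise: a daemon that scans after the fact is detective, not preventive, so a process that runs and exits between two scans is never seen, and a real deployment would verify a detached signature over the database with a key the checker trusts rather than a shared-secret HMAC, since anyone who can read the key can forge the list.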