cross-platform virus

Sasha Tsykin stsykin at gmail.com
Mon Apr 10 12:20:31 BST 2006


John wrote:
> Daniel Robitaille wrote:
>> On 4/8/06, Shawn McMahon <smcmahon at eiv.com> wrote:
>>
>>> On Sat, Apr 08, 2006 at 10:57:37AM +0800, Senectus . said:
>>>
>>>>   6. su root
>>>>   7. make install
>>>
>>> If we're going to install viruses, let's do it the "right" way:
>>>
>>> sudo make install
>>
>>
>> I always wondered about the potential of a problem with sudo in the
>> context of a linux virus/worm script.  Let's say that "virus" had the
>> line "sudo rm -Rf /", and that script/virus was run automatically
>> because of an action of the user in an application with a bug/security
>> weakness (by reading an email, clicking a link in firefox, whatever).
>> Obviously it wouldn't work (sudo needs to ask for a password), unless
>> the user had done a sudo command within the last 15 minutes, and the
>> sudo command still has a token not to ask for a new password.
>>
>> Wouldn't making Ubuntu's sudo ask for a password every single time
>> instead of the current once-per-15-minutes make the OS more secure
>> and immune to this type of simple script with a damaging payload?  But
>> of course that would be annoying while using sudo in our day-to-day
>> usage, but for increased security I would consider doing it (and
>> actually do on one of my systems)
> 
> sudo's tickets can be tied to a specific tty; while not foolproof, it 
> makes the use of sudo to do this kind of thing rather problematic, 
> requiring the victim to
> 1. Create a new tty (eg open konsole or gnome-terminal)
> 2. Authenticate using sudo
> 3. Undo 1.
> 
> Only then might the victim be vulnerable.
> 
> To exploit the vulnerability, the attacker then needs the attack vector. 
> Knowledgeable users should check their email clients & such to check that 
> they do not automatically run executable content (some years ago kmail 
> tried but failed as it didn't do the chmod); if they do, then report it 
> as a bug and, as needed, argue for it to be fixed.
> 
> 
> Note that one does not have to be root to do evil things. Root kits _I_ 
> have seen would have been more effective if not run as root - buggering 
> up /bin and /sbin wrongly causes the system to not run and then it's 
> immediately apparent something's wrong. OTOH quietly installing an IRC 
> bot as an existing (or maybe new) user may well go undetected for quite 
> some time.
> 
> 
All very well and good but what about the users without knowledge? They 
don't read this list, they don't know about this problem, and they will 
be the ones caught by any problem, not the experts, and they are the 
target audience for Ubuntu, let's not forget.

Sasha
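As an added example (not part of the thread), the sudoers settings that implement the two mitigations discussed above: Daniel's always-prompt behaviour and John's per-tty tickets. It assumes a sudo release that understands both options; install it with visudo so a syntax error cannot lock you out.

```sudoers
# Added example, not from the thread: sudoers Defaults for the two hardening
# ideas discussed above. Edit with `visudo` (or `visudo -f` on a drop-in file
# if your sudoers includes /etc/sudoers.d), never with a plain editor.

# Ubuntu's behaviour at the time: a successful sudo leaves a ticket that
# suppresses the password prompt for 15 minutes (timestamp_timeout=15).

# Daniel's suggestion: always prompt. A script that the user's mail client or
# browser runs cannot ride on an authentication from a few minutes earlier.
Defaults        timestamp_timeout=0

# John's point: tie the ticket to the terminal it was created on. A script
# started from a GUI application has no tty, or a different one, and finds no
# valid ticket. (Enabled by default in later sudo releases; explicit here.)
Defaults        tty_tickets
```

With timestamp_timeout=0 in place, tty_tickets is belt-and-braces; keeping only tty_tickets preserves the 15-minute convenience while still blocking the no-tty case.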



More information about the sounder mailing list