[OLPC Security] A mom's worries

alien alien at MIT.EDU
Thu Nov 29 17:07:53 EST 2007


> The notion of malware for *nix systems (including Linux) isn't all
> *that* far-fetched.

Totally. I've worked on lots of incident response cases involving hacked
*nix systems, from botnets to DDOS Trojans to straightforward data
thefts. The main difference between these and Windows incidents is that
the Linux exploits were consistently more traditional -- i.e., they tend to
work by exploiting web servers or brute-forcing account passwords --
while in the Windows world the trend has been moving more toward
client-side exploits, phishing, etc.

Now that a large number of kids will be in possession of modified Linux
systems, I suspect we'll start seeing an increase in client-side Linux
exploits, too.

> Access as an ordinary user is all that's required (in general ) to
> set up outbound network connections, run processes in the background,
> etc. A spam-bot doesn't need root access.

Great point!

s


Marcus Leech wrote:
> Seth Woodworth wrote:
>> Yes, because there is such a thriving anti-virus industry for linux
>> systems.
>>
>> Maybe someone should explain the OLPC system a little better.  The
>> idea is that malicious software (or any software for that matter)
>> isn't allowed to do anything.  The worst that it could do is take up
>> resources until it was shut down.
>>
>> This is basically what anti-virus software does.  It finds programs
>> that it thinks are malicious, and contains them from accessing things
>> that they shouldn't.  It sounds like you are suggesting someone writes
>> a program to do this again.
>>
> The notion of malware for *nix systems (including Linux) isn't all
> *that* far-fetched.
> 
> You *have* to assume that at some point, some piece of application
> software has a remote-execution vulnerability (that is, a
> vulnerability that allows an attacker to load and run code in the
> context of the targeted application).  In *nix, this would
> be the "context" of an ordinary user, which means that the downloaded
> code can only muck with objects that the
> ordinary user has access to.  But that isn't a guarantee that
> *nothing* bad would happen.
> 
> Consider, for example, that on ordinary *nix desktop systems, the user
> usually (but not always) has root access via
> "su" or "sudo".   Consider a remote-execution exploit that quietly
> mucks with the user's .profile/.cshrc/.bashrc to
> point the user at slightly-modified versions of sudo that collect the
> password, and then call the "real deal".
> 
> The code simply lies dormant until the user happens to do a "su" or a
> "sudo", and then "does interesting things".
> 
> It's not inconceivable, it just hasn't happened on any kind of scale
> that's interesting.
> 
> One should also consider that some types of malware are perfectly happy
> not to have "root" access.  Access as an ordinary
> user is all that's required (in general) to set up outbound network
> connections, run processes in the background, etc.
> A spam-bot doesn't need root access.
> 
> _______________________________________________
> Security mailing list
> Security at lists.laptop.org
> http://lists.laptop.org/listinfo/security
