Brilliant Trojan Idea that we aren't immune to

James Wilkinson ubuntu at westexe.demon.co.uk
Tue May 31 16:59:53 UTC 2005


Andy Choens wrote:
> But, here's this new toy I read about.  This thing I saw on the BBC
> currently attacks windows, but could be pretty easily reconfigured to
> attack us just as easily.  IE downloads and runs it (loud round of
> applause for IE please).  It installed encryption software on your
> computer and then encrypts all of your data....you know the stuff in
> your My Documents Folder!  It leaves you with nothing but a big
> encrypted mess, and a text file explaining how to get your !@#$% back.
>  It's a freakin' ransom note!  This is absolutely brilliant.  Here's
> why I think we shouldn't laugh too much.  True, it can't install
> encryption software on a Linux computer because it wouldn't have the
> right privileges for it, but think how many of us already have that
> software installed on our computers!  I certainly do.....many of you
> do as well.  Heck....the more paranoid you are, the more likely you
> are to have it installed!
> 
> Next step, if someone can find a buffer over-run in a graphics library
> somewhere or some other cute buffer over-run and then slip a carefully
> made graphic, or whatever into the website, to run a simple script,
> we'd get hit just as hard.

Yes, once someone can find a vulnerable buffer over-run somewhere they
can get at it, they can get into your system. That's the real hole. That
there might be software on the system to help them further isn't that
big a deal. Encryption software isn't a lot to download.

That's how the few existing Linux worms spread; through unpatched holes
on old (even then) versions of Red Hat Linux, without firewalls. (Google
for Ramen and "L10n worm").

And that's what the Linux community have been fighting:

 * stuff like apt-get upgrade, yum, up2date to make "keeping it patched"
   easy;

 * distros coming by default with firewalls and not running stuff open
   to the net to minimize targets;
   
 * stuff like execshield, nx and SELinux to minimise what attackers can
   do with buffer over-runs (at different levels: nx and execshield stop
   them running code that way, while SELinux stops the code going too
   far);

 * continued attention to exposed software to minimise vulnerabilities;

 * possibly un-intentionally, the range of software available seems to
   be growing. So there are more different versions and a lower
   percentage of vulnerable systems.

 * I get the impression that there are a growing number of AMD64 or
   Power-based users (and then there's S390 mainframes)... That makes an
   attacker's life difficult, too.

James.
-- 
E-mail address: james | We still have enough spare cardboard sitting around
@westexe.demon.co.uk  | to send a bus by Parcelforce, although not enough
                      | wrapping to be sure they wouldn't deliver it broken
                      | into two pieces.  -- Alan Cox
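As a defender's follow-up to the mitigations James lists (keeping it patched, running less open to the net, nx, SELinux), here is an added example that is not part of the thread: a small POSIX shell script that checks for each of them. Every check reads its input from stdin so it runs on the constructed samples embedded below or on live data; the file paths and the `ss -ltn` column layout it assumes are those of a modern Debian/Ubuntu-style system with SELinux mounted at `/sys/fs/selinux`, and the `unattended-upgrades` flag is used as the present-day equivalent of the `apt-get upgrade` habit mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the thread: quick checks for the mitigations
# listed above (patching, fewer listeners, nx, SELinux).
# Each check reads stdin, so it can be run on the constructed samples
# below or on live data, e.g.:
#   has_nx < /proc/cpuinfo
#   selinux_enforcing < /sys/fs/selinux/enforce
#   auto_upgrades_on < /etc/apt/apt.conf.d/20auto-upgrades
#   ss -ltn | wildcard_listeners

# nx: the kernel exposes the CPU's no-execute bit as "nx" in the flags line.
has_nx() {
    grep -E '^flags[[:space:]]*:' | grep -Eq '(^|[[:space:]])nx([[:space:]]|$)'
}

# SELinux: "1" in /sys/fs/selinux/enforce, or "Enforcing" from getenforce.
selinux_enforcing() {
    read -r mode
    [ "$mode" = "1" ] || [ "$mode" = "Enforcing" ]
}

# Keeping it patched: the APT periodic flag that unattended-upgrades honours.
auto_upgrades_on() {
    grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";'
}

# Minimise targets: from `ss -ltn` output, print TCP listeners bound to
# every interface (0.0.0.0, *, or [::]); loopback-only services are skipped.
wildcard_listeners() {
    awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\*|\[::]):/ { print $4 }'
}

# Constructed samples (not real machine data) so the script runs offline.
SAMPLE_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae nx lm
'
SAMPLE_ENFORCE='1
'
SAMPLE_APT='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
'

# report LABEL CHECK INPUT: feed INPUT to CHECK and print OK or CHECK.
report() {
    if printf '%s' "$3" | "$2"; then echo "OK    $1"; else echo "CHECK $1"; fi
}

report "nx bit present"         has_nx            "$SAMPLE_CPUINFO"
report "SELinux enforcing"      selinux_enforcing "$SAMPLE_ENFORCE"
report "unattended upgrades on" auto_upgrades_on  "$SAMPLE_APT"
echo "listeners open to the net:"
printf '%s' "$SAMPLE_SS" | wildcard_listeners
```

On the constructed samples the script reports nx present, SELinux enforcing, unattended upgrades off (the sample sets the flag to "0"), and two listeners reachable from the network (sshd on 22 and a web server on 80), while the CUPS listener on 127.0.0.1:631 is correctly left out.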

More information about the ubuntu-users mailing list