Anti Virus, now Anti Spy-ware

Nils Kassube kassube at gmx.net
Wed Jun 18 18:35:21 UTC 2008


Steve Lamb wrote:
> On Wed, June 18, 2008 10:11 am, Nils Kassube wrote:
> > While I don't generally disagree with this argument, I think on a
> > workstation it could be a big problem already if the malware would
> > "only" access the user area.
>
>     But this is hardly an issue compared to having system privileges.

If you look at it from the admin point of view, you are absolutely right. 
But Ubuntu is often installed on a single user's machine where the 
valuable data are inside the home directory of that user. So the valuable 
part isn't protected from an attack.

> > A malicious program could be accidentally installed
> > by the user and run at login with the user's privileges.
>
>     Which login?  As I posted elsewhere I have XFCE, Gnome, KDE3 and
> KDE4 all installed.  Just taking Ubuntu's make variants, any malicious
> software that is limited to user space would have to somehow inject
> itself into 4 different "logins" to cover a user since it can't touch
> the system boot-up scripts in /etc.

Right - that's the advantage of not having a monoculture.

> > It wouldn't be a great problem to reinstall the OS within a
> > reasonable time.
>
>     This is where you make the mistake of equating Windows threats with
> Linux.  If one's user space is infected one doesn't need to reinstall
> the OS.

Sorry, I think I didn't write it clearly enough. I know it isn't necessary 
to reinstall the OS if only a user account is compromised. For me it 
would be more trouble to restore my user data than to reinstall the OS. 
In this regard the better security model of Linux wouldn't necessarily 
help me.

> One simply needs a different user account, elevate to root, 
> remove the infection.  I only say a different user account because one
> has to presume the current one is compromised.  One of the pitfalls of
> Ubuntu's policy of a non-functional root password.  No way to get into
> root without a non-compromised normal user.

No problem: Boot into recovery mode.

> > But if a malicious program only modifies my personal files it would
> > probably take some time until I notice. Then I can only hope that I
> > still have a backup of the files from before the malicious program
> > was somehow installed.
>
>     That is a user process and one many people fail at.  Myself
> included. My point isn't that it couldn't happen.  It can.  It might
> yet still happen.  My point was that since there is such a strong
> division between user and system privileges any such infection is
> trivial to remove because simply logging in from a different user
> prevents the infection from running and engaging in any self-defense
> measures that are now so common with malicious code on Windows.  It
> also prevents the infection from burrowing itself into the system's
> core.  To do all of that requires obtaining elevated privileges which
> is several magnitudes harder than on Windows.

Agreed, it is easy to clean up an infection if only a user account is 
compromised.


Nils



