In search of a Linux Virus Scanner

To: debian-user@lists.debian.org
Subject: In search of a Linux Virus Scanner
From: Theodore Knab <tjk@annapolislinux.org>
Date: Mon, 1 Oct 2001 13:51:31 -0400
Message-id: <[🔎] 20011001135131.A4124@annapolislinux.org>

Hi all,

With the Nimba virus/worm and the Code Red worm breaking Windows around the globe, I am nervously waiting for the next Linux Worm.

It would be more work to make a Linux virus or worm because the designer would have to take care creating 2 programs as opposed to one.

What is being done to protect against this ? Are there any Linux virus/ worm scanners for Debian?

---------------------------------------------
Over-Simplified Hypothetical Linux Worm Design
---------------------------------------------

The first program would have to be a transport or vector.
The second program would be the virus or worm.
The vector would open the door to the unpatched machine and then send the buffer overflows for known vunerablities.
During the Linux World in NYC Feb. 2001, Bruce Perens gave a high level presentation where he presented a little C program that could be used as a vector to open a door to an unpatched machine.

1. Vector (transport)
C code that emulates a legal connection to a host machine.
This C code could try opening all the following connection to a remote host (open ports 21,22,23,25,53,80).
After connecting, the C code would call the worm.

2. Worm (known exploits)
While (port open)
Send_Exploit_for_Wget to port 21
Send_Exploit_for_Sendmail to port 25
Send_Exploit_for_Telnet to port 23
Send_Exploit_for_SSH to port 22
Send_Exploit_for_Bind to port 53
Send_Exploit_for_Apache to port 80

Other Hypothetical Threats Articles:
http://lwn.net/1998/1119/Trojan.html

Existing exploits for Linux machines:
http://www.google.com/search?q=cache:a7Rlxpy-qPg:www.insecure.org/sploits/INND.1.6.overflow.html+exploit+%22%23include%3Cstdio.h%3E%22&hl=en
http://www.google.com/search?q=cache:dI3dvxVTUoo:www.insecure.org/sploits/routed.tracefile.html+exploit+%22%23includ
http://www.google.com/search?q=cache:P2i_y4xKLY0:oliver.efri.hr/~crv/security/bugs/Linux/krnl220.html+exploit+%22%23include%3Cstdio.h%3E%22+linux&hl=en
http://www.google.com/search?q=cache:slTym0c2sGo:www.nmrc.org/files/unix/cxterm.exploit+exploit+%22%23include%3Cstdio.h%3E%
http://www.google.com/search?q=cache:8YybojTeyf4:security-archive.merton.ox.ac.uk/bugtraq-199909/0104.html+exploit+%22%23include%3Cstdio.h%3E%22+linux&hl=en

----------------------
GNU PGP public key
http://www.annapolislinux.org/docs/public_key/GnuPG.txt
---------------------

Reply to:

Follow-Ups:
- Re: In search of a Linux Virus Scanner
  - From: Noah Meyerhans <noahm@debian.org>
- Re: In search of a Linux Virus Scanner
  - From: Dave Sherohman <esper@sherohman.org>
- Re: In search of a Linux Virus Scanner
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>

Prev by Date: RE: Multihead
Next by Date: pppd cant' assign a remote ip and i'm desperate
Previous by thread: RE: Multihead
Next by thread: Re: In search of a Linux Virus Scanner
Index(es):
- Date
- Thread