[plug] Linux/Rst-B - very much alive and kicking

Daniel Pittman daniel at rimspace.net
Fri Sep 19 07:46:49 WST 2008


Kev <kdownes at bbnet.com.au> writes:

> This might be of interest, particularly to new Linux users.
> http://www.sophos.com/security/blog/2008/09/1748.html

Mostly, it proposes a more or less unnecessary and generally unhelpful
solution to a "people" problem.

Notably, it discusses a virus that has floated around for Linux for the
last six years or so, capable of infecting "any ELF file in the current
directory."

On an average Linux that means no files, unless you move it somewhere
else /and/ run it as root.[1]

The suggestion of an "on-access" virus scanner is cute, but ultimately
ineffective today[2] and not likely to improve tomorrow[3].


Oh, and if you are concerned: 

If the attacker already has root you have lost.  Best of luck to you,
and I hope you kept good backups.

If not, ClamAV -- which is free -- will detect this.  Spend the day
running it over your entire system and checking to see if anything nasty
turns up.  No need to buy Sophos to detect this nasty.

Regards,
        Daniel

Footnotes: 
[1]  Getting it somewhere like /usr/bin that it could do harm means you
     /already/ have root access.  Only iff you routinely store compiled
     executables in a directory where you work, or routinely cd into
     ~/bin, is this going to be an issue.

[2]  There is a race, which a virus /can/ win, between the scanner
     accessing the files, declaring it clean, and the virus injecting
     code.  Not to mention, for this to be significantly useful the
     virus already needs to run as root, in which case it can simply
     bypass or disable the virus scanner...

[3]  The current push by vendors like Sophos to introduce on-access
     scanning into the Linux kernel is receiving significant push-back
     from the best developers -- in large part because the anti-virus
     people didn't bother to actually define a threat model.[4]

     (Also, on-access scanning /still/ has the race tomorrow.)

[4]  Depressingly, the person they elected to propose the changes didn't
     even know what one was, or why it would matter if they had one.
     (hint: unless you know what the threat is your ideas to fix it are
      /never/ going to work except by blind luck.)
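Footnote [1] turns on a simple question: which ELF files could a file infector running with *your* privileges actually write to? The script below is an added example, not part of Daniel's post or of ClamAV or Sophos; it walks a directory tree, identifies ELF files by their magic number, and reports whether each one is writable under its mode bits for the current user. It assumes a POSIX system and deliberately judges writability from mode bits alone (ignoring ACLs, and ignoring the fact that root can write anything, which is exactly the "if the attacker already has root you have lost" case). The sample tree it builds is constructed for illustration.

```python
"""Audit which ELF files under a directory the current user could modify.

Added example (not from the original post).  Assumes POSIX (os.getuid etc.).
Writability is judged from mode bits only: ACLs are ignored, and so is the
root override (root can write any file regardless of mode).
"""
import os
import stat
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def is_elf(path):
    """Return True if the file starts with the ELF magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def writable_by_mode(path):
    """Could the current (non-root) user write `path`, judging by mode bits?"""
    st = os.lstat(path)
    if st.st_uid == os.getuid():
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == os.getgid() or st.st_gid in os.getgroups():
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_elf_files(root):
    """Walk `root` and map each ELF file's path (relative to root) to whether
    the current user could write it.  Symlinks and non-regular files are skipped."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_elf(path):
                results[os.path.relpath(path, root)] = writable_by_mode(path)
    return results


def build_sample_tree():
    """Constructed sample data: a throwaway directory with three files."""
    root = tempfile.mkdtemp(prefix="elf-audit-")
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # minimal ELF-looking header
    # A user-writable ELF: the "compiled executable in the directory where you
    # work" that footnote [1] warns about.
    with open(os.path.join(root, "mytool"), "wb") as f:
        f.write(header)
    os.chmod(os.path.join(root, "mytool"), 0o755)
    # An ELF the user cannot write (mode 0555), as in /usr/bin.
    with open(os.path.join(root, "system-bin"), "wb") as f:
        f.write(header)
    os.chmod(os.path.join(root, "system-bin"), 0o555)
    # An executable shell script: not ELF, so not a target for an ELF infector.
    with open(os.path.join(root, "run.sh"), "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    os.chmod(os.path.join(root, "run.sh"), 0o755)
    return root


if __name__ == "__main__":
    # Usage: python elf_audit.py [directory]; defaults to the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, writable in sorted(audit_elf_files(target).items()):
        print(f"{'WRITABLE ' if writable else 'read-only'}  {rel}")
```

Run it over your home directory or wherever you keep compiled binaries: the `WRITABLE` lines are the only files an infector running as you could touch, which is usually a short list on a stock system.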
