Linux security (was Re: [clug] Witty worm a wake up call)

Antti.Roppola at brs.gov.au Antti.Roppola at brs.gov.au
Tue Jun 8 00:58:50 GMT 2004


Martijn van Oosterhout wrote:

> To do it properly you need to compromise the kernel, then all bets are
> off. In normal userspace it would be quite tricky, especially the
> user/root boundary is tricky (most users don't own binaries). Scripts
> are another possibility, ala macro virus.

We were discussing this last night. Once you get something in user-land,
you could have it automatically check for current escalation exploits
and try to get through before the system gets patched. Who's going to notice
if a compromised Mozilla is pulling stuff in through port 80? Even a
script that runs wget now and then could get by unnoticed.

A harder thing is automatic propagation. A bit harder since *usually* we don't
run stuff without questioning it. However, imagine a compromised ssh/scp
that doesn't (just?) log keystrokes, but inserts its own to do things with
the account at the other end (i.e. install itself). If it keylogs, it doesn't
even need to wait for you to open a session.

Installing IDS on *every* computer starts looking like a good idea.

Antti
