
How Linux will destroy the Internet

sexion8 Member Posts: 242
Won't be too popular with nix fans...

http://infiltrated.net/ubuntuDestruction.php
"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius

Comments

  • KGhaleon Member Posts: 1,346 ■■■■□□□□□□
    I agree with whatever that guy was rambling about, and further propose that non-technical people never touch a computer ever again. :D

    KG
    Present goals: MCAS, MCSA, 70-680
  • Darthn3ss Member Posts: 1,096
    That's an interesting article, but that's assuming that nothing will change but the amount of people using Linux. As issues arise, I'm sure they'll be fixed.

    Also, I don't think Linux is ready for everyday people's use. Even with Ubuntu I've still had to spend hours on the internet trying to find out how to get my wireless card drivers, etc. to work.
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • silentc1015 Member Posts: 128
    sexion8 wrote:
    Won't be too popular with nix fans...

    http://infiltrated.net/ubuntuDestruction.php

    Interesting to see that point of view, but in my opinion it's a total load of garbage. I'm just three paragraphs in and I can point out something completely absurd about each.

    Personally, I think it could end up being the worst thing on the planet.

    Really... Worse than nuclear proliferation, genocide, diseases, etc?

    It's an all too powerful operating system and should not be tailored for day to day tasks, and for the zealots who've been porting Linux over and cartoonifying this operating system, for the average user, shame on you.

    It's not all too powerful. Windows is just as powerful if you have the right tools or know some scripting and programming languages to craft your own. I say this, and I'm one of the biggest Linux fans you'll ever see.

    For starters, imagine the ever elusive types of viruses that will sprout up on these machines. Secondly, imagine a script kiddiots glee when he or she discovers that he can now compile mega DoS attacks much easier than he could on Windows.

    If someone compiles applications that perform DOS attacks and writes viruses that take advantage of 0day exploits, I don't really think you can call them simple script kiddies anymore.

    The rest of the article is pure sensationalism and an extremely contrived example of which you can do the exact same in a Windows environment.
  • sexion8 Member Posts: 242
    Really... Worse than nuclear proliferation, genocide, diseases, etc?

    It's called "figuratively speaking..."
    It's not all too powerful. Windows is just as powerful if you have the right tools or know some scripting and programming languages to craft your own. I say this, and I'm one of the biggest Linux fans you'll ever see.

    Windows could never compete with Linux on 1) a networking scale 2) on methods to capture what is going on (lsof vs. Task Manager). I can build you a worm that would be undetectable on Linux versus one on Windows. 1) There are far more antivirus companies catering to Windows and eventually they'll catch on. Windows is straightforward in terms of doing an analysis. Nix is a more difficult beast to contain so again I ask... What would you do under these pretenses when a couple of hundred thousand grannies have their Ubuntu machines compromised.

    Let's take this to a legal level now. We've all heard about the old woman who was molested by the RIAA for downloading... She was dead (http://www.betanews.com/article/RIAA_Sues_Deceased_Grandmother/1107532260), etc., that is a no brainer. Easy for authorities to track down. Now let's throw this scenario out there... Old grandpa went and bought himself an Ubuntu powered Dell that was compromised and used to host kiddie pix. The attackers modified all sorts of scripts to clean up after themselves as if no intrusion occurred. The feds arrest old grandpa. Guess what, there is no evidence of the compromise and grandpa was clueless. There was and never will be any antivirus I could think of to stop that from happening. You think the feds will care whether grandpa is telling the truth. I suggest you read some legal casefiles and understand the harsh realities of laws in the US.
    If someone compiles applications that perform DOS attacks and writes viruses that take advantage of 0day exploits, I don't really think you can call them simple script kiddies anymore.

    I suggest you go out and acquaint yourself with the true definition of script kiddie.
    The rest of the article is pure sensationalism and an extremely contrived example of which you can do the exact same in a Windows environment.

    You CAN do SIMILAR things under Windows but not to the same extent.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • markzab Member Posts: 619
    Maybe it's early, but as soon as I read the title...

    "Sharks with Lasers" popped into my head.

    Ok, I obviously need to get more sleep.
    "You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done!" - Rocky
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Hmmmm. Reminds me of everyone's favorite Internet alarmist (but very nice guy and smart too) Steve Gibson. He made the following statement before the release of WinXP:
    When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.

    He based this on the fact that Windows, under this new OS, could spoof its IP address as easily as the Unix/Linux machines could. Here are a couple of his reasons for sounding the alarm:
    It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods.
    As a result, Internet security experts know that non-spoofing Internet attacks are almost certainly being generated by Windows-based PC's. Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available.

    It is incredibly fortuitous for the Internet that the massive population of Windows-based machines has never enjoyed this complete "Unix Sockets" support which is so prone to abuse. But the very bad news is . . .

    This has horribly changed for the worse with the release of Windows 2000 and the pending release of Windows XP. For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability FOR ANY APPLICATION to generate incredibly malicious Internet traffic, including spoofed source IP's and SYN-flooding full scale Denial of Service (DoS) attacks!

    Guess what? While his reasoning and facts were correct, his greatest fears and big alarm never surfaced. I'm not sure exactly why.

    Now if script kiddies already using Windows never rose to the occasion, why would handing out Linux boxes to granny be any different? They didn't take the opportunity then and they probably won't even if Linux becomes mainstream (which it won't any time soon here in the US where everyone can afford Windows). Why, well they're probably called "script kiddies" for a reason. Maybe your opinion of them is too high, sexion8?
    All things are possible, only believe.
  • sexion8 Member Posts: 242
    sprkymrk wrote:
    Now if script kiddies already using Windows never rose to the occasion, why would handing out Linux boxes to granny be any different? They didn't take the opportunity then and they probably won't even if Linux becomes mainstream (which it won't any time soon here in the US where everyone can afford Windows). Why, well they're probably called "script kiddies" for a reason. Maybe your opinion of them is too high, sexion8?

    Windows has never had 1) the amount of moronic tools available under *Nix. Tools like Fragroute, IRPAS, Scapy. Enabling them the option to have these tools is a big mistake. It's not alarmist and perhaps I could have stated "idiots in the malware, organized e-Crime world." All in all they're the same to me.

    The difference again, between Windows based idiots and those using *Nix (Solaris, BSD, Linux) as their platform of choice, is, it actually takes someone with a little more than a clue. By script kiddiots I'm not talking about a juvenile with too much time on his hands compiling smurf. I'm talking about the phishers, the malware spreaders, the organized idiots who would have the best/worst tool at their disposal.

    So maybe I should go back and re-write "script kiddiots/e-organized crimesters/fraudsters/phishers". Would it make more sense to some of you then?
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    For £6.09 (around $12) I have set up and am hosting my own website. So for just the cost of the domain name it's a pretty sound investment.

    I'm new to Linux but a huge fan already.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • silentc1015 Member Posts: 128
    Pash wrote:
    For £6.09 (around $12) I have set up and am hosting my own website. So for just the cost of the domain name it's a pretty sound investment.

    I'm new to Linux but a huge fan already.

    I'm glad to hear it. That's one thing that makes Linux so great. You can do things like operate a DNS server, a web server, large databases, etc for free. Not only can you do useful things with them, you can use them to train yourself.

    Have fun and pay no attention to alarmists. They'll have something new to complain about in 5 or 10 years when Linux hasn't destroyed the planet.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    sexion8 wrote:
    I'm talking about the phishers, the malware spreaders, the organized idiots who would have the best/worst tool at their disposal.

    Don't you think they're using linux already? Organized e-crime perps are actually subsidized by your standard Mob/Mafia crime syndicates for purposes of identity theft through spyware. These guys are not idiots, nor are they currently using Windows except for creating Windows based malware.

    Are you strictly speaking of the ability to create Linux based malware once Linux has a large enough user base to justify the effort? Then I would submit that if the user base becomes mainstream the AV companies will have more/better support for catching these things. Additional open source solutions will also come to the forefront IMO.
    All things are possible, only believe.
  • sexion8 Member Posts: 242
    sprkymrk wrote:
    Are you strictly speaking of the ability to create Linux based malware once Linux has a large enough user base to justify the effort? Then I would submit that if the user base becomes mainstream the AV companies will have more/better support for catching these things. Additional open source solutions will also come to the forefront IMO.

    No, Linux based malware is out there already, I'm talking about someone with enough time on their hands to craft a completely uncontainable worm, virus, etc., I've played with this idea for a long time... In 1999 I wrote a program called rootkeep (http://tinyurl.com/2ms26w) that KEPT a backdoor on Solaris. You rebooted... It came right back... The same with venomous (http://infiltrated.net/scripts/venomous) ... It's actually really simple...

    I wrote one that is completely heuristic based on time that changes every two days while dormant, once an hour while active. It is oblivious to whatever you want to throw at it, and uses a combination md5 and sha1 sum to masquerade itself. It's similar to the concept of Voltron - the old cartoon where they all combined to make one fighter... All hidden through ranDumb directories and files that are already on your system. So even the "security" conscious won't have a clue. I haven't posted the source on this one and I don't want to... Believe me when I tell you, there would be no av on the planet that would stop it, there is nothing to detect, it's based off of all the files on your system already... There is nothing to look for, it only compiles itself when it needs to and destroys itself afterwards... So good luck looking for something that doesn't exist. You would need to run an AV 24/7 against it.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • sexion8 Member Posts: 242
    Have fun and pay no attention to alarmists. They'll have something new to complain about in 5 or 10 years when Linux hasn't destroyed the planet.

    That's actually a shame considering you supposedly have your CISSP. Funny thing is, I've been dealing with people with certs for over 12 years now and have sparred with the best right on down to IETF, IEEE, SAGE Engineers, and I have no problem explaining the concepts, theories and proving them. I'd hate to have a one-sided thinker in my company. "A cert does not make an expert" - words to live by, told to me by a Columbia Professor.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • silentc1015 Member Posts: 128
    sexion8 wrote:
    Have fun and pay no attention to alarmists. They'll have something new to complain about in 5 or 10 years when Linux hasn't destroyed the planet.

    That's actually a shame considering you supposedly have your CISSP. Funny thing is, I've been dealing with people with certs for over 12 years now and have sparred with the best right on down to IETF, IEEE, SAGE Engineers, and I have no problem explaining the concepts, theories and proving them. I'd hate to have a one-sided thinker in my company. "A cert does not make an expert" - words to live by, told to me by a Columbia Professor.

    Feel free to continue with your personal attacks. Your attitude is why I'm basically avoiding dialogue with you, or "sparring" as you refer to it. I would address your accusations about my credibility but I don't feed trolls.
  • malcybood Member Posts: 900 ■■■□□□□□□□
    sexion8 wrote:
    That's actually a shame considering you supposedly have your CISSP. Funny thing is, I've been dealing with people with certs for over 12 years now and have sparred with the best right on down to IETF, IEEE, SAGE Engineers, and I have no problem explaining the concepts, theories and proving them. I'd hate to have a one-sided thinker in my company. "A cert does not make an expert" - words to live by, told to me by a Columbia Professor.

    Don't bother doing the CCVP or CCIE then
  • Ricka182 Member Posts: 3,359
    And to think, he's now posted some of the comments made by users here on that site..... It seems some people take some things way too seriously, on both sides.....
    i remain, he who remains to be....
  • malcybood Member Posts: 900 ■■■□□□□□□□
    Ricka182 wrote:
    And to think, he's now posted some of the comments made by users here on that site.....

    LOL that's ridiculous!
  • sexion8 Member Posts: 242
    Ricka182 wrote:
    And to think, he's now posted some of the comments made by users here on that site..... It seems some people take some things way too seriously, on both sides.....

    All sides of a story are valid. I like hearing people's points of view; it's what makes things better at times. I don't ask that anyone agree with me, I simply made my statements and I appreciate others' as well. As for comments on "Don't take the CCVP or CCIE" ... Doesn't bother me, I've been through too much to let anything get to me.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • silentc1015 Member Posts: 128
    malcybood wrote:
    Ricka182 wrote:
    And to think, he's now posted some of the comments made by users here on that site.....

    LOL that's ridiculous!

    I just looked. He's quoting me! LOL
  • malcybood Member Posts: 900 ■■■□□□□□□□
    sexion8 wrote:

    "A cert does not make an expert" - words to live by, told to me by a Columbia Professor.
    sexion8 wrote:
    All sides of a story are valid. I like hearing people's points of view; it's what makes things better at times. I don't ask that anyone agree with me, I simply made my statements and I appreciate others' as well. As for comments on "Don't take the CCVP or CCIE" ... Doesn't bother me, I've been through too much to let anything get to me.

    My point was if you believe the first quote above from Mr. Professor, why are you bothering with CCVP and CCIE? I didn't just say don't bother with it, if you actually read it properly!

    Anyway I'm bored of this thread now so have fun
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Be fair on your other site and at least provide the link to the discussion here rather than just pulling excerpts.

    Let's all keep the opinions polite. Everyone is entitled to a little respect whether you agree with them or not.

    Sexion8 - It really looks to me like you're talking about rootkits. What's special about yours that I'm missing? Morphing/resurrecting rootkits are not new. Dangerous yes, hard to detect, yes. Normally requires a rebuild of the infected machine if you can detect it at all. But it's not a new concept at all. Fill in the blanks for me here... Why would the propagation of the Linux desktop ruin the Internet? More victims? More than already exist on Windows desktops?
    All things are possible, only believe.
  • bighornsheep Member Posts: 1,506
    I guess this is a classic scenario of ethics and power. I think that computers, or information technologies in general, have become so available to most people that it's hard to separate the haves and have-nots. I recall a case study about r&d 2 years ago that addresses compromises and solution-finding; I think the key issue in such scenarios greatly involves what kinds of choices people make and for what reasons. Looking into the history of science and technology, there have been several examples of "positive motives" leading to mass destruction, although I wouldn't say Linux was a "positive motive" in terms of why it was created, but it definitely has opened the door for many great innovations, and the whole open-source community, and as for what this movement will eventually become given its potential (both positive and negative), perhaps only time will tell.

    Nevertheless, I see why somebody concerned with security and networking will write articles of such predictions; at the same time, I can also see why somebody else will think it's over-worrying. For myself, I think that as long as the general people act according to their right conscience, there isn't much more one could do. In the real world, even the safest drivers taking all the precautions end up getting killed by bad & crazy drivers, so I guess in the computer world, it's not uncommon to think that perhaps the good "computer-citizens" will be accused of crimes they did not commit.

    In summary, it's definitely a valid concern, but what more could one do?
    Jack of all trades, master of none
  • sexion8 Member Posts: 242
    sprkymrk wrote:
    Sexion8 - It really looks to me like you're talking about rootkits. What's special about yours that I'm missing? Morphing/resurrecting rootkits are not new. Dangerous yes, hard to detect, yes. Normally requires a rebuild of the infected machine if you can detect it at all. But it's not a new concept at all. Fill in the blanks for me here... Why would the propagation of the Linux desktop ruin the Internet? More victims? More than already exist on Windows desktops?

    Added the link... Now to fill in the blanks... You missed the initial post in which I linked rootkeep... It's undetectable, uses existing files already ON YOUR system and evolves... Unlike Windows based malware which needs something executed, downloaded or run, this is already on your system... Clean it? You mean re-install; there is nothing to clean...
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    I'm glad to hear it. That's one thing that makes Linux so great. You can do things like operate a DNS server, a web server, large databases, etc for free. Not only can you do useful things with them, you can use them to train yourself.

    Have fun and pay no attention to alarmists. They'll have something new to complain about in 5 or 10 years when Linux hasn't destroyed the planet.

    Thanks, I am having fun already... I'm mainly using the box to get back into php/mysql stuff that I used to do a lot a little while back.

    But I do pay attention to people expressing their thoughts... even on the internet. While I can neither agree nor disagree with that gentleman's post (because I'm new to Linux) I do respect that it's his opinion... the same as I respect your view on him being an "alarmist". I'll make up my mind soon I should think... probably when someone puts a nasty virus on my box because I haven't got a clue how to secure it properly :p
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    sexion8 wrote:
    sprkymrk wrote:
    Sexion8 - It really looks to me like you're talking about rootkits. What's special about yours that I'm missing? Morphing/resurrecting rootkits are not new. Dangerous yes, hard to detect, yes. Normally requires a rebuild of the infected machine if you can detect it at all. But it's not a new concept at all. Fill in the blanks for me here... Why would the propagation of the Linux desktop ruin the Internet? More victims? More than already exist on Windows desktops?

    Added the link... Now to fill in the blanks... You missed the initial post in which I linked rootkeep... It's undetectable, uses existing files already ON YOUR system and evolves... Unlike Windows based malware which needs something executed, downloaded or run, this is already on your system... Clean it? You mean re-install; there is nothing to clean...

    Never said "clean"... I said "rebuild".
    I'll check your link to rootkeep closer. You're right, I missed it.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    sexion8 wrote:
    sprkymrk wrote:
    Are you strictly speaking of the ability to create Linux based malware once Linux has a large enough user base to justify the effort? Then I would submit that if the user base becomes mainstream the AV companies will have more/better support for catching these things. Additional open source solutions will also come to the forefront IMO.

    No, Linux based malware is out there already, I'm talking about someone with enough time on their hands to craft a completely uncontainable worm, virus, etc., I've played with this idea for a long time... In 1999 I wrote a program called rootkeep (http://tinyurl.com/2ms26w) that KEPT a backdoor on Solaris. You rebooted... It came right back... The same with venomous (http://infiltrated.net/scripts/venomous) ... It's actually really simple...

    I wrote one that is completely heuristic based on time that changes every two days while dormant, once an hour while active. It is oblivious to whatever you want to throw at it, and uses a combination md5 and sha1 sum to masquerade itself. It's similar to the concept of Voltron - the old cartoon where they all combined to make one fighter... All hidden through ranDumb directories and files that are already on your system. So even the "security" conscious won't have a clue. I haven't posted the source on this one and I don't want to... Believe me when I tell you, there would be no av on the planet that would stop it, there is nothing to detect, it's based off of all the files on your system already... There is nothing to look for, it only compiles itself when it needs to and destroys itself afterwards... So good luck looking for something that doesn't exist. You would need to run an AV 24/7 against it.

    Well I looked through some links on rootkeep - current AV catches it before it gets downloaded.

    As for "undetectable" code that only compiles itself when needed, I am guessing (and only guessing) that the actual act of beginning to compile itself will be what a good host-based IDS/IPS will be programmed to watch for.
    All things are possible, only believe.
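What sprkymrk's guess about a host-based IDS would look like as an actual rule: watch process-execution records for a compiler being pointed at a scratch directory, an interpreter being handed a script from one, or a binary being launched straight out of one. This is an added example, not code from the thread or from any real HIDS product; the log lines are constructed in an auditd-like EXECVE style and come from no real host, and the rule names (`compiler_scratch`, `interpreter_scratch`, `scratch_exec`) are this example's own.

```python
"""Detect compile-and-run-from-/tmp behaviour in process execution logs.
Added example (not from the thread). Input format is a constructed
auditd-style EXECVE record: fields a0="..." a1="..." carry argv."""
import re
from dataclasses import dataclass

COMPILERS = {"gcc", "cc", "g++", "clang", "tcc", "as", "ld"}
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable locations

# Matches the argv fields of an EXECVE record: a0="/bin/sh" a1="x" ...
EXEC_ARG = re.compile(r'\ba(\d+)="((?:[^"\\]|\\.)*)"')


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


# Constructed sample log (hypothetical host; timestamps and paths invented).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1180000001.001:101): argc=2 a0="/usr/bin/vim" a1="/etc/hosts"
type=EXECVE msg=audit(1180000002.002:102): argc=4 a0="/usr/bin/gcc" a1="-o" a2="/tmp/.x" a3="/tmp/.x.c"
type=EXECVE msg=audit(1180000003.003:103): argc=2 a0="/bin/sh" a1="/tmp/.x.sh"
type=EXECVE msg=audit(1180000004.004:104): argc=3 a0="/usr/bin/gcc" a1="-c" a2="/home/dev/proj/main.c"
type=EXECVE msg=audit(1180000005.005:105): argc=1 a0="/tmp/.x"
"""


def parse_argv(line: str) -> list[str]:
    """Rebuild argv from the a0..aN fields, in index order."""
    found = {int(i): v for i, v in EXEC_ARG.findall(line)}
    return [found[i] for i in sorted(found)]


def under_scratch(path: str) -> bool:
    return path.startswith(SCRATCH_DIRS)


def classify(argv: list[str]):
    """Return (rule, detail) if argv matches one of the rules, else None."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]          # basename of the executable
    if under_scratch(argv[0]):
        return "scratch_exec", f"binary launched from scratch dir: {argv[0]}"
    if prog in COMPILERS and any(under_scratch(a) for a in argv[1:]):
        return "compiler_scratch", f"{prog} reading/writing a scratch dir: {' '.join(argv)}"
    if prog in INTERPRETERS and any(under_scratch(a) for a in argv[1:]):
        return "interpreter_scratch", f"{prog} running a script from a scratch dir: {' '.join(argv)}"
    return None


def scan(log_text: str) -> list[Alert]:
    """Run the rules over every EXECVE record and collect alerts."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if "type=EXECVE" not in line:
            continue
        hit = classify(parse_argv(line))
        if hit:
            alerts.append(Alert(n, *hit))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: [{a.rule}] {a.detail}")
```

The ordinary developer compile on line 4 of the sample (sources under a home directory) produces no alert, which is the point of keying the rule on the scratch directory rather than on the compiler alone; a deployment would feed real audit records and tune `SCRATCH_DIRS` to the host's world-writable mounts.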
  • sexion8 Member Posts: 242
    sprkymrk wrote:
    Never said "clean"... I said "rebuild".
    I'll check your link to rootkeep closer. You're right, I missed it.

    There's a Canadian company I did some contract work for last Thursday (NDA the whole 9), they were leveraged because of the good old "oops I forgot to turn off that account" bruteforce attack on SSH. They had a CISA & CISSP for a CSO whom I was in liaison with - who actually hired me to do the analysis of what happened... After I found out everything I needed to and did my report for them, I actually spent more time on the phone with the CSO explaining to him what had happened. I got into discussion of this same topic with him... "What would you have done if the intruder didn't only want your machine for a spambot?" And he proceeded with book like material conversation which had me shaking my head. I respect everyone's opinion(s) to the fullest so apologies to ANYONE who misinterprets my conversation as something more than what it is intended to be. To me it's a debate, you state your point, and let me state mine...

    Right now, as I will restate, I've been playing with numerous concepts and theories when it comes to security. I'm working on a multicast vector attack on SMS, a multicast attack on VoIP, I've already proven an attack on BGP routing via dampening back in 1999, and now I'm starting to dabble with the "what ifs..." and they aren't overblown "what ifs" they're more like... "Here is a baseline to destroy this..." Now what if my intentions were malicious. This is what a lot of people don't understand or can't comprehend. I don't write anything to be an ass, I write them because others will write them and their intentions won't be to spur debate or to have others look @ the issue.

    I respect the posts of just about everyone here, certified or not, that portion in all honesty means little to me. What means more is good dialog, not a quick snub at the nose with a "you can't do that"... I can prove that I can and I actually show it... Now if someone would care to state "well this is how I would stop it", I'd like to hear it. I've already heard/seen all of the "you must be crazy" comments, but the problem is, I've given proof via my script. Try it if you'd like, there isn't any hocus pocus voodoo involved. Just a simple shell script based off of the system you already have. No downloading, no social engineering... It's already in place. THAT's the point I'm trying to make... What is going to happen when these attack vectors are used... And they will be.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • sexion8 Member Posts: 242
    sprkymrk wrote:
    As for "undetectable" code that only compiles itself when needed, I am guessing (and only guessing) that the actual act of beginning to compile itself will be what a good host-based IDS/IPS will be programmed to watch for.

    Did I mention the heuristics behind the other version I won't release ;)

    rootkeep is 8 years old already ;) Rootkeep uses an exploit before it's functional. This one doesn't need it, it uses files in /usr/includes so it doesn't need to get anything. All it does is parse out words.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • silentc1015 Member Posts: 128
    My opinion in regards to rootkits is this. If the attacker has reached a point where he or she can already install a rootkit, your security has already failed for the most part. At this point all you can do is pray that your OS security mechanisms (file integrity checking such as tripwire, AV, etc) work properly. If these don't detect the rootkit, you're pretty much screwed.

    I would be very interested in hearing how a rootkit could avoid something like a well-configured file integrity checking software package that stores a hash of all critical files, checks it on a routine basis, and sends a log of any inconsistencies off-site. For a rootkit to work properly it absolutely must modify files. If I'm missing something here, I would appreciate being clued in. I'm not being sarcastic either. I appreciate an education.

    Detection and defeat of such an attack really needs to occur at the network perimeter, or at the local system's level on the tcp/ip stack in the form of a local firewall. If it gets past this point, in my opinion, all bets are off. This is not to say that your system security should be neglected. But here is an analogy. You want to stop bank robbers at the front door, or even in the parking lot. Once they're inside (i.e. have a system account), you don't want to be praying that they can't cut through the vault. You obviously still want your vault, but you never want to have to rely on it.

    If someone rootkits your machine with absolutely no detection at any layer of defense, you've simply done something (or many things) wrong. Assuming you do things correctly, you should have no problem detecting such an attack, at which point an OS rebuild from known trusted media is the only sure solution.
  • sexion8 Member Posts: 242
    I would be very interested in hearing how a rootkit could avoid something like a well-configured file integrity checking software package that stores a hash of all critical files, checks it on a routine basis, and sends a log of any inconsistencies off-site. For a rootkit to work properly it absolutely must modify files. If I'm missing something here, I would appreciate being clued in. I'm not being sarcastic either. I appreciate an education.

    You won't necessarily need to defeat a well configured file integrity checker. In fact all you'd need to do is cause more than one collision and that's already been done a while back

    http://www.cits.rub.de/MD5Collisions/
    http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

    How trustworthy would you deem Tripwire, et al. to be if all of a sudden you're seeing all sorts of collisions? I wrote a program a while back to do that too... Take two checksums (http://tinyurl.com/22enmt) for files on a Unix based system but everyone screamed "overboard security!" ... Was it? What were the odds of someone leveraging both md5 and sha1 in the same setting, on the same intrusion, in under 59 minutes (amount of time in crontab) before I caught them? I may redo the integrity checker soon who knows... When I have a week to kill. May even make it database driven with information stored offsite for comparative analysis... Who knows...

    To answer your question though, for my rootkit to work it does not need to modify anything. It never downloads anything, never touches anything... Quick logical flowchart...

    /usr/includes (files are already there)
    /tmp/ garbage is stored here...

    first
    go into certain files from /usr/includes and elsewhere

    then
    parse out certain words from these files... remember to change the files you look at

    after
    take all these words and combine them into a script in /tmp

    then
    run that script in /tmp

    after
    delete yourself


    What are you looking for? The script is gone and it never downloaded or saved anything... Yet you will still be backdoored... If I HAD TO modify some of the files, they would be random files as well, never the same...

    You would have to run Tripwire or another similar program non-stop and catch it at that instance... Make more sense now? That's WITHOUT the fact that I could cause one or two collisions if you rely on md5 and sha1... How many false positives before the typical admin just ignores errors? It's human nature... So go out and recompile the latest stable version of whatever... What do you think sysadmins would do when that newly compiled version of whatever is giving them false positives... They'll ignore it... And we're talking sysadmins here... The original article covered grannies ;)

    PS... Think you can chmod||chown /tmp? Try it, we'll see how fast things break.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
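The integrity checker silentc1015 asks about, written out so the exchange above can be followed in code: a baseline of every watched file, a scheduled comparison, and each inconsistency written as one line to a sink that stands in for the off-site log. It answers sexion8's two objections in the same place: it hashes with SHA-256 rather than the MD5 and SHA-1 whose collisions he links, and it never re-baselines on its own, so a planned rebuild is accepted per file by a human rather than silenced by ignoring the alerts. This is an added example, not code from the thread and not Tripwire's; the file tree is constructed in a temporary directory and the function names are this example's own.

```python
"""Baseline-and-compare file integrity checking. Added example (not from the
thread). Fingerprint = SHA-256 + size + mode; findings are JSON lines."""
import hashlib
import io
import json
import os
import stat
import tempfile

FIELDS = ("sha256", "size", "mode")


def fingerprint(path: str) -> dict:
    """Hash the file with SHA-256 and record size and permission bits."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Walk root and fingerprint every regular file (symlinks skipped)."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def check(root: str, baseline: dict) -> list:
    """Compare the tree under root with baseline; report new, missing, modified."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append({"path": rel, "status": "missing"})
        elif rel not in baseline:
            findings.append({"path": rel, "status": "new"})
        else:
            changed = [k for k in FIELDS if baseline[rel][k] != current[rel][k]]
            if changed:
                findings.append({"path": rel, "status": "modified", "fields": changed})
    return findings


def report(findings: list, sink) -> int:
    """Write one JSON line per finding to sink (stand-in for an off-host log)."""
    for f in findings:
        sink.write(json.dumps(f, sort_keys=True) + "\n")
    return len(findings)


def accept(baseline: dict, root: str, rel: str) -> None:
    """Record a reviewed change (e.g. a planned rebuild) so it stops alerting.
    Only ever called deliberately; the checker never updates itself."""
    baseline[rel] = fingerprint(os.path.join(root, rel))


def demo():
    """Constructed scenario: baseline, then a same-size tamper, a deletion and
    a new file; returns findings before and after the tamper is accepted."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original-binary")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Same length as the original, so size alone would never notice it.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"tampered-binary")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "tmp_payload.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        first = check(root, baseline)
        sink = io.StringIO()
        report(first, sink)
        accept(baseline, root, "bin/ls")      # an admin reviewed that one change
        second = check(root, baseline)
        return first, second, sink.getvalue()


if __name__ == "__main__":
    before, after, log = demo()
    print(log, end="")
    print("after accepting bin/ls:", [(f["path"], f["status"]) for f in after])
```

The tamper in the demo keeps the file's size and mode, so only the hash field flags it; that is the case a metadata-only check misses and the reason the baseline must carry a digest. A real deployment would keep the baseline and the JSON log on a host the checked machine cannot write to, run `check` from cron, and route the output through whatever pager or SIEM the site already has.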
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    sexion8 wrote:
    To answer your question though, for my rootkit to work it does not need to modify anything. It never downloads anything, never touches anything... Quick logical flowchart...

    /usr/includes (files are already there)
    /tmp/ garbage is stored here...

    first
    go into certain files from /usr/includes and elsewhere

    then
    parse out certain words from these files... remember to change the files you look at

    after
    take all these words and combine them into a script in /tmp

    then
    run that script in /tmp

    after
    delete yourself


    What are you looking for? The script is gone and it never downloaded or saved anything... Yet you will still be backdoored... If I HAD TO modify some of the files, they would be random files as well, never the same...

    Okay, sounds good. But what is this script and how do you get it on the computer in the first place? I'm talking about the original script that parses the other files.... to create a script that runs in the /tmp? And if it can't find all the words necessary to create your script?

    sexion8 wrote:
    They'll ignore it... And we're talking sysadmins here... The original article covered grannies ;)

    PS... Think you can chmod||chown /tmp? Try it, we'll see how fast things break.
    I won't argue either of those points.
    All things are possible, only believe.