New worm targets Linux systems

sprkymrk

New worm targets Linux systems

This worm attacks web server software installed on Linux systems. McAfee assigns it "low risk" and Symantec "medium risk". The interesting thing to me is two-fold. First, since most linux users do NOT run AV software, how will they know they are infected? Second, it's not "really" attacking anything to do with the linux kernel, but rather third-party linux software. This is becoming true with almost all newer exploits and malware. Rather than target the OS (whether Windows, *nix, etc.) it is third party apps that run on these platforms that are targeted.

Reasons? In my research:

1. Both Windows and Linux have automatic updating measures to quickly roll out patches for OS based vulnerabilities. While some third party apps also have this feature, it is less often used or enabled. Additionally, unlike Windows Updates or Up2Date, there is rarely an Enterprise level way to update such apps (okay - SMS comes to mind).

2. Third party applications rarely go through the now rigorous Quality Assurance & Testing that OS's do, and therefore can be more easily exploited.

JDMurray

sprkymrk wrote:

2. Third party applications rarely go through the now rigorous Quality Assurance & Testing that OS's do, and therefore can be more easily exploited.

In my opinion, this is the real problem because attacks at this level are mostly indifferent to the operating system. Widely-used applications, such as Microsoft Office, iTunes, AIM, Skype, and FireFox, have increasingly become popular Malware targets for installing rootkits/Trojan horses and privilege escalation attacks. However, client-side apps rarely go through any sort of vulnerability assessment as part of their SDLC because software developers don't understand how their apps can be used as an "attack surface" for gaining access to a computer.

And I'm really sick of people saying that Open Source software is safer because the source code is available to be reviewed for back doors and malicious operation. Does the typical user of Open Source software really do that? Or are they more likely to just install, configure, and use the package without every looking at the source code? And how many people have the tools and experiences to conduct static and dynamic software security code analysis? Please point me to an organization whose charter is to specifically perform vulnerability assessments on Open Source software packages, because I want to work for them!

keatron

JDMurray wrote:

sprkymrk wrote:

2. Third party applications rarely go through the now rigorous Quality Assurance & Testing that OS's do, and therefore can be more easily exploited.

In my opinion, this is the real problem because attacks at this level are mostly indifferent to the operating system. Widely-used applications, such as Microsoft Office, iTunes, AIM, Skype, and FireFox, have increasingly become popular Malware targets for installing rootkits/Trojan horses and privilege escalation attacks. However, client-side apps rarely go through any sort of vulnerability assessment as part of their SDLC because software developers don't understand how their apps can be used as an "attack surface" for gaining access to a computer.

And I'm really sick of people saying that Open Source software is safer because the source code is available to be reviewed for back doors and malicious operation. Does the typical user of Open Source software really do that? Or are they more likely to just install, configure, and use the package without every looking at the source code? And how many people have the tools and experiences to conduct static and dynamic software security code analysis? Please point me to an organization whose charter is to specifically perform vulnerability assessments on Open Source software packages, because I want to work for them!

My friend, you catch the very essence of a sermon I've been preaching for 6 years. And you are right on!! 99% of all vulnerability research and discovery I've done this year has been open source distros and Solaris. And quiet frankly, it's not pretty.

Slowhand

JDMurray wrote:

And I'm really sick of people saying that Open Source software is safer because the source code is available to be reviewed for back doors and malicious operation. Does the typical user of Open Source software really do that? Or are they more likely to just install, configure, and use the package without every looking at the source code? And how many people have the tools and experiences to conduct static and dynamic software security code analysis? Please point me to an organization whose charter is to specifically perform vulnerability assessments on Open Source software packages, because I want to work for them!

I'll second that notion. It's the same song I've heard in almost all my years of IT work, "I use Linux, so I'm secure". Blanket statements like these are the real killers, because it lulls people into believing the rhetoric. I've yet to work with anyone that actually digs into the source code for the applications they use, test out the software, and report back security holes or performance flaws. I hear things like "Windows isn't secure", "Firefox can't be used to infect computers with viruses/worms/etc.", and the worst of all, one I heard while working with Apple salesmen, "Macintosh computers don't get viruses, and they can't be hacked". At this point, I've given up trying to argue the facts with most people, trying to tell them that any system can be compromised, all software needs to be updated, and that there is more to being secure than what operating system you use. The topic of third-party apps always comes up in these discussions, and most people I talk to dismiss the idea of using something like iTunes or FireFox to infect or compromise a computer. Ironically, though, they have no trouble accepting that Microsoft Office is vurnerable, simply because it's a Microsoft product. And, because a piece of software like FireFox, for example, isn't made my Microsoft, it's assumed to be "secure".