Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

Valdis.Kletnieks_at_vt.edu
Date: 01/17/04

    To: Bruce Ediger <eballen1@qwest.net>
    Date: Sat, 17 Jan 2004 13:43:04 -0500

    On Sat, 17 Jan 2004 08:43:52 MST, Bruce Ediger <eballen1@qwest.net> said:

    > The commercial anti-virus people have never really addressed the
    > lack of in-the-wild viruses for the unixes in general, and linux
    > in particular. Or, back in the day, why didn't VMS suffer from
    > a plague like DOS did and Windows does?

    Google for '+VMS +WANK'. So it was certainly *possible* to create a VMS-based
    worm. However, that was back in the Elder Days, when VMS and other dinosaurs
    still walked the earth in great numbers. And all the various systems in those
    days had minor outbreaks of things - there was the CHRISTMA EXEC and variants
    that plagued VM systems on Bitnet and VNET, the Morris worm that beat up on VAX
    and Sun-3 boxes, and a host of other things on other systems.

    But that was in the Elder Days. And that's an important point - VMS didn't have
    a major worm problem mostly because in the days when it had market share, the
    number of black hats who had access was limited. Whoever released WANK had to
    get access to HEPNet first, which for 98% of the users out there was
    non-trivial. But once you got onto HEPNet, there were enough VMS systems to
    sustain a virus. On the other hand, even then DOS and Windows had a significant
    market share and information exchange (on floppies and BBS back then).

    And that's the crucial point - the rate of information exchange with similar
    systems. Can your worm/virus contact another vulnerable system before it is
    eradicated on its current host? This is something that public health workers
    have understood for a long time - for many diseases it is *not* necessary to
    vaccinate 100% of the people, because a 95% or so rate is sufficient to keep it
    from getting an epidemic going. You're simply not likely enough to meet
    another vulnerable person while you're contagious.

    Now, it's safe to assume that every black hat has Internet access, and can
    release a worm. However, due to monoculture effects, there are only a very
    limited number of operating systems and services that a worm can realistically
    exploit.

    Windows? A worm won't starve. It will die of indigestion, and take out the net
    if it burps.

    Linux? I strongly suspect that Lion was fairly close to as big as a Linux worm
    can possibly get - and it was nowhere near the size of most Windows worms.

    Solaris? We've seen automated scans for rpc.ttdbserver exploits, and had
    clusters of machines all get whacked at once. There's ecological space for
    a slow-moving patient worm here...

    HP/UX, AIX, Tru64? A worm *might* be able to survive on these platforms,
    but it would have to be very stealthy to survive on a given host long enough to
    actually find another host to jump to.

    Other boxes like MVS, VM, VMS, HPE, and the like? The worm is almost
    certain to die of starvation and/or boredom.


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
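The contagion argument in the post above (a worm needs to reach another vulnerable host before it is cleaned off its current one, and a partially patched population can starve it) can be made concrete with a small SIR-style model. This is an added illustration, not code from the thread or its author; the host counts, contact rates and clean-up times in it are constructed assumptions chosen to show the threshold effect, not measurements of any real worm.

```python
"""Toy SIR model of worm spread across a population of hosts.

Constructed illustration: every parameter below is an assumption, not data.
The 'vulnerable fraction' stands in for the monoculture effect the post
describes (how much of what a worm can reach runs the exploitable platform).
"""


def basic_reproduction_number(contacts_per_day, vulnerable_fraction, days_infectious):
    """R0: expected new infections caused by one infected host.

    contacts_per_day   - hosts an infected machine reaches per day
    vulnerable_fraction - share of reachable hosts that are exploitable
    days_infectious    - mean days until the host is cleaned or patched
    A worm only sustains itself when R0 > 1.
    """
    return contacts_per_day * vulnerable_fraction * days_infectious


def herd_immunity_threshold(r0):
    """Share of hosts that must be immune (patched) so the outbreak cannot grow.

    Classic result: 1 - 1/R0. The post's '95% is enough' corresponds to R0 = 20.
    """
    return 0.0 if r0 <= 1 else 1 - 1 / r0


def simulate(hosts, initially_infected, contacts_per_day, vulnerable_fraction,
             days_infectious, days=60):
    """Deterministic day-by-day SIR run; returns (peak_infected, total_ever_infected)."""
    susceptible = hosts * vulnerable_fraction - initially_infected
    infected = float(initially_infected)
    cleaned = 0.0
    clean_rate = 1.0 / days_infectious  # fraction of infected hosts cleaned per day
    peak = infected
    for _ in range(days):
        # Contacts that land on a still-vulnerable host become new infections.
        new_infections = min(susceptible, contacts_per_day * susceptible * infected / hosts)
        newly_cleaned = clean_rate * infected
        susceptible -= new_infections
        infected += new_infections - newly_cleaned
        cleaned += newly_cleaned
        peak = max(peak, infected)
    return peak, infected + cleaned


if __name__ == "__main__":
    # Assumed scenarios: a dense monoculture versus a sparse, rarely-reached platform.
    for label, frac in (("dense monoculture", 0.9), ("sparse platform", 0.05)):
        r0 = basic_reproduction_number(2, frac, 3)
        peak, total = simulate(10000, 1, 2, frac, 3)
        print(f"{label}: R0={r0:.2f} immunity needed={herd_immunity_threshold(r0):.0%} "
              f"peak={peak:.0f} total={total:.0f}")
```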
