[ale] RE: I'm really getting sick of these "vague" Linux virus announcements

Jonathan Rickman jonathan at xcorps.net
Mon Sep 10 09:38:15 EDT 2001


On Mon, 10 Sep 2001 greg at turnstep.com wrote:

> Well, how about some facts? How about less speculation and
> scaremongering? They mention that Apache has a much
> larger share of the webserver market than IIS and suggest
> that a virus for Apache would be much worse than Code Red.
> This is pure FUD. First, this particular exploit is in no way
> related to web servers, as Code Red is. It has nothing to do
> with it any more so than any other program on the Linux box.

I agree with you up to this point...

> Second, Apache has a totally different design than IIS and
> will *never* be vulnerable to the same sort of exploit. It just
> ain't gonna happen. Even if you could somehow pass it an
> arbitrary command, Apache by default runs as a very low
> priority user. Third, people who run Apache are more likely to
> be involved in the nitty-gritty details of their box than their
> point-and-click-install IIS brethren, and thus will detect and
> patch problems more quickly. Fourth, it is not automated like
> Code Red but requires active user participation to forward
> it.

First of all, an arbitrary command is pretty dangerous...no matter
what user is running it. Privilege escalation is always possible.
Second, making any assumptions about the administrators (or secretaries)
who maintain servers is very dangerous. Linux is far more widespread now
than it was several years ago. 3 years ago, I would have agreed with you.

> I agree with Bryan - this is poor news reporting, and told
> us next to nothing about the actual virus, which is (IMO)
> pretty harmless. When was the last time a Linux admin
> you know received an attachment from someone (known
> or unknown) in email with no explanation on it, saved it
> to disk, set it executable, and ran it as root?

This is the point that needs to be made. This trojan announcement sure
seemed to be a publicity stunt on the part of Qualys. I don't know about
you, but I thought it was a joke after I read the advisory on Bugtraq...a
deliberate joke that is. Then I wondered if it might be a diversionary tactic
backed by MS. Finally I settled on the publicity stunt theory. Apparently it
worked though...plenty of journalists jumped all over it.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
