Posted by The Ghost In The Machine on September 26, 2007, 5:21 pm
In comp.os.linux.advocacy, Ignoramus25760
wrote
on Wed, 26 Sep 2007 14:13:47 -0500
> On Wed, 26 Sep 2007 11:51:54 -0700, The Ghost In The Machine
>> In comp.os.linux.advocacy, Ignoramus25760
>> wrote
>> on Wed, 26 Sep 2007 11:37:08 -0500
>>> I came up with a nefarious, but interesting idea. It would be useful
>>> to those who run botnets.
>>>
>>> Botnet software could be enhanced in the following ways:
>>>
>>> - besides everything else, check if you have a wifi adaptor. If so,
>>> scan neighboring networks to look for unprotected networks or those
>>> encrypted with WEP. Take your time and crack the WEP encryption using
>>> computers in botnet.
>>>
>>> Then proceed with
>>>
>>> 1) Using those other connections to send spam and other bad things
>>> (thus protecting a little bit the computer on the botnet)
>>>
>>> 2) Infect all private computers on those external private networks,
>>> put virus code into .EXE files on private shared drives, etc
>>>
>>> The effect of this is going to be that all apartment buildings will
>>> become giant zombie anthills, so to speak.
>>>
>>> The viruses and scumware would "hop" the firewalls in ways not done
>>> before (through air rather than incoming ISP data pipes).
>>>
>>> I do not write viruses or run botnets, but I think that it is a neat
>>> idea.
>>>
>>
>> A few questions.
>>
>> [1] In Linux, at least, infection of .EXE files might be
>> hampered by the issue that the user account can't write
>> into /bin, /usr/bin, /etc, etc., or most files sitting
>> therein. (The exceptions are /tmp and /var/tmp; some
>> programs get a little sloppy therein. These are holes,
>> and they do happen.) How does one get around this?
>
> Usually those directories are not network shared either.
I could see mounting /usr and /opt on an NFS share.
I'll admit there are some issues with doing so,
especially if one has to support multiple system types
(x86 and PPC, perhaps -- or even Athlon and Pentium D).
One can also mount /bin as well, if one is running diskless.
Of course, Linux doesn't have Intel PE formatted files
anyway (unless one installs WinE), or, generally, files
named '.exe'. The best one can do is something along the
lines of
find / -type f | xargs file | grep 'ELF 32-bit' | cut -d: -f1 | \
xargs ./infect_me_please.sh
or some such. "infect_me_please.sh" would not be the actual name
of the virus, but it would be something that looks innocuous.
>
>> [2] A compromised root machine might have some difficulties
>> spreading on NFS-mounted drives if said drives have the
>> no_root_squash option. How does one get around *this*?
>
> The typical worm action on a network (as happened in the last worm
> attack at one place I know), is that the worm looks for EXE files on
> shared drives and infects them, hoping that one day they will be
> executed.
So how does the worm write to read-only files?
>
>> [3] Assuming NAT software (which on Linux isn't too hard
>> to set up), how does the virus on an infected machine do
>> the bunny hop? Especially if the virus hasn't crossed
>> the local user-root barrier? Best I can do is Slightly
>> Suspect Emails(tm), and those aren't all that hard to block.
>
> The only thing that I can think of where linux boxes can be
> compromised this way, is to look for less secure things inside
> presumed safe home networks, or pretending to be trusted hosts (I am
> 10.0.0.3, and want to log on as joeblow) and using rlogin and such.
I never use rlogin; I use ssh exclusively. I'll have to
look to see if TCP can be impersonated (UDP, yes, but
that's not used for ssh, rlogin, telnet, etc.)
>
>> [5] Whatever gave you the notion that this is a neat idea?
>> Of course, it does have an appeal to those who like to set
>> up botnets -- but those are few and far between. Most people
>> will probably think it's a terrible idea, and will want to
>> cast about for defenses against it.
>
> I think that it is a clever, but "unhelpful", idea.
Depends on who's being helped. :-)
>
> i
--
#191, ewill3@earthlink.net
Murphy was an optimist.
--
Posted via a free Usenet account from http://www.teranews.com