Anti Virus Software for Linux:

Martin G. McCormick martin at dc.cis.okstate.edu
Wed Oct 3 08:56:42 EDT 2001


	The subject line is "Anti Virus Software for Linux".  I am
not sure how much of that you will find, as UNIX systems don't
exactly get the same viruses that DOS and Windows systems do.

	They have their own set of nasties to look out for.  One
of the most potentially dangerous things to watch out for is
security holes that are created by malfunctions in the operating
system, such as un-checked buffers or timing situations (sometimes
called race conditions) in which somebody can do terrible things
to your system by sending it certain commands at just the right
time in relation to each other, breaking an application in such a
way as to gain root access.

	Once they gain root, the world is their oyster so to
speak.

	Un-checked buffers are one of the most common hacker
access methods and the way they work is pretty simple.  A certain
program may have some memory set aside for holding perhaps a user
ID and password or a set of operating parameters.  Maybe the
programmer decided that 32 or 64 bytes was sufficient for this
information.  Now, suppose somebody accesses this program and
begins to pump junk characters at it in place of anything useful.
If the buffer is un-checked, the routine that stores these data
does nothing but add one more character to memory each time a new
character comes in.  It keeps adding and adding until the 32 or
64 bytes are filled and then it keeps right on grinding away
overwriting other buffers and maybe even getting into program
code.

	At that point, the program dies as soon as the storage
routine hits some vital part of the code.  What happens after
that is anybody's guess, but it is possible for someone to write
executable machine code into that buffer such that it actually
runs.  It is sort of like a woodsman who can fell a tree and
control exactly where it falls.

	The hacker scripts that bust UNIX systems do exactly this
kind of controlled destruction to a vulnerable system because any
program running as root will give the hacker root privileges when
its burned-out shell crashes.  The hacker script will then
sometimes be able to create a new user account and give the thug
a root shell to do more dirty work.

	Older versions of just about every form of UNIX known to
man contain all kinds of weak spots that have been discovered and
fixed.  The hacker community is well aware of all these
vulnerabilities and there are web sites that come and go which
contain various types of scripts and executable programs which
probe unsuspecting UNIX boxes for holes to exploit.

	The main way to keep out of that kind of trouble is to
stay abreast of the security advisories for your particular
operating system.  There are mailing lists for Red Hat and Debian,
for instance, and probably a list for every flavor of UNIX.

	Another way folks get burned in the UNIX world is by
installing a full suite of programs with everything enabled.  Such
things as file sharing and remote procedure calls in which one
can manage systems remotely are great for network administrators,
but they also provide more playgrounds for hackers and crackers.
If you aren't careful, somebody in some far-off land may decide
to manage your system for you and, believe me, he or she isn't
doing you any favors.

	The main difference between Windows viruses and UNIX
system exploitation is that a lot of UNIX, these days, is
open-source which means that more people know what is inside.
This is both a blessing and a curse.  The curse is that smart
hackers know how it works so they know how to abuse it.  The
blessing is that there are just as many if not more smart good
people who are figuring out ways to either keep the exploit from
succeeding or different ways one can configure the system to
discourage this activity.

	Windows, however, is a closed system in which exploits
are built from someone's gaining proprietary knowledge or someone
simply abusing poorly-designed code such as what happened with
the Love-letter worm last year.

	I think that Microsoft has been rather proactive in trying
to fix these holes, but they never should have been created in
the first place.  I have been working with networked computers
for eleven years, now, and we used to discuss the nightmare
possibilities of email that could execute or certain kinds of
remote access and what people could do with it.

	It all came to pass and it has been just as bad as many
of us feared it would be.

	UNIX systems don't really need antivirus software for
themselves although they might be able to use some sort of filter
to prevent them from forwarding emails containing viruses.

	All of us who run UNIX systems, however, owe it to the
rest of the world to be current on security practices and do as
much as we can to configure our systems properly so that they
don't become hijacked.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Center for Computing and Information Services Network Operations Group
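
The un-checked buffer described in the post above, as an added
example that is not part of the original message (the memory layout,
the sentinel value and all function names are constructed for
illustration): a 32-byte field is laid out directly next to a value
the program relies on, the byte-at-a-time store routine the post
describes runs straight past the end of the field and clobbers that
value, and a bounded version of the same routine refuses input that
does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not code from the original post. The region
 * below stands in for a program's storage: a 32-byte field (a user ID,
 * say) followed immediately by a value the program depends on, the way
 * adjacent struct members or stack variables sit back to back. */
#define FIELD_CAPACITY 32u
#define REGION_SIZE    (FIELD_CAPACITY + sizeof(uint32_t))
#define SENTINEL       0xA5A5A5A5u   /* known value placed after the field */
#define MAX_JUNK       128u

typedef struct {
    unsigned char bytes[REGION_SIZE];
} region_t;

static void region_init(region_t *r)
{
    uint32_t s = SENTINEL;
    memset(r->bytes, 0, sizeof r->bytes);
    memcpy(r->bytes + FIELD_CAPACITY, &s, sizeof s);
}

/* 1 if the word after the field still holds SENTINEL, 0 if it was clobbered. */
int region_intact(const region_t *r)
{
    uint32_t s;
    memcpy(&s, r->bytes + FIELD_CAPACITY, sizeof s);
    return s == SENTINEL;
}

/* The "un-checked" store routine: one byte in, one byte stored, with no
 * regard for how big the field is. The only bound is the region array
 * itself (so this stays well-defined C), and the writes run past the
 * field's 32 bytes into whatever follows. Returns bytes stored. */
size_t store_unchecked(region_t *r, const unsigned char *input, size_t len)
{
    size_t i = 0;
    while (i < len && i < sizeof r->bytes) {
        r->bytes[i] = input[i];
        i++;
    }
    return i;
}

/* The checked version: refuse input that does not fit (leaving room for
 * a terminating NUL) instead of storing it. Returns -1 on rejection. */
int store_checked(region_t *r, const unsigned char *input, size_t len)
{
    if (len >= FIELD_CAPACITY)
        return -1;
    memcpy(r->bytes, input, len);
    r->bytes[len] = '\0';
    return (int)len;
}

/* Drive one routine with `len` bytes of junk ('A's) and report whether
 * the word after the field survived: 1 intact, 0 clobbered. */
static int probe(size_t len, int use_checked)
{
    unsigned char junk[MAX_JUNK];
    region_t r;
    if (len > MAX_JUNK) len = MAX_JUNK;
    memset(junk, 'A', len);
    region_init(&r);
    if (use_checked) store_checked(&r, junk, len);
    else             store_unchecked(&r, junk, len);
    return region_intact(&r);
}

int survives_unchecked(size_t len) { return probe(len, 0); }
int survives_checked(size_t len)   { return probe(len, 1); }

/* 1 if the checked routine accepts `len` bytes of junk, 0 if it rejects. */
int checked_accepts(size_t len)
{
    unsigned char junk[MAX_JUNK];
    region_t r;
    if (len > MAX_JUNK) len = MAX_JUNK;
    memset(junk, 'A', len);
    region_init(&r);
    return store_checked(&r, junk, len) >= 0;
}

int main(void)
{
    size_t lens[] = { 8, 31, 32, 33, 64 };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        printf("%3zu bytes: unchecked %s, checked %s\n", lens[k],
               survives_unchecked(lens[k]) ? "intact   " : "CLOBBERED",
               checked_accepts(lens[k]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The sentinel check after the field is the same idea a compiler's
stack protector uses: a known value sits between a buffer and the data
that follows it, and finding it changed is proof the buffer was overrun.
The fix the post points at is the bounded routine: decide up front how
much the field can hold and refuse anything larger, rather than storing
one more byte and hoping.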
