[svlug] LoveLetter reporting -- Microsoft, not computer, virus

kmself@ix.netcom.com kmself at ix.netcom.com
Fri May 5 10:58:01 PDT 2000

On Fri, May 05, 2000 at 12:55:51AM -0700, Rick Kwan wrote:
> (I think I just let a message thru with a null body... sorry
> about that.)

No problem.  But I would appreciate your dropping the cc:'s.  I get

> I have to admit to a certain amount of glee when someone sends me
> a message saying, "DON'T OPEN THAT MAIL!"  I write back and say,
> "Sorry.  I don't run Windows; I'm immune to this virus."

Gloating is wonderful, ain't it?

> We've probably had this thread before, but given the questions
> posed we probably should do it again.  So let me play devil's
> advocate for a moment.
>   * What stops someone from writing a virus that attacks a
>     mailer (e.g., Netscape) on a UNIX/Linux system?  Couldn't someone
>     just as easily read the address book there and propagate
>     the attack?  Isn't it just a case of Linux systems not being
>     so widespread?

What stops it?  Paranoia, system design, file association, the concept of
default actions.  Could a similar attack happen to our world?  Yes and no.
Mostly no, though this doesn't make the scenario impossible.  I've also
been thinking about this much of today.

First off, the LoveLetter (or LoveBug) is very similar in certain
regards to the Morris Worm of 1987.  Morris exploited weaknesses in
mailer software, including an ability to execute code; propagated itself
through known systems; and essentially could be stopped only by shutting
the entire global mail network down.

Things have moved on.  Sendmail is now rather more secure (though its
reputation is tainted), and many of the more obvious exploits as were
used in LoveLetter are closed.  Mostly after having been tried....  Part
of the benefit is just having had an extra 15 years of paranoid living
under our belts.

In some ways, the task on GNU/Linux [1] is easier -- address books are
ASCII, there are more commands available, more resources to use.

But in GNU/Linux's favor are paranoia, heterogeneity, and limited
user-space privileges.  Paranoia means you don't assume an executable is
safe to be executed, and you certainly don't do anything so stupid as to
run the bloody thing without specifically requesting it.  

Unlike MS Windows, where applications are horribly overloaded as authoring
tools / viewers / automation tools, a GNU/Linux document viewer tends to
be, pretty much, a document viewer only, without programmatic elements.
Where processing capabilities are provided, as in a browser, there are
usually attempts to contain the process in a sandbox, and generally
tools have the option to disable all such processing.  Note that this is
a convention, not a hard-and-fast rule of GNU/Linux, and that there are
plenty of things that *do* happen automagickly on many systems.

In MSFT land, file associations are determined by file extension.  One
method for bypassing virus scans and execution checks for one
email-vectored Trojan was to write a MS Word document (macro-capable) with
an RTF extension (non-macro capable).  The virus scanners ignored it,
but MS Word opened the file with full macro capabilities.  GNU/Linux by
contrast uses magic (the first few bytes) of a file to determine its
type.  This can make a directory listing take a few seconds longer for a
particularly large directory (/usr/doc under my Debian system, with 926
entries), but identifies files as they truly are, not as they purport
to be.

Yet another failing of MS WinXX is the default action association of
files.  It never made any sense to me what "Open" should mean, or that
it would, in any circumstance, mean "Execute".  Default file
associations are horribly broken IMO anyhow, and if used at all should
probably be categorized along the lines of "view (non-executable text
viewer), edit (authoring tool), execute (run)".  If at all possible, the
execute association should *not* be readily available.  If it is, there
ought to be some way of designating a sandbox that the program runs in,
in a very strictly limited sense.  

My own approach with GNU/Linux and attachments of any sort is to filter
them through "less" or "strings" before looking at them.  Even HTML,
particularly when associated with spam, as it's now fairly common practice
to embed either URLs or images with unique keys as an aid in developing
delivery metrics -- why give them *any* data at all?

Note that we shouldn't be entirely smug.  It's very possible that a
vendor or developer will come up with a mailer or other network-enabled
interactivity tool, which can be made to accommodate executable content.
Actually, browsers already do this, to a limited extent, and through
MIME associations do in fact launch applications on web content on a
routine basis.  But, for the most part, the default settings are sane
and the applications are judicious.  You'll probably find that the
default action specified for a shell script under your browser is "ask
user" rather than "bash %s".

However, there are a number of attacks, notably the recent TrinOO DDOS
attacks, which specifically used GNU/Linux (though more specifically,
Solaris GNU/Linux <g>) hosts.  Though the client has been adapted now to
work on WinXX systems, IIRC.

But even should such applications be developed or released, I don't
think the problem would be as severe on GNU/Linux as with Windows.
In large part this is because, being based on open standards and very
frequently free software, it means that there are a number of different
tools available to perform a particular task.  It's relatively unlikely
(and generally a Bad Thing [tm]) for any one tool to become absolutely
dominant in an area.  So any exploit would be naturally be limited
in scope.

>   * Can't a virus wipe out a hard drive on a GNU/Linux system just as
>     easily as a Windows box?  (Explain this to a non-computer type.)

User space segregation means that a GNU/Linux file generally can't be
executed with system privileges.  The system-trashing behavior of
LoveLetter would have been far more limited under a GNU/Linux system -- only
files writable by the afflicted user would be modified.  In order to run
rampant, the executable would have to gain root access -- at which
point, more interesting possibilities generally become available.

Note, however, that a partition network-mounted to infected MS Windows
systems could have been affected by LoveLetter executing on the MS
Windows box.

>   * Given the gravity of the attack, why don't the computer security
>     folks just come out and say, "This software architecture is
>     poorly conceived; Windows needs to be fixed."?  I have yet to
>     see this particular statement.  (This one actually bothers me,
>     especially after the "GNU/Linux users are sloppy" discussion.)


You've just stated my opinion.  MS Windows is fundamentally flawed and
cannot be trusted in an untrusted environment.  Even without malicious
intent, it's very possible for accidental actions to take of and
overwhelm a MS Windows-oriented network.

> --Rick Kwan
>   rick.kwan at lightsaber.com
> Jeffrey B. Siegal <jbs at quiotix.com> wrote:
> > When contacting the press via legacy technologies here are a couple of
> > issue to suggest they investigate:
> > 
> > 1. Why, despite multiple occurances of such viruses, does Microsoft
> > refuse to remove the ill-conceived and poorly designed "features" which
> > allow such viruses to exist?
> > 
> > 2. Why, despite having caused, on multiple occasions, at least hundreds
> > of millions of dollars in damages, including to innocent third parties
> > not even using Microsoft products, shouldn't Outlook and Exchange be
> > considered "defective products"?
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org
> http://lists.svlug.org/mailman/listinfo/svlug

Karsten M. Self <kmself at ix.netcom.com>         http:/www.netcom.com/~kmself
    What part of "Gestalt" don't you understand?
GPG fingerprint: F932 8B25 5FDD 2528 D595  DC61 3847 889F 55F2 B9B0

[1] GNU/Linux can be generally taken to mean GNU/Linux or GNU/Linux like
operating systems.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.svlug.org/archives/svlug/attachments/20000505/a6138076/attachment.bin

More information about the svlug mailing list