Re: [offtopic] Back from my vacation

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 13 Aug 2001 03:35:14 +0200

[off topic for squid-dev and posted here only because the question was..
please delete if not interested in viruses or their impact on my
mailbox..]

Wojciech Puchar wrote:
>
> > Henrik wrote:
> > I am back from my vacation, and noticed that my mail fetch routine had a
> > small hiccup (cable modem disconnected), and a virus had flooded my
> > mailbox.
> are there viruses for unix? how do they work???

I did not have a virus, but my mailbox was flooded with too many copies
of some Outlook virus, each carrying 300K-1MB document with it. And with
a 5MB mailbox quota the mailbox did not last very long...

Even if the virus I was troubled by is not a UNIX virus and did not cause
any infection on my machines, there are a couple of UNIX viruses. They
work similarly to any other brand of virus. They are less common mainly
due to the diversity of UNIX flavors, stronger default system security
and less integration between system components, making it quite unlikely
that a user starts a virus-infected file on UNIX by mistake.

More common on UNIX are worms of various kinds, using flaws in "standard"
network components such as BIND or Sendmail. But again, the diversity of
UNIX flavors and versions in use makes the impact much less than similar
worms in the "other" world.

Perhaps most common in the UNIX world are crack robots, where a cracker
has a robot (or in some cases a worm) that searches for hosts to use in
DDOS attacks. Quite often utilizing IRC networks and the like to provide
an indirect and hard to trace communication channel between the attacker
and his controlled zombies. These hack robots search for hosts with
known vulnerabilities, and then automatically install the tools the
cracker needs in his future attacks, plus a number of backdoors to ease
reentry into that host in case the host owner discovers the crack and
tries to clean up.

Some guidelines on how to protect oneself from viruses/worms/crackers:

1. Be skeptical

 1a) Never play intimately with programs of unknown/doubtful source.

 1b) Never play intimately with data of unknown/doubtful source.

2. Use protection

 2a) Don't publish more services on the Internet than you need to. Make
use of firewalling, bastion hosts etc.

 2b) Make use of the file protection mechanisms provided by all modern
OSes, and always run programs using a non-privileged account. Use a
special account for system administration.

3. Assume you will get cracked

 3a) Isolate the few services you do need to publish, using
non-privileged accounts, chroot, and similar methods to limit the
possible damage on the host in case one of the services gets cracked.

 3b) Isolate any hosts you run services on by inverse firewalling,
protecting the rest of the world from the host in case it gets cracked.
The last thing you want is some cracker using your host and bandwidth
for cracking/crashing other systems.

4. Stay current

  Staying current on important components is mostly a good thing, but
contrary to the standard belief, staying current on the latest patches is
not the most important measure and not always the best thing to do. No
matter how much time you spend on staying current, there are always
windows of time where you will be vulnerable to various issues. It is
better to make sure you know how to deal with the computer diseases and
minimise the effects than try to vaccinate your systems against each and
every possible disease that pops up.

--
Henrik
Received on Sun Aug 12 2001 - 19:53:13 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:11 MST
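The hardening guidelines in the message above (2a, 2b, 3a and 3b) turned into two checks, as an added shell example that is not code from the original message or from the Squid project. `audit_services` lists which services are actually published to the network and which of those still run as root; `egress_ruleset` prints an nftables ruleset for the "inverse firewalling" of 3b, so that a host that does get cracked cannot freely originate traffic towards the rest of the world. The function names, the inventory format (`proto port bind-address user`) and the sample inventory are all assumptions made for this example; on a real host the inventory would be built from `ss -tulpn` and the owner of each listening process.

```shell
#!/bin/sh
# Added example, not from the original message or the Squid project.
# Two checks for the hardening guidelines in the post:
#   audit_services : 2a/2b/3a - which services are actually published, and
#                    which of them still run as root
#   egress_ruleset : 3b - "inverse firewalling": an nftables ruleset that lets
#                    the host originate only the traffic it needs
# Function names, the inventory format and the sample data are assumptions
# made for this example.

# Constructed inventory of listening sockets: "proto port bind-address user".
# (Sample data, not taken from a real host.)
SAMPLE_INVENTORY='tcp 3128 0.0.0.0 proxy
tcp 25 127.0.0.1 root
tcp 8080 0.0.0.0 root
udp 53 0.0.0.0 named
tcp 80 0.0.0.0 root'

# audit_services "PORT PORT ..."   (inventory on stdin)
# Prints one finding per published service that is either not on the
# allow-list (UNEXPECTED) or runs as root (PRIVILEGED). Sockets bound to
# loopback are not reachable from the network and are skipped.
audit_services() {
    allowed=" $1 "
    while read -r proto port bind user; do
        [ -z "$proto" ] && continue
        case "$bind" in
            127.*|::1) continue ;;
        esac
        case "$allowed" in
            *" $port "*) ;;
            *) echo "UNEXPECTED $proto/$port bound to $bind (user $user)"
               continue ;;
        esac
        if [ "$user" = root ]; then
            echo "PRIVILEGED $proto/$port runs as root"
        fi
    done
}

# egress_ruleset "PORT PORT ..."
# Emits an nftables table whose output chain drops by default and only lets
# the host originate DNS lookups and new TCP connections to the listed ports
# (e.g. 80 and 443 for a proxy that fetches on behalf of its clients).
# Replies to inbound connections are still allowed through conntrack.
# Load the printed text with: nft -f FILE
egress_ruleset() {
    printf 'table inet hardened {\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    printf '    oifname "lo" accept\n'
    printf '    ct state established,related accept\n'
    printf '    udp dport 53 accept\n'
    for p in $1; do
        printf '    tcp dport %s ct state new accept\n' "$p"
    done
    printf '    log prefix "egress-drop: " drop\n'
    printf '  }\n'
    printf '}\n'
}

# Usage: audit the constructed inventory against the ports we mean to
# publish, then print the egress ruleset for a proxy host.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_services "3128 53 80"
egress_ruleset "80 443"
```

On the constructed inventory the audit reports the unplanned listener on tcp/8080 and the web server on tcp/80 still running as root, while the loopback-only mailer is ignored. The ruleset's default-drop output chain is what makes the host useless as a launch point for cracking other systems: anything the host tries to originate beyond DNS and the listed ports is logged and dropped.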