On Sunday 02 December 2007 20:09, Rony wrote:
jtd wrote:
Besides, sourceforge and similar repos don't care what's on the server. You have to do the verification by checking the sigs. Debian uses md5 hashes in a Release file and gpg for signing the Release file. You can therefore be reasonably sure that what you download is ok. Similar schemes should exist for other distros too.
This virus does not reach the stage of executing after download. As soon as you click on the download link, instead of the file download beginning, the system goes into a reboot. It has got infected.
That IS execution.
On reboot, it brings in the bigger payload which causes irreversible damage as it reboots every time an admin command is run.
That is a very poorly written virus. You want to have control rather than mindlessly rebooting the system, which will only make him paranoid. Maybe it's a side effect of preventing the AV from executing, as AVs require admin privileges.
If the net is shut off just before the system boots again, the bigger payload is kept away and the system can be restored to an earlier clean period.
You are assuming that it is restored. Once infected you have got to format. You just don't know what has been compromised, particularly with closed software, unless you have a previous known-good offline disk dump to restore from. With open systems too, the task of restoring a compromised system can be a real pain and would be undertaken only for forensic purposes. You are mostly better off reinstalling and patching up before going online.
This is something very recent
It is not, just that this virus has exposed itself.
so I was wondering if there has been some major attack on the web servers.
You are mixing up things. Even if the Linux (or some other OS) server is hosting malware, the servers are not under attack. The server simply stores whatever the user chooses to store and does not care about the intent of a particular piece of code. In fact even perfectly legit software can be trojaned. You therefore never want to install anything from anywhere without undergoing a painful verification process. With Debian sarge you had to do it manually unless you used backported apt and friends. However, with etch the process has been automated (and a pain for some things that I do).
BTW, Debian servers were compromised too. But instead of hiding under the sheets and issuing stupid PR, a full disclosure was made and the servers taken offline. AFAIR they were offline for a month. There was also the case of some part of the kernel with a deliberately introduced vulnerability. Subsequently several procedures were put in place to permit traceability. No hiding under the sheets here either.
That is what finally makes systems secure: public scrutiny, full disclosure and public contribution. No amount of AV pasted on top of crap is going to change that. Of course the very hard decision to change underlying bad design criteria, which will break all compatibility, will never be taken for doze - its entire edifice is built on that falsehood.
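The verification step jtd describes above (a Release file listing hashes and sizes of the repository's files, with the Release file itself signed by gpg, so that a trojaned download on an untrusted mirror is caught before anything is installed) can be checked by hand with a few lines of code. The following is an added example written for this thread, not Debian's own apt code: it parses a Release-style hash section, checks a downloaded file's size and digest against it, and wraps the `gpg --verify` call that must succeed on the Release file before any of its hashes are trusted. The Release text and package contents are constructed samples, and the `check_release_signature` helper assumes a `gpg` binary and a keyring path that you supply.

```python
import hashlib
import hmac
import subprocess

# Map of Release-file section headers to hashlib algorithm names.
HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text):
    """Return {algo: {filename: (hexdigest, size)}} from a Release file.

    Hash sections look like:
        MD5Sum:
         <hexdigest> <size> <relative filename>
    Non-hash header lines (Origin:, Suite:, ...) are skipped.
    """
    result = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A new top-level field; only hash sections are of interest.
            current = HASH_SECTIONS.get(line.split(":", 1)[0])
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        digest, size, name = parts
        result.setdefault(current, {})[name] = (digest.lower(), int(size))
    return result


def verify_file(release, name, data, algo="sha256"):
    """Check downloaded bytes against the signed Release entry.

    Returns (ok, reason). Size is compared first (cheap), then the digest
    with a constant-time comparison.
    """
    entries = release.get(algo, {})
    if name not in entries:
        return False, "no %s entry for %s" % (algo, name)
    expected_digest, expected_size = entries[name]
    if len(data) != expected_size:
        return False, "size mismatch"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected_digest):
        return False, "digest mismatch"
    return True, "ok"


def check_release_signature(release_path, signature_path, keyring_path):
    """Verify the detached Release.gpg over Release with a pinned keyring.

    Assumes a gpg binary is on PATH (not exercised by the sample below).
    Only after this returns True should the hashes in Release be trusted.
    """
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", signature_path, release_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


# --- constructed sample data (not a real Debian repository) ---
PACKAGES_NAME = "main/binary-amd64/Packages"
GOOD_PACKAGES = b"Package: example\nVersion: 1.0\n"
# Same length as GOOD_PACKAGES, so only the digest check can catch it.
TAMPERED_PACKAGES = b"Package: example\nVersion: 1.1\n"


def build_release(files):
    """Build a Release-style text for the constructed sample files."""
    lines = ["Origin: Example", "Suite: stable"]
    for section, algo in (("MD5Sum", "md5"), ("SHA256", "sha256")):
        lines.append(section + ":")
        for name, data in files.items():
            digest = hashlib.new(algo, data).hexdigest()
            lines.append(" %s %d %s" % (digest, len(data), name))
    return "\n".join(lines) + "\n"


SAMPLE_RELEASE = build_release({PACKAGES_NAME: GOOD_PACKAGES})


if __name__ == "__main__":
    release = parse_release(SAMPLE_RELEASE)
    print(verify_file(release, PACKAGES_NAME, GOOD_PACKAGES))
    print(verify_file(release, PACKAGES_NAME, TAMPERED_PACKAGES))
```

The order matters: the signature on the Release file is what ties the hashes to the distribution's key, so a mirror that serves both a modified Packages file and a matching modified Release file is still caught, because it cannot produce a valid signature over the new Release.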