Full Disclosure mailing list archives

Re: Re: January 15 is Personal Firewall Day, help the cause


From: Valdis.Kletnieks () vt edu
Date: Sat, 17 Jan 2004 13:43:04 -0500

On Sat, 17 Jan 2004 08:43:52 MST, Bruce Ediger <eballen1 () qwest net>  said:

> The commercial anti-virus people have never really addressed the
> lack of in-the-wild viruses for the unixes in general, and linux
> in particular.  Or, back in the day, why didn't VMS suffer from
> a plague like DOS did and Windows does?

Google for '+VMS +WANK'.  So it was certainly *possible* to create a VMS-based
worm.  However, that was back in the Elder Days, when VMS and other dinosaurs
still walked the earth in great numbers. And all the various systems in those
days had minor outbreaks of things - there was the CHRISTMA EXEC and variants
that plagued VM systems on Bitnet and VNET, the Morris worm that beat up on VAX
and Sun-3 boxes, and a host of other things on other systems.

But that was in the Elder Days. And that's an important point - VMS didn't have
a major worm problem mostly because in the days when it had market share, the
number of black hats who had access was limited.  Whoever released WANK had to
get access to HEPNet first, which for 98% of the users out there was
non-trivial.  But once you got onto HEPNet, there were enough VMS systems to
sustain a virus.  On the other hand, even then DOS and Windows had a significant
market share and information exchange (on floppies and BBS back then).

And that's the crucial point - the rate of information exchange with similar
systems.  Can your worm/virus contact another vulnerable system before it is
eradicated on its current host?  This is something that public health workers
have understood for a long time - for many diseases it is *not* necessary to
vaccinate 100% of the people, because a 95% or so rate is sufficient to keep it
from getting an epidemic going.  You're simply not likely enough to meet
another vulnerable person while you're contagious.
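The point in the paragraph above, that a worm needs to reach another vulnerable host before it is cleaned off its current one, is the basic reproduction number argument from epidemiology. The following Python is an added illustration, not part of the original message: it computes R0 from a contact rate, a vulnerable fraction and a time-to-cleanup, derives the patch coverage needed to push R0 below 1, and runs a small stochastic SIR-style outbreak. All parameters and the population size are constructed for illustration, not measured from any real worm.

```python
"""Discrete-time SIR model of worm spread across a population of hosts.

Each infected host contacts CONTACTS random hosts per time step; a contact
with a still-vulnerable host infects it.  An infected host is cleaned
(patched or reimaged) after a fixed number of steps and is then immune.
Parameters below are constructed examples, not measurements of any worm.
"""
import random


def reproduction_number(contacts_per_step, vulnerable_fraction, steps_until_cleaned):
    """Basic reproduction number R0: expected new infections per infected host
    over its infectious lifetime.  Below 1.0 an outbreak fizzles; above 1.0
    it can sustain itself."""
    return contacts_per_step * vulnerable_fraction * steps_until_cleaned


def herd_immunity_threshold(contacts_per_step, steps_until_cleaned):
    """Fraction of hosts that must be non-vulnerable (patched, firewalled,
    or simply a different platform) so that R0 drops below 1."""
    r0_if_all_vulnerable = contacts_per_step * steps_until_cleaned
    return max(0.0, 1.0 - 1.0 / r0_if_all_vulnerable)


def simulate(population, vulnerable_fraction, contacts_per_step,
             steps_until_cleaned, steps=200, initial_infected=1, seed=1):
    """Stochastic outbreak starting from a few infected hosts.
    Returns (peak_concurrently_infected, total_ever_infected)."""
    rng = random.Random(seed)
    n_vuln = int(population * vulnerable_fraction)
    # 'S' susceptible, 'I' infected, 'R' cleaned or never vulnerable
    state = ['S'] * n_vuln + ['R'] * (population - n_vuln)
    clean_timer = [0] * population
    for h in rng.sample(range(population), initial_infected):
        state[h] = 'I'
        clean_timer[h] = steps_until_cleaned
    total = initial_infected
    peak = initial_infected
    for _ in range(steps):
        infected = [h for h in range(population) if state[h] == 'I']
        if not infected:
            break  # the worm has died out
        for h in infected:
            for _ in range(contacts_per_step):
                target = rng.randrange(population)  # uniform random scan
                if state[target] == 'S':
                    state[target] = 'I'
                    clean_timer[target] = steps_until_cleaned
                    total += 1
        for h in infected:  # hosts infected this step keep their full timer
            clean_timer[h] -= 1
            if clean_timer[h] <= 0:
                state[h] = 'R'
        peak = max(peak, sum(1 for s in state if s == 'I'))
    return peak, total


if __name__ == "__main__":
    # Constructed scenario: 2 scans per step, cleaned after 4 steps.
    print("R0 with 95% patched:", reproduction_number(2, 0.05, 4))
    print("coverage needed for R0 < 1:", herd_immunity_threshold(2, 4))
    print("95% patched (peak, total):", simulate(2000, 0.05, 2, 4, initial_infected=3))
    print("50% patched (peak, total):", simulate(2000, 0.5, 2, 4, initial_infected=3))
```

With 95% of hosts non-vulnerable the outbreak dies after a handful of infections even though the worm is otherwise unchanged; with only half the hosts covered the same worm reaches most of the vulnerable population within a few dozen steps. The model treats the population as well mixed, which is the uniform-scanning case; the isolated-network situation described for HEPNet corresponds to a much smaller reachable population.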

Now, it's safe to assume that every black hat has Internet access, and can
release a worm.  However, due to monoculture effects, there are only a very
limited number of operating systems and services that a worm can realistically
exploit.

Windows? A worm won't starve.  It will die of indigestion, and take out the net
if it burps.

Linux?  I strongly suspect that Lion was fairly close to as big as a Linux worm
can possibly get - and it was nowhere the size of most Windows worms.

Solaris?  We've seen automated scans for rpc.ttdbserver exploits, and had
clusters of machines all get whacked at once.  There's ecological space for
a slow-moving patient worm here...

HP/UX, AIX, Tru64?  A worm *might* be able to survive on these platforms,
but it would have to be very stealthy to survive on a given host long enough to
actually find another host to jump to.

Other boxes like MVS, VM, VMS, HPE, and the like?  The worm is almost
certain to die of starvation and/or boredom.

