Viruses, viruses, and more viruses

3 new scenarios for the weekend …

I recently had to rebuild a Linux server for a large national retailer, running a console-based app, due to hardware failure. This duly done and the machine back in operation, I was surprised to get a call relating to high traffic usage on that network. As some background to this network, the client has a nation-wide site-to-site network for remote users and simultaneously an internet link at the head office.

The ISP did some work on this issue (surprise surprise) and came up with what appeared to be traffic running from the Linux box to a porn site in America. Considering this only started when the Linux box was rebuilt, it was the obvious culprit here. Unfortunately the traffic was blocked before I had a chance to look at the Linux box, and when I did check it, I found nothing – completely clean. And that includes rootkit checks, running processes, port/socket checks, etc.

What was interesting was the continued use of telnet as a connection method to the server. Considering the ease with which one can snoop telnet traffic and retrieve logins, this is a serious oversight, but one that actually happens quite often. Telnet remains an oft-used connection tool to run apps on Unix/Linux boxes. Back in the day when nothing was really internet connected and networks were private, this was ‘ok’, but these days when everything is connected to the world-wide virus bucket, it’s not. Developers need to start using the myriad of other methods available to provide applications to end users – telnet is no longer an option.
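The first thing I would check on a box like the one above is whether telnet is still enabled and listening. Below is a small added audit script (mine, not from the post) that parses a constructed xinetd telnet stanza and constructed `ss -tln` output and flags telnet exposure; the sample inputs are made up for illustration.

```python
"""Flag telnet exposure on a Linux host: an enabled xinetd telnet
service and a non-loopback listener on TCP/23 in `ss -tln` output."""
import re

# Constructed sample of /etc/xinetd.d/telnet (not taken from a real host).
XINETD_TELNET = """\
service telnet
{
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = no
}
"""

# Constructed sample of `ss -tln` output.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       64      0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
"""

def xinetd_enabled_services(text):
    """Return names of services whose stanza lacks `disable = yes`."""
    enabled = set()
    for m in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = m.group(1), m.group(2)
        if not re.search(r"^\s*disable\s*=\s*yes\s*$", body, re.M):
            enabled.add(name)
    return enabled

def exposed_listeners(ss_text, ports=(23,)):
    """Return (addr, port) tuples listening on `ports` on a non-loopback address."""
    found = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # handles [::]:23 as well
        if int(port) in ports and not addr.startswith("127."):
            found.append((addr, int(port)))
    return found

def telnet_findings(xinetd_text, ss_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if "telnet" in xinetd_enabled_services(xinetd_text):
        findings.append("xinetd: telnet service enabled")
    for addr, port in exposed_listeners(ss_text):
        findings.append(f"listener: {addr}:{port} (cleartext telnet)")
    return findings
```

On a real host, feed it the contents of `/etc/xinetd.d/telnet` and the output of `ss -tln`; an empty findings list means telnet is neither configured nor listening.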

Suffice it to say, an infected remote desktop could have uploaded a virus to the user’s home directory (shell access, grrr) on the Linux box, and then done some naughty stuff. So although the Linux box itself was not compromised, it was used as a conduit. Moral of the story? Leave shell access alone and use a client-server dev model.

News on Thursday from the States indicated that the US Marshals had been infected by a ‘mystery computer virus’. Yip, you got it right – mystery (according to the article author). I presume it’s a mystery because the US Marshals do not want everyone knowing they’ve been infected by Conficker or some other well-known virus. Marshals spokeswoman Nikki Credic indicated that ‘at no time was data compromised’. ??? How would she know this if it was a mystery virus? The mind boggles. You have to wonder why some of the largest security agencies in the world continue using a desktop OS that accounts for around 97% of the planet’s insecurities.

Kaspersky have found infections on manufacturer M&A’s Companion Touch netbook at their factory. The units were still in their packaging and ran Windows XP. The piece of malware was apparently spread through an infected USB stick that had been used to install Intel drivers on the machines. Well done Kaspersky (sarcasm)! For your information M&A, there is an alternate OS you can use on your netbooks (called Linux) that can prevent much (or even all) of this sort of thing happening. And another thing: why does your netbook cost $499? I can get a full-blown notebook for that price. Doesn’t the netbook label imply something small, light and cheap?