Re: [LUG] Banking trojan targeting Linux


On 08/08/13 21:51, bad apple wrote:
> On 08/08/13 21:35, Mark Evans wrote:
> > On 08/08/13 12:56, Daniel Robinson wrote:
> > > Run a virtual machine is my 2 pence... Perhaps somebody can say why
> > > this is good practice.
> >
> > You'd probably also want to be able to reset the VM to a known state
> > before doing anything. VMWare and VirtualBox have a "snapshot"
> > feature, you could copy the virtual drive file or run a "Live Distro"
> > from an ISO inside a virtual machine.
>
> That's exactly what he's talking about: using a known-good virtualized system that is snapshotted at suitable point(s) and is shut down after use without allowing the differencing disk to be written back. Every grown-up virtualization platform I know of, including at least Parallels, KVM, Xen, VBox, VMWare, Hyper-V, z/VM, QEMU and the rest have been able to do this forever - it's not a feature many use, for some reason.
>
> It's much faster, more secure and less lame than either booting a live media in a VM or fully rebooting the physical host with a live disk (which in 2013, is maximum fail unless you're doing it for disaster recovery of some kind).
>
> Disclaimer: I may know more about Daniel's security setup than most, as I may have given him some advice off-list. Maybe.
>
> Regards


I may be missing the point here, but if the snapshot has a security defect embedded in it (known, or more likely unknown at present) then surely you are loading the same defect every time you boot the VM snapshot. So eventually someone will discover said defect and exploit it, and your snapshot with it. IMO the older the snapshot, the more vulnerable it becomes.

True, the trojan dies when the machine is switched off, but it can be re-installed the second the machine is turned on again using the exact same security hole, given that the snapshot faithfully reproduces good and bad code alike every time it's started.

If I understand these bots correctly, once they infect a machine they call home to momma; failure to report in regularly would get an instant re-infection attempt from the "controller" using the same technique. DHCP might help here if your IP changes between reboots, but even this isn't that helpful as ISPs use ranges of IPs that are well known to crackers and users alike (whois). My DHCP IP address hasn't changed since the ISP's last crash, although my firewall/gateway has been rebooted numerous times since then.

Surely it would be better to keep your security fixes up to date, even if you run the risk of introducing new issues in the process? At least that way you are keeping the crackers' target moving.

Or perhaps you are suggesting keeping the snapshot updated with the latest security patches? Now that might make more sense (to me), but then keeping control of that process introduces admin headaches.

All I know is nothing's safe in the world of IT. Safety is an illusion. You develop an unhealthy(?) paranoia if you spend too much of your life working with computers.

I guess what I am really saying is don't get comfortable with the idea that a snapshot running on a VM makes you cracker proof.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
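The two halves of this exchange (bad apple's restore-to-a-known-good-snapshot workflow, and the reply's point that the snapshot itself needs re-patching or it carries the same hole forever) can be combined into one short script. This is an added example, not code from anyone on the list; it assumes VirtualBox's VBoxManage CLI, a VM named "banking-vm" with a golden snapshot named "clean", SSH access to the guest as "user@banking-vm.local", and apt as the guest's package manager. All of those names are illustrative.

```sh
#!/bin/sh
# Added example: throwaway sessions from a golden snapshot, plus a refresh
# step that re-patches the golden image instead of leaving it frozen.
# Assumed (not from the thread): VBoxManage CLI, VM "banking-vm", snapshot
# "clean", SSH to "user@banking-vm.local", apt inside the guest.
set -u

VM="${VM:-banking-vm}"
GOLDEN="${GOLDEN:-clean}"
GUEST="${GUEST:-user@banking-vm.local}"
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
PATCH_CMD="${PATCH_CMD:-sudo apt-get update && sudo apt-get -y upgrade}"

# Roll the powered-off VM back to the golden snapshot. Everything written
# since the last session, a dropped trojan included, is discarded here.
restore_golden() {
    "$VBOXMANAGE" snapshot "$VM" restore "$GOLDEN"
}

# Wait until the guest answers on SSH; give up after about five minutes.
wait_for_guest() {
    tries=0
    until ssh -o ConnectTimeout=5 -o BatchMode=yes "$GUEST" true; do
        tries=$((tries + 1))
        [ "$tries" -lt 60 ] || return 1
        sleep 5
    done
}

# Wait until VirtualBox reports the VM as powered off; snapshot operations
# fail while it is still shutting down.
wait_for_poweroff() {
    tries=0
    until "$VBOXMANAGE" showvminfo "$VM" --machinereadable \
            | grep -q '^VMState="poweroff"$'; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || return 1
        sleep 2
    done
}

# One throwaway session: restore, then start with a window. Nothing the
# user does persists past the next restore, but, as the reply notes,
# nothing gets patched either.
session() {
    restore_golden
    "$VBOXMANAGE" startvm "$VM" --type gui
}

# Refresh the golden image: restore it, boot headless, patch inside the
# guest, power off, and snapshot the patched state under a dated name
# that becomes the new golden. Deleting the old golden makes VirtualBox
# merge its differencing disk into the child, so the chain stays short.
# Prints the new golden snapshot name for the caller to record.
refresh_golden() {
    new="$GOLDEN-$(date +%Y%m%d)"
    restore_golden
    "$VBOXMANAGE" startvm "$VM" --type headless
    if ! wait_for_guest || ! ssh -o BatchMode=yes "$GUEST" "$PATCH_CMD"; then
        "$VBOXMANAGE" controlvm "$VM" poweroff
        return 1
    fi
    "$VBOXMANAGE" controlvm "$VM" poweroff
    wait_for_poweroff || return 1
    "$VBOXMANAGE" snapshot "$VM" take "$new"
    "$VBOXMANAGE" snapshot "$VM" delete "$GOLDEN"
    GOLDEN="$new"
    echo "$GOLDEN"
}
```

Run `refresh_golden` from cron (weekly, or whenever the distribution ships a security update) and `session` for day-to-day use. The refresh fails closed: if the guest never comes up or the upgrade errors out, the VM is powered off and the old golden snapshot is left untouched, so a half-patched image never becomes the new baseline.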