LINUX TIPS AND TRICKS --- June 09, 2000

Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************

Detecting Malicious Code
by Danny Kalev

Many malicious attacks are detected too late, if at all. A seasoned 
hacker won't necessarily leave a "Hacked!" note on your company's home 
page. Financial and military organizations are particularly prone to 
break-ins, in which hackers install an eavesdropping agent (e.g., a 
packet sniffer, a Trojan horse) or a virus on the target host. Hackers 
often know how to tamper with the system's log files to hide the traces 
of their break-in. What can you do to avoid this from happening? First, 
remember that prevention is the best defense. Make sure that your system 
doesn't have any weak links that hackers exploit:  usernames without 
passwords, passwords that are very short or easy to guess, or poorly 
configured authorizations. Still, these measures are useless once a 
hacker has already broken into the system and installed malicious code. 
What can you do now?

Object reconciliation is a reliable technique for detecting malicious 
code on your system. Object reconciliation is a process in which system 
objects such as files, directories, and devices are compared against 
themselves on an earlier date. A system administrator stores a snapshot 
information of the system and uses that information to compare the 
system's state at a later stage. Although backups can be used for this 
purpose, comparing complete files takes a long time. A better technique 
is to store only the checksum values of the system's files. For example, 
suppose you have a file called "defragment" that contains a disk 
defragmentation program. After installing the system, you collected the 
checksum values of all existing files, including "defragment", and 
stored these values in a special database. Later, a hacker broke into 
the system and tampered with this file. Consequently, an object 
reconciliation process will detect that the tampered file's checksum is 
different from its original checksum. Clearly, something is wrong here. 
You can delete the file and restore the original one from a safe backup. 

Object reconciliation must be performed regularly. Furthermore, it's 
advisable to store the checksum database on read-only media. The best 
time to create the checksum database is right after the system has been 
installed.

Currently, several object reconciliation tools are available for Linux. 
Most of them use the MD5 algorithm to compute a file's checksum as a 
128-bit "fingerprint". One such tool is AIDE (Advanced Intrusion 
Detection Environment), which is a GPL replacement for Tripwire(TM). You 
can find more information about AIDE and download it from 
http://www.cs.tut.fi/~rammer/aide.html.

************************************************************************

About the author
----------------
Danny Kalev is a system analyst and software engineer with more
than 10 years of experience, specializing in C++ and
object-oriented analysis and design on various platforms including
VMS, DOS, Windows, Unix, and Linux. His technical interests involve
code optimization, networking, and distributed computing. He is
also a member of the ANSI C++ standardization committee and the
author of ANSI/ISO C++ Professional Programmer's Handbook (Que,
1999). Contact him at linuxnl@excite.com.
 
*********************************************************************

CUSTOMER SERVICE

You can subscribe or unsubscribe to any of your e-mail newsletters by 
updating your form at: 
http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html?

For subscription changes that cannot be handled via the web, please send 
an email to our customer service dept: support@itworld.com

*********************************************************************

CONTACTS

* For editorial comments, write Heidi Carson, Managing editor,
Newsletters at: heidi_carson@itworld.com
* For advertising information, write Dan Chupka, Account Executive at:
dan_chupka@itworld.com
* For all other inquiries, write Jodie Naze, Product Manager,
Newsletters at: jodie_naze@itworld.com

*********************************************************************

Copyright 2000 ITworld.com, Inc., All Rights Reserved. 

http://www.itworld.com
