计算机病毒和入侵检测第四章课件.pdf

第4章Linux病毒技术 刘功申 上海交通大学网络空间安全学院 School of Cyber Science and Engineering • 本章的学习目标： • 了解Linux的安全问题 • 掌握Linux病毒的概念 • 掌握Linux下的脚本病毒 • 掌握ELF病毒感染方法 Linux安全吗？ • 一个最大的误区就是很多高性能的安全操作系统 可以预防计算机病毒。 • 另一个误区就是认为Linux系统尤其可以防止病 毒的感染，因为Linux的程序都来自于源代码， 不是二进制格式。 • 第三个误区就是认为Linux系统是绝对安全的， 因为它具有很多不同的平台，而且每个版本的 Linux系统有很大的不一样。 Linux病毒列表 • Slapper: The most dangerous Linux worm; its network -aware and in August 2002 it exploited a flaw in OpenSSL libraries in Apache servers with OpenSSL enabled. • Bliss: Also a well -known bug, it infects ELF executables, locating binaries with write access and overwrites those with its own code. • Staog: Considered the first Linux virus, it infects ELF executables. • Typot: A Linux Trojan that does distributed port scanning, generating TCP packets with a window size of 55808. • Mydoom : Windows worm have network propagation and process termination capabilities to launch a denial of service (DoS) attack on . • TNF ：A DDoS agent.Makes ICMP flood, SYN flood, UDP flood, and Smurf attacks. It also has the capability of installing a “root shell” onto the affected system. • R16.A: Delete file in the current directory.Overwirte /bin/cp, /bin/ls. Create /usr/SEXLOADER, /usr/TMP001.NOT. • RAMEN: The first virus in Linux. Overwrite all index.html in the system. Add two ftp account “anonymous and ftp” in the system. Add itself’s script in /etc/rc.d/rc.sysinit. rpc.statd (port 111/udp ) , wu-ftpd (port21/tcp), LPRng (port 515) • LINDOSE.A: A rare cross -platform scourge, able to jump Windows PE and Linux ELF executables. Its a proof-of-concept worm and has not hit the wild. • MSTREAM.MST : A DDoS agent. It will open TCP port 6732 and UDP port 9325. Create master and server files. • ADORE.A: A internet worm. Overwrite /bin/ps.