On Sat, 17 Jan 2004 08:43:52 MST, Bruce Ediger <eballen1@qwest.net> said:

> The commercial anti-virus people have never really addressed the
> lack of in-the-wild viruses for the unixes in general, and linux
> in particular. Or, back in the day, why didn't VMS suffer from
> a plague like DOS did and Windows does?

Google for '+VMS +WANK'. So it was certainly *possible* to create a VMS-based worm.

However, that was back in the Elder Days, when VMS and other dinosaurs still walked the earth in great numbers. And all the various systems in those days had minor outbreaks of things - there was the CHRISTMA EXEC and variants that plagued VM systems on Bitnet and VNET, the Morris worm that beat up on VAX and Sun-3 boxes, and a host of other things on other systems. But that was in the Elder Days.

And that's an important point - VMS didn't have a major worm problem mostly because in the days when it had market share, the number of black hats who had access was limited. Whoever released WANK had to get access to HEPNet first, which for 98% of the users out there was non-trivial. But once you got onto HEPNet, there were enough VMS systems to sustain a virus. On the other hand, even then DOS and Windows had a significant market share and information exchange (on floppies and BBS back then).

And that's the crucial point - the rate of information exchange with similar systems. Can your worm/virus contact another vulnerable system before it is eradicated on its current host? This is something that public health workers have understood for a long time - for many diseases it is *not* necessary to vaccinate 100% of the people, because a 95% or so rate is sufficient to keep it from getting an epidemic going. You're simply not likely enough to meet another vulnerable person while you're contagious.

Now, it's safe to assume that every black hat has Internet access, and can release a worm. However, due to monoculture effects, there are only a very limited number of operating systems and services that a worm can realistically exploit.

Windows? A worm won't starve. It will die of indigestion, and take out the net if it burps.

Linux? I strongly suspect that Lion was fairly close to as big as a Linux worm can possibly get - and it was nowhere near the size of most Windows worms.

Solaris? We've seen automated scans for rpc.ttdbserver exploits, and had clusters of machines all get whacked at once. There's ecological space for a slow-moving patient worm here...

HP/UX, AIX, Tru64? A worm *might* be able to survive on these platforms, but it would have to be very stealthy to survive on a given host long enough to actually find another host to jump to.

Other boxes like MVS, VM, VMS, HPE, and the like? The worm is almost certain to die of starvation and/or boredom.