On 3/6/2010 4:04 PM, nate wrote:
> if you can upload source code, you can upload a precompiled binary
True, but most attacks are automated, and try to attack as wide a range of machines as possible.
If I were to write a bit of malware for *ix that needed a custom binary on the target machine, I'd at least consider distributing it as C code, banking on the fact that most *ix systems have a C compiler installed by default these days.
The core assumption here is that it's easier to write C code for an *ix system that will compile on a wide range of OSes than it is to craft a binary that will run on as many systems. One of the biggest problems in the *ix world is a reliance on source-level compatibility. Other OSes -- Windows in particular -- take a different tack, providing ABI-level compatibility over the course of decades. That has pluses and minuses. For a malware writer, it means it's far more reliable to distribute binaries than C code.
That being said, I always find it to be a colossal PITA to work on an *ix system without a C compiler. Again, source vs. ABI-level compatibility. Too often, I need to install something that isn't available as a binary package for that particular system, or I need it to install in a nonstandard way, so I have to build from source.
You might find that this is one of those security risks you're prepared to accept. Just because you identify a risk doesn't mean you have to defend against it. You should always do the cost-benefit calculation before you decide.