Domain: big.net.au
Stories and comments across the archive that link to big.net.au.
Comments · 44
-
Re:This is arranging deckchairs on the Titanic
Listen to the low-karma slashdot troll Sheepdot. Sure, he says a lot of obviously wrong things and gets called out on it, and whenever he does he refuses to justify himself and just insults the people who catch him. This is a sure sign of a truly powerful security and voting systems expert.
I mean, what does Bruce Schneier know? The world comes to slashdot trolls for its opinions, after all.
How can anyone fail to sense your hidden genius in your appreciation for half-baked security tools that have a history of failure traceable as far back as Phrack articles from 1993?
Yes, ladies and gentlemen, only on slashdot can a whiny, obnoxious, ignorant baby like Sheepdot treat experts like assholes and still get a free education in return:
--
"More recently, other implementations of LKMs for hiding processes,
files, and directories have come about that can get around the above
described methods of defeating standard root kits, as well as
cryptographic checksumming programs like "tripwire" that must trust the
operating system to present them with valid bits from disc and memory.
The Hacker's Choice (THC) from Germany has write-ups on loadable
kernel modules for Linux, FreeBSD, and Solaris, which describe these
methods of hiding out on a rooted box:
http://www.thehackerschoice.com/papers/LKM_HACKING.html
http://www.thehackerschoice.com/papers/bsdkern.html
http://www.thehackerschoice.com/papers/slkm-1.0.html
TESO has another Linux LKM ("adore") along these same lines:
http://www.team-teso.net/releases.php
Using methods such as these, integrity checking programs like "tripwire"
and NIPC's "find_ddos" programs can be subverted, as the kernel could
not even be trusted to give correct results when searching process
tables, network structures, or file systems.
You might think that simply disabling LKM support in the kernel -- which
is still a good idea to improve security on a server whose configuration
will be stable -- is the final answer. Not exactly.
Another method of inserting code into running kernels -- even if LKM
support is not present -- is described by Silvio Cesare:
http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt"
--
Too bad you can't run tripwire to protect your brain, Sheep. LOL.
-
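An added example, not part of the comment above or of tripwire itself: a minimal tripwire-style integrity check in Python that snapshots mode, size and SHA-256 of every regular file under a tree, then reports what was modified, added or removed. The scenario in demo() is constructed (fake "binaries" in a temporary directory, one of which grows by 64 bytes the way a parasitic infector would enlarge its host). Every read here goes through open() and os.walk(), i.e. through the kernel, which is exactly the trust problem the quoted text describes: if the kernel has been patched to hand back clean bits, this checker reports nothing. The baseline therefore belongs on read-only or offline media, and verification is only meaningful when run from a boot environment you trust.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (mode, size, sha256) for every regular file under root.

    This snapshot is only as trustworthy as the kernel that served the bytes;
    take it on a known-clean system and keep it off the machine being watched.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(path, root)
            baseline[rel] = (stat.S_IMODE(st.st_mode), st.st_size, hash_file(path))
    return baseline


def verify(root, baseline):
    """Compare the live tree with the baseline and classify every difference."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, expected in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo():
    """Constructed scenario: snapshot a tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"\x7fELF-fake-ls"), ("cat", b"\x7fELF-fake-cat")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Simulated parasitic infection: the host file grows and its hash changes.
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"\x90" * 64)
        os.remove(os.path.join(root, "bin", "cat"))       # a missing file
        with open(os.path.join(root, "bin", "new"), "wb") as f:
            f.write(b"x")                                  # an unexpected file
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Mode and size are recorded alongside the hash so that a permission change on an otherwise identical file (a binary made world-writable, say) still shows up as modified.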
Re:Am I the only one
I think a simple "virus-writing-HOWTO" on google give an idea of how many people can do it... Thanks to Silvio http://www.big.net.au/~silvio/, Good-ay Mate !!!
-
Re:Head in the sand?
UNIX doesn't have this brain damage, thankfully, making it a lot more difficult.
You might want to actually check your assumptions...
From this page:
"* VIT The VIT Virus is a Linux x86 parasitic virus that infects ELF executables by using the padding of the text segment. For replication, direct infection via attempted infection of executables in the current directory is employed. This virus is documented in the article UNIX ELF VIRUS AND PARASITES. The name of this virus by curiosity was given by the people at FProt who noticed the virus created a temp file using the letters VIT."
&sign($AC[0]);
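An added example, not code from the comment above or from the quoted page: a small ELF64 audit in Python that flags a binary whose entry point lands in the padding of the text segment, outside every allocated section, which is where the quoted description says VIT stores itself. The image it audits is constructed inline (section names, offsets and the 0x400000 base are made up) and is not a runnable program; the parser itself works on ordinary little-endian x86-64 ELF files.

```python
import struct
import sys

PT_LOAD, PF_X = 1, 0x1
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")           # 56-byte program header
SHDR = struct.Struct("<IIQQQQIIQQ")         # 64-byte section header


def parse_elf64(data):
    """Return (e_entry, program headers, [(name, section header), ...])."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, _, _, _, entry, phoff, shoff, _, _,
     phentsize, phnum, shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    sections = []
    if shdrs:
        strtab = shdrs[shstrndx]                     # .shstrtab holds the names
        table = data[strtab[4]:strtab[4] + strtab[5]]
        for sh in shdrs:
            sections.append((table[sh[0]:table.index(b"\0", sh[0])].decode(), sh))
    return entry, phdrs, sections


def audit_entry_point(data):
    """Findings about where e_entry lands; an empty list means nothing odd."""
    entry, phdrs, sections = parse_elf64(data)
    findings = []
    # p_type=0, p_flags=1, p_vaddr=3, p_filesz=5
    in_exec_seg = any(p[0] == PT_LOAD and p[1] & PF_X and p[3] <= entry < p[3] + p[5]
                      for p in phdrs)
    if not in_exec_seg:
        findings.append(f"entry 0x{entry:x} is outside every executable PT_LOAD segment")
    # sh_flags=2, sh_addr=3, sh_size=5
    holder = [(name, sh) for name, sh in sections
              if sh[2] & SHF_ALLOC and sh[3] <= entry < sh[3] + sh[5]]
    if not holder:
        # Code that runs from the gap between the last section and the end of the
        # segment is the text-padding infection pattern described on the page.
        findings.append(f"entry 0x{entry:x} lies in segment padding, outside every allocated section")
    else:
        name, sh = holder[0]
        if not sh[2] & SHF_EXECINSTR:
            findings.append(f"entry 0x{entry:x} is in non-executable section {name}")
        elif name != ".text":
            findings.append(f"entry 0x{entry:x} is in section {name}, not .text (check manually)")
    return findings


def build_sample_elf(entry):
    """Constructed ELF64 image: one RX segment, a 16-byte .text, and .shstrtab."""
    base, text_off, text_size, shstr_off, shoff = 0x400000, 0x80, 0x10, 0x100, 0x200
    shstr = b"\0.text\0.shstrtab\0"
    code = b"\xb8\x3c\x00\x00\x00\x0f\x05".ljust(text_size, b"\x90")  # exit(0); nops
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 2, 62, 1, entry, 64, shoff, 0, 64, 56, 1, 64, 3, 2)
    phdr = PHDR.pack(PT_LOAD, 5, 0, base, base, 0x200, 0x200, 0x1000)
    shdrs = SHDR.pack(*([0] * 10))
    shdrs += SHDR.pack(1, 1, SHF_ALLOC | SHF_EXECINSTR, base + text_off, text_off, text_size, 0, 0, 16, 0)
    shdrs += SHDR.pack(7, 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)
    img = bytearray(shoff + len(shdrs))
    img[0:64], img[64:120] = ehdr, phdr
    img[text_off:text_off + text_size] = code
    img[shstr_off:shstr_off + len(shstr)] = shstr
    img[shoff:] = shdrs
    return bytes(img)


if __name__ == "__main__":
    # Audit a real file if given, else the constructed image with its entry moved
    # 16 bytes past the end of .text, into the segment's padding.
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(0x4000a0)
    for line in audit_entry_point(target) or ["no entry-point anomaly found"]:
        print(line)
```

A section-table-based check like this is a heuristic: section headers are optional for loading and an infector can rewrite them, so treat a clean result as "nothing obvious", and pair it with the segment-level check and a file-hash baseline rather than relying on it alone.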
-
Re:Root isn't a barrier any more
even then, you don't need root.. if your average user is downloading binaries then one infected binary can infect all their binaries.. give one of those binaries to a friend and you have an active virus. I think viruses will really take off when binary distributions become commonplace and warezing starts happening.
-
Re:Herd effect
The herd effect stuff is interesting.. anywhere online that I can read about its effects on computer viruses? I think this is a hurdle and virus programmers will just get smarter and make it harder to detect that you are infected. Downloading binaries is pretty popular, even now, and will get more popular in future. Jumping from user to root is not a great problem, if the user su's.. using exploits is bad.. it sets off alarm bells and ties the life of the virus to the exploit. code that automatically searches for exploits is a damn hard idea (and possibly an example of the halting problem?). There is some great research going into computer viruses that will answer a lot of these questions and pose solutions.
-
Re:Linux Viruses
that's stupid.. the virus spreads because people copy the binaries from one machine to another.. why would you copy an x86 binary to a ppc box? You wouldn't! Thus you could write an x86 ELF infector and it would spread to every box that someone copied infected binaries to. Yes, it is not going to jump to a PPC box but who the hell said it would? Does it even make sense that it should? here is your virus and it is mainly C, you can recompile it for any linux box you want (oh.. and fuck a.out, who the hell needs it.. ELF is everywhere).
-
Re:No Virus == No Anti-Virus software
there are linux viruses, they are just not spreading. Anti-virus research for linux must be supported now to ensure there will be a defense when linux viruses do start to spread.
-
Re:By his logic, we already do have Unix Virii
there are linux virii and quite interesting ones.. is the world plagued by them? no.. is it ever likely to be? maybe.. it really depends on how many young coders start joining the linux bandwagon (it is usually beginner and inexperienced coders who find spreading viruses entertaining).. Will we have a defense? Only if we support virus authors and researchers.
-
Re:Maybe the software isn't ready but some users a
unless you get down with gdb then you don't know squat. redhat could get infected (especially seeing we all know linux viruses don't exist) and give a copy of it to everyone.
-
Re:How to get infected using Linux...
hehe.. more like:
calvin:~$ wget http://somesite/pointlessgadget.tgz
calvin:~$ tar -xzvf pointlessgadget.tgz
calvin:~$ cd pointlessgadget
calvin:~$ ./configure
calvin:~$ make
calvin:~$ ./pointlessgadget
"that was boring.. I'm gunna go shoot stuff"
calvin:~$ su
calvin:~$ /usr/leet/leetgame
pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peeked at your pseudoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.
Fiction? You can do it using ptrace. You can read about it here.
-
Re:Don't run as root.
you don't have to be root to spread. Modern linux viruses don't run as root, they don't infect the kernel, they follow the user and snarf authentication passwords. So when you download that game and run it as user "safedude" and it says "this game must run as root" and su to root, it is sitting there snarfing your pseudoterminal for the root password. It then spawns its own su, enters the root password and infects every running process. Even if you only su to "safedude2" it will follow you there too, and all the executables you run as safedude2 that are writable (or owned by safedude2 and can be chmod()'d) will be infected.
-
Re:Would it be possible to "listen" to the keyboar
not the keyboard, the pseudo-terminal. snarfing authentication tokens is a way to jump from user to user and yes, to root. The technique is follow the user and it is what modern linux viruses are about.
-
Re:Pre-, not post-protection! readonly systems
so as a normal user I don't have the right to run a program.. what the hell is this? windows nt corporate workstation? 1. You don't need root for a virus to spread 2. You don't need to infect the kernel for a virus to spread. An ordinary user (not a dumb or stupid user but just your average joe linux user) can get a virus, compile some code and it is in that new binary as well. Give that binary to someone else and it will spread. Who copies binaries? Average users. If your distributor gets a virus and compiles a binary release, you have a virus on lots of machines.. that's lots of users spreading that virus. linux viruses exist and are quite well written. No-one spreads these things because it is research. It is an arms race. If this research is forced underground then we revert to the old model, of 3 or 4 companies carteling a product that does a half-assed job. Base level security is a must, but not at the expense of usage.
-
Re:Stupidity
viruses aren't about destruction.. you have been duped by the anti-virus corporate world.. "viruses are evil.. if you get a virus you will instantly lose your harddrive!!".. viruses are about research.
-
Re:This is a Hot Grits Topic!
check out http://www.big.net.au/~silvio/.. you can infect a user as non-root, follow that user around, snarf their authorization tokens and move on. As for damage, viruses aren't about damage.
-
correction :)
linux viruses have been created. They don't run around infecting people because of the popularity problem. The people with the skills to program linux viruses are not interested in releasing them into the wild. They want to understand the various ways that a linux virus can spread and develop tools to stop that spreading. One day there will be enough people coding on the linux platform to find those few who like to cause people grief. Hopefully the anti-virus software will be far enough ahead to thwart them.
-
Re:Linux doesn't have enough popularity yet
-
Re:Viruses are NOT a problem.
you don't need root to spread, you don't need to modify the kernel and you probably shouldn't. Modern linux viruses are about following the user around.
-
Re:anti-virus software
modern linux viruses do not run as root. They run as the user and follow them around. As for the interactive password, it's an authorization token, the virus can snarf it and pretend to be the user.
-
Re:Virus scare on false assumptions
not true. linux viruses are not prevalent because the technical skill required to write them comes from people inside the linux community. These people feel a desire to gain knowledge, not vandalize and hassle other people. Kevin Kelly said "viruses are a critical part of all complex systems", the belief that viruses can only thrive on naive systems is, well, naive. The human body is not exactly naive, nor is the whole web of life. You can check out modern linux virus research at http://www.big.net.au/~silvio/. Programmers who get infected with a linux virus and then pass it on would not be shunned by society, probably they would just be kindly informed that they were infected and then post an apology and a clean distribution.
-
Re:Linux Virii whole different ballgame
not true.. if you infect the programmer then you can infect the distribution, then you can infect the user and the user can infect the programmer. Follow the user, use the user's authorization tokens, forget exploits, forget kernel. Check out modern linux virus technology: http://www.big.net.au/~silvio/
-
Re:Simply not true
yes.. we can deal with viruses faster and better than anti-virus companies can (microsoft aint got nuffin to do with it.. they just make the crappy software that gets infected) but only if computer virus research is supported and not forced underground. There is a lot of linux virus research going on with the hope that we can develop a good immune system to linux. You can read about some techniques at http://www.big.net.au/~silvio/
-
Re:Idiot, moron, retard
1. There are lots of "userland" windows viruses.. in win32 virus talk these are called "ring-3 infectors", you don't need root and you don't need to attack the kernel. 2. There are a number of very good - and viable - linux viruses. They are simply not spread because they are research, they are an investigation of a problem with the hope of developing a solution. You can read about them at http://www.big.net.au/~silvio/
-
Re:The nature of the virus writer
writing a linux virus is hard, but challenging.. there are a whole suite of new techniques to learn and explore. Check out http://www.big.net.au/~silvio/ for three linux viruses that do not run as root and do not infect the kernel. The golden rules of linux viruses are:
- Follow the user
- Don't use exploits, the virus will only last as long as the exploit!
- snarf authorization tokens
- Follow the user
-
Re:Voodoo Virus?
viable linux viruses are more than possible, they are written. check out http://www.big.net.au/~silvio/ for three.. I happen to know for a fact that this isn't even the total of this individual's research. He is currently on a holy quest to stop "oppression" and hasn't posted his latest code. Windows is getting boring, people don't copy binaries anymore (unless they're setup.exe which gets a bit tiresome), so linux, with its unfashionable but existing binary distributions is a new target.
-
Re:Wasn't there a virus once before in Linux...
modern linux viruses do not run as root.. they do not use exploits and they do not infect the kernel. Modern linux viruses are about following the user. You can read about recent linux virus research at http://www.big.net.au/~silvio/.. this is the first step to making a viable defense system to viruses. One must understand viruses to defend against them. I don't think you have to be "stupid" to get a computer virus (though it doesn't hurt).
-
Re:Digital Signatures.
digitally signing something is something that is done by a user - the programmer who develops the binary. If the binary is infected then the programmer has just signed the virus. This is the point of modern linux viruses, follow the user.. go with them everywhere and get in on everything they do with binaries. If you are going to communicate with binaries (and that includes giving, selling and chatting) then you are going to spread viruses. A lot of interesting linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:An EFFECTIVE Linux virus is very difficult
all good points.. but just things to get around. As linux becomes more popular binary distributions will become common. Download a binary that has a virus and run it as a normal user. Now you can infect every process that is currently running by that user, not the binary, the process. Everything that user touches that has executable and writable permissions will be infected. Let's say the user now compiles some code, that binary will be infected, the user puts the binary into a tar ball and shoves it onto their ftp site for distribution.. the virus spreads. This is just file infection. When you add to that gathering authorization tokens and other methods of "following the user", an effective virus can be written and has been. You can look at the source, and hopefully the idea will not scare you so much that people like Mr Garfunkel drive this research underground. check it out:
http://www.big.net.au/~silvio/
-
Re:UNIX (and Linux) viruses - the real story
you make some good points in your article. But most of the things you say stop viruses are just hurdles, things to get around. There is research into getting around these hurdles and then battling those techniques. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:its not the OS guys, its the user...
I really don't think you have to be clueless to get a virus. The problem is that people do distribute binaries or users don't look at the source code they are compiling. Modern Linux viruses do not use exploits to spread. It's all about following the user. Going where they go, snarfing their authorization tokens and infecting every binary they have write permissions to (in the hope that someone else will run it). The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Hard to imagine
thank you! thank you! No.. there aren't really any computer viruses.. they are written, they do not spread.. macro viruses spread and email worms spread.. but they are signs of poor understanding or apathy on behalf of users. most computer virus authors write viruses for the sake of understanding the technology. Spreading computer viruses is considered taboo in the computer virus community. linux is no exception. there is a lot to be learnt about linux viruses, and yes they are possible. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Viruses will come...Free Software isn't ready!
sticking your head in the sand is no way to defend against "a plague of viruses". Writing viruses is the only way to actively discover how it is possible to defend against them. A lot of linux viruses have already been written by very smart people and most have a scanner written for them too. Every virus developed introduces new information that can be added to a "generic scanner". Open and intelligent discussion of virus techniques is the solution to computer viruses.. on all platforms.. but the corporate antivirus companies don't want you to know that. They want you to subscribe to virus bulletin (a $5000/year subscription) and join the international computer antivirus standards body Caro (to join Caro you must be unanimously voted into Caro by current members. All current members are antivirus companies (or their founders) and have an interest in not voting you in - less competition). Don't let the anti-virus scam continue onto the linux platform. Do some research, address the problems. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Fighting Virus
that's right.. an open community can do more to defend against viruses than an antivirus company ever could. The first step is to admit that it is possible and investigate the ways that it could be done. Many linux viruses have been written and most have a scanner written for them too. Every new virus provides information for a "generic scanner". The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Reasons enough
kind of abusive aren't we? Writing viruses is no simple task (I exclude macro viruses.. there's a legal requirement that you shove your head up your own arse before you can write a macro virus). Now spreading a virus is simply stupid.. you gain nothing from it and make people's lives hard. Writing viruses is just as hard as uncovering a security flaw and writing an exploit.. if not harder.. do some research before you preach. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:reason for lack of linux viruses
good points.. but I don't think you need to be "dumb" to get a virus.. you do have to be "dumb" to pay for a product to get rid of a virus that will probably cause you no trouble if you just leave it the hell alone. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Open World
bah.. willfully infecting people is bad (m'kay) but what I program on my own computer is my business. Viruses are damn interesting and writing viruses is the first step to defeating them. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Of course it is...
viruses can spread as non-root too! the most interesting linux virus trait is to gather authentication tokens to increase the yield of program infection. Someone su'ing to root is a godsend if a virus can simulate a getpass().. infect /bin/ls and you have the entire system. Then it's a matter of getting off that system and onto another.. this is where the line is blurred between virus and worm. Infection (and residency) is really about following the user.. go where they go and you will find others to infect. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Remember the Worm!
virus != worm.. though when it comes to linux we will really start to blur that line.. the Internet worm mainly spread by the finger exploit.. but the strength was that exploits were commonly unfixed and there were a lot of them. Modern viruses do not rely on exploits to propagate.. in windoze virus terminology, most linux viruses are "ring-3" (commonly called userland), not "ring-0" (kernel). The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Possible.
oh please.. excluding macros, when was the last time you had a virus on your windows box? most people would say never.. even with the latest whizz-bang virus protection software.. wake up.. it's a scam. Antivirus companies make false claims about how dangerous viruses are and how effective their product is.. most viruses do not spread.. they are written purely out of interest or to be a part of the "virus community". Linux is no exception (or any other platform for that matter.. take palm os, win ce, mobile phones).. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:Hmmm...
absolutely right.. there is no "secure" way to stop a wayward program from modifying your kernel once it has root.. that's the point of root, if you have it you can do anything. There are things you can do to reduce it.. like getting rid of /dev/kmem and randomizing the position of the syscall table. Increasing apparent security of linux is something good that can come out of virus research. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:It will happen - but not as bad as windows
really the key here is to keep linux viruses open source and support linux virus developers.. it's really quite comparable to the biological warfare debate.. if your own people aren't making them then how will you know how to combat what the enemy is doing? The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Re:How?
modern linux virus technology does not use exploits.. that's rule number one.. a virus that is based on an exploit will last as long as the exploit.. modern viruses follow the user and attempt to gather authorization tokens. The most revealing linux virus research can be found at:
http://www.big.net.au/~silvio/
-
Australia = the virus capital