Slashdot Mirror


Cross-Platform Pseudo-Virus: Don't Panic

spam-it-to-me-baby writes: "It's only based on one reported sighting (i.e. it could be bulls**t), but anti-virus software hacks Central Command say they have found the first Windows/Linux cross-platform virus. It appears only to be a proof of concept with no malicious payload, and targets Windows PE files or Linux ELF files once it recognises the infected OS." There are stories at CNET and at Wired as well, not to mention at NewsForge. Despite the Wired story casually saying so, though, this is anything but an "equal opportunity" virus, except in that it seems to infect multiple media sources without discrimination. When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

202 comments

  1. Unknown programs by egon · · Score: 1

    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Every day. I have not personally looked at the source for the vast majority of the daemons I use on all my linux boxes.
    --
    Give a man a match, you keep him warm for an evening.
    Light him on fire, he's warm for the rest of his life
    1. Re:Unknown programs by einstein · · Score: 1

      but people more paranoid than both you and I sure have, and where would we be without the paranoids?
      ---

    2. Re:Unknown programs by brunes69 · · Score: 2

      Are these daemons *.EXE files that can also run as a windows executable? No? I didn't think so.

    3. Re:Unknown programs by jmcglothlin · · Score: 2

      I would assume that you downloaded all these daemons from reputable sources not as email attachments. This is also why most software is pgp signed.

    4. Re:Unknown programs by Anonymous Coward · · Score: 2

      So installing the new 3l337 version of "/sbin/init" that someone sent me isn't a good idea then?

  2. False Safety by Jethro73 · · Score: 3

    An article from Reuters about it:

    Reuters

    Central Command says it has developed a cure for the virus at its Web site (Avx.Com).

    Jethro

    --
    Quidquid latine dictum sit, altum viditur.
    1. Re:False Safety by Jethro73 · · Score: 1

      Forgot to mention the Intel preference for this virus -- it doesn't infect Sun hardware... how about AMD?

      Jethro

      --
      Quidquid latine dictum sit, altum viditur.
    2. Re:False Safety by Doctor+Memory · · Score: 1

      I would guess it would take to AMD, but PowerPC systems should be OK.

      --
      Just junk food for thought...
    3. Re:False Safety by terrymah · · Score: 1

      The article mentions it's written in assembly, so it would run on any x86 compatible processor including Intel, AMD, Cyrix, etc. Sun, PowerPC and the rest would be ok if the article is correct.

    4. Re:False Safety by ichimunki · · Score: 1

      Except that PowerPCs are not x86 chips.

      --
      I do not have a signature
    5. Re:False Safety by ichimunki · · Score: 1

      Oops. I misread your post. You didn't include Sun and PowerPC in the x86 category. I'm sorry!

      --
      I do not have a signature
    6. Re:False Safety by Grab · · Score: 2

      Depends. AMD and Intel were identical up to the 486, but Intel added extra commands to the Pentium. So it depends if the beasty only uses x86 code or whether it uses any Pentium-specific extensions. IIRC the Pentium-specific stuff was all about throwing data around quickly so I doubt those extensions would be relevant to a virus - in which case AMD would be vulnerable.

      But it definitely won't corrupt files on your Sun, PowerPC, Mac or Amiga. Might crash it though - the code wouldn't make much sense on those platforms, which might have some odd effects.

      Grab.

    7. Re:False Safety by Charm · · Score: 2

      Actually it is possible to be quite tricky if you write in machine code. Here is what you do assuming we are using 68K and X86 code for this example.

      At the start of the program in 68K code you write a jump that goes to the 68K executable part of the program. But by choosing just the right machine code instructions an X86 CPU will skip your 68K code and then go on to an X86 executable and voilà, you have a cross-CPU virus loader. I did concept work on this once and it does work but I don't remember it anymore and don't ask.

      --
      -- RTFM:Slackware::Beer:Saturday
  3. RedHat reported it as well. by wmulvihillDxR · · Score: 1

    RedHat has two links on their front page at redhat.com. Maybe they got scared, although there really isn't anything to be scared of with this particular virus. It is kind of cool that it afflicts PE and ELF files.

    --
    Check out Althea for a stable IMAP email client for X. Now with SSL!
  4. Not a virus, not a worm by jamiemccarthy · · Score: 1
    As far as anyone can tell, this code does not propagate itself over the internet at all. It spreads to other applications on the same machine. That means only computer labs are vulnerable - Linux computer labs in which everyone gets root access, and I don't expect there are very many of those.

    When was the last time you copied a binary executable from one Linux machine to another, and then ran it on the second machine as root?

    Code that has to be spread manually is not a "virus." Code that exists only on one machine (!) is not a virus. This code is as much a "virus" on Linux as that text: "hi, I'm an email virus, copy me into your sig!" Reporting it as a "virus" is very irresponsible of Reuters.

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

    1. Re:Not a virus, not a worm by Stormie · · Score: 4

      Code that has to be spread manually is not a "virus."

      It doesn't have to be spread manually. Read the analysis - it searches for Windows PE exes and Linux ELF exes and infects them.

      However, the analysis states that this virus only searches for and infects executables in its own directory and parent directories. This to me seems fairly harmless. If you were emailed a program infected with this virus, it would surely only infect your temp directory (and root dir, but who would have executables there?) And as you say, this one doesn't propagate over the internet, so the only way you're likely to catch it is running an infected prog emailed to you.

      But as they say.. it's a "proof of concept". Where I work, we had a hell of a time with a virus that checked machines in the network neighbourhood for open shares (this was a Windows virus of course) and then searched them for executables to infect. Watch for a virus which can infect Windows exes and Linux ELF exes like this one, but which also aggressively searches shares, NFS mounts, etc. for more files to infect.. that might be something to take more seriously..

    2. Re:Not a virus, not a worm by Hater's+Leaving,+The · · Score: 1

      To be "proof of concept" there needs to be proof.
      I have yet to see proof, only rumour.

      Yes, I am a cynic, do you have a problem with that?

      THL.
      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    3. Re:Not a virus, not a worm by Anonymous Coward · · Score: 2

      http://benny29a.kgb.cz/viruses/winux.msg

    4. Re:Not a virus, not a worm by kaphka · · Score: 4
      Code that has to be spread manually is not a "virus."
      Sigh... well, I guess it's finally time for me to stop clinging to the proper usage of the terms "virus", "worm", and "trojan". I got all excited when I saw this article, because it was the first time in years that I had heard of a real virus, and not just another trojan or worm... and sure enough, I see arrogant slashdotters (-1 redundant) complaining about it.

      Fine, I give up. Language evolves. But you're still getting smacked if I ever hear "worm virus" again.
      --

      MSK

    5. Re:Not a virus, not a worm by boing+boing · · Score: 2

      I guess you were not really around when viruses were mostly spread by floppies? Was that really all that long ago?

    6. Re:Not a virus, not a worm by Hater's+Leaving,+The · · Score: 1

      Thank you.
      I shall give that a peruse over coffee later...

      THL.
      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    7. Re:Not a virus, not a worm by Stormie · · Score: 2

      To be "proof of concept" there needs to be proof. I have yet to see proof, only rumour.

      Ah, fair enough. OK, if it's not a proof of concept, it is surely at least a concept. And since it is a concept which seems to me to be perfectly possible, I'm sure that even if this virus is not genuine, other virus-writers will pick up the concept and one day soon there will be one that is.

      Yes, I am a cynic, do you have a problem with that?

      Not at all.. it's just that there is such a strong Slashbot response to scream "LIES!" whenever the words "virus" and "Linux" are mentioned in the same sentence. It irritates me, and if I'm irritated, I might not be thinking clearly, and might mistake cynicism for zealotry.

    8. Re:Not a virus, not a worm by Hater's+Leaving,+The · · Score: 1

      Indeed. Which is why my reply is more a 'show me' than anything else. I'm a 'full disclosure' kind of guy, and I like details. Details which were lacking in the report.

      I've posted to this thread regarding the fact that there are linux viruses already elsewhere. If you hunt that post down, you'll see how knee-jerk my reaction is from my own follow up to myself!

      THL.
      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    9. Re:Not a virus, not a worm by Shotgun · · Score: 2

      (and root dir, but who would have executables there?)

      Think COMMAND.COM

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    10. Re:Not a virus, not a worm by bare_naked_linux · · Score: 1
      I'm not 100% sure, but due to the description, it seems as though this virus could be spread throughout a network on Windows systems via mapped drives or Linux systems via mounted nfs drives.

      True, this virus does not actively attack network shares, etc, but that does not mean that it cannot be readily spread throughout a network.

      --
      Unscrample my email, win a prize.

    11. Re:Not a virus, not a worm by Erasmus+Darwin · · Score: 2
      As far as anyone can tell, this code does not propagate itself over the internet at all. It spreads to other applications on the same machine.

      Err, last I checked, that pretty much made it a virus. Check out the alt.comp.virus FAQ, specifically question 3. This code hits all of the criteria. It's worth pointing out that merely infecting applications on the same machine is how a lot of older viruses (before the Windows-based email worms became popular) spread themselves. This is, more or less, one of the "classic" virus types.

      Furthermore, while I don't disagree that the built-in security of Unix greatly restricts the flow of viruses, a cross-platform virus could wreak some serious havoc. A quick "find ~ -name \*.exe -print | wc -l" indicates that I've got 42 DOS executables sitting in my home directory. Some of these are for DOSemu, some are old files that'll never get run again (leftover CGIs from when work's website was NT-based), and a few sets of drivers that I downloaded for machines I was fiddling with. While I probably don't have anything to worry about in this case, it's not that hard to abstract it out to a case where it would spread.

      Finally, even if the virus completely failed to spread on any and every Linux platform (which, IMO, is overly optimistic), its behavior on Windows would still classify it as a virus.
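Added example (not part of the thread): the `find ~ -name \*.exe` count above goes by file extension, while the PE/ELF distinction discussed in this thread is made from header bytes. The sketch below inventories a directory tree by magic number, reports the CPU each binary targets, and notes whether the current user can write to it; the sample files are constructed header stubs, and all function names are this example's own.

```python
import os
import struct
import tempfile

# e_machine (ELF) and Machine (PE/COFF) values for a few common CPUs.
ELF_MACHINES = {2: "SPARC", 3: "x86", 20: "PowerPC", 40: "ARM", 62: "x86-64"}
PE_MACHINES = {0x014C: "x86", 0x01C0: "ARM", 0x8664: "x86-64"}


def classify(path):
    """Return (format, machine) from the file's header bytes, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if head[:4] == b"\x7fELF" and len(head) >= 20:
                # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian.
                endian = "<" if head[5] == 1 else ">"
                (machine,) = struct.unpack_from(endian + "H", head, 18)
                return ("ELF", ELF_MACHINES.get(machine, hex(machine)))
            if head[:2] == b"MZ" and len(head) >= 64:
                # e_lfanew at 0x3C points at the "PE\0\0" signature, if any.
                (pe_off,) = struct.unpack_from("<I", head, 0x3C)
                fh.seek(pe_off)
                sig = fh.read(6)
                if len(sig) == 6 and sig[:4] == b"PE\0\0":
                    (machine,) = struct.unpack_from("<H", sig, 4)
                    return ("PE", PE_MACHINES.get(machine, hex(machine)))
                return ("MZ", "DOS")  # plain DOS executable, no PE header
    except OSError:
        return None
    return None


def inventory(root):
    """List every ELF/PE/DOS executable under root as
    (relative path, format, machine, writable by current user)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            kind = classify(path)
            if kind is not None:
                rel = os.path.relpath(path, root)
                found.append((rel, kind[0], kind[1], os.access(path, os.W_OK)))
    return sorted(found)


def build_samples(root):
    """Write constructed, header-only sample files (not real programs)."""
    ident = b"\x7fELF"
    samples = {
        "bin/tool": ident + bytes([1, 1, 1]) + b"\0" * 9 + struct.pack("<HH", 2, 3),
        "bin/tool-ppc": ident + bytes([1, 2, 1]) + b"\0" * 9 + struct.pack(">HH", 2, 20),
        "dos/setup.exe": b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
        + b"PE\0\0" + struct.pack("<H", 0x014C),
        "dos/old.exe": b"MZ" + b"\0" * 62,
        "dos/notes.exe": b"just text\n",  # .exe by name only
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed samples in a temp dir and inventory them."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return inventory(root)


if __name__ == "__main__":
    for rel, fmt, machine, writable in demo():
        state = "writable" if writable else "read-only"
        print(f"{fmt:3} {machine:8} {state:9} {rel}")
```

Binaries reported as writable by an ordinary account are the ones a file infector running as that account could modify; root-owned system binaries would show as read-only.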

    12. Re:Not a virus, not a worm by mindstrm · · Score: 2

      It most certainly is a virus. The traditional virus is always spread by human action. The 'viral' nature involves attaching itself to executables so that when the executable is run, the virus then replicates to other executables. Later virii had memory-resident portions and such.

      Something that moves from computer to computer on a network is a worm.

      Something that spreads from executable to executable, using the executable as a primary launch mechanism is a virus.

    13. Re:Not a virus, not a worm by Octal · · Score: 1

      A virus is any file which infects other files, and propagates by the people distributing infected files. So this would qualify as a virus. This is how viruses used to propagate back in the olden days before we had macro worms that did our propagating for us.

      And yes, this is definitely not a worm.

    14. Re:Not a virus, not a worm by Zebbers · · Score: 1

      the majority of trojans contain virii :P

    15. Re:Not a virus, not a worm by Delphis · · Score: 1

      Ah yes, the good old bootblock viruses .. I even remember a bootblock virus detector/cleaner too. I grew up on Amigas, amusingly enough to most I assume. Bootblocks were great for lots of things. I forget how big they were.. first 512 bytes of the disk?

      It does *seem* like a long time ago that it was all floppy disks and I didn't even own a hard drive.. Ah well, times change... rapidly. I'm nearly 25 and I feel like an old sage when thinking about doing things with computers 10 years ago.

      --
      Delphis
    16. Re:Not a virus, not a worm by EvilIdler · · Score: 1

      >Ah yes, the good old bootblock viruses .. I even
      >remember a bootblock virus detector/cleaner too.
      >I grew up on Amigas, amusingly enough to most I
      >assume. Bootblocks were great for lots of things.
      >I forget how big they were.. first 512 bytes of
      >the disk?
      1024 bytes (two blocks), actually ;)

      I learned 680x0 assembler from disassembling these
      beauties. Started with the S.C.A. virus
      ("Something wonderful has happened..."), then went
      on to other bootblock viruses and antivirus tools.
      There was even a viruskiller that hooked into the
      memory like a virus, except it got priority over
      everything. Never managed to decode that thing :(

    17. Re:Not a virus, not a worm by Delphis · · Score: 1

      Ah yes, 2 blocks. That does sound more familiar. Thanks for pointing that out :)

      It's been such a long time since I even thought about Amiga floppies. Ah well, good days they were. :)

      --
      Delphis
  5. Huh? Oh yeah, sure.... by BMazurek · · Score: 1
    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Well, I haven't been getting enough sleep lately...

    "You want me to what? Okay sure. But then can I sleep?"

  6. Actually... by Scoria · · Score: 1

    "Wide Open" reported it, not RedHat. That's a news grabber.

    --
    Do you like German cars?
    1. Re:Actually... by wmulvihillDxR · · Score: 1

      Correct. Sorry. I meant RedHat posted it. Not actually found the virus and was the first to break the news.

      --
      Check out Althea for a stable IMAP email client for X. Now with SSL!
  7. Virus Source by bonzoesc · · Score: 4
    Rumor has it that the virus is spread by upper management, so let's look at the source:

    GET FREE MONEY!!! You can get a lot of FREE MONEY if you send this file to everybody in your address book and delete all the files on your computer! Do it! All the cool people are doing it!!!!

    Tell me what makes you so afraid
    Of all those people you say you hate

  8. I'll believe it... by siliconghetto · · Score: 1

    when I see it. Besides different file systems inherent in the two OS's, they have different enough hierarchical architectures that something that will affect Windows one way will not affect Linux in the same way. Any virus will become malicious if the user is irresponsible with their own system (e.g. logging in as root).

    There are no bad virii, just bad users.

    --
    ========================== pipe(13) -- can you figure it out?
    1. Re:I'll believe it... by Stormie · · Score: 1

      ..when I see it.

      I have no idea whether this virus is real or not, but there is nothing about it which is not possible.

      Besides different file systems inherent in the two OS's

      How many of you dual-boot and have your Windows partition mounted under Linux? I certainly do. So a virus could simply spread from my Linux installation to my Windows - a virus only needs to be able to read and write files, it doesn't care that the directory /mnt/windows is a FAT filesystem rather than an ext2 one. Going the other way would be trickier - but a virus (not this one) could search NFS mounts or SMB shares (which, of course, could be on Linux boxes running Samba) for exes to infect.

      they have different enough hierarchical architectures that something that will affect Windows one way will not affect Linux in the same way

      No idea what you mean by this. This virus claims to scan files, perform a certain operation on them if they are Windows PE executables, and a certain (different) operation if they are Linux ELF executables. I can't see any reason why this shouldn't be perfectly possible.

    2. Re:I'll believe it... by Grab · · Score: 2

      Remember, this is written in ASSEMBLER. Assembler is the level BELOW compiled code. So if you can do it in compiled code, you can do it (albeit with some difficulty!) in assembler. The file systems are different? OK then, it'll have two separate parts then, one for each OS. Not a problem, it just has to know how each file system constructs its files.

      The key thing though is that it can ONLY affect PCs. Other platforms are completely immune - they speak another language entirely (although they may crash when fed a bit of code which looks like total garbage to them). Chances are (from the article) it's specific to Intel Pentiums and above, too, so AMD may be immune as well. Interestingly, it's not really a virus either, since it doesn't attempt to provide a transmission vector to other machines - guess that's why it's just a proof-of-concept rather than an active, in-the-wild one.

      The Windows email virii have spread by being written in languages - Javascript and VBS - which are platform-independent, to get the maximum possible coverage. It's interesting that this one has managed to bust its way in by going completely in the other direction - making itself specific enough to the platform that it can work its way in. This is a real "back to basics" approach to virus-writing which hasn't been around since the early days of floppy disks.

      Grab.

    3. Re:I'll believe it... by ??? · · Score: 1


      "but a virus (not this one) could search NFS mounts or SMB shares (which, of course, could be on Linux boxes running Samba) for exes to infect."


      Yes, if you were a complete moron and shared your system binaries in such a way that they could actually be written... Principle of least privilege. Why the hell would you need to be able to write to files in /usr/bin, /usr/local/bin ... across an NFS or SMB link?

      Look. If you are vulnerable in any real way to virii like this, then you are also vulnerable to manual attacks from your users.

    4. Re:I'll believe it... by clare-ents · · Score: 2

      This could infect users on linux systems but shouldn't affect the system itself.

      I share my home directory across the network to my windows machine, which would allow my windows machine to infect my user account on the linux box. However, it wouldn't affect other users of the system unless I had write access to their files.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    5. Re:I'll believe it... by Ayende+Rahien · · Score: 1

      JS/VBS are platform independent, OS-dependent.
      Assembler is platform dependent and OS independent.
      Assembler is not below compiled code, btw. It is on the same level as compiled code.
      And what non-x86 instruction do you think that the virus would use, that make it Intel dependent? I think that it would use x86 instruction set, and thus make AMD, Cyrix, etc... also vulnerable.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  9. Virus under the GPL? by qwerty823 · · Score: 1

    The article says that the virus is licensed under the GPL, so doesn't that mean it should infect all your executables with the source code as well, since the GPL states that you should be able to get the source in the same manner that you get the binaries?

  10. Loads of people do this all the time by swb · · Score: 3

    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.

    I definitely see less-sophisticated users running a Windows and Linux combo trying out a "cool win/linux app!" that their friends sent them. God knows that a major portion of morons where I work, in SPITE of the long history of trojans/viruses/general maliciousness via email will without question run .exes they get in the mail, especially if there's any chance of seeing a little skin or some cuss-filled animation.

    1. Re:Loads of people do this all the time by GoofyBoy · · Score: 2


      Consumer versions of Windows are different from linux in that you don't have to type in a login/password on boot up. For most people, they want to avoid this.

      For linux you have to, so you might as well create other non-root users.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    2. Re:Loads of people do this all the time by skt · · Score: 1
      Well, the reason why people run as administrator so often on a windows NT/2000 machine is that Windows lacks an easy way of starting a new graphical shell on top of the existing one as an administrator. Actually, I am not even sure if this is possible...

      If I am logged into an NT machine (with a default setup) as an unprivileged user and I need to do something as an administrator, I am forced to close all of the programs I am currently in and log off/log back on as an administrator. Under Windows 2000, you can use the 'run as...' feature, but it still does not allow the user to do enough to make it a replacement for su like behavior. Since I hate logging off/logging back on just to do one little task as an administrator, I just run as an administrator all of the time on my NT/2000 machines. Maybe if Microsoft develops a GUI version of su I will switch. The command line version of su that I have tried is difficult to use as well since it is not very intuitive on how to control NT/2000 from the command line. It is so much easier in linux...

    3. Re:Loads of people do this all the time by lizrd · · Score: 2
      Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.

      This is one thing that I think is really cool about Mandrake 7.2 (a distro intended for a somewhat less tech savvy group). It is one of the few installs that I've seen that sets up additional users before finishing the install process and has the option of directly logging in a selected non-root user upon reboot directly into their window manager of choice.

      Obviously, there is some security risk associated with having the computer login for you, but it's a physical security problem and most home users probably aren't all that worried about physical security of their machines. Frankly, if someone I don't trust got into my house while I wasn't there I've got bigger problems than having them access my mp3 stash without a password.
      _____________

      --
      I don't want free as in beer. I just want free beer.
    4. Re:Loads of people do this all the time by lpp · · Score: 1
      Just as an FYI, Windows XP will have the ability to allow a user to logoff of their GUI session, but leave their apps running, and log onto a GUI session with a different user ID.

      So this would provide exactly the functionality some folks have mentioned here. Of course, that could be overkill if you could use the RUNAS command, but it does provide an alternative.
      ------------------------------------ ---

    5. Re:Loads of people do this all the time by Ayende+Rahien · · Score: 1

      It's there for a long time.

      Install Terminal Services, and you can spawn as many graphical logins as you want.

      And, of course:
      You have also runas in the GUI, Shift+Right Click.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    6. Re:Loads of people do this all the time by Tower · · Score: 1

      Ah, like a Citrix Wincenter session... see - they are getting smarter. That would be handy for quite a few things...
      --
      "It's tough to be bilingual when you get hit in the head."
    7. Re:Loads of people do this all the time by imipak · · Score: 1
      When was the last time you ran

      $ perl -e 'open(U, "/dev/urandom");while() { fork(); }

      ...on your Unix machine - as *any* user? Warning in case it's not obvious enough... this will kill your machine, unless you're a genuinely clueful admin.
      --
      If the good lord had meant me to live in Los Angeles

    8. Re:Loads of people do this all the time by Ayende+Rahien · · Score: 1

      Not sure about 2K workstation, I know that XP Pro can serve them.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    9. Re:Loads of people do this all the time by Pogue+Mahone · · Score: 1
      Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.


      Many people routinely run NT as admin simply because of the pain involved in closing everything, logging out then logging back in as admin, to do a simple admin task (and then the reverse to get back to normal user). Another example of how NT is broken by design.

      --
      Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
  11. Wasn't the first cross-platform virus... by GoofyBoy · · Score: 1


    ... the VBS/Word virus?

    Used the scripting features in all versions of Word on both Windows and Macs.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    1. Re:Wasn't the first cross-platform virus... by k_187 · · Score: 1

      kinda, but Melissa and the like can only spread through Macs, they can't do anything. Mostly because they modify the registry.

      --
      11 was a racehorse
      12 was 12
      1111 Race
      12112
    2. Re:Wasn't the first cross-platform virus... by Ayende+Rahien · · Score: 1

      But there isn't anything that stops it from doing real damage to Macs, is there?

      --
      Two witches watched two watches.
      Which witch watched which watch?
    3. Re:Wasn't the first cross-platform virus... by Philbert+Desenex · · Score: 1

      Cross platform worms have existed since at least 1988: the RTM Nov '88 Internet worm infected both Sun3 (M68020) and DEC VAX hardware. The Cornell report on that worm implies that the source code had slots for executables for other types of hardware, too.

      Shell script viruses should be pretty much cross-platform on all unix-a-like systems, too. A fellow named Keith McMillan wrote a master's thesis on how to write a cross-platform virus in TeX and Emacs.

      So, no, Word macro viruses weren't the first cross-platform anything. Just another case of a supposed MSFT "innovation" turning out to be a cheap imitation instead.

  12. at least it's gpl by int · · Score: 1

    http://benny29a.cjb.net/

  13. Use the source, Luke by mauddib~ · · Score: 2

    Why use binaries when there is the Source? Except for some non-opensoftware I am interested in, 99% of my machine works on homebuilt binaries, directly from source. Not only are these binaries optimised for my particular machine, I am also able to tweak things in the source myself.
    I have yet to see a virus which infects .c files.
    Apart from that: just take all binaries you use from sites you trust (eg. Netscape from http://www.netscape.com, Blender from http://www.blender.nl).

    --
    This is a replacement signature.
    1. Re:Use the source, Luke by Surak · · Score: 2

      You wouldn't need to infect the .c files, just the Makefile. :)

      Actually, considering all of the automated tools that are commonly used in the build process, (GNU autoconf, awk, flex, bison), I'll bet you could write a source code virus... true hackers would never be affected, but someone who just downloads the .tar.gz file and blindly types './configure && make && make install' could easily have problems. How hard is it to edit the 'configure' shell script to put a "stupid people" virus in it?

    2. Re:Use the source, Luke by Hater's+Leaving,+The · · Score: 1

      "
      I have yet to see a virus which infects .c files.
      "

      It doesn't need to - not if your C compiler is 0wn3d!

      It can happen - it was the first hypothetical virus if I remember correctly. It was probably Kernighan or Ritchie that 'invented' the idea. Refs anyone? (was posted here only a couple of weeks ago).

      THL.
      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    3. Re:Use the source, Luke by mauddib~ · · Score: 2

      Normally I don't reply to my threats I start myself but:
      This is exactly one of the reasons why package installers can be quite useful. As long as a checksum can be downloaded from a "trusted" site, the checksum from the tarballs can be compared with it, making this source trusted. As far as I know the BSD ports collection does this, and so does Debian.

      --
      This is a replacement signature.
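Added example (not part of the thread): the tarball check described above, run before `./configure`, with a mismatch and a missing checksum entry both treated as failures. The archive names and contents are constructed, and the checksum list is assumed to arrive over a channel separate from the tarball itself; the digest only proves the archive matches that list.

```python
import hashlib
import hmac
import io
import tarfile


def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            # sha256sum marks binary mode with a leading '*' on the name.
            table[parts[1].lstrip("*").strip()] = parts[0].lower()
    return table


def verify(name, data, checksum_text):
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded archive."""
    expected = parse_checksums(checksum_text).get(name)
    if expected is None:
        return "unlisted"  # a missing entry is never treated as a pass
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def make_tarball(configure_body):
    """Build a constructed .tar.gz in memory holding one 'configure' script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-1.0/configure")
        info.size = len(configure_body)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(configure_body))
    return buf.getvalue()


def demo():
    """Check a released archive, an altered copy, and an unlisted name."""
    released = make_tarball(b"#!/bin/sh\necho checking for gcc\n")
    altered = make_tarball(b"#!/bin/sh\necho checking for gcc\n# constructed extra line\n")
    # Checksum list as the maintainer would publish it (constructed).
    published = hashlib.sha256(released).hexdigest() + "  demo-1.0.tar.gz\n"
    return (
        verify("demo-1.0.tar.gz", released, published),
        verify("demo-1.0.tar.gz", altered, published),
        verify("other-2.0.tar.gz", released, published),
    )


if __name__ == "__main__":
    print(demo())
```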
    4. Re:Use the source, Luke by Palou · · Score: 1
    5. Re:Use the source, Luke by Surak · · Score: 2

      You were posting threats? Isn't that illegal? :)

      What's a trusted site? microsoft.net? :) Can you trust *any* site on the open Internet?

      While perhaps all virus writers aren't that sophisticated, that doesn't mean that there aren't any that *are*. :)

  14. Re:PE ? by blane.bramble · · Score: 1

    Portable Executable (Format)

  15. Dual Boot systems at greater risk than Linux only by FreeUser · · Score: 4

    While only an idiot runs mystery software as root on a *nix system, what happens when you dual boot into Windows to play that favorite game or run that beloved flight simulator? At this point you *are* essentially running everything as "root", and Linux filesystems are potentially just as accessible and corruptible as windows filesystems (assuming the virus is smart enough to parse the inode map, or a ext2win type driver is loaded in windows).

    The infection vector for Linux software may be more via the windows dual-boot option so many of us keep around, rather than the clueless newbie running a downloaded executable as root. If the virus author chooses a target intelligently, one which runs as root by default (for example, say, "getty" or "X"), your Linux system could well become a warren of viral activity no matter how secure the Linux portion of the configuration is.

    Using an encrypted filesystem, inaccessible under windows, might prevent this sort of contagion, but of course that wouldn't prevent the windows incarnation of the virus from simply trashing the encrypted data and destroying the Linux installation outright.

    The upshot is, if you have Windows installed on your system, and use it in any kind of promiscuous fashion (which, for an operating system as insecure as Windows must include having any kind of connection to the internet), any data anywhere on the hardware is at risk, and all the security Linux or FreeBSD offers you is for naught.

    --
    The Future of Human Evolution: Autonomy
  16. GPL'ed virus! by jjohn · · Score: 3

    W32.Winux contains internal text strings. It also contains the following text: "[Win32/Linux.Winux] multi-platform virus by Benny/29A" and "This GNU program is covered by GPL."

    It appears that the Free Software Foundation's message has finally reached the cracker community.

  17. This is going round in circles? by Hater's+Leaving,+The · · Score: 1

    "
    Spread Method : by infecting files under both Windows and Linux operating system
    "

    So it infects files by infecting them, eh?

    Come on guys, at least make it look convincing, even if it is real...

    THL.
    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  18. Linux lamers... by JavaJehova · · Score: 1

    OK, this is what we all expected, didn't we? Since Linux is by now so easy to use that even the dumbest wannabe-admin can have a go, the chance of survival for Linux-related viruses has grown by something. I'm sure there are quite a lot of people who ALWAYS log into their Linux-boxes as root because, well, it can be quite a pain not to be allowed to touch, read, change all of the files... I've seen Linux systems which were so tightly administered that they required root-rights to start a filemanager. But on the other hand, the guy working on these boxes never used an account other than root, as he didn't want to have to switch users all the time. So it goes... Even the best and most virus-proof OS fails if the operator using it is incompetent - or just lazy. I never switch on my computer - that's how I know it's virus-free :o)

  19. What worries me is... by Anonymous Coward · · Score: 3
    A cross-platform virus that is spread initially through standard Microsoft Outlook or Word but knows how to probe for weaknesses in Unix servers.

    Then it can replicate itself into every .doc file on the server, as well as root the servers for later nastiness. Yikes, makes my skin crawl just thinking about it.

    Most people focus on hardening their externally visible servers, not the ones in the back room that are invisible to the outside world. Now we've got to worry about any server reachable from anything that runs Outlook or Word.

    Arrg.

    -- ac

    1. Re:What worries me is... by Ayende+Rahien · · Score: 1

      It's quite possible to write a cross-platform virus that would spread via mail.
      VBS works on both Win32 & Mac.
      I fail to see *how* you could infect Unix servers, or any server, for that matter.
      No server that I know of runs code from the emails that it handles.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  20. I don't mind about Linux viruses by Anonymous Coward · · Score: 2

    As long as you are careful on what you exec, and you make use of wonderful tools like:
    LIDS
    Tripwire
    Logcheck
    Portsentry
    etc.
    etc.
    etc.

    You have a big chance of stopping or in the worst case, minimize the impact of many, many, many possible "linux virus" that may appear now or in the future.

    And, for your daemons, services, etc., you can always search the code for something suspicious.

    1. Re:I don't mind about Linux viruses by donutz · · Score: 1
      And, for your daemons, services, etc., you can always search the code for something suspicious.

      Not everyone is a programmer, so how are you going to know that there is something suspicious unless the virus writer takes care to thoroughly document his code? :)

      . . .

  21. Javascript by HerrGlock · · Score: 1

    Some idiots have been pestering newsgroups with javascript based posts. This is cross platform and any browser/newsgroup reader that is javascript enhanced will be stung by it. So far it's only pop-up mail and pop-up browser windows but be careful if you have javascript turned on and you read newsgroups.

    DanH
    Cav Pilot's Reference Page

    --
    Cav Pilot's Reference Page
    UNIX - Not just for Vestal Virgins anymore
    1. Re:Javascript by jandrese · · Score: 2

      Why in the world would you ever leave Javascript on for mail and news? You're practically begging to be rooted/pestered. It's just a bad idea to automatically run code from anonymous sources, even if it is supposed to be "safe". Besides, can you tell me one legitimate reason to embed Javascript in an email or news post?

      Down that path lies madness. On the other hand, the road to hell is paved with melting snowballs.

      --

      I read the internet for the articles.
  22. "Idiots" and unknown software? by Mercenary · · Score: 5

    Fair enough, claim that only "idiots" run unknown software on their box, and that because you are so 133t, you compile all software you use.

    Which proves what? That you've compiled some software, and *then* run it.

    Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm? Sure it wasn't a trojaned source you downloaded (The server could have been hacked right?)

    Just because you compiled from source, doesn't mean your newly-created binaries are therefore perfect and couldn't *possibly* contain a trojan of some sort.

    1. Re:"Idiots" and unknown software? by Omnifarious · · Score: 2

      Oh, come off it. This is an executable infector. It can only infect an executable you have 'write' permission to. This is not the uber 'it infects your compiler, and infects every program your compiler compiles thereafter' type virus. If you aren't clueless and don't download random executables from untrusted sources and run them as 'root', you should be fine.
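Two checks that follow from this comment and from the earlier one recommending Tripwire, as an added example that is not part of the thread and not Tripwire's own code: a baseline-and-compare pass that notices a modified executable, and a listing of executables a given user ID has write permission to. The directory contents are constructed; permission is judged from classic mode bits only (no ACLs), which is an assumption.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256, size, mode, uid, gid) for regular files."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root)] = (
                digest, st.st_size, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return result


def compare(baseline, current):
    """Report files added, removed, or changed in content, size, mode or owner."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def writable_by(mode, file_uid, file_gid, uid, gids):
    """Classic Unix permission check from mode bits; uid 0 can write anything."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def exposed_executables(root, uid, gids):
    """Executables under root that a process running as uid could overwrite."""
    hits = []
    for rel, (_digest, _size, mode, f_uid, f_gid) in snapshot(root).items():
        if mode & 0o111 and writable_by(mode, f_uid, f_gid, uid, gids):
            hits.append(rel)
    return sorted(hits)


def demo():
    """Build a constructed directory, baseline it, modify it, and report."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("tool", 0o755), ("shared", 0o777), ("notes.txt", 0o644)):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample: " + name.encode())
            os.chmod(path, mode)
        baseline = snapshot(root)
        owner = os.lstat(os.path.join(root, "tool")).st_uid
        with open(os.path.join(root, "tool"), "ab") as fh:
            fh.write(b" + appended bytes")  # stands in for a modified binary
        with open(os.path.join(root, "dropped"), "wb") as fh:
            fh.write(b"new file")
        diff = compare(baseline, snapshot(root))
        as_owner = exposed_executables(root, owner, ())
        as_other = exposed_executables(root, owner + 1, ())  # unrelated non-root uid
    return diff, as_owner, as_other


if __name__ == "__main__":
    print(demo())
```

A baseline only helps if it is stored where the account being checked cannot rewrite it.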

    2. Re:"Idiots" and unknown software? by Courier · · Score: 1

      So I guess PGP is going to get used a lot more, eh? So now every single piece of software I'll have to check with PGP or check the checksum to make sure it's most likely legit.. Great, what a pain in the ass.

    3. Re:"Idiots" and unknown software? by roguerez · · Score: 3
      Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm?

      What are you talking about? How do you know whether I check it or not? In fact, I run exclusively code I've compiled myself, after having read the complete code to check for security reasons.

      This has saved me a lot of trouble. On the other hand it takes some time. Since I'm very strict in this thing, I only run a very dumbed down version of MINIX of which I had to study the code for my operating system classes. I hardly use any utilities (http, smtp, news: everything can be done just fine directly over telnet).

      I am preparing to run X and KDE in the future. I estimate I'll be ready in 5 years to start compiling the code. I can hardly wait..

    4. Re:"Idiots" and unknown software? by yakfacts · · Score: 2

      This issue has worried me for some time.

      One plus is that at least a certain percentage of us examine the source of some of the programs we download, and hopefully in time any worms or trojans will be found out before they get too far.

      You do have one major advantage in building from source...your risk is lowered to include only intentional infections, and not accidental infections (which is the way most non-outlook viruses spread). The only virus I ever had on my DOS systems came from a sealed factory disk that was infected before the duplication master was made. That is where the risk comes in.

      This is a major complaint of mine with the .RPM-type binary packages. And it is unfortunate that the same people who are least familiar with Unix tend to run Red Hat (and always as root).

    5. Re:"Idiots" and unknown software? by SquadBoy · · Score: 2

      Ok I'm going to feed the troll.
      So you read all the code and compile it for security. And then you run telnet on the machine? LOL that was very funny.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    6. Re:"Idiots" and unknown software? by BuzCory · · Score: 1

      Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm? Sure it wasn't a trojaned source you downloaded (The server could have been hacked right?)

      Just because you compiled from source, doesn't mean your newly-created binaries are therefore perfect and couldn't *possibly* contain a trojan of some sort.

      No, unfortunately.

      As I have been telling my LUG for years, I don't really trust any program on my system. The list of untrusted (downloaded) programs that I run as root starts with init and includes:

      • sh (linked to zsh, not bash)
      • cat
      • ls
      • ln
      • cp
      • mv
      • X
      • du
      • head
      • ...

      Eventually, I will have (and will publish) versions of at least these (except X, and the shell) that are written in Ada, not C, and are therefore somewhat more auditable. Unfortunately, even the Ada versions will depend on a lot of C code if compiled using GNAT against the standard GNAT library.

      The closest thing to a trustable system that I ever worked on was written by some one hundred people with high security clearances. It took some 3 years to write (from scratch) and ran on an IBM 360/65I.

  23. Re:Dual Boot systems at greater risk than Linux on by bonzoesc · · Score: 2
    Fortunately, most people who dual-boot their systems between Linux and Windows are smart enough to recognize the risks involved in running viri. If you can set up two OSes to work on one computer, surely, you can install some sort of defense against viruses, be it a virus scanner, only downloading from known good sites, and other tactics. If not, then you are just asking for trouble.

    Tell me what makes you so afraid
    Of all those people you say you hate

  24. The "Primitive" Computer Language by pbur · · Score: 1

    Did anyone read the CNN article? They mention the virus is written in a "Primitive" language called assembly. Um, eventually all programs are written in this language. I just found it funny that this article seemed to be written for either the housewife at home or the executives, neither of which knows better. Being that it is in assembly, my guess is this only works on intel only architectures and you would have to be dumb to double click on an unknown file. Oh wait, that has already been proven to be a normal thing for people to do.

  25. Early April Fool by pixelix · · Score: 3

    Smells very much like an early April Fool.
    --
    jambo
    system.admin.without.a.clue

    --
    -- js.
  26. Re:True, but it is a conceptual breakthrough by Hater's+Leaving,+The · · Score: 1

    Last time I looked there were 5 known Linux viruses (including variants). None of them had t0rn as a payload, so they didn't actually do much harm, and none of them managed to propagate out of control like the recent bubble-boy onwards Windows stuff.

    THL.
    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  27. here's another Linux Virus by BroadbandBradley · · Score: 1

    #!/bin/sh
    #save this as 'thisiscool.sh' and email to everyone
    rm -rf /home/*/*.jpg
    echo thanks for running my first Virus


    it removes all your jpegs, and spreads by mean people convincing stupid people to run this shell script. this virus mostly hurts people you don't like.

    1. Re:here's another Linux Virus by donutz · · Score: 1
      better yet, redo this virus as some obfuscated perl code...that way people won't know it's gonna delete all their pr0n

      . . .

    2. Re:here's another Linux Virus by ethereal · · Score: 1
      this virus mostly hurts people you don't like.

      Well, stupid people you don't like :)

      --

      Your right to not believe: Americans United for Separation of Church and

    3. Re:here's another Linux Virus by cloudmaster · · Score: 1

      I think you mean find ~/../ -iname *.jpg -exec rm -f '{}' \; HTH

  28. Complete and utter b*ll*cks! by shippo · · Score: 1

    This is no more than an Anti-Virus software vendor getting free publicity, trying to score brownie points over their competitors.

  29. Re:True, but it is a conceptual breakthrough by Hater's+Leaving,+The · · Score: 1

    ARGH! How could I fall for a troll like that!
    The first line didn't look like a troll, and I didn't read the rest.

    Linux has never been considered a 'secure' OS. It's just not as shot through with holes as some others.

    THL.
    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  30. How does this work? by LWATCDR · · Score: 1

    How does this work? How in the name of heaven can a program be both an elf and an exe?
    If you can do this, is there the possibility to write executables that run on both Windows and Linux that are useful? I hate to say it but I have to wonder if it is a hoax of some kind.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:How does this work? by Stormie · · Score: 1

      How does this work? How in the name of heaven can a program be both an elf and an exe?

      It isn't both an elf and an exe.

      My interpretation: the initial virus is probably a PE exe, which contains both the code to be run under Windows, and the code to be run under Linux. It's all just x86 machine code, obviously, but with different syscall calling conventions. The Windows code uses win32 system calls to scan directories and open files to see if they are PE or ELF exes. The Linux code does the same, but with Linux syscalls. Both routines, however, have the same goal - to copy themselves into any ELF or PE exe they can find.

      Conceptually, this is really no different from viruses I remember from the Amiga which could infect both floppy bootblocks and executable files. It's twice as much code which needs to be spread, and half of it just lies dormant ready to be spread further, but I really don't see why so many people seem to think that this is impossible!
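How a file is recognised as PE or ELF from its header, as an added example that is not part of the thread. It reads only the magic bytes and the machine field, which is also what decides whether x86 code in the file could run on a given CPU; the sample headers are constructed byte strings, and the machine tables list only a few common values.

```python
import struct

# Small subsets of the registered machine codes, enough for the samples below.
ELF_MACHINES = {2: "SPARC", 3: "x86", 20: "PowerPC", 40: "ARM", 62: "x86-64"}
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def identify(data):
    """Classify a byte string as ELF, PE, bare MZ (DOS) or unknown."""
    if data[:4] == b"\x7fELF":
        if len(data) < 20:
            return {"format": "ELF", "error": "truncated header"}
        ei_class, ei_data = data[4], data[5]
        if ei_data not in (1, 2):
            return {"format": "ELF", "error": "invalid byte-order field"}
        order = "<" if ei_data == 1 else ">"  # multi-byte fields follow EI_DATA
        e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
        return {
            "format": "ELF",
            "bits": {1: 32, 2: 64}.get(ei_class),
            "type": ELF_TYPES.get(e_type, hex(e_type)),
            "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        }
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return {"format": "MZ", "error": "truncated DOS header"}
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
        if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"format": "MZ", "note": "no PE signature (plain DOS executable)"}
        (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
        (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
        return {
            "format": "PE",
            "machine": PE_MACHINES.get(machine, hex(machine)),
            "dll": bool(characteristics & IMAGE_FILE_DLL),
        }
    return {"format": "unknown"}


# Constructed sample headers (header bytes only, not runnable programs).
ELF_I386 = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 3)
ELF_PPC_BE = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\0" * 8 + struct.pack(">HH", 2, 20)
PE_I386 = (
    b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    + b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
)
DOS_ONLY = b"MZ" + b"\0" * 0x3E
SCRIPT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for label, blob in (("elf-i386", ELF_I386), ("elf-ppc", ELF_PPC_BE),
                        ("pe-i386", PE_I386), ("dos", DOS_ONLY), ("script", SCRIPT)):
        print(label, identify(blob))
```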

    2. Re:How does this work? by mce · · Score: 1
      I haven't seen it, but one potential answer to your question seems simple enough.

      Suppose for a start that you have an infected file. Irrespective of whether this is a PE or an ELF file, it should be obvious that this can be capable of infecting both PE and ELF files. It doesn't have to be PE/ELF to understand PE/ELF and produce a valid PE/ELF. So, once you have one infected file, it can spread across OS-es, provided that it can get hold of files to infect. The latter is easy: many people will install just about anything, and still use floppies or Zip/Jazz like drives to share stuff with friends, etc. Bootstrapping is just as easy: just start out with two versions of the virus, one in each format.

      The only minor problem is distribution via attachment, since whatever version you send out, it will only work on a subset of the machines that it reaches. But this is nothing new: it's true for all attachment based nasties and hasn't stopped any of them. Besides, it's easy to solve: just send out both versions.

    3. Re:How does this work? by osorronophris · · Score: 1

      So this would be a strictly i386 virus which wouldn't pass on to ppc, sparc, alpha, and what-not? My question is: would it actually be able to run in Linux binary emulation on my OpenBSD box?

  31. It's worse than that by Tim+C · · Score: 2

    I forget the exact details, but some bloke demonstrated a trojaned compiler that would recognise that it was compiling the source to login, and insert a back door.

    It would also recognise when it was compiling its own source, and insert the code to insert the backdoor in login...

    Read the source all you like - the ultra-paranoid cannot even trust that :-)

    Cheers,

    Tim

    1. Re:It's worse than that by bonzoesc · · Score: 2
      I guess I'll compile by hand from now on... (reads C, outputs assembly, repeats)
      New version of GNOME??? I give up.

      Tell me what makes you so afraid
      Of all those people you say you hate

    2. Re:It's worse than that by Foochar · · Score: 3

      It was Ken Thompson in an implementation of a C compiler. His paper on it can be found here.

      --
      "You can't fight in here! This is the war room" --Dr. Stra
    3. Re:It's worse than that by Geekboy(Wizard) · · Score: 2

      That is an old back door created by Ken Thompson. He disclosed it at the 1983 Turing Award lecture at ACM. http://www.tuxedo.org/~esr/jargon/html/entry/back-door.html has details.

  32. Not to be a doomsayer... by Lethyos · · Score: 2

    ...but I would venture to say that most original viruses began as a 'proof of concept.' While this is all fine and good, the code inevitably seeps out to bored, frustrated, or extreme individuals. These people waste no time incorporating some kind of malicious intent into creative code. I imagine we'll see some zealot take ahold of this, make it damage Windows machines while displaying a colorful message to Linux users like 'aren't you glad you use Linux?' Of course, this may be pushing it but how many times have we seen this progression before?

    --
    Why bother.
  33. Root? by Fervent · · Score: 2
    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Uh pretty often. I don't care too much about security, so often I do all my work in root. But then I've never gotten a virus (both on Windows and Linux side), so I'm sure I'm not as paranoid as I could be.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    1. Re:Root? by donutz · · Score: 1
      why do you need to do all your work as root anyway? with the exception of stuff like cd-burning, I don't really have any problem not being root.

      . . .

    2. Re:Root? by MikeBabcock · · Score: 2

      Running as root is entirely unnecessary if you change permissions on your system properly. Add write access to members of the root group to directories, etc. and add your user account to that group. You can give yourself write access to /usr/local/* and then install all the software you want as yourself, etc. without the ability to trash your system with an rm -rf /

      --
      - Michael T. Babcock (Yes, I blog)
    3. Re:Root? by VB · · Score: 1

      Can't wait 'til they port Outlook to Linux for your RH system. Anyone ever heard of sudo? Nah, that sounds too hard.

      Linux rocks!!! www.dedserius.com

      --
      www.dedserius.com
      VB != VisualBasic
    4. Re:Root? by Fervent · · Score: 2

      Matter of convenience. Don't like typing root's password all the time.

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    5. Re:Root? by Fervent · · Score: 2

      But you see I DON'T CARE. I have no belief whatsoever that anyone would ever hack my machine (this is not security through obscurity -- it's security through practical knowledge). It is not hooked into the internet at all. I use it only as a development system.

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    6. Re:Root? by Fervent · · Score: 2
      Once again, I DON'T CARE. And I'm already using Outlook on the Windows side which -- surprise, surprise -- can be made more secure by turning off some features. Similar to the features you "turn off" when you run as a normal user.

      As I said, the system's not on the net. I have no personal data on it. It's a development system, and for that reason I could care less about running as a "regular user".

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    7. Re:Root? by anonymous+moderator · · Score: 1

      There are more than security reasons for not running as root, however.

      I know that, while running as a user, on several occasions I have made a typo in a command / typed something into a wrong window / accidentally pasted a heap of text into a shell terminal / just got confused / whatever... that would have been disastrous if I were running as root.

      The fact that it started spewing permission denied when what I wanted it to do didn't have such a problem tips me off to a potential problem.

    8. Re:Root? by MikeBabcock · · Score: 2

      I'm not talking about hacking. I didn't mention people hacking into your system. I was talking about you not doing something stupid to your own computer because you decided to establish good rules for your user account to prevent idiocy. If you're perfect, feel free to ignore this conventional wisdom. If you're human, like me, you'll find not being able to run "rm -rf .*" a blessing when you do something like that by accident.

      --
      - Michael T. Babcock (Yes, I blog)
    9. Re:Root? by MikeBabcock · · Score: 2

      I don't think you understand. Those of us with correctly set security settings on our machines don't _need_ to type root's password to do our day to day work. I don't need a root password to install or remove software from my computer. I don't need root's password to burn CDs or to rip MP3s or watch video full screen. I don't need root access to do almost anything on my computer. I therefore am not in the (bad) habit of logging in as root on any computer. If it's something I need to log in as root to do, the amount of time it takes me to type in the root password (which is probably my password if the computer is as insecure as you describe) is time spent deciding if it's something I should be doing that way.

      You've described laziness, not convenience. You may be happy with that, but there are alternatives that require very little more thought or effort.

      --
      - Michael T. Babcock (Yes, I blog)
  34. Re:PE ? by donutz · · Score: 1
    troll? o c'mon, don't be so paranoid. i'm not an msce either, and I don't know what it is....and it does sound like something an msce should know....doesn't it?

    . . .

  35. The key phrase was "root" by dissipative_struct · · Score: 1

    I believe he said only idiots run unknown software as root on a *nix machine, and I tend to agree. You shouldn't be logged in as root, even on your own box, unless you really need to be.

  36. ELF? by jonasson · · Score: 1

    I think it's time to go back to a.out binaries. Who's with me?

    1. Re:ELF? by ozzmosis · · Score: 1

      why?

  37. Re:Dual Boot systems at greater risk than Linux on by Anonymous Coward · · Score: 3

    Only one problem I see with this logic. When in windows, can you see an ext2 partition on the same drive? NOPE! Windows can't see ext2. The more dangerous one would be if you were logged in as root with your windows drives mounted. Then, you'd infect both partitions. So, if you're in windows and get it, not a huge deal. You'd only lose Windows stuff. Personally, I can't see WHY someone would want to write a virus, especially one for Linux since anyone who knows anything about Linux will figure out WHY it's not a good idea to do certain things as root. It only takes one fug up and you will remember that for the rest of your life as you kick it in your head while watching your filesystem go bye bye!! :)

  38. Re:Four Words... by Valdrax · · Score: 4

    You know that there have been Mac viruses before. There's about 40-50 or so non-Word macro viruses. The reason you don't see as many of them is that the Mac hasn't been as friendly to casual programmers as DOS and Windows have been, and the market penetration is lower. Thus, there are less people messing around with non-professional programming on the Mac who would get the virus-writing urge. Its lack of market penetration has also made it less desirable of a target.

    There is no inherent safety to the Classic Mac OS that prevents viruses at all. In fact, the use of shared global memory resources, nonexistent memory protection, and nearly nonexistent file protection makes it very unsafe. It's just secured by obscurity.

    Mac OS X will have all the same strengths and weaknesses of a UNIX system. Unfortunately, the UNIX layer makes basic worm and virus writing easier since the APIs are better known by more people. It won't be long until the first Mac OS X viruses begin propagating. I don't think we'll ever reach the level of DOS/Windows in its heyday, but don't kid yourself into thinking that the Mac is, has been, or ever will be completely immune from rogue code on the system.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  39. Re:SOME BLOKE?! by Tim+C · · Score: 2

    Hey, I meant no disrespect - it was merely that my lack-of-sleep addled brain couldn't remember his name :-)

    Cheers,

    Tim

  40. There's one big difference by BlueBlade · · Score: 1

    I dual-boot between linux and Windows 2000 on my machine, true. And I also run as an admin equiv on my Windows 2000 machine. It doesn't mean that I run as root when I boot in linux. I don't know if you've used Windows NT/2000 extensively, but LOADS of stuff require admin access. And this isn't like *NIX OSes: you can't just su or switch to another console to perform a task as an administrator, you have to do a full log-off (closing all programs you were working with) and then log back on.

    This is why I think that the multi-user model of WinNT/2000 is flawed somewhat. It doesn't give any easy way to log on with more than one user at the same time. See how awkward it is: let's suppose I want to do some db profiling. So I log as my sub-admin user, I start to code, do some tests. Now suppose I want to restart the mySQL service. I'm screwed. I have to close everything I was working on, log-off, log back on as an admin, log-off, log back as my user and restart every program. Ooooh. Just wonderful. So, sorry, but I'll keep running Windows 2000 with an admin-equiv account.

    --
    Religion is the best example of mass psychosis
    1. Re:There's one big difference by MrBogus · · Score: 2

      I've been running pretty successfully as a Power User on NT4/5 for a number of years now.

      Big hint: use the RUNAS command (shift-rightclick), and NT4 had a similar facility on the resource kit cd. This will work for every thing but explorer.exe

      Really, the medium-privilege Power User login is pretty useful. You can stop-start services (such as mySQL). You can install programs that were designed for W2K into your personal space. There's also some privilege-escalation bugs, so I'd love to run as a plain ol' User, but certain software (ahhm - Netscape) doesn't like those file permissions.

      --

      When I hear the word 'innovation', I reach for my pistol.
    2. Re:There's one big difference by Ayende+Rahien · · Score: 1

      Runas command from the CLI.
      Shift+Right Click from the GUI
      Both give you the equivalent of su in windows.
      Tip: runas /user:administrator cmd
      will open a new shell window that will give you admin privileges.

      I would also suggest you install Terminal Services, which I find easier to use than runas. (Avoids the confusion: what are my windows, and what are the other user's windows.)

      --
      Two witches watched two watches.
      Which witch watched which watch?
    3. Re:There's one big difference by Ayende+Rahien · · Score: 1

      I run as user, and I've programs that require file access that can't be (normally) run as User. (Babylon, Getright, SmartFTP, etc)
      What I do, is give users access to their directory, and all is well.
      Why can't you do the same with Netscape?

      --
      Two witches watched two watches.
      Which witch watched which watch?
    4. Re:There's one big difference by MrBogus · · Score: 1

      I've read that it's some deep registry thing. People have gotten it to run as User, but only by using a monitor to keep track of reg and file access and then make dozens of modifications.

      I just haven't bothered to do this, and can't find a howto. Mozilla appears to have fixed the problem.

      --

      When I hear the word 'innovation', I reach for my pistol.
    5. Re:There's one big difference by Ayende+Rahien · · Score: 1

      You can assign permissions to the registry as well.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    6. Re:There's one big difference by swb · · Score: 1

      There's no Win2K Pro version of TS. I wish there was a single-user version of this, it would make a LOT of things much more simple.

    7. Re:There's one big difference by Ayende+Rahien · · Score: 1

      There is for XP Pro (I'm not sure if it's single user or not, though).

      --
      Two witches watched two watches.
      Which witch watched which watch?
    8. Re:There's one big difference by MrBogus · · Score: 1

      Late reply, but yes, registry permissions are the main problem with Netscape 4 as an unprivileged user. (It will not launch even if you are running on FAT.)

      --

      When I hear the word 'innovation', I reach for my pistol.
  41. Is this Dangerous? by RossyB · · Score: 1

    I don't even think that dual-boot systems are at risk from viri like this.

    Yes, this virus knows how to infect PE and ELF executables. But it cannot read ext2 file systems. How many people run Windows and Linux on the same machine, but run Linux binaries from a FAT partition? There are people using UMSDOS, but they are the minority as UMSDOS is sooo slow.

    So yes, nice proof of concept but once it can read ext2 we'll have something to worry about (i.e. the security won't be enforced by the virus, will it)

  42. **VOMMIT** by selectspec · · Score: 1

    Give me a break. Since when did opening an email, saving an attached executable to disk, and executing said executable get labelled "virus"? This is absurd. I could write an executable that would bring down any OS that you can think of if some user is stupid enough to execute it on their machine. Why slashdot encourages this sort of ludicrous banter is beyond me.

    --

    Someone you trust is one of us.

  43. Not cross-platform by rjamestaylor · · Score: 1
    When I read the report last night I was looking for some hint as to what common mechanism between Windows and Linux provided the vehicle for this virus. Then, at the end of the article I read, it was disclosed that the virus was written in assembly language.

    So, it's not a cross-platform virus after all. It's an x86 platform virus and bypasses the operating system altogether.

    --
    -- @rjamestaylor on Ello
  44. Virus Design Document Excerpt by fizban · · Score: 1
    Virus Pseudo-Code:

    #ifdef _WIN32

    • Smack some bitch-ass
    #else
    • Troll like there's no tomorrow
    #endif

    --

    +1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.

  45. Re:Dual Boot systems at greater risk than Linux on by Nickoty · · Score: 1

    Of course, since you are smart enough not to run unknown binaries in unix as root, you are also smart enough to not run windows binaries as administrator, and thus this problem goes away.

    --


    -- Cure for Cancer instead of SETI! (only w32 yet - mail and beg)
  46. Re:Dual Boot systems at greater risk than Linux on by bonzoesc · · Score: 3
    (moderators - kick the parent AC up)

    You can see an ext2 partition on the drive - Windows doesn't have the built in tools to parse the stream of data as a filesystem, but it is possible to write a win9x program to directly read the disk and interpret the filesystem for itself. In WinNT, there are third-party drivers to read ext2 partitions just like another mount.

    Tell me what makes you so afraid
    Of all those people you say you hate

  47. Re: Running as non-admin on W2k by AlanStokes · · Score: 2

    NT definitely had this problem, but Win2k seems to have solved it (mostly). I used to run as an admin on NT 4, but now I run as a power user on Win2k. The "RUNAS" command line tool lets me do exactly what you suggest - run a command as another user, ie the local admin. (And it lets you run a new shell if you want too.)

    There's also the massively non-obvious-but-documented-if-you-know-where-to-look feature that if you hold down shift while right-clicking a program (or something like that) the Explorer will let you do a run as.

    --
    - Alan
  48. GPL issue for Virus by DarkMan · · Score: 3

    Slightly OT, but just had a thought.

    You're not allowed to redistribute a GPL program, unless you agree to the license (Basic copyright).

    If you redistribute a GPL'd binary, you have to (at least) have the source available freely, to those who you pass the binary on to.

    Does this mean that if I infect someone with the virus (deliberately), I must give them the source, on request? (Answer: Yes)

    What if I give them the binary, unwittingly?

    What if I intend to give them a different program (e.g. xbill) that is infected. The source is requested, then I give them the xbill source. But that's not the source for the binary - does this mean the GPL cannot be upheld in this circumstance?

    Extremely icy ground, and probably best handled by lawyers, (one of which I am not), but even so, food for thought.

    Stuey!
    --

    1. Re:GPL issue for Virus by chipuni · · Score: 2
      According to the Wired article,
      In a rather twisted mockery of open source spirit, the original virus code is then stored at the end of the ELF executable.

      Of course, the next question is whether a virus could fall under the GPL. According to the GPL, it seems to only miss -one- detail:

      Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
      1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

      Since the virus comes with its own source code, and it includes its copyright notice, and it has a notice that refers to the GPL license... I'd say it comes very close to fulfilling the GPL. If it contained a copy of the GPL as part of its payload, in my opinion, it would fully be part of the GPL.

      --
      Never play leapfrog with a unicorn. Or a juggernaut.
    2. Re:GPL issue for Virus by Black+Parrot · · Score: 2

      > Does this mean that if I infect someone with the virus (deliberately), I must give them the source, on request? (Answer: Yes)

      I make sure all my viruses write their source to each partition after deleting everything else there. Wouldn't want to get in trouble for a license violation.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:GPL issue for Virus by Saint+Nobody · · Score: 2

      Redistribution is one legal issue with this, but hardly the only one. You can't redistribute the binary version of GPL code linked to non-free code.

      so, then what's linking? does inserting the virus into the binary file count as linking it? if so, you can't give anyone your newly-infected program that's binary-redistributable. it's linked to GPL code and doing so would violate the license on the virus.

      honestly, is there any point at all to even having a license on a virus? especially the GPL, which has all sorts of bizarre legal quirks that merely propagating the virus would violate.

      on top of all of that, we need to think of the effects of this on the legal standing of the GPL. this can only serve to discredit it, for several reasons. first, it's a virus. almost nobody respects virus authors, and especially not non-technical judges and juries. this gives the GPL a sort of guilt by association for some people. second, there's no way the author could have possibly expected anybody to obey the terms of the GPL in redistributing the virus. in essence, it's meaningless. that intended meaninglessness also detracts from the credibility of the GPL, at least in this instance.

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  49. Re:Dual Boot systems at greater risk than Linux on by MrBogus · · Score: 2

    Furthermore it's probably quite possible to have an Administrator-enabled NT trojan that uses the disk manager API to search for and destroy ext2 partitions.

    --

    When I hear the word 'innovation', I reach for my pistol.
  50. Central Command to the Rescue? by powderhound · · Score: 1
    After reading the Central Command press release, I went to my favorite virus site, Sophos. They have a more interesting take on the situation:
    "Despite some media reports the virus is far from sophisticated," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Interest in the virus has been generated by an anti-virus vendor issuing a press release about it - rather than any genuine threat."
    Maybe Central Command is just trying to generate more sales revenue.

    --

    Microsoft, taking the Language out of HTML and the Expert out of JPEG
  51. Question by WildBeast · · Score: 1

    What or who is root ?

    1. Re:Question by Mr+Windows · · Score: 1
      > What or who is root ?

      I am,

      root

  52. Next generation of AMD processors. by Dwain_Snyders · · Score: 1

    The stuff that we're busy writing the preprocessing code for is truly out of this world. It'll make the PPC look sick and will be in test-phase before the IA64 is out.

    To name some of the features, it will use VLIW technology (I am currently working on optimized compilers for firmware code for the new VLIW-based processing engines) and the lithography techniques used will be the first of the new-generation of that technology. (Intel will bring out a new chip based on it too, but not before AMD).

    PPC RISC chips were good in their day, but are being overtaken by other technologies and in the future will become almost irrelevant.

    --

    2DUP * ;

  53. Benny/29a the author of the virus by onepoint · · Score: 1

    The author of the virus is Benny/29A. This is based on the text within the virus and the virus company report. I did a quick search on google.com and came up with this person's background and an interview.

    Interview is at http://vx.netlux.org/lib/iv001.html

    ONEPOINT



    spambait e-mail
    my web site artistcorner.tv hip-hop news
    please help me make it better

    --
    if you see me, smile and say hello.
  54. most portable virus by jonis · · Score: 2

    --
    I'm a signature virus. Please put me in your .signature to help me spread.

  55. Re:Four Words... by molog · · Score: 2
    Unlike Windows and Linux, we have more than one Word Processor worth using.

    What? Linux only has one word processor? Let's see, there is the word processor that comes with Applixware, StarOffice, WordPerfect, Abiword and maybe some others I don't know about. You talk as though MS Word was available for Linux.

    As for MacOS X being vulnerable to virii, it has been out for over 8 months

    The previous poster's point was twofold. First the system with the larger installed base will tend to have more virus writers focused on it. It may have been out for 8 months but only in Beta. It hasn't been officially released. Most using it are professional programmers and people just trying it out. That is not enough to attract the attention of virus writers.

    If MacOS X is so completely unimmune from viruses, lets see how many show up in the next year compared to Linux or Windows.

    Well I haven't seen a virus worth talking about on Linux. Ever. The virus can only do real damage if the user was running as root or if it takes advantage of a security hole but you can bet that the security hole would be fixed making that virus worthless. Windows will always have viri. You can bet on it. Linux might end up with some viri written for it that affect stupid users but the only reason why Linux would have a virus written for it before the Mac would be because it would have a larger installed base. If MacOS X does achieve success then you could be unpleasantly surprised.

    You waste your time, with the x86

    Who said Linux only ran on x86?
    Molog

    So Linus, what are we doing tonight?

    --
    So Linus, what are we going to do tonight?
    The same thing we do every night Tux. Try to take over the world!
  56. Linux users are naive about viruses by djroute66 · · Score: 1

    Oh yeah, I love how people say "Viruses won't affect us, unless you run as root!" Are you telling me, then, that a virus that deleted every file on your filesystem that was owned by your UID or GID would not be annoying? On my webserver all my important files are of course owned either by me or my group, and if a 'virus' or 'malicious script' erased all those files or tampered with them I would be pissed. It doesn't take root access to cause some kind of damage.

    1. Re:Linux users are naive about viruses by cyber-vandal · · Score: 2

      It would be very annoying, but not as annoying as having to completely reinstall the OS and all the software after a virus hoses some vital DLLs

  57. Re:Dual Boot systems at greater risk than Linux on by taniwha · · Score: 1

    why bother cracking it? - you're running in windows, you have access to the raw ext2 root partition, just install that login trojan that phones home with the ip/password :-(

  58. GPL'ed Your Programs by WolfDeusEx · · Score: 1
    Doesn't the GPL say that code that is linked to (in a program) GPLed code must fall under the GPL? Therefore, if this virus infects an MS Word binary, doesn't that mean that the MS Word source code is under the GPL?


    Urrm, I think I will load windows, find the virus and infect every program I can get my hands on and then ask the respective authors for the source. Thank you crackers, for once you did something useful.


    Yes Yes. Your check is in the post

    Mark Hillary

    --
    Shoot me
  59. Re:Dual Boot systems at greater risk than Linux on by Some+Dumbass... · · Score: 1

    Fair enough, but this has nothing to do with the original claim that Linux files could be infected by running this program in Windows. They can't. Although there are special programs to read ext2 under Windows (don't know about ReiserFS, which is what I use) I would assume that the virus uses standard W32 system calls. There are no standard system calls which allow access to the ext2 filesystem. So unless the virus itself has code in it allowing it to understand the ext2 filesystem from within Windows, it can't spread between partitions.

  60. Re:Dual Boot systems at greater risk than Linux on by Erasmus+Darwin · · Score: 2
    The more dangerous one would be if you were logged in as root with your windows drives mounted.

    Why root? On an "everyday" system that has a lot of data crossing between Windows and Linux, it makes sense to give your regular user account read/write access to at least one Windows partition (as opposed to having to su to root every single time you want to copy a file). Out of convenience/laziness/whatever, this'll usually wind up resulting in read/write access to all the Windows partitions.

    Ideally, I'd be able to specify read/write access to data and read-only access to the directories with program files. But between the fact that it's a VFAT partition and the fact that Windows likes to mix data, programs, and all sorts of other crap together, the grief would easily exceed the value.

  61. Re:Dual Boot systems at greater risk than Linux on by FreeUser · · Score: 2

    Fair enough, but this has nothing to do with the original claim that Linux files could be infected by running this program in Windows. They can't.

    This isn't true. Linux files can be infected from windows, if you load a utility which allows you access to the extended 2 filesystem. And yes, there are such utilities available for windows.

    If the files can be accessed, they can be modified, which means they can be infected. If you reread my original post you will notice that I refer to exactly such a utility (though the precise name escapes me ... it's been over a year since I've messed around with it).

    --
    The Future of Human Evolution: Autonomy
  62. Re:Dual Boot systems at greater risk than Linux on by Ayende+Rahien · · Score: 1

    Where can I get those drivers?
    I would like to try them.

    --
    Two witches watched two watches.
    Which witch watched which watch?
  63. Virus by Ravn0s · · Score: 1

    Everyone seems to be that this is a virus that isn't really aimed at linux or win32... it's a worm written in assembly that only affects Intel Processors. Sun, Apple, and even your AMD processor machine are all safe. - The Ravnos **THIS SIG FOR SALE**

    --
    Kyndar: Exotic Imports, Jewelry, Candles, and Incense http://www.kyndar.com
  64. Re:Four Words... by ShayAllen · · Score: 1

    Dude, please shut up! You obviously have NO IDEA what you are talking about, AC! The bottom line is that whatever OS is the most popular will have more virii...the one exception might be Windows/DOS, because it is so easy to write effective virii for this platform.

    --
    "Who ever heard of a suitcase being dominated by minds from an alien star-system?" -- Philip K. Dick
  65. Re:True, but it is a conceptual breakthrough by hedgefrog · · Score: 1
    ARGH! How could I fall for a troll like that!

    I don't know, I thought it was a fairly good troll.
    /. Needs a +1 troll moderation category.

    --

    I lost my copy of the green golf ball joke can anyone find it for me?
  66. Re:Four Words... by Ayende+Rahien · · Score: 1

    Can you show me the virus that can affect a well-managed NT/2K/XP system more than it will an equally well-managed *nix system?

    --
    Two witches watched two watches.
    Which witch watched which watch?
  67. C'mon people !!! by sofar · · Score: 1



    Well, something smells terrible here, anybody forgotten that April 1 is approaching? I wouldn't be surprised if this was some nicely-worked out prank!

    BTW, a very nicely worked out prank!!!

  68. Re:Four Words... by molog · · Score: 2
    Good point. I was referring mainly to the 9x branch, sorry for not making the distinction. Although with stuff like macro viri hitting Outlook it is easier for propagation on an NT system.
    Molog

    So Linus, what are we doing tonight?

    --
    So Linus, what are we going to do tonight?
    The same thing we do every night Tux. Try to take over the world!
  69. Re:Dual Boot systems at greater risk than Linux on by MikeBabcock · · Score: 2

    Dual-booting is the first thing that came to mind reading the editorial comment (could Slashdot editors do less of that -- they're often less than intelligent comments).

    If you dual-boot and mount your fat partitions from within Linux, it would infect your executables there.

    --
    - Michael T. Babcock (Yes, I blog)
  70. Re:Dual Boot systems at greater risk than Linux on by bonzoesc · · Score: 2
    From readme file:
    Ext2 0.04 for NT4 read-write

    Primary site: http://www.chat.ru/~ashedel

    (Link added)

    Tell me what makes you so afraid
    Of all those people you say you hate

  71. Un-American Hippie Commie Virus-Writing Nazis! by glindsey · · Score: 1
    From the Reuters newsfeed:
    The W32.Winux virus is written in a primitive computer language called 'assembly language', which is what allows it to infect either Windows or Linux programs, Peer said.
    I move we immediately introduce legislation to block this "assembly language" thing. It sounds Un-American (tm), could lead to pirating of intellectual property, and somebody has to think of the children...
  72. Do the homework. by Bender+Unit+22 · · Score: 1

    The reason vira still spread so well is that there are a lot of people in the world using computers without having much knowledge about them. That is not a bad thing, but it requires that the people who have the knowledge and power (admins) do their work.
    The reason it spreads well on Windooze compared to Linux is not just because it's easy (Outlook etc.), but because not many people without much computer knowledge use Linux. It's more likely that they will use Windows, and they can't see the consequences of their actions, like clicking on an exe file in their mail.
    Then there is the reason about administrators not paying proper attention to their mail system. It's not that hard to protect your Exchange mailserver. Install a virus email scanner and deny attachments that could contain a virus (exe, vbs etc.). In my work as a network consultant I see many places where they don't take the few easy steps to shut these simple holes.
    So what if the users can't receive a VBS file. EXE files should be denied too. If they really want to email an EXE file (or receive one) and they don't have the knowledge to find a way to send it anyway (zip it, whatever), they should ask someone who knows a bit more about computers.
    You will always get the standard excuses when you come to clean up their mail server, like too much work and "I've just started working here". Granted, the high frequency of job rotation in the IT sector is a problem, with people not knowing everything about the system they administrate. I just don't accept the "too busy" excuse. You know that the world will see an email virus explode at least once every year. So stay at work until midnight one day to check if your system is protected, and if not then figure out how to secure it. It's a lot better than having to work all night to weed out the problem when you are attacked. As an extra bonus, you'll avoid angry users thinking you are an idiot.

    --------

  73. Re:Dual Boot systems at greater risk than Linux on by FreeUser · · Score: 2

    There is at least one utility I know of which allows read/write access to ext2 filesystems from within windows. My point stands ... any security you think you may have gained by running Linux or FreeBSD is completely circumvented the moment you boot windows, whether the offending program makes use of an ext2 tool under windows to infect Linux files (for example) or simply trashes the Linux partition.

    Either way your secure operating system has been successfully attacked, and the attack vector which bypasses said security is in fact running an insecure operating system via dual boot on the same hardware.

    As an unrelated aside (unrelated to your post, that is), I find it interesting that someone moderated my post down as "flamebait" for pointing out a well documented security risk. Looks like some MS minions are exercising their moderator privileges today.

    --
    The Future of Human Evolution: Autonomy
  74. Re:Troll by MakeTheBadManStop!!! · · Score: 1

    *Smack* Pitr is root.

    --
    Jon Katz - the worlds biggest waste of time and bandwith.
  75. This sounds like hogwash. by Auckerman · · Score: 2
    Last time I checked, none of the Windows/Linux native filesystems support Fat binaries, neither of the OSs support anything like packages (ie, OS X style), in fact I can think of NO WAY for a single file to have two executables (one for Windows and one for Linux) on either of these OSs. Therefore this can't be a binary.

    Since the scripting languages for each OS are totally different (with the exception of software that supports Javascript and other web compliant software) from one another (perl,awk,sed,bash, vs. ActiveX and its sister "technologies"), I can think of no way that a script can infect both systems, especially since it infects other files "in the same folder".

    This just looks like one big prank leading up to April Fools, people. Has anyone even heard of this company?

    --

    Burn Hollywood Burn
    1. Re:This sounds like hogwash. by malaire · · Score: 1
      It could be *2* different binaries, one for each system.

      Virus has both binaries as payload. When it infects windows files, windows binary is used as 'main binary' and both binaries are added to file as payload.

      When infecting linux files this is reversed: Linux binary is used as 'main binary' and then both binaries are added to that as payload.
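
For anyone triaging files against the layout described in this sub-thread (one native image carrying the other platform's image as data), the following is an added example and not part of the original thread or of any vendor's scanner. It flags an ELF file that contains a validated PE image or bytes past everything its headers account for, and a PE file that contains an ELF identification block; the sample bytes and the function names are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # section type that takes up no bytes in the file

# struct layouts that follow the 16-byte e_ident: (ELF header, program header, section header)
LAYOUTS = {
    1: ("HHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII"),  # ELFCLASS32
    2: ("HHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ"),  # ELFCLASS64
}


def is_elf_at(data, pos):
    """True if `pos` starts a plausible e_ident: magic, class 1/2, data encoding 1/2, version 1."""
    ident = data[pos:pos + 7]
    return (len(ident) == 7 and ident[:4] == ELF_MAGIC
            and ident[4] in (1, 2) and ident[5] in (1, 2) and ident[6] == 1)


def is_pe_at(data, pos):
    """True if a DOS header at `pos` points (e_lfanew at +0x3C) at the 4-byte PE signature."""
    if data[pos:pos + 2] != b"MZ" or pos + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
    return data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0"


def find_all(data, magic, check):
    """Offsets of every occurrence of `magic` that also passes `check(data, offset)`."""
    hits, pos = [], data.find(magic)
    while pos != -1:
        if check(data, pos):
            hits.append(pos)
        pos = data.find(magic, pos + 1)
    return hits


def elf_accounted_end(data):
    """Highest file offset that the ELF headers, segments and sections account for."""
    if not is_elf_at(data, 0) or len(data) < 16:
        raise ValueError("not an ELF image")
    order = "<" if data[5] == 1 else ">"
    eh_fmt, ph_fmt, sh_fmt = (order + fmt for fmt in LAYOUTS[data[4]])
    try:
        (_, _, _, _, phoff, shoff, _, ehsize,
         phentsize, phnum, shentsize, shnum, _) = struct.unpack_from(eh_fmt, data, 16)
        end = max(ehsize, phoff + phentsize * phnum, shoff + shentsize * shnum)
        for i in range(phnum):
            ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
            # p_offset/p_filesz are fields 1 and 4 in ELF32, 2 and 5 in ELF64
            off, filesz = (ph[1], ph[4]) if data[4] == 1 else (ph[2], ph[5])
            end = max(end, off + filesz)
        for i in range(shnum):
            sh = struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
            if sh[1] != SHT_NOBITS:
                end = max(end, sh[4] + sh[5])  # sh_offset + sh_size
    except struct.error:
        raise ValueError("truncated ELF image") from None
    return end


def inspect_image(data):
    """Report container format, foreign executable images inside it, and ELF trailing bytes."""
    report = {"format": "unknown", "foreign": [], "overlay": 0}
    if is_elf_at(data, 0):
        report.update(format="elf", foreign=find_all(data, b"MZ", is_pe_at),
                      overlay=max(0, len(data) - elf_accounted_end(data)))
    elif is_pe_at(data, 0):
        report.update(format="pe", foreign=find_all(data, ELF_MAGIC, is_elf_at))
    return report


def _sample_elf(code=b"\x90" * 16):
    # Constructed ELF32 little-endian image: header, one PT_LOAD segment, no sections
    ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\0" * 9
    size = 52 + 32 + len(code)
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048054, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", 1, 0, 0x08048000, 0x08048000, size, size, 5, 0x1000)
    return ident + ehdr + phdr + code


def _sample_pe():
    # Constructed PE stub: 64-byte DOS header whose e_lfanew points at the signature
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20


SAMPLE_CLEAN = _sample_elf()
SAMPLE_ELF_CARRIER = _sample_elf() + _sample_pe()   # PE image appended to an ELF file
SAMPLE_PE_CARRIER = _sample_pe() + _sample_elf()    # ELF image appended to a PE file

if __name__ == "__main__":
    for name in ("SAMPLE_CLEAN", "SAMPLE_ELF_CARRIER", "SAMPLE_PE_CARRIER"):
        print(name, inspect_image(globals()[name]))
```

Trailing bytes on an ELF file are a triage signal rather than proof of infection, since some legitimate tools also append data to executables.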

  76. Re:Dual Boot systems at greater risk than Linux on by MrBogus · · Score: 1

    Doesn't Linux fix the kernel at some known place on the filesystem (known to LILO anyway)?

    If so, it might be possible to trojan the Linux kernel from a dual-boot system without any specific knowledge of the filesystem layout.

    Yeah, it's a stretch - but the point is that any dual-boot system is by definition less secure than a single OS installation.

    --

    When I hear the word 'innovation', I reach for my pistol.
  77. Can you say "Samba"? by BeBoxer · · Score: 2

    Actually, Samba does an excellent job of making ext2 partitions available to Windows. In fact, that is its primary purpose. I myself became quite familiar with it when one of our users ran the Plan Columbia VB worm on their Win98 desktop and promptly nuked every JPEG file on our Solaris web server.

    True, only a moron would let Samba users mount /bin or something equally sensitive. But, don't pretend that Windows machines having access to files on a Linux system is anything but a common occurrence. It would be quite easy to, for example, infect any files in your ~/bin/ directory via a Samba mount.

  78. Re:Dual Boot systems at greater risk than Linux on by smillie · · Score: 1

    It's not all that tough to write a program to read ext2. I had a disk get corrupted once and Norton Disk Doctor said nothing was salvageable at all. So I wrote a simple program to do bios calls to read the disk one sector at a time. Bios calls don't care what type of file system is on the disk. The calling program has to figure out whether they are looking at a dir or file or whatever. It wouldn't have taken much to have the program also write using bios calls. The simplest way to write an infected file would be to look for a known file that is larger than the one you want to write, then just overwrite the existing one.

    --

    Dyslexics Untie!

  79. Smells like shit. by Octal · · Score: 2

    This all reeks of a publicity stunt or something. First off, the avx page has little to no information about how the virus is spread in Linux, yet gives specific APIs for windows. Also, the fix is windows-only. Then, there's a fix at avx last night, when the story breaks. By this morning, CERT and McAfee have still not heard of the virus. Although benny/29A seems to exist, the needle of my bullshit meter is rising upwards.

    1. Re:Smells like shit. by numo · · Score: 1

      A virus expert (one of the makers of the antivirus software AVG) whom I have never seen f2f but whom I know for 10 years from the Czech & Slovak FIDO network confirmed that it exists. He also added that we can expect to see many more press articles regarding the virus than actual instances of it :-) So as the title says, don't panic. The author is a 19-year-old student and apparently all he wants is publicity (how many of you hit the news at 19? :-))

  80. Re:Dual Boot systems at greater risk than Linux on by mce · · Score: 1
    Not really. I know several people of the "technical manager" variety who can (and do) use a dual boot portable both ways, but who are not at all capable of setting it up or understanding all the consequences.

    We have a number of dual boot portables with NT for the pointyhairs to use for whatever they do "normally" and Linux for them to use when demonstrating our products. These machines are originally installed by our computer support group (and thus have virus scanners and all that), but how are these guys supposed to update the virus scanner in time if a machine is collecting more frequent flyer miles in one year than an average employee in a lifetime?

    --

  81. Mod this up! by GoofyBoy · · Score: 2


    If I was moderating I would.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  82. Re:Dual Boot systems at greater risk than Linux on by Nickoty · · Score: 1

    yes, and if you don't run as root in unix you're likely to know you shouldn't do so in NT, either.

    --


    -- Cure for Cancer instead of SETI! (only w32 yet - mail and beg)
  83. My UNIX lesson (OT) by DrCode · · Score: 1
    Fortunately, I didn't do this as root:

    When first learning Unix on a VAX, I was really impressed that one could have filenames with spaces. So I created a few. But, not knowing about quoted names, I couldn't delete them. I had, however, learned about wildcarding, so, very cleverly, typed:

    "rm * *"

  84. You read the source? by DrCode · · Score: 1
    What if a virus or trojan gets past you when you're tired?

    I write every piece of software I run on my machine. I, too, am prepared to run X, and hope to have an implementation done next week.

    1. Re:You read the source? by Steeltoe · · Score: 1

      How can you be sure you don't go all crazy and put trojans in yourself? You should never run anything. You'd probably be a happier person too ;)

      - Steeltoe

  85. Re:first infection. by rpc · · Score: 1

    Once compiled, the machine code can simply be inserted into the payload as data. Yes, the Linux code must have been compiled on Linux, and the Win32 code on win32. But once you have the actual bytes of the machine code, you can relocate it anywhere you want. This isn't anything new to buffer overflow exploit writers.

  86. That is why... by cr0sh · · Score: 2

    ...you run a backup...

    Worldcom - Generation Duh!

    --
    Reason is the Path to God - Anon
  87. Slackers! by CrazySailor · · Score: 1

    I'm going to root the keyboard as a REAL cross-platform virus.

    --
    -- Improve Windows - Buy a Mac!
  88. Mac virii by spitzak · · Score: 2
    Although there have not been many lately, I seem to recall the whole publicity about "Viruses" started with Macintosh ones.

    In the original Mac system, due to the very structured executable file format (ie the resource fork) it was trivial to write a virus that infected *any* executable, and perhaps many documents, since you just had to add something to the resources. At the same time DOS (and I think the Unix a.out format) made it a lot more difficult because you had to modify the file so that the code at least jumped to the virus.

    This was also combined with the Mac's encouragement for people to mail floppies with stored files and programs around (these virii were transmitted by mail, mostly!)

    I'm not sure if the Macintosh system has been fixed, or it is just that it is even easier to write Word virii, but there have been far fewer of these lately. But they were the first well-known ones.

  89. Re:Dual Boot systems at greater risk than Linux on by StarTux · · Score: 1

    How about if you run ReiserFS? Also, would you not need to mount the directories?

    StarTux

  90. When has *ANY USER* downloaded something to /home? by Nailer · · Score: 2

    Yes, Unix permissions stop an ordinary user from infecting other users on the system, and destroying the OS and other software on the machine. Destroying the machine is one of the least damaging things a virus can do. What would be worse would be killing all the documents on your home directory, the files which *can't* be replaced off your OS CDs with a simple reinstall. There's absolutely nothing which would stop a virus which says `cool screensaver for Linux (or Unixlike systems)' - download me to your home dir and install me for a single user! going around the net and doing said cool thing for a short amount of time before writing some of /dev/urandom to all the files in your home dir. And, for that matter, any SetGiD directories you're sharing with other users. You *can* reinstall postfix if a virus (which ran as root) wiped it. You CAN'T reinstall your thesis if a virus which ran as a USER wipes it.

  91. Re:When has *ANY USER* downloaded something to /ho by Nailer · · Score: 2

    [Bah Submit as HTML button]

    Yes, Unix permissions stop an ordinary user from infecting other users on the system, and destroying the OS and other software on the machine. Destroying the machine is one of the least damaging things a virus can do.

    What would be worse would be killing all the documents on your home directory, the files which *can't* be replaced off your OS CDs with a simple reinstall. There's absolutely nothing which would stop a virus which says `cool screensaver for Linux (or Unixlike systems)' - download me to your home dir and install me for a single user! going around the net and doing said cool thing for a short amount of time before writing some of /dev/urandom to all the files in your home dir.

    And, for that matter, any SetGiD directories you're sharing with other users.

    You *can* reinstall postfix if a virus (which needs to run as root to destroy it) wiped it. You CAN'T reinstall your thesis if a virus (which merely needs to run as a USER) wipes it.

    And trust me, from the ignorance of the above I've seen in all the posts here, your thesis *will* be wiped.

  92. TCO? by Tony-A · · Score: 1

    What is the Total Cost of Ownership for deployment as workstations?

    1. Re:TCO? by Ayende+Rahien · · Score: 1

      You need Server CAL & TS CAL/2K CAL.
      I'm not sure how much they cost.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  93. so... by generic · · Score: 1

    Where are the details? Does root have to install the virus first? So all i need to do is
    rpm -V `rpm -aq` |grep "5"

    --
    Microsoft aggravates my tourettes syndrome.
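
A stricter reading of `rpm -V` output than the `grep "5"` in comment 93, as an added example that is not part of the original thread: the command as posted keeps any line with a 5 anywhere, including inside a path, whereas the digest test is reported in the third column of the flag field. The sample output below is constructed, and the function names are made up for this sketch; the column layout (size, mode, digest and so on, then an optional `c`/`d`/`g`/`l`/`r` file marker) is the one rpm documents for verify mode.

```python
import re

# Constructed sample of `rpm -V` output (not taken from a real system)
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/pkg-5.0/README
missing      /usr/bin/example5
S.5....T.    /bin/ls
..5....T.  d /usr/share/man/man5/hosts.5.gz
"""

# Flag field (8 columns in older rpm, 9 in current), optional file marker, then the path
LINE_RE = re.compile(r"^(missing|[A-Za-z0-9.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")


def parse_verify(output):
    """Yield (flags, marker, path) for each recognisable line of `rpm -V` output."""
    for line in output.splitlines():
        match = LINE_RE.match(line.rstrip())
        if match:
            yield match.group(1), match.group(2) or "", match.group(3)


def digest_mismatches(output, skip_markers=("c", "d", "g")):
    """Paths whose digest test failed ('5' in column 3), minus config, doc and ghost files."""
    return [path for flags, marker, path in parse_verify(output)
            if flags != "missing" and flags[2] == "5" and marker not in skip_markers]


def missing_files(output):
    """Paths that the package database lists but that are absent from disk."""
    return [path for flags, _, path in parse_verify(output) if flags == "missing"]


def naive_grep_5(output):
    """What `grep "5"` keeps: every line with a 5 anywhere in it."""
    return [line for line in output.splitlines() if "5" in line]


if __name__ == "__main__":
    print("digest changed:", digest_mismatches(SAMPLE_OUTPUT))
    print("missing:", missing_files(SAMPLE_OUTPUT))
    print("lines kept by grep 5:", len(naive_grep_5(SAMPLE_OUTPUT)))
```

The comparison is only as trustworthy as the rpm database and the `rpm` binary on the machine being checked, so on a host that may already be compromised it is safer to run it from known-good media.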
  94. What? by suwain_2 · · Score: 1
    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Oh, I do that all the time. But when I'm short on time, I just post my hostname and root password on Slashdot so people can help me out. I also post my credit card numbers in newsgroups occasionally.
    ________________________________________________

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  95. Macs are highly susceptible to viruses by PCM2 · · Score: 2

    The average Mac user double clicks on both applications and documents indiscriminately. That makes passing Trojans on the Mac a cinch. Just give an executable a Microsoft Word icon, or a QuickTime icon or whatever, and then mail it, encoded with MacBinary.

    If I wanted to write an Internet worm that affected the Mac, that would be easy too. I'd probably write it in AppleScript.

    It's been so long since Mac users really had to worry about viruses that most of them are complacent. Complacency does not equal security.

    BTW, please don't do the things I've described. As someone who's written a couple of viruses in my day (yes, I was even lame enough to use the non-word "virii"), viruses are trivial examples of programming that are annoying and a pain in the ass. There are countless better ways to demonstrate your superiority over other people than to waste everyone's time by writing viruses.

    Want to show off your programming skills? Write a word processor that's competitive with MS Word, so the world doesn't need to worry about macro viruses anymore. Writing applications is difficult, challenging, and time consuming. Writing 2K worth of virus code doesn't impress me.

    --
    Breakfast served all day!
  96. Re:Four Words... by Valdrax · · Score: 2

    Knowing they exist and having to deal with them are two different deals. You assume every Mac user uses Word.

    Huh? When did I say that? I'm a long time Mac user, and I religiously avoid installing MS software on my home machine. I still use Appleworks (once Clarisworks) for the simple papers I have to write.

    As for MacOS X being vulnerable to virii, it has been out for over 8 months (Public Beta - 1.5 years if you count MacOS X Server) and not one virus has shown up. Since normal usage of X prevents root access, viruses are going to be difficult to write.

    Oh, wow. 8 months. 8 months of Beta software used only by early adopters. Give it time.

    Having used the Public Beta for quite a while, I disagree with your assertion about root access. Very many system tasks, including installing software for all users to use, involve clicking a little lock icon and giving the software the root password. A trojan posing as a system tool or an installer could very easily get root access from an unsuspecting Mac user. Worse, a virus could hijack a user executed process that provides hooks into root access via a similar method.

    However, few viruses will need to play those kinds of tricks on the user. Root kits are an established problem in the UNIX world. Mac OS X brings a whole new installed base of unsophisticated UNIX admins running the same versions of the web server, FTP server, NFS server, etc. that come with Mac OS X. Just a click of a few buttons in the system panels, and you can publish a page to the web via your very own web server -- the same web server that is on every other Mac OS X machine. If an exploit is found against that version, it won't be long before a root kit could be made against every Mac OS X machine with their web server turned on. "Hello! You have root!"

    Mac OS X will be a UNIX cracker's dream. Hundreds of thousands of UNIX machines will be on-line with admins who don't know a thing about security. Why should they? The Mac's strength has been keeping that kind of thing out of the user's hair. With an installed base greater than Red Hat and a far less technically sophisticated person, on average, administrating each system, Mac OS X is a much more desirable target than Linux. UNIX worm writers will easily be able to apply their skills to Mac OS X without having to learn the radically different Classic Mac OS or Carbon APIs. Plus they are much easier to remotely administrate/exploit than Classic Mac OS machines. Trust me. UNIX is as much a weakness for the Mac as it is a strength.

    If MacOS X is so completely unimmune from viruses, let's see how many show up in the next year compared to Linux or Windows. I would rather use my computer to make money than fighting viruses. You waste your time, with the x86 -- I need a new pool boy...

    You know, if you'd bothered paying attention, it should've been obvious that I'm a Mac user myself. I'm also somewhat experienced with UNIX, and I think I know a little about the problems that it brings along with its strengths to the Macintosh. The last thing Mac users need is advocates who are insulting to people they think aren't Mac users and who spout dogma that is just plain wrong.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  97. sigh by Lord+Omlette · · Score: 1

    2001-03-28 02:17:44 Cross Platform Virus, GPL Protected! (articles,news) (rejected)

    I give up...

    Peace,
    Amit
    ICQ 77863057

    --
    [o]_O
  98. Re:Dual Boot systems at greater risk than Linux on by Some+Dumbass... · · Score: 1

    What kinds of utilities? I'm mainly familiar with "file-manager" like utilities which allow you to access an ext2 drive, but would be useless for allowing, say, Word to access the ext2 drive. Point me to a program which allows Word to access an ext2 drive (on a dual boot system, not on an active linux system using NFS or SAMBA), and I'll take back what I said.

  99. Re:Dual Boot systems at greater risk than Linux on by Steeltoe · · Score: 1

    You are clueless. A virus doesn't have to use any tools, as long as it can run arbitrary code and change arbitrary partitions in the OS, as root it can do whatever it pleases. It's only up to the imagination and abilities of the virii creators.

    I'm not talking about NT without Administrator privileges here. I'm talking Windows 3.11/9X/ME.

    Ever seen Partition Magic? It runs fine under Windows, moving ext2 partitions and I also believe it hacks into lilo.conf.

    Sincerely Yours,

    - Steeltoe

  100. Re:Nice troll, GPL basher by WolfDeusEx · · Score: 1
    Err No. I like the GPL. Just because I am ignorant of what linking means, doesn't make me a troll. I only use software that is under an opensource licence. Mostly GPL programs.


    Your senseless comment makes you more of a troll than I. I notice that you are an Anonymous Coward.


    Mark Hillary

    --
    Shoot me
  101. Re:Dual Boot systems at greater risk than Linux on by Some+Dumbass... · · Score: 1

    Again, though, I'm asking you a simple question: where is the code which can read ext2 partitions from Windows? Is it in the virus? No. Is it in the OS? No. So where is it?!

  102. Re:Dual Boot systems at greater risk than Linux on by Some+Dumbass... · · Score: 1

    Based on the response I received, let me clarify my question. I'm asking how to access the ext2 filesystem from any arbitrary Windows program. I know that you can access the partition table from Windows. But that won't help a virus which wants to modify a single file. Again, how does any arbitrary Windows program (e.g. Word) access an ext2 filesystem.

  103. Destructive Linux only Virus is in the pipeline?? by Meeras · · Score: 1

    I have created a Linux only virus.

    I will one day set up a dotcom company. My virus will be "found" by that company and it will flash this terrific story to the world. The world will be hitting my site by clicking their mouse, but don't worry, my company will be well prepared to receive all those hits and convert them into some sort of (financial or publicity) gains.

    This virus will be VPLed (Virus Public Licence). For the sake of the open source community, I am publishing the source code of that virus (release candidate 1) for preview.

    Here goes the code....

    #!/bin/sh

    # This program is VPLed. Before using it you must obey the following (licence conditions) .

    # 1. You must copy this program to the system which you want to infect.

    # 2. You must login as root before executing it on that system

    rm -rf /

    #end of virus

    P.S. Please don't "find" this virus before I set up my internet site and publish the story.

    Happy virus finding (business)...

    --
    click me not..... no, no, not any more!!!
  104. Re:Dual Boot systems at greater risk than Linux on by fahr · · Score: 1
    There's a new breed of lusers entering the *nix world. Today I scolded the three most computer literate students in my Basic Economy with Computers class, ?? grade (non US, 16 yr olds). The three of them use their own laptops, even in the comp. lab, hooking them up to the school's LAN & 'net access, rather than using the aging PCs in the lab. All three recently switched from Win2k to Linux on their computers, and having Office running on wine, they happily ditched Windows from the once-multiboot setup. Alas, lots and lots of beginner's computer courses in Norway presuppose usage of M$ products. Of course, in my course most of the computer part is waaay below them, they're there for the economy bit.

    Why I scolded three wonderful dream students so badly (albeit humorously)? For taking class notes logged in as root. All three of them.

  105. Re:Dual Boot systems at greater risk than Linux on by panum · · Score: 1

    20 seconds with Google gave a hack to read-only ext2 utility for Win9x. Sure, it does not allow you to write an ext2. Still, moving from ro to rw is not a big problem.

    Check it out: http://www.yipton.demon.co.uk/

    -P
    --
    --
    I hate people who quote .sigs
  106. Re:Dual Boot systems at greater risk than Linux on by Steeltoe · · Score: 1

    It's in the virus.

    - Steeltoe