Slashdot Mirror


Cross-Platform Pseudo-Virus: Don't Panic

spam-it-to-me-baby writes: "It's only based on one reported sighting (i.e. it could be bulls**t), but anti-virus software hacks Central Command say they have found the first Windows/Linux cross-platform virus. It appears only to be a proof of concept with no malicious payload, and targets Windows PE files or Linux ELF files once it recognises the infected OS." There are stories at CNET and at Wired as well, not to mention at NewsForge. Despite the Wired story casually saying so, though, this is anything but an "equal opportunity" virus, except in that it seems to infect multiple media sources without discrimination. When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

16 of 202 comments

  1. False Safety by Jethro73 · · Score: 3

    An article from Reuters about it:

    Reuters

    Central Command says it has developed a cure for the virus at its Web site (Avx.Com).

    Jethro

    --
    Quidquid latine dictum sit, altum viditur.
  2. Virus Source by bonzoesc · · Score: 4
    Rumor has it that the virus is spread by upper management, so let's look at the source:

    GET FREE MONEY!!! You can get a lot of FREE MONEY if you send this file to everybody in your address book and delete all the files on your computer! Do it! All the cool people are doing it!!!!

    Tell me what makes you so afraid
    Of all those people you say you hate

  3. Loads of people do this all the time by swb · · Score: 3

    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.

    I definitely see less-sophisticated users running a Windows and Linux combo trying out a "cool win/linux app!" that their friends sent them. God knows that a major portion of morons where I work, in SPITE of the long history of trojans/viruses/general maliciousness via email will without question run .exes they get in the mail, especially if there's any chance of seeing a little skin or some cuss-filled animation.

  4. Dual Boot systems at greater risk than Linux only by FreeUser · · Score: 4

    While only an idiot runs mystery software as root on a *nix system, what happens when you dual boot into Windows to play that favorite game or run that beloved flight simulator? At this point you *are* essentially running everything as "root", and Linux filesystems are potentially just as accessible and corruptible as windows filesystems (assuming the virus is smart enough to parse the inode map, or an ext2win type driver is loaded in windows).

    The infection vector for Linux software may be more via the windows dual-boot option so many of us keep around, rather than the clueless newbie running a downloaded executable as root. If the virus author chooses a target intelligently, one which runs as root by default (for example, say, "getty" or "X"), your Linux system could well become a warren of viral activity no matter how secure the Linux portion of the configuration is.

    Using an encrypted filesystem, inaccessible under windows, might prevent this sort of contagion, but of course that wouldn't prevent the windows incarnation of the virus from simply trashing the encrypted data and destroying the Linux installation outright.

    The upshot is, if you have Windows installed on your system, and use it in any kind of promiscuous fashion (which, for an operating system as insecure as Windows must include having any kind of connection to the internet), any data anywhere on the hardware is at risk, and all the security Linux or FreeBSD offers you is for naught.

    --
    The Future of Human Evolution: Autonomy
  5. GPL'ed virus! by jjohn · · Score: 3

    W32.Winux contains internal text strings. It also contains the following text: "[Win32/Linux.Winux] multi-platform virus by Benny/29A" and "This GNU program is covered by GPL."

    It appears that the Free Software Foundation's message has finally reached the cracker community.

  6. Re:Not a virus, not a worm by Stormie · · Score: 4

    Code that has to be spread manually is not a "virus."

    It doesn't have to be spread manually. Read the analysis - it searches for Windows PE exes and Linux ELF exes and infects them.

    However, the analysis states that this virus only searches for and infects executables in its own directory and parent directories. This to me seems fairly harmless. If you were emailed a program infected with this virus, it would surely only infect your temp directory (and root dir, but who would have executables there?) And as you say, this one doesn't propagate over the internet, so the only way you're likely to catch it is running an infected prog emailed to you.

    But as they say.. it's a "proof of concept". Where I work, we had a hell of a time with a virus that checked machines in the network neighbourhood for open shares (this was a Windows virus of course) and then searched them for executables to infect. Watch for a virus which can infect Windows exes and Linux ELF exes like this one, but which also aggressively searches shares, NFS mounts, etc. for more files to infect.. that might be something to take more seriously..
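
An added example, not part of the thread and not any vendor's tool: a defensive triage sketch in Python that walks a directory tree, identifies the two file types named in the comments above (Windows PE and Linux ELF) from their headers, and flags any that contain the marker text quoted in comment 5. The function names and the sample files are constructed for illustration.

```python
import os
import struct

# Marker text quoted in comment 5; a string match is only a weak heuristic.
MARKER = b"[Win32/Linux.Winux] multi-platform virus by Benny/29A"

def exe_kind(data):
    """Classify header bytes as 'ELF', 'PE' or None."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return None

def scan_tree(root):
    """Return sorted (relative path, kind, marker present) for each PE/ELF file."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it
            kind = exe_kind(data)
            if kind:
                hits.append((os.path.relpath(path, root), kind, MARKER in data))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample files: inert header stubs, no executable code."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 32
    os.makedirs(os.path.join(root, "sub"))
    samples = {"clean.elf": b"\x7fELF" + b"\0" * 60,
               os.path.join("sub", "tagged.exe"): pe + MARKER,
               "notes.txt": b"forum post quoting " + MARKER}
    for rel, blob in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

The text file that merely quotes the marker is not reported, because only files with a valid PE or ELF header are considered.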

  7. What worries me is... by Anonymous Coward · · Score: 3
    A cross-platform virus that is spread initially through standard Microsoft Outlook or Word but knows how to probe for weaknesses in Unix servers.

    Then it can replicate itself into every .doc file on the server, as well as root the servers for later nastiness. Yikes, makes my skin crawl just thinking about it.

    Most people focus on hardening their externally visible servers, not the ones in the back room that are invisible to the outside world. Now we've got to worry about any server reachable from anything that runs Outlook or Word.

    Arrg.

    -- ac

  8. "Idiots" and unknown software? by Mercenary · · Score: 5

    Fair enough, claim that only "idiots" run unknown software on their box, and that because you are so 133t, you compile all software you use.

    Which proves what? That you've compiled some software, and *then* run it.

    Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm? Sure it wasn't a trojaned source you downloaded (The server could have been hacked right?)

    Just because you compiled from source, doesn't mean your newly-created binaries are therefore perfect and couldn't *possibly* contain a trojan of some sort.

    1. Re:"Idiots" and unknown software? by roguerez · · Score: 3
      Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm?

      What are you talking about? How do you know whether I check it or not? In fact, I run exclusively code I've compiled myself, after having read the complete code to check for security reasons.

      This has saved me a lot of trouble. On the other hand it takes some time. Since I'm very strict in this thing, I only run a very dumbed down version of MINIX of which I had to study the code for my operating system classes. I hardly use any utilities (http, smtp, news: everything can be done just fine directly over telnet).

      I am preparing to run X and KDE in the future. I estimate I'll be ready in 5 years to start compiling the code. I can hardly wait..

  9. Early April Fool by pixelix · · Score: 3

    Smells very much like an early April Fool.
    --
    jambo
    system.admin.without.a.clue

    --
    -- js.
  10. Re:Not a virus, not a worm by kaphka · · Score: 4
    Code that has to be spread manually is not a "virus."
    Sigh... well, I guess it's finally time for me to stop clinging to the proper usage of the terms "virus", "worm", and "trojan". I got all excited when I saw this article, because it was the first time in years that I had heard of a real virus, and not just another trojan or worm... and sure enough, I see arrogant slashdotters (-1 redundant) complaining about it.

    Fine, I give up. Language evolves. But you're still getting smacked if I ever hear "worm virus" again.
    --

    MSK

  11. Re:It's worse than that by Foochar · · Score: 3

    It was Ken Thompson in an implementation of a C compiler. His paper on it can be found here.

    --
    "You can't fight in here! This is the war room" --Dr. Stra
  12. Re:Dual Boot systems at greater risk than Linux on by Anonymous Coward · · Score: 3

    Only one problem I see with this logic. When in windows, can you see an ext2 partition on the same drive? NOPE! Windows can't see ext2. The more dangerous one would be if you were logged in as root with your windows drives mounted. Then, you'd infect both partitions. So, if you're in windows and get it, not a huge deal. You'd only lose Windows stuff. Personally, I can't see WHY someone would want to write a virus, especially one for Linux since anyone who knows anything about Linux will figure out WHY it's not a good idea to do certain things as root. It only takes one fug up and you will remember that for the rest of your life as you kick it in your head while watching your filesystem go bye bye!! :)

  13. Re:Four Words... by Valdrax · · Score: 4

    You know that there have been Mac viruses before. There's about 40-50 or so non-Word macro viruses. The reason you don't see as many of them is that the Mac hasn't been as friendly to casual programmers as DOS and Windows have been, and the market penetration is lower. Thus, there are fewer people messing around with non-professional programming on the Mac who would get the virus-writing urge. Its lack of market penetration has also made it less desirable of a target.

    There is no inherent safety to the Classic Mac OS that prevents viruses at all. In fact, the use of shared global memory resources, non-existent memory protection, and nearly non-existent file protection makes it very unsafe. It's just secured by obscurity.

    Mac OS X will have all the same strengths and weaknesses of a UNIX system. Unfortunately, the UNIX layer makes basic worm and virus writing easier since the APIs are better known by more people. It won't be long until the first Mac OS X viruses begin propagating. I don't think we'll ever reach the level of DOS/Windows in its heyday, but don't kid yourself into thinking that the Mac is, has been, or ever will be completely immune from rogue code on the system.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  14. Re:Dual Boot systems at greater risk than Linux on by bonzoesc · · Score: 3
    (moderators - kick the parent AC up)

    You can see an ext2 partition on the drive - Windows doesn't have the built in tools to parse the stream of data as a filesystem, but it is possible to write a win9x program to directly read the disk and interpret the filesystem for itself. In WinNT, there are third-party drivers to read ext2 partitions just like another mount.

    Tell me what makes you so afraid
    Of all those people you say you hate

  15. GPL issue for Virus by DarkMan · · Score: 3

    Slightly OT, but just had a thought.

    You're not allowed to redistribute a GPL program, unless you agree to the licence (Basic copyright).

    If you redistribute a GPL'd binary, you have to (at least) have the source available freely, to those who you pass the binary on to.

    Does this mean that if I infect someone with the virus (deliberately), I must give them the source, on request? (Answer: Yes)

    What if I give them the binary, unwittingly?

    What if I intend to give them a different program (e.g. xbill) that is infected. The source is requested, then I give them the xbill source. But that's not the source for the binary - does this mean the GPL cannot be upheld in this circumstance?

    Extremely icy ground, and probably best handled by lawyers, (one of which I am not), but even so, food for thought.

    Stuey!
    --