Win32/Linux Cross-Platform Virus
An Anonymous Coward writes "Symantec reports on the first virus to infect both ELF and PE binaries on Linux and Win32. "The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, uses two separate routines to carry out the infection on PE and ELF files. This variant of Simile shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.""
No crossing over to this platform
Compiling all my apps from source removes worries about this kinda thing ;)
I *never* run prebuilt binaries if at all possible.
TODO: Something witty here...
...not to be logged in as root. At least the typical Linux user can limit the damage this way.
I think that this was cooked up in Symantec's labs in order to scare people & possibly serve as an ad for their software, especially if they have a "solution" that runs on Linux.
While working to convince many of my friends and colleagues to give Linux a try, one of the most vexing hurdles I've come across is the following:
Me: "Dude, you should really try Linux! It's fast,
it's free, it's really secure - and, best of
all, you get all the source code, so you can
see how it -really- works, and even contribute
your own code, if you want."
Dude: "Is there antivirus software for Linux?"
Me: "Well, no - Linux doesn't have viruses,
per se, so there's no need for antivirus
software!"
Dude: "My bosses won't let us run any boxes
which don't have antivirus software
installed. Let me know when I can buy
antivirus software for Linux."
So, now that we have virii on Linux, we'll soon have antivirus software, and I can show my friends yet another way in which Linux has caught up with Windows!
more and more windows functions every day. Hopefully this new feature encourages some more switchover to linux.
True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
It is the first to use pretty much the same injection code routines for both, though. The previous virus I referenced had two separate infection routines for PE and ELF files.
Sinepaw.org: Grape Winos
http://www.treachery.net/~jdyson/trojans/
send em to friends, watch them laugh as their hard drives get erased
send em to enemies
run them yourself! viruses rule! http://www.treachery.net/~jdyson/trojans/
Nonetheless you are encouraged to update your virus definition files to the latest and greatest. And for you who don't have anti-virus software yet, this was the subliminal message in the announcement that you need to buy one!
Does anyone know if this virus has the ability to target ELF binaries on a bsd platform, or is it safe for some reason?
The synaptic link was rather unhelpful in explaining how it is infecting, and a google search is coming up blank.
Any further info would be appreciated!
I live in a giant bucket.
I've never gotten a virus. Virus protection software is like condoms.. only idiots use them.
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me......
Systems Not Affected: Windows.....
What the hell is that supposed to mean ? Windows != Windows ?
I'm not here now... I'm out KILLING pepperoni
[root@bigassopendomain /]./virus /]
"virus" requires the following dependancies
libinfect.so
libcrash.so
please check the path and filenames and try again
[root@bigassopendomain
forget it.
Well, looks like this does not affect those using Linux on PowerPC, Sun, or any of the other platforms supported.
On a lighter note, if this virus were open source it would compile to the other platforms. Someone should post a link to the Sourceforge page, with links to source tarballs as well as Debian and RPM packages.
The line in the document:
> So far Symantec has not received any
> submissions of this virus from customers.
is rather suspicious. If no-one has ever reported this virus, does it mean that Symantec created it?
There's also no information on how it would infect Linux systems. Does it affect user files or does it use buffer overflow to gain root access?
.. is supposed to spread around?
;P
Infected win executables run on windows, ELF executables run under linux.. I don't think there are that many programs crossing the wall between the two platforms.
But probably I'm forgetting about wine, vmware and dual-boot machines
:dikappa
[1] Viruses are an urban myth. It's like the story of alligators in the sewers of New York, everyone knows about them, but no one's ever seen them.
That means less than a shit if you don't actually AUDIT the code before compiling.....
OMGF OMGFKSAHJGKSJ LINUX DOESNT HAVE VIRUSES AHAHA LNOT ROFL NOT LIKE THAT WINDOWS SHIT HAHAHA
Dolts.
I've been saying it for years. Linux isn't some magical little leprechaun with a pot of gold. Or perhaps it is, and only now Virii writers are after its lucky charms.
We can look forward to even more virii coming out as popularity grows. I seriously hope someone with the knowledge to starts working on a virus checking program.
(Hopefully, not Symantec/etc. We'll know they're interested when we see a flood of virii like never before...)
So this virus thing links against my GNU code, does it?
Where can I download the source?!?
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
They are hoping you checked it.
So far Symantec has not received any submissions of this virus from customers.
From this I infer that the virus was not found in the wild. So where from, exactly? I'm thoroughly confused, this makes no sense.
Beer Party. We hit the big time. Our own virus!
"Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Linux
Systems Not Affected: Windows, Microsoft IIS, Macintosh, Unix"
I guess by Windows they must mean Windows 3.1 or 3.11, since that's the only M$ version I don't see listed. If not, I hope they fix that on the web page or your average user will get confused.
Well, here's something a bit interesting to think about. Maybe Norton made the virus. Why, you may ask? It very well may have been made so companies running linux will be fooled into buying their software. Seriously, if people keep migrating from Windows to Linux as it matures, where's Symantec's business gonna be?
If I wasn't so lazy, I'd have a sig.
$outlooke / asted/bin)
bash: outlook: command not found
$whereis outlook
outlook:
$which outlook
/usr/bin/which: no outlook in (/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/hom
What is pirate software? Software for inventory of stolen treasure?
When will the virus be available under GPL? :)
at McAfee's website here
btw the linux version has been known about for a few weeks now according to their dates.
but anyways when the original variant came out in February they state...
The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b).
lots of info about what it actually does to windows machines there, but almost nothing about what it does on Linux
A virus needs to start somewhere. The code doesn't magically appear in your system. In order to get a virus on a Linux box, you need to download an infected binary (or the actual code and compile it) and then run it. Once you run it, it needs to search for another binary that it can infect (has write permissions to) and then modify it.
The reason that it's hard to infect a Linux (/Unix/anything with a decent permission structure) system is that hardly anyone runs daily activities as root and only updates their /bin, /usr/bin, etc binaries from a known source or from source code. If some user runs the virus, it will only be able to infect files that he has write permissions to and on most Linux boxes (at least the distro's I've seen), users aren't allowed to write to systemwide binaries.
The virus is "kinda neat" as far as it's ability to infect multiple platforms and avoid detection, but is really "no big deal" to most systems out there. Windoze(tm) users get viruses sent through email (usually via worms) that self execute when they're opened. This infects files that they have write permission to (usually all of them since 9x boxes have no permission structure and most users on NT systems are run in the Administrator's group) and causes system havoc. Since no Linux mail readers that I know of will execute binaries without at least asking, the user would have to specifically download the binary and run it. At that point, all I have to say is "duh".
So how do you infect your Linux box? On purpose...with a lot of effort. How does this affect the rest of us?
*pause* *giggles* </Bubbles>
--
Mike Nugent
-- Mike wildcard@illuminatus.org
I've never used anti-virus stuff & I've never got them.
When people ask me what anti-virus software to use, I tell them not to click anything they're not sure about. Especially file attachments with a 'X' or 'V' in the file extension.
Don't use outlook
& make sure 'view file extensions' or whatever is enabled in Windows explorer's view menu options. So they aren't tricked by a holidaypic.jpg.ocx or whatever attachment
Now.. if only we could get those same brilliant minds working on a compiler that produces a single executable that works on both platforms, and shares as much code as possible.
Usually when a company releases a software package, it comes out on Windows first. Those running Linux usually have to wait a few months for a Linux port to be released, if it ever does at all.
I praise this virus writer for releasing Windows and Linux versions of the software simultaneously. If only other companies would follow their lead.
"People that quote themselves in their signatures bother me" - athakur999
It's a little different from standard virus infection, but the technique could be easily modified. Here's a short description of the technique, and here's the full text of the speech (with slides).
Yes sometimes it seems that Windows was designed to handle viruses.
If by handle you mean be infected by and transmit.
I'm watching Tom Cruise getting it on with a hooker! A great party!
If you mount FAT (and NTFS too?) volumes under linux as read-write, if you get infected under Linux, it will scan your volumes for PE executables as well. It will infect your Windows volume while you're under Linux.
The thing is that the majority of Linux users (I think) are dual booters, so this would give the virus a prime target to hit.
...there's a group of people trying to get Windows-only virii to run via wine to see if they can get faster infection times under Linux.
So you see, it took a while. Well, at least it's a working release that hits the market with a bang.
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
You guys may not believe this but I stopped using all anti virus software from 1996 onwards on win98/95 systems in home and *never* got infected by it.
Only thing me and my wife need to do is not to open any emails when we don't know who sent them. This I did after getting frustrated by all the virus updates I needed to do before and the associated false alerts.
We use just regular netscape mail to get our mails--outlook is too smart for us, I saw it was trying to execute things on its own and we stopped using it.
Symantec is probably coming up with these viruses and now trying to expand its market to so called unix boxes too. It will be nice if someone blows the plan with some strong evidence.
This is so pathetic that in the IT world there is no new invention anymore and the news of a virus is hitting the front page! Only cool thing coming out is in the linux/bsd world, but, the other companies are not really doing anything new other than coming up with doing the same thing in a different way with some fancy marketing jazz attached to it.
Anyway, I guess we will find the source.
in the wild, all on its own. Then you can say that linux has viruses. Even then I bet that it will just take a patch to a couple of programs to close that hole.
And if you want even better security for Linux goto the nsa.gov site and get the secure version of Linux that basically runs every program in its own security space, with only the access to the file system that it needs to perform its work. Thus, a web server would have read only access to the files it was serving and append write access to its own log files.
All the files in my home directory can fit on a single CD with plenty of room to spare. Restoring some files from backup is much much easier than first reinstalling the OS, and *then* restoring some files from backup.
___
If you think big enough, you'll never have to do it.
The thing that jumped up and grabbed me by the throat is this quote: So far Symantec has not received any submissions of this virus from customers.
Can somebody please explain how you can show the capabilities of the virus if no-one has submitted it, (unless of course, they're the author).
What's the exploit? How is this propagating?
What's with the gif? It's nearly unreadable. This is supposedly to show the output on a linux box. It looks like it was manually run on the system?! This reminds me of the amish do-it-yourself virus.
I think that this is the most made up sounding report I have ever seen. I'll go as far as to say that NAV has been had by a couple of practical jokers.
A lot of people have said Linux has fewer viruses than Windows only because Linux isn't as widely used... Well, this is the chance to do some comparisons. How devastating is the cross-platform virus to each system, and how fast does it spread on each?
Also note that it's a virus, not a security hole or flaw in the system - this doesn't make Linux less secure like a Melissa-type problem that takes advantage of holes made by one company's stupid software bundling decisions.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
Reading /. really makes my day!!
This sig can be distributed under the LGPL license
"This is meant to imply that a threat can infect across multiple platforms, Win32 and Linux..."
Sounds like a troll to me, or maybe I should be precise and say FUD. "Imply" means nothing. Robert McNamara was the master of sounding definite while saying nothing by stuffing the word "possible" into every statement. Just like this use of imply, it makes whatever is being said a null statement. Go away...
Let's see: 0-49 infections? How about an actual number of infections, if any?
And how many are Winboxen and how many Linux boxen?
And why Linux and not Unix (I know, different binary formats---but that really shouldn't matter).
0-2 installations affected? Which is it, 0, 1 or 2? Again, what OS was running.
Sounds like somebody is trying to spread some FUD here. I'd be ashamed to put up such meaningless info for public consumption. Two obvious 'possible' benefactors: the AV companies and MS Corp. Or---much as I'd like to blame the corps---it's most likely some a-ho who wants props for doing the supposedly impossible: writing a Linux virus. Funny, there's nothing about this on SecurityFocus, where I'd expect a BIG headline.
Call me when there's some credible evidence...
Thumper
-----
"Those who would give up essential Liberty, to purchase
a little temporary Safety, deserve neither Liberty nor Safety."
--- Benjamin Franklin
I have seen such viruses a looong time ago, so I thought this was something new. .exe and elf?
I thought it was a virus that had the same binary on both windows and linux!
Is it technically possible to do this, or is the header too different from
I really don't think there is any important header on windows, so it should be possible.
A hybrid virus could have its own filesystem code, and thereby infect say a linux partition on a dual-boot machine that is currently booted in windows, or vice-versa. The real killer here would be that your regular user-ID based security wouldn't help at all. While running in windows, the virus would have unlimited access to the linux-partition, enabling it to infect linux binaries it otherwise would only have been able to touch when run as root. And while running in linux, it could infect binaries on a FAT partition without having to worry about the virus-checker getting in the way. In fact, it could easily infect or replace the virus-checker itself.
My congrats go to the coder who was behind this, a good job well done.
The whining security-experts will never see the beauty in this. A polymorphic engine?
when was the last time there was a real polymorphic virus? and a cross-platform one at that.
Another kudos flies to "the whale" aka "motherfish". The first polymorphic virus, EVER.
Ok.. my question is how does a program manage to execute on Windows and Linux? aren't the loaders different and incompatible?
First we get RMS wanting us to say GNU/Linux and now we have someone else wanting us to say Win32/Linux? When will the madness end? ;-)
Well, the Wine team should hire this guy for their V3 release, he could add up the remaining (dis)functionality missing to close the gap between linux and windows compatibility :)
--- Metamoderating abusive downgraders since my 300th post.
During my intern job this summer, I am using a Linux PPC for checking my mail and running my "admin" apps (oo 1.0+MozillaRC, yeah!) Of course, while my co-workers are spending way too much time dealing with and worrying about virus infections on their machines, I can safely upload any message without fearing a dreaded attack. I don't even have to run an antivirus program. It pays to be a minority.
PPA, the girl next door.
-- I feel better now. Thanks for asking.
Who's up for ethnically cleansing the east side of KC? I'll bring the ropes..
This is not really the first win/linux virus. There was a cross platform virus over a year ago. Wired had an article on it, as did f-secure.com. This may be more malicious, but the first was GPL'd.
I hope my PlayStation 2 running Linux remains unaffected then.
:v)
I did actually think of using it as a firewall box at one point. That'd confuse the crap out of script-kiddies.
Vik
has really HIT the BIG TIME now :)
errr....umm...*whooosh* *whoosh* Is this thing on ?
That's not true. The virus does not infect Linux!
Instead, it infects GNU/Linux!
There, that's much better.
[ This is an RMS-approved AC post. ]
This seems more like a proof of concept to me than a real virus. Especially since the author specifically emailed the virus to anti-virus labs, it's more like: See, it *can* be done.
:)
Of course, you could expect that. Basically, a virus relies on just one thing: privileges. Privileges means the possibility to mess other programs up. And because there are so many Windows viruses compared to other OSes, it's easy to see Windows handles rights... differently... than a secure OS
I don't think Linux, or UNIX viruses in general, will become a real threat. As long as you use your brain and don't do everything as root (as about every guide warns you against anyway), you'd be rather safe. Can't mess up stuff without the rights to do so.
http://www.bartleby.com/61/81/V0118100.html
It's "viruses", not "virii", regardless of what anyone tells you.
And no, "virii" is NOT the Latin form. In fact, the real plural of the Latin form, "viri" was rarely used at all, to lessen confusion between it and the plural of a common form of the Latin word for "man" ("vir"), which is spelled identically.
(Mod this down, I don't care! The truth must be known!)
Old but never say never
A buffer overflow vulnerability exists in the popular mail client Pine 4.21 (and possibly earlier versions), relating to the function which regularly checks for incoming email.
The real concern here is that this requires no user interaction to exploit.. a target need only be using a vulnerable version of pine. The overflow occurs when the user receives new email. While typically not yielding root privileges (unless root reads email with pine AS root) this can be used by a remote, anonymous attacker to gain local access to the target host.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Now that's really some good thinkin' there. Completely bypasses all your security because you're not running any of it. Take it a step further, a virus that infects and spreads on Windoze, where it's easy to do, but finds Linux partitions, roots them and installs its own backdoors and so forth.
Kinda scary. Next time you're in linux, it connects to somewhere over the net telling the author another box has been rooted and voila, he ownz you.
Kinda a good reason not to run Windows in dual boot mode I'd say.
There's some preemptive stuff you can do with this though.. Have a kernel module (possibly compiled in) that checksums all your major binaries before booting and warns you when they've changed. Of course, the virus has total kernel access too, so this may not be effective if the author planned for it.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
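Two points in this thread lend themselves to the same small tool: Mike Nugent's observation above that a user-level infector can only touch files its user can write, and the checksum-before-boot idea in this post. The following is an added example written for this page, not code from the thread, from Symantec or from any product; the function names, the JSON baseline layout and the command names are my own choices, and it is a user-space approximation of the kernel-module idea, so it offers no protection once an attacker has kernel access.

```python
"""Integrity baseline for executables, plus a reachability audit.

Added example: records SHA-256, permission bits and owner for every regular
file under the given roots, verifies a later snapshot against that baseline,
and lists the files the invoking (unprivileged) user could alter, i.e. the
only files a user-level file infector could reach without root.
All function and command names here are hypothetical, not from any product.
"""
import hashlib
import json
import os
import stat


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def regular_files(roots):
    """Yield regular files under the roots; symlinks and devices are skipped."""
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path) and os.path.isfile(path):
                    yield path


def snapshot(roots):
    """Map each regular file to the attributes an infection or tampering would change."""
    entries = {}
    for path in regular_files(roots):
        st = os.stat(path)
        entries[path] = {
            "sha256": sha256_of(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "size": st.st_size,
        }
    return entries


def save_baseline(entries, baseline_file):
    """Write the baseline as JSON; keep this copy on read-only media or off-box."""
    with open(baseline_file, "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file) as f:
        return json.load(f)


def verify(baseline, roots):
    """Compare a fresh snapshot against the baseline and report every deviation."""
    current = snapshot(roots)
    report = {"changed": [], "mode_or_owner": [], "missing": [], "added": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
        elif new["sha256"] != old["sha256"]:
            report["changed"].append(path)  # content differs: the classic infection sign
        elif new["mode"] != old["mode"] or new["uid"] != old["uid"]:
            report["mode_or_owner"].append(path)  # e.g. a new setuid bit or owner
    report["added"] = [p for p in current if p not in baseline]
    for key in report:
        report[key].sort()
    return report


def reachable_by_current_user(roots):
    """Files a user-level infector running as the invoking uid could alter.

    A file counts as reachable if it is writable, or if its directory is
    writable: the file can then be unlinked and replaced even at mode 0555
    (the sticky bit on the directory is ignored here for simplicity).
    """
    reach = [p for p in regular_files(roots)
             if os.access(p, os.W_OK) or os.access(os.path.dirname(p), os.W_OK)]
    return sorted(reach)


if __name__ == "__main__":
    import sys
    # usage: init BASELINE ROOT...  |  verify BASELINE ROOT...  |  reach ROOT...
    cmd, args = sys.argv[1], sys.argv[2:]
    if cmd == "init":
        save_baseline(snapshot(args[1:]), args[0])
    elif cmd == "verify":
        print(json.dumps(verify(load_baseline(args[0]), args[1:]), indent=1))
    elif cmd == "reach":
        print("\n".join(reachable_by_current_user(args)))
```

Run `reach` as an ordinary user over /bin and /usr/bin to see how little a non-root infector could touch on a sanely configured box, and `verify` from a clean boot medium so the tool itself is not among the files it is checking.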
How hard Symantec worked to create that virus and if the number of sales will more than cover the costs of their developing and releasing it.
OK. I have Symantec's Norton Antivirus running on my Windows XP machine (which like many of us also dual boots to Linux.) Norton Antivirus seems to be pretty good at keeping itself up to date with the latest known viruses out there but what can I use on Linux? Other than minimizing my time spent as root is there anything else? Is there a virus scanner for Linux? I have never seen one but hopefully one is in the works.
Damnit elf! *click, click, click* 'yeeeow!'
Elf is about to die! "woohoo... fag, don't shoot our food assmunch"
That's what they want! Perhaps it's some new ploy from M$ to convince you that you are not using Windows and that it's time to upgrade *again*.... Or someone (Norton) is trying to hide the flaws in Windows.
Or perhaps that sounded funnier in my head.
*sigh*
So fucking what. If you run win32 or Linux as Root then you get what you deserve!
(I run win98, so haa haa!)
seriously... same processor, same code, now there's a surprise!
Duhhhhhh.......
Since the GPL is, after all, a viral license.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
On slashdot, I see a lot of people with the opinion that virus writers won't bother to create a lot of virii for Linux, because they could affect a lot more people if they stick to writing for windows. If you ask me, this attitude of you can't hurt me nah nah nah nah, will at some point provoke them into turning a great deal of attention to trying to make us Linux users eat our words.
So I'm thinking that shortly, although we have a better natural defence against virii, that we will be bombarded with quite a few new viruses.
Jeeze, wtf is the damned plural of that...
Namely, what entry vectors it uses. So now we know there's a new virus out, but we don't have any idea how it's going to infect a system. We know we may be vulnerable, but we don't have any idea what we have to check or shut down to stop being vulnerable. This is why I get fanatic about full disclosure.
Since the source code for antivirus programs cannot be publicly reviewed, and you have to be running Linux in root to get a virus, installing antivirus on a Linux computer is a pointless security risk that will slow down your system.
By the way, I've always been amused by all the Windows administrators that are unaware of NT/W2K floppy root kits that reset the administrative password in a minute.
but, as I read your post more closely, I wonder if it was an attempt at ironic humor (after all everyone knows that using a condom is anything but idiotic) and perhaps the moderator didn't catch it. Or you could be a lame ass troll... I'd like to give you the benefit of the doubt. I'm not not licking toads...
Ignorance kills, complacency kills, hatred kills, but usually not the ones guilty of them.
The reason that it's hard to infect a Linux
You said it yourself - hardly anyone updates from a known source. Put up your web page of `mplayer 0.98 CVS packages' and tell some folks on IRC about it (maybe actually include mplayer CVS). This great new version of Mplayer doesn't have packages or come with anyone's distro.
Tell some people on IRC. They'll download it, and it will infect every RPM on their system (or Dpkg, but Dpkg isn't LSB and its distros don't have as many users as RPM based ones).
Hell, sign the source / binary packages if you want - if you live in a country where the law doesn't care about this sort of thing, and you don't work for a company where you might be fired for such behavior, go ahead. So many people seem to make a big deal about knowing packages came from a particular source - it doesn't matter if you can't punish that person if they do trojan an app.
So how do you infect your Linux box? Easily, through denial of an obvious threat.
Try, "A good reason not to run Windows."
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
uhhh sure...
___
If you think big enough, you'll never have to do it.
It would be interesting if a virus would get onto a system, then crosscompile for all the gcc targets to be a true multiplatform bug. It could get on a box, then infect all the crossplatforms that system supports.
Tired of legitimate data sources? Try UNCYCLOPEDIA
Make the Debonate virus. It runs under win32 to collect system information which it writes to a small partition at the end of hda. Then it does a Debian net install, completely securing the box by obliterating Windoze.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
If it just deletes everything without infecting anything and spreading itself for a while. Now a real cross-platform virus would try and mount your FAT partitions under linux and your ext2 partitions under Windows and cross infect would be nasty.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
A poorly secured nix box.. is even more attractive to script-kiddies than a windows boxen. So I fail to see how PS2 Linux as firewall would make you immune.
The short answer is no. The longer answer is given below.
::laughs hysterically:: We barely had time to post on alt.comp.virus in Usenet.
First, I'll explain who I am. I'm Alan Solomon, I'm a programmer, I designed and coded the engine in Dr Solomon's Antivirus, that engine is now also used in the McAfee (Network Associates) scanner (although I'm sure that by now it's somewhat different from the engine I wrote).
I worked in the AV world from 1988 to 1998. I'm doing other stuff now, I don't have any ownership in any antivirus companies. Also, caveat, I've been out of this business for a few years, so my knowledge-state isn't current. And, of course, I really can only speak for myself, and the company that bore my name. I can't really speak for other companies.
I used to get asked "Do antivirus companies write viruses?" a lot. It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay. However, I always tried to contain my irritation at the insult (on account of my guess that most people asking me this, don't realise it's an insult) and the answer is "No."
1. It's unethical. But I guess if you believe that the antivirus folks are a bunch of unethical scroats, that's not a very convincing reason. Actually, the technical folks in the AV industry have to be *very* ethical. Because unethical ones tend not to be accepted by the consensus, and thereby lose a crucial source of information exchange.
2. It's illegal (actually criminal, virus authors have been put in prison for this. Chris Pile (the "Black Baron") got 18 months, for example). And you can get caught (ask Pile). If you think a company could ask a programmer to write a virus, and hope that no-one else in the company would know about this, and that there's no risk of jail - think again. You have to be *really stupid* to write a virus when you're not able to guarantee anonymity. Of course, you have to be pretty stupid to write a virus at all. By the way, 99% of the viruses that I analysed were really crudely made; some didn't even work at all.
3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.
4. It takes too long. I'd estimate that the Simile virus, as described, took months and months to develop. It took McAfee two weeks to do the detector; Symantec about the same. So, if the AV companies had to write the viruses as well as do the Antivirus, they'd need 10 or 20 times as many programmers. And you'd have to keep that lot a deadly secret, of course.
You can't imagine what it's like in a virus lab. There's N new viruses per month, where N isn't a fixed number. And there's M people to do the analysis and coding, and M is never enough. It was like being on a treadmill, and you know that the treadmill is getting faster all the time. Write new viruses?
So why do antivirus companies sometimes see viruses before any users? Simple. The virus authors send them. The first time this happened was over a decade ago; it surprised me then. And we thought it through at that time. Do we just delete it, and pretend it didn't happen? If you've been sent a virus, and you think you're the only person in the world who has a copy of that virus, you can destroy it, and the world has one virus less. But if there's a chance that the virus author has, or will, release it in the wild, you have to build detection for that virus.
Also, you have to give a copy to the other antivirus companies. Because we programmers made an agreement between ourselves that we wouldn't force users to buy three different products to detect three different viruses, that we wouldn't compete on the basis of "we can detect X virus and no-one else can". We'll compete on price, speed, accuracy, tech support, etc etc, but not by restriction of virus samples between trustworthy AV companies.
So, once the virus author gives it to one AV company, all the AV companies have a sample (shortly after) and that virus might not be in the wild, and might never get into the wild. But you can't be sure. For this virus, we read that the virus author sent it to 14 AV companies.
There's a separation in AV companies between the programmers, who do the virus analysis and coding, and the marketroids, who do the, uh, marketing. The marketroids are constantly trying to persuade people to buy AV software, the programmers constantly trying to hold them in some degree of responsible check. The programmers do have a degree of control, via mechanisms that we put in place a decade ago, but it's impossible to persuade anyone that when a new and technically interesting virus comes along, that people should not be told. You really can't, and shouldn't, try to keep a new and technically interesting virus, a secret. Of course, then the media get their paws on it, and blow up a scarestorm. How do we stop that? I don't think we can.
I haven't seen or analysed this virus, but from what I've read, it does look A) technically interesting, and B) a complete pig to design detection for (detection means, you always spot the virus when it's there, and you never give a false alarm when it isn't). This virus is technically interesting because it's cross-platform. And it's a complete pig to detect because B.1) it's polymorphic, meaning if you put several samples side by side, there isn't any byte-string that you can be sure will be in all of them, B.2) it's metamorphic (meaning, it's horribly horribly polymorphic, even after you decrypt it you don't have any constant byte-string) and B.3) entry-point obfuscation (which means you don't even know where to start looking for the virus, all you know is that it might be somewhere in the file).
The fact that the AVERT folks (McAfee) have admitted that this one virus will cause "a slight performance decrease" in the virus scanner, means that this is a significant virus; pretty much every virus causes a near-zero impact on scanning speed. I'd guess that "ActiveDAT technology" means "we've encoded some executable code in the DAT file which the scanner will run". In other words, they had to write a subroutine specifically for this virus.
That's something that you don't expect to do more than once every couple of years or so.
Next - can viruses infect Unix, despite the unix security system?
Yes.
First, I'd point out that Fred Cohen's doctoral thesis on viruses in 1986, was done using unix boxes. Viruses do not break system security. They infect wherever the system security allows them to, and that's sufficient for them to spread. I'm not expecting a sudden wave of infections on Linux boxes, but please don't think that viruses cannot work on Linux.
One problem is that the distinction between an executable and a data file is very grey. Try this simple experiment. Take a simple perl script, test.pl, and change the permissions to 400. Now try to run it. Unix security stops you. Now try running "perl test.pl", and it will run fine.
And think about macros in documents. They will run even though the document has non-executable permissions.
See, it doesn't matter that you can't infect ls or ps or df. All it takes is for you to be able to infect your own user-written stuff.
And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.
OK, so now we've established that you can infect your own software, let's consider damage. A Linux virus will be prevented from deleting the system files, or from formatting the hard disk, by the system. But since it's running with the same privilege that I (as an ordinary user) have, it has the same read, write and delete access to my data files that I have. And, of course, my data files are the only files with real value on the computer. The Linux system itself can be reinstalled in minutes.
I've gone on too long already. I better stop before I write another book.
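The "400 permissions" experiment above, as an added example that is not part of the post: the execute bit governs direct execution through execve(), but a file handed to an interpreter only needs to be readable. Python is used here as the interpreter in place of perl (an assumption made so the demo runs without perl installed); the script content is constructed for the demo.

```python
"""Added example (not the commenter's code): the execute bit is not a security
boundary for interpreted content.  Python stands in for the perl interpreter
of the original experiment (an assumption so it runs without perl)."""
import os
import stat
import subprocess
import sys
import tempfile


def exec_bit_experiment() -> dict:
    """Create a script with mode 0400 and try to run it two ways.

    Returns {"direct": bool, "via_interpreter": bool}: whether executing the
    file directly succeeded, and whether feeding it to an interpreter did.
    """
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "test.py")
        # Constructed stand-in for the "test.pl" of the post.
        with open(script, "w") as fh:
            fh.write("#!/usr/bin/env python3\nprint('script ran')\n")
        os.chmod(script, stat.S_IRUSR)  # mode 400: owner-readable, no x bit

        # Direct execution goes through execve(), which enforces the x bit
        # (even for root, a file with no execute bit at all is refused).
        try:
            direct = subprocess.run([script], capture_output=True).returncode == 0
        except PermissionError:
            direct = False

        # Handing the file to an interpreter only needs read permission: the
        # interpreter is what the kernel executes, the script is just data.
        via = subprocess.run(
            [sys.executable, script], capture_output=True, text=True
        )
        via_ok = via.returncode == 0 and "script ran" in via.stdout
    return {"direct": direct, "via_interpreter": via_ok}


if __name__ == "__main__":
    print(exec_bit_experiment())  # expected: {'direct': False, 'via_interpreter': True}
```

The same holds for any interpreter, macro engine or loader that treats the file as input rather than as a program: mount options such as noexec and the execute bit only constrain the execve() path, so a detection or policy story that relies on them alone misses everything that runs as data.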
Can someone explain to me what a boxen is? I feel like I'm slipping behind on this hip tech lingo.
-----
PGP Key ID 0xCB8FF658
Everyone knows they hire people to write viri so they can write software and make money. It is like someone throwing a brick through your window with a note attached that says: "Bricks thrown through your window? We offer brick removal and window repair service at a low, low cost."
..we would have some way to spread the virus on linux :)
Time travel is possible. We are quickly heading for 1984.
OK, so I back up my home and only install binaries to /usr/local where I have execute but not write. What's the big deal? This ain't no desktop OS - I just restore my home and move on.
Nothing that runs can write anyplace but ~ and /tmp, and if ya'll are too lazy to back up ~ then you can lose the terabyte of MP3s ya swiped from Napster...
Windows is much more annoying to install and is almost impossible to install in 15 minutes if you expect the result to be able to do anything.
Seriously - many systems besides Linux use ELF binaries: BSD, Solaris, others. Are they also affected?
This shouldn't be a serious threat on Linux, since the average user doesn't install new software often (unless they install every piece of free software), and since most of the installation would be done by root who hopefully knows not to install something not trusted (and probably digitally signed). Where is the problem? I think we should get into the practice of only installing software that is digitally signed. Red Hat for one signs all their RPMs, and some other sites sign their sources too. So don't freak out about not having source either.
It's actually a germanic plural.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
Like patch Outlook, IE and IIS? Change all the settings on Outlook and grey out the checkboxes with the registry settings so the moron users won't set it back to use Word as your mail reader... (and can we please disable that damned Out of Office Assistant?)
99.997% of all virii spread because the virus writers know that the end users are dumb as a box of rocks... hell, how many times have we had email spread viruses, and people STILL open attachments without a thought.. (Wow dave's sending me nude pictures of his wife again!)
The only way to stop virus attacks is to either kill all the users (I wish!) or disable the dangerous options in the software they are using.
only then will we stop the virus problems.
Do not look at laser with remaining good eye.
"Therefore, all PE files are executable, but not all executable files are portable." (from Symantec's website).
Slashdot and Symantec are FUD whores.
I am basking, however, in the fact that I just connected to the internet for the first time with my box running FreeBSD, but...
Hey, a binary that runs on some stock machines if you're dumb enough to launch it...
I'm sorry, but it's just FUD.
Biggest technological breakthrough this year. Somebody's working, while you guys sun your noses and stink up your undies.
Also are you the same Alan Solomon (Dr Solomon) interviewed in UK's PC PRO Sep 2000?
The reason that it's hard to infect a Linux (/Unix/anything with a decent permission structure) system is that hardly anyone runs daily activities as root and only updates their /bin, /usr/bin, etc binaries from a known source or from source code.
While that may seem logical and common-sense to you, this is NOT obvious and intuitive to a huge newcomer/dilettante population out there.
A typical conversation on IRC:
[root] ne1 4 a question???
[Speare] Hey, root, it's a security risk to run IRC or any software as the root user. Set up a normal account and use the root account just for system administration tasks.
[root] i been on linux since 5.2, dont lecture
[root] ne1 no why
Seems like the de-facto third thing that every newbie wants to do, right after their first Linux distro install, is to rebuild their kernel. Why? I have no idea.
Yet almost nobody tells them how to build the kernel as non-root, or put the source anywhere but in root-writable /usr/src/linux, or why they should just stick to the pre-built, pre-audited kernels from their distro provider.
If SOMEONE wanted to zombie a lot of clueless folks, they should just distribute "helpful" kernel-building scripts.
Linux isn't secure until users know what security is.
So far Symantec has not received any submissions of this virus from customers.
Well, of course they haven't. They invented it and haven't unleashed it yet. You've got to build up the hype first right?
Just think about it, what better way for an anti-virus software company to ensure revenue for years to come than writing new viruses all the time. Now that IBM is advertising Linux solutions, Symantec figured they'd start "supporting" Linux too.
Before I get flamed, I'm just kidding.
It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay.
True story: My dentist, when I was a kid, would give out lollipops. Pure sugar, artificially-colored, decay-inducing lollipops. Swear to God.
Also: More than one fire department has been caught setting fires to put out. (It's especially prevalent among volunteer fire departments, which are often composed of people who enjoy playing with fires.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
A hybrid virus could have its own filesystem code, and thereby infect say a linux partition on a dual-boot machine that is currently booted in windows,
In other words, Windows is SO insecure that running it on a dual-boot Win/Lin machine opens a hole to infect the Linux partition. B-)
They've always had it in for PC users, I mean hey, look how much progress Darwin has made...;)
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
Dual-Boot danger:
Presumably if someone took one of those open source Windows apps that allow reading the Linux partition (only ext2 currently), then it could add code to login/init etc. and infect the Linux partition ready for when you next boot into it?
Code would be small (50-60k?). This implies the linux community has to support some sort of password/checksumming or encryption.
Roll out tripwire!
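A minimal version of what "roll out tripwire" means for the dual-boot scenario above, as an added example (not the post's code and not tripwire itself): record a SHA-256 digest and the permission bits of every regular file under a directory, then compare a later snapshot against that baseline. The directory tree, file names (init, login, getty) and the tampering steps are constructed for the demo.

```python
"""Added example (not the commenter's code, not tripwire): a file-integrity
baseline and comparison in the spirit of the "roll out tripwire" suggestion."""
import hashlib
import os
import stat
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256 hex, permission bits) for each regular file."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and other non-regular entries
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            result[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots: added, removed, modified paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "sbin")
        os.makedirs(bindir)
        # Constructed stand-ins for the login/init binaries named in the post.
        for name in ("init", "login", "getty"):
            path = os.path.join(bindir, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(path, 0o755)
        baseline = snapshot(root)

        # Simulated tampering: append to login, add a file, delete getty,
        # and loosen the mode on init (content unchanged, mode changed).
        with open(os.path.join(bindir, "login"), "ab") as fh:
            fh.write(b"# appended bytes\n")
        with open(os.path.join(bindir, "extra"), "wb") as fh:
            fh.write(b"new file\n")
        os.remove(os.path.join(bindir, "getty"))
        os.chmod(os.path.join(bindir, "init"), 0o777)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the place it is stored: anything that can rewrite the partition can rewrite a baseline kept on it, so keep the digests on read-only or offline media and run the check from the operating system you trust before handing control to the other one.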
Testing version has been available for about a year now and "production" release is now available for trial and purchase.
And my experience: So far I'm testing previous development release and it works.
hany
I should start by saying that I'm both surprised and disappointed that AV companies don't write viri. There are always new types of viri coming out, with some clever tricks here or there to get past the scanners. If the AV companies had a team of dedicated virus-writers, they would probably come up with the tricks before the PFY's did.
3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.
This seems like the best argument (an economic one), but it ignores the simple fact that a team of smart researchers are going to be more clever than the kid who hasn't actually taken an algorithms class yet.
I'm not saying that the researchers should be releasing viri into the wild, but they should be writing them. Some sort of 'in-the-wild simulator' would be a good way to test them.
I'm, of course, assuming they're running on a non-Net-connected system, with good physical security.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
their fire brigade (started by Crassus) was accused of various things.
Actually, raising awareness of this is good, but you've probably violated some law.
Yeah, your virus is crap and obvious, but I hope you don't live in the United States, for your own sake. It's probably in violation of the DMCA, for some damned reason or another.
They who would give up an essential liberty for temporary security, deserve neither liberty or security
Infecting the linux kernel would be quite hard, because the kernel file has three layers of code:
:-)
- Layer 1: 512 bytes: BOOT sector used only for standalone kernel boot from floppy; also contains some parameters, like which device is to be used as the root filesystem.
- Layer 2: +/- 4Kb: Setup code with the GZip decompressor for the 3rd layer
- Layer 3: GZipped kernel code
Infecting layer 1 is impossible; there is no room to add more code.
Infecting layer 2 (setup) is very risky; you can add stuff here but setup is limited in size.
Infecting the kernel means this:
- Strip the 2 first stages from file
- Decompress the kernel
- Patch the kernel
- Recompress the kernel
- Replace the 2 first stages that were stripped.
- Re-run lilo: Patching a compiled kernel is an operation that manipulates files and there is *absolutely no warranty* that your patched file will be placed at *exactly* the same place as the old one. Furthermore, the kernel may have grown in size. Lilo doesn't understand filesystems; it uses a blocklist to find where the file is stored on disk and if the kernel blocks have moved, he's screwed.
And even if the kernel file is placed at the same location, if it has a little size overhead, the tiny last chunk of data will not be loaded, leading to a CRC error when decompressing.
Decompressing-recompressing is a CPU-hog task, this will be noticed very quickly, even on today's fast machines.
There are so many steps involved in infecting the kernel that the virus will be quite large. (We're far from the good-ol' DOS times, where 6Kb for a virus is HUGE).
A virus that shows itself is a dead virus.
Did anybody fix that gaping lilo security hole (init=/bin/bash) that allows you to bypass the startup scripts and have a root shell without any password??
The -en postfix is german for plural. Saying "a boxen" as in "a windows boxen" (your parent) is like saying "a boxes" and demonstrates lack of clue. The correct term (if one can speak of correctness of slang) would be "a windows box" or "a couple of windows boxen".
I know that even when I was being paranoid about backups, I only backed up certain files daily and did a full ~ backup no more frequently than once a week.
Remember - part of the reason it hurts to lose ~ is because of the frequency of changes, not necessarily the size of the data. The importance of a data file is only extremely loosely related to its size.
Symantec and other anti-virus manufacturers would probably find it in their best interest to write viruses themselves. If they can figure out the newest, best ways of doing things, then they can heuristically detect viruses that use them, even if it's not the exact same virus.
In fact, they already do this and admit to it... if you read most virus reports (not the big ones, obviously), including this one, they say something like "occurrences in wild: 0". In this case, it's "0 - 49", which probably means "0" or "we slipped and it got on somebody's workstation for an hour".
If the viruses aren't being found in the wild, where do you think they're coming from? From their labs, of course - so they can study the techniques of virus authors. It doesn't require a conspiracy theory, just common sense.
In post-9/11 America, the CIA interrogates YOU!
To most people, there's no difference whatsoever.
To AV folks, a worm is just a particular subset of the class of viruses.
Klez, the number one virus today, is a worm. I haven't checked the numbers, but right now, I'm guessing that email accounts for 99% of virus (i.e., worm) transmission. And I'd guess that the majority of in-the-wild viruses today, are worms.
Not to dispute you.. well.. okay, to dispute you.
Klez is a virus, not a worm. By the definitions used by most techheads out there, a worm can infect your machine without you doing anything whatsoever. Klez, and other e-mail-borne viruses, require you to run an executable in some fashion (via opening an email, running an attachment, whatever). A worm doesn't need this; it uses exploits against your machine's network capabilities to get itself to run on your system. The Morris worm is probably the best known one, but there have been others. Code Red strikes me as probably the most recent worm. Etc..
Sorry, I just hate it when I see anyone refer to an email virus as a worm. It's not.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Actually, writing a virus on UNIX could be easy. I could think of a few ways to do it, although they would mostly require trojans (if you wanted to really keep things going without any privileges).
As for the fireman/dentist/antivirus argument?
Firemen HAVE been known to start fires. It is called munchausens(sp?)
Dentists have been known to encourage cavities. Heck, one invented cotton candy!
Of course, Firemen don't need fires, and fires HAPPEN!
Dentists don't need cavities, and cavities happen.
Antivirus companies NEED viruses, and they don't just happen.
As for antivirus software? It is interesting that it often gets written BEFORE the virus is really discovered.
I forget when the Vax rolled around, sometime in the early 80's. They got called "vaxen", and it spread at some point to boxen in general . .
hawk
hawk, shuddering at the notion of an 1802 compatible virus . . .
"Antivirus companies NEED viruses, and they don't just happen."
Before I started doing antivirus software, I ran one of the first data recovery companies, getting folks' data off hard drives that didn't work any more. I didn't NEED viruses. When they happened, I decided it was something I wanted to get into.
The first virus I saw (1987) was Brain (allegedly written in Pakistan, I have doubts about that). And it was A) interesting technically, and B) I guessed that this would become an increasing problem on PCs. Well, I was right, I wrote a great scanning engine (you expected modesty?) and we sold product to loads of people.
I remember, in the spring/summer of 1989, a few months went by without any viruses appearing. There was a chap in the AV world I used to gossip with, and we talked about this. Have they stopped? Is it all over? About a dozen viruses, and that's it? It didn't occur to me, and I don't think it occurred to him, to "help things along" by writing a few viruses.
Now, there's a few hundred each month.
Incidentally, there are a few Linux scanners; that's what I was using to identify the Win32 viruses that people were inadvertently emailing me. NAI (McAfee) does one (porting the engine to Unix was my initiative, back when I ran the company that carried my name), so does F-Prot, so does Sophos, so does Norman and there's probably others. Some of these might still be beta; contact the companies to get the latest info. I think at least some of them might be free. Again, check for yourself.
There might be some open-source scanners, but I don't know of any.
"As for antivirus software? It is interesting that it often gets written BEFORE the virus is really discovered. "
Would you care to give several examples of this, so that I can disagree? Because if you're correct, that's a very incriminating smoking gun, and worth taking to the police authorities of the country where it happened.
Of course, you aren't referring to heuristics, which aim to work in a semi-generic way, or to entirely generic software (such as change-detection). And I guess you aren't referring to the fact that a detector for W32.nastyvirus.a might also detect W32.nastyvirus.b and .c, although not .d, because the explanation for that is pretty obvious - the viruses are very similar.
Your statement seems to say that the detection for a specific virus is *often* written before that specific virus is discovered, and I'd like to hear some instances of this situation.
Because my opinion is that this has never happened.
There was a virus called 'Esperanto' which infected both Windows and Mac (pre-OSX). But I think it wasn't very widespread.
yep, nothing like a *nix box to break windows boxes. since crackers operate on a network, it makes sense to use a platform with a tcp/ip stack that works correctly.
Use "rpm --verify" on RedHat.
or wait... I think I have heard somebody call Linux a virus...
Isn't it strange that people call the anti-viruses viruses and the non viruses viruses?
www.openproliferation.org
But AV companies are still indirectly responsible for the persistence of viruses. Right now, everybody just buys Norton or Symantec. As a result, there is no pressure on companies like Microsoft to fix their operating systems, applications, and software distribution mechanisms. Why should they? Customers are considered "irresponsible" if they don't also shell out money for an AV subscription.
http://www.symantec.com/avcenter/venc/data/linux.simile.html
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Linux
Systems Not Affected: Windows, Microsoft IIS, Macintosh, Unix
windows xp supports full *nix sockets now, so it's just as cracker friendly.....
--fetch daddy's blue fright wig, i must be handsome when i release my rage
Except that most crackers like tools, like a remote-login-capable shell. XP doesn't have one of those...
Most of those viri are quite old, and they usually only screw with classic MacOS (if they are compatible with OS 9, which they might not be since many were designed for earlier versions of MacOS) ...or perhaps some Carbon apps.
Moreover, most Mac viri are dished out to those who pirate Mac software on IRC, Hotline, Carracho, etc. I've been a Mac user for many many years, and I've never received an email virus.
There are really only a handful of viri out there that can affect OS 9 and/or OS X. Most usually do not do that much, and it is almost as if you really have to go out of your way to get infected.
Within the past few years, development of Mac antivirus software has all but come to a full stop (anyone remember Disinfectant?... RIP). Norton AntiVirus is just about the only thing you can buy for virus protection on MacOS, and most sales go toward paranoid Mac users who really don't know any better. Furthermore, it seems to me as if the folks at Symantec now only cater toward killing lame little Apple scripts that Mac users make to screw with other Mac users.
Now I don't really want to get into the reasons why MacOS is more or less prone to viri. I think a lot of this is more sociological than technical. OS X might start to see the advent of more viri since it has been attracting a geekier crowd, but we will see.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
DMCA violation by M$ anyone? Mebbe we can roll the US gov in there too for not stopping Windows earlier - then watch how quick the DMCA drops from the books. ;)
Is the plural of campus "campii"? No. Of compus "compii"? No. Getting sick of seeing this. The plural of virus is viruses... not viri (there's no such word) or virii (again, no such word). The word "virus" in Latin is a mass noun and thus has no plural (in Latin) at all. If it did have a plural, it would have been "virus" (with a long u), because it is a noun of the 3rd declension. The English-language plural of virus is viruses... a fact any doctor, AV vendor, or even run-of-the-mill dictionary will confirm.
This is the second time a "must have root to infect" virus has been created.
Windows: Don't do something stupid like reading e-mail..
Unix: Be very careful not to strip your security bare naked and tattoo your butt with "Hack me crash me rip me dry"... You MIGHT get a virus.
Even if a user runs programs as root as a habit they wouldn't pick up e-mail that way.
Unix delivers e-mail to the user account.. only the user account could pick it up...
Unless you go out of your way to run everything as root and not have user accounts and set up your e-mail to always be delivered to root...
That would be the same as removing all the locks on your car and replacing the ignition with a switch..
That's pretty much what you have with Windows... You could have exactly the same thing with Linux if you want..
But there is a reason why IRC servers kick you off if you're running your client from root...
It's multiplatform for a reason... needs Windows to spread because it's not going to find enough Unix users in the world...
(Maybe two exist... gotta adjust for stupidity with sudden outbreaks of genius.. such as that needed to strip Unix so badly as to make a virus infection actually work)
After the first virus anti-virus companies promised us software for Linux...
The only reason the virus worked at all was a defective library asked users to run binaries as root.
I personally prefer to always download source code not binaries.. this is just one reason..
If Windows users did the same thing... and changed the e-mail client to one that doesn't download and run binaries automatically.. (anything not available from Microsoft) they too won't get viruses.
I don't actually exist.
And .NET is getting ported to other platforms...
When you are in Windows, your permissions on raw device access do not matter. The software running on windows has full access to all the hardware, all the partitions, and there is effectively nothing to stop any software from doing whatever it wants to a mounted FAT32 partition, or your unmounted Linux partition.
I haven't used it in a while, but in the past there was a suite of Win32 tools called the e2tools (I'm sure someone else can correct my memory) that would allow you, right from your DOS prompt, to look at any file on an ext2 partition. Set an environment variable, and then type e2ls /home/foo and it would happily display the contents of /home/foo the same as if you were booted into Linux and typing at a Bash prompt.
Could be done. Could be done pretty easily.
-Steve
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
How to Use the Remote Desktop Feature of Windows XP Professional (Q315328)
No, it's not SSH or rsh or rlogin, but it does give you the ability to remotely operate / admin a WinXP Pro box. I used to use a similar program from McAfee a few years ago called "Remote Desktop/32" that allowed me to manage all of my Windows NT HTTP/NNTP/SMTP & POP3 Servers when I ran a Seattle-based ISP several years ago - worked like a champ, with the only exception being that I had to do it across a dial-up connection...which made it fairly slow.
I'm sure that some hacker/code-monkey will try to exploit that soon, just to make Windows users angry and to make *nix look more secure than Win32...
ScottKin
I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
Hmm, and to infect a system you really have to run it as root, and of course the only people that would get affected by this is people that do everything as root; otherwise it only affects the user's files. And also, unlike Win, we have to actually choose to run the files :) The real threat to Linux boxes is script kiddies/root holes.
The package is called Ximian Evolution
Stu
The reason multiple Vax machines got called Vaxen was because the plural of 'ox' is 'oxen.' That's what I'd always heard.
Pope Felix the Scurrilous.
Computer Geek by day, religious Icon by night.