Win32/Linux Cross-Platform Virus
An Anonymous Coward writes "Symantec reports on the first virus to infect both ELF and PE binaries on Linux and Win32. "The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, uses two separate routines to carry out the infection on PE and ELF files. This variant of Simile shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.""
...not to be logged in as root. At least the typical Linux user can limit the damage this way.
If you read the source. I don't know about you, but I don't have time to go through everything I build with a fine tooth comb looking for nasties.
Grabbing source and make installing it is about the same as grabbing a binary, as far as security goes. You just don't know what's in there.
--
pants ahoy
I think that this was cooked up in Symantec's labs in order to scare people & possibly serve as an ad for their software, especially if they have a "solution" that runs on Linux.
While working to convince many of my friends and colleagues to give Linux a try, one of the most vexing hurdles I've come across is the following:
Me: "Dude, you should really try Linux! It's fast, it's free, it's really secure - and, best of all, you get all the source code, so you can see how it -really- works, and even contribute your own code, if you want."
Dude: "Is there antivirus software for Linux?"
Me: "Well, no - Linux doesn't have viruses, per se, so there's no need for antivirus software!"
Dude: "My bosses won't let us run any boxes which don't have antivirus software installed. Let me know when I can buy antivirus software for Linux."
So, now that we have virii on Linux, we'll soon have antivirus software, and I can show my friends yet another way in which Linux has caught up with Windows!
more and more Windows functions every day. Hopefully this new feature encourages some more switchover to Linux.
True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
Running ./configure can be just as bad if you aren't extremely careful. The monkey.org server was compromised last week, the security tools hosted on the site had backdoors placed into their configure scripts, and almost a thousand people were hit with it...
url: http://online.securityfocus.com/archive/1/274927
It is the first to use pretty much the same injection code routines for both, though. The previous virus I referenced had two separate infection routines for PE and ELF files.
Sinepaw.org: Grape Winos
Do you read over the entire source code for all of the apps you install?
You forgot to include "and completely understand" in the above quotation.
We all know (I'm sure) that the function of a routine isn't always obvious. And especially if someone is trying to hide a routine, the functionality could be made very un-obvious.
A complete source code audit for any major application would be far more labourious than any individual would have the time to undertake in most circumstances.
If you're a zombie and you know it, bite your friend!
Are you sure you can trust your compiler? http://www.acm.org/classics/sep95/
The more advanced the technology, the more open it is to primitive attack
[root@bigassopendomain /]./virus /]
"virus" requires the following dependancies
libinfect.so
libcrash.so
please check the path and filenames and try again
[root@bigassopendomain
forget it.
Well, looks like this does not affect those using Linux on PowerPC, Sun, or any of the other platforms supported.
On a lighter note, if this virus were open source it would compile to the other platforms. Someone should post a link to the Sourceforge page, with links to source tarballs as well as Debian and RPM packages.
No, you dumbass. That would be true if you were the only one who wants to install a program. However, it isn't so. YOU might not look in the code, but OTHERS do.
And why worry about downloading binaries? Even if you don't scan them for viruses, others do.
No crossing over to this platform
You mean viruses, or software in general?
at McAfee's website here
btw the linux version has been known about for a few weeks now according to their dates.
but anyways when the original variant came out in February they state...
The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b).
lots of info about what it actually does to windows machines there, but almost nothing about what it does on Linux
A virus needs to start somewhere. The code doesn't magically appear in your system. In order to get a virus on a Linux box, you need to download an infected binary (or the actual code and compile it) and then run it. Once you run it, it needs to search for another binary that it can infect (has write permissions to) and then modify it.
The reason that it's hard to infect a Linux (/Unix/anything with a decent permission structure) system is that hardly anyone runs daily activities as root and only updates their /bin, /usr/bin, etc binaries from a known source or from source code. If some user runs the virus, it will only be able to infect files that he has write permissions to and on most Linux boxes (at least the distro's I've seen), users aren't allowed to write to systemwide binaries.
The virus is "kinda neat" as far as its ability to infect multiple platforms and avoid detection, but is really "no big deal" to most systems out there. Windoze(tm) users get viruses sent through email (usually via worms) that self execute when they're opened. This infects files that they have write permission to (usually all of them since 9x boxes have no permission structure and most users on NT systems are run in the Administrator's group) and causes system havoc. Since no Linux mail readers that I know of will execute binaries without at least asking, the user would have to specifically download the binary and run it. At that point, all I have to say is "duh".
So how do you infect your Linux box? On purpose... with a lot of effort. How does this affect the rest of us?
*pause* *giggles* </Bubbles>
--
Mike Nugent
-- Mike wildcard@illuminatus.org
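The comment above argues that a file infector running as an ordinary user can only touch executables that user may write to. The following script is an added example (not from the thread or any AV vendor) that audits a set of directories the way that argument implies: it applies the Unix owner/group/other write check to every executable and reports which ones a given uid could overwrite. The demo tree, file names and the "stranger" uid are constructed for the demo; the audit assumes a Linux-style permission model.

```python
import os
import stat
import tempfile

# Constructed demo tree (not from the thread): three files owned by the
# current user, with deliberately different mode bits.
DEMO_FILES = {
    "ls": 0o755,            # typical system binary: only the owner may write
    "shared_tool": 0o777,   # sloppy install: world-writable executable
    "notes.txt": 0o666,     # writable data file, but not executable
}

def mode_allows_write(st, uid, gids):
    """Classic Unix write check: the owner class is consulted first, then the
    group class, then 'other'. Root (uid 0) is assumed to bypass mode bits,
    as it does on Linux."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def is_executable(st):
    """Regular file with at least one execute bit set (symlinks are skipped)."""
    return stat.S_ISREG(st.st_mode) and bool(
        st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def writable_executables(dirs, uid, gids=()):
    """Sorted paths of executables under `dirs` that the identity (uid, gids)
    could overwrite, i.e. what a file infector running as that user could
    actually modify."""
    found = []
    for d in dirs:
        for name in os.listdir(d):
            path = os.path.join(d, name)
            st = os.lstat(path)
            if is_executable(st) and mode_allows_write(st, uid, gids):
                found.append(path)
    return sorted(found)

def build_demo_tree():
    """Create the constructed demo directory and return its path."""
    root = tempfile.mkdtemp(prefix="peelf_demo_")
    for name, mode in DEMO_FILES.items():
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(path, mode)
    return root

def demo_report():
    """Compare what the owning user could infect with what an unrelated user could."""
    root = build_demo_tree()
    owner = os.stat(root).st_uid
    stranger = owner + 1000   # constructed uid that owns nothing in the tree
    return {
        "owner": [os.path.basename(p) for p in writable_executables([root], owner)],
        "other": [os.path.basename(p) for p in writable_executables([root], stranger)],
    }

if __name__ == "__main__":
    print(demo_report())
```

Run against real `PATH` directories with the uid of an unprivileged account, the same report shows which system binaries that account could infect without ever being root.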
My Linux/Windows boxes have been virus free because I'm not retarded enough to "Click here for sexy virgins!"
This one is not sexually transmitted.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
Now.. if only we could get those same brilliant minds working on a compiler that produces a single executable that works on both platforms, and shares as much code as possible.
Usually when a company releases a software package, it comes out on Windows first. Those running Linux usually have to wait a few months for a Linux port to be released, if it ever does at all.
I praise this virus writer for releasing Windows and Linux versions of the software simultaneously. If only other companies would follow their lead.
"People that quote themselves in their signatures bother me" - athakur999
...there's a group of people trying to get Windows-only virii to run via wine to see if they can get faster infection times under Linux.
A lot of people have said Linux has fewer viruses than Windows only because Linux isn't as widely used... Well, this is the chance to do some comparisons. How devastating is the cross-platform virus to each system, and how fast does it spread on each?
Also note that it's a virus, not a security hole or flaw in the system - this doesn't make Linux less secure like a Melissa-type problem that takes advantage of holes made by one company's stupid software bundling decisions.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
A hybrid virus could have its own filesystem code, and thereby infect say a linux partition on a dual-boot machine that is currently booted in windows, or vice-versa. The real killer here would be that your regular user-ID based security wouldn't help at all. While running in windows, the virus would have unlimited access to the linux-partition, enabling it to infect linux binaries it otherwise would only have been able to touch when run as root. And while running in linux, it could infect binaries on a FAT partition without having to worry about the virus-checker getting in the way. In fact, it could easily infect or replace the virus-checker itself.
> Compiling all my apps from source removes worries about this kinda thing ;)
Not hardly. Look at how something like Klez works... it can infect a system through vulnerabilities in Web browsers if you check your e-mail through a Web interface. It's only a matter of time until viruses and worms with similar abilities move to Linux and OS X. The only reason they haven't done so yet isn't superior security, it's the fact that Windows systems are the best targets since there are so many. Why infect a few Linux boxen when you can infect tens or hundreds of thousands of Windows machines with the same effort?
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
I don't know about you, but I don't have time to go through everything I build with a fine tooth comb looking for nasties.
I don't either, but the mere fact that the source code is available makes the author trustworthy in my opinion. The mindset of OSS developers is to help out and show off (I should know, as I am one). The last thing a free software author would ever do is try to compromise your system. Especially if you're trying to build a reputation, why ruin it? Do you honestly think, for example, that David Faure of KDE would put something harmful into the next release? Or Linus would try to slip something devastating into the kernel? I would bet money this would never happen.
These developers work their asses off for the community and keep their code open. No need for me to personally read any of it. They already get 10x my trust by their actions.
Compiling all my apps from source removes worries about this kinda thing ;)
;)
In case you were wondering, he's posting from a machine running the Linux kernel, version 1.1, which he just recently finished checking.
In a bitter case of irony, I screwed with his compiler to make that kernel bundle in a trojan.
This seems more like a proof of concept to me than a real virus. Especially since the author specifically emailed the virus to anti-virus labs, it's more like: See, it *can* be done.
:)
Of course, you could expect that. Basically, a virus relies on just one thing: privileges. Privileges means the possibility to mess other programs up. And because there are so many Windows viruses compared to other OSes, it's easy to see Windows handles rights... differently... than a secure OS.
I don't think Linux, or UNIX viruses in general, will become a real threat. As long as you use your brain and don't do everything as root (as about every guide warns you against anyway), you'd be rather safe. Can't mess up stuff without the rights to do so.
Old but never say never
A buffer overflow vulnerability exists in the popular mail client Pine 4.21 (and possibly earlier versions), relating to the function which regularly checks for incoming email.
The real concern here is that this requires no user interaction to exploit... a target need only be using a vulnerable version of pine. The overflow occurs when the user receives new email. While typically not yielding root privileges (unless root reads email with pine AS root) this can be used by a remote, anonymous attacker to gain local access to the target host.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Now that's really some good thinkin' there. Completely bypasses all your security because you're not running any of it. Take it a step further, a virus that infects and spreads on Windoze, where it's easy to do, but finds Linux partitions, roots them and installs its own backdoors and so forth.
Kinda scary. Next time you're in linux, it connects to somewhere over the net telling the author another box has been rooted and voila, he ownz you.
Kinda a good reason not to run Windows in dual boot mode I'd say.
There's some preemptive stuff you can do with this though... Have a kernel module (possibly compiled in) that checksums all your major binaries before booting and warns you when they've changed. Of course, the virus has total kernel access too, so this may not be effective if the author planned for it.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
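The comment above proposes checksumming major binaries and warning when they change. This is an added example (not from the thread) of the user-space version of that idea: snapshot SHA-256 hashes of a directory tree, then diff a later snapshot against it to list changed, added and removed files. The fake bin directory, file contents and the tampering step are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(dirs):
    """Map every regular file under `dirs` (recursively) to its SHA-256.
    Symlinks are skipped so a swapped link cannot stand in for its target."""
    baseline = {}
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                baseline[path] = sha256_file(path)
    return baseline

def compare(baseline, current):
    """Report files that changed, appeared or vanished since the baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}

def demo():
    """Constructed scenario: snapshot a fake bin directory, then alter one
    file and drop a new one, the way a file infector would."""
    root = tempfile.mkdtemp(prefix="bindir_")
    for name in ("ls", "ps", "df"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\x7fELF original " + name.encode())
    baseline = build_baseline([root])
    # In real use the baseline goes to read-only or off-host storage;
    # here it is serialised to JSON and kept in memory.
    saved = json.dumps(baseline)

    with open(os.path.join(root, "ps"), "ab") as f:
        f.write(b" tampered")                  # modified existing binary
    with open(os.path.join(root, "dropper"), "wb") as f:
        f.write(b"new file")                   # file that was not there before

    report = compare(json.loads(saved), build_baseline([root]))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

As the comment notes, a checker that runs on the same kernel the attacker controls can be lied to, so the baseline and the check itself should live on media the running system cannot rewrite.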
The short answer is no. The longer answer is given below.
::laughs hysterically:: We barely had time to post on alt.comp.virus in Usenet.
First, I'll explain who I am. I'm Alan Solomon, I'm a programmer, I designed and coded the engine in Dr Solomon's Antivirus, that engine is now also used in the McAfee (Network Associates) scanner (although I'm sure that by now it's somewhat different from the engine I wrote).
I worked in the AV world from 1988 to 1998. I'm doing other stuff now, I don't have any ownership in any antivirus companies. Also, caveat, I've been out of this business for a few years, so my knowledge-state isn't current. And, of course, I really can only speak for myself, and the company that bore my name. I can't really speak for other companies.
I used to get asked "Do antivirus companies write viruses?" a lot. It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay. However, I always tried to contain my irritation at the insult (on account of my guess that most people asking me this, don't realise it's an insult) and the answer is "No."
1. It's unethical. But I guess if you believe that the antivirus folks are a bunch of unethical scroats, that's not a very convincing reason. Actually, the technical folks in the AV industry have to be *very* ethical. Because unethical ones tend not to be accepted by the consensus, and thereby lose a crucial source of information exchange.
2. It's illegal (actually criminal, virus authors have been put in prison for this. Chris Pile (the "Black Baron") got 18 months, for example). And you can get caught (ask Pile). If you think a company could ask a programmer to write a virus, and hope that no-one else in the company would know about this, and that there's no risk of jail - think again. You have to be *really stupid* to write a virus when you're not able to guarantee anonymity. Of course, you have to be pretty stupid to write a virus at all. By the way, 99% of the viruses that I analysed were really crudely made; some didn't even work at all.
3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.
4. It takes too long. I'd estimate that the Simile virus, as described, took months and months to develop. It took McAfee two weeks to do the detector; Symantec about the same. So, if the AV companies had to write the viruses as well as do the Antivirus, they'd need 10 or 20 times as many programmers. And you'd have to keep that lot a deadly secret, of course.
You can't imagine what it's like in a virus lab. There's N new viruses per month, where N isn't a fixed number. And there's M people to do the analysis and coding, and M is never enough. It was like being on a treadmill, and you know that the treadmill is getting faster all the time. Write new viruses?
So why do antivirus companies sometimes see viruses before any users? Simple. The virus authors send them. The first time this happened was over a decade ago; it surprised me then. And we thought it through at that time. Do we just delete it, and pretend it didn't happen? If you've been sent a virus, and you think you're the only person in the world who has a copy of that virus, you can destroy it, and the world has one virus less. But if there's a chance that the virus author has, or will, release it in the wild, you have to build detection for that virus.
Also, you have to give a copy to the other antivirus companies. Because we programmers made an agreement between ourselves that we wouldn't force users to buy three different products to detect three different viruses, that we wouldn't compete on the basis of "we can detect X virus and no-one else can". We'll compete on price, speed, accuracy, tech support, etc etc, but not by restriction of virus samples between trustworthy AV companies.
So, once the virus author gives it to one AV company, all the AV companies have a sample (shortly after) and that virus might not be in the wild, and might never get into the wild. But you can't be sure. For this virus, we read that the virus author sent it to 14 AV companies.
There's a separation in AV companies between the programmers, who do the virus analysis and coding, and the marketroids, who do the, uh, marketing. The marketroids are constantly trying to persuade people to buy AV software, the programmers constantly trying to hold them in some degree of responsible check. The programmers do have a degree of control, via mechanisms that we put in place a decade ago, but it's impossible to persuade anyone that when a new and technically interesting virus comes along, that people should not be told. You really can't, and shouldn't, try to keep a new and technically interesting virus, a secret. Of course, then the media get their paws on it, and blow up a scarestorm. How do we stop that? I don't think we can.
I haven't seen or analysed this virus, but from what I've read, it does look A) technically interesting, and B) a complete pig to design detection for (detection means, you always spot the virus when it's there, and you never give a false alarm when it isn't). This virus is technically interesting because it's cross-platform. And it's a complete pig to detect because B.1) it's polymorphic, meaning if you put several samples side by side, there isn't any byte-string that you can be sure will be in all of them, B.2) it's metamorphic (meaning, it's horribly horribly polymorphic, even after you decrypt it you don't have any constant byte-string) and B.3) entry-point obfuscation (which means you don't even know where to start looking for the virus, all you know is that it might be somewhere in the file).
The fact that the AVERT folks (McAfee) have admitted that this one virus will cause "a slight performance decrease" in the virus scanner, means that this is a significant virus; pretty much every virus causes a near-zero impact on scanning speed. I'd guess that "ActiveDAT technology" means "we've encoded some executable code in the DAT file which the scanner will run". In other words, they had to write a subroutine specifically for this virus.
That's something that you don't expect to do more than once every couple of years or so.
Next - can viruses infect Unix, despite the unix security system?
Yes.
First, I'd point out that Fred Cohen's doctoral thesis on viruses in 1986, was done using unix boxes. Viruses do not break system security. They infect wherever the system security allows them to, and that's sufficient for them to spread. I'm not expecting a sudden wave of infections on Linux boxes, but please don't think that viruses cannot work on Linux.
One problem is that the distinction between an executable and a data file is very grey. Try this simple experiment. Take a simple perl script, test.pl, and change the permissions to 400. Now try to run it. Unix security stops you. Now try running "perl test.pl", and it will run fine.
And think about macros in documents. They will run even though the document has non-executable permissions.
See, it doesn't matter that you can't infect ls or ps or df. All it takes is for you to be able to infect your own user-written stuff.
And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.
OK, so now we've established that you can infect your own software, let's consider damage. A Linux virus will be prevented from deleting the system files, or from formatting the hard disk, by the system. But since it's running with the same privilege that I (as an ordinary user) have, it has the same read, write and delete access to my data files that I have. And, of course, my data files are the only files with real value on the computer. The Linux system itself can be reinstalled in minutes.
I've gone on too long already. I better stop before I write another book.
..we would have some way to spread the virus on linux :)
Time travel is possible. We are quickly heading for 1984.
Like patch Outlook, IE and IIS? Change all the settings on Outlook and grey out the checkboxes with the registry settings so the moron users won't set it back to use Word as your mail reader... (and can we please disable that damned Out of Office Assistant?)
99.997% of all virii spread because the virus writers know that the end users are dumb as a box of rocks... hell, how many times have we had email-spread viruses, and people STILL open attachments without a thought... (Wow, Dave's sending me nude pictures of his wife again!)
The only way to stop virus attacks is to either kill all the users (I wish!) or disable the dangerous options in the software they are using.
only then will we stop the virus problems.
Do not look at laser with remaining good eye.
Grabbing source and make installing it is about the same as grabbing a binary, as far as security goes. You just don't know what's in there.
True for round one. Most everybody.
Round two. There's always somebody that's gotta do things differently, and the nasty runs into some kind of incompatibility. A few paranoid souls run diff on previous versions. Any hint of something nasty and the nasty gets a swarm of unwanted attention.
Round three. However it happened, somebody is gonna make pretty damn sure it doesn't happen again, kinda embarrassing.
It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay.
True story: My dentist, when I was a kid, would give out lollipops. Pure sugar, artificially-colored, decay-inducing lollipops. Swear to God.
Also: More than one fire department has been caught setting fires to put out. (It's especially prevalent among volunteer fire departments, which are often composed of people who enjoy playing with fires.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way