First IA64 Windows Virus Released
NinjaPablo writes "W64.RugRat.3344 has been released as a proof of concept virus. It is the first virus which will only run on Windows on the IA64 platform, and uses APIs from 3 native DLLs to avoid crashing applications. It infects files that are in the same folder as the virus and in all subfolders. The author of the virus has also written other concept virii in the past."
Here's to a long and fruitful future for Win64 viruses...
I for one, welcome our new IA64 Win32 Script Kiddy overlords.
Now we hunt him down and execute him, right?
1) The virus uses native DLLs - it should've used .NET managed code to avoid common memory leaks and other mistakes
2) The virus does not run on 32-bit platform - so no chance of getting "Windows XP Compatible" logo.
3) The virus does not take advantage of the latest Longhorn, Avalon and Indigo features.
Overall, the work is impressive, but I am waiting for more robust and efficient viruses.
I'm surprised that this tiresome topic wasn't raised before the third post.
Iii neverii getii anyii virii. Itii mustii beii painfulii toii runii windowii.
that 64 bit viruses are twice as powerful as 32-bit ones?
guns kill people like spoons make Rosie O'Donnell fat.
Argh.
To try to stall everyone's almost certain flamewars regarding the correct plural form of virus, let me propose a new word.
Virusesii.
There, now everyone can use it, okay?
IA64 Windows was the first. (Someone had to say it)
a hole in the "people write virii for it because it's the biggest target" argument for the proliferation of Windows virii?
That which does not kill her only prolongs my agony.
Yes! You're no longer limited to slowing your computer by simulating an architecture you don't have--you can run their viruses, too!
So what are the legal implications of writing viruses?
Could the DMCA be evoked in such a case?
Or is it only illegal when they are executed and allowed to spread to the wild?
Just some questions.
Feel free to respond, thanks.
Then that 64 bit OS might actually get out the door sometime this decade.
We should have him executed, and collect the $1million+ he's worth.
Virus researchers have just announced that they developed a proof-of-concept virus that can spread on a 256-bit operating system that has yet to be designed.
According to a spokesperson who did not wish to be identified, this was the most infectious virus he had seen in the twenty years of his career and had also proved to be the worst to remove. He also recommended that all users immediately buy the latest version of Anti-Virus-Sponge-Sentinel, which would mop up all traces of the virus before it reached the system.
I apologize for my horrid use of the word 'virii', and accept the standard and proper word, 'viruses'.
Must not have had enough coffee when I submitted that...
This looks pretty oldschool... no stupid RPC nonsense or VBScript, it's a virus that infects other programs, and is spread by copying infected executables around. Just like the old days with MS-DOS viruses passed around on BBSes.
Incidentally, you could probably limit your vulnerability if the program was installed by an Administrator but only run by users without write permission, or if you removed write permission from programs that you run in your own folders.
The really cool thing is that it's written in IA64 assembly code. That sounds like quite an impressive feat. From what I hear that is far worse even than the PPC64 assembly code I usually write.
Linguistic evolution is an ongoing process which can't be controlled by an "official" standard for a word. Virii is the next step in this evolution, like it or not. You should find a job with the Quebec language police... who enforce a variant of French that has many "incorrect" features in comparison to "real" French. Neither variant is less legitimate than the other, or Cajun French for that matter. I suppose Chaucer's English should still exist. It doesn't. Get over it.
Read the details, there's nothing special to see here. This isn't a worm, it doesn't gain root/admin access and it doesn't exploit any vulnerabilities of the platform. It requires "direct execution" (i.e. the user has to run it manually). It's just a good old fashioned virus that inserts code into an exe. The proof of concept is that Windows leaves exes writable by default. You can prevent it by not making your application folders writable from userland, which is what any good admin should be doing anyway.
"The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section and a random number of bytes are appended to the end of the virus body."
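The quoted description gives enough to write a header-level check for this kind of appended-code infector. The following is an added example (not code from the original thread, from the virus author, or from any anti-virus vendor): a small PE32+ header parser plus a heuristic that flags the three traits the writeup describes, an executable last section, an entry point that lands inside it, and bytes trailing the last section. Both sample files are constructed in the block; the section names, sizes and the NOP-byte stand-in for the "virus body" are assumptions, not real samples.

```python
"""Heuristic check for appended-code infectors in PE32+ files (added example)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_MACHINE_IA64 = 0x0200
PE32PLUS_MAGIC = 0x20B
FILE_ALIGN = 0x200


def parse_pe(data):
    """Return machine type, entry point RVA and the section table of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)          # COFF file header
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ (64-bit) image")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsec):                        # 40-byte section headers
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def analyse(data):
    """Return a list of findings about the last section; empty means clean."""
    pe = parse_pe(data)
    last = pe["sections"][-1]
    findings = []
    span = max(last["vsize"], last["rawsize"])
    if last["va"] <= pe["entry_rva"] < last["va"] + span:
        findings.append(f"entry point lies inside the last section ({last['name']})")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        if not last["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("last section is executable but not marked as code")
        if last["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("last section is both writable and executable")
    end = max(s["rawptr"] + s["rawsize"] for s in pe["sections"])
    if len(data) > end:
        findings.append(f"{len(data) - end} bytes trail the last section")
    return findings


def build_pe(sections, entry_rva, overlay=b""):
    """Build a minimal PE32+ file from (name, rva, characteristics, payload) tuples."""
    opt = bytearray(240)                         # PE32+ optional header, mostly zero
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    e_lfanew = 0x40
    hdr_len = e_lfanew + 4 + 20 + len(opt) + 40 * len(sections)
    raw_base = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    hdr = bytearray(raw_base)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, IMAGE_FILE_MACHINE_IA64,
                     len(sections), 0, 0, 0, len(opt), 0x22)
    hdr[e_lfanew + 24:e_lfanew + 24 + len(opt)] = opt
    body, ptr = bytearray(), raw_base
    for i, (name, va, chars, payload) in enumerate(sections):
        rawsize = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        struct.pack_into("<8sIIIIIIHHI", hdr, e_lfanew + 24 + len(opt) + 40 * i,
                         name.encode().ljust(8, b"\0"), len(payload), va,
                         rawsize, ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(rawsize, b"\0")
        ptr += rawsize
    return bytes(hdr) + bytes(body) + overlay


TEXT = (".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
        | IMAGE_SCN_MEM_READ, b"\xc3" * 64)
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean file: code in .text, entry point at its start, plain data last.
CLEAN = build_pe([TEXT, (".data", 0x2000, DATA_RW, b"\0" * 64)], 0x1000)

# Constructed "infected" file: last section made executable, a NOP stand-in body
# (not real virus code) placed after the original data, entry point moved onto
# it, and trailing padding appended, mirroring the quoted description.
INFECTED = build_pe(
    [TEXT, (".data", 0x2000, DATA_RW | IMAGE_SCN_MEM_EXECUTE,
            b"\0" * 64 + b"\x90" * 200)],
    0x2000 + 64, overlay=b"\xaa" * 37)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, analyse(blob) or ["no findings"])
```

Treat the output as a triage hint, not a verdict: runtime packers and some installers also put the entry point in the last section or carry an overlay, so a hit deserves a look, not an automatic quarantine. The real value is the inverse: a 64-bit binary whose last section is data-only and whose entry point is in a code section cannot have been touched by an infector that works the way the writeup describes.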
Showing that you can write viruses for 64-bit system?
Oh my god, I would never have thought that was possible! How can it be!? Mind boggling indeed! But it's great virus writers develop concept viruses to show us that these amazing tasks that were previously thought impossible can actually be done!!
Don't say something like that. You're going to start an endless thread of "Back in my days we used [ancient technology] and liked it" ... "Yes, but when I was young, we used [even more ancient technology]!"
I'm still waiting for the fabled Open Source Cross Platform Virus that can be delivered to all mail systems. Sure, it requires the recipient to uncompress and compile the virus, but it can hit ALL platforms.
I know what ING means. What does shrug mean?
"l33+5p34k" is not acceptable and should not carry over into the official language just because a bunch of basement dwelling morons think so.
You're right, there's no such word as "virii." There are also no such words as "boxen," "*nix," "sysadmin," "interweb," and "teevee." "Awesome" means "awe-inspiring," "cool" refers to a temperature, "radical" is what we call a nutjob, and, to my knowledge, no one has ever gotten "jiggy" with anything. Purists would even say that using "google" as a verb is wrong. These are the same people who had a problem with "surfing" the "web."
It's called slang, and it's evolving and changing all the time. Were these people to use "virii" in an official capacity, such as in a company-wide memo, or an academic paper, there would be a problem. But this is Slashdot, for crying out loud. Get over yourself and have a little fun.
Actually, it is a Latin phrase which means "You are a fucking moron".
Nah, it's a historical critique of the military strategy of Richard the Third.
The release is followed by a proof of concept jail sentence ;)
Of course I'm referring to the total number of Itanium users out there.
Sure. Next you'll tell me that the plural of box isn't boxen. It has to be. English is a totally consistent language and the plural of VAX is VAXen.
It is well known that the pluralizing of nouns in English is well defined:
ouse -> ice.
eg. house -> hice.
ata -> atabase.
eg. data -> database.
ink -> egnancy.
eg. drink -> pregnancy.
That one is a little tricky because it requires a change in the base word.
outer -> 0,000
cisco router -> $450,000
See previous example.
Just a thought.
Boxen is annoying too. It's fucking boxii.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
W64.Rugrat is a fairly simple proof-of-concept virus. However, it is the first known virus to attack 64-bit Windows executables on IA64 systems intentionally, and it does so successfully. The virus uses a handful of Win64 APIs from 3 different libraries, NTDLL.DLL, SFC_OS.DLL and KERNEL32 respectively.
From NTDLL.DLL the virus uses the following three functions: LdrGetDllHandle(), RtlAddVectoredExceptionHandler() and RtlRemoveVectoredExceptionHandler(). The virus supports vectored exception handling to avoid crashing during infections.
Yes, the virus uses three DLLs. It also uses a routine to avoid crashing itself while infecting the machine... it does not look like the virus cares about crashing other applications.
The thing to pay attention to here is that this is a fault tolerant virus. I have seen more and more effort lately (Sasser for example avoids shutdowns to help it propagate) from authors trying to make their creation survive.
indeed. Richard Of York Gave Battle In Vain.
presumably trying to fight for Windows' security is also in vain.
"radical" is what we call a nutjob
A nutjob might be radical to you and those who use the fake word 'virii'.
To those who use the word 'viruses', getting a nutjob is commonplace. Women really like a man who can speak English properly.
Evolution indeed. As Darwin would say, once there was a virus, then it started reproducing, evolving, mutating, whatever you want to call it. The result? A number of viruses here, a number of virii there...
We need a "-1, Pedantic" moderation category.
And why is it a shock that a virus can be written for either?
When palladium comes out and someone writes a virus that can escape its sandbox, infect executables (which I'd imagine would involve resigning them) and spread, I'll be impressed.
The plural of penis ought to be penes, if you were sticking to Latin plurals. Fortunately we aren't, and it isn't.
roy g biv is the author of the worm, and is a member of the 29A VX group. The group has been responsible for Donut (first .NET virus), Winux (the first virus to infect both Linux ELF binaries and Windows executables), as well as a few others of notoriety.
29A is probably the most elite malware group out there.
Of course, languages never evolve over time.
aha! So that's what delayed the release of windows for amd64: it was not compatible with old viruses. Now that this obstacle has been overcome, how long until the release?
What about spending your time convincing people of more important issues like [insert anything else here]?
"Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched."
someone must have mistyped that from this...
"Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if a certain browser's vulnerabilities are not patched.
Just like hacker doesn't (only) mean hacker anymore but (also) means cracker. So stop the moaning about it, that's how language works, as the parent explained.
Boxii is the gimp kid from BSG with the robot dog.
I am the walrus, we are the walrii
I would like to protest that although this is technically a 64-bit virus, it does not run on the more common and widely accepted Powermac G5, instead choosing to support only a badly kludged extended win32 API.
Does anyone know of a 64-bit version of Bochs or VirtualPC which would let me run this new and interesting piece of code in emulation?
Socially inept nerds making up (what they think to be) cool-sounding plural forms does not count as a valid step in the evolution of the English language. The plural for "virus" existed long before computers did, and there is absolutely no reason to change it when it refers to a computer virus. You can use the word "virii" if you want, but don't be surprised when people think that you're a fucking retard for doing so.
Okay, just to collect all of the Microsoft trolls in one thread:
How can Windows ever be secure when exploits are released before the OS is available?!
It seems to me that Microsoft can't design a secure OS. After talking about security for more than 2 years, their latest incarnation is even less secure on its release date than Windows 95!
Microsoft: the Day Zero Exploit(tm) company
A beowulf cluster of boxii is boxiiii. Maybe boxiv for short.
To all those saying that a proof-of-concept virus is still a virus and that this guy is doing a disservice to the world by writing one, I'd like to give an alternate way of viewing it. Writing proof of concepts that aren't spread in the wild (like the other viruses mentioned in the second link) help anti-virus groups in advancing knowledge on current/new techniques that may not have been known about or considered in the past.
IANAVWOAVG, though (I Am Not A Virus Writer Or Anti-Virus Guy)
Um, no.
It's 'Boxi' -- second declension plural as follows:
N: boxi
G: boxorum
D: boxis
Ac: boxum
Ab: boxis
Eunuch boxum Unix laudat.
("The eunuch praises Unix boxes.")
Something like that.
No, I'm pretty sure it's some other acronym... I just haven't figured it out yet.
/presumably?
In order to continue using virii, I shall now spell virus as virius.
Damn windows virius.
People seem to be missing a major point here. This file doesn't do anything fancy, it just reads files and 'infects them'. There are no indications that this 'virus' is bypassing any kind of system security.
From the article:
"The SfcIsFileProtected() function of SFC_OS.DLL is used to avoid infecting executables that are protected by SFC (the System File Checker)."
Any sensible XP64 installation would not allow system files to be write accessible to anyone but the Administrator.
It's as if I wrote a c program that used fopen() and write() to destroy files, then declared I wrote a virus for linux. Whoo hoo.
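Both this comment and the earlier one about not leaving application folders writable from userland come down to one condition: an infector that only opens files for writing gets nowhere when the executables in and below its starting folder are not writable by the account that ran it. The block below is an added example, not code from the original thread, that scans a tree for executables still carrying a write bit and strips them; the sample directory layout, the file names and the extension list are assumptions, built in a temporary directory so the check runs offline. On Windows the authoritative check is the ACL (icacls or Get-Acl); this uses portable mode bits, which on Windows correspond to the read-only attribute.

```python
"""Find and fix user-writable executables under a folder tree (added example)."""
import os
import shutil
import stat
import tempfile

# Assumed set of extensions worth protecting; extend for your environment.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".cpl", ".sys")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def writable_executables(root):
    """Executables under root and all subfolders that carry any write bit,
    returned as paths relative to root with '/' separators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXEC_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & WRITE_BITS:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def harden(root):
    """Clear the write bits on every executable found; return what changed."""
    changed = []
    for rel in writable_executables(root):
        path = os.path.join(root, rel)
        os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)
        changed.append(rel)
    return changed


def make_sample_tree(root):
    """Constructed layout: a read-only program, a writable plugin, a text file."""
    os.makedirs(os.path.join(root, "app", "plugins"))
    app = os.path.join(root, "app", "app.exe")
    with open(app, "wb") as f:
        f.write(b"MZ")                     # placeholder contents, not a real binary
    os.chmod(app, 0o555)                   # installed by an admin, read-only to users
    with open(os.path.join(root, "app", "plugins", "helper.dll"), "wb") as f:
        f.write(b"MZ")                     # left writable: what the infector needs
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not code\n")              # ignored: not an executable extension


def demo():
    """Build the sample tree, scan, harden, rescan; return (before, after)."""
    root = tempfile.mkdtemp()
    try:
        make_sample_tree(root)
        before = writable_executables(root)
        harden(root)
        after = writable_executables(root)
    finally:
        for dirpath, _dirs, files in os.walk(root):   # restore bits so cleanup works
            for name in files:
                os.chmod(os.path.join(dirpath, name), 0o644)
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("writable before hardening:", before)
    print("writable after hardening:", after)
```

Run it against a real program directory as the user who launches the programs, not as Administrator, since the question is what that account can overwrite; anything the scan reports is a file the infector described in this thread could have written into.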
if you knew absolutely anything about language, you'd know that there is no wrong or right, just understandable or not understandable.
just because a word is not in a dictionary, it doesn't mean that it doesn't exist. if your view of language was right then language wouldn't have existed before dictionaries were invented and new words would never be formed.
i'm on a little crusade of my own to stomp out pedantic assholes like you who feel the need to dictate to everyone else how they should use language.
this comment isn't informative, it's moronic.
Nah, it's obviously a nod to Paranoia, the old RPG game...
"Of course the computer is my friend, why do you ask?"
Moderators: with your help, we can wipe out "virii" in our lifetime!
Nope, you can't wipe out the word "virii". It just keeps spreading. As soon as one guy uses it around his two friends, it spreads to them. Then they each use the word around two other friends, who catch it. At this point it stops for a while, since those seven geeks don't have any other friends. But then one of them posts it online, and it spreads to hundreds of others.
Despite your efforts to stop it, the word "virii" will continue to spread to more and more people, like some sort of computer "worm".
Actually language is simply what people use to communicate verbally and in writing and is defined by said usage.
What determines what is a word is NOT some definition of correctness. Usage is what defines the language. So if enough people were to use virii as the plural of virus it would be so.
This is pretty much a summation of the statement a language expert and senior editor of a well-known dictionary (whose name escapes me) made during an NPR interview a few months ago.
I'm sure if you looked around you could find plenty of examples of words that started out as manipulations by a subset of the population that gained popularity and are now considered regular English.
'Hacker', for example, is one such word twice over at least. It started as a reference to people who used hand axes to make furniture.
Now look where that word is used.
Not really true -- "boxen" is more obviously a joke / play on words, whereas writing "virii" just makes you look ignorant. "Virii" is written like "radii" but while "radius" is a real word, "virius" is not.
Actually, 64-bit Windows XP is already out there and available for purchase, but only for the IA64 architecture (itanium) - support for AMD's 64 bit chips is still in beta (although relatively stable, from what I hear).
A pendant is jewelry. You meant pedant, which is what I am being by responding. Like virii, your use of pendant is wrong. Not slang, just wrong.
If I referred to your sentence as "high-falutin'," that is slang. If I referred to it as "retartid," that is simply an incorrect spelling.
The English language isn't evolving new Latin-esque plurals. It's not slang. It's just ignorant pretension, which is the worst kind of pretension.
no dowt you can figur aut what this sentance is ment to meen two but that doesnt meen its not ridled with tyops. It's irritating to have to translate someone's text into English before I can read it (more accurately as I read it). If you want to communicate you should make every reasonable effort to achieve correctness of language. If you want to argue the descriptive-vs-prescriptive nature of dictionaries then feel free to substitute the word 'consistency' for 'correctness'. That is consistency with others, not self-consistency. 'Virii' has nowhere near enough support to be considered a meaningful word.
Using a word to annoy people is not a pleasant behaviour whether or not you agree with them on this one issue.
More descriptive? At best 'virii' carries the same meaning as 'viruses'. At worst it carries no meaning. 'Viruses' follows standard English rules of pluralisation - again, if you object to prescriptive language feel free to substitute the word 'conventions' for 'rules' - so that anyone who knows the word 'virus' can discern its meaning. 'Virii' follows no standard rule, not even the imaginary Latin rule that spawned it.
Of course it does, because that version ('viri', not 'virii') at least sounds like it could be a real word like in the common Latin '-us' becomes '-i' rule (note that this isn't a general rule for Latin words; see elsewhere for where this perception comes from).
Why is anything anything?
I was merely trying to make the point that there are no secure OSes if you consider a single exploit sufficient to disqualify one, as you were.
I'm not going to attempt to refute all of your arguments (and perhaps I can't anyway), but I think your analysis lacks a bit of perspective as well.
For example, IBM's mainframes for most of their existence were not connected to anything outside of IBM, so if there were buffer overruns etc., they could not be exploited. Even today, it's likely that most mainframes are not directly connected to the Internet but are on a private net within an organization. In addition, knowledge of the architecture of a mainframe is more obscure and thus it takes more effort to exploit any holes. Finally, the administration of mainframes is performed more carefully than the average Windows box (or Linux box, for that matter).
The bottom line is that you can't just talk about relative numbers of exploits, you have to take the entire environment and history into account to determine relative security or quality.
Surely if MS had been willing to throw away backward compatibility and make Windows as hard to administer and use as Unix they could have created an OS that was at least as secure as Unix (it's not rocket science after all). The reason they didn't was that that's not what their customers wanted and they would have lost a lot of their business if they had.
Now their customers are becoming more interested in security over ease of use and they have been making changes in that direction.