Slashdot Mirror


First IA64 Windows Virus Released

NinjaPablo writes "W64.RugRat.3344 has been released as a proof of concept virus. It is the first virus which will only run on Windows on the IA64 platform, and uses APIs from 3 native DLLs to avoid crashing applications. It infects files that are in the same folder as the virus and in all subfolders. The author of the virus has also written other concept virii in the past."

49 of 479 comments

  1. A toast... by BJZQ8 · · Score: 5, Funny

    Here's to a long and fruitful future for Win64 viruses...

  2. somebody has to say it.. by hp46168 · · Score: 3, Funny

    I for one, welcome our new IA64 Win32 Script Kiddy overlords.

  3. so... by pb · · Score: 5, Funny

    Now we hunt him down and execute him, right?

    --
    pb Reply or e-mail; don't vaguely moderate.
  4. Critique of the virus by prostoalex · · Score: 4, Funny

    1) The virus uses native DLLs - it should've used .NET managed code to avoid common memory leaks and other mistakes
    2) The virus does not run on 32-bit platform - so no chance of getting "Windows XP Compatible" logo.
    3) The virus does not take advantage of the latest Longhorn, Avalon and Indigo features.

    Overall, the work is impressive, but I am waiting for more robust and efficient viruses.

    1. Re:Critique of the virus by PetoskeyGuy · · Score: 5, Funny
      2) The virus does not run on 32-bit platform - so no chance of getting "Windows XP Compatible" logo.

      Too bad about the logo, but it can work on 32bits...

      From the Article
      Note: A true 64 bit machine is not required for this virus, as it can be run on a 32 bit machine using 64 bit simulation software.
      So just get your 64 bit emulator running and you too can enjoy tomorrow's viruses today!
  5. I'mii soii gladii Iii runii Linuxii by King+of+the+Trolls · · Score: 4, Funny

    Iii neverii getii anyii virii. Itii mustii beii painfulii toii runii windowii.

  6. Does that mean by gsfprez · · Score: 4, Funny

    that 64 bit viruses are twice as powerful as 32-bit ones?

    --
    guns kill people like spoons make Rosie O'Donnell fat.
    1. Re:Does that mean by moZer · · Score: 5, Funny

      No, they are 4294967296 times better.

      --
      Hello, my name is Robert Lerner, and I pronounce Lernux as "99% cpu"
    2. Re:Does that mean by leerpm · · Score: 5, Funny

      They are 4,294,967,296 times more powerful.

      So by RIAA math logic, this means that the virus writers are really causing $429,496,729,600,000,000 worth of damage!

    3. Re:Does that mean by whovian · · Score: 4, Funny

      Or 4,000,000,000 times more powerful, according to hard drive manufacturers.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
  7. Virii/Viruses by Anonymous Coward · · Score: 5, Funny

    Argh.

    To try to stall everyone's almost certain flamewars regarding the correct plural form of virus, let me propose a new word.

    Virusesii.

    There, now everyone can use it, okay?

    1. Re:Virii/Viruses by Jugalator · · Score: 5, Funny

      Hmm... You come from the KiB camp, right? ;-)

      --
      Beware: In C++, your friends can see your privates!
  8. It's the second, not the first. by WillAJ · · Score: 5, Funny

    IA64 Windows was the first. (Someone had to say it)

  9. Doesn't this blow... by Flashpot · · Score: 5, Funny

    a hole in the "people write virii for it because it's the biggest target" argument for the proliferation of Windows virii?

    --
    That which does not kill her only prolongs my agony.
  10. ah, me by abscondment · · Score: 5, Funny
    A true 64 bit machine is not required for this virus, as it can be run on a 32 bit machine using 64 bit simulation software.

    Yes! You're no longer limited to slowing your computer by simulating an architecture you don't have--you can run their viruses, too!

  11. What are the legal implications? by ZosX · · Score: 4, Interesting

    So what are the legal implications of writing viruses?

    Could the DMCA be evoked in such a case?

    Or is it only illegal when they are executed and allowed to spread to the wild?

    Just some questions.

    Feel free to respond, thanks.

    1. Re:What are the legal implications? by prat393 · · Score: 4, Informative

      Umm... the DMCA doesn't really have anything to do with this; no copy-protection procedures have been circumvented, so no copyright violations have occurred here. In point of fact, the virus author hasn't broken any laws by writing and releasing this virus, assuming he hasn't been using it to damage any systems out there (besides his own).

      Of course, if he actually were to try and damage someone's box with this virus he might have a hard time of it, since all it does is spread itself throughout the system... you get a minor to major slowdown and increase in file sizes, which can cause other things to break, but it's not very likely.

  12. Wow, on the ball. Maybe MS should hire these guys. by CarrionBird · · Score: 5, Funny

    Then that 64 bit OS might actually get out the door sometime this decade.

    --
    Free Mac Mini Yeah, it's
  13. Virii by NinjaPablo · · Score: 5, Funny

    I apologize for my horrid use of the word 'virii', and accept the standard and proper word, 'viruses'.

    Must not have had enough coffee when I submitted that...

    --
    SmashTech - No smashing of tech involved
  14. wow--oldskool by Anonymous Coward · · Score: 5, Insightful

    This looks pretty oldschool... no stupid RPC nonsense or VBScript, it's a virus that infects other programs, and is spread by copying infected executables around. Just like the old days with MS-DOS viruses passed around on BBS's.

    Incidentally, you could probably limit your vulnerability if the program was installed by an Administrator but only run by users without write permission, or if you removed write permission from programs that you run in your own folders.

    The really cool thing is that it's written in IA64 assembly code. That sounds like quite an impressive feat. From what I hear that is far worse even than the PPC64 assembly code I usually write.

  15. Re:There's no such word as "virii" by Anonymous Coward · · Score: 5, Insightful

    Linguistic evolution is an ongoing process which can't be controlled by an "official" standard for a word. Virii is the next step in this evolution, like it or not. You should find a job with the Quebec language police...who enforce a variant of French that has many "incorrect" features in comparison to "real" French. Neither variant is less legitimate than the other, or Cajun French for that matter. I suppose Chaucer's English should still exist. It doesn't. Get over it.

  16. This isn't a big deal by Anonymous Coward · · Score: 3, Informative

    Read the details, there's nothing special to see here. This isn't a worm, it doesn't gain root/admin access and it doesn't exploit any vulnerabilities of the platform. It requires "direct execution" (i.e. the user has to run it manually). It's just a good old fashioned virus that inserts code into an exe. The proof of concept is that Windows leaves exes writable by default. You can prevent it by not making your application folders writable from userland, which is what any good admin should be doing anyway.

    "The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the
    last section and a random number of bytes are appended to the end of the virus body."
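
Added example, not part of the thread or of any vendor's tooling: a Python heuristic that walks a folder and its subfolders, as the virus is described doing, and reports PE files whose last section is marked executable, along with whether the current user can write to them (the condition the comments above recommend removing). `last_section`, `scan_tree` and `build_sample` are names made up for this sketch, and the header-only sample images are constructed.

```python
import os
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic: mapped executable

def last_section(data):
    """Return (name, characteristics) of the section whose raw data ends last
    in the file, or None when data is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return None
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    if nsect == 0 or len(data) < table + 40 * nsect:
        return None  # truncated or sectionless header
    rows = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        rows.append((raw_ptr + raw_size, name.rstrip(b"\0").decode("latin-1"), chars))
    _, name, chars = max(rows)
    return name, chars

def scan_tree(root):
    """Walk root and all subfolders; return sorted (path, last_section_name,
    writable_by_current_user) for each PE whose last section is executable."""
    hits = []
    for folder, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(folder, fn)
            try:
                with open(path, "rb") as fh:
                    info = last_section(fh.read(4096))  # headers normally fit here
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if info and info[1] & IMAGE_SCN_MEM_EXECUTE:
                hits.append((path, info[0], os.access(path, os.W_OK)))
    return sorted(hits)

def build_sample(sections):
    """Constructed header-only PE (machine 0x0200 = IA64), not a loadable program.
    sections: list of (name, raw_ptr, raw_size, characteristics)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x0200, len(sections), 0, 0, 0, 0, 0x0002)
    rows = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, 0x1000 * (i + 1), sz, ptr, 0, 0, 0, 0, c)
                    for i, (n, ptr, sz, c) in enumerate(sections))
    return dos + b"PE\0\0" + coff + rows

if __name__ == "__main__":
    for path, name, writable in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: last section {name!r} is executable; writable by this user: {writable}")
```

An executable last section is a hint, not proof: some packed or single-section binaries have one legitimately, so treat hits as files to examine.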

  17. Re:W32/Shrug by Anonymous Coward · · Score: 3, Funny

    Don't say something like that. You're going to start an endless thread of "Back in my days we used [ancient technology] and liked it" ... "Yes, but when I was young, we used [even more ancient technology]!"

  18. Where is the Open Source Virus? by BigFire · · Score: 5, Funny

    I'm still waiting for the fabled Open Source Cross Platform Virus that can be delivered to all mail systems. Sure it requires the recipient to uncompress and compile the virus, but it can hit ALL platforms.

    1. Re:Where is the Open Source Virus? by lpangelrob2 · · Score: 4, Funny
      And people say Macs are hard to get viruses onto...
      bash-2.03$ tar -xf oscpv.tar
      ./configure
      Remove home directory? (Y/N) Y
      Enable spam zombie module? (Y/N) Y
      Install keylogger? (Y/N) Y
      Profit? (Y/N) N
      bash-2.03$ make install
      bash-2.03$ make
      Must release this and take over the world!!! Latest version of make required.
  19. *barf* by Anonymous Coward · · Score: 4, Insightful

    "l33+5p34k" is not acceptable and should not carry over into the official language just because a bunch of basement dwelling morons think so.

  20. Re:There's no such word as "virii" by Anonymous Coward · · Score: 5, Insightful

    You're right, there's no such word as "virii." There are also no such words as "boxen," "*nix," "sysadmin," "interweb," and "teevee." "Awesome" means "awe-inspiring," "cool" refers to a temperature, "radical" is what we call a nutjob, and, to my knowledge, no one has ever gotten "jiggy" with anything. Purists would even say that using "google" as a verb is wrong. These are the same people who had a problem with "surfing" the "web."

    It's called slang, and it's evolving and changing all the time. Were these people to use "virii" in an official capacity, such as in a company-wide memo, or an academic paper, there would be a problem. But this is Slashdot, for crying out loud. Get over yourself and have a little fun.

  21. Re:W32/Shrug by Anonymous Coward · · Score: 4, Funny

    Actually, it is a Latin phrase which means "You are a fucking moron".

  22. Let me guess.... by teslatug · · Score: 4, Funny

    The release is followed by a proof of concept jail sentence ;)

  23. Those 5 people must be pissed!! by Anonymous Coward · · Score: 5, Funny

    Of course I'm referring to total amount of Itanium users out there.

  24. Re:There's no such word as "virii" by yecrom2 · · Score: 5, Funny

    Sure. Next you'll tell me that the plural of box isn't boxen. It has to be. English is a totally consistent language and the plural of VAX is VAXen.

    It is well known that the pluralizing of nouns in English is well defined:

    ouse -> ice.
    eg. house -> hice.
    ata -> atabase.
    eg. data -> database.
    ink -> egnancy.
    eg. drink -> pregnancy.
    That one is a little tricky because it requires a change in the base word.

    outer -> 0,000
    cisco router -> $450,000
    See previous example.

    Just a thought.

  25. Re:Boxen by Profane+MuthaFucka · · Score: 5, Funny

    Boxen is annoying too. It's fucking boxii.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  26. This may be knit picking... by AmishSlayer · · Score: 5, Insightful

    W64.Rugrat is a fairly simple proof-of-concept virus. However, it is the first known virus to attack 64-bit Windows executables on IA64 systems intentionally, and it does so successfully. The virus uses a handful of Win64 API-s from 3 different libraries, NTDLL.DLL, SFC_OS.DLL and KERNEL32 respectively.

    From NTDLL.DLL the virus uses the following 3 functions LdrGetDllHandle(), RtlAddVectoredExceptionHandler() and RtlRemoveVectoredExceptionHandler(). The virus supports vectored exception handling to avoid crashing during infections.


    Yes, the virus uses three DLLs. It also uses a routine to avoid crashing itself while infecting the machine... it does not look like the virus cares about crashing other applications.

    The thing to pay attention to here is that this is a fault tolerant virus. I have seen more and more effort lately (Sasser for example avoids shutdowns to help it propagate) from authors trying to make their creation survive.

    1. Re:This may be knit picking... by advance512 · · Score: 3, Funny

      Oh, and by the way...

      [i]Nitpick[/i], the removal of lice eggs, came to mean detailed and precise criticism.

      Not knit pick :)

  27. Re:W32/Shrug by rokzy · · Score: 3, Funny

    indeed. Richard Of York Gave Battle In Vain.

    presumably trying to fight for Windows' security is also in vain.

  28. Re:There's no such word as "virii" by Mournblade · · Score: 3, Funny

    We need a "-1, Pedantic" moderation category.

  29. IA64 = Itanium or AMD's x86-64? by stratjakt · · Score: 4, Insightful

    And why is it a shock that a virus can be written for either?

    When palladium comes out and someone writes a virus that can escape its sandbox, infect executables (which I'd imagine would involve resigning them) and spread, I'll be impressed.

    --
    I don't need no instructions to know how to rock!!!!
  30. Roy g biv is the author of the virus by Anonymous Coward · · Score: 4, Informative

    roy g biv is the author of the worm, and is a member of the 29A VX group. The group has been responsible for Donut (first .NET virus), Winux (the first virus to infect both Linux ELF binaries and Windows executables), as well as a few others of notoriety.

    29A is probably the most elite malware group out there.

  31. Re:There's no such word as "virii" by TheRealMindChild · · Score: 3, Informative
    Well, we can prove this a simple way... here

    virus n. pl. viruses 1. 1. Any of various simple submicroscopic parasites of plants, animals, and bacteria that often cause disease and that consist essentially of a core of RNA or DNA surrounded by a protein coat. Unable to replicate without a host cell, viruses are typically not considered living organisms. 2. A disease caused by a virus. 2. Something that poisons one's soul or mind: the pernicious virus of racism. 3. Computer Science. A computer virus.
    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  32. so when will win64 be released? by RelliK · · Score: 4, Funny

    aha! So that's what delayed the release of windows for amd64: it was not compatible with old viruses. Now that this obstacle has been overcome, how long until the release?

    --
    ___
    If you think big enough, you'll never have to do it.
  33. Re:There's no such word as "virii" by uss_valiant · · Score: 3, Insightful
    I'm on a crusade. I intend to post a comment like this one whenever I see anybody use "virii." [...] The plural of "virus" isn't "virii." There is no such word. The plural of "virus" is "viruses."

    And whenever I see a /. discussion about the plural of virus I wish it was below my threshold.

    What about spending your time convincing people of more important issues like [insert anything else here]?
  34. Re:Boxen by Fizzlewhiff · · Score: 3, Funny

    Boxii is the gimp kid from BSG with the robot dog.

    I am the walrus, we are the walrii

    --

    'Same speed C but faster'
  35. Re:There's no such word as "virii" by Durandal64 · · Score: 4, Insightful

    Socially inept nerds making up (what they think to be) cool-sounding plural forms does not count as a valid step in the evolution of the English language. The plural for "virus" existed long before computers did, and there is absolutely no reason to change it when it refers to a computer virus. You can use the word "virii" if you want, but don't be surprised when people think that you're a fucking retard for doing so.

  36. Flame Central by gillbates · · Score: 3, Insightful

    Okay, just to collect all of the Microsoft trolls in one thread:

    How can Windows ever be secure when exploits are released before the OS is available?!

    It seems to me that Microsoft can't design a secure OS. After talking about security for more than 2 years, their latest incarnation is even less secure on its release date than Windows 95!

    Microsoft: the Day Zero Exploit(tm) company

    --
    The society for a thought-free internet welcomes you.
  37. Re:Boxen by Profane+MuthaFucka · · Score: 3, Funny

    A beowulf cluster of boxii is boxiiii. Maybe boxiv for short.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  38. Proof of concept viruses not terrible by crawdaddy · · Score: 5, Informative

    To all those saying that a proof-of-concept virus is still a virus and that this guy is doing a disservice to the world by writing one, I'd like to give an alternate way of viewing it. Writing proof of concepts that aren't spread in the wild (like the other viruses mentioned in the second link) helps anti-virus groups in advancing knowledge on current/new techniques that may not have been known about or considered in the past.

    IANAVWOAVG, though (I Am Not A Virus Writer Or Anti-Virus Guy)

  39. Re:Boxen by Didion+Sprague · · Score: 5, Funny

    Um, no.

    It's 'Boxi' -- second declension plural as follows:

    N: boxi
    G: boxorum
    D: boxis
    Ac: boxum
    Ab: boxis

    Eunuch boxum Unix laudat.
    ("The eunuch praises Unix boxes.")

    Something like that.

  40. You -ing well don't know what -ing means. by crovira · · Score: 3, Funny

    Unless you read "The Truth"

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  41. Pendantic by Patrick · · Score: 3, Funny
    You were using common slang in an informal forum, pendants seeking to impose their notion of linguistic orthodoxy notwithstanding.

    A pendant is jewelry. You meant pedant, which is what I am being by responding. Like virii, your use of pendant is wrong. Not slang, just wrong.

    If I referred to your sentence as "high-falutin'," that is slang. If I referred to it as "retartid," that is simply an incorrect spelling.

    The English language isn't evolving new Latin-esque plurals. It's not slang. It's just ignorant pretension, which is the worst kind of pretension.

    ... as the actual poster admitted. Sheesh. Don't defend usage that the poster admitted was "horrid."