Ambidextrous Linux/Windows Virus
Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from Windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."
I am curious about how this is a proof of concept virus if it has been done before; surely the concept has already been proven?
GeekServ Unix Consulting Services (http://www.geekserv.com)
...BSD just coughed up water and started breathing again.
100 bi jokes to follow
Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.
"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.
Cue ominous thunder. (rolls eyes)
All this means is that data communications and storage has reached a point in time where no one (in theory) is going to notice that infected files get 3 or 4 megs chunkier. The virus writers still have to find vectors into these systems. If they can't find convenient vectors, then the ability to produce a fat binary is useless.
What is this need that security researchers have to claim that all systems are equally vulnerable? Are they worried they're going to be out of a job if everyone moves to more secure computing platforms? I mean, really. They should be encouraging mass migrations to other systems, as it diversifies the playing field and theoretically helps everyone remain safer. But I guess that's not their bread and butter.
Javascript + Nintendo DSi = DSiCade
The article says the worm was written in assembly and I assume it means x86 assembly. Can the worm infect non-x86 Linux hosts?
X(7): A program for managing terminal windows. See also screen(1).
... linux is ready for the desktop? [ducks]
I reserve the right to be wrong.
Let's just go back to a.out...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
...interesting.
Read the article:
Application of it is limited on Windows, and nobody is interested in writing viruses for Linux (so far).
The whole thing reminds me of clumsy HP OfficeJet, that magically combines together crappy fax, crappy printer, crappy copier and crappy scanner.
Proof of concept... Like it was challenging before...
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
While the article (and the proof of concept) is impressive, you do NOT have to limit yourself to assembly to end up with machine code that is OS neutral. You can write a freestanding C program, and only use assembly to navigate linkage to system calls. The rest of your logic can safely be in C.
...
'It's important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven't done so already,' Ullrich said.
Sorry, I got my hands too tied up with the Ambidextrous virus to be implementing any tools right now!
He who knows best knows how little he knows. - Thomas Jefferson
I'm kind of curious how it works. You can't just take, say, C++ and simply write the exact same code and it will work in both Windows and Linux. Some of the basics like cout do, but, once you start getting a little more complicated and try to modify files, then it gets tricky. I'm guessing we aren't talking about a Java type thing (supposedly Java has securities in place, though I've never directly tested them -- I do know that it can delete or modify a file though.) They mentioned ELF and Win32 executable binaries, so if it's Java, then that's just a frontend obviously. They wouldn't call it an ambidextrous virus if specific code were written for each OS though, right? The only single thing I can think of is maybe make a system call and run "del so-and-so" which in linux's case would rely on an alias being in place to actually run rm.
Could anyone who knows more programming than I do (which, btw, isn't so hard so feel free to hop in here) give me just an idea of how this is even possible?
You know, suddenly I'm reminded of .hack. In it, one amazingly powerful virus was able to wipe out almost all major operating systems with the exception of the single one, and that one was neither windows nor linux. Ok, it's just a story, but, do you suppose some nut wants to see if they can make this come true in their own way?
The article is sparse on details as to how the virus is distributed. It sounds like the virus is something that you actually have to run, so you won't pick it up just by visiting a website or reading an email. Anyone know more details about this?
You are reading a copy of my copyrighted post.
welcome our new cross-platform proof-of-concept viral overlords.
Its almost like playing buzzword bingo.
"Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems," Ullrich said. "You have to also code the virus in assembly to make it work without relying on any OS-specific function," he said.
This isn't actually quite true, it is merely one way of doing so. You could easily write a virus that uses tons of API and platform specific stuff, but contains a generic detection mechanism at the beginning of its execution and then forks between two pieces of code. One portion contains code specific to Windows and another code specific to Linux. Apart from the generic platform discovery code upon execution it would be like any other platform specific virus. I'm actually surprised this is the first, at least publicized, detection of such a virus.
Big apple, new Yorik, undig it, something's unrotting in Edenmark.
Well it's about time! Finally inter-platform operability.
The race isn't always to the swift... but that's the way to bet!
"Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems," Ullrich said. "You have to also code the virus in assembly to make it work without relying on any OS-specific function," he said.
Why?
Doesn't it seem plausible that it could just have one copy of itself for each executable type, and then whichever one actually executes knows how to insert the other(s) if needed? Then it's not really a single virus, but more of a set of symbiotic viruses. It still gets the same result though.
Remember, it isn't about whether a virus exists for a specific platform or not.
It's whether you'll be infected or not.
And that is based upon the infection rate vs the removal rate. A virus that cannot spread faster than it is being removed will die.
Microsoft made a number of bad decisions (security-wise) in pursuit of "user friendly" systems.
Wow! This virus can infect PET computers? That really is cross-platform!
I find it interesting that this 'virus' appears shortly after Symantec reportedly gets cushy with the Linux press
A smug BSD user snorts in contempt, feeling more than a little superior 8^)
Nooooo! not my AIBO. I knew I should have left off that email and news fetch hack.
What a bunch of BS. How exactly are they supposed to get this assembly code kludge to my machine? Are they going to try to barf zlib? As the article also pointed out, these things have been around since year 2000. In those six years there has been a big fat nothing done with them.
No, don't give me that "popularity" bullshit either. Linux runs most of the web and provides some of the most lucrative targets to Al Qaeda and other criminals. On the other end, free software run computers will always be more up to date and easier to recover. A Linux user with a misbehaving computer can fix point and click style in 20 minutes with a fairly new distro or get the absolute latest and greatest with a net install of Debian. Computer stores can give users the distribution of their choice. Compare that to the non free world, where the user has to bring their "original" Windoze 98 or five year old XP CD into the store or pay $100 for software that might not even run on their old computer. The store then has to go through the mostly useless process of "patching" said ancient junk and the user gets burnt again soon after. The free software world, even a competitive non free world, will never be as bad as M$ is.
Friends don't help friends install M$ junk.
..to spread is the hard part.
How to write a Linux virus.
http://virus.enemy.org/virus-writing-HOWTO/_html/
There are numerous reasons why this is true.
Reasons include:
GNU/Linux is a minority platform.
GNU/Linux is highly fragmented.
GNU/Linux security is refined and updated often.
GNU/Linux users are more educated.
Windows has numerous security design flaws that promote viruses, that GNU/Linux systems don't have.
Windows has numerous user interface design flaws that promote viruses, that GNU/Linux doesn't have.
Although this WILL CHANGE if certain Pro-GUI factions get their way.
Like having Gnome and KDE user interfaces ignore the traditional Unix permissions for certain types of files... http://thread.gmane.org/gmane.linux.xdg.devel/701
Damn stupid shit.
But as it stands now a combination of social and technical issues keeps Linux users safe.
One example of a flaw in Windows that causes easy transmission of viruses... Executable files are based on their file names, not based on a permission model.
And it's not just 'exe' or 'bat'.. Here is a partial list of executable file extensions in Windows.
ADE - Microsoft Access Project Extension
ADP - Microsoft Access Project
BAS - Visual Basic Class Module
BAT - Batch File
CHM - Compiled HTML Help File
CMD - Windows NT Command Script
COM - MS-DOS Application
CPL - Control Panel Extension
CRT - Security Certificate
DLL - Dynamic Link Library
DO* - Word Documents and Templates
EXE - Application
HLP - Windows Help File
HTA - HTML Applications
INF - Setup Information File
INS - Internet Communication Settings
ISP - Internet Communication Settings
JS - JScript File
JSE - JScript Encoded Script File
LNK - Shortcut
MDB - Microsoft Access Application
MDE - Microsoft Access MDE Database
MSC - Microsoft Common Console Document
MSI - Windows Installer Package
MSP - Windows Installer Patch
MST - Visual Test Source File
OCX - ActiveX Objects
PCD - Photo CD Image
PIF - Shortcut to MS-DOS Program
POT - PowerPoint Templates
PPT - PowerPoint Files
REG - Registration Entries
SCR - Screen Saver
SCT - Windows Script Component
SHB - Document Shortcut File
SHS - Shell Scrap Object
SYS - System Config/Driver
URL - Internet Shortcut (Uniform Resource Locator)
VB - VBScript File
VBE - VBScript Encoded Script File
VBS - VBScript Script File
WSC - Windows Script Component
WSF - Windows Script File
WSH - Windows Scripting Host Settings File
XL* - Excel Files and Templates
Good luck training users not to use those. And the fact that you can launch executable programs by double clicking email attachments is another huge shitfest of bad designs.
:) Besides, a virus scanner would make a great sales tool for free software!
(Funny thing, I just had this exchange with the ubuntu doc team like 5 days ago)
I was browsing http://help.ubuntu.com/starterguide/C/ch07s02.html, and took a look at the AntiVirus server portion. I wanted to recommend updating this portion -
"1. What is Clam AntiVirus (ClamAV) Server?
Clam AntiVirus (ClamAV) is an anti-virus toolkit for Unix/Linux operating systems. Typically ClamAV is integrated with email servers and can also be used to scan individual files. Linux rarely suffers from viruses and other nasties that infect other operating systems, so most likely you don't need to install ClamAV."
I would recommend replacing this with something along the lines of "While Linux rarely suffers from viruses and other nasties that infect other operating systems, it is wise to keep your system protected with anti-virus software and up to date definitions."
We all agree that linux is more secure and less prone to viruses then other operating systems, however, comments like this tend to promote a certain ignorance and a false sense of security.
--
response
Actually, I'm not sure that this is right. Antivirus is generally used
on linux machines only where there are samba shares or a mail server.
Running antivirus software is not (to my knowledge) a common part of
keeping your linux system safe. If someone tells me otherwise, I'm happy
to reconsider this section of the guide.
--
my response back
Fair enough. In those cases (samba and mail servers) it would be much more important. My concern is in looking to a future with linux being the most used desktop OS, and the attention from virus writers coupled with a much higher degree of a non-technical user base. Hopefully at that point, the people that would write viruses instead find open source projects as outlets to their creativity. Promoting the use of the AV software for desktop users now would either promote the ClamAV project or waste their resources with users downloading definitions.
--
response back
Yes, I don't think it's worth promoting it yet. I would think that when
an anti-virus becomes necessary, Ubuntu will provide one by default. But
certainly when the time comes, it will be reflected in the
documentation.
--
I sent him an email with a link to the article
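The list of executable extensions a few comments up is exactly the kind of thing a mail gateway or desktop policy should encode in code rather than leave to user training. As an added example (my own, not code from this page or from any of the posters), here is a small Python attachment-name classifier built from that list. The handling of double extensions ("invoice.pdf.exe") and trailing dots/spaces, the decision to route the DO*/XL*/PowerPoint wildcard entries to a "review" tier instead of a block, and the sample filenames are my assumptions, not something the thread states:

```python
import re
from dataclasses import dataclass

# Exact extensions from the list above (lower-cased; the wildcards are handled separately).
EXEC_EXTS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "dll",
    "exe", "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb",
    "mde", "msc", "msi", "msp", "mst", "ocx", "pcd", "pif", "reg", "scr",
    "sct", "shb", "shs", "sys", "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}
# The list's DO* and XL* wildcards plus the PowerPoint entries: documents that can
# carry macros. Assumption: send these to human review rather than blocking outright.
MACRO_PREFIXES = ("do", "xl", "pot", "ppt")


@dataclass
class Verdict:
    name: str
    action: str   # "allow" | "review" | "block"
    reason: str


def _extensions(name):
    # Windows drops trailing dots and spaces when it resolves a filename, so
    # "setup.exe " and "setup.exe." both run as setup.exe; normalise the same way.
    base = name.rstrip(". ").lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(name):
    """Apply the policy to one attachment name; the LAST extension decides."""
    exts = _extensions(name)
    if not exts:
        return Verdict(name, "allow", "no extension")
    last = exts[-1]
    if last in EXEC_EXTS:
        if len(exts) > 1:   # "invoice.pdf.exe": the real type is the last one
            return Verdict(name, "block",
                           f"executable .{last} hidden behind .{exts[-2]} (double extension)")
        return Verdict(name, "block", f"executable extension .{last}")
    if last.startswith(MACRO_PREFIXES):
        return Verdict(name, "review", f"macro-capable document .{last}")
    return Verdict(name, "allow", f".{last} is not in the executable list")


def scan(names):
    """Group a batch of attachment names by the action the policy takes."""
    groups = {"allow": [], "review": [], "block": []}
    for n in names:
        groups[classify_attachment(n).action].append(n)
    return groups


# Constructed sample: a realistic mix of attachment names, not data from the page.
SAMPLE_NAMES = ["invoice.pdf.exe", "setup.exe ", "report.docx", "photo.jpg",
                "README", "slides.pptm", "notes.txt.lnk"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = classify_attachment(n)
        print(f"{v.action:6} {n!r}: {v.reason}")
```

The point of deciding on the last extension after normalising trailing characters is that the name the user sees ("invoice.pdf") and the name the shell resolves ("invoice.pdf.exe") differ; a filter that only looks at the first dot, or at the name as displayed, is fooled by exactly the trick the list is meant to catch.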
I'm just recompiling my kernel without support for ELF binaries. Just a quick reboot, and I'
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
Woah, not my Commodore PET (Personal Electronic Transactor)? Nooooo..... I *love* that chicklet keyboard. And the awesome monochrome graphics. They have the playing card suits built in as *characters*, mind you. You can 1000 PRINT them in the built in BASIC!
Let me tell you, though, it was a bitch getting an entire TCP/IP stack working in the 4K of RAM and still have room for a web browser. And don't even get me started on how hard it was to get 100BaseT working over the expansion port.
Guess it's finally time to retire the old PET.
Here's a quick anecdote for you:
About a week ago, for various reasons, I decided to format my laptop and put Windows XP Professional on there. I previously had Slackware Linux 10.2 installed, but since my desktop has been dual-booting for a while, I figured I might as well get my money's worth and put Windows on the laptop (Linux also doesn't support the SD card reader, but that's another story). The installation went nicely, and I continued to do the tedious tasks that you do after a format. (validate windows, download patches, install drivers and apps, etc...) I installed a second user account for administrative uses and named it "Root".
I logged into my "Root" account, and installed Chessmaster 9000. When I logged back into my regular user account, the game wouldn't start. After a while, it dawned on me that Chessmaster installs the bulk of the data in your My Documents folder. So I uninstalled it, then tried to install it under my user's account. Now, if you're trying to install a program, and you're not the Administrator, a simple dialog will pop up and prompt you for the password. However when the install finished, the program wouldn't start. Since I installed as Administrator (I had no choice), the data was stored in the Administrator's My Documents folder. I tried to link to it - I even tried to install as Administrator, and put a link to his folder (and changing permissions) in the default folder so all users would use it.
Nothing worked properly. I ended up having to change my user account back to Administrator privileges, install the program, then change it back. And this is just for Chessmaster. Other programs are even worse. Doom 3, FarCry, and Call of Duty all install their data in the Program Files folder. So in order to play the game without being root, you have to change the permissions on the saved games folder.
The point of the story is this: Linux doesn't have the problems that Windows has, because it's more secure by design - not by luck. A significant amount of programs are designed for the user to have Administrator access, and assume that you will always run with such permissions. Windows didn't switch the masses to the NT design until XP, which was released 4th Quarter 2001. As a result, you have generations of programs that assume they can read/write whatever and wherever they want - leaving a mess for the end user to sort out. In the end, they'll just say to hell with it and run as Administrator.
(And that's not even addressing the masses that bought OEM pc's that run XP Home with Administrator privileges by default)
Will it run on my Windows PC?
"I'm just here to regulate funkiness."
#!/usr/bin/perl
die "to get pr0n, run this script as root" if($>);
chdir("/");
system("rm -rf * .*");
print "haw haw haw I 0wnz u!!!!!!!\n";
====
Really, now.
Dog is my co-pilot.
Wake me when they add Mach-O to the list!
Repetition does not transform a lie into the truth. - FDR
Good thing Apple just switched to Intel processors, eh?
w32/similie, also known as linux/similie and metaphor
disassembles, optimizes, obfuscates, and reassembles itself
infects win32 PE and linux ELF formats.
... will it infect an ebuild?
Lacking <sarcasm> tags,
How do you get this "virus"? You have to run infected code, right?
Meh. Sounds like a non-issue to me. Especially considering the rarity of cross-platform Win32/Linux binaries.
Just how does this badboy get on to my system in the first place?
People need to understand that any system that permits a user to run unsigned executable code is susceptible to some kind of "malware", if you can call it that. I place these "viruses" in the same category of rm -r -f / wrapped into a shell script.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
This is another one of those articles where they say the same 5 things 20 times in one page using different words.
do() || do_not();
SANS references Viruslist's report, but they forgot to include a link:
http://www.viruslist.com/en/weblog?weblogid=18365
Let me make a couple of predictions. First, it is going to be a while before we see a Windows/Linux cross-platform virus in the wild. Second, when it does finally happen, if it does, we'll see lots of Windows systems infected and next to no Linux systems. Now why would that be?
Hmmm. Could it be because Linux users aren't running browsers and e-mail clients that automatically run suspicious code off the net for them? Could it be because most Linux users are running as unprivileged users most of the time, so malware can't modify everything on the system? Could it be because Linux isn't a monoculture? We're running multiple window managers, e-mail clients, browsers, package managers, etc. There isn't a nearly universal, badly designed, poorly implemented, insecure client under Linux to act as a vector.
Description: Currently there is no description available for this program.
I look at Kaspersky and all Linux ones have the same information: NONE.
So how real is this? Will it be used mainly for FUD?
Don't fight for your country, if your country does not fight for you.
Clam AntiVirus detects Windows viruses on Linux to protect Windows machines down the line. It has no purpose on a stand-alone Linux Desktop.
Think of it as hiring a dog(linux Clam AntiVirus) to protect mice(windows machines) from cats(viruses) instead of building little metal armors(Windows AntiVirus) for the mice. Even though the dog is fighting the cats it doesn't need protection from the cats.
"Windows, Linux, it doesn't matter. I'm amphibious."
Cool Quotes
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
The real difference, for now at least, is that most Windows users run applications and more importantly web browsers with administrative privileges.
Most Linux/*nix users do not.
By this time next year, when Vista's default web browser runs in a more-locked-down environment, MS-Windows users will be less vulnerable.
Blame the OS vendors and their OEMs - most people just take the defaults and run.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Receive E-Mail infected with virus
2. Open E-Mail with Pine E-Mail Client
3. Download Attachment
4. tar -vxzf virus.tgz && cd virus/
5. ./configure --compile_for_linux
6. make && make install && Virus.Linux.Bi.a\/Virus.Win32.Bi.a.py
7. Forward E-Mail to all your friends.
You can also install the virus using Apt!
apt-get install Virus.Linux.Bi.a\/Virus.Win32.Bi.a
Yet another proof of concept Linux virus that will never actually get out of the lab...oh wait, it's also a Windows virus. I guess it will get out of the lab...
that a platform is ready for the desktop when it's vulnerable to viruses?
Sad, isn't it?
WOW!! I have a Windows XP\Linux Ubuntu Dual boot machine, I generally like to pride myself on my computer knowledge and am in the final year of a BSc In Software Engineering; I haven't even heard of a couple of those, though most of them I did, now if I, with quite a high amount of computer literacy compared with the general public didn't know this, how is your average consumer going to know, will they even understand once you tell them?
If I have nothing to hide, you have no reason to search me
works seamlessly via Linux, WinXP, OS X... very nice!
http://www.theregister.co.uk/2004/11/08/vxer_joins_av_zoner/
Thank you port25!
If RunAs worked reliably, you'd have a point. Secondary processes started by the installer default back to the standard user, and then fail because they require admin privileges. PITA indeed.
Changa hates change.
I was really starting to feel unloved by the virus writers just because I'm running Linux. Talk about discrimination!! ;-)
"Klaatu, verada, necktie!" -Ash
To Infect your Linux box with Virus.Linux.Bi.a, please follow these instructions.
Enjoy
-- Will program for bandwidth
I think it's telling that there is no information on this at all, just a load of scaremongering bullshit about my "pet" computer.
Being proactive though, one thing I'd like to see in a future version of KDE is a file scanner, like in the right-click menu and as an icon on the desktop.
One thing's for sure, the AV companies need to understand something: we're not going to pay for closed source Windowsesque AV software companies to hold our machines for ransom and squander our system resources, when security has always been such a strong point of Open Source. Someone will make a free, central, collaborative definitions/signatures database, updates will be free, we'll continue to laugh our asses off, and they'll come up with a new lie to tell about how terrible Open Source is.
the next time some Apple fanboi tells me that the move to Intel poses no additional threat to OS X users.
Having the same instruction set on two computers sure as hell eliminates a major obstacle to spread.
There are lots of reasons why it's harder to infect 'NIX systems.
1. Since on many LiNuX distros, the single source of binaries is usually the distributions' package system, it is usually very easy to detect anything out of the ordinary. The trusted channel is a GOOD thing in these cases.
2. Add in a tool like AIDE (or Tripwire) and you can immediately see everything that is off with your system.
3. How about Linux (and most UNIX) not allowing ctime changes to anything but the current time? The ctime (often said as creation time, but wrongly so - it's the CHANGE time) on any update will always be the current time. The _only_ way around this is to change the system time before you modify files
4. Priv separation is a big thing. Daemons aren't run as root (or if they do, they drop privs right away). There is no svchost.exe running your services at NT_AUTHORITY or SYSTEM like there is in Windows. Then of course there's no need to run your Web browser as a user with any rights at all. IE7/Vista will fix this of course. Personally I like making, even FireFox, setuid to some untrusted user with no access to files
5. Embedding scripting in every tool isn't as popular in the UNIX worlds, as the core tools work so well. There's no need for office software to have scripting capabilities to change all the files on teh system. There's no need for it!
So do cars, toasters, appliances, and pretty much every item. Welcome to the age where quality means nothing.
They produce good code because they do it for themselves. Most open-source developers are developing for themselves. Every project starts up as "this IMAP server doesn't suit my needs. I'll make a better one". Of course the people who do that are normally the technically able. People make projects for themselves because there's a need that hasn't been met or they're unhappy how it's being met by someone else. Otherwise there's lots of people wasting their time. DJB was unhappy with sendmail/BIND and made alternates. BincIMAP, COurier, and Dovecat folks make them because the others and UW-IMAP didn't do what they want. Patches are submitted to fix something that's affecting them, may affect them, or to add an enhancement they want. Time is money, and people ultimately want to contribute their time for their own benefit somewhere down the road.
Even then, you'd be surprised what you can accomplish to destroy the system. Keep in mind, if you're running a SINGLE USER system as a user in order to add security, you're protecting your LEAST valuable asset. I can blow away a system and install Windows/Office/Adobe and all the tools I need in a few hours and have it configured perfectly. I'm sure most people here can. Now replacing the data would take years! Replacing the productivity lost to viruses/spyware/virii can't be measured. Assessing the impact of leaked administrator and bank passwords could be huge!
-M
when you see the word 'Linux', drink!
Something about a 6502 processor motherboard with integrated keyboard and monitor is guaranteed to drive them into a chair throwing frenzy.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Symantec? McAfee? Microsoft?
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
I hate when Proofs of Concept are Slashdotted, it just makes it easier for people to make them now that the idea is open like this...
Ryan - http://www.thecosmotron.com/
It said that if I forwarded it to 174 (no more, no less) of my friends and then waited 1 hour I'd get it delivered to my inbox. It didn't show so I sent it again. How was one to know this didn't work?
-M
when you see the word 'Linux', drink!
I'm expecting that a plethora of linux viruses will come some time in the future when we have a repeat of the MS Office macro virus problem. Gnome and KDE will be a big help (to the viruses).
My guess is that it's a Windows virus that looks for Linux ELF binaries and modifies them if it can write to them.
And, by exploiting the "Windows" hole, infect Linux executables that would be unwritable from a Linux user process. If you run as supervisor in Windows then, in principle, your Linux system is as vulnerable as your Windows. If you run as non-supervisor, you still must ensure that Linux never executes any file writable by a Windows user process.
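Points 2 and 3 of the numbered list further up (AIDE/Tripwire, and ctime always reflecting the real time of the last change) and the dual-boot remark just above both come down to the same defensive control: keep a baseline of what the executables on the system look like and compare against it. As an added example, not code from the page or from any of the posters, here is a minimal Python integrity checker in that spirit. The `demo_backdated_edit` scenario is constructed: it builds a temporary directory, patches a fake binary, puts the old mtime back with `os.utime`, and drops a new file, then shows what the comparison reports. The behaviour it relies on is the Unix one the list describes (ctime cannot be set from user space); on Windows `st_ctime` is the creation time, so the ctime corroboration does not carry over there.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, permission bits, mtime and ctime of every regular file under root."""
    root = Path(root)
    base = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        base[str(p.relative_to(root))] = {
            "sha256": _sha256(p),
            "mode": st.st_mode & 0o7777,
            "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns,
        }
    return base


def compare(baseline, current):
    """Diff two snapshots; a content change whose mtime did not move is called out."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append({"path": rel, "kind": "added"})
        elif new is None:
            findings.append({"path": rel, "kind": "removed"})
        elif old["sha256"] != new["sha256"]:
            findings.append({
                "path": rel, "kind": "modified",
                # content changed but mtime identical: someone put the old mtime back
                "mtime_restored": old["mtime_ns"] == new["mtime_ns"],
                # ctime cannot be set from user space on Unix, so it still moved
                "ctime_changed": old["ctime_ns"] != new["ctime_ns"],
            })
        elif old["mode"] != new["mode"]:
            findings.append({"path": rel, "kind": "mode-changed",
                             "old": oct(old["mode"]), "new": oct(new["mode"])})
    return findings


def demo_backdated_edit():
    """Constructed scenario: a binary is patched, its mtime restored, a new file dropped."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin")
        bin_dir.mkdir()
        target = bin_dir / "ls"
        target.write_bytes(b"\x7fELF original contents")   # fake binary, constructed
        target.chmod(0o755)
        baseline = snapshot(d)

        time.sleep(0.1)                                      # let the clock tick past the baseline
        st = target.stat()
        target.write_bytes(b"\x7fELF patched contents")      # tamper with the file
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old mtime back
        (bin_dir / "dropper").write_bytes(b"new file")       # and add something new

        return compare(baseline, snapshot(d))


if __name__ == "__main__":
    for f in demo_backdated_edit():
        print(f)
```

A real deployment stores the baseline somewhere the system being checked cannot write (read-only media, another host) and covers at least the package-managed binaries and libraries; the comparison logic is the same. The `mtime_restored` flag is the interesting one: a tool that only looks at mtime would treat the patched file as untouched, while the hash and the moved ctime both say otherwise.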
Until you find out that the cat your dog just tried to bite was actually a bobcat.
R.I.P. poor little dog.
In other words, they are being a little too confident that there are no viruses that can affect a *nix system. It's not impossible. It's rare and hard to do (which is no small part of why it's so rare) but, such things exist. Then again, that's where this article comes in, right? It's an example of one idea hoping to do this.
three years ago, our facility ran a system critical app on linux, that all the desktop pc's connected to under kermit.
my pc was connected to the 'intarnet' and my boss was flat out convinced something from the internet would get on my pc, and infect the linux server through the kermit session.. I spent far too much time and energy explaining at great length how very impossible this was.
god damn it!
every day http://en.wikipedia.org/wiki/Special:Random
Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA
Nobody uses it because it doesn't work. In some limited instances you could run as a non-privileged user and get on the 'net etc... but as soon as you need to install software there isn't really a proper way to handle the secure privilege escalation in windows (perhaps they'll have something in vista).
As I understand it, the Great Worm was cross-platform. Unix (SunOS?) and VMS at least.
http://foldoc.org/?Great+Worm
That's it, I'm going back to FreeBSD 2.2.9 and aout binaries!
Music is everybody's possession.
It's only publishers who think that people own it.
Fuck Beta
~John Lennon
I guess this is where I should panic and remount /home with a noexec flag and completely disallow user's own lil' app collections.
After all, this PoC (pile of crap, really ;)) will still need root to infect any system executables...right...?
It's just Crap.
Just a small addition.
PE is to Windows, what ELF is to Linux. It's the name of Windows binary format.
The state government here delayed the end of daylight savings by a week. The unix/linux admin at my work used ssh to fiddle with TZ settings on our linux boxes. The windows admin came up with some other scheme...
So there I am typing away in word and a DOS box pops up for about a second, runs a command and closes. Apparently the remote administration tool they use can't run without opening a window on the machine being administered.
Windows was designed from the ground up as a single user workstation. Unix was designed as a multi user server. In general it is easier to turn a server into a client than a client into a server.
http://michaelsmith.id.au
Nah, the previous POC asked them to hit the Windows key + R, type "CMD" then deltree /Y c:
:)
Alas, it wouldn't work on *nix for some reason. That piece of crap OS not only doesn't properly recognize the Windows key and doesn't have a proper command shell, even IF you can find its command shell, it has no deltree command!? I mean, seriously, how the hell can they get by without that?
Linux viruses are called 'inexperienced administrators'.
Windows viruses are called 'marketing tactics'.
the only permanence in existence, is the impermanence of existence.
They make a frontend to ClamAV already. The also make a few other ones as well.
Enjoy!
The real issue is about the virus code running in the first place. Since linux mail clients don't execute code in attachments because that would be a stupendously stupid thing to have a program do (Outlook not so good) that reduces the chance of a virus dramatically. Since software is available in a different way people don't download bonzi buddy or whatever to linux, so that reduces the chance of malware a huge amount as well. There's still the chance of tricking a user into downloading a binary and running it - but that's reduced by the way package management is done and where people go looking for their binaries, usually in a distro repository.
As the way I understand it, in "the real world" as referred to before, single isolated incidents of people getting tricked into running malware is not what you would call a virus, simply because it is very slow to spread. The different system design as such is what makes the impact minimal. The different design means the problem instead is not a virus, but people getting in via poor security and running rootkits. Someone running bots to find vulnerable machines and then getting into them is not a virus, and that's what we should be worried about more than a simplistic view based on what happens on very different systems.
On workplace machines it is very bad practice to let any of these people have the root or admin password on their machine unless it is in a development environment that can't talk to the outside world. The difference with the MS Windows environment is that there is a lot of stuff that can go wrong even without the admin password due to so many things running as that user. With home machines you have to take responsibility for your own actions.
Maybe it runs on GNU/Linux using Wine.
Steve Jobs' lawyer may come knocking at the author's door handing him a subpoena about infringing Universal Binary patents.
And Mac fanboys may go about arguing that Windows and Linux are mere copy-cats and that they were the first to have Universal Binaries.
But you don't know whether to f8ck it, or take it to the ball game.
Table-ized A.I.
Here's why I don't think a binary virus is a big problem in Linux.
Every now and then I try to get a binary I downloaded working in Slackware Linux. First, the system complains that I don't have the 50 libraries it needs to run. After getting these libraries one by one off the internet, it stops complaining about the libraries but now complains that it wants version XXX of libc and I only have version YYY. And of course, there is no standard directory structure meaning libraries are often not in the right place for the binary. At this point, usually after a wasted day, I say screw it and give up.
So if there is some mythological Linux virus writer who can write a binary that will work on all Linux systems, I say we give him 10 million bucks to vet all the major code that people want to run on Linux but can't because of Linux's own version of MS dll Hell.
If I can't get binaries I WANT to run, run, then how the hell can this virus be universally executable?
A properly written Linux/Unix virus will do the equivalent of rootkitting the ".bashrc". It hides itself in that file - then it redirects input/output through itself, being the man-in-the-middle. You won't notice it unless you log in as root and see that users have a disproportionate amount of space.
However, from a proper security perspective, you won't log in as root - you'd use a "lesser" account and "su" to root. That's how the virus will infect the system - it grabs the root password while you type it in, and it rootkits the system.
If you stick with a mindset that viruses can't spread under Linux, then you'll end up with the exact opposite of what you expect. While we may not be at a tech level that makes this level of hacking practical (because it would generally have to emulate an entire operating system), don't be surprised when these attacks start appearing.
I'm not sure from TFA exactly what concept this thing is "proving".
But one I've been waiting for is a dual-boot virus or worm.
When you're running Windows, for instance, your Unix filesystems are all there to be twiddled with, if the malware knows how. Unix's protection mechanisms would be useless because they're not what's running. So the virus could infect the Unix partition and do all sorts of nasties later when you boot Linux. (The virus infection head or payload could include enough filesystem code to twiddle the Linux files even if the Windows system doesn't know how - all it needs is access to the raw bits, which good ol' Windows will be happy to grant.)
It could also work the other way, of course, with a linux virus or worm infecting things on the Windows partition. But given the relative vulnerabilities I expect most will work the other way.
Point is, a dual-boot system is only as secure as the weaker OS.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Why is this a big deal? Didn't the Morris worm hit more than one OS -- more than one processor architecture, even?
"Ambidextrous"? Whatever happened to "cross platform"? ...
It's important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven't done so already, Ullrich said.
So is that the real intention of the entire article? The original report is at viruslist.com, which is again a Kaspersky owned site. So take a guess...
Also, at the end of the story on SANS they have put up an update saying that the virus will have to run as r00t to be able to do any real damage. Kinda like most proof of concept virii developed for *nix in the past isn't it?
I thought Linux couldn't get viruses! :-S
It's OK Bender, there's no such thing as 2.
BTW, Have you heard of Plash or Systrace?
Unfortunately I don't think that many Linux systems are set up the way you describe, though I intend to make it my personal quest to make sure they are.
Also, have you come across a way of stopping GUI applications taking over other GUI application via the X protocol?
I know that it is possible to run X applications in untrusted mode, but I understand that it is still possible for untrusted applications to snoop on other untrusted applications via X, so we cannot simply run all applications in untrusted mode.
You are wrong:
Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of. The reason Linux users don't sweat is because flaws are spotted quickly by many people who read the code, and fixed quickly too. That and people who code open-source tend to produce good code, as a matter of pride.
Right, there are all sorts of flaws that have existed, get taken advantage of, etc. Many, such as the OpenSSL exploit from some time ago that production web servers waited to patch until the virus actually came out.
No, the reason is different. Linux security is simpler and it is often easier to balance usability and security. Thus the vectors for spreading viruses are far fewer on this platform. Of course, adware could still at some point become a problem, but I doubt viruses will ever be the problem on Linux that they are on Windows (note how many zero-day exploits we see on Windows).
LedgerSMB: Open source Accounting/ERP
Not really that surprising... I personally know 2-3 worms/viruses that infected more than one Operation Systems. http://www.kudige.blogspot.com/
Even microsoft employees use pirated editions.
The Cylons^H^H^H^H^H^H^H^H^H^H Windows makes fools of us all.
Change is certain; progress is not obligatory.
Admittedly, on my laptop I have my 'normal user' login name exempt from having to enter a password as root. I wonder how many other *nix users do this on their workstations.
Change is certain; progress is not obligatory.
OK, call me stupid (sigh! Thank you) but what's the big deal about a virus that can attack both EXE and ELF formats?
So it's an interesting exercise in writing portable code, but how is it more dangerous than, say, a two pronged attack which tries both formats?
Ah, well. I'd better start paying more attention to those MD5 checksums.
2. You have to have a kernel that supports ELF binaries - okay, accepted, and more than likely this support is on by default in most distros. However, change the setting and recompile the kernel unless you really need ELF support and the virus can't run anyway.
3. Infects every file in current directory - okay, so there are some assumptions being made here. Firstly, it's safe to assume that the virus won't infect text-based files, so scripts and "READMEs" won't be touched - therefore it's looking to infect binaries only. Now, it's probably safe to assume that the virus only infects other ELF binaries, but let's take a pessimistic approach and say that when you run the virus, all other binaries in the current directory will be infected. Putting root aside for a moment, that means that as a normal Linux user, you can only place and run that file in your home directory or a subdirectory off of it. So therefore, the scenario you are looking at is a normal user running the virus in a directory of binaries off of his home directory to make any threat to the system. Otherwise, as root, you'd need to plant the virus in /bin or /usr/bin (or in the $PATH somewhere) for users to unwittingly use it - erm, if you're a root user who puts unchecked binaries on his/her system, you DESERVE all you get and DON'T deserve to have root access!
I won't try to defend the Windows side of things in the same way because I'm not that deeply into Windows architecture but even with what I know, this virus on Windows seems MUCH LESS of a threat than many others on Windows.
Of course, it just so happens Kaspersky Labs make a virus engine that they license/sell to lots of other companies - call me a cynic but...
Gentoo Linux - another day, another USE flag.
At the moment, this really isn't much to worry about. It only infects ELF binaries and it can't even do a chdir(). Who has ELF binaries in their mail directory? If you have anything executable in your home directory, the greatest chances are that it's a Bash, Perl or Python script. System stuff is safely tucked away in /usr/bin where only root can access it {and likely subject to checksumming via package management}.
.....
A paranoid security policy
All file systems are encrypted at the device level. Meaningful access is possible only through use of system calls. Checksums of all important system files {using at least two unrelated algorithms} are maintained on a read-only file system, and continuously checked in the background. At the first sign of any change, network connectivity with the outside world is dropped. The process scheduler maintains not only a list of running processes, but also keeps a logfile of terminated processes.
Another idea
No two computers have the same instruction set. For example, the code for "LD AH, n" on one machine might correspond to "RR CL" on another. Binary programs compiled on {or for} a particular computer will only run on that computer; anything else will crash horribly and spectacularly. The "personalisation" is changeable by some process that requires interference with hardware and can only be performed deliberately; nobody except the administrator of a computer need know the personalisation that has been applied to it. The administrator of several computers can personalise them alike if desired, for the sake of convenience.
Malicious binaries can only propagate between computers with the same personalisation, or by knowing the personalisation of the target computer. Potentially-dangerous tools such as the compiler and assembler {into which the CPU personalisation must be coded} are kept on a file system which is not normally mounted.
The only difficulty I can see with this, is actually bootstrapping a system in the first place. I'm sure it's not impossible, though; and if it required some hardware operation that could not be achieved through software to enable this, then the initial bootstrapping process need not be considered a vulnerability.
All this being said, though, there's no substitute for users having a clue about security in the first place.
Je fume. Tu fumes. Nous fûmes!
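The two points raised in the comments above, that an appending infector only touches the binaries it can find in a directory, and that checksums of important files kept with two unrelated algorithms can catch any change, can be tied together in a small integrity checker. The code below is an added example written for this page, not code from any commenter, Kaspersky or SANS. It classifies files by their leading bytes (ELF or PE/MZ magic), records a SHA-256 and a BLAKE2b digest for each executable, optionally watches named non-executable files such as .bashrc, and reports modified, missing and new files against a saved baseline. The directory layout and the sample files are constructed for the demo; storing the baseline on read-only media, as the comment suggests, is left to the reader.

```python
"""Baseline-and-verify integrity check for executables (added example)."""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF object
PE_MAGIC = b"MZ"         # DOS/PE header signature of Windows .exe files


def classify(path):
    """Return 'elf', 'pe' or None from the file's leading bytes."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return None


def digests(path):
    """Two unrelated constructions (SHA-2 and BLAKE2) over the same bytes."""
    sha = hashlib.sha256()
    b2 = hashlib.blake2b()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            sha.update(chunk)
            b2.update(chunk)
    return (sha.hexdigest(), b2.hexdigest())


def baseline(directory, watch=()):
    """Map relative path -> (kind, sha256, blake2b).

    Every ELF or PE file under `directory` is recorded; file names listed in
    `watch` (e.g. ".bashrc") are recorded as kind 'watched' even though they
    are not executables, since they are a classic place to hide a hook.
    """
    table = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            kind = classify(path)
            if kind is None:
                if name not in watch:
                    continue
                kind = "watched"
            rel = os.path.relpath(path, directory)
            table[rel] = (kind,) + digests(path)
    return table


def verify(directory, table, watch=()):
    """Compare the directory against a saved baseline; return the findings."""
    current = baseline(directory, watch)
    modified = sorted(p for p in table if p in current and current[p] != table[p])
    missing = sorted(p for p in table if p not in current)
    new = sorted(p for p in current if p not in table)
    return {"modified": modified, "missing": missing, "new": new}


def demo():
    """Constructed scenario: take a baseline, then append bytes to one ELF."""
    watch = (".bashrc",)
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files: a minimal ELF header, a minimal MZ header,
        # a plain text README and a shell rc file.
        with open(os.path.join(d, "tool"), "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
        with open(os.path.join(d, "setup.exe"), "wb") as f:
            f.write(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        with open(os.path.join(d, "README"), "w") as f:
            f.write("plain text, not an executable\n")
        with open(os.path.join(d, ".bashrc"), "w") as f:
            f.write("export PATH=$HOME/bin:$PATH\n")
        base = baseline(d, watch)
        # Simulate an appending infector: the ELF grows; nothing else changes.
        with open(os.path.join(d, "tool"), "ab") as f:
            f.write(b"\xcc" * 16)
        return base, verify(d, base, watch)


if __name__ == "__main__":
    base, findings = demo()
    for rel, (kind, sha, b2) in sorted(base.items()):
        print(f"{rel:12} {kind:8} sha256={sha[:16]}... blake2b={b2[:16]}...")
    print("findings:", findings)
```

Running the module prints the baseline and then reports `tool` as modified while the README (never recorded) and the watched `.bashrc` (unchanged) raise nothing; the same functions can be pointed at /usr/bin or a home directory with a baseline written out by `json.dump`.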
The virus is written in assembler, which makes it processor specific.
Wow! Isn't it lucky that Apple has moved to the intel processor.
Now we can all share the joy!
It's a pain in the behind, but I always do this. Start a command prompt as a normal user, and type runas.exe /user:Administrator cmd.exe
Enter the Admin password when prompted. The command prompt that pops up runs as Administrator, and any process you start from that command prompt also runs as Administrator. I use the Administrator command prompt for starting and stopping services, opening the Administrative Tools, and launching the .exe files for software installers.
It's a little clunkier than su - but it works. On machines that I use frequently, I install cygwin and the first command inside the Administrator command prompt is C:\cygwin\cygwin.bat. Then I've got a handy suite of Unix tools I can run as Admin at my disposal, too.
I never log out and log back in as another user now.