Slashdot Mirror


Ambidextrous Linux/Windows Virus

Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from Windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."


  1. Re:How is it POC? by EndlessNameless · · Score: 5, Informative

    It seems that the reason it's considered a POC at this point is because it has no real payload. All it does is spread, and not nearly as heinously as Blaster/Welchia/Sasser.

    As soon as it gets backdoor or downloader functionality... then it becomes a more serious threat. And really you, me, and the guys at Secunia/SARC/SANS/ISC/etc all know that's where this is headed.

    So yes... in the sense of where this particular piece of malware is headed, this is a proof-of-concept. It's a live test of the propagation mechanism. The payload will be dropped into place soon... probably in the next version since this one looks like it's working fine.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  2. Re:Not to worry by Rosco P. Coltrane · · Score: 5, Informative

    Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

    Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of. The reason Linux users don't sweat is because flaws are spotted quickly by many people who read the code, and fixed quickly too. That and people who code open-source tend to produce good code, as a matter of pride.

    Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. Re:Limited to ASM? by x2A · · Score: 4, Informative

    It's not the first, I recall one before. And you don't even need detection code, you just write a different entry point address into the elf header as you would the exe header. You can have two different payloads, and two different copy mechanisms, as long as both copy both, not just themselves. In fact, there's no reason to stick to just 2. You can have a single virus that spreads across platforms/architectures, it just makes it bigger and easier to spot.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
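The entry-point trick x2A describes above (the same infector pointing the ELF header's e_entry or the PE header's AddressOfEntryPoint at its own code, with no runtime OS detection needed) can be shown concretely. The following is an added example, not code from the thread or from the Bi.a sample: it locates the entry-point field in either format, reads it, and rewrites it, which is exactly the operation both an infector and a scanner looking for tampered entry points care about. The two sample headers are constructed inline with only the fields needed to reach the entry-point slot and are not real binaries.

```python
"""Read and rewrite the entry point in ELF and PE headers (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def detect_format(data):
    """Return 'elf', 'pe' or None based on the file magic alone."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:2] == b"MZ":
        return "pe"
    return None


def _elf_entry_field(data):
    """Return (offset, struct format) of e_entry for a 32- or 64-bit ELF."""
    ei_class, ei_data = data[4], data[5]
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}[ei_data]
    # e_entry follows e_ident[16], e_type(2), e_machine(2), e_version(4).
    if ei_class == ELFCLASS32:
        return 24, endian + "I"
    if ei_class == ELFCLASS64:
        return 24, endian + "Q"
    raise ValueError("unknown ELF class")


def _pe_entry_field(data):
    """Return (offset, struct format) of AddressOfEntryPoint for a PE image."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_hdr = e_lfanew + 4 + 20            # skip "PE\0\0" and the COFF header
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint is a 32-bit RVA at +16 in both PE32 and PE32+.
    return opt_hdr + 16, "<I"


def _entry_field(data):
    fmt = detect_format(data)
    if fmt == "elf":
        return fmt, _elf_entry_field(data)
    if fmt == "pe":
        return fmt, _pe_entry_field(data)
    raise ValueError("unsupported format")


def read_entry(data):
    """Return (format, entry point) without caring which OS the file targets."""
    fmt, (off, sfmt) = _entry_field(data)
    return fmt, struct.unpack_from(sfmt, data, off)[0]


def patch_entry(data, new_entry):
    """Return a copy of data whose header now points execution at new_entry."""
    _, (off, sfmt) = _entry_field(data)
    buf = bytearray(data)
    struct.pack_into(sfmt, buf, off, new_entry)
    return bytes(buf)


# --- constructed sample headers (not real binaries) -------------------------

def make_elf64(entry):
    """Minimal 64-byte little-endian x86-64 ELF header with the given e_entry."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry,
                                 64, 0, 0, 64, 56, 0, 64, 0, 0)


def make_pe32plus(entry_rva):
    """DOS stub, PE signature, COFF header and the first 32 bytes of a PE32+
    optional header; enough to reach AddressOfEntryPoint."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)      # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase
    opt = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0x200, 0, 0,
                      entry_rva, 0x1000, 0x140000000)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for sample in (make_elf64(0x401000), make_pe32plus(0x1500)):
        fmt, old = read_entry(sample)
        hijacked = patch_entry(sample, old + 0x4000)   # hypothetical new code location
        print(fmt, hex(old), "->", hex(read_entry(hijacked)[1]))
```

The same `patch_entry` call serves both formats, which is the point of the comment: the infector only needs per-format knowledge of where the entry field sits, and the original entry value it reads is what it later jumps back to. A scanner can use `read_entry` the other way round, flagging executables whose entry point lies outside the code section or at the very end of the last section.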
  4. Re:Not to worry by Reo Strong · · Score: 3, Informative
    Ever heard about the runas command? It is also known as Secondary Logon.

    Remember, just because you don't know how to use it, it doesn't mean that the tool isn't there for you to use.

    --
    "Never attribute to malice that which can be adequately explained by stupidity." -Anon.
  5. Re:RunAs by E-Rock · · Score: 4, Informative

    No, just think harder.

    Run the Add/Remove Programs control panel applet as your admin account. Then use add new programs to run the installer. The other benefit is that the installer is running as admin, so you can browse to installs out on the network that live in places users can't reach.

  6. Re:Linux Infection Instructions by Xtifr · · Score: 3, Informative

    That's fine, makes sense to me, but you will still need root access to install it properly.

  7. Re:POC = Piece Of Crap? by urbanriot · · Score: 3, Informative
    Alas, deltree is gone in XP.

    I wish I knew what the new equivalent was. Right now I just use cygwin's rm -rf :\

    rd . /s /q

    Been around since NT.

  8. Re:Netcraft confirms... by jlarocco · · Score: 3, Informative
    Think of it - the kernel code is out there - it boots without any system libraries already being loaded. The printk (kernel print function) doesn't call the os at any point - it has enough knowledge to talk to the hardware directly.

    Any real operating system (Windows NT and up, Linux, *BSD, ...) prevents you from doing any of the stuff you mentioned. You can't just load a program and start doing low level IO to ports. You can't just bypass the MMU and paging system and write directly to physical memory. You can't just write directly to video memory. You can't just have your program load and start acting like it's the operating system. Any operating system worthy of being called an operating system prevents that. Device drivers would come closest, but they most definitely need system calls.

    So, do the same, and add enough functionality to read and write to the various filesystems out there, and you're home - you don't even need to do it in assembler ... just #include the appropriate pre-existing header files, and #include any code that you would normally call from a shared library.

    Yeah...okay. For the moment, let's pretend it's possible to directly access the disk and filesystem from a user program, without system calls. To be any use at all as a cross platform virus, the program would need access to NTFS, ext2, FAT32, and ReiserFS. Writing filesystem code isn't trivial. I would be very impressed if a single person could implement any one of those filesystems in a reasonable amount of time, and all 4 would be nothing short of impossible. Let's just say that if somebody had the skill to do it, they'd be too busy making buttloads of money to waste their time.

    #include the appropriate pre-existing header files, and #include any code that you would normally call from a shared library.

    I'd love to hear your explanation on how to do that...

    But, the whole thing is pointless. Even if you did manage to write filesystem support for all the required filesystems and were able to #include the code from the shared libraries the operating system would still stop you the instant you tried to read or write directly to the disk.

  9. Re:Not to worry by shaitand · · Score: 3, Informative

    The marketshare argument has been made before again and again. Until Linux has a 90% desktop share this cannot be tested. The best we can do is look to the other popular open source programs that do have a stronger marketshare.

    Apache is an excellent example, Apache is the market leader in a much more financially appealing segment than the desktop. Strangely it is Microsoft's underdog IIS program that suffers from exploits and worms.

    Remember the permissions model under linux does not allow you to simply click a link and execute code... not even local executable code.