Ambidextrous Linux/Windows Virus
Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."
"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.
Cue ominous thunder. (rolls eyes)
All this means is that data communications and storage has reached a point in time where no one (in theory) is going to notice that infected files get 3 or 4 megs chunkier. The virus writers still have to find vectors into these systems. If they can't find convenient vectors, then the ability to produce a fat binary is useless.
What is this need that security researchers have to claim that all systems are equally vulnerable? Are they worried they're going to be out of a job if everyone moves to more secure computing platforms? I mean, really. They should be encouraging mass migrations to other systems, as it diversifies the playing field and theoretically helps everyone remain safer. But I guess that's not their bread and butter.
Javascript + Nintendo DSi = DSiCade
No, but it is now ready of proof-of-concept cross-platform FUD.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
..to spread is the hard part.
i ndex.html
4
How to write a Linux virus.
http://virus.enemy.org/virus-writing-HOWTO/_html/
There are numerious reasons why this is true.
Reasons include:
GNU/Linux is a minority platform.
GNU/Linux is highly fragmented.
GNU/Linux security is refined and updated often.
GNU/Linux users are more educated.
Windows has numerious security design flaws that promote viruses, that GNU/Linux systems don't have.
Windows has numerious user interface design flaws that promote viruses, that GNU/Linux doesn't have.
Although this WILL CHANGE if certain Pro-GUI factions get their way.
Like having Gnome and KDE user interfaces ignore the traditional Unix permissions for certain types of files... http://thread.gmane.org/gmane.linux.xdg.devel/701
Damn stupid shit.
But as it stands now a combination of social and technical issues keeps Linux users safe.
One example of a flaw in Windows that causes easy transmission of viruses... Executable files are based on their file names, not based on a permission model.
And it's not just 'exe' or 'bat'.. Here is a partial list of executable file extensions in Windows.
ADE - Microsoft Access Project Extension
ADP - Microsoft Access Project
BAS - Visual Basic Class Module
BAT - Batch File
CHM - Compiled HTML Help File
CMD - Windows NT Command Script
COM - MS-DOS Application
CPL - Control Panel Extension
CRT - Security Certificate
DLL - Dynamic Link Library
DO* - Word Documents and Templates
EXE - Application
HLP - Windows Help File
HTA - HTML Applications
INF - Setup Information File
INS - Internet Communication Settings
ISP - Internet Communication Settings
JS - JScript File
JSE - JScript Encoded Script File
LNK - Shortcut
MDB - Microsoft Access Application
MDE - Microsoft Access MDE Database
MSC - Microsoft Common Console Document
MSI - Windows Installer Package
MSP - Windows Installer Patch
MST - Visual Test Source File
OCX - ActiveX Objects
PCD - Photo CD Image
PIF - Shortcut to MS-DOS Program
POT - PowerPoint Templates
PPT - PowerPoint Files
REG - Registration Entries
SCR - Screen Saver
SCT - Windows Script Component
SHB - Document Shortcut File
SHS - Shell Scrap Object
SYS - System Config/Driver
URL - Internet Shortcut (Uniform Resource Locator)
VB - VBScript File
VBE - VBScript Encoded Script File
VBS - VBScript Script File
WSC - Windows Script Component
WSF - Windows Script File
WSH - Windows Scripting Host Settings File
XL* - Excel Files and Templates
Good luck training users not to use those. And the fact that you can launch executable programs by double clicking email attatchments is another huge shitfest of bad designs.
I think you answered your own question in a way, if the host has x86 emulation, then why wouldn't it be able to? That said, it's a long way from a POC to a real live virus. I can write a virus today and claim a POC, nobody has ever said that Linux is immune to viruses. Viruses aren't that complicated. That said, an effective (ie. turn it lose and watch it spread) virus would be very difficult to achieve on Linux precisely because there isn't just one flavor of Linux, running the same binaries, on a single arch ... unlike another well known OS.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
it is because system design makes their impact minimal
Deleting everything in my home directory is anything but minimal.
Potentially exploting local privilage elevation exploits to get root is anything but minimal.
Infecting software after it has been compiled is anything but minimal.
Using social engineering to get root is anything but minimal. How many users do you know who would enter their superuser password to "get free screensavers"? Too many.
Pretending that you're protected by design to the problem indicates that you don't understand how viruses really work. Guess what? You can run as a non-root user in Windows, too. But you can still do a ton of damage as a normal user. Spam relays and DDOs botnets don't need root access, just the ability to send data over the network. How about modifying your GNOME or KDE menu to point to a fake terminal entry or fake admin tools? How do you know that the "gnome-terminal-emulator" you're now typing your password into (through sudo) isn't actually stealing it?
This is the real world. Attackers are smart, they are motivated by profit (because of the spambot racket), and they have plenty of time to find the next buffer overrun.
Here's a quick anecdote for you:
About a week ago, for various reasons, I decided to format my laptop and put Windows XP Professional on there. I previously had Slackware Linux 10.2 installed, but since my desktop has been dual-booting for a while, I figured I might as well get my money's worth and put Windows on the laptop (Linux also doesn't support the SD card reader, but that's another story). The installation went nicely, and I continued to do the tedious tasks that you do after a format. (validate windows, download patches, install drivers and apps, etc...) I installed a second user account for administrative uses and named it "Root".
I logged into my "Root" account, and installed Chessmaster 9000. When I logged back into my regular user account, the game wouldn't start. After a while, it dawned on me that Chessmaster installs the bulk of the data in your My Documents folder. So I uninstalled it, then tried to install it under my user's account. Now, if you're trying to install a program, and you're not the Administrator, a simple dialog will pop up and prompt you the password. However when the install finished, the program wouldn't start. Since I installed as Administrator (I had no choice), I the data was stored in the Administrator's My Documents folder. I tried to link to it - I even tried to install as Administrator, and put a link to his folder (and changing permissions) in the default folder so all users would use it.
Nothing worked properly. I ended up having to change my user account back to Administrator privileges, install the program, then change it back. And this is just for Chessmaster. Other programs are even worse. Doom 3, FarCry, and Call of Duty all install their data in the Program Files folder. So in order to play the game without being root, you have to change the permissions on the saved games folder.
The point of the story is this: Linux doesn't have the problems that Windows has, because it's more secure by design - not by luck. A significant amount of programs are designed for the user to have Administrator access, and assume that you will always run with such permissions. Windows didn't switch the masses to the NT design until XP, which was released 4th Quarter 2001. As a result, you have generations of programs that assume they can read/write whatever and wherever they want - leaving a mess for the end user to sort out. In the end, they'll just say to hell with it and run as Administrator.
(And that's not even addressing the masses that bought OEM pc's that run XP Home with Administrator priviledes by defaut)
Yeah, but even people that know about the "normal" user accounts quickly discover that almost all software written for windows doesn't handle non-admin accounts well. Ever try to install a program just in user space on Windows? If it works at all, you're lucky, and that isn't even scratching the surface of the problems. Got a network password? You can't just switch users to admin (like Linux) or use a sudo password (like Mac) - no, you need to log completely off of your user, then log on as the admin user, install the program, and log off as admin, then log back in as your regular user. Do you have any idea what a MASSIVE pain in the ass that is, especially when I have 20-30 windows open (many are Exceed based X sessions) and am trying to get work done? After 2 months of that and multiple programs that plain wouldn't work if they weren't running as an admin user, I switched back to running exclusively as an admin on Windows.
How do you get this "virus"? You have to run infected code, right?
Meh. Sounds like a non-issue to me. Especially considering the rarity of cross-platform Win32/Linux binaries.
Just how does this badboy get on to my system in the first place?
People need to understand that any system that permits a user to run unsigned executable code is susceptible to some kind of "malware", if you can call it that. I place these "viruses" in the same category of rm -r -f / wrapped into a shell script.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
There are lots of reasons why it's harder to infect 'NIX systems.
1. Since on many LiNuX distros, the single source of binaries is usually the distributions' package system, it is usually very easy to detect anything out of the ordinary. The trusted channel is a GOOD thing in these cases.
2. Add in a tool like AIDE (or Tripwire) and you can immediately see everything that is off with your system.
3. How about Linux (and most UNIX) not allowing ctime changes to anything but the current time? The ctime (often said as creation time, but wrongly so- it's the CHANGE time) on any update will always be the current time. The _only_ way around this is to change the system time before you modify files
4. Priv seperation is a big thing. Daemons aren't run as root (or if they do, they drop privs right away). There is no svchost.exe running your services at NT_AUTHORITY or SYSTEM like there is in Windows. Then of course there's no need to run your Web browser as a user with any rights at all. IE7/Vista will fix this of course. Personally I like making, even FireFox, setuid to some untrusted user with no access to files
5. Embedding scripting in every tool isn't as popular in the UNIX worlds, as the core tools work so well. There's no need for office software to have scripting capabilities to change all the files on teh system. There's no need for it!
So do cars, toasters, appliances, and pretty much every item. Welcome to the age where quality means nothing.
They produce good code because they do it for themselves. Most open-source developers are developing for themselves. Every project starts up as "this IMAP server doesn't suit my needs. I'll make a better one". Of course the people who do that are normally the technically able. People make projects for themselves because there's a need that hasn't been met or they're unhappy how it's being met by someone else. Otherwise there's lots of people wasting their time. DJB was unhappy with sendmail/BIND and made alternates. BincIMAP, COurier, and Dovecat folks make them because the others and UW-IMAP didn't do what they want. Patches are submitted to fix something that's affecting them, may affect them, or to add an enhancement they want. Time is money, and people ultimately want to contribute their time for their own benefit somewhere down the road.
Even then, you'd be surprised what you can accomplish to destroy the system. Keep in mind, if you're running a SINGLE USER system as a user in order to add security, you're protecting your LEAST valuable asset. I can blow away a system and install Windows/Office/Adobe and all the tools I need in a few hours and have it configured perfectly. I'm sure most people here can. Now replacing the data would take years! Replacing the productivity lost to viruses/spyware/virii can't be measured. Assessing the impact of leaked administrator and bank passwords could be huge!
-M
when you see the word 'Linux', drink!