Slashdot Mirror
Ambidextrous Linux/Windows Virus
Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."
I am curious about how this is a proof of concept virus if it has been done before surely the concept has already been proven?
GeekServ Unix Consulting Services (http://www.geekserv.com)
...BSD just coughed up water and started breathing again.
100 bi jokes to follow
"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.
Cue ominous thunder. (rolls eyes)
All this means is that data communications and storage has reached a point in time where no one (in theory) is going to notice that infected files get 3 or 4 megs chunkier. The virus writers still have to find vectors into these systems. If they can't find convenient vectors, then the ability to produce a fat binary is useless.
What is this need that security researchers have to claim that all systems are equally vulnerable? Are they worried they're going to be out of a job if everyone moves to more secure computing platforms? I mean, really. They should be encouraging mass migrations to other systems, as it diversifies the playing field and theoretically helps everyone remain safer. But I guess that's not their bread and butter.
Javascript + Nintendo DSi = DSiCade
... linux is ready for the desktop? [ducks]
I reserve the right to be wrong.
Windows users are prepared for viruses...
What bizarro Earth are you from?
welcome our new cross-platform proof-of-concept viral overlords.
Its almost like playing buzzword bingo.
Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.
Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of. The reason Linux users don't sweat is because flaws are spotted quickly by many people who read the code, and fixed quickly too. That and people who code open-source tend to produce good code, as a matter of pride.
Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Well it's about time! Finally inter-platform operability.
The race isn't always to the swift... but that's the way to bet!
I find it interesting that this 'virus' appears shortly after Symantec reportedly gets cushy with the Linux press
I have reverse-engineered the virus and discovered an insiduous distribution mechanism:
it is because system design makes their impact minimal
Deleting everything in my home directory is anything but minimal.
Potentially exploting local privilage elevation exploits to get root is anything but minimal.
Infecting software after it has been compiled is anything but minimal.
Using social engineering to get root is anything but minimal. How many users do you know who would enter their superuser password to "get free screensavers"? Too many.
Pretending that you're protected by design to the problem indicates that you don't understand how viruses really work. Guess what? You can run as a non-root user in Windows, too. But you can still do a ton of damage as a normal user. Spam relays and DDOs botnets don't need root access, just the ability to send data over the network. How about modifying your GNOME or KDE menu to point to a fake terminal entry or fake admin tools? How do you know that the "gnome-terminal-emulator" you're now typing your password into (through sudo) isn't actually stealing it?
This is the real world. Attackers are smart, they are motivated by profit (because of the spambot racket), and they have plenty of time to find the next buffer overrun.
It's not the first, I recall one before. And you don't even need detection code, you just write a different entry point address into the elf header as you would the exe header. You can have two different payloads, and two different copy mechanisms, as long as both copy both, not just themselves. In fact, there's no reason to stick to just 2. You can have a single virus that spreads across platforms/architectures, it just makes it bigger and easier to spot.
The revolution will not be televised... but it will have a page on Wikipedia
How do you get this "virus"? You have to run infected code, right?
Meh. Sounds like a non-issue to me. Especially considering the rarity of cross-platform Win32/Linux binaries.
Just how does this badboy get on to my system in the first place?
People need to understand that any system that permits a user to run unsigned executable code is susceptible to some kind of "malware", if you can call it that. I place these "viruses" in the same category of rm -r -f / wrapped into a shell script.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
To Infect your Linux box with Virus.Linux.Bi.a, please follow these instructions.
Enjoy
-- Will program for bandwidth
There are lots of reasons why it's harder to infect 'NIX systems.
1. Since on many LiNuX distros, the single source of binaries is usually the distributions' package system, it is usually very easy to detect anything out of the ordinary. The trusted channel is a GOOD thing in these cases.
2. Add in a tool like AIDE (or Tripwire) and you can immediately see everything that is off with your system.
3. How about Linux (and most UNIX) not allowing ctime changes to anything but the current time? The ctime (often said as creation time, but wrongly so- it's the CHANGE time) on any update will always be the current time. The _only_ way around this is to change the system time before you modify files
4. Priv seperation is a big thing. Daemons aren't run as root (or if they do, they drop privs right away). There is no svchost.exe running your services at NT_AUTHORITY or SYSTEM like there is in Windows. Then of course there's no need to run your Web browser as a user with any rights at all. IE7/Vista will fix this of course. Personally I like making, even FireFox, setuid to some untrusted user with no access to files
5. Embedding scripting in every tool isn't as popular in the UNIX worlds, as the core tools work so well. There's no need for office software to have scripting capabilities to change all the files on teh system. There's no need for it!
So do cars, toasters, appliances, and pretty much every item. Welcome to the age where quality means nothing.
They produce good code because they do it for themselves. Most open-source developers are developing for themselves. Every project starts up as "this IMAP server doesn't suit my needs. I'll make a better one". Of course the people who do that are normally the technically able. People make projects for themselves because there's a need that hasn't been met or they're unhappy how it's being met by someone else. Otherwise there's lots of people wasting their time. DJB was unhappy with sendmail/BIND and made alternates. BincIMAP, COurier, and Dovecat folks make them because the others and UW-IMAP didn't do what they want. Patches are submitted to fix something that's affecting them, may affect them, or to add an enhancement they want. Time is money, and people ultimately want to contribute their time for their own benefit somewhere down the road.
Even then, you'd be surprised what you can accomplish to destroy the system. Keep in mind, if you're running a SINGLE USER system as a user in order to add security, you're protecting your LEAST valuable asset. I can blow away a system and install Windows/Office/Adobe and all the tools I need in a few hours and have it configured perfectly. I'm sure most people here can. Now replacing the data would take years! Replacing the productivity lost to viruses/spyware/virii can't be measured. Assessing the impact of leaked administrator and bank passwords could be huge!
-M
when you see the word 'Linux', drink!
No, just think harder.
Run the Add/Remove Programs control panel applet as your admin account. Then use add new programs to run the installer. The other benefit is that the installer is running as admin, so you can browse to installs out on the network that live in places users can't reach.