Torvalds Creates Patch for Cross-Platform Virus
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof-of-concept virus covered yesterday, has shown that the virus does indeed not work with the latest kernel version, 2.6.16, and has even released a patch to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."
Gotta admire how Linus calls a spade a spade even when that spade is a Good Thing. Imagine how MS would spin this if it happened to them.
that's one up for good ol' fashioned hacking...
An old-timer with old-timey ideas.
I think you misunderstand. He fixed a flaw in the kernel that kept the virus from *working*. The patched systems should be vulnerable.
You say
...that linux was patched so that the virus would now function as expected? I'd hate to think we left any program behind.
as a patch or a bug or a buggy patch?
... not a bug.
Next week: "Torvalds Patches Kernel Against Cross-Platform Virus"
If Bill Gates had said that he proved this virus doesn't work on Windows, we're supposed to believe him, too?
MS's engineers and spin-meisters are the same people
am i rite guys?!?!
Who says this bug didn't mess with WINE libs, preventing OTHER programs from working correctly?
:)
Of course, we'll need a sandbox patch or something BEFORE windows viruses start affecting WINE+linux
Ok... now let's see Bill Gates issue his own patch. The clock's ticking, Bill. :)
This is my sig. There are many like it but this one is mine.
Linus did not create a patch for the virus. Linus created a patch for the Linux kernel, to fix a bug which happened to have been discovered by looking at the virus.
Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.
Tarsnap: Online backups for the truly paranoid
If it is a bug in the ABI relating to the kernel, you may have a problem. Binary apps such as those old Loki-ported games, or binary apps such as Oracle might have odd problems.
So it really is a good thing to patch.
Just because a bug is uncovered by a virus doesn't mean that it is not a bug.
LedgerSMB: Open source Accounting/ERP
Heh, there would even be 0 comments if you had gotten first post.
The proper unit is "comments per minute", which at the time of this writing is 30 comments / 26 minutes = 1.15 comments/minute. Now fixing your post:
"A pro-linux piece on slashdot with only 1.15 comments per minute?! Hell must have frozen over, where's all the rampant fanboyism and microsoft bashing?"
I don't want to get infected with any of them Windows viruses, Mac worms, or Linux diseases.
So I run NetBSD
On a VAX
I'm slow, but I'm not infected.
(that's what I tell my girl also)
I know it was a proof of concept but... does the virus perform better on Windows or Linux?
Some of the "fanboys" are applying the new patch, and the rest are looking at the contents of your hard drive right now.
So Linus found a bug in the Linux kernel by looking at why the virus *didn't* propagate in the 2.6.16 kernel... and then patched that bug so that the virus now propagates correctly? So now the virus works as intended... talk about virus-friendly. Given it's a good thing that a bug was fixed, but an exploit was also fixed as well... joy.
I think the viruses cause damage only if the person uses his machine logged in as root. If he is logged in as an ordinary user, I wonder how it is going to make a difference? At the most, some of his personal files may be modified or his keystrokes logged or the virus may use his machine to propagate to other machines. So what is the hoopla about this proof of concept virus which was created in a lab in some anti-virus company? I suspect this is a conspiracy of these anti-virus companies to stay afloat by creating a buzz about a virus in Linux.
Linux Help
for all things on Linux
from TFA:
This lends support to the speculation that this virus is not new code at all, in spite of how Kaspersky Lab is trying to use it to drum up new business. [...] And shame on the anti-viral industry, Kaspersky Lab in particular, for its attempts to deceive the public by passing off old code as something new.
-- 'The' Lord and Master Bitman On High, Master Of All
duh... why mod up the other dorky comments when the parent is the best?
The one time a Soviet Russia joke actually is appropriate for a news story and the poor guy still gets modded Redundant =/
Linus created a patch because of the virus. Thus, he created the patch for the virus. That is the meaning used in the article title.
What he patched was the Linux kernel. Thus, he created the patch for the kernel. You know this usage; however, it is not the only one. Your attempt at a correction was flawed.
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem."
Oh, um... Well, hmmm.
Thanks, Linus. I guess.
m-
You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
"So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."
Rule one of defective products:
If you can't fix it, feature it!
.. get the author of the virus to sign it off?
Today, we fix Linux to support a cross-platform virus; tomorrow: support for Windows viruses.
This is a really good insight, I think. While the rest of us are thinking about the "virus" and wondering what it means for the future, Linus identifies all these ignored technical aspects.
The power of a mind untouched by Slashdot?
it would be virii patch your kernel, not viruses...
To err is human; effective mayhem requires the root password!
http://dictionary.reference.com/search?q=viruses
Mod parent up. It's viruses, nothing else. Please. Certainly no viri*.
I can run Linux on a VAX, too!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
_Damn!_ Linus is _really_ on the ball these days, _man_.
Yes, behold the beauty of the power of open source. Bugs get fixed quickly, even bugs that deal with viruses.
>2 words:
>middle management
PHB's.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Soon Microsoft will release a patch to make the virus even more destructive on Windows, topping Torvalds' patch that re-enables it on Linux.
Well.. maybe. Or Maybe not. But Definitely not sort of.
You can shorten that. Just say "Management."
W^L+
Actually, Viruses would be correct.
http://www.google.com/search?hl=en&lr=&rls=WZPA,WZPA:2006-03,WZPA:en&defl=en&q=define:Virii&sa=X&oi=glossary_definition&ct=title
A patch to make sure a virus runs gives a whole new meaning to the term "bug compatible".
"So the 2.6.16 [kernel] effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."
Scott
©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
I'm confident there are exactly zero slashdot readers who are unaware that "virii" isn't technically correct ... I'm thinking GP was making some sort of joke that flopped.
What changed under Obama? Nothing Good
Yes Open Source, gotta love it. Isn't it an open source virus? Now when will it be on Sourceforge for download?
-- Brought to you by Carl's JR
Are you saying that the Linux kernel hasn't been saving and restoring registers properly?
Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem."
Is this similar to MS declaring that a virus is not a problem if the user has kept their machine up to date with patches? i.e. in theory they should have, but in practice a lot of people are still using a less than fully patched OS?
Blessed are the 1337, for they shall pwn the earth.
a post entitled "This is what we call geeks" was modded OT on /.?
what has the world come to??
I'm floored that this was modded insightful. Maybe a +1 "common sense", or a +1 "off-topic zealot", but insightful?
The gcc bug adds value by looking after you. That's gotta be a win for GNU.
Engineering is the art of compromise.
Performance is only a small part of the issue. You have to look at the TCO of running viruses to appreciate Windows properly. With Linux it is far harder to run a virus and you've got to train all your users to chmod etc. With Windows it's much easier, just double click or drag and drop. Now that saves you a bundle in IT tech support when people ask "how do I install virus X on my PC?" Further, with Windows you get a lot more choice. You can get a wide selection of popular viruses from easy to download sources. Linux is pretty short on choice, so if you switch to Linux you're limiting choice, which is UnAmerican.
Engineering is the art of compromise.
AFAIK, there is no actual exploit in the code provided. The virus only does things that a regular program should be able to do, given the correct permissions.
The virus, written in assembly, calls the kernel via a deprecated interface (int 0x80 instead of syscall). It happens to have a value in the ebx register that it needs after the (buggy) system call.
The bug in the kernel is due to the fact that gcc assumes the system call doesn't change user registers (which the kernel isn't supposed to, as a policy), so gcc forms code to make the system call in less time (fewer instructions, less overhead) by not caring about user registers. The fix for the bug simply restores the value of the ebx register to what it was before the system call, hence the bug now works (as it has the correct value in the ebx register).
In fact, it would bite any program doing direct syscalls rather than using libc, so it might break Linux handwritten asm code as well.
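The property the post describes, that a program keeping a live value in a register across a raw system call depends on the kernel's register-preservation contract, can be checked directly. The following is an added example, not code from the thread or from the virus; it targets x86_64 Linux, where the documented ABI is that the `syscall` instruction clobbers rax (the return value), rcx and r11 and leaves every other general-purpose register untouched. It loads a marker into rbx, invokes getpid with a raw `syscall` (no libc wrapper), and reads rbx back. The marker value and the -1 result on non-x86_64 targets are assumptions of this example.

```c
/* Added example: does a live value in rbx survive a raw x86_64 `syscall`?
 * This is the same contract the 32-bit virus relied on for ebx across
 * int 0x80, checked here on the 64-bit entry path instead. */
#include <stdio.h>
#include <stdint.h>
#if defined(__x86_64__) && defined(__linux__)
#include <sys/syscall.h>   /* SYS_getpid */
#endif

/* Returns 1 if rbx survived the raw syscall unchanged, 0 if it was
 * clobbered, and -1 when the check does not apply to the build target. */
int rbx_preserved_across_raw_syscall(void)
{
#if defined(__x86_64__) && defined(__linux__)
    const uint64_t marker = 0x0123456789abcdefULL;  /* constructed value */
    uint64_t after = 0;
    long ret;

    __asm__ volatile(
        "mov %[val], %%rbx\n\t"   /* value the program still needs later   */
        "mov %[nr], %%eax\n\t"    /* system call number: getpid            */
        "syscall\n\t"             /* kernel entry; ABI allows rax/rcx/r11  */
        "mov %%rbx, %[out]\n\t"   /* read rbx back once the kernel returns */
        : "=a"(ret), [out] "=r"(after)
        : [val] "r"(marker), [nr] "i"(SYS_getpid)
        : "rbx", "rcx", "r11", "memory");  /* tell gcc what we touched */

    (void)ret;  /* the pid itself is irrelevant to the check */
    return after == marker;
#else
    return -1;
#endif
}

int main(void)
{
    int r = rbx_preserved_across_raw_syscall();
    if (r < 0)
        puts("check not applicable on this target");
    else
        printf("rbx preserved across raw syscall: %s\n", r ? "yes" : "NO");
    return 0;
}
```

The clobber list is the part that matters for the gcc side of the post: a compiler only keeps a value safe across an asm block if the block declares which registers it (or the kernel it enters) may change. Omitting `"rcx", "r11"` from that list would reproduce exactly the kind of mismatch between compiler assumption and kernel behaviour the article describes, only with the fault on the user side.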
In a stunning turn of events, Bill Gates, in direct reaction to the so-called `miraculous' work of his archnemesis `everyone else', specifically in this case one `Linus Torvalds', descended from the airy heights of his vaulted palace office and personally recoded a mere thirty-seven megabyte section of the Windows kernel such that when the cross-platform virus ran on Windows, not only did it _merely_ operate, but also automatically rootkit'ed, automatically spread itself nimbly through Outlook & Express, RPC, and IIS, upstream hacked its way into Windows Update to be propagated worldwide, caused the usually subservient Office assistants to take up arms and attempt to revolt against their prior masters and lastly and most noticeably, the virus now replaces all data on all drives with repetitions of the word `cheese' excepting documents concerning ownership of military facilities, which are altered to state that all of the bases are owned by Mr. Gates.
When challenged by the media in a public park with allegations that this would destroy almost all of the personal computers and data stored on earth, he responded `Why are you on my land?'. Upon being informed he did not own the land, Mr. Gates purchased the park in an underhanded deal and, having proved his point, graciously donated the land to the local landfill as an extension to help hold the plethora of `free hours' CDs some company had sent to everyone. Five or six times.
</VOICE>
They're there affecting their effect.
an Anti-Virus/Malware Built Straight into the OS
Before any executable can be executed for the first time, the user will be prompted. Once the user accepts, some random data is attached as metadata to the executable and all of its dependencies. In the OS files, a checksum of that executable will be kept, matched with the name of the executable. For an application to start, the checksum of the random data attached must match the records of the OS. This way, no application can be executed without the user's knowledge.
Of course, when installing the OS, the included tools will generate its own junk and checksum to avoid having the user approve every single little tool.
For this to be effective, it must be built directly into the OS to prevent malware from bypassing it.
==========
What do you think?
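The scheme proposed in the post above is an allowlist-on-first-run check, and it can be sketched in a few dozen lines. The following is an added example written for this thread, not code from the post's author or from any operating system: on first launch a random nonce is generated and stored as a sidecar "metadata" file next to the executable, and an OS-side registry (an in-memory dict here) keeps sha256(nonce || file contents). Every later launch recomputes that digest and refuses to start the program if the record is missing or no longer matches. The sidecar suffix, the prompt callback, the registry representation and the sample files are all assumptions of this example.

```python
"""Allowlist-on-first-run check, modelled on the post's proposal.

Added example, not the post's or any OS's code. The registry would live in
OS-protected storage in a real design; here it is a plain dict (assumption).
"""
import hashlib
import os
import secrets
import tempfile
from typing import Callable, Dict, Tuple

Registry = Dict[str, str]       # executable path -> expected digest (hex)
META_SUFFIX = ".approval"       # sidecar carrying the random nonce (assumption)


def _digest(nonce: bytes, path: str) -> str:
    """sha256(nonce || file contents), streamed so large binaries are fine."""
    h = hashlib.sha256()
    h.update(nonce)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def approve(registry: Registry, path: str) -> str:
    """Record a first-run approval: attach a fresh nonce, register its digest."""
    nonce = secrets.token_bytes(32)
    with open(path + META_SUFFIX, "wb") as f:
        f.write(nonce)
    registry[path] = _digest(nonce, path)
    return registry[path]


def check_launch(registry: Registry, path: str,
                 prompt: Callable[[str], bool]) -> Tuple[bool, str]:
    """Decide whether `path` may start; returns (allowed, reason).

    Unknown executables go through `prompt`; known ones must match the
    registered digest exactly, so both a modified binary and a missing or
    altered sidecar are refused.
    """
    if path not in registry:
        if prompt(path):
            approve(registry, path)
            return True, "approved on first run"
        return False, "user declined"
    meta = path + META_SUFFIX
    if not os.path.exists(meta):
        return False, "approval metadata missing"
    with open(meta, "rb") as f:
        nonce = f.read()
    if _digest(nonce, path) != registry[path]:
        return False, "executable or metadata modified since approval"
    return True, "matches approval record"


def demo() -> Tuple[str, str, str, str]:
    """Constructed walk-through: first run, re-run, tampered run, declined run."""
    registry: Registry = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "tool")
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")        # constructed executable
        first = check_launch(registry, exe, lambda p: True)[1]
        second = check_launch(registry, exe, lambda p: True)[1]
        with open(exe, "ab") as f:
            f.write(b"echo appended\n")                # constructed modification
        third = check_launch(registry, exe, lambda p: True)[1]
        other = os.path.join(d, "other")
        with open(other, "wb") as f:
            f.write(b"#!/bin/sh\n")                    # second constructed file
        fourth = check_launch(registry, other, lambda p: False)[1]
    return first, second, third, fourth


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two design points follow from writing it out. The random nonce adds nothing over a plain content hash unless the registry itself is tamper-proof, which is why the post insists the mechanism be built into the OS rather than layered on top; and a check keyed on the executable file says nothing about what an interpreter or shell does with the data it is handed, so scripts and plugins need the same treatment as their host binary, as the post's "all of its dependencies" clause anticipates.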
int $0x80 is how all syscalls are called that don't have libc wrapped around them. How is that deprecated?
Bran muffins and whiskey.
if I'd lose all my personal files (mails, mp3s, documents, code) that would suck, man. my root-owned files... pfft, I'd just re-install the damn distro
It makes sense to me. Insightful is close enough to common sense here.
Basically, if I'm reading this correctly, the virus' correct operation depended on system calls to the Linux kernel keeping values of registers unchanged, which is the correct behavior. 2.6.16 broke this behavior, but since very little other code actually assumes this as well, we didn't get serious lossage, but we *might* for other code, and were the virus rewritten to not assume that register values were preserved by system calls, it might also work properly. At any rate, this virus would still have far less teeth on GNU/Linux than it would on Windows, unless someone was stupid enough to execute it as root. And well, if you're actually foolish enough to do something like that on GNU/Linux, then you're probably also foolish enough to enter rm -rf / or something equivalent as root at some point.
Give me six lines written by the hand of the most honest man, and I will find in them something to hang him.
I for one won't install proprietary viruses on my system. Unless the author releases it as Free software, I refrain from apt-getting it anytime soon..!
Linus is the management...
Analogies don't equal equalities, they are merely somewhat analogous.
Please. I tried rm -r /* in Ubuntu. It said "permission denied". why did it not remove items in /home/user?
My point with Linux was definitely not to claim Linux was better for that platform - it isn't. It was half intended to be vaguely humorous and half intended to provoke any Linux user reading it into wondering just what else is out there in the way of extensions and capabilities that they don't know about. It's too easy to assume that the mainstream kernel (or the one that comes with the distro) is all there is, when really it's only the leading edge of the very first part of the beginning of what's available.
(I wouldn't presume to do that for NetBSD, but only because I don't know of any extensions for it. If I did, and I had enough familiarity with that kernel, I'd probably be looking to stretch a few mental muscles there as well.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Linux: So secure we have to patch it to make viruses run.
I don't know how Ubuntu does it, but a common practice is to not allow listing of directories in /home, that way "rm -r /" won't be able to enter the home directories and erase what's in them.
If noone rtfa, then what's the slashdot effect?
Someone e-mails you a virus file shell script / bat file and you run it.
It looks something like this:
#!sh
cd ~
rm -fr *
And on the windows side (batch file):
del *.*
You then run to the closest NEWS site and report that your computer doesn't work anymore and you lost all your files.
Oh no! New virus!
All the Windows-loving NEWS editors with an IQ of less than 80 pick it up and run with it.
Must be a slow news day.
sysenter/sysexit is the preferred way now, and eventually the kernel may drop the int routines entirely (hence why dynamically linking to libc is recommended for anything that is intended to actually be used).
Not to mention the fact that if everyone were to use those routines directly, Linux would be very limited in what things could be changed safely. It's a lot harder to change the syntax of an interrupt call when everything relies on it, compared to changing the syntax of a library call that is mapped into the process's address space in userland.
Welcome to my world, Linux users!
So let me get this right: Windows viruses exploit bugs in Windows to work, and Windows has to patch the bugs to stop the virus.
In Linux the virus uses proper programming methodology to work, exposes a bug in the 2.6.16 kernel and will not run on 2.6.16, which Linus fixes. So now the virus works across the board.
This seems to boil down to:
Windows == Oh my god, a virus, quick, fix the bug and stop the virus.
Linux == Hmmm, it works everywhere except on the 2.6.16 kernel. Let's fix the kernel and make it work on all Linux systems.
I guess it just shows that even a well-written virus on Linux is no real threat.
Perhaps you missed the 'as root' part.
(And if you go and try that, you are an even greater fool)
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven...
HA! I know Slashdot is cultishly pro-linux, but the bias above is hilarious! I keep hearing Mr. Subliminal saying "Linus Torvalds (God) took a few minutes (every person in Seattle has been working at this individually and collectively this for weeks...) to prove (Bill Gates is just making stuff up, but anything Linus spends a few minutes perusing is proven. Oh, and despite the mobs developing Linux, )"
--Colin Jensen
colinandbethany.com
No, I wouldn't try that, even to prove a point. Hurts too much if I'm wrong, or got my permissions set up erroneously.
Yeah, I missed the as root part, Ubuntu has no root account by default, so I just assumed it was as a regular user.
If noone rtfa, then what's the slashdot effect?
...despite the mobs developing Linux, Linus should be given all the credit, Amen.)"
--Colin Jensen
colinandbethany.com
http://vx.netlux.org/src.php?info=clt.zip
Uh, hate to break it to you, but sysenter and sysexit are only supported on P6 and above. It is unlikely that int 0x80 is going away anytime soon.
LRC, the best-read libertarian site on the web