Torvalds Creates Patch for Cross-Platform Virus
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."
Gotta admire how Linus calls a spade a spade even when that spade is a Good Thing. Imagine how MS would spin this if it happened to them.
that's one up for good ol' fashioned hacking...
An old-timer with old-timey ideas.
I think you misunderstand. He fixed a flaw in the kernel that kept the virus from *working*. The patched systems should be vulnerable.
You say
...that linux was patched so that the virus would now function as expected? I'd hate to think we left any program behind.
as a patch or a bug or a buggy patch?
Next week: "Torvalds Patches Kernel Against Cross-Platform Virus"
We don't see the world as it is, we see it as we are.
-- Anais Nin
Who says this bug didn't mess up with WINE libs, preventing OTHER programs from working correctly?
:)
Of course, we'll need a sandbox patch or something BEFORE windows viruses start affecting WINE+linux
Ok... now let's see Bill Gates issue his own patch. The clock's ticking Bill. :)
This is my sig. There are many like it but this one is mine.
Linus did not create a patch for the virus. Linus created a patch for the Linux kernel, to fix a bug which happened to have been discovered by looking at the virus.
Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.
Tarsnap: Online backups for the truly paranoid
If it is a bug in the ABI relating to the kernel, you may have a problem. Binary apps such as those old Loki-ported games, or binary apps such as Oracle might have odd problems.
So it really is a good thing to patch.
Just because a bug is uncovered by a virus doesn't mean that it is not a bug.
LedgerSMB: Open source Accounting/ERP
Belief is not based on scientific evidence. Belief in this case is based on the reputation.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
I don't want to get enfected with any of them Windows viruses, Mac Worms, or Linux Diseases.
So I run NetBSD
On a VAX
I'm slow, but I'm not infected.
(that's what I tell my girl also)
I know it was a proof of concept but... does the virus perform better on Windows or Linux?
Some of the "fanboys" are applying the new patch, and the rest are looking at the contents of your hard drive right now.
If he provided a patch to ensure that it did work maybe :)
Are you an idiot? Linus patched the kernel so that the virus WOULD work. Why would he lie about it not working in the first place if he went ahead and fixed the problem?
I think the viruses cause damage only if the person uses his machine logged in as root. If he is logged in as an ordinary user, I wonder how it is going to make a difference? At the most, some of his personal files may be modified or his keystrokes logged or the virus may use his machine to propagate to other machines. So what is the hoopla about this proof of concept virus which was created in a lab in some anti-virus company? I suspect this is a conspiracy of these anti-virus companies to stay afloat by creating a buzz about a virus in Linux.
Linux Help
for all things on Linux
from TFA:
This lends support to the speculation that this virus is not new code at all, in spite of how Kaspersky Lab is trying to use it to drum up new business. [...] And shame on the anti-viral industry, Kaspersky Lab in particular, for its attempts to deceive the public by passing off old code as something new.
-- 'The' Lord and Master Bitman On High, Master Of All
Linus created a patch because of the virus. Thus, he created the patch for the virus. That is the meaning used in the article title.
What he patched was the Linux kernel. Thus, he created the patch for the kernel. You know this usage; however, it is not the only one. Your attempt at a correction was flawed.
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem."
Oh, um... Well, hmmm.
Thanks, Linus. I guess.
m-
You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
Today, we fix Linux to support a cross-platform virus, tomorrow: support for Windows viruses.
This is a really good insight, I think. While the rest of us are thinking about the "virus" and wondering what it means for the future, Linus identifies all these ignored technical aspects.
The power of a mind untouched by Slashdot?
it would be virii path you kernel, not viruses...
To err is human; effective mayhem requires the root password!
http://dictionary.reference.com/search?q=viruses
Mod parent up. It's viruses, nothing else. Please. Certainly no viri*.
I can run Linux on a VAX, too!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
_Damn!_ Linus is _really_ on the ball these days, _man_.
Yes, behold the beauty of the power of open source. Bugs get fixed quickly, even bugs that deal with viruses.
home
>2 words:
>middle management
PHB's.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Soon Microsoft will release a patch to make the virus even more destructive on Windows, topping Torvalds' patch that re-enables it on Linux.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Actually, Viruses would be correct.
http://www.google.com/search?hl=en&lr=&rls=WZPA,WZPA:2006-03,WZPA:en&defl=en&q=define:Virii&sa=X&oi=glossary_definition&ct=title
A patch to make sure a virus runs gives a whole new meaning to the term "bug compatible".
"So the 2.6.16 [kernel] effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."
Scott
©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
I'm confident there are exactly zero slashdot readers who are unaware that "virii" isn't technically correct ... I'm thinking GP was making some sort of joke that flopped.
What changed under Obama? Nothing Good
Yes Open Source, gotta love it. Isn't it an open source virus? Now when will it be on Sourceforge for download?
-- Brought to you by Carl's JR
I'm floored that this was modded insightful. Maybe a +1 "common sense", or a +1 "off-topic zealot", but insightful?
The gcc bug adds value by looking after you. That's gotta be a win for GNU.
Engineering is the art of compromise.
Performance is only a small part of the issue. You have to look at the TCO of running viruses to appreciate Windows properly. With Linux it is far harder to run a virus and you've got to train all your users to chmod etc. With Windows it's much easier, just double click or drag and drop. Now that saves you a bundle in IT tech support when people ask "how do I install virus X on my PC." Further, with Windows you get a lot more choice. You can get a wide selection of popular viruses from easy to download sources. Linux is pretty short on choice, so if you switch to Linux you're limiting choice which is UnAmerican.
Engineering is the art of compromise.
AFAIK, there is no actual exploit in the code provided. The virus only does things that a regular program should be able to do, given the correct permissions.
The virus, written in assembly, calls the kernel via a deprecated interface (int 0x80 instead of syscall). It happens to have a value in the ebx register that it needs after the (buggy) system call.
The bug in the kernel is due to the fact that gcc assumes the system call doesn't change user registers (which the kernel isn't supposed to as a policy) so gcc forms code to make the system call in less time (less instructions, less overhead) by not caring about user registers. The fix for the bug simply restores the value of the ebx register to what it was before the system call, hence the bug now works (as it has the correct value in the ebx register).
In fact, it would bite any program doing direct syscalls rather than using libc, so it might break linux handwritten asm code as well.
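The register-preservation property discussed in the comment above can be checked from user space. The following is an added example, not code from the thread, the virus or the kernel patch: it parks a sentinel in ebx (rbx on x86-64, where it uses the `syscall` instruction rather than `int $0x80`), makes an argument-free system call, and counts how often the sentinel failed to survive. The choice of getpid/getppid/getuid, the sentinel values and all helper names are assumptions for illustration.

```c
/* Added example: does a raw system call leave the caller's ebx/rbx intact?
 * Syscall selection, sentinels and function names are illustrative. */
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#if !defined(__i386__) && !defined(__x86_64__)
#error "This check is written for x86 and x86-64 Linux only."
#endif

/* Issue syscall `nr` (which must take no arguments, so ebx/rbx is free)
 * with `sentinel` held in ebx/rbx. The register's value after the kernel
 * returns is written to *after; the syscall result is returned. */
static long raw_syscall0(long nr, unsigned long sentinel, unsigned long *after)
{
    long ret;
    unsigned long b = sentinel;
#if defined(__i386__)
    /* Legacy software-interrupt entry, as used by hand-written asm. */
    __asm__ volatile("int $0x80" : "=a"(ret), "+b"(b) : "0"(nr) : "memory");
#else
    /* x86-64 entry; the instruction itself overwrites rcx and r11. */
    __asm__ volatile("syscall" : "=a"(ret), "+b"(b) : "0"(nr)
                     : "rcx", "r11", "memory");
#endif
    *after = b;
    return ret;
}

/* Returns how many (syscall, sentinel) pairs came back with ebx/rbx changed.
 * 0 means the kernel preserved the register in every case tried. */
int count_clobbers(void)
{
    const long nrs[] = { SYS_getpid, SYS_getppid, SYS_getuid };
    const unsigned long sentinels[] = { 0UL, 0xDEADBEEFUL, ~0UL };
    int clobbered = 0;
    for (size_t i = 0; i < sizeof nrs / sizeof nrs[0]; i++)
        for (size_t j = 0; j < sizeof sentinels / sizeof sentinels[0]; j++) {
            unsigned long after;
            raw_syscall0(nrs[i], sentinels[j], &after);
            if (after != sentinels[j])
                clobbered++;
        }
    return clobbered;
}

/* Sanity check that the raw call really reached the kernel. */
int raw_getpid_matches(void)
{
    unsigned long after;
    return raw_syscall0(SYS_getpid, 0x1234UL, &after) == (long)getpid();
}

int main(void)
{
    printf("raw getpid ok: %d, clobbered registers: %d\n",
           raw_getpid_matches(), count_clobbers());
    return count_clobbers() != 0;
}
```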
In a stunning turn of events, Bill Gates, in direct reaction to the so called `miraculous' work of his archnemesis `everyone else', specifically in this case one `Linus Torvalds', descended from the airy heights of his vaulted palace office and personally recoded a mere thirty seven megabyte section of the windows kernel such that when the cross-platform virus ran on windows, not only did it _merely_ operate, but also automatically rootkit'ed, automatically spread itself nimbly through outlook & express, rpc, and IIS, upstream hacked its way into windows update to be propagated worldwide, caused the usually subservient office assistants to take up arms and attempt to revolt against their prior masters and lastly and most noticeably, the virus now replaces all data on all drives with repetitions of the word `cheese' excepting documents concerning ownership of military facilities, which are altered to state that all of the bases are owned by Mr.Gates.
When challenged by the media in a public park with allegations that this would destroy almost all of the personal computers and data stored on earth, he responded `Why are you on my land?'. Upon being informed he did not own the land, Mr.Gates purchased the park in an underhanded deal and having proved his point, graciously donated the land to the local landfill as an extension to help hold the plethora of `free hours' CDs some company had sent to everyone. Five or six times.
</VOICE>
They're there affecting their effect.
int $0x80 is how all syscalls are called that don't have libc wrapped around them. How is that deprecated?
Bran muffins and whiskey.
if id lose all my personal files (mails, mp3s, documents, code) that would suck man. my root-owned files .... pfft, id just re-install the damn distro
Basically, if I'm reading this correctly, the virus' correct operation depended on system calls to the Linux kernel keeping values of registers unchanged, which is the correct behavior. 2.6.16 broke this behavior, but since very little other code actually assumes this as well, we didn't get serious lossage, but we *might* for other code, and were the virus rewritten to not assume that register values were preserved by system calls, it might also work properly. At any rate, this virus would still have far less teeth on GNU/Linux than it would on Windows, unless someone was stupid enough to execute it as root. And well, if you're actually foolish enough to do something like that on GNU/Linux, then you're probably also foolish enough to enter rm -rf / or something equivalent as root at some point.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
I for one won't install proprietary viruses on my system. Unless the author releases it as Free software, I refrain from apt-getting it anytime soon..!
Then if someone replaces an executable, it should also have the same checksum. If changing the executable changes the checksum, then how does one recompile? If it doesn't change the checksum, then what protection is there?
The question is, how does one distinguish between authorized and unauthorized changing of executables? Would the anti-malware application simply reprompt the user for permission? If the user doesn't have permission to edit/delete/install the executable, then why should the user have permission to approve it?
Linus is the management...
Analogies don't equal equalities, they are merely somewhat analogous.
My point with Linux was definitely not to claim Linux was better for that platform - it isn't. It was half intended to be vaguely humorous and half intended to provoke any Linux user reading it into wondering just what else is out there in the way of extensions and capabilities that they don't know about. It's too easy to assume that the mainstream kernel (or the one that comes with the distro) is all there is, when really it's only the leading edge of the very first part of the beginning of what's available.
(I wouldn't presume to do that for NetBSD, but only because I don't know of any extensions for it. If I did, and I had enough familiarity with that kernel, I'd probably be looking to stretch a few mental muscles there as well.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Gotta be said, it speaks wonders for Linus' confidence in his security model. :)
Half the planet is running around screaming "There's a virus for Linux!!11!!", Linus looks at it, shrugs, and quietly patches the Kernel so the damn thing runs right. lol
It's like Linus is telling us: Yeah, it's a "virus", so what? It's just doing what any program *should* be able to do on Linux. lol, he ain't worried at all.
Some folks call it a virus, to him it's just a program like any other...
Linux: So secure we have to patch it to make viruses run.
I don't know how Ubuntu does it, but a common practice is to not allow listing of directories in /home, that way "rm -r /" won't be able to enter the home directories and erase what's in them.
If noone rtfa, then what's the slashdot effect?
Someone e-mails you a virus file shell script / bat file and you run it.
It looks something like this:
#!sh
cd ~
rm -fr *
And on the windows side (batch file):
del *.*
You then run to the closest NEWS site and report that your computer doesn't work anymore and you lost all your files.
Oh no! New virus!
All the windows loving NEWS editors with an IQ of less than 80 pick it up and run with it.
Must be a slow news day.
Sure, but is that a reason to get it modded up to "5, insightful" when all it contains is a smiley ? C'mon, modbots, there are many more insightful posts in this discussion that would appreciate some moderation boost !
In Soviet Russia, our new overlords are belong to all your base.
So let me get this right, Windows viruses exploit bugs in windows to work and windows has to patch the bugs to stop the virus.
In Linux the virus uses proper programming methodology to work, exposes a bug in the 2.6.16 kernel and will not run on 2.6.16, which Linus fixes. So now the virus works across the board.
This seems to boil down to.
Windows == Oh my god a virus, quick fix the bug and stop the virus.
Linux == Hmmm, it works everywhere except on the 2.6.16 kernel. Let's fix the kernel and make it work on all linux systems.
I guess it just shows that even a well written virus on linux is no real threat.
What I tried to imply is this mental picture: someone posted a virus for Linux, and Linus wasn't worried about PR or any implication of "Linux is insecure". Instead, he was worried about a kernel/gcc bug that was exposed by the virus, although the bug actually could help to defeat the virus. And he went on to fix the bug and let the virus run.
This is quite a picture that shows how a geek reacts. He only sees the technical side of everything and is honest about it. No politics, no B.S. And here comes the title: this is what we call geeks. It's getting silly to have to elaborate. I thought people would get it, although I wasn't expecting either an OT or an Insightful. But with both replies to my posting arguing how it should have been modded, it seems I have to do this silly thing. I should remember that insightfulness surely is related to length of the text.
Perhaps you missed the 'as root' part.
(And if you go and try that, you are an even greater fool)
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven...
HA! I know Slashdot is cultishly pro-linux, but the bias above is hilarious! I keep hearing Mr. Subliminal saying "Linus Torvalds (God) took a few minutes (every person in Seattle has been working at this individually and collectively this for weeks...) to prove (Bill Gates is just making stuff up, but anything Linus spends a few minutes perusing is proven. Oh, and despite the mobs developing Linux, )"
--Colin Jensen
colinandbethany.com
No I wouldn't try that, even to prove a point. Hurts too much if I'm wrong, or got my permissions set up erroneously.
Yeah, I missed the as root part, Ubuntu has no root account by default, so I just assumed it was as a regular user.
If noone rtfa, then what's the slashdot effect?
...despite the mobs developing Linux, Linus should be given all the credit, Amen.)"
--Colin Jensen
colinandbethany.com
Uh, hate to break it to you, but sysenter and sysexit are only supported on P6 and above. It is unlikely that int 0x80 is going away anytime soon.
LRC, the best-read libertarian site on the web