This is just marketing fluff. I've seen this so many times.
He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit doesn't realise that COOs don't know anything, might take him seriously.
If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.
The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things you're trying to handle. So, where do antivirus companies get specimens?
Two sources. 1) from their customers. This legislation would make it illegal for customers to send specimens to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.
2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.
I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.
I bumped into this several years ago, in the antivirus field. "Get the product certified," said the marketing department. "Some big corporates want to see an official certification," said our sales people.
So I looked into it. At the time, it was called "Itsec", now it's "Common Criteria". It was run, in those days, by the electro-spooks, based in Cheltenham.
When I found what it was, I was absolutely ROFL.
I, the vendor, was expected to state the functionality of the product, what it was supposed to do, security-wise. They call this the TOE, "Target of Evaluation".
They, the evaluators, would check that it met that functionality, and give me a certificate if it did.
So far, so good. But what's the right functionality? In my case, what functionality should an antivirus have (rhetorical question, please don't tell me, except it isn't as simple as you might think).
So, I said to the people who ran the scheme, Suppose I define my functionality as "Comes in a blue box". Could I get an Itsec certification for that? The answer boiled down to "Yes, but that isn't a security issue". "Yes it is," I said.
Um. Who defines what is a security issue and what isn't? I was saying that the lack of a blue box, was a security issue. How do you say it isn't? Anyway, that's my TOE, please certify it. Well, it never got that far, that was just my way of telling them that their scheme was a joke.
So I went to a pal of mine who ran the security department at a university, suggested that he set up a certification scheme, and got the product certified under that instead. That made our marketing people happy, also our sales people. Customers had a certification to pin on the wall, everything was tickety-boo.
Except the government people, who knew they were being made monkeys out of, because I threw that "Comes in a blue box" thing at them at every conference and seminar I went to, and I heard that it started to seriously embarrass them, because people started asking questions about the value of their certifications. There's more in that thread - things did start to change, but the change didn't happen in the end.
Now, I'm not suggesting that the Microsoft certification says "Comes in a blue box." But until you've read the TOE, you don't actually know what security functions have been certified.
"Antivirus companies NEED viruses, and they don't just happen."
Before I started doing antivirus software, I ran one of the first data recovery companies, getting folks data off hard drives that didn't work any more. I didn't NEED viruses. When they happened, I decided it was something I wanted to get into.
The first virus I saw (1987) was Brain (allegedly written in Pakistan, I have doubts about that). And it was A) interesting technically, and B) I guessed that this would become an increasing problem on PCs. Well, I was right, I wrote a great scanning engine (you expected modesty?) and we sold product to loads of people.
I remember, in the spring/summer of 1989, a few months went by without any viruses appearing. There was a chap in the AV world I used to gossip with, and we talked about this. Have they stopped? Is it all over? About a dozen viruses, and that's it? It didn't occur to me, and I don't think it occurred to him, to "help things along" by writing a few viruses.
Now, there's a few hundred each month.
Incidentally, there are a few Linux scanners; that's what I was using to identify the Win32 viruses that people were inadvertently emailing me. NAI (McAfee) does one (porting the engine to Unix was my initiative, back when I ran the company that carried my name), so does F-Prot, so does Sophos, so does Norman and there's probably others. Some of these might still be beta; contact the companies to get the latest info. I think at least some of them might be free. Again, check for yourself.
There might be some open-source scanners, but I don't know of any.
"As for antivirus software? It is interesting that it often gets written BEFORE the virus is really discovered. "
Would you care to give several examples of this, so that I can disagree? Because if you're correct, that's a very incriminating smoking gun, and worth taking to the police authorities of the country where it happened.
Of course, you aren't referring to heuristics, which aim to work in a semi-generic way, or to entirely generic software (such as change-detection). And I guess you aren't referring to the fact that a detector for W32.nastyvirus.a might also detect W32.nastyvirus.b and .c, although not .d, because the explanation for that is pretty obvious - the viruses are very similar.
Your statement seems to say that the detection for a specific virus is *often* written before that specific virus is discovered, and I'd like to hear some instances of this situation.
Because my opinion is that this has never happened.
It's viruses, not viri. And I'm not going to discuss that further, that's a Latin and English grammar issue, of no real interest to most people.
The thing is:
A) Like I said in the first place, I can really only speak for myself and for the company that carried my name. But! As of 1998, I knew the technical people in many (most) of the other AV companies (it was a small and friendly world, the techies used to gather a couple of times each year at the big AV conferences). And it really was anathema to write and release a virus.
Here's an example of how small and tight-knit the techies were. I got a phone call one evening from a guy in the virus lab at a competitor. He had a virus to do (write the driver for), he'd done a zillion already today, he was punch-drunk on coding, and his management were screaming at him for the fix for that virus, could I...
And I told over the phone, exactly how to detect and repair infected files for that virus. Why? Because I felt close to him as a fellow AV techie with Pointy-Haired Management on his back.
Heh. A few years later, I hired him to work for my company :-)
Anyway. We knew each other as well as that. And I really don't think that any of those guys were writing and releasing viruses.
B) And I don't have any proof that I didn't write a virus. Like I don't have any proof that I never killed a cat. I don't even have any *evidence* that I never killed a cat, let alone proof. Ultimately, you either believe me or you don't. There's nothing I can give you to help you make that choice.
And I guess that there might be some dentists who hand out sweets in order to hasten tooth decay, and some firemen who start fires for fun and profit. But if you tell a fireman that to his face, don't be surprised if he gets angry. What I'm saying, is that you're free to insult people, please just be aware that you're issuing an insult.
Writing viruses doesn't test an antivirus. Like I said in a recent post, it's trivially easy to write a virus that any given AV won't detect.
But what we did do, was think about possible future viruses and virus-writing techniques. And once you've dreamed up a new way to kill a cat, you don't actually have to kill a bunch of cats to prove that it works, all you need to do is improve your anti-cat-killer so it prevents that new technique.
By the way, if some virus author actually uses this hypothetical technique, it'll probably be somewhat different from how you thought anyway.
And the virus lab, where viruses are sent for analysis, had better have good physical security. We used a self-locking door, and a "one-way" rule for diskettes, and an isolated local network, and several non-networked machines. Even today, years later, when I see a red coloured diskette, I get wary.
And what came out of the virus lab, every now and then, was the source code for the drivers (that's the DAT file, it's actually written in a language I invented called Virtran). And the source code for the AV engine.
We never had an escape.
But here's a funny story.
It was at an Eicar (European Institute for Computer Antivirus Research) conference. One of the main techies (and a well-respected guy) for a company had his laptop along with a Powerpoint presentation. And there at the conference, we found that his laptop was infected with a boot sector virus (I think it was AntiEXE, or was it AntiCMOS? Can't remember.). Big oops. But no harm done.
No. There's really no point in writing viruses to test your antivirus. With a virus-specific detector, the question is, "can it detect Smeg", so you make a million instances of Smeg, and check that it spots 100%. With a heuristic, you *know* you aren't going to get 100%, so it tells you nothing if you find a virus it can't detect.
The other big test is the false alarm test. We used a massive accumulation of software to check for false alarms; the objective is zero, and nothing else would pass the QC.
And it's still true. I don't use AV software. Instead, I have a bunch of procedures that I follow.
For some months in 2001, I did use an antivirus, because I was getting emails including Sircam, Magistr, Badtrans etc, and I wanted to email back to the sender to tell him which virus he had, and how to get rid of it. Now I'm getting dozens per week, the reply address is spoofed, I've stopped telling the sender that he has a virus, so I no longer have a need to know which virus I just got sent; all I need to do is delete it.
To most people, there's no difference whatsoever. To AV folks, a worm is just a particular subset of the class of viruses.
Klez, the number one virus today, is a worm. I haven't checked the numbers, but right now, I'm guessing that email accounts for 99% of virus (i.e., worm) transmission. And I'd guess that the majority of in-the-wild viruses today, are worms.
How could a virus get widespread on Unix? First, you have to drop the assumption that all Unix users are sophisticated /. readers. Increasingly, as Linux becomes more and more popular, Linux users are going to be no more sophisticated than the average user today.
And when Mr Average User is running his point-and-click email system on Gnome, and a known and trusted friend (spoofed address) sends him "Funny Joke" or "Useful Program" the likelihood of him clicking on it is just as great whatever OS he's running.
OK, clicking on it won't work, it's 0644. Or will it be? And does it matter if it's 0644, maybe it can still get executed?
I haven't tried to write a virus (see my original posting), but you can be sure that whenever AV folks get together and have a few beers (beer is crucial to the AV industry) one of the subjects that comes up is "what if?". And we talk about techniques for writing interesting and difficult-to-handle viruses. This speculation is useful, of course, it makes us think ahead. Well, that's how it was a few years ago, I guess it's the same now.
So, let's speculate a little (and I haven't tested any of these ideas with any mailers or Linux UIs).
What if you emailed a tar file, and the mailer is set to untar it (AOL has a neat feature, when someone receives a zip file, AOL automatically unzips it)? Now you have a 755 file, right? User executable - now all you need to do is persuade the user to click on it, which has never been a difficulty. "Click here".
Or how about your suggestion. Persuade the user to open a terminal window and type perl funnyjoke. Mr Average User really doesn't understand the consequences of doing that, especially when the original email came from a trusted source (or so he thought). It doesn't feel to him like he's bypassing a security system. I mean, what kind of security system is it that can be bypassed so easily?
Or how about this. In the user's home directory, there's .bash_profile. That's 644, the user can overwrite it, or change it (and if the user can do that, maybe some mailers can replace it with an incoming enclosed file, the mailer has at least the same privilege as the user). And then the next time that user logs in, he runs that revised script.
The distinction between executable and non-executable isn't as black and white as one might have thought.
Now consider Word (and Office in general). A lot of people have opined that the non-existence of a good Linux Word-compatible program is one of the barriers to Linux acceptance in the corporate world. So, suppose someone made such a clone. Now you have the whole macro-execution thing to worry about. Users get emailed a document written in Word for Windows; the macros also work under Linux, because the platform is Word, not Windows or Linux. Word for Windows macros work just fine on Word for Mac (at least, they did a few years ago, things might have changed since I was current, but I doubt it).
And Jane User has write access to all her own documents. And then emails one to a colleague...
Now, what about us sophisticated folks, how could we get hit by a virus?
Well, I don't know about you, but when I download and compile a tarball, I don't actually read through megabytes of source code looking for a self-replicator. I trust the source. I guess almost everyone does the same. And what is the source? Well, I trust RedHat CDs, I trust the Red Hat web site almost as much (assuming no sneaky DNS spoofing...)
OK, so the RedHat site is OK, but I also go to DaveCentral, and Freshmeat, and SourceForge, and the CGI Resource, and I follow links from there to the web site that the software came from....
In other words, I get software from *all over*, and I'd guess that other folks do too.
And your point is that *you* get to make the decision about who to trust; my point is that Mr Average User gets that *badly* wrong, and I will too, sometimes. It's a balance. I *really want* this program that synchronises my system clocks, and the site I got it from certainly looks OK, I mean, all the words are spelled pretty much right and there's not a single "31334" there.
And we all know, you can't have a virus on Linux, so I don't actually have to be the least bit careful, right? Wrong.
"I'm not worried about viruses"
I agree, you don't have to be worried. But I'd suggest that you be at least a little bit *careful*.
So, why should you care if Mr Average user hoses his data?
A) because you're his tech support person, and you're the one he'll complain to.
B) because he's now sending worms to everyone else on the subnet, because that's what this worm does.
C) because some worms choose a random file to mail out, and that can be *really embarrassing*.
On your final point about virus scanners; you're assuming that a heuristic searches for unlink; I doubt if any heuristics do that. I personally never wrote a heuristic (it wasn't needed when I was in the game), but I know folks who wrote the ones that are in scanners that are in very common use today, and I remember one of them telling me about one of the heuristics in the scanner for Word viruses, and it was looking for something I'd never heard of, that was to do with copying macros. You don't look for the damage routine, you look for the self-copying routine. And there's probably a lot more on heuristics; like I said, I never wrote one, so I don't know.
It is *trivially easy* to write a virus that today's scanners can't detect. A scanner is looking for a particular bunch of things; all you need to do is keep changing your virus until the scanner doesn't detect it any more.
And you don't need to be knowledgeable to write a virus. A virus is just a program that copies itself. You could write that in perl in not many minutes. Add the code to look for another .pl program, and have the virus edit that to include your virus. You could add calls to copy across the net in a few minutes more. And it's at that point that you can start getting fancy. Please don't assume that virus authors are all really great programmers; more than 99% of them are not. I know because I used to disassemble their code.
Today, there isn't a significant virus problem in Linux. I hope it stays that way.
Your rootly precautions are good; my point is that a user doesn't need root privilege to get infected and lose data, and a file doesn't need executable privilege in order to get executed.
At worst?
Destroying data files isn't what you should worry about; as you pointed out, that's easy to fix.
Far more worrying is a virus that makes minor changes to your data files. And how long will it be before you notice? And how old a backup will you restore?
The short answer is no. The longer answer is given below.
First, I'll explain who I am. I'm Alan Solomon, I'm a programmer, I designed and coded the engine in Dr Solomon's Antivirus, that engine is now also used in the McAfee (Network Associates) scanner (although I'm sure that by now it's somewhat different from the engine I wrote).
I worked in the AV world from 1988 to 1998. I'm doing other stuff now, I don't have any ownership in any antivirus companies. Also, caveat, I've been out of this business for a few years, so my knowledge-state isn't current. And, of course, I really can only speak for myself, and the company that bore my name. I can't really speak for other companies.
I used to get asked "Do antivirus companies write viruses?" a lot. It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay. However, I always tried to contain my irritation at the insult (on account of my guess that most people asking me this, don't realise it's an insult) and the answer is "No."
1. It's unethical. But I guess if you believe that the antivirus folks are a bunch of unethical scroats, that's not a very convincing reason. Actually, the technical folks in the AV industry have to be *very* ethical. Because unethical ones tend not to be accepted by the consensus, and thereby lose a crucial source of information exchange.
2. It's illegal (actually criminal, virus authors have been put in prison for this. Chris Pile (the "Black Baron") got 18 months, for example). And you can get caught (ask Pile). If you think a company could ask a programmer to write a virus, and hope that no-one else in the company would know about this, and that there's no risk of jail - think again. You have to be *really stupid* to write a virus when you're not able to guarantee anonymity. Of course, you have to be pretty stupid to write a virus at all. By the way, 99% of the viruses that I analysed were really crudely made; some didn't even work at all.
3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.
4. It takes too long. I'd estimate that the Simile virus, as described, took months and months to develop. It took McAfee two weeks to do the detector; Symantec about the same. So, if the AV companies had to write the viruses as well as do the Antivirus, they'd need 10 or 20 times as many programmers. And you'd have to keep that lot a deadly secret, of course.
You can't imagine what it's like in a virus lab. There's N new viruses per month, where N isn't a fixed number. And there's M people to do the analysis and coding, and M is never enough. It was like being on a treadmill, and you know that the treadmill is getting faster all the time. Write new viruses? ::laughs hysterically:: We barely had time to post on alt.comp.virus in Usenet.
So why do antivirus companies sometimes see viruses before any users? Simple. The virus authors send them. The first time this happened was over a decade ago; it surprised me then. And we thought it through at that time. Do we just delete it, and pretend it didn't happen? If you've been sent a virus, and you think you're the only person in the world who has a copy of that virus, you can destroy it, and the world has one virus less. But if there's a chance that the virus author has, or will, release it in the wild, you have to build detection for that virus.
Also, you have to give a copy to the other antivirus companies. Because we programmers made an agreement between ourselves that we wouldn't force users to buy three different products to detect three different viruses, that we wouldn't compete on the basis of "we can detect X virus and no-one else can". We'll compete on price, speed, accuracy, tech support, etc etc, but not by restriction of virus samples between trustworthy AV companies.
So, once the virus author gives it to one AV company, all the AV companies have a sample (shortly after) and that virus might not be in the wild, and might never get into the wild. But you can't be sure. For this virus, we read that the virus author sent it to 14 AV companies.
There's a separation in AV companies between the programmers, who do the virus analysis and coding, and the marketroids, who do the, uh, marketing. The marketroids are constantly trying to persuade people to buy AV software, the programmers constantly trying to hold them in some degree of responsible check. The programmers do have a degree of control, via mechanisms that we put in place a decade ago, but it's impossible to persuade anyone that when a new and technically interesting virus comes along, that people should not be told. You really can't, and shouldn't, try to keep a new and technically interesting virus, a secret. Of course, then the media get their paws on it, and blow up a scarestorm. How do we stop that? I don't think we can.
I haven't seen or analysed this virus, but from what I've read, it does look A) technically interesting, and B) a complete pig to design detection for (detection means, you always spot the virus when it's there, and you never give a false alarm when it isn't). This virus is technically interesting because it's cross-platform. And it's a complete pig to detect because B.1) it's polymorphic, meaning if you put several samples side by side, there isn't any byte-string that you can be sure will be in all of them, B.2) it's metamorphic (meaning, it's horribly horribly polymorphic, even after you decrypt it you don't have any constant byte-string) and B.3) entry-point obfuscation (which means you don't even know where to start looking for the virus, all you know is that it might be somewhere in the file).
The fact that the AVERT folks (McAfee) have admitted that this one virus will cause "a slight performance decrease" in the virus scanner, means that this is a significant virus; pretty much every virus causes a near-zero impact on scanning speed. I'd guess that "ActiveDAT technology" means "we've encoded some executable code in the DAT file which the scanner will run". In other words, they had to write a subroutine specifically for this virus.
That's something that you don't expect to do more than once every couple of years or so.
Next - can viruses infect Unix, despite the unix security system?
Yes.
First, I'd point out that Fred Cohen's doctoral thesis on viruses in 1986, was done using unix boxes. Viruses do not break system security. They infect wherever the system security allows them to, and that's sufficient for them to spread. I'm not expecting a sudden wave of infections on Linux boxes, but please don't think that viruses cannot work on Linux.
One problem, is that the distinction between an executable and a data file is very grey. Try this simple experiment. Take a simple perl script, test.pl, and change the permissions to 400. Now try to run it. Unix security stops you. Now try running "perl test.pl", and it will run fine.
And think about macros in documents. They will run even though the document has non-executable permissions.
See, it doesn't matter that you can't infect ls or ps or df. All it takes is for you to be able to infect your own user-written stuff.
And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.
OK, so now we've established that you can infect your own software, let's consider damage. A Linux virus will be prevented from deleting the system files, or from formatting the hard disk, by the system. But since it's running with the same privilege that I (as an ordinary user) have, it has the same read, write and delete access to my data files that I have. And, of course, my data files are the only files with real value on the computer. The Linux system itself can be reinstalled in minutes.
I've gone on too long already. I better stop before I write another book.
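The "change the permissions to 400 and run it" experiment above, and the earlier point that a 0644 startup file such as .bash_profile is rewritable by anything running as its owner, reproduced as an added example (not code from the original posts). It assumes /bin/sh stands in for perl as the interpreter so it runs on any POSIX system; the script content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original posts. Shows that the execute bit only
# governs running a file *as a program*; an interpreter that merely reads the
# file needs read permission, and a 0644 file owned by the user can be replaced
# by any process running as that user. /bin/sh stands in for perl (assumption).

# Create a script with the requested mode in a fresh temp directory and print
# its path. The content is constructed for this example.
make_script() {
    dir="$(mktemp -d)"
    printf '#!/bin/sh\necho ran-from-file\n' > "$dir/test.sh"
    chmod "$1" "$dir/test.sh"
    printf '%s\n' "$dir/test.sh"
}

# Run the file as a program. execve() checks the execute bits, so a 0400 or
# 0644 file is refused (even for root, which needs at least one x bit set).
run_directly() {
    "$1" 2>/dev/null
}

# Hand the same file to an interpreter. Only read permission is needed: the
# interpreter is the executable, the file is just its input.
run_via_interpreter() {
    sh "$1" 2>/dev/null
}

# The .bash_profile case: overwrite a user-owned 0644 file with an ordinary
# write (no root involved) and print the new content if it succeeded.
overwrite_as_owner() {
    printf 'echo replaced-by-mail-client\n' > "$1" 2>/dev/null && cat "$1"
}

# Run both attempts for one mode and summarise as "direct=<yes|no> interp=<yes|no>".
exec_bit_experiment() {
    f="$(make_script "$1")"
    if run_directly "$f" >/dev/null; then d=yes; else d=no; fi
    if [ "$(run_via_interpreter "$f")" = "ran-from-file" ]; then i=yes; else i=no; fi
    rm -rf "$(dirname "$f")"
    printf 'direct=%s interp=%s\n' "$d" "$i"
}

# Stand-alone run: 0400 and 0644 give direct=no interp=yes; 0755 normally
# gives direct=yes too (unless the temp filesystem is mounted noexec).
main() {
    for mode in 0400 0644 0755; do
        printf '%s: %s\n' "$mode" "$(exec_bit_experiment "$mode")"
    done
}
main
```

A quick check on a real account is `ls -l ~/.bash_profile`: if it shows `-rw-r--r--` and your user as owner, every program you run can rewrite what your next login executes.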
This is just marketing fluff. I've seen this so many times.
He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit doesn't realise that COOs don't know anything, might take him seriously.
If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.
The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things youj're trying to handle. So, where do antivirus companies get specimens?
Two sources. 1) from their customers. This legislation would make it illegal for customers to send speciments to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.
2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.
I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.
I bumped into this several years ago, in the antivirus field. "Get the product certified", said the marketing department. "Some big corporates want to see an official certification" said our sales people.
So I looked into it. At the time, it was called "Itsec", now it's "Common Criteria". It was run, in those days, by the electro-spooks, based in Cheltenham.
When I found what it was, I was absolutely ROFL.
I, the vendor, was expected to state the functionality of the product, what it was supposed to do, security-wise. They call this the TOE, "Target of Evaluation"
They, the evaluators, would check that it met that functionality, and give me a certificate if it did.
So far, so good. But what's the right functionality? In my case, what functionality should an antivirus have (rhetorical question, please don't tell me, except it isn't as simple as you might think).
So, I said to the people who ran the scheme, Suppose I define my functionality as "Comes in a blue box". Could I get an Itsec certification for that? The answer boiled down to "Yes, but that isn't a security issue". "Yes it is," I said.
Um. Who defines what is a security issue and what isn't? I was saying that the lack of a blue box, was a security issue. How do you say it isn't? Anyway, that's my TOE, please certify it. Well, it never got that far, that was just my way of telling them that their scheme was a joke.
So I went to a pal of mine who ran the security department at a university, suggested that he set up a certification scheme, and got the product certified under that instead. That made our marketing people happy, also our sales people. Customers had a certification to pin on the wall, everything was tickety-boo.
Except the government people, who knew they were being made monkeys out of, because I threw that "Comes in a blue box" thing at them at every conference and seminar I went to, and I heard that it started to seriously embarrass them, because people started asking questions about the value of their certifications. There's more in that thread - things did start to change, but the change didn't happen in the end.
Now, I'm not suggesting that the Microsoft certification says "Comes in a blue box." But until you've read the TOE, you don't actually know what security functions have been certified.
"Antivirus companies NEED viruses, and they don't just happen."
.c, although not .d, because the explanation for that is pretty obvious - the viruses are very similar.
Before I started doing antivirus software, I ran one of the first data recovery companies, getting folks data off hard drives that didn't work any more. I didn't NEED viruses. When they happened, I decided it was something I wanted to get into.
The first virus I saw (1987) was Brain (allegedly written in Pakistan, I have doubts about that). And it was A) interesting technically, and B) I guessed that this would become an increasing problem on PCs. Well, I was right, I wrote a great scanning engine (you expected modesty?) and we sold product to loads of people.
I remember, in the spring/summer of 1989, a few months went by without any viruses appearing. There was a chap in the AV world I used to gossip with, and we talked about this. Have they stopped? Is it all over? About a dozen viruses, and that's it? It didn't occur to me, and I don't think it occurred to him, to "help things along" by writing a few viruses.
Now, there's a few hundred each month.
Incidentally, there are a few Linux scanners; that's what I was using to identify the Win32 viruses that people were inadvertently emailing me. NAI (McAfee) does one (porting the engine to Unix was my initiative, back when I ran the comapny that carried my name), so does F-Prot, so does Sophos, so does Norman and there's probably others. Some of these might still be beta; contact the companies to get the latest info. I think at least some of them might be free. Again, check for yourself.
There might be some open-source scanners, but I don't know of any.
"As for antivirus software? It is interesting that it often gets written BEFORE the virus is really discovered. "
Would you care to give several examples of this, so that I can disagree? Because if you're correct, that's a very incriminating smoking gun, and worth taking to the police authorities of the country where it happened.
Of course, you aren't referring to heuristics, which aim to work in a semi-generic way, or to entirely generic software (such as change-detection). And I guess you aren't referring to the fact that a detector for W32.nastyvirus.a might also detect W32.nastyvirus.b and
Your statement seems to say that the detection for a specific virus is *often* written before that specific virus is discovered, and I'd like to hear some instances of this situation.
Because my opinion is that this has never happened.
It's viruses, not viri. And I'm not going to discuss that further, that's a Latin and English grammar issue, of no real interest to most people.
...
:-)
The thing is:
A) Like I said in the first place, I can really only speak for myself and for the company that carried my name. But! As of 1998, I knew the technical people in many (most) of the other AV companies (it was a small and friendly world, the techies used to gather a couple of times each year at the big AV conferences). And it really was anathema to write and release a virus.
Here's an example of how small and tight-knit the techies were. I got a phone call one evening from a guy in the virus lab at a competitor. He had a virus to do (write the driver for), he'd done a zillion already today, he was punch-drunk on coding, and his management were screaming at him for the fix for that virus, could I
And I told him, over the phone, exactly how to detect and repair infected files for that virus. Why? Because I felt close to him as a fellow AV techie with Pointy-Haired Management on his back.
Heh. A few years later, I hired him to work for my company.
Anyway. We knew each other as well as that. And I really don't think that any of those guys were writing and releasing viruses.
B) And I don't have any proof that I didn't write a virus. Like I don't have any proof that I never killed a cat. I don't even have any *evidence* that I never killed a cat, let alone proof. Ultimately, you either believe me or you don't. There's nothing I can give you to help you make that choice.
And I guess that there might be some dentists who hand out sweets in order to hasten tooth decay, and some firemen who start fires for fun and profit. But if you tell a fireman that to his face, don't be surprised if he gets angry. What I'm saying, is that you're free to insult people, please just be aware that you're issuing an insult.
Writing viruses doesn't test an antivirus. Like I said in a recent post, it's trivially easy to write a virus that any given AV won't detect.
But what we did do, was think about possible future viruses and virus-writing techniques. And once you've dreamed up a new way to kill a cat, you don't actually have to kill a bunch of cats to prove that it works, all you need to do is improve your anti-cat-killer so it prevents that new technique.
By the way, if some virus author actually uses this hypothetical technique, it'll probably be somewhat different from how you thought anyway.
And the virus lab, where viruses are sent for analysis, had better have good physical security. We used a self-locking door, and a "one-way" rule for diskettes, and an isolated local network, and several non-networked machines. Even today, years later, when I see a red coloured diskette, I get wary.
And what came out of the virus lab, every now and then, was the source code for the drivers (that's the DAT file, it's actually written in a language I invented called Virtran). And the source code for the AV engine.
We never had an escape.
But here's a funny story.
It was at an EICAR (European Institute for Computer Antivirus Research) conference. One of the main techies (and a well-respected guy) for a company had his laptop along with a PowerPoint presentation. And there at the conference, we found that his laptop was infected with a boot sector virus (I think it was AntiEXE, or was it AntiCMOS? Can't remember.). Big oops. But no harm done.
No. There's really no point in writing viruses to test your antivirus. With a virus-specific detector, the question is, "can it detect Smeg", so you make a million instances of Smeg, and check that it spots 100%. With a heuristic, you *know* you aren't going to get 100%, so it tells you nothing if you find a virus it can't detect.
The other big test is the false alarm test. We used a massive accumulation of software to check for false alarms; the objective is zero, and nothing else would pass the QC.
Yes, that's me.
And it's still true. I don't use AV software. Instead, I have a bunch of procedures that I follow.
For some months in 2001, I did use an antivirus, because I was getting emails including Sircam, Magistr, Badtrans etc, and I wanted to email back to the sender to tell him which virus he had, and how to get rid of it. Now I'm getting dozens per week, the reply address is spoofed, I've stopped telling the sender that he has a virus, so I no longer have a need to know which virus I just got sent; all I need to do is delete it.
Worm ... virus ...
To most people, there's no difference whatsoever.
To AV folks, a worm is just a particular subset of the class of viruses.
Klez, the number one virus today, is a worm. I haven't checked the numbers, but right now, I'm guessing that email accounts for 99% of virus (i.e., worm) transmission. And I'd guess that the majority of in-the-wild viruses today, are worms.
How could a virus get widespread on Unix? First, you have to drop the assumption that all Unix users are sophisticated /. readers. Increasingly, as Linux becomes more and more popular, Linux users are going to be no more sophisticated than the average user today.
And when Mr Average User is running his point-and-click email system on Gnome, and a known and trusted friend (spoofed address) sends him "Funny Joke" or "Useful Program" the likelihood of him clicking on it is just as great whatever OS he's running.
OK, clicking on it won't work, it's 0644. Or will it be? And does it matter if it's 0644, maybe it can still get executed?
I haven't tried to write a virus (see my original posting), but you can be sure that whenever AV folks get together and have a few beers (beer is crucial to the AV industry) one of the subjects that comes up is "what if?". And we talk about techniques for writing interesting and difficult-to-handle viruses. This speculation is useful, of course, it makes us think ahead. Well, that's how it was a few years ago, I guess it's the same now.
So, let's speculate a little (and I haven't tested any of these ideas with any mailers or Linux UIs).
What if you emailed a tar file, and the mailer is set to untar it (AOL has a neat feature, when someone receives a zip file, AOL automatically unzips it)? Now you have a 755 file, right? User executable - now all you need to do is persuade the user to click on it, which has never been a difficulty. "Click here".
Or how about your suggestion. Persuade the user to open a terminal window and type perl funnyjoke. Mr Average User really doesn't understand the consequences of doing that, especially when the original email came from a trusted source (or so he thought). It doesn't feel to him like he's bypassing a security system. I mean, what kind of security system is it that can be bypassed so easily?
Or how about this. In the user's home directory, there's .bash_profile. That's 644, the user can overwrite it, or change it (and if the user can do that, maybe some mailers can replace it with an incoming enclosed file, the mailer has at least the same privilege as the user). And then the next time that user logs in, he runs that revised script.
The distinction between executable and non-executable isn't as black and white as one might have thought.
Now consider Word (and Office in general). A lot of people have opined that the non-existence of a good Linux Word-compatible program is one of the barriers to Linux acceptance in the corporate world. So, suppose someone made such a clone. Now you have the whole macro-execution thing to worry about. Users get emailed a document written in Word for Windows; the macros also work under Linux, because the platform is Word, not Windows or Linux. Word for Windows macros work just fine on Word for Mac (at least, they did a few years ago, things might have changed since I was current, but I doubt it).
And Jane User has write access to all her own documents. And then emails one to a colleague ...
Now, what about us sophisticated folks, how could we get hit by a virus?
Well, I don't know about you, but when I download and compile a tarball, I don't actually read through megabytes of source code looking for a self-replicator. I trust the source. I guess almost everyone does the same. And what is the source? Well, I trust RedHat CDs, I trust the Red Hat web site almost as much (assuming no sneaky DNS spoofing ...)
OK, so the RedHat site is OK, but I also go to DaveCentral, and Freshmeat, and SourceForge, and the CGI Resource, and I follow links from there to the web site that the software came from ....
In other words, I get software from *all over*, and I'd guess that other folks do too.
And your point is that *you* get to make the decision about who to trust; my point is that Mr Average User gets that *badly* wrong, and I will too, sometimes. It's a balance. I *really want* this program that synchronises my system clocks, and the site I got it from certainly looks OK, I mean, all the words are spelled pretty much right and there's not a single "31334" there.
And we all know, you can't have a virus on Linux, so I don't actually have to be the least bit careful, right? Wrong.
"I'm not worried about viruses"
I agree, you don't have to be worried. But I'd suggest that you be at least a little bit *careful*.
So, why should you care if Mr Average User hoses his data?
A) because you're his tech support person, and you're the one he'll complain to
B) because he's now sending worms to everyone else on the subnet, because that's what this worm does
C) because some worms choose a random file to mail out, and that can be *really embarrassing*.
On your final point about virus scanners; you're assuming that a heuristic searches for unlink; I doubt if any heuristics do that. I personally never wrote a heuristic (it wasn't needed when I was in the game), but I know folks who wrote the ones that are in scanners that are in very common use today, and I remember one of them telling me about one of the heuristics in the scanner for Word viruses, and it was looking for something I'd never heard of, that was to do with copying macros. You don't look for the damage routine, you look for the self-copying routine. And there's probably a lot more on heuristics; like I said, I never wrote one, so I don't know.
It is *trivially easy* to write a virus that today's scanners can't detect. A scanner is looking for a particular bunch of things; all you need to do is keep changing your virus until the scanner doesn't detect it any more.
And you don't need to be knowledgeable to write a virus. A virus is just a program that copies itself. You could write that in perl in not many minutes. Add the code to look for another .pl program, and have the virus edit that to include your virus. You could add calls to copy across the net in a few minutes more. And it's at that point that you can start getting fancy. Please don't assume that virus authors are all really great programmers; more than 99% of them are not. I know because, I used to disassemble their code.
Today, there isn't a significant virus problem in Linux. I hope it stays that way.
Your rootly precautions are good; my point is that a user doesn't need root privilege to get infected and lose data, and a file doesn't need executable privilege in order to get executed.
At worst?
Destroying data files isn't what you should worry about; as you pointed out, that's easy to fix.
Far more worrying is a virus that makes minor changes to your data files. And how long will it be before you notice? And how old a backup will you restore?
The short answer is no. The longer answer is given below.
::laughs hysterically:: We barely had time to post on alt.comp.virus in Usenet.
First, I'll explain who I am. I'm Alan Solomon, I'm a programmer, I designed and coded the engine in Dr Solomon's Antivirus, that engine is now also used in the McAfee (Network Associates) scanner (although I'm sure that by now it's somewhat different from the engine I wrote).
I worked in the AV world from 1988 to 1998. I'm doing other stuff now, I don't have any ownership in any antivirus companies. Also, caveat, I've been out of this business for a few years, so my knowledge-state isn't current. And, of course, I really can only speak for myself, and the company that bore my name. I can't really speak for other companies.
I used to get asked "Do antivirus companies write viruses?" a lot. It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay. However, I always tried to contain my irritation at the insult (on account of my guess that most people asking me this, don't realise it's an insult) and the answer is "No."
1. It's unethical. But I guess if you believe that the antivirus folks are a bunch of unethical scroats, that's not a very convincing reason. Actually, the technical folks in the AV industry have to be *very* ethical. Because unethical ones tend not to be accepted by the consensus, and thereby lose a crucial source of information exchange.
2. It's illegal (actually criminal, virus authors have been put in prison for this. Chris Pile (the "Black Baron") got 18 months, for example). And you can get caught (ask Pile). If you think a company could ask a programmer to write a virus, and hope that no-one else in the company would know about this, and that there's no risk of jail - think again. You have to be *really stupid* to write a virus when you're not able to guarantee anonymity. Of course, you have to be pretty stupid to write a virus at all. By the way, 99% of the viruses that I analysed were really crudely made; some didn't even work at all.
3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.
4. It takes too long. I'd estimate that the Simile virus, as described, took months and months to develop. It took McAfee two weeks to do the detector; Symantec about the same. So, if the AV companies had to write the viruses as well as do the Antivirus, they'd need 10 or 20 times as many programmers. And you'd have to keep that lot a deadly secret, of course.
You can't imagine what it's like in a virus lab. There's N new viruses per month, where N isn't a fixed number. And there's M people to do the analysis and coding, and M is never enough. It was like being on a treadmill, and you know that the treadmill is getting faster all the time. Write new viruses?
So why do antivirus companies sometimes see viruses before any users? Simple. The virus authors send them. The first time this happened was over a decade ago; it surprised me then. And we thought it through at that time. Do we just delete it, and pretend it didn't happen? If you've been sent a virus, and you think you're the only person in the world who has a copy of that virus, you can destroy it, and the world has one virus less. But if there's a chance that the virus author has, or will, release it in the wild, you have to build detection for that virus.
Also, you have to give a copy to the other antivirus companies. Because we programmers made an agreement between ourselves that we wouldn't force users to buy three different products to detect three different viruses, that we wouldn't compete on the basis of "we can detect X virus and no-one else can". We'll compete on price, speed, accuracy, tech support, etc etc, but not by restriction of virus samples between trustworthy AV companies.
So, once the virus author gives it to one AV company, all the AV companies have a sample (shortly after) and that virus might not be in the wild, and might never get into the wild. But you can't be sure. For this virus, we read that the virus author sent it to 14 AV companies.
There's a separation in AV companies between the programmers, who do the virus analysis and coding, and the marketroids, who do the, uh, marketing. The marketroids are constantly trying to persuade people to buy AV software, the programmers constantly trying to hold them in some degree of responsible check. The programmers do have a degree of control, via mechanisms that we put in place a decade ago, but it's impossible to persuade anyone that when a new and technically interesting virus comes along, that people should not be told. You really can't, and shouldn't, try to keep a new and technically interesting virus, a secret. Of course, then the media get their paws on it, and blow up a scarestorm. How do we stop that? I don't think we can.
I haven't seen or analysed this virus, but from what I've read, it does look A) technically interesting, and B) a complete pig to design detection for (detection means, you always spot the virus when it's there, and you never give a false alarm when it isn't). This virus is technically interesting because it's cross-platform. And it's a complete pig to detect because B.1) it's polymorphic, meaning if you put several samples side by side, there isn't any byte-string that you can be sure will be in all of them, B.2) it's metamorphic (meaning, it's horribly horribly polymorphic, even after you decrypt it you don't have any constant byte-string) and B.3) entry-point obfuscation (which means you don't even know where to start looking for the virus, all you know is that it might be somewhere in the file).
The fact that the AVERT folks (McAfee) have admitted that this one virus will cause "a slight performance decrease" in the virus scanner, means that this is a significant virus; pretty much every virus causes a near-zero impact on scanning speed. I'd guess that "ActiveDAT technology" means "we've encoded some executable code in the DAT file which the scanner will run". In other words, they had to write a subroutine specifically for this virus.
That's something that you don't expect to do more than once every couple of years or so.
Next - can viruses infect Unix, despite the unix security system?
Yes.
First, I'd point out that Fred Cohen's doctoral thesis on viruses in 1986, was done using unix boxes. Viruses do not break system security. They infect wherever the system security allows them to, and that's sufficient for them to spread. I'm not expecting a sudden wave of infections on Linux boxes, but please don't think that viruses cannot work on Linux.
One problem, is that the distinction between an executable and a data file is very grey. Try this simple experiment. Take a simple perl script, test.pl, and change the permissions to 400. Now try to run it. Unix security stops you. Now try running "perl test.pl", and it will run fine.
And think about macros in documents. They will run even though the document has non-executable permissions.
See, it doesn't matter that you can't infect ls or ps or df. All it takes is for you to be able to infect your own user-written stuff.
And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.
OK, so now we've established that you can infect your own software, let's consider damage. A Linux virus will be prevented from deleting the system files, or from formatting the hard disk, by the system. But since it's running with the same privilege that I (as an ordinary user) have, it has the same read, write and delete access to my data files that I have. And, of course, my data files are the only files with real value on the computer. The Linux system itself can be reinstalled in minutes.
I've gone on too long already. I better stop before I write another book.
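The "test.pl with mode 400" experiment above, and the earlier post's point that a 0644 file can still get executed, as an added example that is not the author's code. It uses /bin/sh as the interpreter instead of perl (an assumption, so it runs without perl installed) and repeats the experiment over 0400, 0644 and 0755 so the modes can be compared; the script body is constructed.

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the page's test.pl; /bin/sh is the interpreter
# here (assumption) so the experiment runs on any Unix box without perl.
SCRIPT_BODY = "#!/bin/sh\necho hello-from-script\n"


def write_script(directory, mode=0o400):
    """Write the constructed script and set the page's permission bits
    (0400 by default: owner read only, no execute bit for anyone)."""
    path = os.path.join(directory, "test.sh")
    with open(path, "w") as fh:
        fh.write(SCRIPT_BODY)
    os.chmod(path, mode)
    return path


def run_directly(path):
    """Ask the kernel to execute the file itself, which is what './test.sh'
    or a double-click does. Returns (ran, output)."""
    try:
        proc = subprocess.run([path], capture_output=True, text=True)
        return proc.returncode == 0, proc.stdout.strip()
    except PermissionError:
        # execve() refuses because no execute bit is set (true even for root).
        return False, ""


def run_via_interpreter(path, interpreter="/bin/sh"):
    """Hand the file to an interpreter as an argument ('perl test.pl' on the
    page). The interpreter only needs read permission; the execute bit is
    never consulted, so 'Unix security' has nothing to say about it."""
    proc = subprocess.run([interpreter, path], capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout.strip()


def experiment(mode=0o400):
    """Run the page's experiment for one mode and report both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_script(tmp, mode)
        x_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
        has_x = bool(os.stat(path).st_mode & x_bits)
        direct_ran, _ = run_directly(path)
        interp_ran, out = run_via_interpreter(path)
        return {"execute_bit": has_x, "direct": direct_ran,
                "via_interpreter": interp_ran, "output": out}


if __name__ == "__main__":
    # Expected on Linux: 0400 and 0644 cannot be run directly but run fine
    # through the interpreter; 0755 runs both ways (unless /tmp is noexec).
    for mode in (0o400, 0o644, 0o755):
        print(oct(mode), experiment(mode))
```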
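The virus-specific QC described in the earlier post (make many instances, check 100% detection, zero false alarms over a clean corpus) together with the polymorphism point above (no byte-string you can be sure is in every sample), as an added example that is not the author's code or any real scanner's. VIRUS_BODY, CLEAN_CORPUS and the per-sample XOR re-encoding that stands in for polymorphism are constructed; the signature is derived as the longest byte-string common to all samples, then put through both QC checks.

```python
import random

# Constructed stand-in for a fixed virus body that a hypothetical virus
# appends to each host file. Arbitrary bytes, not real malware.
VIRUS_BODY = b"\x90\x90\xe8\x00\x00\x00\x00\x5e\x81\xc6SMEG\xb9\x10\x00"

# Constructed miniature of the "massive accumulation of software" used for
# the false-alarm test. The first file contains every byte value, so any
# one-byte signature is guaranteed to false-alarm on it.
CLEAN_CORPUS = [
    b"MZ\x90\x00" + bytes(range(256)),
    b"\x7fELF" + b"\x00" * 64 + b"hello world\n",
    b"#!/usr/bin/perl\nprint 'test';\n",
]


def make_samples(body, count, polymorphic=False, seed=1):
    """Build `count` infected files (random host bytes + body). A polymorphic
    virus re-encodes its body in every copy; modelled here as a per-sample
    XOR key, so no byte-string is guaranteed to be common to all copies."""
    rng = random.Random(seed)
    samples = []
    for _ in range(count):
        host = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 40)))
        key = rng.randrange(1, 256) if polymorphic else 0
        samples.append(host + bytes(b ^ key for b in body))
    return samples


def longest_common_substring(samples):
    """Candidate signature: the longest byte-string present in every sample."""
    first, best = samples[0], b""
    for i in range(len(first)):
        for j in range(i + len(best) + 1, len(first) + 1):
            cand = first[i:j]
            if not all(cand in s for s in samples[1:]):
                break
            best = cand
    return best


def scan(data, signature):
    """Virus-specific detector: a plain byte-string search."""
    return bool(signature) and signature in data


def qc(signature, infected, clean):
    """The page's QC: 100% of samples detected, zero false alarms on clean."""
    hits = sum(scan(s, signature) for s in infected)
    false_alarms = sum(scan(c, signature) for c in clean)
    return {"detection_rate": hits / len(infected),
            "false_alarms": false_alarms,
            "passes": hits == len(infected) and false_alarms == 0}


def report(polymorphic, count=20):
    """Derive a signature from a sample set and run it through QC."""
    infected = make_samples(VIRUS_BODY, count, polymorphic)
    signature = longest_common_substring(infected)
    return {"signature": signature, "qc": qc(signature, infected, CLEAN_CORPUS)}


if __name__ == "__main__":
    for poly in (False, True):
        r = report(poly)
        print("polymorphic" if poly else "fixed-body", len(r["signature"]), r["qc"])
```

For the fixed body the derived signature is the body itself and QC passes; for the polymorphic set either no common string survives (detection rate 0) or the short one that does false-alarms on the clean corpus, so QC fails either way.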