Win32/Linux Cross-Platform Virus 582

An Anonymous Coward writes "Symantec reports on the first virus to infect both ELF and PE binaries on Linux and Win32. 'The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, uses two separate routines to carry out the infection on PE and ELF files. This variant of Simile shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.'"
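The story says the virus carries one routine for PE files and another for ELF files, which means it, like any scanner that has to handle both, first has to recognise which format it is looking at. The following is an added example, not code from Symantec's write-up and not the virus's code: a small format classifier that reads the ELF identification bytes and the `e_lfanew` pointer and COFF machine field of a PE image. The sample headers are constructed inline and are not real binaries; the machine-ID tables cover only a few common values.

```python
import struct

# Machine IDs from the ELF and PE specifications (a few common values only).
ELF_MACHINES = {0x03: "i386", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}
PE_MACHINES = {0x14C: "i386", 0x1C0: "arm", 0x8664: "x86-64", 0xAA64: "arm64"}


def classify(data: bytes) -> dict:
    """Identify an executable image from its header bytes.

    Returns a dict whose 'format' is 'ELF', 'PE', 'MZ' (DOS header without a
    PE signature) or 'unknown', plus the fields a scanner would branch on.
    """
    # ELF: 0x7f 'E' 'L' 'F', then EI_CLASS (1=32-bit, 2=64-bit) and
    # EI_DATA (1=little-endian, 2=big-endian); e_type and e_machine sit at
    # offset 16 and are stored in the file's own byte order.
    if data[:4] == b"\x7fELF":
        if len(data) < 20:
            return {"format": "ELF", "error": "truncated header"}
        bits = {1: 32, 2: 64}.get(data[4])
        order = {1: "<", 2: ">"}.get(data[5])
        if bits is None or order is None:
            return {"format": "ELF", "error": "bad EI_CLASS/EI_DATA"}
        e_type, e_machine = struct.unpack(order + "HH", data[16:20])
        return {"format": "ELF", "bits": bits, "type": e_type,
                "machine": ELF_MACHINES.get(e_machine, hex(e_machine))}

    # PE: a DOS 'MZ' header whose e_lfanew field (offset 0x3C) points at the
    # 'PE\0\0' signature; the COFF Machine and NumberOfSections follow it.
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return {"format": "MZ", "error": "truncated DOS header"}
        (e_lfanew,) = struct.unpack("<I", data[0x3C:0x40])
        if e_lfanew + 8 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"format": "MZ", "error": "no PE signature"}
        machine, nsections = struct.unpack("<HH", data[e_lfanew + 4:e_lfanew + 8])
        return {"format": "PE", "machine": PE_MACHINES.get(machine, hex(machine)),
                "sections": nsections}

    return {"format": "unknown"}


def classify_file(path: str) -> dict:
    """Classify a file on disk by its leading bytes."""
    with open(path, "rb") as f:
        return classify(f.read(1 << 20))   # headers live well inside the first MiB


# Constructed sample headers (not real binaries): just the fields read above.
ELF64_X86_64 = (b"\x7fELF" + b"\x02" + b"\x01" + b"\x01" + b"\x00" * 9
                + struct.pack("<HH", 2, 0x3E))          # ET_EXEC, EM_X86_64
PE_I386 = bytearray(b"MZ" + b"\x00" * 62)               # 64-byte DOS header
PE_I386[0x3C:0x40] = struct.pack("<I", 64)              # e_lfanew -> right after it
PE_I386 += b"PE\0\0" + struct.pack("<HH", 0x14C, 3)     # IMAGE_FILE_MACHINE_I386, 3 sections
PE_I386 = bytes(PE_I386)

if __name__ == "__main__":
    for name, blob in (("elf sample", ELF64_X86_64), ("pe sample", PE_I386),
                       ("shell script", b"#!/bin/sh\n")):
        print(name, classify(blob))
```

The two branches are independent, which is the point of the Symantec description: everything after this dispatch (the decryptor, the engine) can be shared, and only the header handling and the file-walking code differ per platform.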
  • by Anonymous Coward on Sunday June 02, 2002 @02:52PM (#3627160)
    If my memory serves me right the first windows/linux virus, was the Lindose.

    For more information see:
    http://www.europe.f-secure.com/v-descs/lindose.shtml
  • by Anonymous Coward on Sunday June 02, 2002 @02:55PM (#3627177)
    Running ./configure can be just as bad if you aren't extremely careful. The monkey.org server was compromised last week, the security tools hosted on the site had backdoors placed into their configure scripts, and almost a thousand people were hit with it...

    url: http://online.securityfocus.com/archive/1/274927
  • Not the first (Score:5, Informative)

    by kill-hup ( 120930 ) on Sunday June 02, 2002 @02:56PM (#3627178) Homepage
    This is not the first cross-platform Win/Linux virus: http://vil.nai.com/vil/content/v_99060.htm [nai.com].


    It is the first to use pretty much the same injection code routines for both, though. The previous virus I referenced had two separate infection routines for PE and ELF files.

  • Re:How to scan Linux (Score:3, Informative)

    by chabotc ( 22496 ) <chabotc AT gmail DOT com> on Sunday June 02, 2002 @02:59PM (#3627196) Homepage
    There are several virus scanners available for linux. Sophos, McAfee, etc..
  • Re:How to scan Linux (Score:3, Informative)

    by forged ( 206127 ) on Sunday June 02, 2002 @03:01PM (#3627212) Homepage Journal
    There used to be a McAfee version available, though not with all the functionalities of the W32 version; still, the scanning engine worked well.

    I haven't used it in so long that I can probably throw it away: last time must have been 1997 or so ;)

  • by RealUlli ( 1365 ) on Sunday June 02, 2002 @03:05PM (#3627230) Homepage
    There are hundreds of applications on the system that are CHROOT'ed, that is have access as root when executed.

    You mean setuid(root). Chroot means the root-directory of the software is changed, in effect putting it in a rather secure sandbox...

    If one of these hundreds of apps were to become infected (chances are fair to good), then you can kiss your entire system good-bye.

    No, they aren't. If the virus manages to infect one of these binaries, it already *has* root, so it can infect any other binary, too. Basically, it depends on if the virus is able to execute a local root compromise, which is easier than remote, but not *that* easy.

    Regards, Ulli

  • by mosch ( 204 ) on Sunday June 02, 2002 @03:10PM (#3627245) Homepage
    There's actually lots of anti-virus software for *nix, though sometimes it's hard to purchase. Typically it's used to scan data that may be passed to non *nix machines, via http, ftp or email.
  • Re:How to scan Linux (Score:5, Informative)

    by Hawkeye_RC5 ( 258133 ) on Sunday June 02, 2002 @03:14PM (#3627267)
    F-Prot antivirus software has a free (as in beer, not speech) anti-virus scanner for personal use. You can get it at http://www.complex.is/

    The nice thing about this scanner is that it can both check for linux and windows viruses, and that it shares the regularly updated virus definition files for DOS/Windows.
  • by GoRK ( 10018 ) on Sunday June 02, 2002 @03:21PM (#3627299) Homepage Journal
    F-Prot is available for Linux (non-commercial use is free) and it's very good. I have even seen it detect viruses that were not in its database yet. Updating my DAT files resulted in my ability to disinfect the virus. It detects and can disinfect about everything. It will scan your .prc and .pdb files for PalmOS viruses, even!
  • by tringstad ( 168599 ) on Sunday June 02, 2002 @03:24PM (#3627312)
    Trend Micro, who is one of the better Anti Virus vendors, if not the best, IMHO, has been providing Linux anti-virus software for as long as I have been aware of them:

    http://www.antivirus.com/download/ [antivirus.com]

  • by elvum ( 9344 ) on Sunday June 02, 2002 @03:28PM (#3627338) Journal
    No, it could mean that they were sent a copy by a non-customer.
  • Not Necessarily (Score:5, Informative)

    by cscx ( 541332 ) on Sunday June 02, 2002 @03:29PM (#3627346) Homepage
    Here's how it works:

    When an infected file is run, it infects other Win32 files on the system. The virus prefers to hit applications written in the C language and is more likely to hit OS files than normal applications. This virus carries a string "Metaphor v1 by The Mental Driller/29A". It is not visible in infected files but this string (with the lettercase changed randomly) is displayed on the 17th of March, June, September and December:

    On the 14th of May on systems with Hebrew character support the virus will display a message box saying "Free Palestine!".

    This virus is polymorphic and uses an entry-point obfuscation technique. When infecting, the virus replaces all "ExitProcess" calls in the host file with obfuscated jumps to a polymorphic decryptor. The obfuscated polymorphic jump, the polymorphic decryptor, and the encrypted body of the virus can be anywhere in the host file, which makes detection a difficult task.

    Although detection is complex, AVERT has decided to include detection using the ActiveDAT technology in the scanning engine and DATs. As a consequence, some users may notice a slight performance decrease after updating to 4189 DATs. This is a necessary tradeoff for obtaining detection of a known "in the wild" virus. To allow users some flexibility, AVERT has included detection for this virus ONLY when Program Heuristics are turned on. AVERT will continue to work on improving the detection of this virus to reduce the impact users may see. Improvements will eventually be noticed in future DATs.

    The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b). A slight modification of the same virus was created from the published ASM sources and it carries a different string ("Deutsche Telekom by Energy 2002*g**") displayed on the 18th of March, June, September and December:

    Infects Win32 applications with ".EXE" extension only in folders not starting with letter "W". The virus also avoids programs with a letter "V" in the name or starting with "F-", "PA", "SC", "DR" and "NO". However it lists all available network drives and looks for potential writeable targets there. After the infection, the date and timestamp of files do not change.
    In most targets the virus wipes out the relocation section of the host file. Files can still run but that makes proper cleaning impossible.
  • Found this (Score:4, Informative)

    by martissimo ( 515886 ) on Sunday June 02, 2002 @03:29PM (#3627347)
    at McAfee's website here [mcafee.com]

    btw the linux version has been known about for a few weeks now according to their dates.

    but anyways when the original variant came out in February they state...

    The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b).

    lots of info about what it actually does to windows machines there, but almost nothing about what it does on Linux

  • by wildcard023 ( 184139 ) on Sunday June 02, 2002 @03:31PM (#3627352) Homepage
    A virus needs to start somewhere. The code doesn't magically appear in your system. In order to get a virus on a Linux box, you need to download an infected binary (or the actual code and compile it) and then run it. Once you run it, it needs to search for another binary that it can infect (has write permissions to) and then modify it.

    The reason that it's hard to infect a Linux (/Unix/anything with a decent permission structure) system is that hardly anyone runs daily activities as root and only updates their /bin, /usr/bin, etc binaries from a known source or from source code. If some user runs the virus, it will only be able to infect files that he has write permissions to and on most Linux boxes (at least the distros I've seen), users aren't allowed to write to systemwide binaries.

    The virus is "kinda neat" as far as its ability to infect multiple platforms and avoid detection, but is really "no big deal" to most systems out there. Windoze(tm) users get viruses sent through email (usually via worms) that self execute when they're opened. This infects files that they have write permission to (usually all of them since 9x boxes have no permission structure and most users on NT systems are run in the Administrator's group) and causes system havoc. Since no Linux mail readers that I know of will execute binaries without at least asking, the user would have to specifically download the binary and run it. At that point, all I have to say is "duh".

    So how do you infect your Linux box? On purpose...with a lot of effort. How does this affect the rest of us?

    *pause* *giggles* </Bubbles>

    --
    Mike Nugent
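The post above rests on one mechanism: a process running as an ordinary user can only modify files that user has write permission on. As an added example (written here, not the poster's code), this is that discretionary access check spelled out, followed by a walk that lists the executables a given uid could alter, which is the list an administrator wants to see empty outside home directories. Assumptions: plain Unix permission bits only; ACLs, the immutable flag and mandatory access control such as SELinux are not modelled. The sample tree is constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile


def can_write(mode: int, file_uid: int, file_gid: int, uid: int, gids) -> bool:
    """Unix discretionary write check.

    uid 0 bypasses the bits entirely; otherwise exactly one class is consulted:
    the owner bits if uid owns the file, else the group bits if the file's gid
    is one of the caller's groups, else the 'other' bits. Only permission bits
    are modelled (no ACLs, immutable flags or MAC policy).
    """
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_executables(root: str, uid: int, gids) -> list:
    """Regular files under root that carry an execute bit and that uid could
    modify: the only executables a process running as uid could rewrite."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue
            if can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                found.append(path)
    return sorted(found)


def build_sample_tree() -> str:
    """Constructed sample: one 0755 'tool' and one 0644 data file, owned by
    whoever runs this."""
    root = tempfile.mkdtemp()
    tool = os.path.join(root, "tool")
    with open(tool, "wb") as f:
        f.write(b"#!/bin/sh\necho hi\n")
    os.chmod(tool, 0o755)
    notes = os.path.join(root, "notes.txt")
    with open(notes, "wb") as f:
        f.write(b"data\n")
    os.chmod(notes, 0o644)
    return root


def demo() -> dict:
    """Compare what the file's owner and an unrelated unprivileged uid could rewrite."""
    root = build_sample_tree()
    try:
        st = os.stat(os.path.join(root, "tool"))
        owner = writable_executables(root, st.st_uid, {st.st_gid})
        # Any uid that does not own the file and is in none of its groups.
        stranger = writable_executables(root, st.st_uid + 1, set())
        return {"owner": [os.path.basename(p) for p in owner],
                "stranger": [os.path.basename(p) for p in stranger]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
    # Audit of a real system directory for a hypothetical uid 1000 in group 1000:
    # print(writable_executables("/usr/bin", 1000, {1000}))
```

The owner branch is checked first and is final: a file with mode 0474 is not writable by its owner even though the group bits would allow it, which is the detail people most often get wrong when reasoning about what a user-level process can touch.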
  • by Bellwether ( 12891 ) on Sunday June 02, 2002 @03:38PM (#3627386)
    Ken Thompson gave a pretty famous speech called "Reflections about Trusting Trust" that explained how one could use compilers to spread infection to new applications. It was a pretty radical idea at the time.

    It's a little different from standard virus infection, but the technique could be easily modified. Here's [susx.ac.uk] a short description of the technique, and here's [acm.org] the full text of the speech (with slides).

  • by Anonymous Coward on Sunday June 02, 2002 @03:54PM (#3627453)
    in the wild, all on its own. Then you can say that linux has viruses. Even then I bet that it will just take a patch to a couple of programs to close that hole.

    And if you want even better security for Linux go to the nsa.gov site and get the secure version of Linux that basically runs every program in its own security space, with only the access to the file system that it needs to perform its work. Thus, a web server would have read only access to the files it was serving and append write access to its own log files.
  • by WetCat ( 558132 ) on Sunday June 02, 2002 @04:16PM (#3627517)
    There IS antivirus software for linux,
    for example good ones can be bought at
    www.kaspersky.com
  • by Darren Winsper ( 136155 ) on Sunday June 02, 2002 @05:05PM (#3627685)
    You could have /home on a separate partition/drive and use the "noexec" mount option. It disables the execution of binaries on that drive.
  • by RinkSpringer ( 518787 ) <rink@ri[ ]nu ['nk.' in gap]> on Sunday June 02, 2002 @05:16PM (#3627722) Homepage Journal
    This seems more like a proof of concept to me than a real virus. Especially since the author specifically emailed the virus to anti-virus labs, it's more like: See, it *can* be done.

    Of course, you could expect that. Basically, a virus relies on just one thing: privileges. Privileges means the possibility to mess other programs up. And because there are so many Windows viruses compared to other OSes, it's easy to see Windows handles rights... differently... than a secure OS :)

    I don't think Linux, or UNIX viruses in general, will become a real threat. As long as you use your brain and don't do everything as root (as about every guide warns you against anyway), you'd be rather safe. Can't mess up stuff without the rights to do so.
  • by DrSkwid ( 118965 ) on Sunday June 02, 2002 @05:23PM (#3627745) Journal
    Old but never say never

    A buffer overflow vulnerability [securityfocus.com] exists in the popular mail client Pine 4.21 (and possibly earlier versions), relating to the function which regularly checks for incoming email.

    The real concern here is that this requires no user interaction to exploit.. a target need only be using a vulnerable version of pine. The overflow occurs when the user receives new email. While typically not yielding root privileges (unless root reads email with pine AS root) this can be used by a remote, anonymous attacker to gain local access to the target host.

  • by drsolly ( 415856 ) <drasolly@ao[ ]om ['l.c' in gap]> on Sunday June 02, 2002 @07:57PM (#3628217)
    The short answer is no. The longer answer is given below.

    First, I'll explain who I am. I'm Alan Solomon, I'm a programmer, I designed and coded the engine in Dr Solomon's Antivirus, that engine is now also used in the McAfee (Network Associates) scanner (although I'm sure that by now it's somewhat different from the engine I wrote).

    I worked in the AV world from 1988 to 1998. I'm doing other stuff now, I don't have any ownership in any antivirus companies. Also, caveat, I've been out of this business for a few years, so my knowledge-state isn't current. And, of course, I really can only speak for myself, and the company that bore my name. I can't really speak for other companies.

    I used to get asked "Do antivirus companies write viruses?" a lot. It is, of course, a very insulting question, like asking firemen if they start fires, or dentists if they're the cause of tooth decay. However, I always tried to contain my irritation at the insult (on account of my guess that most people asking me this, don't realise it's an insult) and the answer is "No."

    1. It's unethical. But I guess if you believe that the antivirus folks are a bunch of unethical scroats, that's not a very convincing reason. Actually, the technical folks in the AV industry have to be *very* ethical. Because unethical ones tend not to be accepted by the consensus, and thereby lose a crucial source of information exchange.

    2. It's illegal (actually criminal, virus authors have been put in prison for this. Chris Pile (the "Black Baron") got 18 months, for example). And you can get caught (ask Pile). If you think a company could ask a programmer to write a virus, and hope that no-one else in the company would know about this, and that there's no risk of jail - think again. You have to be *really stupid* to write a virus when you're not able to guarantee anonymity. Of course, you have to be pretty stupid to write a virus at all. By the way, 99% of the viruses that I analysed were really crudely made; some didn't even work at all.

    3. There's no point. Kids all over the world are writing viruses at no cost, providing an ample supply of new stuff.

    4. It takes too long. I'd estimate that the Simile virus, as described, took months and months to develop. It took McAfee two weeks to do the detector; Symantec about the same. So, if the AV companies had to write the viruses as well as do the Antivirus, they'd need 10 or 20 times as many programmers. And you'd have to keep that lot a deadly secret, of course.

    You can't imagine what it's like in a virus lab. There's N new viruses per month, where N isn't a fixed number. And there's M people to do the analysis and coding, and M is never enough. It was like being on a treadmill, and you know that the treadmill is getting faster all the time. Write new viruses? ::laughs hysterically:: We barely had time to post on alt.comp.virus in Usenet.

    So why do antivirus companies sometimes see viruses before any users? Simple. The virus authors send them. The first time this happened was over a decade ago; it surprised me then. And we thought it through at that time. Do we just delete it, and pretend it didn't happen? If you've been sent a virus, and you think you're the only person in the world who has a copy of that virus, you can destroy it, and the world has one virus less. But if there's a chance that the virus author has, or will, release it in the wild, you have to build detection for that virus.

    Also, you have to give a copy to the other antivirus companies. Because we programmers made an agreement between ourselves that we wouldn't force users to buy three different products to detect three different viruses, that we wouldn't compete on the basis of "we can detect X virus and no-one else can". We'll compete on price, speed, accuracy, tech support, etc etc, but not by restriction of virus samples between trustworthy AV companies.

    So, once the virus author gives it to one AV company, all the AV companies have a sample (shortly after) and that virus might not be in the wild, and might never get into the wild. But you can't be sure. For this virus, we read that the virus author sent it to 14 AV companies.

    There's a separation in AV companies between the programmers, who do the virus analysis and coding, and the marketroids, who do the, uh, marketing. The marketroids are constantly trying to persuade people to buy AV software, the programmers constantly trying to hold them in some degree of responsible check. The programmers do have a degree of control, via mechanisms that we put in place a decade ago, but it's impossible to persuade anyone that when a new and technically interesting virus comes along, that people should not be told. You really can't, and shouldn't, try to keep a new and technically interesting virus, a secret. Of course, then the media get their paws on it, and blow up a scarestorm. How do we stop that? I don't think we can.

    I haven't seen or analysed this virus, but from what I've read, it does look A) technically interesting, and B) a complete pig to design detection for (detection means, you always spot the virus when it's there, and you never give a false alarm when it isn't). This virus is technically interesting because it's cross-platform. And it's a complete pig to detect because B.1) it's polymorphic, meaning if you put several samples side by side, there isn't any byte-string that you can be sure will be in all of them, B.2) it's metamorphic (meaning, it's horribly horribly polymorphic, even after you decrypt it you don't have any constant byte-string) and B.3) entry-point obfuscation (which means you don't even know where to start looking for the virus, all you know is that it might be somewhere in the file).

    The fact that the AVERT folks (McAfee) have admitted that this one virus will cause "a slight performance decrease" in the virus scanner, means that this is a significant virus; pretty much every virus causes a near-zero impact on scanning speed. I'd guess that "ActiveDAT technology" means "we've encoded some executable code in the DAT file which the scanner will run". In other words, they had to write a subroutine specifically for this virus.

    That's something that you don't expect to do more than once every couple of years or so.

    Next - can viruses infect Unix, despite the unix security system?

    Yes.

    First, I'd point out that Fred Cohen's doctoral thesis on viruses in 1986, was done using unix boxes. Viruses do not break system security. They infect wherever the system security allows them to, and that's sufficient for them to spread. I'm not expecting a sudden wave of infections on Linux boxes, but please don't think that viruses cannot work on Linux.

    One problem, is that the distinction between an executable and a data file is very grey. Try this simple experiment. Take a simple perl script, test.pl, and change the permissions to 400. Now try to run it. Unix security stops you. Now try running "perl test.pl", and it will run fine.

    And think about macros in documents. They will run even though the document has non-executable permissions.

    See, it doesn't matter that you can't infect ls or ps or df. All it takes is for you to be able to infect your own user-written stuff.

    And by the way, you can infect ls and ps and df. Every now and then, I log in as root, to do some maintenance-type thing, or install something. And while I'm root, if I run a virus-infected program, then the virus has root privilege, and can infect ls and ps and df and anything else it wants to.

    OK, so now we've established that you can infect your own software, let's consider damage. A Linux virus will be prevented from deleting the system files, or from formatting the hard disk, by the system. But since it's running with the same privilege that I (as an ordinary user) have, it has the same read, write and delete access to my data files that I have. And, of course, my data files are the only files with real value on the computer. The Linux system itself can be reinstalled in minutes.

    I've gone on too long already. I better stop before I write another book.
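The perl experiment in the post above, as an added example written here in Python (not the poster's code), with a one-line shell script and /bin/sh standing in for perl (assumption: sh is available on the machine; perl may not be). A mode 400 file cannot be executed directly, even by root, because execve requires an execute bit; an interpreter that merely reads the file runs it without complaint, which is the "executable versus data" distinction the post is making.

```python
import os
import shutil
import subprocess
import tempfile


def make_script(mode: int) -> str:
    """Write a one-line shell script into a fresh temp dir and chmod it."""
    path = os.path.join(tempfile.mkdtemp(), "test.sh")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho ran\n")
    os.chmod(path, mode)
    return path


def run_directly(path: str) -> str:
    """Ask the kernel to execute the file itself, as './test.sh' would."""
    try:
        proc = subprocess.run([path], capture_output=True, text=True, timeout=10)
    except PermissionError:
        return "blocked: EACCES"      # no execute bit: execve refuses, root included
    return "ran: " + proc.stdout.strip()


def run_via_interpreter(path: str) -> str:
    """Hand the file to the interpreter as ordinary input, as 'perl test.pl' would."""
    proc = subprocess.run(["sh", path], capture_output=True, text=True, timeout=10)
    if proc.returncode != 0:
        return "blocked: rc=%d" % proc.returncode
    return "ran: " + proc.stdout.strip()


def experiment(mode: int = 0o400) -> dict:
    """Run both attempts against a script of the given mode, then clean up."""
    path = make_script(mode)
    try:
        return {"direct": run_directly(path), "interpreter": run_via_interpreter(path)}
    finally:
        shutil.rmtree(os.path.dirname(path))


if __name__ == "__main__":
    print("mode 400:", experiment(0o400))   # direct blocked, interpreter runs
    print("mode 500:", experiment(0o500))   # both run, unless the temp dir is mounted noexec
```

The same distinction explains the limit of the "noexec" mount option another poster suggests for /home: it stops the direct path (execve) but not the interpreter path, since the interpreter only reads the file. The one thing mode 400 does buy is that a different non-root user cannot read the file at all, so for them the interpreter path fails too.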
  • "Antivirus companies NEED viruses, and they don't just happen."

    Before I started doing antivirus software, I ran one of the first data recovery companies, getting folks data off hard drives that didn't work any more. I didn't NEED viruses. When they happened, I decided it was something I wanted to get into.

    The first virus I saw (1987) was Brain (allegedly written in Pakistan, I have doubts about that). And it was A) interesting technically, and B) I guessed that this would become an increasing problem on PCs. Well, I was right, I wrote a great scanning engine (you expected modesty?) and we sold product to loads of people.

    I remember, in the spring/summer of 1989, a few months went by without any viruses appearing. There was a chap in the AV world I used to gossip with, and we talked about this. Have they stopped? Is it all over? About a dozen viruses, and that's it? It didn't occur to me, and I don't think it occurred to him, to "help things along" by writing a few viruses.

    Now, there's a few hundred each month.

    Incidentally, there are a few Linux scanners; that's what I was using to identify the Win32 viruses that people were inadvertently emailing me. NAI (McAfee) does one (porting the engine to Unix was my initiative, back when I ran the company that carried my name), so does F-Prot, so does Sophos, so does Norman and there's probably others. Some of these might still be beta; contact the companies to get the latest info. I think at least some of them might be free. Again, check for yourself.

    There might be some open-source scanners, but I don't know of any.

    "As for antivirus software? It is interesting that it often gets written BEFORE the virus is really discovered. "

    Would you care to give several examples of this, so that I can disagree? Because if you're correct, that's a very incriminating smoking gun, and worth taking to the police authorities of the country where it happened.

    Of course, you aren't referring to heuristics, which aim to work in a semi-generic way, or to entirely generic software (such as change-detection). And I guess you aren't referring to the fact that a detector for W32.nastyvirus.a might also detect W32.nastyvirus.b and .c, although not .d, because the explanation for that is pretty obvious - the viruses are very similar.

    Your statement seems to say that the detection for a specific virus is *often* written before that specific virus is discovered, and I'd like to hear some instances of this situation.

    Because my opinion is that this has never happened.
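The generic change-detection approach mentioned above (as opposed to a per-virus detector), as an added example that is neither the poster's nor any vendor's code: a baseline of SHA-256 digests, sizes and modes for every regular file under a directory, and a comparison that reports added, removed and modified files. Timestamps are deliberately not part of the fingerprint, because the AVERT description quoted earlier in this thread notes that file dates are left unchanged by the infection. The sample tree and the change made to it are constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """Content digest plus the metadata worth tracking; mtime is left out
    because it can simply be put back after a file is rewritten."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def baseline(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                db[os.path.relpath(path, root)] = fingerprint(path)
    return db


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into added / removed / modified path lists."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in common if old[k] != new[k])}


def save_baseline(db: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: three stand-in 'binaries'; one is rewritten in
    place with its size and mtime preserved, and one new file appears."""
    root = tempfile.mkdtemp()
    try:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps", "df"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"\x7fELF-" + name.encode())     # not real ELF, just sample bytes
        before = baseline(root)

        target = os.path.join(bin_dir, "ps")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"\x7fELF-PS")                      # same length, different content
        os.utime(target, (st.st_atime, st.st_mtime))    # put the timestamp back
        with open(os.path.join(bin_dir, "extra"), "wb") as f:
            f.write(b"new")

        return compare(before, baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the thread itself. The baseline has to be kept where the files being watched cannot reach it (read-only media or another host), since anything running with enough privilege to rewrite ls, ps and df can rewrite a baseline stored beside them. And a change detector only tells you that something changed, not what; it is the generic complement to, not a replacement for, the per-virus detection the post describes.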

"May your future be limited only by your dreams." -- Christa McAuliffe

Working...