First IA64 Windows Virus Released

Posted by CmdrTaco
from the that-didn't-take-long dept.
NinjaPablo writes "W64.RugRat.3344 has been released as a proof of concept virus. It is the first virus which will only run on Windows on the IA64 platform, and uses APIs from 3 native DLLs to avoid crashing applications. It infects files that are in the same folder as the virus and in all subfolders. The author of the virus has also written other concept virii in the past."
  • A toast... (Score:5, Funny)

    by BJZQ8 (644168) on Thursday May 27, 2004 @01:09PM (#9268366) Homepage Journal
    Here's to a long and fruitful future for Win64 viruses...
  • by hp46168 (740846) on Thursday May 27, 2004 @01:10PM (#9268388)
    I for one, welcome our new IA64 Win32 Script Kiddy overlords.
  • so... (Score:5, Funny)

    by pb (1020) on Thursday May 27, 2004 @01:10PM (#9268389)
    Now we hunt him down and execute him, right?
  • by prostoalex (308614) * on Thursday May 27, 2004 @01:11PM (#9268404) Homepage Journal
    1) The virus uses native DLLs - it should've used .NET managed code to avoid common memory leaks and other mistakes
    2) The virus does not run on 32-bit platform - so no chance of getting "Windows XP Compatible" logo.
    3) The virus does not take advantage of the latest Longhorn, Avalon and Indigo features.

    Overall, the work is impressive, but I am waiting for more robust and efficient viruses.
    • There's also

      4) The virus doesn't also support x86-64, so it's not as CPU-independent as 64-bit Windows is.
      • by W2k (540424)
        In other words, we happy AMD owners are safe. Yay! Unfortunately, IA-64 is so unpopular among consumer users (the ones who are likely to be sloppy with their anti-virus protections and fall victim to this sort of thing) that future viruses for 64-bit Windows will likely be targeting the x86-64.
    • by PetoskeyGuy (648788) on Thursday May 27, 2004 @01:34PM (#9268748)
      2) The virus does not run on 32-bit platform - so no chance of getting "Windows XP Compatible" logo.

      Too bad about the logo, but it can work on 32 bits...

      From the Article
      Note: A true 64 bit machine is not required for this virus, as it can be run on a 32 bit machine using 64 bit simulation software.
      So just get your 64 bit emulator running and you too can enjoy tomorrow's viruses today!
  • by King of the Trolls (740328) on Thursday May 27, 2004 @01:12PM (#9268414)
    Iii neverii getii anyii virii. Itii mustii beii painfulii toii runii windowii.
  • by gsfprez (27403) on Thursday May 27, 2004 @01:12PM (#9268418)
    that 64 bit viruses are twice as powerful as 32-bit ones?
  • by Anonymous Coward on Thursday May 27, 2004 @01:13PM (#9268421)
    Argh.

    To try to stall everyone's almost certain flamewars regarding the correct plural form of virus, let me propose a new word.

    Virusesii.

    There, now everyone can use it, okay?
  • by WillAJ (716404) on Thursday May 27, 2004 @01:13PM (#9268428)
    IA64 Windows was the first. (Someone had to say it)
  • by Flashpot (773365) on Thursday May 27, 2004 @01:13PM (#9268432)
    a hole in the "people write virii for it because it's the biggest target" argument for the proliferation of Windows virii?
  • ah, me (Score:5, Funny)

    by abscondment (672321) on Thursday May 27, 2004 @01:14PM (#9268441) Homepage
    A true 64 bit machine is not required for this virus, as it can be run on a 32 bit machine using 64 bit simulation software.

    Yes! You're no longer limited to slowing your computer by simulating an architecture you don't have--you can run their viruses, too!

  • by ZosX (517789) <.moc.liamg. .ta. .suivaxsoz.> on Thursday May 27, 2004 @01:15PM (#9268452) Homepage
    So what are the legal implications of writing viruses?

    Could the DMCA be invoked in such a case?

    Or is it only illegal when they are executed and allowed to spread to the wild?

    Just some questions.

    Feel free to respond, thanks.

    • In order for this to be a breach of the DMCA, he would have had to break a digital security measure.

      Seeing as this is Windows, it was less of a security measure and more of an invitation.
    • So what are the legal implications of writing viruses?

      Legal implications? C'mon, this is the real world, not the mirror and smoke universe of regulators and lawyers.

      It would be fun to see a virus/worm attacking the legal system itself. Kind of SCO. DDoSing courts, generating silly and contradictory jurisprudence and prompting for even more dumb laws and regulations until the judicial system comes to a grinding halt.

      How would you reboot Justice then? Would we need a foreign power to invade us and pr

    • by prat393 (757559) on Thursday May 27, 2004 @02:54PM (#9270017)

      Umm... the DMCA doesn't really have anything to do with this; no copy-protection procedures have been circumvented, so no copyright violations have occurred here. In point of fact, the virus author hasn't broken any laws by writing and releasing this virus, assuming he hasn't been using it to damage any systems out there (besides his own).

      Of course, if he actually were to try and damage someone's box with this virus he might have a hard time of it, since all it does is spread itself throughout the system... you get a minor to major slowdown and increase in file sizes, which can cause other things to break, but it's not very likely.

  • by CarrionBird (589738) on Thursday May 27, 2004 @01:15PM (#9268456) Journal
    Then that 64 bit OS might actually get out the door sometime this decade.
  • by twofidyKidd (615722) on Thursday May 27, 2004 @01:16PM (#9268468)
    We should have him executed, and collect the $1million+ he's worth.
  • by mikael (484) on Thursday May 27, 2004 @01:17PM (#9268484)
    Virus researchers have just announced that they developed a proof-of-concept virus that can spread on a 256-bit operating system that has yet to be designed.

    According to a spokesperson who didn't wish to be identified, this had been the most infectious virus that he had seen in the twenty years of his career and had also proved to be the worst to remove. He also recommended that all users should immediately buy the latest version of Anti-Virus-Sponge-Sentinel, which would mop up all traces of the virus before it reached the system.
  • Virii (Score:5, Funny)

    by NinjaPablo (246765) <ninjapablo@@@smashtech...net> on Thursday May 27, 2004 @01:18PM (#9268495) Homepage Journal
    I apologize for my horrid use of the word 'virii', and accept the standard and proper word, 'viruses'.

    Must not have had enough coffee when I submitted that...
  • wow--oldskool (Score:5, Insightful)

    by Anonymous Coward on Thursday May 27, 2004 @01:18PM (#9268508)
    This looks pretty oldschool... no stupid RPC nonsense or VBScript, it's a virus that infects other programs, and is spread by copying infected executables around. Just like the old days with MS-DOS viruses passed around on BBSes.

    Incidentally, you could probably limit your vulnerability if the program was installed by an Administrator but only run by users without write permission, or if you removed write permission from programs that you run in your own folders.

    The really cool thing is that it's written in IA64 assembly code. That sounds like quite an impressive feat. From what I hear that is far worse even than the PPC64 assembly code I usually write.
    • Is PPC64 assembly that bad? I am just getting started on PPC, but it looks like a decent ISA to me, much unlike crufty old x86, or new-cruft-on-old-cruft x86-64.
    • Wow, yeah. And the even cooler thing is that these old techniques work perfectly fine on your average GNU/Linux or BSD system. (make install, .deb/RPM install scripts, etc.) I wonder when we'll move on to something better, like ZeroInstall.
  • by Anonymous Coward on Thursday May 27, 2004 @01:22PM (#9268567)
    Read the details, there's nothing special to see here. This isn't a worm, it doesn't gain root/admin access and it doesn't exploit any vulnerabilities of the platform. It requires "direct execution" (i.e. the user has to run it manually). It's just a good old fashioned virus that inserts code into an exe. The proof of concept is that Windows leaves exes writable by default. You can prevent it by not making your application folders writable from userland, which is what any good admin should be doing anyway.

    "The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section and a random number of bytes are appended to the end of the virus body."
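The infection routine quoted in the comment above (last section flagged executable, virus body placed in it, extra bytes appended) implies two file-level traits a defender can look for without a signature. The following is an added example written for this page; it is not code from the post or from the article it quotes. It parses the PE section table, flags a file whose last section carries IMAGE_SCN_MEM_EXECUTE without IMAGE_SCN_CNT_CODE (a data section that somehow became executable), and reports any bytes trailing the last section. The two sample executables are constructed inside the script (minimal PE32+ headers with IMAGE_FILE_MACHINE_IA64 and no real code); the heuristic is an illustration derived from the quoted description, not any product's detection logic, and legitimate installers and packed files will trip the overlay check.

```python
import struct

# PE section characteristic and machine flags (values from the PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_MACHINE_IA64 = 0x0200
FILE_ALIGNMENT = 0x200


def parse_sections(data):
    """Return (machine, [section dicts]) read from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section headers start right after the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "raw_ptr": raw_ptr, "chars": chars,
        })
    return machine, sections


def scan(data):
    """Heuristic derived from the quoted routine: executable last section plus trailing bytes."""
    machine, sections = parse_sections(data)
    last = max(sections, key=lambda s: s["raw_ptr"])  # last section by file offset
    image_end = last["raw_ptr"] + last["raw_size"]
    overlay = max(0, len(data) - image_end)  # bytes the section table does not account for
    # A linker marks code sections CNT_CODE; an executable last section without that
    # flag is a data/resource section that was made executable after the fact.
    exec_last = bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE) and not (last["chars"] & IMAGE_SCN_CNT_CODE)
    return {
        "machine": machine,
        "last_section": last["name"],
        "exec_last_section": exec_last,
        "overlay_bytes": overlay,
        "suspicious": exec_last,
    }


def build_pe(section_specs, overlay=b""):
    """Construct a minimal PE32+ image for IA64 (constructed test data, not a real binary)."""
    nsec = len(section_specs)
    opt_size = 0xF0  # size of a PE32+ optional header
    hdr_end = -(-(0x40 + 4 + 20 + opt_size + 40 * nsec) // FILE_ALIGNMENT) * FILE_ALIGNMENT
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_IA64, nsec, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic; other optional-header fields stay zero
    headers, body, raw_ptr, vaddr = b"", b"", hdr_end, 0x1000
    for name, chars, payload in section_specs:
        raw_size = -(-len(payload) // FILE_ALIGNMENT) * FILE_ALIGNMENT
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), vaddr,
                               raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += 0x1000
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(hdr_end, b"\0")
    return image + body + overlay


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, and the layout the quoted routine would leave behind
CLEAN_PE = build_pe([(b".text", CODE, b"\x90" * 32), (b".data", DATA, b"A" * 16)])
INFECTED_LIKE_PE = build_pe(
    [(b".text", CODE, b"\x90" * 32),
     # stand-in body ("V" bytes) parked in the data section, which is now flagged executable
     (b".data", DATA | IMAGE_SCN_MEM_EXECUTE, b"A" * 16 + b"V" * 64)],
    overlay=b"\x00" * 37,  # stand-in for the random number of appended bytes
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PE), ("infected-like", INFECTED_LIKE_PE)):
        print(label, scan(sample))
```

The check keys on the section flags rather than on content, so it survives the appended random bytes that would defeat a plain hash; the cost is that the overlay figure alone means nothing (self-extracting archives and signed installers carry overlays routinely), which is why only the executable-data-section condition drives the verdict.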
  • by Jugalator (259273) on Thursday May 27, 2004 @01:23PM (#9268569) Journal
    Showing that you can write viruses for 64-bit system?

    Oh my god, I would never have thought that was possible! How can it be!? Mind boggling indeed! But it's great virus writers develop concept viruses to show us these amazing tasks that were previously thought impossible can actually be done!!
  • by BigFire (13822) on Thursday May 27, 2004 @01:23PM (#9268582)
    I'm still waiting for the fabled Open Source Cross Platform Virus [bbspot.com] that can be delivered to all mail systems. Sure, it requires the recipient to uncompress and compile the virus, but it can hit ALL platforms.
    • Fsck that, just code it in Java or Python or some other interpreted language that most people already have the interpreter for.

      Actually, a Python e-mail worm might not even be hard to code: batteries included + low linguistic security = evil, evil fun.
    • by lpangelrob2 (721920) on Thursday May 27, 2004 @02:26PM (#9269462) Journal
      And people say Macs are hard to get viruses onto...
      bash-2.03$ tar -xf oscpv.tar
      ./configure
      Remove home directory? (Y/N) Y
      Enable spam zombie module? (Y/N) Y
      Install keylogger? (Y/N) Y
      Profit? (Y/N) N
      bash-2.03$ make install
      bash-2.03$ make
      Must release this and take over the world!!! Latest version of make required.
  • So is this how virus writers get away with it, just call it a "proof of concept"? Gee, thanks, but I really don't think there was any question at all that it could be done...
  • by teslatug (543527) on Thursday May 27, 2004 @01:27PM (#9268640)
    The release is followed by a proof of concept jail sentence ;)
  • by Anonymous Coward on Thursday May 27, 2004 @01:27PM (#9268642)
    Of course I'm referring to total amount of Itanium users out there.
  • by AmishSlayer (324267) on Thursday May 27, 2004 @01:32PM (#9268703) Homepage
    W64.Rugrat is a fairly simple proof-of-concept virus. However, it is the first known virus to attack 64-bit Windows executables on IA64 systems intentionally, and it does so successfully. The virus uses a handful of Win64 APIs from 3 different libraries, NTDLL.DLL, SFC_OS.DLL and KERNEL32 respectively.

    From NTDLL.DLL the virus uses the following 3 functions: LdrGetDllHandle(), RtlAddVectoredExceptionHandler() and RtlRemoveVectoredExceptionHandler(). The virus supports vectored exception handling to avoid crashing during infections.

    Yes, the virus uses three DLLs. It also uses a routine to avoid crashing itself while infecting the machine... it does not look like the virus cares about crashing other applications.

    The thing to pay attention to here is that this is a fault tolerant virus. I have seen more and more effort lately (Sasser for example avoids shutdowns to help it propagate) from authors trying to make their creation survive.
  • by stratjakt (596332) on Thursday May 27, 2004 @01:34PM (#9268732) Journal
    And why is it a shock that a virus can be written for either?

    When palladium comes out and someone writes a virus that can escape its sandbox, infect executables (which I'd imagine would involve resigning them) and spread, I'll be impressed.
  • by RelliK (4466) on Thursday May 27, 2004 @01:37PM (#9268784)
    aha! So that's what delayed the release of windows for amd64: it was not compatible with old viruses. Now that this obstacle has been overcome, how long until the release?
  • by musikit (716987) on Thursday May 27, 2004 @01:41PM (#9268826)
    "Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched."

    someone must have mistyped that from this...

    "Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if a certain browser's vulnerabilities are not patched."
  • by CdBee (742846) on Thursday May 27, 2004 @01:45PM (#9268883)
    I would like to protest that although this is technically a 64-bit virus, it does not run on the more common and widely accepted Powermac G5, instead choosing to support only a badly kludged extended win32 API.
    Does anyone know of a 64-bit version of Bochs or VirtualPC which would let me run this new and interesting piece of code in emulation?
  • Flame Central (Score:4, Insightful)

    by gillbates (106458) on Thursday May 27, 2004 @01:49PM (#9268940) Homepage Journal

    Okay, just to collect all of the Microsoft trolls in one thread:

    How can Windows ever be secure when exploits are released before the OS is available?!

    It seems to me that Microsoft can't design a secure OS. After talking about security for more than 2 years, their latest incarnation is even less secure on its release date than Windows 95!

    Microsoft: the Day Zero Exploit(tm) company

  • Wait a minute - I thought MS wasn't going to release a version for IA64? Is this some kind of joke or have I been making love too much to hear the news?
  • by crawdaddy (344241) on Thursday May 27, 2004 @01:55PM (#9269015)
    To all those saying that a proof-of-concept virus is still a virus and that this guy is doing a disservice to the world by writing one, I'd like to give an alternate way of viewing it. Writing proofs of concept that aren't spread in the wild (like the other viruses mentioned in the second link) helps anti-virus groups in advancing knowledge on current/new techniques that may not have been known about or considered in the past.

    IANAVWOAVG, though (I Am Not A Virus Writer Or Anti-Virus Guy)
  • by dioscaido (541037) on Thursday May 27, 2004 @02:06PM (#9269160)
    People seem to be missing a major point here. This file doesn't do anything fancy, it just reads files and 'infects them'. There are no indications that this 'virus' is bypassing any kind of system security.

    From the article:
    "The SfcIsFileProtected() function of SFC_OS.DLL is used to avoid infecting executables that are protected by SFC (the System File Checker)."

    Any sensible XP64 installation would not allow system files to be write accessible to anyone but the Administrator.

    It's as if I wrote a C program that used fopen() and write() to destroy files, then declared I wrote a virus for Linux. Whoo hoo.
