Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug

Cross-Platform Pseudo-Virus: Don't Panic 202

spam-it-to-me-baby writes: "It's only based on one reported sighting (i.e. it could be bulls**t), but anti-virus software hacks Central Command say they have found the first Windows/Linux cross-platform virus. It appears only to be a proof of concept with no malicious payload, and targets Windows PE files or Linux ELF files once it recognises the infected OS." There are stories at CNET and at Wired as well, not to mention at NewsForge. Despite the Wired story causually saying so, though, this is anything but an "equal opportunity" virus, except in that it seems to infect multiple media sources without discrimination. When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?
This discussion has been archived. No new comments can be posted.

Cross-Platform Psuedo-Virus: Don't Panic

Comments Filter:

  • When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Every day. I have not personally looked at the source for the vast majority of the daemons I use on all my linux boxes.
    --
    Give a man a match, you keep him warm for an evening.

  • by Jethro73 ( 14686 ) on Wednesday March 28, 2001 @05:15AM (#334508)
    An article from Reuters about it:

    Reuters [yahoo.com]

    Central Command says it has developed a cure for the virus at its Web site (Avx.Com [avx.com]).

    Jethro
  • but people more paranoid than both you and I sure have, and where would we be without the paranoids?
    ---
  • RedHat has two links on their front page at redhat.com [redhat.com]. Maybe they got scared, although there really isn't anything to be scared of with this particular virus. It is kind of cool that it afflict PE and ELF files.
  • Are thse daemons *.EXE files that can also run as a windows executable? No? I didn't think so.
  • As far as anyone can tell, this code does not propagate itself over the internet at all. It spreads to other applications on the same machine. That means only computer labs are vulnerable - Linux computer labs in which everyone gets root access, and I don't expect there are very many of those.

    When was the last time you copied a binary executable from one Linux machine to another, and then ran it on the second machine as root?

    Code that has to be spread manually is not a "virus." Code that exists only on one machine (!) is not a virus. This code is as much a "virus" on Linux as that text: "hi, I'm an email virus, copy me into your sig!" Reporting it as a "virus" is very irresponsible of Reuters.

    Jamie McCarthy

  • When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Well, I haven't been getting enough sleep lately...

    "You want me to what? Okay sure. But then can I sleep?"

  • Forgot to mention the Intel preference for this virus -- it doesn't infect Sun hardware... how about AMD?

    Jethro
  • "Wide Open" reported it, not RedHat. That's a news grabber.

  • by bonzoesc ( 155812 ) on Wednesday March 28, 2001 @05:19AM (#334516) Homepage
    Rumor has it that the virus is spread by upper management, so let's look at the source:

    GET FREE MONEY!!! You can get a lot of FREE MONEY if you send this file to everybody in your address book and delete all the files on your computer! Do it! All the cool people are doing it!!!!

    Tell me what makes you so afraid
    Of all those people you say you hate

  • when I see it. Besides different file systems inherent in the two OS's, they have different enough hierachial architectures that something that will affect Windows one way will not affect Linux in the same way. Any virus will become malicious if the user is irresponsible wiht their own system (e.g. logging in as root).

    There are no bad virii, just bada users.

  • The article says that the virus is licensed under the GPL, so doesnt that mean it should infect all your executables with the source code as well, since the GPL states that you should be able to get the source in the same manner that you get the binaries.
  • by swb ( 14022 ) on Wednesday March 28, 2001 @05:20AM (#334519)
    When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.

    I definitely see less-sophisticated users running a Windows and Linux combo trying out a "cool win/linux app!" that their friends sent them. God knows that a major portion of morons where I work, in SPITE of the long history of trojans/viruses/general maliciousness via email will without question run .exes they get in the mail, especially if there's any chance of seeing a little skin or some cuss-filled animation.


  • ... the VBS/Word virus?

    Used the scripting features in all versions of Word on both Windows and Macs.
  • http://benny29a.cjb.net/
  • Why use binaries when there is the Source? Except for some non-opensoftware I am interested in, 99% of my machine works on homebuilt binaries, directly from source. Not only are these binaries optimised for my particular machine, I am also able to tweak things in the source myself.
    I have yet to see a virus which infects .c files.
    Apart from that: just take all binaries you use from sites you trust (eg. Netscape from http://www.netscape.com, Blender from http://www.blender.nl).
  • I would guess it would take to AMD, but PowerPC systems should be OK.
  • Portable Executable (Format)
  • by FreeUser ( 11483 ) on Wednesday March 28, 2001 @05:25AM (#334525)
    While only an idiot runs mystery software as root on a *nix system, what happens when you dual boot into Windows to play that favorite game or run that beloved flight simulator? At this point you *are* essentially running everything as "root", and Linux filesystems are potentially just as accessible and corruptable as windows filesystems (assuming the virus is smart enough to parse the inode map, or a ext2win type driver is loaded in windows).

    The infection vector for Linux software may be more via the windows dual-boot option so many of us keep around, rather than the clueless newbie running a downloaded executable as root. If the virus author chooses a target intelligently, one which runs as root by default (for example, say, "getty" or "X"), your Linux system could well become a warren of virial activity no matter how secure the Linux portion of the configuration is.

    Using an encrypted filesystem, inaccessible under windows, might prevent this sort of contagion, but of course that wouldn't prevent the windows incarnation of the virus from simply trashing the encrypted data and destroying the Linux installation outright.

    The upshot is, if you have Windows installed on your system, and use it in any kind of promiscuous fashion (which, for an operating system as insecure as Windows must include having any kind of connection to the internet), any data anywhere on the hardware is at risk, and all the security Linux or FreeBSD offers you is for naught.
  • Correct. Sorry. I meant RedHat posted it. Not actually found the virus and was the first to break the news.
  • I would assume that you downloaded all these daemons from reputable sources not as email attachments. This is also why most software is pgp signed.

  • Consumer versions of Windows are different from linux in that you don't have to type in a login/password on boot up. For most people, they want to avoid this.

    For linux you have to, so you might as well create other non-root users.
  • by jjohn ( 2991 ) on Wednesday March 28, 2001 @05:29AM (#334529) Homepage Journal

    W32.Winux contains internal text strings. It also contains the following text: ?[Win32/Linux.Winux] multi-platform virus by Benny/29A? and ?'This GNU program is covered by GPL.?

    It appears that the Free Software Foundation's message has finally reached the cracker community.

  • by Stormie ( 708 ) on Wednesday March 28, 2001 @05:30AM (#334530) Homepage

    Code that has to be spread manually is not a "virus."

    It doesn't have to be spread manually. Read the analysis - it searches for Windows PE exes and Linux ELF exes and infects them.

    However, the analysis states that this virus only searches for and infects executables in its own directory and parent directories. This to me seems fairly harmless. If you were emailed a program infected with this virus, it would surely only infect your temp directory (and root dir, but who would have executables there?) And as you say, this one doesn't propogate over the internet, so the only way you're likely to catch it is running an infected prog emailed to you.

    But as they say.. it's a "proof of concept". Where I work, we had a hell of a time with a virus that checked machines in the network neighbourhood for open shares (this was a Windows virus of course) and then searched them for executables to infect. Watch for a virus which can infect Windows exes and Linux ELF exes like this one, but which also aggressively searches shares, NFS mounts, etc. for more files to infect.. that might be something to take more seriously..

  • "
    Spread Method : by infecting files under both Windows and Linux operating system
    "

    So it infects files by infecting them, eh?

    Come on guys, at least make it look convincing, even if it is real...

    THL.
    --
  • OK, this is what we all expected, didn't we? Since Linux is by now so easy to use that even the dumbest wannabe-admin can have a go, the chance of survival for Linux-related viruses has grown by something. I'm sure there are quite a lot of people who ALWAYS log into their Linux-boxes as root because, well, it can be quite a pain not to be allowed to touch, read, change all of the files... I've seen Linux systems which were so tightly administered that they required root-rights to start a filemanager. But on the other hand, the guy working on these boxes never used an account other than root, as he didn't want to have to switch users all the time. So it goes... Even the best and most virus-proof OS fails if the operator using it is incompetent - or just lazy. I never switch on my computer - that's how I know it's virus-free :o)
  • by Anonymous Coward on Wednesday March 28, 2001 @05:31AM (#334533)
    A cross-platform virus that is spread initially through standard Microsoft Outlook or Word but knows how to probe for weaknesses in Unix servers.

    Then it can replicate itself into every .doc file on the server, as well as root the servers for later nastyness. Yikes, makes my skin crawl just thinking about it.

    Most people focus on hardening their externally visible servers, not the ones in the back room that are invisible to the outside world. Now we've got to worry about any server reachable from anything that runs Outlook or Word.

    Arrg.

    -- ac

  • by Anonymous Coward
    As long as you are carefull on what you exec, and you make use of wonderfull tools like:
    LIDS
    Tripwire
    Logcheck
    Portsentry
    etc.
    etc.
    etc.

    You have a big chance of stopping or in the worst case, minimize the impact of many, many, many possible "linux virus" that may appear now or in the future.

    And, for your daemons, services, etc., you can always search the code for something suspicious.

  • Some idiots have been pestering newsgroups with javascript based posts. This is cross platform and any browser/newsgroup reader that is javascript enhanced will be stung by it. So far it's only pop-up mail and pop-up browser windows but be careful if you have javascript turned on and you read newsgroups.

    DanH
    Cav Pilot's Reference Page [cavalrypilot.com]
  • by Mercenary ( 4036 ) on Wednesday March 28, 2001 @05:32AM (#334536) Homepage
    Fair enough, claim that only "idiots" run unknown software on their box, and that because you are so 133t, you compile all software you use.

    Which proves what? That you've compiled some software, and *then* run it.

    Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm? Sure it wasn't a trojaned source you downloaded (The server could have been hacked right?)

    Just because you compiled from source, doesn't mean your newly-created binaries are therefore perfect and couldn't *possibly* contain a trojan of some sort.
  • Fortunately, most people who dual-boot their systems between Linux and Windows are smart enough to recognize the risks involved in running viri. If you can set up two OSes to work on one computer, surely, you can install some sort of defense against viruses, be it a virus scanner, only downloading from known good sites, and other tactics. If not, then you are just asking for trouble.

    Tell me what makes you so afraid
    Of all those people you say you hate

  • Did anyone read the CNN article? They mention the virus is written a "Primitive" langauage called assembly. Um, eventually all programs are written in this language. I just found it funny that this article seemed to be written for either the housewife at home or the executives neither of which knows better. Being that it is in assembly, my guess this only works on intel only architectures and you would have to be dumb to double click on an unknown file. Oh wait, that has already been proven to be a normal thing for people to do.
  • To be "proof of concept" there needs to be proof.
    I have yet to see proof, only rumour.

    Yes, I am a cynic, do you have a problem with that?

    THL.
    --
  • by pixelix ( 169806 ) on Wednesday March 28, 2001 @05:35AM (#334540) Homepage
    Smells very much like an early April Fool.
    --
    jambo
    system.admin.without.a.clue
  • Last time I looked there were 5 known Linux viruses (including variants). None of them had t0rn as a payload, so they didn't actually do much harm, and none of them managed to propogate out of control like the recent bubble-boy onwards Windows stuff.

    THL.
    --
  • by Anonymous Coward
    http://benny29a.kgb.cz/viruses/winux.msg
  • by kaphka ( 50736 ) <1nv7b001@sneakemail.com> on Wednesday March 28, 2001 @05:37AM (#334543)
    Code that has to be spread manually is not a "virus."
    Sigh... well, I guess it's finally time for me to stop clinging to the proper usage of the terms "virus" [tuxedo.org], "worm" [tuxedo.org], and "trojan" [tuxedo.org]. I got all excited when I saw this article, because it was the first time in years that I had heard of a real virus, and not just another trojan or worm... and sure enough, I see arrogant slashdotters (-1 redundant) complaining about it.

    Fine, I give up. Language evolves. But you're still getting smacked if I ever hear "worm virus" again.
  • #!/bin/sh
    #save this as 'thisiscool.sh' and email to everyone
    rm -rf /home/*/*.jpg
    echo thanks for running my first Virus


    it removes all your jpegs, and spreads by mean people convincing stupid people to run this shell script. this viruis mostly hurts people you don't like.
  • This is no more than an Anti-Virus software vendor getting free publicity, trying to score brownie points over their competitors.
  • I forget the exact details, but some bloke demonstrated a trojaned compiler that would recognise that it was compiling the source to login, and insert a back door.

    It would also recognise when it was compiling its own source, and insert the code to insert the backdoor in login...

    Read the source all you like - the ultra-paranoid cannot even trust that :-)

    Cheers,

    Tim
  • You wouldn't need to infect the .c files, just the Makefile. :)

    Actually, considering all of the automated tools that are commonly used in the build process, (GNU autoconf, awk, flex, bison), I'll bet you could a write a source code virus... true hackers would never be affected, but someone who just downloads the .tar.gz file and blindly types './configure && make && make install' could easily have problems. How hard is to edit the 'configure' shell script to put a "stupid people" virus in it?

  • Why in the world would you ever leave Javascript on for mail and news? You're practically begging to be rooted/pestered. It's just a bad idea to automatically run code from anonymous sources, even if it is supposed to be "safe". Besides can your tell me one legitimate reason to embed Javascript in an email or news post?

    Down that path lies madness. On the other hand, the road to hell is paved with melting snowballs.
  • I guess I'll compile by hand from now on... (reads C, outputs assembly, repeats)
    New version of GNOME??? I give up.

    Tell me what makes you so afraid
    Of all those people you say you hate

  • ...but I would venture to say that most original viruses began as a 'proof of concept.' While this is all fine and good, the code inevitably seeps out to bored, frustrated, or extreme individuals. These people waste no time incorporating some kind of malicious intent into creative code. I imagine we'll see some zealot take ahold of this, make it damage Windows machines while displaying a colorful message to Linux users like 'aren't you glad you use Linux?' Of course, this may be pushing it but how many times have we seen this progression before?
  • When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

    Uh pretty often. I don't care too much about security, so often I do all my work in root. But then I've never gotten a virus (both on Windows and Linux side), so I'm sure I'm not as paranoid as I could be.

  • I guess you were not really around when viruses were mostly spread by floppies? Was that really all that long ago?
  • by Foochar ( 129133 ) <foochar&gmail,com> on Wednesday March 28, 2001 @05:49AM (#334562) Journal
    It was Ken Thompson in an implementation of a C compiler. His paper on it can be found here [acm.org].
  • by Anonymous Coward
    So installing the new 3l337 version of "/sbin/init" that someone sent me isn't a good idea then?
  • by Anonymous Coward on Wednesday March 28, 2001 @05:51AM (#334565)
    Only one problem I seee with this logic. When in windows, can you see an ext2 partition on the same drive? NOPE! Windows can't see ext2. The more dangerous one would be if you were logged in as root with your windows drives mounted. Then, you'd infect both partitions. So, if your in windows and get it, not a huge deal. You'd only loose Windows stuff. Personally, I can't see WHY someone would want to write a virus, especially one for Linux since anyone who knows anything about Linux will figure out WHY it's not a good idea to do certain things as root. It only takes one fug up and you will remember that for the rest of your life as you kick it in your head while watching your filesystem go bye bye!! :)
  • by Valdrax ( 32670 ) on Wednesday March 28, 2001 @05:51AM (#334566)
    You know that there have been Mac viruses before. There's about 40-50 or so non-Word macro viruses. The reason you don't see as many of them is that the Mac hasn't been as friendly to casual programmers as DOS and Windows have been, and the market penetration is lower. Thus, there are less people messing around with non-professional programming on the Mac who would get the virus-writing urge. It's lack of market penetration has also made it less desireable of a target.

    There is no inherent safety to the Classic Mac OS that prevents viruses at all. In fact, the use of shared global memory resources, non-existant memory protection, and nearly non-existant file protection makes it very unsafe. It's just secured by obscurity.

    Mac OS X will have all the same strengths and weaknesses of a UNIX system. Unfortunately, the UNIX layer makes basic worm and virus writing easier since the APIs are better known by more people. It won't be long until the first Mac OS X viruses begin propogating. I don't think we'll ever reach the level of DOS/Windows in its heyday, but don't kid yourself into thinking that the Mac is, has been, or ever will be completely immune from rouge code on the system.
  • Hey, I meant no disrespect - it was merely that my lack-of-sleep addled brain couldn't remember his name :-)

    Cheers,

    Tim
  • To be "proof of concept" there needs to be proof. I have yet to see proof, only rumour.

    Ah, fair enough. OK, if it's not a proof of concept, it is surely at least a concept. And since it is a concept which seems to me to be perfectly possible, I'm sure that even if this virus is not genuine, other virus-writers will pick up the concept and one day soon there will be one that is.

    Yes, I am a cynic, do you have a problem with that?

    Not at all.. it's just that there is such a strong Slashbot response to scream "LIES!" whenever the words "virus" and "Linux" are mentioned in the same sentence. It irritates me, and if I'm irritated, I might not be thinking clearly, and might mistake cynicism for zealotry.

  • (and root dir, but who would have executables there?)

    Think COMMAND.COM

  • (moderators - kick the parent AC up)

    You can see an ext2 partition on the drive - Windows doesn't have the built in tools to parse the stream of data as a filesystem, but it is possible to write a win9x program to directly read the disk and interpret the filesystem for itself. In WinNT, there are third-party drivers to read ext2 partitions just like another mount.

    Tell me what makes you so afraid
    Of all those people you say you hate

  • Oh, come off it. This is an executable infector. It can only infect an executable you have 'write' permission too. This is not the uber 'it infects your compiler, and infects every program your compiler compiles thereafter' type virus. If you aren't clueless and don't download random executables from untrusted sources and run them as 'root', you should be fine.

  • NT definitely had this problem, but Win2k seems to have solved it (mostly). I used to run as an admin on NT 4, but now I run as a power user on Win2k. The "RUNAS" command line tool lets me do exactly what you suggest - run a command as another user, ie the local admin. (And it lets you run a new shell if you want too.)

    There's also the massively non-obvious-but-documented-if-you-know-where-to-lo ok feature that if you hold down shift while right-clicking a program (or something like that) the Explorer will let you do a run as.
  • by DarkMan ( 32280 ) on Wednesday March 28, 2001 @06:11AM (#334586) Journal
    Slightly OT, but just had a thought.

    Your not allowed to redistribute a GPL program, unless you agree to the liscence (Basic copyright).

    If you redistribute a GPL'd binary, you have to (at leat) have the source available freely, to those who you pass the binary on to.

    Does this mean that if I infect someone with the virus (deliberatly), I must give them the source, on request? (Answear: Yes)

    What if I give them the binary, unwittingly?

    What if I intend to give them a different program (e.g. xbill) that is infected. The source is requested, then I give them the xbill source. But that's not the source for the binary - does this mean the GPL cannot be upheld in this cricumstance?

    Extremly icy ground, and prbably best handled by lawyers, (one of which I am not), but even so, food for thought.

    Stuey!
    --
  • Furthermore it's probably quite possible to have an Administrator-enabled NT trojan that uses the disk manager API to search for and destroy ext2 partitions.
  • Remember, this is written in ASSEMBLER. Assembler is the level BELOW compiled code. So if you can do it in compiled code, you can do it (albeit with some difficulty!) in assembler. The file systems are different? OK then, it'll have two separate parts then, one for each OS. Not a problem, it just has to know how each file system constructs its files.

    The key thing though is that it can ONLY affect PCs. Other platforms are completely immune - they speak another language entirely (although they may crash when fed a bit of code which looks like total garbage to them). Chances are (from the article) it's specific to Intel Pentiums and above, too, so AMD may be immune as well. Interestingly, it's not really a virus either, since it doesn't attempt to provide a transmission vector to other machines - guess that's why it's just a proof-of-concept rather than an active, in-the-wild one.

    The Windows email virii have spread by being written in languages - Javascript and VBS - which are platform-independent, to get the maximum possible coverage. It's interesting that this one has managed to bust its way in by going completely in the other direction - making itself specific enough to the platform that it can work its way in. This is a real "back to basics" approach to virus-writing which hasn't been around since the early days of floppy disks.

    Grab.
  • I've been running pretty successfully as a Power User on NT4/5 for a number of years now.

    Big hint: use the RUNAS command (shift-rightclick), and NT4 had a similar facility on the resource kit cd. This will work for every thing but explorer.exe

    Really, the medium-privledge Power User login is pretty useful. You can stop-start services (such as mySQL). You can install programs that were designed for W2K into your personal space. There's also some privledge-escalation bugs, so I'd love to run as a plain ol' User, but certain software (ahhm - Netscape) doesn't like those file permissions.
  • Depends. AMD and Intel were identical up to the 486, but Intel added extra commands to the Pentium. So it depends if the beasty only uses x86 code or whether it uses any Pentium-specific extensions. IIRC the Pentium-specific stuff was all about throwing data around quickly so I doubt those extensions would be relevant to a virus - in which case AMD would be vulnerable.

    But it definitely won't corrupt files on your Sun, PowerPC, Mac or Amiga. Might crash it though - the code wouldn't make much sense on those platforms, which might have some odd effects.

    Grab.
  • Normally I don't reply to my threats I start myself but:
    This is exactly one of the reasons why package installers can be quite usefull. As long as a checksum can be download from a "trusted" site, the checksum from the tarballs can be compared with it, making this source trusted. As far as I know the BSD ports collection does this, and so does Debian.
  • --
    I'm a signature virus. Please put me in your .signature to help me spread.
  • by roguerez ( 319598 ) on Wednesday March 28, 2001 @06:37AM (#334601) Homepage
    Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm?

    What are you talking about? How do you know whether I check it or not? In fact, I run exclusively code I've compiled myself, after having read the complete code to check for security reasons.

    This has saved me a lot of trouble. On the other hand it takes some time. Since I'm very strict in this thing, I only run a very dumbed down version of MINIX of which I had to study the code for my operating system classes. I hardly uses any utilities (http, smtp, news: everything can be done just fine directly over telnet).

    I am preparing to run X and KDE in the future. I estimate I'll be ready in 5 years to start compiling the code. I can hardly wait..

  • Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.

    This is one thing that I think is really cool about Mandrake 7.2 (a distro intended for a somewhat less tech savvy group). It is one of the few installs that I've seen that sets up additional users before finishing the install process and has the option of directly logging in a selected non-root user upon reboot directly into their window manager of choice.

    Obviously, thre is some security risk associated with havine the computer login for you, but it's a physical security problem and most home users probably aren't all that worried about physical security of their machines. Frankly, if someone I don't trust got into my house while I wasn't there I've got bigger problems than having them access my mp3 stash without a password.
    _____________

  • Unlike Windows and Linux, we have more than one Word Processor worth using.

    What? Linux only has one word processor? Lets see there is the word processor that comes with Applixware, StarOffice, WordPerfect, Abiword and maybe some others I don't know about. You talk as though MS Word was available for Linux.

    As for MacOS X being vunderable to virii, it has been out for over 8 months

    The previous posters point was 2 fold. First the system with the larger installed base will tend to have more virus writers focused on it. It may have been out for 8 months but only in Beta. It hasn't been officially released. Most using it are professional programmers and people just trying it out. That is not enough to attract the attention of virus writers.

    If MacOS X is so completely unimmune from viruses, lets see how many show up in the next year compared to Linux or Windows.

    Well I haven't seen a virus worth talking about on Linux. Ever. The virus can only do real damage if the user was running as root or if it takes advantage of a security hole but you can bet that the security hole would be fixed making that virus worthless. Windows will always have viri. You can bet on it. Linux might end up with some viri written for it that affect stupid users but the only reason why Linux would have a virus written for it before the Mac would be because it would have a larger installed base. If MacOS X does achieve success then you could be unpleasantly surprised.

    You waste your time, with the x86

    Who said Linux only ran on x86?
    Molog

    So Linus, what are we doing tonight?

  • This could infect users on linux systems but shouldn't affect the system itself.

    I share my home directory across the network to my windows machine, which would allow my windows machine to infect my user account on the linux box. However, it wouldn't affect other users of the system unless I had write access to their files.
  • It would be very annoying, but not as annoying as having to completely reinstall the OS and all the software after a virus hoses some vital DLLs
  • The more dangerous one would be if you were logged in as root with your windows drives mounted.

    Why root? On an "everyday" system that has a lot of data crossing between Windows and Linux, it makes sense to give your regular user account read/write access to at least one Windows partition (as opposed to having to su to root every single time you want to copy a file). Out of convenience/laziness/whatever, this'll usually wind up resulting in read/write access to all the Windows partitions.

    Ideally, I'd be able to specify read/write access to data and read-only access to the directories with program files. But between the fact that it's a VFAT partition and the fact that Windows likes to mix data, programs, and all sorts of other crap together, the grief would easily exceed the value.

  • According to the Wired article [wired.com],
    In a rather twisted mockery of open source spirit, the original virus code is then stored at the end of the ELF executable.

    Of course, the next question is whether a virus could fall under the GPL. According to the GPL [gnu.org] , it seems to only miss -one- detail:

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
    1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    Since the virus comes with its own source code, and it includes its copyright notice, and it has a notice that refers to the GPL license... I'd say it comes very close to fulfilling the GPL. If it contained a copy of the GPL as part of its payload, in my opinion, it would fully be part of the GPL.

  • Fair enough, but this has nothing to do with the original claim that Linux files could be infected by running this program in Windows. They can't.

    This isn't true. Lunux files can be infected from windows, if you load a utility which allows you access to the extended 2 filesystem. And yes, there are such utilities available for windows.

    If the files can be accessed, they can be modified, which means they can be infected. If you reread my original post you will notice that I refer to exactly such a utility (though the precise name escapes me ... its been over a year since I've messed around with it).
  • Actually it is possible to be quite tricky if you write in machine code. Here is what you do assuming we are using 68K and X86 code for this example.

    At the start of the program in 68K code you write a jump that goes to the 68K executable part of the program. But by choosing just the right machine code instructions a X86 CPU will skip your 68K code and then go onto a X86 executable and walluh you have a cross CPU virus loader. I did concept work on this once and it does work but I don't remeber it anymore and don't ask.
  • This issue has worried me from some time.

    One plus is that at least a certain percentage of us examine the source some of the programs we download, and hopefully in time any worms or trojans will be found out before they get too far.

    You do have one major advantage in building from source...your risk is lowered to include only intentional infections, and not accidental infections (which is the way most non-outlook viruses spread). The only virus I ever had on my DOS systems came from a sealed factory disk that was infected before the duplication master was made. That is where the risk comes in.

    This is a major complaint of mine with the .RPM-type binary packages. And it is unfortunate that the same people who are least familiar with Unix tend to run Red Hat (and always as root).

  • That is an old back door created by Ken Thompson. He disclosed it at the 1983 Turing Award lecture at ACM. http://www.tuxedo.org/~esr/jargon/html/entry/back- door.html [tuxedo.org] has details.

  • > Does this mean that if I infect someone with the virus (deliberatly), I must give them the source, on request? (Answear: Yes)

    I make sure all my viruses write their source to each partition after deleting everything else there. Wouldn't want to get in trouble for a license violation.

    --
  • As far as anyone can tell, this code does not propagate itself over the internet at all. It spreads to other applications on the same machine.

    Err, last I checked, that pretty much made it a virus. Check out the alt.comp.virus FAQ [landfield.com], specifically question 3. This code hits all of the criteria. It's worth pointing out that merely infecting applications on the same machine is how a lot of older viruses (before the Windows-based email worms became popular) spread themselves. This is, more or less, one of the "classic" virus types.

    Furthermore, while I don't disagree that the built-in security of Unix greatly restricts the flow of viruses, a cross-platform virus could wreak some serious havoc. A quick "find ~ -name \*.exe -print | wc -l" indicates that I've got 42 DOS executables sitting in my home directory. Some of these are for DOSemu, some are old files that'll never get run again (leftover CGIs from when work's website was NT-based), and a few sets of drivers that I downloaded for machines I was fiddling with. While I probably don't have anything to worry about in this case, it's not that hard to abstract it out to a case where it would spread.

    Finally, even if the virus completely failed to spread on any and every Linux platform (which, IMO, is overly optimistic), its behavior on Windows would still classify it as a virus.

  • Redistribution is one legal issue with this, but hardly the only one. You can't redistribute the binary version of GPL code linked to non-free code.

    so, then what's linking? does inserting the virus into the binary file count as linking it? if so, you can't give anyone your newly-infected program that's binary-redistributable. it's linked to GPL code and doing so would violate the license on the virus.

    honestly, is there any point at all to even having a license on a virus? especially the GPL, which has all sorts of bizarre legal quirks that merely propogating the virus would violate.

    on top of all of that, we need to think of the effects of this on the legal standing of the GPL. this can only serve to disredit it, for several reasons. first, it's a virus. almost nobody respects virus authors, and especially not non-technical judges and juries. this gives the GPL a sort of guilt by association for some people. second, there's no way the author could have possibly expected anybody to obey the terms of the GPL in redistibuting the virus. in essence, it's meaningless. that intended meaninglesness also detracts from the credibility of the GPL, at least in this instance.

  • Good point. I was refering mainly to the 9x branch, sorry for not making the distinction. Although with stuff like macro viri hitting Outlook it is easier for propagation on an NT system.
    Molog

    So Linus, what are we doing tonight?

  • Running as root is entirely unnecessary if you change permissions on your system properly. Add write access to members of the root group to directories, etc. and add your user account to that group. You can give yourself write access to /usr/local/* and then install all the software you want as yourself, etc. without the ability to trash your system with an rm -rf /
  • Dual-booting is the first thing that came to mind reading the editorial comment (could Slashdot editors do less of that -- they're often less than intelligent comments).

    If you dual-boot and mount your fat partitions from within Linux, it would infect your executables there.
  • From readme file:
    Ext2 0.04 for NT4 read-write

    Primary site: http://www.chat.ru/~ashedel [www.chat.ru]

    (Link added)

    Tell me what makes you so afraid
    Of all those people you say you hate

  • There is at least one utility I know of which allows read/write access to ext2 filesystems from within windows. My point stands ... any security you think you may have gained by running Linux or FreeBSD is completely circumvented the moment you boot windows, whether the offending program makes use of an ext2 tool under windows to infect Linux files (for example) or simply trashes the Linux partition.

    Either way your secure operating system has been successfully attacked, and the attack vector which bypasses said security is in fact running an insecure operating system via dual boot on the same hardware.

    As an unrelated aside (unrelated to your post, that is), I find it interesting that someone moderated my post down as "flaimbait" for pointing out a well documented security risk. Looks like some MS minions are excersizing their moderator priveleges today.
  • Last time I checked, none of the Windows/Linux native filesystems support Fat binaries, neither of the OSs support anything like packages (ie, OS X style), in fact I can think of NO WAY for a single file to have two exectables (one for Windows and one for Linux) on either of these OSs. Therefore this can't be a binary.

    Since the scripting languages for each OS are totally different (with the exception of software that supports Javascript and other web compliant software) from one another (perl,awk,sed,bash, vs. AcitiveX and its sister "technologies"), I can think of no way that a script can infect both systems, especially since it infects other files "in the same folder".

    This just looks like one big prank leading up to April Fools, people. Has anyone even heard of this company?

  • It most certainly is a virus. The traditional virus is always spread by human action. The 'viral 'nature involves attaching itself to executables so that when the executable is run, the virus then replacates to other executables. Later virii had memory-resident portions and such.

    Something that moves from computer to computer on a network is a worm.

    Something that spreads from executable to executable, using the executable as a primary launch mechanism is a virus.

  • Actually, Samba does an excellent job of making ext2 partitions available to Windows. In fact, that is it's primary purpose. I myself became quite familiar with it when one of our uses ran the Plan Columbia VB worm on their Win98 desktop and promptly nuked every JPEG file on our Solaris web server.

    True, only a moron would let Samba users mount /bin or something equally sensitive. But, don't pretend that Windows machines having access to file on a Linux system is anything but a common occurance. It would be quite easy to, for example, infect any files in your ~/bin/ directory via a Samba mount.
  • This all reeks of a publicity stunt or something. First off, the avx page has little to no information about how the virus is spread in Linux, yet gives specific api's for windows. Also, the fix is windows-only. Then, there's a fix at avx last night, when the story breaks. By this morning, CERT and McAfee have still not heard of the virus. Although benny/29A seems to exists, the needle of my bullshit meter is rising upwards.

  • If was moderating I would.
  • Ok I'm going to feed the troll.
    So you read all the code and compile it for security. And then you run telnet on the machine? LOL that was very funny.
  • Matter of convenience. Don't like typing root's password all the time.
  • But you see I DON'T CARE. I have no believe whatsoever that anyone would ever hack my machine (this is not security through obscurity -- it's security through practical knowledge). It is not hooked into the internet at all. I use it only as a development system.
  • Once again, I DON'T CARE. And I'm already using Outlook on the Windows side which -- surprise, surprise -- can be made more secure by turning off some features. Similar to the features you "turn off" when you run as a normal user.

    As I said, the system's not on the net. I have no personal data on it. It's a development system, and for that reason I could care less about running as a "regular user".

  • ...you run a backup...

    Worldcom [worldcom.com] - Generation Duh!
  • Although there have not been much lately, I seem to recall the whole publicity about "Viruses" started with Macintosh ones.

    In the original Mac system, due to the very structured executable file format (ie the resource fork) it was trivial to write a virus that infected *any* executable, and perhaps many documents, since you just had to add something to the resources. At the same time DOS (and I think the Unix a.out format) made it a lot more difficult because you had to modify the file so that the code at least jumped to the virus.

    This was also combined with the Mac's encouragement for people to mail floppys with stored files and programs around (these virii were transmitted by mail, mostly!)

    I'm not sure if the Macintosh system has been fixed, or it is just that it is even easier to write Word virii, but there have been far fewer of these lately. But they were the first well-known ones.

  • You were posting threats? Isn't that illegal? :)

    What's a trusted site? microsoft.net? :) Can you trust *any* site on the open Internet?

    While perhaps all virus writers aren't that sophisticated, that doesn't mean that aren't any that *are*. :)

  • I'm not talking about hacking. I didn't mention people hacking into your system. I was talking about you not doing something stupid to your own computer because you decided to establish good rules for your user account to prevent idiocy. If you're perfect, feel free to ignore this conventional wisdom. If you're human, like me, you'll find that not being able to run "rm -rf .*" a blessing when you do something like that by accident.
  • I don't think you understand. Those of us with correctly set security settings on our machines don't _need_ to type root's password to do our day to day work. I don't need a root password to install or remove software from my computer. I don't need root's password to burn CDs or to rip MP3s or watch video full screen. I don't need root access to do almost anything on my computer. I therefore am not in the (bad) habit of logging in as root on any computer. If its something I need to log in as root to do, the amount of time it takes me to type in the root password (which is probably my password if the computer is as insecure as you describe) is time spent deciding if its something I should be doing that way.

    You've described laziness, not convenience. You may be happy with that, but there are alternatives that require very little more thought or effort.
  • Yes, Unux permission stop an ordinary user from inmfecting other users on the system, and destroying the OS and other sopftware on the machine. Destroying the machine is one of the least damagiing things a virus can do. What's would be worse would be killing all the documents on your home directory, the files which *can't* be replaced off your OS CDs with a simple reinstall. There's absolutely nothing which would stop a virus which says `cool screensaver for Linux (or Unixlike systems)' - download me to your home dir and install me for a single user! going around the net and doing said cool thing for a short amount of time before writing some of /dev/urandom to all the files in your home dir. And, for that matter, any SetGiD directories you're sharing with other users. You *can* reinstall postfix if a virus (which ran as root) wiped it. You CAN'T reinstall your thesis if a virus which ran as a USER wipes it.
  • [Bah Submit as HTML button]

    Yes, Unix permission stop an ordinary user from infecting other users on the system, and destroying the OS and other sopftware on the machine. Destroying the machine is one of the least damagiing things a virus can do.

    What's would be worse would be killing all the documents on your home directory, the files which *can't* be replaced off your OS CDs with a simple reinstall. There's absolutely nothing which would stop a virus which says `cool screensaver for Linux (or Unixlike systems)' - download me to your home dir and install me for a single user! going around the net and doing said cool thing for a short amount of time before writing some of /dev/urandom to all the files in your home dir.

    And, for that matter, any SetGiD directories you're sharing with other users.

    You *can* reinstall postfix if a virus (which needs to run as root to destroy it) wiped it. You CAN'T reinstall your thesis if a virus (which merely needs to run as a USER) wipes it.

    And trust me, from the ignorance of the above I've seen in all the posts here, your thesis *will* be wiped.
  • The average Mac user double clicks on both applications and documents indiscriminately. That makes passing Trojans on the Mac a cinch. Just give an executable a Microsoft Word icon, or a QuickTime icon or whatever, and then mail it, encoded with MacBinary.

    If I wanted to write an Internet worm that affected the Mac, that would be easy too. I'd probably write it in AppleScript.

    It's been so long since Mac users really had to worry about viruses that most of them are complacent. Complacency does not equal security.

    BTW, please don't do the things I've described. As someone who's written a couple of viruses in my day (yes, I was even lame enough to use the non-word "virii"), viruses are trivial examples of programming that are annoying and a pain in the ass. There are countless better ways to demonstrate your superiority over other people than to waste everyone's time by writing viruses.

    Want to show off your programming skills? Write a word processor that's competitive with MS Word, so the world doesn't need to worry about macro viruses anymore. Writing applications is difficult, challenging, and time consuming. Writing 2K worth of virus code doesn't impress me.

    --
  • Knowing they exist and having to deal with them are two different deals. You assume every Mac user uses Word.

    Huh? When did I say that? I'm a long time Mac user, and I religiously avoid installing MS software on my home machine. I still use Appleworks (once Clarisworks) for the simple papers I have to write.

    As for MacOS X being vunderable to virii, it has been out for over 8 months (Public Beta - 1.5 years if you count MacOS X Server) and not one virus has shown up. Since normal usage of X prevents root access, viruses are going to be difficult to write.

    Oh, wow. 8 months. 8 months of Beta software used only by early adopters. Give it time.

    Having used the Public Beta for quite a while, I disagree with your assertion about root access. Very many system tasks, including installing software for all users to use, involves clicking a little lock icon and giving the software the root password. A trojan posing as a system tool or an installer could very easily get root access from an unsuspecting Mac user. Worse, a virus could hijack a user executed process that provides hooks into root access via a similar method.

    However, few viruses will need to play those kinds of tricks on the user. Root kits are an established problem in the UNIX world. Mac OS X brings a whole new installed base of unsophisticated UNIX admins running the same versions of the web server, FTP server, NFS server, etc. that come with Mac OS X. Just a click of a few button in the system panels, and you can publish a page to the web via your very own web server -- the same web server that is on every other Mac OS X machine. If an exploit is found against that version, it won't be long before a root kit could be made against every Mac OS X machine with their web server turned on. "Hello! You have root!"

    Mac OS X will be a UNIX cracker's dream. Hundreds of thousands of UNIX machines will be on-line with admins who don't know a thing about security. Why should they? The Mac's strength has been keeping that kind of thing out of the user's hair. With an installed base greater than Red Hat and a far less technically sophisticated person, on average, administrating each system, Mac OS X is a much more desireable target than Linux. UNIX worm writers will easily be able to apply their skills to Mac OS X without having the learn the radically different Classic Mac OS or Carbon APIs. Plus they are much easier to remotely administrate/exploit than Classic Mac OS machines. Trust me. UNIX is as much a weakness for the Mac as it is a strength.

    If MacOS X is so completely unimmune from viruses, lets see how many show up in the next year compared to Linux or Windows. I would rather use my computer to make money than fighting viruses. You waste your time, with the x86 -- I need a new pool boy...

    You know, if you'd bothered paying attention, it should've been obvious that I'm a Mac user myself. I'm also somewhat experienced with UNIX, and I think I know a little about the problems that it brings along with its strengths to the Macintosh. The last thing Mac users need is advocates who are insulting to people they think aren't Mac users and who spout dogma that is just plain wrong.

Reality must take precedence over public relations, for Mother Nature cannot be fooled. -- R.P. Feynman

Working...