
Linux.com

Feature: Security

The case of the non-viral virus

By Joe Barr on April 11, 2006 (8:00:00 AM)


Have you heard the "news"? There's a new virus that attacks both Linux and Windows machines. Thus, once and for all, there is an end to the notion that Linux is somehow immune to the viral infections that plague the Windows world. Or at least that is what one anti-virus software vendor would have the world believe.

Of course, there are a few caveats behind the headlines. One minor thing is that the alleged virus -- called Virus.Linux.Bi.a -- being trumpeted far and wide by Kaspersky Lab is not malware found spreading in the wild, but rather "proof of concept" code, written to show that such a virus could be written.

A second caveat is that, for it to do anything on Linux, a user has to download the program and then execute it, and even then it can only "infect" files in the same directory it is run from. The write access it needs is simply the invoking user's: a process runs with the permissions of whoever launched it, so it can modify only files that user could already modify, and a normally configured install does not let an ordinary user overwrite system binaries.

And finally, it's not a virus at all. It can't replicate itself, and self-replication is the defining property of a virus. According to Wikipedia, as stated in the first sentence of the entry for "computer virus," a virus is "a self-replicating/self-reproducing-automation program that spreads by inserting copies of itself into other executable code or documents." The entry goes on to explain why computer viruses have been given that name, saying, "A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an 'infection,' and the infected file (or executable code that is not part of a file) is called a 'host.'"

So the biggest question I had after reading the story in several different places, none of which provided any data beyond blind repetition of the scare headline, was, "Why in the world are they calling this a virus, when one of the few facts they provide shows that it's not?"

Kaspersky Lab has not yet responded to my query about this.

Much smarter folks than I have pointed out that only idiots believe Linux is totally immune from such things. I agree with them. We can never safely assume that Linux is as secure as it can be. But when a Microsoft partner creates a tsunami of headlines with a story about a phony, fabricated "virus," which admittedly is not contagious, and which requires the user to execute it in order for it to do anything at all, I don't call it a virus. I call it BS.


Comments

on The case of the non-viral virus


"virus threat"

Posted by: Anonymous Coward on April 11, 2006 09:47 PM
Proof of concept? Well, if I tell synaptic to remove the kernel, it will ask me if I am sure that I want to hose my system. If I persist, it will indeed "hose my system", and I can then "bellow" that you can crash Linux. Also, it's a "proof of concept" that if you drive your car into a tree at high speed, you "could get hurt & likely killed." I know all of this sounds crazy; you can make anything unsafe if you try. Heck, you can make Windows unsafe just by going online.

#

Drive car into a tree...

Posted by: Anonymous Coward on April 11, 2006 10:49 PM
> Also it's a "proof of concept" that if you drive your car into a tree at high speed; you "could get hurt & likely killed."

That's not such a good analogy. If that tree's in a forest and there's no one there to witness you allegedly driving into the tree, did it really happen? And does it matter?

What if it was your time? Then regardless of whether you allegedly drive into a tree... what if the tree is the same tree that falls in the forest when no one is there to hear it? Then just like this so-called GNU/Linux virus, 1) it doesn't matter, 2) it didn't happen, 3) for everyone not in the forest, life goes on.

#

Re:"virus threat"

Posted by: Anonymous Coward on April 12, 2006 09:13 AM
Everyone but everyone is missing the point... the fundamental benefit of Linux, even if there were a real virus (and not just a concept) for Linux out in the wild, is that Linux is not a monoculture. Diversity is a BENEFIT... there are hundreds of distros of Linux, there is more than one browser in active use, more than one email client in active use, etc. ad infinitum... a virus writer has a MUCH harder job on Linux due to the security design AND the diversity.

#


Reading Comprehension

Posted by: Anonymous Coward on April 11, 2006 09:53 PM
Hello? It can infect files in the same directory! Therefore it meets the definition of replicating. Before WORMS, and whiz-bang complex content email programs, the ONLY way a virus could spread was by infecting files on disks and hoping that those files were moved through human interaction to other machines by way of floppies or file transfer programs. A proof-of-concept virus can BE a virus. Nothing prevents a virus run by a user from modifying files in the user's own directory on a regular Linux machine. If the user has executables stored locally, they can be infected on 99% of the Linux machines out there. Linux may not have significant virus problems now, but that does not mean that it cannot happen. Unintelligent advocacy is worse than no advocacy.

#

Re:Reading Comprehension

Posted by: Joe Barr on April 11, 2006 10:16 PM

Obviously, advocacy is not a prerequisite for stupidity.

Learn what the word "replicate" means. Here is a clue:

2: biology: reproduce or make an exact copy of; "replicate the cell"; "copy the genetic information"

Note that the phony, staged for the tres duh press and the imbeciles who believe it, alleged viral "proof of concept" does not replicate itself.

No replication, no virus.

#

Teapot-Kettle-Black

Posted by: Anonymous Coward on April 11, 2006 11:06 PM
When discussing a "computer virus", there is NO genetic information or a cell to copy. Thus, by your argument, NO computer virus replicates, there are no computer viruses, and the point is moot. Silly.

The low signal-to-noise ratio of your post makes communication impossible. The internet is closed. Go home. (Unless you are joking and you don't want to go home.)

#

Re:Teapot-Kettle-Black

Posted by: Joe Barr on April 11, 2006 11:34 PM

The DNA of a computer virus is made up of the bits that cause it to spread. It is a computer virus specifically because those bits are passed on. Ergo, if they are not passed on, it is not a virus.

As an example, pick any one of the eleventy-billion Windows-specific viruses that spread by attaching themselves to mail sent by Outlook, or to objects retrieved from a website by IE. See them? See them spread themselves? Those are viruses.

The subject of the story, regardless of how badly certain people want us to believe otherwise, is not a virus.

#

Re:Teapot-Kettle-Black

Posted by: Anonymous Coward on April 11, 2006 11:50 PM
Here is the description of the virus itself and how the bits are passed on:

"To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file."

Note the "injects its body into the file" part. This is *classic* virus behavior. Are you saying that Word macro viruses are not viruses because they only infect files of their own type?

I hope that ends your confusion! Doesn't anyone here remember when "Good Times" was a joke?

#
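The Kaspersky description quoted in the comment above (a body injected between the ELF header and the ".text" section, with the entry point redirected) is exactly the condition a simple header check can flag: a legitimate linked executable's entry point normally lies inside .text. The Python below is an added example, not code from the article, the commenter or Kaspersky. It builds a synthetic ELF64 image in memory (constructed test data, not a loadable binary) so the check runs offline; the names build_minimal_elf64, parse_elf64 and check_entry_point are this example's own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
BASE_VADDR = 0x400000          # assumed load address for the synthetic image
SHF_EXECINSTR = 0x4


def build_minimal_elf64(entry, text_off=0x1000, text_size=0x100):
    """Construct a tiny ELF64 image: header, one .text section, a .shstrtab and
    the section header table.  Constructed test data only (no program headers,
    so it is not loadable); 'entry' is the e_entry value the check inspects."""
    shstrtab = b"\0.text\0.shstrtab\0"             # name offsets: .text=1, .shstrtab=7
    shstr_off = text_off + text_size
    shoff = (shstr_off + len(shstrtab) + 7) & ~7    # section headers, 8-byte aligned
    image = bytearray(shoff + 3 * 64)

    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, little-endian
    image[0:64] = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,          # e_type ET_EXEC, e_machine x86-64, e_version
        entry,               # e_entry
        0, shoff, 0,         # e_phoff (none), e_shoff, e_flags
        64, 56, 0,           # e_ehsize, e_phentsize, e_phnum
        64, 3, 2)            # e_shentsize, e_shnum, e_shstrndx
    image[text_off:text_off + text_size] = b"\xc3" * text_size   # filler 'ret' bytes
    image[shstr_off:shstr_off + len(shstrtab)] = shstrtab

    def shdr(name, typ, flags, addr, off, size):
        # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size, 0, 0, 1, 0)

    image[shoff:shoff + 3 * 64] = b"".join((
        shdr(0, 0, 0, 0, 0, 0),                                              # SHT_NULL
        shdr(1, 1, 0x2 | SHF_EXECINSTR, BASE_VADDR + text_off, text_off, text_size),  # .text
        shdr(7, 3, 0, 0, shstr_off, len(shstrtab)),                          # .shstrtab
    ))
    return bytes(image)


def parse_elf64(data):
    """Return (e_entry, [(name, flags, vaddr, size), ...]) for a little-endian ELF64."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    entry = struct.unpack_from("<Q", data, 24)[0]
    shoff = struct.unpack_from("<Q", data, 40)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 58)
    raw = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
           for i in range(shnum)]
    str_off = raw[shstrndx][4]                     # file offset of .shstrtab

    def name_at(idx):
        end = data.index(b"\0", str_off + idx)
        return data[str_off + idx:end].decode()

    return entry, [(name_at(s[0]), s[2], s[3], s[5]) for s in raw]


def check_entry_point(data):
    """Return (ok, reason).  ok is False when e_entry lies outside .text, which is
    what header-to-.text injection with a redirected entry point produces."""
    entry, sections = parse_elf64(data)
    for name, flags, addr, size in sections:
        if name == ".text" and flags & SHF_EXECINSTR:
            if addr <= entry < addr + size:
                return True, "entry 0x%x inside .text" % entry
            return False, "entry 0x%x outside .text [0x%x, 0x%x)" % (entry, addr, addr + size)
    return False, "no executable .text section"


if __name__ == "__main__":
    clean = build_minimal_elf64(entry=BASE_VADDR + 0x1000)          # _start in .text
    tampered = build_minimal_elf64(entry=BASE_VADDR + 0x40)         # right after the header
    print(check_entry_point(clean))
    print(check_entry_point(tampered))
```

The heuristic is deliberately narrow: it says nothing about what the code at the entry point does, and stripped, packed or unusually linked binaries can place a legitimate entry point outside a section named .text, so treat a miss as something to look at, not as a verdict. A real scanner would pair it with a stored hash of the .text bytes and a comparison against the distribution's package database.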

Re:Teapot-Kettle-Black

Posted by: Joe Barr on April 12, 2006 01:16 AM

Read further. What is injected is a one-line text message, not the virus itself.

Do you understand the difference that makes? It's sort of key to understanding the story, and viruses.

#

Re:Reading Comprehension

Posted by: Anonymous Coward on April 11, 2006 10:16 PM
A Linux "virus" must be run with root privileges to be a real danger to the system. Otherwise, it can only destroy directories and data which are writable for the user executing this thing. If _any_ user has the idea to download some crap, make it chmod 755 and then ./ it, well, he can also do a rm -rf ~/* ! Not my problem! He'll do this only once...

#

Re:Reading Comprehension

Posted by: Anonymous Coward on April 12, 2006 01:01 AM
The reason for the system's existence *IS* the user. If a Linux or MS Windows machine cannot protect a user's files from the outside world, then it is useless as a desktop operating system. Browsers suck at security, email apps suck at security. It isn't the user's fault.

#

Re:Reading Comprehension

Posted by: Anonymous Coward on April 12, 2006 06:15 AM
As I understand it, the file only infects executables in ELF format in the same directory as the "virus". Any normally configured Linux install will /not/ have crucial executables writable by a normal user. The only executables a user should have write access to are self-made programs. If these get infected, it's nothing more than an annoyance; the user probably still has the source and just has to recompile.

Of course, eventually there'll be something that writes to non-executable files. However, these probably won't have the executable bit set. Thus, it is not a virus and [insert correct term for malware that doesn't replicate but makes trouble nonetheless].

#
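The comment above turns on which executables an ordinary user can actually write to, because that is the whole infection surface of a file infector running as that user. The Python below is an added example, not code from the article or any commenter: it audits a PATH-style string for directories and executables the current user could modify, judging by mode bits alone (an approximation that ignores POSIX ACLs, root's override, immutable attributes and noexec mounts), and demo() builds a constructed directory tree so it runs offline. The function names are this example's own.

```python
import os
import shutil
import stat
import tempfile


def mode_writable(st, uid=None, gids=None):
    """Decide write access from the classic owner/group/other mode bits.
    Approximation: ignores ACLs, root's bypass of mode bits, immutable
    attributes and read-only or noexec mounts."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_path(path_value, uid=None, gids=None):
    """Walk each directory in a PATH-style string and return findings as
    ('writable-dir', path) or ('writable-exe', path): places where code running
    as this user could plant or overwrite something that later gets executed."""
    findings = []
    for d in path_value.split(os.pathsep):
        if not d or not os.path.isdir(d):
            continue
        if mode_writable(os.stat(d), uid, gids):
            findings.append(("writable-dir", d))
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)                  # lstat: symlinks are skipped below
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if executable and mode_writable(st, uid, gids):
                findings.append(("writable-exe", p))
    return findings


def demo():
    """Constructed PATH with one locked-down directory and one user-owned
    'home bin'; returns findings with the temporary prefix stripped."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    locked = os.path.join(root, "locked-bin")
    mine = os.path.join(root, "home-bin")
    try:
        os.mkdir(locked)
        os.mkdir(mine)
        for d, name, mode in ((locked, "safe", 0o555),
                              (mine, "mine", 0o755),
                              (mine, "ro", 0o555)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\nexit 0\n")   # constructed stand-in for a binary
            os.chmod(p, mode)
        os.chmod(locked, 0o555)                    # like /usr/bin: not writable by the user
        os.chmod(mine, 0o755)                      # like ~/bin: owner can write
        findings = audit_path(os.pathsep.join([locked, mine]))
        return [(kind, os.path.relpath(p, root)) for kind, p in findings]
    finally:
        os.chmod(locked, 0o755)                    # so rmtree can clean up
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    print(audit_path(os.environ.get("PATH", "")))  # the real thing, for this user
```

Run it as the user you care about: the list it prints is where a file infector executed by that user could persist, and an empty list for a system PATH, together with a home directory mounted noexec, is what the "normally configured install" in the comment above amounts to.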

Re:Reading Comprehension

Posted by: Anonymous Coward on April 12, 2006 01:58 PM
Users on systems they do not administer themselves frequently install apps in their home directories because it is their only option. These could be open source or even commercial. Thus their apps can be infected. If they allow other users to run their apps, there is the potential for cross-user infection. Think about large corporate systems with NFS /homes. I was just making the case that this *is* a virus, though, not that it is a very effective one.

Once *any* malicious executable code is allowed to run on a Linux or MS box in a user account, that user account is essentially "owned". That account can't be trusted because the OS gives full user privileges to every process run by that user. A virus could easily uuencode a copy of itself inside your .bashrc, and be ready to pop out even after you deleted and reinstalled all your home-based executables.

#

Did you RTFA? (NT)

Posted by: Anonymous Coward on April 11, 2006 10:18 PM
nt

#

Unintelligent criticism is worse than no criticism

Posted by: Anonymous Coward on April 11, 2006 10:19 PM
When a user downloads the "virus", inserts it into a directory with files in it, and executes it, it may infect files. Hmmm. I come over to your house, where you are asleep, having taken sleeping pills, I place a pistol in your hand, insert your finger into the trigger guard, and pull your finger back, BANG!, your partner is dead. You're a murderer? No.

Those virii on floppies, before worms, spread sporadically through social mechanisms and laziness on the part of users; i.e., sharing programs on floppies, and not removing floppies from the system, or setting the bios to skip the floppy boot. Virii did not generate the motive force that caused them to move, rather they hitchhiked with something else that moved around. The motive force that is going to cause a proof of concept virus to move is downloading for curiosity's sake.

Unless it has some ability that makes its transmission difficult to PREVENT, it is not actually infectious. I might be able to give you cancer with a properly executed medical procedure, but I can't give you cancer with even the most intimate physical contact, therefore cancer is not infectious.

Geek Unorthodox

PS Don't read too much into the cancer thing. It is an *analogy*, and therefore not identical in all aspects to the subject I am attempting to explain.

#

Re:Unintelligent criticism is worse than no critic

Posted by: Anonymous Coward on April 11, 2006 10:56 PM
Any readers of this post who think there are no mechanisms by which a linux executable might be triggered by clicking on a link and having code be executed are obviously not looking at the *daily* security alerts regarding common Linux applications. Human beings apparently can't write code that is simultaneously complex and secure. It doesn't matter if it is open source or not.

Protecting the *system* is pointless if what you are trying to protect is USER DATA, either from theft, deletion, or corruption. Root by itself is just an easy path to other user accounts. If the accounts can be compromised, then root protects almost nothing of value.

Users on systems they do not administer themselves frequently install apps in their home directories because it is their only option. These could be open source or even commercial. Thus their apps can be infected. If they allow other users to run their apps, there is the potential for cross-user infection. Once the administrator's non-root account is taken, all bets are off. They frequently leave their non-root executables in their path because they are useful. Even if users do not have executables, the ability of a virus to modify things like .bashrc allows a virus to do virtually *anything*, including leaving back-door insecurities to allow later access when some later local suid-root exploit is discovered.

Viruses, not worms, require that humans activate them to give them the ability to replicate. This could be through an exploit of a bug in your browser, or simply running a normal executable which is infected. If that infected executable has the ability to infect other executables, it is a virus.

I'm not saying Windows is any better, but a well-administered Windows box is more likely secure than a Linux box *administered* (not just installed) by someone who doesn't know how to program in C and bash.

Linux zealots are worse than FUD. They make real Linux advocates want to WRITE Linux viruses. If you aren't knowledgeable enough to write a Linux virus, you should refrain from making statements about how it is impossible for one to exist. :^P

#

Blah, blah. I remember Red Lion.

Posted by: Anonymous Coward on April 12, 2006 12:50 AM
Linux virii *do* exist, though I said nothing about that subject. I said that this thing is as much a virus as a bicycle is a Formula One car. One point, or even a couple of points, of similarity is insufficient. Either you do all of the things that define a virus, and do them, or more to the point, *have* done them, in the real world, or it is just a paper tiger.

And, yes, on your *completely* separate point that you tried to disguise as the same, system security on Linux needs to be properly administered, or it is worthless. It *is* arcane, and difficult, but Windows security so far is just a facade. If you can go from executing code as a user to executing code as a system process, Windows is toast. This process is easy and quick on Windows, which is why every time a new version comes out, it falls victim to the same class of tweaked exploits as the last.

And as far as zealotry, or what erroneous conclusions someone might jump to based upon my post, that flaw lies entirely in the mind of the reader that does so. It in no way changes the validity (full, none, or somewhere in between) of my statements, just because I didn't preface them with the history of the computer virus, with a computer security primer thrown in as an appendix.

So, there.

Geek Unorthodox

#

Re:Blah, blah. I remember Red Lion.

Posted by: Anonymous Coward on April 12, 2006 01:15 AM
"Either you do all of the things that define a virus, and do them, or more to the point, *have* done them, in the real world, or it is a just a paper tiger."

According to the description of the code, it *is* a virus. If placed in my nfs-shared home based ~/bin directory and used by other users it would infect *their* files. The definition of a virus does not include a requirement that it be released, universally effective, seen in the wild, be successful, be destructive, etc.

Security on a Linux system is not *fundamentally* better than Windows, from a single user's point of view. If I can get code, ANY code, to run as you through any exploit whatsoever, your account is mine, period. Linux and MS Windows do nothing to prevent this. Both have extremely complex and buggy email and web applications. SELinux may be configurable enough to prevent this, but the complexity makes it unusable for the average user. If MS wanted to pay programmers to destroy the "myth" of Linux invulnerability to viruses, I'm certain they easily could.

#

Re:Blah, blah. I remember Red Lion.

Posted by: Anonymous Coward on April 22, 2006 01:21 AM
"If MS wanted to pay programmers to destroy the "myth" of Linux invulnerability to viruses, I'm certain they easily could."

It's a good thing MS doesn't have the money or the motive to do this type of thing since it could be so easily accomplished.

#

Re:Unintelligent criticism is worse than no critic

Posted by: Anonymous Coward on April 13, 2006 07:01 AM
Come on, idiot.
I've seen the same post in two places.
You wrote "I'm not saying windows is any better, but a well administered Windows box is more likely secure than a Linux box *adminstered*"
You must be kidding.
Are you just another stupid micro$oftie?

#


Re:Reading Comprehension

Posted by: Anonymous Coward on April 13, 2006 07:51 AM
Easily fixed by mounting /home as a non-executable filesystem. Likewise, my executable files and important settings are on a read-only filesystem. As easy as adding a couple of words to a text file in Linux. Can Windows do that? That's not even counting the various ACL abilities Linux has, which are powerful but a bit more complex to administer.

#

Re:Reading Comprehension

Posted by: Anonymous Coward on April 13, 2006 09:54 AM
Even if you cripple your Linux box for power users AND users who need commercial apps in their home directories, there are still a zillion holes. A virus can modify scripts like .bashrc which are not executables. Scripts can create executables from data embedded inside them. Why not redirect the browser home page to run a Java program? How about making a shell alias for 'ls' that netcats your .gaimrc file to a remote machine?

All the desktop OSes suck. Deal with it. I like Linux better than Windows because it is open. It may have far fewer viruses now, but it isn't due to an inherently better design.

(Windows has ACLs, and I think it has had them longer than most Linux distros. Again, it is a config nightmare for users.)

#

Re:Reading Comprehension

Posted by: Anonymous Coward on April 13, 2006 02:18 PM
Come on, Microsoftie moron, go home.
You don't understand the Linux security model.
Let me tell you: any file you download from the internet on a Linux box doesn't have the executable bit set, so the only way to run that file is to explicitly set (by user action) the executable bit of the file. And more: if you want to install any software as a user, you can verify the authenticity of the file with an md5 hash; it's a normal procedure.
Window$ is a security nightmare with all the viruses, trojans and malware running at all system levels.

#

you are SO wrong!

Posted by: Anonymous Coward on April 13, 2006 08:57 PM
> Nothing prevents a virus run by a user from modifying files in the user's own directory on a regular Linux machine. If the user has executables stored locally they can be infected on 99% of the Linux machines out there.

1) You can bet that among GNU/Linux users 99.9999% would never put executables in /home. There are other directories for that.

2) In fact, a downloaded virus would not necessarily come with the executable bit set.

3) Even in /home you can restrict the rights on your files.

All this is to say that on a normally configured machine, even getting your 'virus' into /home would not have much of an impact, if any.

#

well done Joe!

Posted by: Anonymous Coward on April 11, 2006 10:03 PM
Very good points. I also got really angry when I read the details about this "virus". You might as well distribute a text file with instructions to wipe all hard drives.

Although this is absolutely not a virus, it is a proof of concept. It proves that, so far at least, it is almost impossible to write a real virus for GNU/Linux.

#

Re:well done Joe!

Posted by: Anonymous Coward on April 13, 2006 07:40 PM
It's been done. I was emailed an "Honour Virus" years ago, which asked me to delete a few random OS files. Fortunately I was running an honour-based anti-virus system at the time.

#


Thou hast just received the Amish Virus

Posted by: Anonymous Coward on April 11, 2006 10:32 PM
As we haveth no technology nor programming experience, this virus worketh on the honour system. Please delete all the files from thy hard drive and manually forward this virus to all on thy mailing list.
We thank thee for thy cooperation.

— The Amish Computer Engineering Dept. ... Linux users will have to switch to root by entering thy root password.

#


Big Difference Between Linux and Windows

Posted by: Anonymous Coward on April 11, 2006 11:04 PM
There is a big difference between Linux/other open source OSes and Windows with respect to viruses (i.e., non-worms: programs that spread because you execute a program containing them), and that is that under Linux and friends there is almost zero reason to run some random executable that is floating around on the internet.

I get pretty much any utility at all I want straight from the source, complete with all the code. It is either an apt-get of a signed binary package or a compilation from the original source (although the last time I had to do that was years ago). Seriously, when was the last time any of you running Linux or friends ran a questionable executable on your machine?

Now how about on Windows? Was that closed-source freeware zip program obtained off of some unknown mirror last month just a zip program? How about that SSH client? Or those cool screensavers?

'nough said!

#

Re:Big Difference Between Linux and Windows

Posted by: Anonymous Coward on April 11, 2006 11:45 PM
Yeah, I imagine a "linux virus" readme file:

- To be able to infect your computer with this virus, go to the virus' folder and type: ./configure

then

make

and finally make install (get root permissions first)

#

Re:Big Difference Between Linux and Windows

Posted by: Anonymous Coward on April 11, 2006 11:50 PM
>
> I get pretty much any utility at all I want
> straight from the source, complete with all the
> code). It is either an apt-get of a signed binary
> package or a compilation from the original source
> (although last time I had to do that was years
> ago). Seriously, when was the last time any of
> you running Linux or friends ran a questionable
> executable on your machine?
>

Some random thoughts:

1) Do you read and perfectly understand the source code of each program you install?

2) If you don't (you would be a big liar to say you do ^_^"), are there really other people reading and perfectly understanding the source code, and reporting problems, of each program you install? (and if they report something, will you be aware of this report?)

3) What if you are using binary packages? (and you said you are). Signed packages mean nothing if the individual signing the package is evil... (or if the original source is infected and no one noticed).

The risk is not that much lower on Linux than on Windows... Having the source code available does not mean much if there's no one of trust (already a problem ^_^") reading the whole source code of each released tarball... (yeah, not just tracking the changes... if the CVS or SVN repository is infected, for example, then some changes might not be logged...) and has the power to report the problem for everyone to know...

There is no such thing as security. Never. Nowhere.

#

Re:Big Difference Between Linux and Windows

Posted by: Anonymous Coward on April 12, 2006 12:19 AM
Signing actually does work all right, since he's talking mainly about getting his programs from a repository. This means that each package is signed and must match the repo key (not literally) to be installed.

Code signing with a repo does not mean "it's signed by anyone". Personally, I feel that you can trust the repos as much as you can trust MS to provide you with a safe package. I've seen McAfee automatic updates hose systems before. So far I haven't had a single Linux update hose my system, and there are a lot of them coming out all the time.

#

Synaptic

Posted by: Anonymous Coward on April 12, 2006 12:29 AM
A typical Linux user will get everything they need from their installer, such as synaptic, yast, yum etc. No compiling.

True, an official package could be evil.
This is true of any OS.
Microsoft has been proven to have evil packages (netscapeengineersareweenies etc.).

Open source software DOES have a higher exposure to scrutiny.

#

Re:Big Difference Between Linux and Windows

Posted by: Anonymous Coward on April 12, 2006 02:07 AM
Of course there is no such thing as perfect security. There is such a thing as accountability, though. The things I know about the Debian repository are:

1) The packages are compiled from source on dedicated build machines.
2) The package maintainers are actual known people who have their reputations on the line.
3) The same goes for the original authors and those administering the build boxes.
4) If anything is compromised I'm going to hear about it.

That gives me a heck of a lot better feeling than I get when I'm downloading freeware packages off of a TuCows mirror for my Windows box to fill in all the missing tools (yes, I could purchase everything I need, but at $25 per utility it is not going to be happening).

Hell, due to spy/adware and the inability to completely remove stuff once it is installed in Windows, I even feel better about the Debian repository than I do about commercial offerings.

#

Re:risk

Posted by: Anonymous Coward on April 12, 2006 02:52 AM
I agree that perfect security is unattainable... but you're wrong when you say that "the risk is not that much lower on Linux than on Windows". Risk has to do with the possibility of suffering harm or loss. In other words, we're talking about probabilities. Where are all these Linux virii that might infect my system?

Yes, it's possible to maliciously manipulate source code, but again, can you show me some examples? What is the probability of that occurring to me? Why is it that the tightly controlled MS APIs result in a higher probability of infection? You neglect the fact that Windows is inherently insecure by virtue of its design. To really make Windows secure, you'd have to start from scratch.

#

Re:risk

Posted by: Anonymous Coward on April 12, 2006 09:35 PM
>
> What is the probability of that occurring to me?
>

Probabilities mean nothing. Why would you care about a 99.99999999% probability of not having your computer data exploited/destroyed, if it still happens to you?

#

probabilities and risk

Posted by: Anonymous Coward on April 12, 2006 10:12 PM
> Probabilities mean nothing

http://zapatopi.net/afdb/

#

Re:Big Difference Between Linux and Windows

Posted by: Anonymous Coward on April 12, 2006 12:40 PM
"There is no such thing as security. Never. Nowhere."

Yes, and the truth is out there, Mulder.

Please recall your 1-2-3 random thoughts, and point to the kind of widespread havoc this has wrought.

Press clippings, Please?

#

'nough said! as a sure sign of stupidity

Posted by: Anonymous Coward on April 13, 2006 09:06 PM
In my entire life I have never seen a post ending with the words " 'nough said! " that was not absolutely, totally and comprehensively stupid.

It seems that intellectually challenged posters hope to somehow compensate for their lack of intelligence with this desperate " 'nough said! ".

HEY, NEWSFORGE! How about including an anti-" 'nough said! " filter in your (otherwise useless) lameness filter?

#

Re:'nough said! as a sure sign of stupidity

Posted by: Anonymous Coward on April 14, 2006 02:55 AM
Argumentum ad hominem...

'nough said! : )

#

I don't understand...

Posted by: Anonymous Coward on April 12, 2006 12:35 AM
I don't understand both this article and the original news...

>
> A second caveat is that for it to work on Linux,
> a user has to download the program and then
> execute it, and even then [...]
>

Well, this is how most of today's viruses/worms, spyware and spam work... People open/execute/install whatever is clickable :/

>
> [...] it can only "infect" files in the same
> directory the program is in. Exactly how the
> program gets write permissions
> even in that directory is not explained.
>

If a user downloaded the file into some directory, then this user has write permissions inside this directory... and when it is executed inside the directory, the executable inherits the permissions of the user and has write permissions inside the directory (at the very least; it will have write permissions in every directory for which the user has write permissions).

Are you waiting for another explanation? :/

>
> And finally, it's not a virus at all.
> It can't replicate itself
>

You are criticizing a proof of concept because of a lack of functionality?

It can't replicate itself? It doesn't seem anything special to me... if it can't replicate, let's just add this very basic function to it, and voilà...!

If you have a local SMTP server, configured to allow the user to send mail (shouldn't be a problem ^_^"), then any program executed can send whatever it wants using it.

If you don't have an SMTP server, then let's just create one and bind it on a port >1024...

If there's a problem, then let's just use the SMTP servers used by the user (just search its home directory for common mail clients and parse their configuration...).

You can use the user's contact list just like with Outlook, if your virus supports the user's mail client and knows where the contact list is located...

You can connect to anything the user has the right to connect to, if no password is required (or if the password has been saved).

User FTP account (with write permissions)? Let's just connect and automatically add a link to the virus on every page (again, the password has to be saved).

Shared directories? (between Linux and Windows machines? ^_^") Let's just put the virus there... to get attention, let's remove every other file... anyone executing the virus will suffer the same fate.

Do you need other examples?

This is why I don't understand what the big deal is with "Linux viruses"... Of course, it might be a little harder to get root privileges (but there are lots of possibilities, from local vulnerabilities to keylogging -well, I'm not sure about keylogging without root privileges...), but there's absolutely no problem with replication and damage to personal files... (as said by other people, why would I care about other kinds of files on my system? (of course, with root privileges, you can hide the virus and its actions -like sending spam/viruses, if you don't have external controls/logs-, control all user accounts, etc.)).

Common viruses might be coded for Linux nearly as easily as for Windows. It's just that you will infect far fewer people, because:

- A larger proportion of Linux users are more aware of security issues (but probably not even the majority, as more and more users install Linux).

- There is more diversity, so if you want to read the user's contact list, for example, you'll have to support at least four or five mail clients, instead of just Outlook (well, there's probably as much diversity on Windows, and lots of mail clients work on both systems, but the diversity is more balanced on Linux than on Windows)... so no one cares about coding a virus for Linux (for now)... because viruses, worms, spyware and spam, right now, are about big, big, big money.

#

Re:I don't understand...

Posted by: Joe Barr on April 12, 2006 01:39 AM
>I don't understand both this article and the original news...


I agree with that statement.


>
>> A second caveat is that for it to work on Linux,
>> a user has to download the program and then
>> execute it, and even then [...]
>


>Well, this is how most of today's viruses/worms, spyware and spam work... People open/execute/install whatever is clickable :/


Viruses exist almost exclusively in the Windows world and are spread primarily by insecure apps like Outlook and IE. That's a big reason why Thunderbird and Firefox are so popular _ON WINDOWS_ these days. Sometimes the user has to open a phony attachment, sometimes not. Once in place, the virus proceeds to spread itself to other hosts by attaching itself to outgoing mail or documents or whatever.


>>You are criticizing a proof of concept because of a lack of functionality?


No viral concept has been proved. Both Windows and Linux users can download The Gimp, then execute it and it will be able to modify existing files for which the user has write permissions. By the logic and facts presented in this farcical, inane, deliberately misleading "news" story, The Gimp is a virus as well.


>>Are you waiting for another explication? :/


If you mean would I like more of the same BS you and the folks at the Windows anti-virus firm are serving up, no thanks.


>>You are criticizing a proof of concept because of a lack of functionality?


I am criticizing a proof of concept that claims a viral nature but doesn't possess one. It's bogus. It's a lie. It's BS.


>>It can't replicate itself? It doesn't seem anything special to me... if it can't replicate, let's just add this very basic function to it, and voilà...!


Show us the code. Or are you simply lying? For sure, you don't understand -- or you are pretending not to understand -- what a virus is. When you say "it doesn't seem anything special to me" you are admitting you don't have a clue as to what a virus is.


>>Do you need other examples?


No. I am absolutely convinced of your opening remark. You don't understand viruses or the story.

#

Re:I don't understand...

Posted by: Anonymous Coward on April 13, 2006 07:07 AM
sheesh, friendly crowd here..

#

Re:I don't understand...

Posted by: Anonymous Coward on April 12, 2006 05:59 AM
>Well, this is how most of today's viruses/worms, spyware and spam work... People open/execute/install whatever is clickable :/

Yes, people download everything. But if I download a file on a Unix box (from e.g. a browser or email app) then the file shouldn't be executable. This makes me a lot more confident in handling untrusted files on Unix. Of course that doesn't mean I am not careful, we all should be, but at least it's a difference between executables and other files.

#

Re:I don't understand...

Posted by: Anonymous Coward on April 12, 2006 10:52 AM
The concept being proved seems to be that a single binary can be executed on a Windows machine, and also a Linux machine. This is interesting because heretofore, a binary would be a Windows binary (PE), or a Linux binary (ELF).

Have we seen this concept in a virus yet?
Where exactly would the impetus for this come from, a Win/Mac virus??

On the other topic, is this proof of concept a virus? Obviously not. It does stand to reason, however, that this concept will definitely be appropriated by some enterprising virus author/hacker, and sooner rather than later.

#

Re:I don't understand...

Posted by: Anonymous Coward on April 12, 2006 11:50 AM
> The concept being proved seems to be that a single binary can be executed on a Windows machine, and also a Linux machine. This is interesting because heretofore, a binary would be a Windows binary (PE), or a Linux binary (ELF).

> Have we seen this concept in a virus yet?

Yup. Only a couple of years ago...in another POC, IIRC.

> On the other topic, is this proof of concept a virus? Obviously not. It does stand to reason, however, that this concept will definitely be appropriated by some enterprising virus author/hacker, and sooner rather than later.

Great. More hysteria.
I have no write access to any elf binaries on my system, when operating as a normal user; which I happen to do about 99.999% of the time.

I have yet to see anything approaching a virus/worm/trojan that reaches into kernel space on Linux (so commonplace in the windoze world!); without the user doing something boneheaded--like downloading and executing something as root.

I'd imagine that we'll see something coming down the pike with "./configure; make; make install" instructions...and the world will herald--yet again--the vulnerability of Linux.

#

You are still vulnerable...

Posted by: Anonymous Coward on April 12, 2006 02:17 PM
Scripting is both a blessing and a curse. A virus or exploit can pipe a copy of itself through an ASCII encoder on your system, say uuencode, add a few script decoding instructions and append all that to your .bashrc file. Every time you start a shell (or log in), it can run its code. Your user account is now "owned". Uninstall uuencode you say? It can be done with sed or awk or perl instead. Have no .bashrc? It can install one for you. Make an empty .bashrc in your home owned by root? No good. The virus (as you) can still delete it. (Hint: You have write perms on your home directory.)

Linux users currently do NOT have the same kinds of virus problems that MS users have. The root (system) may be better protected, but root is only a convenient route to multiple users, and it usually protects nothing of real value in and of itself. If the user accounts aren't safe for their intended use, then the OS is a poor desktop OS. I can't really tell you a good one, but Linux users should really refrain from saying their OS is "immune". We have buggy browsers and email apps just like MS users.

Our motto should be, "Linux sucks less than many popular operating systems", rather than, "Linux is virus proof"

#

Re:You are still vulnerable...

Posted by: Anonymous Coward on April 12, 2006 05:24 PM
Let me help you out a little here...your accuracy is a bit fast and loose:

"A virus or exploit can" in theory "pipe a copy of itself...blah blah blah, etc"

You make it sound so very simple to "own" an account with a virus, yet there has yet to be any virus, PoC or otherwise, that does even half of the oh so simple things you explain to us.

Your next paragraph is cute too:
"Linux users currently do NOT have the same kinds of virus problems that MS users have."

Very clever use of the word "currently" to imply that it's only a matter of time before they will have the same problems.

"The root(system) may be better protected, but root is only a convenient route to multiple users, and it usually protects nothing of real value in and of itself."

Also clever: If the enemy (yes, it's clear you're here as an enemy to Linux) has a strength you can't think of a way to refute or match, discount its value.

"If the user accounts aren't safe for their intended use, then the OS is poor desktop OS."

Graceful. It's almost easy to forget that your "proof" of Linux's vulnerability was completely hypothetical and has never been backed up by any code anywhere.

" We have buggy..."
" Our motto should be..."

Wow, this is all spoken by one of our own, someone who claims to be one of the poor endangered Linux users - it must be true then, he wouldn't lie to me! Yeah right. I don't think anyone's buying that one.

""Linux sucks less than many popular operating systems", rather than, "Linux is virus proof""

Straw man. Nobody's claiming Linux is virus proof. All we're doing is pointing out the BS in the latest round of fearmongering.

#

Re:You are still vulnerable...

Posted by: Anonymous Coward on April 13, 2006 10:10 AM
Sigh, I really don't want people like you on my side of an argument...

You are attacking the messenger rather than the message. I *am* the biggest Linux advocate I know, and I have *rational* reasons for using it. (I started with kernel 1.0.13 and Slackware back in the floppy days.) I have written driver kernel modules, and have a "pretty heavy degree". I'm not willing to cut linux or any other OS slack because there ARE weaknesses. God (or Linus) save us from fanboys.

#

Beat you to it.

Posted by: hosiah on April 12, 2006 12:34 PM
http://penguinpetes.com/b2evo/index.php?title=winux_proof_of_concept_meme_infects_onli&more=1&c=1&tb=1&pb=1
I got this clear back on the 8th, same sarcasm and everything. What kept you?

Nevertheless, you'll be credited with providing the "antidote".

#

Re:Beat you to it.

Posted by: Joe Barr on April 12, 2006 02:46 PM
And a fine job you did, too. Don't let up on the bastards. ;)

#

the source code

Posted by: Anonymous Coward on April 12, 2006 09:10 PM
the source code:
http://vx.netlux.org/src.php?info=clt.zip

#

Thanks, it points out where this article is wrong

Posted by: Anonymous Coward on April 13, 2006 12:03 AM
Some things to mention here:

  • the virus fully replicates itself, though without directory crawling (which would be easy to add).

  • it has no worm-like behaviour, i.e. it doesn't connect to vulnerable machines on the net. Again, trivial to add. But mentioned behaviour is not needed for meeting the definition of a virus.

  • so: it definitely is a virus. It can replicate its code into ELF and PE files.

  • stupidity and lack of information in the article & most comments, plus maybe the fact that there are school holidays in numerous countries, made this one of the most shameful reads reg. Linux zealotry ever. The answer to FUD shouldn't be to annoy other people. Read the assembler (if you can) and then come back. I still don't know how this article could ever get published.


Thanks for posting the link, though.

#

Interesting claim, but...

Posted by: Joe Barr on April 13, 2006 03:09 AM

I don't believe it. Would you mind posting the before and after Linux elf samples? I'll bet you a dollar they don't contain the viral code, but rather just a few lines of text, as has been described in multiple places.

#

Re:Interesting claim, but...

Posted by: Anonymous Coward on April 13, 2006 04:21 AM
OK, I'll go into it as it makes a good exercise :-)

1. The most misinterpreted fact seems to be on the two sets of strings. Actually, the README of the virus in spe points to it: there are actually two code "lines" (dunno how to express it better): the virus code itself and a small "injection needle" program (which happens to be a Windows executable in this case, but it's just an initial jump pad).

2. into the code: (short note: I'm only able to access the parts that are linked from the web, not the full tarball. Shouldn't matter.)

  • First, the README should be consulted. It explains what's contained in each of the source files.

  • Just written there: vhost.asm is the code for the "jump pad" executable. This is the code that echoes " VIRUS DROPPER (c) 2006 JPanic" and " VIRUS DROPPER (c) 2006 JPanic", probably using a Windows call to display a dialog box.

  • Interesting is the virus itself.

    • The section in question where it copies its own code into the mmap'ed ELF executable is actually in inf-elf.asm. First, it moves the sections to get some free space for its own code. Then it sets parameters and calls BuildVBody from vmain.asm. This procedure is also used by the windows infection code in inf-pe.asm. BuildVBody just copies the code into the mmap'ed file and sets the flag whether the virus is in an ELF or PE file.

    • vmain.asm contains the strings " (c) 2006 JPanic:", "This is Sepultura signing off...", "This is The Soul Manager saying goodbye...", "Greetz to: Immortal Riot, #RuxCon!". It doesn't echo them at all, as it seems.

    • the virus uses a bunch of other source files, too. They include some OS-specific functions to scan the directory and to mmap files for read/write. Other .asm files just include the data structs for file info and executable formats.




This is all very well described in the Kaspersky weblog: http://www.viruslist.com/en/weblog
That virus code is absolutely typical for its species. It doesn't include malicious code but is a good example of OS-dependent behaviour. It's well written and well documented, too :-)

-hwh

#

Re:Interesting claim, but...

Posted by: Joe Barr on April 13, 2006 05:38 AM

Missing sources...


So we can't even know if it makes properly, let alone do "make samples" to see before and after infected elf files?

#

Re:Interesting claim, but...

Posted by: Anonymous Coward on April 13, 2006 06:14 AM
What's missing is clearly not essential to understand how it works. It's missing the executables and a bunch of "assembler header" files. Those are created from c/c++-headers by a companion utility of tasm, i.e. they don't include new stuff. Enough to make a good proof of concept for me... What has been published here shouldn't make it too easy for the script kiddies, and it doesn't. It'll probably spread anyway through the net, I fear...

-hwh

#

Re:stupidity

Posted by: Anonymous Coward on April 13, 2006 03:31 AM
So anyone who disagrees with you is either stupid, uninformed, or a zealot? Look, you've made your points, they've been refuted, and readers can make up their own minds.

As far as how the article could ever get published, click here... http://software.newsforge.com/about.tmpl

Recognize any names? But then what do I know, I'm just a stupid and uninformed zealot.

#

Re:stupidity

Posted by: Anonymous Coward on April 13, 2006 04:59 AM
Yeah, I already regret having said this, the debate is already aflame by all means... Add to this that I'm not a native speaker and forgive me the hard words.


But I think that the reaction (to post this ranting article) was plain wrong. Simply claiming that the virus isn't infectious and as such is no virus at all is not a good thing to do if it can't be proven at all (I assert that the code wasn't accessible to the author when the article was written). Now, it even proves wrong, if I'm not totally wrong with my code analysis.



I have a short thing to add to the code inspection I posted before (not logged in, I didn't remember my password back then): The ELF infector simply moves the existing code in the .text section (yes, this is a code section, not a data-only section!) in the file and makes it larger. Before that code there's now a "hole". It resets the ELF headers to take into account that a) the whole executable is now larger, b) entry points for following sections are moved, c) the point in virtual memory where the code is going to be placed (original location minus virus length, so that the original application code stays at its usual virtual address) and - after copying the code - d) the execution entry point.



Note that I'm by no means an assembler guru and everything might by chance be wrong. But it really doesn't look like that.

-hwh

#
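Joe's request for before-and-after ELF samples and hwh's description of what the infector does to the headers can be checked mechanically rather than argued. The script below is an added example; it is not code from the page, from Kaspersky, or from the virus's author. It constructs two minimal, non-executable ELF64 images (a "clean" one, and one laid out the way the post describes: extra bytes in front of the original code, .text start lowered by the same amount, entry point reset to the new start, original code left at its old virtual address) and then diffs entry point and .text geometry. The sample code bytes and the 0x400040 address are assumptions; `describe` and `compare` work on any little-endian ELF64 file, so the same check can be run on a suspect binary against a known-good copy from the distribution package.

```python
import struct

# ELF64 little-endian file header and section header layouts (64 bytes each).
ELF_HDR = "<16sHHIQQQIHHHHHH"
SEC_HDR = "<IIQQQQIIQQ"
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4


def build_elf(entry, text_vaddr, text):
    """Construct a minimal ELF64 image: file header, a .text section, a
    .shstrtab, and a three-entry section table. Constructed sample input
    for describe()/compare(); it has no program headers and cannot run."""
    shstrtab = b"\x00.text\x00.shstrtab\x00"       # name offsets: .text=1, .shstrtab=7
    text_off = struct.calcsize(ELF_HDR)
    str_off = text_off + len(text)
    shoff = (str_off + len(shstrtab) + 7) & ~7       # 8-byte-aligned section table
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    hdr = struct.pack(ELF_HDR, ident, 2, 0x3E, 1, entry, 0, shoff,
                      0, 64, 56, 0, 64, 3, 2)        # ET_EXEC, x86-64, 3 sections, shstrndx=2
    sh_null = struct.pack(SEC_HDR, *([0] * 10))
    sh_text = struct.pack(SEC_HDR, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                          text_vaddr, text_off, len(text), 0, 0, 16, 0)
    sh_str = struct.pack(SEC_HDR, 7, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = hdr + text + shstrtab
    body += b"\x00" * (shoff - len(body))
    return body + sh_null + sh_text + sh_str


def describe(elf):
    """Return (entry point, {section name: (addr, size, flags)}) for an ELF64 LSB image."""
    f = struct.unpack_from(ELF_HDR, elf, 0)
    ident, entry, shoff, shentsize, shnum, shstrndx = f[0], f[4], f[6], f[11], f[12], f[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    headers = [struct.unpack_from(SEC_HDR, elf, shoff + i * shentsize) for i in range(shnum)]
    names_at = headers[shstrndx][4]                  # file offset of .shstrtab
    sections = {}
    for sh_name, _type, flags, addr, _off, size, *_ in headers:
        start = names_at + sh_name
        sections[elf[start:elf.index(b"\x00", start)].decode()] = (addr, size, flags)
    return entry, sections


def compare(clean, suspect):
    """Diff entry point and .text geometry between a known-good and a suspect image.
    Code prepended to .text, as described above, shows up as: entry point moved,
    .text start lowered, .text larger by the same amount, original end unchanged."""
    e0, s0 = describe(clean)
    e1, s1 = describe(suspect)
    findings = []
    if e0 != e1:
        findings.append(f"entry point moved 0x{e0:x} -> 0x{e1:x}")
    a0, n0, _ = s0[".text"]
    a1, n1, _ = s1[".text"]
    if a1 < a0:
        findings.append(f".text start lowered by {a0 - a1} bytes")
    if n1 > n0:
        findings.append(f".text grew by {n1 - n0} bytes")
    if n1 > n0 and a1 + n1 == a0 + n0 and e1 == a1:
        findings.append("original code still at its old address; new code sits in front of it and gets control first")
    return findings


# Constructed sample: 16 bytes standing in for a program's code, then the same
# image with 32 inert filler bytes (int3) placed in front of it the way the post
# describes. Addresses are assumptions chosen to look like a typical x86-64 binary.
CODE = b"\x48\x31\xc0\xc3" + b"\x90" * 12
CLEAN = build_elf(0x400040, 0x400040, CODE)
SUSPECT = build_elf(0x400040 - 32, 0x400040 - 32, b"\xcc" * 32 + CODE)

if __name__ == "__main__":
    for line in compare(CLEAN, SUSPECT):
        print(line)
```

For real files, `compare(open(good, "rb").read(), open(suspect, "rb").read())` gives the same four findings on a binary modified as hwh describes; a binary that merely differs by a legitimate rebuild will usually show a different pattern (both start and end of .text move, entry point stays at the section start).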

Re:stupidity

Posted by: Anonymous Coward on April 13, 2006 05:55 AM
Okay, and I admit that I can't read Assembly. Assuming that a virus of this nature is developed and released, is it safe to say that the highest probability for being infected would be:
1) executables sent as emails. These would have to be saved and then executed by the user, or they would have to rely on a bug in the email client.
2) network worms.

If that's correct, aren't we back to basic system security?
1) Lock down unused services and use a firewall.
2) Don't run executables that are emailed to you. (& encrypt your addressbook.)
3) Back up your home directory regularly.
4) Only install software from trusted sources.

#

Re:stupidity

Posted by: Anonymous Coward on April 13, 2006 06:33 AM
Yes, you're completely right.

I'd even say that for this specific case there's no locking down of services/network needed. It even doesn't depend on an updated system. It's really all about execution policy.

Remember, it's a proof of concept thingy. If it would want to play nasty, it could have all the bad ways to dig into your system, test for buggy versions of programs and creep into your system through manipulated PDFs, TIFFs, web pages and whatnot. It's not new and it doesn't prove something particularly new. Back in the DOS days there were lots of virus programs that could infect COM files as well as boot sectors and EXE files. This virus uses two system call interfaces (and it would be easy to extend this for the most BSDs), which is seldom, but, again, not new.

The whole thing isn't worth much discussion. It wouldn't even be worth discussing much if this thingy had network infection capabilities, malicious code, whatever. The gap between operating systems is not that big on the same architecture if the system's interface isn't too much off the road...

Still, virus writing on windows is easier since you can better rely on the ABI. For Linux, everything other than int 80h or - opposite - shell code would be cumbersome to implement reliably.

-hwh

#

The ELF Virus Writing HOWTO

Posted by: Anonymous Coward on April 13, 2006 08:08 AM
The concept does reek of BS.
A virus writing How-to for Linux (well, ELF to be specific) has been around for years. Refer to that if you want to get an idea of what further problems a Linux virus writer would have.
http://www.linuxsecurity.com/resource_files/documentation/virus-writing-HOWTO/_html/index.html

#

Same BS from Kaspersky 5 years ago

Posted by: Joe Barr on April 13, 2006 10:53 AM
From their web site (http://www.kaspersky.com/news?id=175) five years ago:


Predictions regarding a world epidemic of Linux-viruses have come true in the first quarter of 2001. The latest incidents caused by the Ramen Internet-worm and its numerous modifications, as well as the multi-platform virus Pelf (Lindose) and other Linux-targeted malicious code, have proved that this operating system, (previously considered as the most protected software), has fallen victim to computer viruses.



They were lying out their ass five years ago. Should we trust them now?

#
