Cross-Platform Pseudo-Virus: Don't Panic

spam-it-to-me-baby writes: "It's only based on one reported sighting (i.e. it could be bulls**t), but anti-virus software hacks Central Command say they have found the first Windows/Linux cross-platform virus. It appears only to be a proof of concept with no malicious payload, and targets Windows PE files or Linux ELF files once it recognises the infected OS." There are stories at CNET and at Wired as well, not to mention at NewsForge. Despite the Wired story causually saying so, though, this is anything but an "equal opportunity" virus, except in that it seems to infect multiple media sources without discrimination. When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

False Safety

An article from Reuters about it:

Reuters [yahoo.com]

Central Command says it has developed a cure for the virus at its Web site (Avx.Com [avx.com]).

Jethro

Virus Source

Rumor has it that the virus is spread by upper management, so let's look at the source:

GET FREE MONEY!!! You can get a lot of FREE MONEY if you send this file to everybody in your address book and delete all the files on your computer! Do it! All the cool people are doing it!!!!

Tell me what makes you so afraid
Of all those people you say you hate

Loads of people do this all the time

When was the last time you ran unknown programs (as root) on your machine, then manually copied them (and ran as root) on another machine as well?

Considering most people who run Windows run as root by default (9x, ME) or by choice (Administrator-equiv user on NT or 2k), it's not hard to conceive of them running as root on a workstation-based linux machine.

I definitely see less-sophisticated users running a Windows and Linux combo trying out a "cool win/linux app!" that their friends sent them. God knows that a major portion of morons where I work, in SPITE of the long history of trojans/viruses/general maliciousness via email will without question run .exes they get in the mail, especially if there's any chance of seeing a little skin or some cuss-filled animation.

Dual Boot systems at greater risk than Linux only

While only an idiot runs mystery software as root on a *nix system, what happens when you dual boot into Windows to play that favorite game or run that beloved flight simulator? At this point you *are* essentially running everything as "root", and Linux filesystems are potentially just as accessible and corruptable as windows filesystems (assuming the virus is smart enough to parse the inode map, or a ext2win type driver is loaded in windows).

The infection vector for Linux software may be more via the windows dual-boot option so many of us keep around, rather than the clueless newbie running a downloaded executable as root. If the virus author chooses a target intelligently, one which runs as root by default (for example, say, "getty" or "X"), your Linux system could well become a warren of virial activity no matter how secure the Linux portion of the configuration is.

Using an encrypted filesystem, inaccessible under windows, might prevent this sort of contagion, but of course that wouldn't prevent the windows incarnation of the virus from simply trashing the encrypted data and destroying the Linux installation outright.

The upshot is, if you have Windows installed on your system, and use it in any kind of promiscuous fashion (which, for an operating system as insecure as Windows must include having any kind of connection to the internet), any data anywhere on the hardware is at risk, and all the security Linux or FreeBSD offers you is for naught.

GPL'ed virus!

W32.Winux contains internal text strings. It also contains the following text: ?[Win32/Linux.Winux] multi-platform virus by Benny/29A? and ?'This GNU program is covered by GPL.?

It appears that the Free Software Foundation's message has finally reached the cracker community.

Re:Not a virus, not a worm

Code that has to be spread manually is not a "virus."

It doesn't have to be spread manually. Read the analysis - it searches for Windows PE exes and Linux ELF exes and infects them.

However, the analysis states that this virus only searches for and infects executables in its own directory and parent directories. This to me seems fairly harmless. If you were emailed a program infected with this virus, it would surely only infect your temp directory (and root dir, but who would have executables there?) And as you say, this one doesn't propogate over the internet, so the only way you're likely to catch it is running an infected prog emailed to you.

But as they say.. it's a "proof of concept". Where I work, we had a hell of a time with a virus that checked machines in the network neighbourhood for open shares (this was a Windows virus of course) and then searched them for executables to infect. Watch for a virus which can infect Windows exes and Linux ELF exes like this one, but which also aggressively searches shares, NFS mounts, etc. for more files to infect.. that might be something to take more seriously..

What worries me is...

A cross-platform virus that is spread initially through standard Microsoft Outlook or Word but knows how to probe for weaknesses in Unix servers.

Then it can replicate itself into every .doc file on the server, as well as root the servers for later nastyness. Yikes, makes my skin crawl just thinking about it.

Most people focus on hardening their externally visible servers, not the ones in the back room that are invisible to the outside world. Now we've got to worry about any server reachable from anything that runs Outlook or Word.

Arrg.

-- ac

"Idiots" and unknown software?

Fair enough, claim that only "idiots" run unknown software on their box, and that because you are so 133t, you compile all software you use.

Which proves what? That you've compiled some software, and *then* run it.

Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm? Sure it wasn't a trojaned source you downloaded (The server could have been hacked right?)

Just because you compiled from source, doesn't mean your newly-created binaries are therefore perfect and couldn't *possibly* contain a trojan of some sort.

Early April Fool

Smells very much like an early April Fool.
--
jambo
system.admin.without.a.clue

Re:Not a virus, not a worm

Code that has to be spread manually is not a "virus."

Sigh... well, I guess it's finally time for me to stop clinging to the proper usage of the terms "virus" [tuxedo.org], "worm" [tuxedo.org], and "trojan" [tuxedo.org]. I got all excited when I saw this article, because it was the first time in years that I had heard of a real virus, and not just another trojan or worm... and sure enough, I see arrogant slashdotters (-1 redundant) complaining about it.

Fine, I give up. Language evolves. But you're still getting smacked if I ever hear "worm virus" again.

Re:It's worse than that

It was Ken Thompson in an implementation of a C compiler. His paper on it can be found here [acm.org].

Re:Dual Boot systems at greater risk than Linux on

Only one problem I seee with this logic. When in windows, can you see an ext2 partition on the same drive? NOPE! Windows can't see ext2. The more dangerous one would be if you were logged in as root with your windows drives mounted. Then, you'd infect both partitions. So, if your in windows and get it, not a huge deal. You'd only loose Windows stuff. Personally, I can't see WHY someone would want to write a virus, especially one for Linux since anyone who knows anything about Linux will figure out WHY it's not a good idea to do certain things as root. It only takes one fug up and you will remember that for the rest of your life as you kick it in your head while watching your filesystem go bye bye!! :)

Re:Four Words...

You know that there have been Mac viruses before. There's about 40-50 or so non-Word macro viruses. The reason you don't see as many of them is that the Mac hasn't been as friendly to casual programmers as DOS and Windows have been, and the market penetration is lower. Thus, there are less people messing around with non-professional programming on the Mac who would get the virus-writing urge. It's lack of market penetration has also made it less desireable of a target.

There is no inherent safety to the Classic Mac OS that prevents viruses at all. In fact, the use of shared global memory resources, non-existant memory protection, and nearly non-existant file protection makes it very unsafe. It's just secured by obscurity.

Mac OS X will have all the same strengths and weaknesses of a UNIX system. Unfortunately, the UNIX layer makes basic worm and virus writing easier since the APIs are better known by more people. It won't be long until the first Mac OS X viruses begin propogating. I don't think we'll ever reach the level of DOS/Windows in its heyday, but don't kid yourself into thinking that the Mac is, has been, or ever will be completely immune from rouge code on the system.

Re:Dual Boot systems at greater risk than Linux on

(moderators - kick the parent AC up)

You can see an ext2 partition on the drive - Windows doesn't have the built in tools to parse the stream of data as a filesystem, but it is possible to write a win9x program to directly read the disk and interpret the filesystem for itself. In WinNT, there are third-party drivers to read ext2 partitions just like another mount.

Tell me what makes you so afraid
Of all those people you say you hate

GPL issue for Virus

Slightly OT, but just had a thought.

Your not allowed to redistribute a GPL program, unless you agree to the liscence (Basic copyright).

If you redistribute a GPL'd binary, you have to (at leat) have the source available freely, to those who you pass the binary on to.

Does this mean that if I infect someone with the virus (deliberatly), I must give them the source, on request? (Answear: Yes)

What if I give them the binary, unwittingly?

What if I intend to give them a different program (e.g. xbill) that is infected. The source is requested, then I give them the xbill source. But that's not the source for the binary - does this mean the GPL cannot be upheld in this cricumstance?

Extremly icy ground, and prbably best handled by lawyers, (one of which I am not), but even so, food for thought.

Stuey!
--

Re:"Idiots" and unknown software?

Did you study the source code at length? Check it personally that it didn't have any back doors whatsoever? Hmmmm?

What are you talking about? How do you know whether I check it or not? In fact, I run exclusively code I've compiled myself, after having read the complete code to check for security reasons.

This has saved me a lot of trouble. On the other hand it takes some time. Since I'm very strict in this thing, I only run a very dumbed down version of MINIX of which I had to study the code for my operating system classes. I hardly uses any utilities (http, smtp, news: everything can be done just fine directly over telnet).

I am preparing to run X and KDE in the future. I estimate I'll be ready in 5 years to start compiling the code. I can hardly wait..