Ambidextrous Linux/Windows Virus 361

Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from Windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."
  • How is it POC? (Score:5, Interesting)

    by liliafan ( 454080 ) * on Friday April 07, 2006 @03:07PM (#15086768) Homepage
    I guess it is time for me to double check clamav is still updating without any problems on my systems.

    In 2001, the sadmind/ISS worm exploited a hole in Sun Microsystems Inc.'s Solaris to infect systems running vulnerable versions of the operating system. Infected systems then scanned for and attacked servers running Microsoft Corp.'s IIS Web server software. That same year, another proof-of-concept virus named Winux infected both Windows and Linux systems.


    I am curious about how this is a proof-of-concept virus if it has been done before; surely the concept has already been proven?
  • Not to worry (Score:2, Interesting)

    by shaitand ( 626655 ) on Friday April 07, 2006 @03:09PM (#15086784) Journal
    Windows users are prepared for viruses, and the reason Linux users do not sweat them much is not because Linux viruses do not exist; it is because system design makes their impact minimal.
  • which architectures? (Score:4, Interesting)

    by jon787 ( 512497 ) on Friday April 07, 2006 @03:09PM (#15086788) Homepage Journal
    The article says the worm was written in assembly and I assume it means x86 assembly. Can the worm infect non-x86 Linux hosts?
  • How does it work? (Score:2, Interesting)

    by Nazo-San ( 926029 ) on Friday April 07, 2006 @03:15PM (#15086843)
    I'm kind of curious how it works. You can't just take, say, C++ and simply write the exact same code and it will work in both Windows and Linux. Some of the basics like cout do, but once you start getting a little more complicated and try to modify files, then it gets tricky. I'm guessing we aren't talking about a Java type thing (supposedly Java has securities in place, though I've never directly tested them -- I do know that it can delete or modify a file though). They mentioned ELF and Win32 executable binaries, so if it's Java, then that's just a frontend obviously. They wouldn't call it an ambidextrous virus if specific code were written for each OS though, right? The only single thing I can think of is maybe make a system call and run "del so-and-so", which in Linux's case would rely on an alias being in place to actually run rm.

    Could anyone who knows more programming than I do (which, btw, isn't so hard so feel free to hop in here) give me just an idea of how this is even possible?

    You know, suddenly I'm reminded of .hack. In it, one amazingly powerful virus was able to wipe out almost all major operating systems with the exception of a single one, and that one was neither Windows nor Linux. Ok, it's just a story, but do you suppose some nut wants to see if they can make this come true in their own way?
  • Symantec (Score:5, Interesting)

    by rmsmith ( 930507 ) on Friday April 07, 2006 @03:28PM (#15086976)
    I find it interesting that this 'virus' appears shortly after Symantec reportedly gets cushy with the Linux press [newsforge.com]
  • Re:How does it work? (Score:3, Interesting)

    by alexhs ( 877055 ) on Friday April 07, 2006 @03:51PM (#15087191) Homepage Journal
    I will give two possibilities:
    1. "universal binary": compile code for each platform you want to infect. That one might even work on other architectures.

    Code needs:
    a. an algorithm to know which OS/arch an executable is for (and needs to know if a file is an executable in the first place)
    b. an algorithm to link the appropriate code part.

    You have a Win/x86 trojan. It checks for files and finds a PowerPC/Linux ELF. It adds itself to the end of the file, finds a jump in the original code, reroutes it to the PowerPC/Linux part of the virus code. At the end of the virus code, it does the appropriate jump so the original program still works.

    2. checks for syscalls:
    IA32 code (usually named x86) remains IA32 code, whatever your OS is. The biggest difference lies in syscalls.
    Have generic code (without syscalls) checking what OS is running and set, say, CurrentOS. Each time you need a syscall, do a switch(CurrentOS) and execute the appropriate syscall.
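The first step in the "universal binary" scheme described above, working out which OS and architecture a file was built for, is the same header check that a loader or an antivirus scanner performs, and it also bears on jon787's question about non-x86 hosts: an ELF file declares its machine type in its header, so code compiled for x86 is inert on a PowerPC Linux box unless a separate PowerPC payload exists. The Python below is an added example written for this page, not code from the thread or from Kaspersky or SANS. It reads the ELF identification bytes (class, endianness, OS ABI, machine) and the PE COFF header's Machine field, treating truncated or malformed input as data to report rather than trust. The sample headers are constructed inside the block, and the machine and ABI tables deliberately cover only a handful of common values.

```python
"""Classify a native executable by its header: ELF vs PE, plus target machine.

Added example for this page; the sample headers below are constructed, not
taken from any real binary or from the virus under discussion.
"""
import struct

# Partial tables of header constants (only a few common values are listed).
ELF_MACHINES = {0x03: "x86", 0x14: "PowerPC", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object"}
ELF_OSABI = {0: "System V", 3: "Linux", 9: "FreeBSD"}
PE_MACHINES = {0x014C: "x86", 0x01C0: "ARM", 0x8664: "x86-64", 0xAA64: "AArch64"}


def classify_executable(data: bytes) -> dict:
    """Identify what kind of native executable `data` is from its header alone.

    Returns {"format": "ELF" | "PE" | "MZ" | "unknown", ...}. For ELF it adds
    word size, endianness, OS ABI, object type and machine; for PE the machine.
    Truncated or inconsistent headers are reported in the result instead of
    raising, because a scanner must not trust the file it is inspecting.
    """
    if data[:4] == b"\x7fELF":
        if len(data) < 20:
            return {"format": "ELF", "error": "truncated ELF header"}
        ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
        if ei_class not in (1, 2) or ei_data not in (1, 2):
            return {"format": "ELF", "error": "invalid EI_CLASS or EI_DATA"}
        # e_type and e_machine follow the 16-byte e_ident and use the file's own byte order.
        endian = "<" if ei_data == 1 else ">"
        e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
        return {
            "format": "ELF",
            "bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "osabi": ELF_OSABI.get(ei_osabi, f"unknown(0x{ei_osabi:02x})"),
            "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
            "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:04x})"),
        }
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return {"format": "MZ", "error": "truncated DOS header"}
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature; Machine is 4 bytes after it.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"format": "MZ", "note": "DOS stub without a PE header"}
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return {"format": "PE", "machine": PE_MACHINES.get(machine, f"unknown(0x{machine:04x})")}
    return {"format": "unknown"}


# ---- constructed sample headers (minimal, not real programs) ----
def _elf_header(ei_class, ei_data, osabi, e_type, e_machine):
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, osabi]) + b"\0" * 8
    return e_ident + struct.pack(endian + "HH", e_type, e_machine)


def _pe_header(machine):
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature immediately after the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<HH", machine, 1)


SAMPLES = {
    "linux-x86-64": _elf_header(2, 1, 3, 2, 0x3E),
    "linux-ppc32": _elf_header(1, 2, 0, 2, 0x14),
    "win32-x86": _pe_header(0x014C),
    "dos-stub": b"MZ" + b"\0" * 0x3E,  # e_lfanew = 0 points back at "MZ", so no PE header
    "shell-script": b"#!/bin/sh\necho hello\n",  # not a native executable at all
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:13s} -> {classify_executable(blob)}")
```

A file that claims to be ELF but is shorter than its own header, or an MZ file whose e_lfanew points outside the data, is exactly the kind of input a hand-rolled infector or a careless scanner mishandles, which is why every offset is bounds-checked before it is read.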
  • by davidwr ( 791652 ) on Friday April 07, 2006 @04:31PM (#15087540) Homepage Journal
    The real difference, for now at least, is that most Windows users run applications, and more importantly web browsers, with administrative privileges.

    Most Linux/*nix users do not.

    By this time next year, when Vista's default web browser runs in a more-locked-down environment, MS-Windows users will be less vulnerable.

    Blame the OS vendors and their OEMs - most people just take the defaults and run.
  • Re:Not to worry (Score:4, Interesting)

    by andreyw ( 798182 ) on Friday April 07, 2006 @04:46PM (#15087683) Homepage
    The problem isn't that it isn't there. The problem is that you need to do something to make use of it. On OS X, if there is some task that needs admin access, I get prompted accordingly. With windows, such functionality is only available in certain control panel applets.
  • by Anonymous Coward on Friday April 07, 2006 @04:48PM (#15087690)
    "How do you get this "virus"? You have to run infected code, right?"

    One word.... Wine.

    I run windows binaries in Wine all the time.
    If the virus could detect it was running in Wine on a Linux box, then it could infect the machine.
  • Links? (Score:2, Interesting)

    by spaceturtle ( 687994 ) on Saturday April 08, 2006 @12:39AM (#15089582)
    Hi, could you give the links to the technology you are using? I am very interested in this field (giving applications less rights than the user). I have not heard of SAKs before.

    BTW, Have you heard of Plash [beasts.org] or Systrace [umich.edu]?

    Unfortunately I don't think that many Linux systems are set up the way you describe, though I intend to make it my personal quest to make sure they are.

    Also, have you come across a way of stopping GUI applications taking over other GUI application via the X protocol?

    I know that it is possible to run X applications in untrusted mode, but I understand that it is still possible for untrusted applications to snoop on other untrusted applications via X, so we cannot simply run all applications in untrusted mode.
