Ambidextrous Linux/Windows Virus
Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from Windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."
How is it POC? (Score:5, Interesting)
I am curious about how this is a proof-of-concept virus: if it has been done before, surely the concept has already been proven?
Not to worry (Score:2, Interesting)
which architectures? (Score:4, Interesting)
How does it work? (Score:2, Interesting)
Could anyone who knows more programming than I do (which, btw, isn't so hard so feel free to hop in here) give me just an idea of how this is even possible?
You know, suddenly I'm reminded of
Symantec (Score:5, Interesting)
Re:How does it work? (Score:3, Interesting)
1. "Universal binary": compile code for each platform you want to infect. That one might even work on other architectures.
Code needs:
a. an algorithm to know which OS/arch an executable is for (and needs to know if a file is an executable in the first place)
b. an algorithm to link the appropriate code part.
You have a Win/x86 trojan. It checks for files and finds a PowerPC/Linux ELF. It adds itself to the end of the file, finds a jump in the original code, and reroutes it to the PowerPC/Linux part of the virus code. At the end of the virus code, it does the appropriate jump so the original program still works.
2. Checks for syscalls:
IA32 code (usually named x86) remains IA32 code, whatever your OS is. The biggest difference lies in syscalls.
Have generic code (without syscalls) checking which OS is running and set, say, CurrentOS. Each time you need a syscall, do a switch(CurrentOS) and execute the appropriate syscall.
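An added example, not from the thread, of step (a) in the parent comment (telling which OS and architecture an executable is for), written from the triage side: it reads only the ELF and PE headers and reports format, machine and entry point. The machine-code tables come from the public ELF and PE/COFF specs; the sample headers are constructed inside the block and are not real binaries.

```python
import struct

# e_machine values from the ELF spec and Machine values from the PE/COFF spec
ELF_MACHINES = {0x03: "x86", 0x14: "PowerPC", 0x15: "PowerPC64", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x014C: "x86", 0x01C0: "ARM", 0x8664: "x86-64", 0xAA64: "AArch64"}


def identify_executable(data: bytes):
    """Classify a file by its header only: (format, arch, entry point) or None."""
    if data[:4] == b"\x7fELF" and len(data) >= 52:            # ELF32 header is 52 bytes
        endian = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 = LSB, 2 = MSB
        e_machine = struct.unpack(endian + "H", data[18:20])[0]
        if data[4] == 2:                                       # EI_CLASS: 2 = 64-bit
            entry = struct.unpack(endian + "Q", data[24:32])[0]
        else:
            entry = struct.unpack(endian + "I", data[24:28])[0]
        return ("ELF", ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"), entry)
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack("<I", data[0x3C:0x40])[0]       # e_lfanew -> "PE\0\0"
        opt = pe_off + 24                                      # optional header follows the 20-byte COFF header
        if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 20:
            return None                                        # MZ stub without a PE header (e.g. DOS .exe)
        machine = struct.unpack("<H", data[pe_off + 4:pe_off + 6])[0]
        entry = struct.unpack("<I", data[opt + 16:opt + 20])[0]   # AddressOfEntryPoint (RVA)
        return ("PE", PE_MACHINES.get(machine, f"unknown(0x{machine:x})"), entry)
    return None


# Constructed sample headers (not real binaries): just enough bytes for the fields read above.
def make_elf64(e_machine: int, entry: int) -> bytes:
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)           # 64-bit, little-endian, version 1
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, e_machine, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)


def make_pe32(machine: int, entry: int) -> bytes:
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry)  # PE32 magic ... AddressOfEntryPoint
    return dos + coff + opt


if __name__ == "__main__":
    samples = [("elf64", make_elf64(0x3E, 0x401000)), ("pe32", make_pe32(0x014C, 0x1000)),
               ("script", b"#!/bin/sh\necho hi\n")]
    for name, blob in samples:
        print(name, identify_executable(blob))
```

Unknown machine codes are reported rather than dropped so that unexpected format/architecture combinations stand out during triage.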
The real difference: root vs. non-root (Score:1, Interesting)
Most Linux/*nix users do not.
By this time next year, when Vista's default web browser runs in a more-locked-down environment, MS-Windows users will be less vulnerable.
Blame the OS vendors and their OEMs - most people just take the defaults and run.
Re:Not to worry (Score:4, Interesting)
Re:Is this another do-it-yourself? (Score:1, Interesting)
One word.... Wine.
I run windows binaries in Wine all the time.
If the virus could detect it was running in Wine on a Linux box, then it could infect the machine.
Links? (Score:2, Interesting)
BTW, have you heard of Plash [beasts.org] or Systrace [umich.edu]?
Unfortunately I don't think that many Linux systems are set up the way you describe, though I intend to make it my personal quest to make sure they are.
Also, have you come across a way of stopping GUI applications taking over other GUI applications via the X protocol?
I know that it is possible to run X applications in untrusted mode, but I understand that it is still possible for untrusted applications to snoop on other untrusted applications via X, so we cannot simply run all applications in untrusted mode.