
Torvalds Creates Patch for Cross-Platform Virus

Posted by ScuttleMonkey
from the just-here-to-make-things-work dept.
Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem." From the article: "The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. [...] So the virus did a number of strange things to make this show up, but on the other hand the kernel does try to avoid touching user registers, even if we've never really _guaranteed_ that. So the 2.6.16 effect is a mis-feature, even if a _normal_ app would never care. It just happened to bite the infection logic of your virus thing."

  • mis-feature (Score:5, Insightful)

    by Douglas Simmons (628988) * on Tuesday April 18, 2006 @05:13PM (#15152722) Homepage
    Gotta admire how Linus calls a spade a spade even when that spade is a Good Thing. Imagine how MS would spin this if it happened to them.
    • Re:mis-feature (Score:3, Interesting)

      by Anonymous Coward
      Imagine how /. is going to spin this as "not a linux problem".
    • Re:mis-feature (Score:5, Interesting)

      by shotfeel (235240) on Tuesday April 18, 2006 @05:20PM (#15152753)
      From TFA:

      Leave it to open source hackers to debug and fix aging viral code so that it works correctly.

      That's what I find amazing -fixing things so the virus will run properly.
      • Re:mis-feature (Score:5, Informative)

        by dhasenan (758719) on Tuesday April 18, 2006 @05:50PM (#15152951)
        The virus in question apparently wasn't infecting system files--it didn't have an elevation-of-privileges feature, so it couldn't access /bin, /usr, etc. (And /etc, too, though that's not relevant.)

        So if a 'virus' is using standard OS features that legitimate applications also use, and suddenly the virus stops working, there's obviously been a change, and it breaks those legitimate applications.

        In short, Torvalds didn't want to remove a feature without prior discussion.
        • privilege escalation isn't really a big problem in the short term, infection is more important in the early stages. Escalation will come eventually.

          Don't take my word for it :

          http://www.maht0x0r.net/pdf/tom_duff_-_unix_viruses.pdf [maht0x0r.net]

          • Is that the same Duff as Duff's Device? (Really neat switch/case "feature".)
          • That's a nice link to a bit of history. But I think you missed the parent's point. The point of mentioning elevating privileges is that most privilege elevation schemes take advantage of some bug in a system. This is not the case here. Fixing the bug, and essentially enabling the virus, is actually fixing a bug... not re-introducing a bug the virus is dependent on.

            Discussions on how to elevate privileges are another subject. And your link... more to do with history than anything really provoking - a
    • If it is a bug in the ABI relating to the kernel, you may have a problem. Binary apps such as those old Loki-ported games, or binary apps such as Oracle might have odd problems.

      So it really is a good thing to patch.

      Just because a bug is uncovered by a virus doesn't mean that it is not a bug.
  • by microbee (682094) on Tuesday April 18, 2006 @05:15PM (#15152731)
    :)
  • one-man army (Score:2, Insightful)

    goes to show that if one person has complete mastery over a piece of code (e.g. the kernel), and if they're decently competent, they should be able to fix it very quickly and very soon. imagine this floating around a programming group -- being passed from one person to the next, each with their partial understanding of the whole system.

    that's one up for good ol' fashioned hacking...

    • Re:one-man army (Score:3, Insightful)

      by Skiron (735617)
      Not only the 'one' person, but a clean code base that makes a small fix. I expect the others would need a few hundred MB patch and lots of breakage/bundled/undocumented updates to fix it (as normal).
    • Fix it? (Score:5, Informative)

      by gnuadam (612852) on Tuesday April 18, 2006 @05:20PM (#15152756) Journal
      I think you misunderstand. He fixed a flaw in the kernel that kept the virus from *working*. The patched systems should be vulnerable.
      • Re:Fix it? (Score:3, Interesting)

        by Anonymous Coward
        yes, but it was a flaw in the operating system nonetheless. Just because a virus discovered the flaw doesn't mean the flaw shouldn't be fixed.

        If someone validates your website, and points out to you that it's invalid, do you complain that they use IE? No, you correct the page to make it valid again. (of course, it still won't work in IE, but c'est la vie)
      • Um, no... the system running the updated kernel would still not be vulnerable in the normal sense. Did you really think normal users were able to infect linux system binaries with this "virus"?

        One thing that is vulnerable would be an instance of windoze running in linux under wine, since everything in wine is owned by the user running it.

        Of course, as some will quickly remind me, if you were to log into a linux system as root, deliberately "infect" a system binary, and then run the infected binary as root,
      • Re:Fix it? (Score:5, Funny)

        by FhnuZoag (875558) on Tuesday April 18, 2006 @09:05PM (#15154123)
        Well, one more step towards making Linux ready for the desktop.
    • imagine this floating around a programming group -- being passed from one person to the next, each with their partial understanding of the whole system.

      Imagine if that group had a manager!!! It would float around a board of directors, being passed from one department head to the next, each with their limited or nonexistent understanding of anything related to the project. Finally, after weeks of meetings, it would be assigned to the development manager who would dump it into the lap of the programming gro
    • ...each with their partial understanding of the whole system.

      More to the point, the one person who might understand enough to debug it will be continually hectored by others who don't understand what is going on, but whose egos are so wound up in appearing smart that they can't resist giving advice, suggesting alternative paths, etc.

      This will ensure two things: that the bug will take many times as long to fix, and when the one person who does know what is going on finally fixes it despite all the "help" so
  • by RealBothersome (838593) on Tuesday April 18, 2006 @05:21PM (#15152761)
    ...that linux was patched so that the virus would now function as expected? I'd hate to think we left any program behind.
  • by EraserMouseMan (847479) on Tuesday April 18, 2006 @05:22PM (#15152768)
    as a patch or a bug or a buggy patch?
  • Next week: (Score:5, Funny)

    by moochfish (822730) on Tuesday April 18, 2006 @05:25PM (#15152795)
    Next week: "Torvalds Patches Kernel Against Cross-Platform Virus"
  • A bug is a bug. (Score:4, Interesting)

    by Spy der Mann (805235) <<spydermann.slashdot> <at> <gmail.com>> on Tuesday April 18, 2006 @05:36PM (#15152861) Homepage Journal
    Who says this bug didn't mess up with WINE libs, preventing OTHER programs from working correctly?

    Of course, we'll need a sandbox patch or something BEFORE windows viruses start affecting WINE+linux :)
  • by Foofoobar (318279) on Tuesday April 18, 2006 @05:37PM (#15152870)
    Ok... now let's see Bill Gates issue his own patch. The clock's ticking Bill. :)
  • Incorrect title (Score:5, Informative)

    by cperciva (102828) on Tuesday April 18, 2006 @05:38PM (#15152874) Homepage
    Linus did not create a patch for the virus. Linus created a patch for the Linux kernel, to fix a bug which happened to have been discovered by looking at the virus.

    Of course, if the story had been submitted with the correct title of "Linus fixes bug in Linux", it probably would never have been posted.
    • So there was a bug to be fixed anyway, and the virus just happened to uncover it?
      • Re:Incorrect title (Score:5, Informative)

        by cperciva (102828) on Tuesday April 18, 2006 @05:44PM (#15152922) Homepage
        So there was a bug to be fixed anyway, and the virus just happened to uncover it?

        Yes -- and it's quite possible that this bug was affecting other code, but with programs any more complicated than a virus, nobody debugged far enough to figure out that it was a kernel bug.
        • Technically, it appears to be a bug in GCC - Linus patched the kernel to work around the bug.
          • Re:Incorrect title (Score:3, Insightful)

            by abb3w (696381)
            Technically, it appears to be a bug in GCC - Linus patched the kernel to work around the bug.

            Actually, it's easy to make a case that both had bugs. GCC made the assumption that the Kernel does not mess with user registers. Since the assumption was wrong (and not required to be true under the kernel spec), it is a bug [jargon.net] in the compiler. Since the assumption was reasonable (although not required), it is a bug (or at least a wart [jargon.net]) in the kernel. Hopefully, the GCC will eventually get patched, too.

    • Re:Incorrect title (Score:5, Informative)

      by Anonymous Coward on Tuesday April 18, 2006 @05:44PM (#15152915)
      Sorry, it was not a bug in the kernel either. A correct title would be "Linus patches kernel with workaround for GCC bug uncovered by cross platform virus". RTFA next time smartass, MMmmmkay?
      • Re:Incorrect title (Score:3, Informative)

        by Anonymous Coward
        Most specifically, GCC made an assumption about the kernel that should have been correct (won't touch user registers) but wasn't guaranteed to be correct, and as of 2.6.16 was no longer correct. The kernel was patched to restore the assumption to correctness, since it really was a reasonable assumption.
        • Not quite right. It's GCC that generates the code that erroneously twiddles the registers. The change in 2.6.16 was using an optimization flag by default that uncovered the bug.

          The kernel patch doesn't restore the assumption, it works around the bug in GCC that breaks the assumption for userspace programs.
      • A bug in the kernel's behavior caused by some underlying tool is still a kernel bug which the kernel team needs to address. Pushing it off on gcc would have been very un-Linux like, and in fact, Linus wrote a fix (yes, it's a workaround for a gcc limitation... there are many such fixes in Linux).

        Sarcastic RTFA comments aside, I think you're looking to have a very Windows-like world where vendor A blames vendor B who blames Microsoft who says that it's an application problem, and they don't support that. I'm
      • Now THAT sounds more like something Bill Gates would say... Good Job!
    • by dhasenan (758719)
      Linus created a patch because of the virus. Thus, he created the patch for the virus. That is the meaning used in the article title.

      What he patched was the Linux kernel. Thus, he created the patch for the kernel. You know this usage; however, it is not the only one. Your attempt at a correction was flawed.
    • Re:Incorrect title (Score:2, Informative)

      by aqfire (885545)
      You could say that Linus patched the Linux kernel "for" the virus, so that it would run better. ;)
  • by Anonymous Coward on Tuesday April 18, 2006 @05:41PM (#15152893)
    I don't want to get infected with any of them Windows viruses, Mac Worms, or Linux Diseases.
    So I run NetBSD
    On a VAX

    I'm slow, but I'm not infected.
    (that's what I tell my girl also)
    • (that's what I tell my girl also) [emphasis mine]

      Something's wrong with that sentence. What's wrong?

      s/girl/mom. That's more like it.

      Now enjoy your NetBSD-running VAX in your mom's basement.

    • I can run Linux on a VAX [sourceforge.net], too!
    • Hey, that's not funny!

      (I'm running NetBSD on a Cobalt RaQ2 (and a Qube2)).

      On the bright side, I haven't been hacked yet...

      but system builds are a bitch.
    • My VIC20 never got a virus either...
  • by tktk (540564) on Tuesday April 18, 2006 @05:41PM (#15152894)
    I know it was a proof of concept but... does the virus perform better on Windows or Linux?
    • Now, let's not get caught up in a "My OS is better than your OS" war over viruses and other malware. We all know Windows beats all competitors in quantity of malware supported. But, if malware were produced with Unix ware in mind, Linux would run the viruses/malware most beautifully and most efficient on it. I am sure of it.
      • Yeah, after manually running ./configure --prefix=/opt/pwn3d && make && sudo make install, the virus will run quite well.
        • Yeah, after manually running ./configure --prefix=/opt/pwn3d && make && sudo make install, the virus will run quite well.
          No kidding. The Unix Way sucks. The Microsoft Way is much better--after a long time of trying to buy out the virus's vendor, they just bought out a competing virus and it will be installed in every copy of Windows Vista! How's that for service?
    • My answer (Score:5, Funny)

      by EmbeddedJanitor (597831) on Tuesday April 18, 2006 @08:27PM (#15153911)
      Performance is only a small part of the issue. You have to look at the TCO of running viruses to appreciate Windows properly. With Linux it is far harder to run a virus and you've got to train all your users to chmod etc. With Windows it's much easier, just double click or drag and drop. Now that saves you a bundle in IT tech support when people ask "how do I install virus X on my PC?" Further, with Windows you get a lot more choice. You can get a wide selection of popular viruses from easy to download sources. Linux is pretty short on choice, so if you switch to Linux you're limiting choice which is UnAmerican.
    • I'm a small company IT guy so performance isn't the issue for me. What I need to know is my ROI and my TCO going to be better on Linux or Windows once I get infected.

      Charts, graphs and lots of PR-speak laced "facts" would be most welcome.
  • by ravee (201020) on Tuesday April 18, 2006 @05:48PM (#15152942) Homepage Journal
    I think the viruses cause damage only if the person uses his machine logged in as root. If he is logged in as an ordinary user, I wonder how it is going to make a difference? At the most, some of his personal files may be modified or his keystrokes logged or the virus may use his machine to propagate to other machines. So what is the hoopla about this proof of concept virus which was created in a lab in some anti-virus company? I suspect this is a conspiracy of these anti-virus companies to stay afloat by creating a buzz about a virus in Linux.
    • <BLINK>SATIRE</BLINK>
    • by Anonymous Coward
      if id lose all my personal files (mails, mp3s, documents, code) that would suck man. my root-owned files .... pfft, id just re-install the damn distro
    • by Phroggy (441) *
      For a typical home user, malware that wipes out the user's home directory can be absolutely devastating, while malware that only wipes out the operating system isn't really a big deal. The OS can be reinstalled fairly easily. Most of your personal data probably isn't backed up.
      • Isn't your personal data the stuff that *should* be backed up? You can re-install your OS quite easily. If a virus (unlikely) or a harddrive failure or accidental deletion (far more likely) causes you to lose your data then backups are the only way out of that.
  • Best part (Score:5, Interesting)

    by slashflood (697891) <flow@@@howflow...com> on Tuesday April 18, 2006 @05:49PM (#15152948) Homepage Journal
    from TFA:

    This lends support to the speculation that this virus is not new code at all, in spite of how Kaspersky Lab is trying to use it to drum up new business. [...] And shame on the anti-viral industry, Kaspersky Lab in particular, for its attempts to deceive the public by passing off old code as something new.

  • Gee. (Score:5, Funny)

    by ultramk (470198) <ultramk&pacbell,net> on Tuesday April 18, 2006 @06:02PM (#15153030)
    Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven that the virus does indeed not work with latest kernel version 2.6.16 and even released a patch in order to fix this "problem."

    Oh, um... Well, hmmm.

    Thanks, Linus. I guess.

    m-
  • Goal :)? (Score:5, Funny)

    by suv4x4 (956391) on Tuesday April 18, 2006 @06:08PM (#15153072)
    Today, we fix Linux to support a cross-platform virus, tomorrow: support for Windows viruses.
  • by caffeination (947825) on Tuesday April 18, 2006 @06:10PM (#15153080)
    From Newsforge [newsforge.com]
    We sent an email to Linus Torvalds to let him know about our testing. He replied:

    That said, it sounds like it's a regular program that just happens to work on both Windows and Linux, and that happens to do things that are perfectly OK per se (i.e. writing to files that are owned by the user). So it's interesting just because of the "works on both Linux and Windows" angle, not because of any viral nature.

    This is a really good insight, I think. While the rest of us are thinking about the "virus" and wondering what it means for the future, Linus identifies all these ignored technical aspects.

    The power of a mind untouched by Slashdot?

  • _Damn!_ Linus is _really_ on the ball these days, _man_.
  • by TekPolitik (147802) on Tuesday April 18, 2006 @06:53PM (#15153312) Journal
    A patch to make sure a virus runs gives a whole new meaning to the term "bug compatible" [jargon.net].
  • by dido (9125) <dido@NOsPAm.imperium.ph> on Tuesday April 18, 2006 @10:11PM (#15154441)

    Basically, if I'm reading this correctly, the virus' correct operation depended on system calls to the Linux kernel keeping values of registers unchanged, which is the correct behavior. 2.6.16 broke this behavior, but since very little other code actually assumes this as well, we didn't get serious lossage, but we *might* for other code, and were the virus rewritten to not assume that register values were preserved by system calls, it might also work properly. At any rate, this virus would still have far less teeth on GNU/Linux than it would on Windows, unless someone was stupid enough to execute it as root. And well, if you're actually foolish enough to do something like that on GNU/Linux, then you're probably also foolish enough to enter rm -rf / or something equivalent as root at some point.
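
The register-preservation property described in the comment above can be checked from user space. As an added example (not part of the original comment or the Newsforge article), this C program for x86-64 Linux loads constructed sentinel values into registers, issues a raw getpid system call, and reports any register that changed; the choice of getpid, the register set and the sentinel values are assumptions made for the illustration, and it does not reproduce the specific system call involved in the 2.6.16 case.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>

/* Registers checked: six syscall-argument registers plus two callee-saved
 * ones. rax (return value), rcx and r11 (used by SYSCALL) may change. */
enum { NREGS = 8 };
static const char *const reg_name[NREGS] =
    { "rdi", "rsi", "rdx", "r10", "r8", "r9", "rbx", "r12" };

/* Constructed sentinel values, one distinct pattern per register. */
#define SENTINEL(i) (0x5A5A000000000000ULL + (uint64_t)(i))

/* Bit i is set when register i differs between the two snapshots. */
unsigned diff_mask(const uint64_t *before, const uint64_t *after)
{
    unsigned mask = 0;
    for (int i = 0; i < NREGS; i++)
        if (before[i] != after[i])
            mask |= 1u << i;
    return mask;
}

/* Load sentinels, issue getpid (it takes no arguments, so the values in
 * the argument registers are ignored), then report what changed.
 * On other platforms no system call is issued and the mask is 0. */
unsigned syscall_clobber_mask(void)
{
    uint64_t before[NREGS], after[NREGS];
    for (int i = 0; i < NREGS; i++)
        before[i] = after[i] = SENTINEL(i);
#if defined(__linux__) && defined(__x86_64__)
    uint64_t nr = SYS_getpid;
    uint64_t rdi = SENTINEL(0), rsi = SENTINEL(1), rdx = SENTINEL(2);
    uint64_t rbx = SENTINEL(6);
    register uint64_t r10 __asm__("r10") = SENTINEL(3);
    register uint64_t r8  __asm__("r8")  = SENTINEL(4);
    register uint64_t r9  __asm__("r9")  = SENTINEL(5);
    register uint64_t r12 __asm__("r12") = SENTINEL(7);
    __asm__ volatile("syscall"
        : "+a"(nr), "+D"(rdi), "+S"(rsi), "+d"(rdx), "+b"(rbx),
          "+r"(r10), "+r"(r8), "+r"(r9), "+r"(r12)
        :
        : "rcx", "r11", "cc", "memory");
    after[0] = rdi; after[1] = rsi; after[2] = rdx; after[3] = r10;
    after[4] = r8;  after[5] = r9;  after[6] = rbx; after[7] = r12;
#endif
    return diff_mask(before, after);
}

int main(void)
{
    unsigned mask = syscall_clobber_mask();
    for (int i = 0; i < NREGS; i++)
        if (mask & (1u << i))
            printf("%s changed across the system call\n", reg_name[i]);
    puts(mask ? "register state NOT preserved" : "register state preserved");
    return mask != 0;
}
```

A non-zero exit status means the kernel changed a register outside the documented return and clobber set, which is the kind of regression a kernel ABI test would flag.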

  • Linux: So secure we have to patch it to make viruses run.
  • So let me get this right, Windows viruses exploit bugs in windows to work and windows has to patch the bugs to stop the virus.

    In Linux the virus uses proper programming methodology to work, exposes a bug in the 2.6.16 kernel and will not run on 2.6.16, which Linus fixes. So now the virus works across the board.

    This seems to boil down to.

    Windows == Oh my god a virus, quick fix the bug and stop the virus.

    Linux == Hmmm, it works everywhere except on the 2.6.16 kernel. Let's fix the kernel and make it work on all
  • Newsforge is reporting that Linus Torvalds took a few minutes to review the cross-platform proof of concept virus covered yesterday and has proven...

    HA! I know Slashdot is cultishly pro-linux, but the bias above is hilarious! I keep hearing Mr. Subliminal saying "Linus Torvalds (God) took a few minutes (every person in Seattle has been working at this individually and collectively this for weeks...) to prove (Bill Gates is just making stuff up, but anything Linus spends a few minutes perusing is proven.
