Virus researchers at Kaspersky Lab have found proof-of-concept code for a cross-platform virus capable of infecting both Windows and Linux systems. In an alert posted to Viruslist, Kaspersky said the sample virus has been given a dual name – Virus.Linux.Bi.a / Virus.Win32.Bi.a – and highlighted the way attackers are targeting multiple platforms in malware attacks. “The virus doesn’t have any practical application,” the company said in the alert. “It’s classic proof-of-concept code, written to show that it is possible to create a cross-platform virus.”
If it uses a Kernel32.dll function and it is coded in assembly, which must be Windows assembly like MASM, then how can this infect Linux systems as well as Windows? It seems there’s not much information in this article. Or did I miss something? Is that a similar thing to the one that infected a Linux file system from Windows, which was falsely reported as a Linux virus quite a long time ago? I should check out the Viruslist site to find out what it is all about.
http://www.viruslist.com/en/weblog?weblogid=183651915
Explains it all.
You should, I think, read the article first before commenting like that.
“The virus uses the Kernel32.dll function to infect systems running Win32. ”
Like already stated, read first.
If it uses a Kernel32.dll function and it is coded in assembly, which must be Windows assembly like MASM, then how can this infect Linux systems as well as Windows?
Wine? I don’t know anyone running it, but a lot of people do.
And the original page only describes Windows infection; Linux information is missing.
From the first link in the article:
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file.
Again, http://www.viruslist.com/en/weblog?weblogid=183651915 <– details.
The implications of a virus on Linux systems are MUCH smaller than those on Win32…
Just reinstall/restore whatever application(s) a user has installed, since the rest of the system should still be running as happily as ever…
Of course, this doesn’t mean there isn’t any danger on Linux (security should always be a real concern), it just means it’s too damn hard to affect an entire system if the usual precautions are taken.
It’s a proof of concept. It would be trivial to modify this so that it corrupts, deletes, or transmits private user data; or, more likely, act as a spam relay or zombie DoS launcher. Likewise, one could well make use of one of the plentiful privilege escalations available to hose the entire system.
It’s a proof of concept. It would be trivial to modify this so that it corrupts, deletes, or transmits private user data; or, more likely, act as a spam relay or zombie DoS launcher. Likewise, one could well make use of one of the plentiful privilege escalations available to hose the entire system.
So?!?
The point is, a Linux virus can’t easily propagate to the rest of the system, period!
Worst case scenario – SOME files from ONE user would be damaged.
The Unix filesystem is not Windows, so for me this proof of concept is as good as… close to nothing.
– any user can download untrusted software with malicious code.
– it will eventually start happening in Linux.
– will it make a BIG difference? Nope…
Edited 2006-04-11 01:15
SO WHAT?
The system is the data that can most easily be replaced on desktop machines. Just fricking reinstall. Amen.
On a normal desktop machine the USER’s data is what’s valuable there. Got tons of research papers on your machine? Very valuable construction plans or some other important USER DATA? If that data’s gone (and you know how much making backups is not a habit with many desktop users) it means big problemo.
So your babbling that a virus can only delete the data of one user so it’s not an issue on Linux is completely beside the point. It’s exactly this one user’s data that counts. Nobody gives a flying f–k about your system files and apps. These can be restored by reinstalling. Big deal.
Full ack. The system itself may be more important on a server etc., where e.g. databases usually are somewhere in /var and not in home dirs. On my desktop system, what I NEED is my user data; if my system gets corrupted, I pop the Ubuntu CD in again and reinstall, that’s a matter of 30 minutes. But I DO backups 🙂
“But I DO backups :-)”
Yes, but if a “virus happens” that corrupts your data you should assume that the virus will not tell you:
“hey, those are the good files and those others the corrupted ones, please restore them from backups”
That would definitely be a nice thing, but reality is somewhat different; you should take into account subtle, malicious modifications that may go undiscovered for several working days and several backups, making you take wrong decisions based on wrong data, publish crippled results and so on, eventually forcing you to restore a quite old father or grandfather backup (if you do them and not simply a flat backup strategy) with a high workload to bring the data up to date.
Even if you rely on an advanced backup system helping you find those little nasty modified files, it can be made very difficult to understand which are the legitimate modifications made to user files and which were made by the virus running with the same privileges; moreover any modification can be covered by finding a collision in the hashing or, more easily and trivially, in the checksum strategy of the backup.
you should take into account subtle, malicious modifications that may go undiscovered for several working days and several backups, making you take wrong decisions based on wrong data, publish crippled results and so on, eventually forcing you to restore a quite old father or grandfather backup (if you do them and not simply a flat backup strategy) with a high workload to bring the data up to date
BS. This can’t be a general virus. You’re saying the virus can analyse what kind of file it is editing, and knows how to modify some file types, to generate valid but modified files. The virus will need to know what the file is about for this to work.
This makes no sense from a virus writer’s POV: it’s lots of hard work (nobody can program something like that yet) for really little annoyance.
Even if you rely on an advanced backup system helping you find those little nasty modified files, it can be made very difficult to understand which are the legitimate modifications made to user files and which were made by the virus running with the same privileges; moreover any modification can be covered by finding a collision in the hashing or, more easily and trivially, in the checksum strategy of the backup
It’s even worse here : you’re saying the virus can universally make modifications to files, in context, without most people noticing it for days.
That means the virus is more intelligent than millions of people.
I can tell you the AI in this virus will be such a revolution, the writer would rather work in the AI field; it will be much more rewarding, and will make him instantly rich.
All of this is BS anyway, as you still don’t know how the virus will run in Linux, and a hard disk failure or a user error (‘rm -f *’ equivalent) is far, far more likely than your science-fiction virus.
“This can’t be a general virus. You’re saying the virus can analyse what kind of file it is editing, and knows how to modify some file types, to generate valid but modified files.”
I can imagine two easy ways to accomplish it:
– simpler: the virus opens a way for a human to do it and covers the tracks of the work done by the human attacker… a problem: the user may not have the right to access the net… however, firstly, in this case it’s very improbable that he got infected; if he got the virus, he probably got it via the net, and voilà, the virus opens connections as the user would do legitimately;
– quite simple: read and change numbers (to adjacent ones, plausible but definitely wrong values) in spreadsheets or databases, insert embarrassing comments in text files and e-mail (like “note for the boss (remove this in the final version of the document): if the client signs this contract he should be totally a ***”).
It’s only very basic programming for text and only a little more complicated for other common file formats… and to alter specific formats (that would be worthless to try to automate) there is the first option.
“It’s even worse here : you’re saying the virus can universally make modifications to files, in context, without most people noticing it for days.”
It’s totally unrealistic! Users tend to have thousands of work files and to work, say in a given month, on a very small subset of those files. In 15 years in IT, I was asked more often to recover something lost some time ago than something the user was aware of having found broken with recent activity.
Who is the user that reads carefully (and counts carefully each number in his databases and spreadsheets) ALL of his files every day?
Who is the user that stays at work until the backup starts (in the dead of night) to be sure that something will not alter his files when he has gone home and left the workstation doing long, boring math calculations all night, then restoring an apparently normal situation and finally after some days messing up everything (done with trivial timers)?
Assume that a virus alters the content of an archive or an encrypted file the user uses only seldom (say, updated once a week), data that has no meaning for a human; how can he be aware of the modification before he eventually needs that specific file?
Assume that a virus alters the content of an email, inserting an insulting sentence before it is sent; what could the user do? Maybe he/she will never go into the “sent” folder to see what actually was sent!
Assume that a virus inserts “no” into some of your text files or documents or in email text randomly, changing timestamps so you are not aware of the editing. Would you notice two chars in a 20-page document you have already read 10 times? Anyone would probably give a (bored, tired, superficial) look at it without even reading it carefully (not to mention reading carefully every day every single document!) and without noticing a word that may radically change the meaning of the document.
There are plenty of (simple) ways for things to go worse than with a ‘rm -f *’!
Edited 2006-04-11 13:06
– simpler: the virus opens a way for a human to do it and covers the tracks of the work done by the human attacker
But what you describe is not a virus, it’s a trojan or a rootkit. A virus just has 3 main things to do : propagate itself, hide itself, and replicate itself.
Then, it can make other actions, but as long as it can’t do the 3 things above, it’s not a virus. A program that gives access to a human means the human is doing the work, not the virus itself anyway.
quite simple: read and change numbers (to adjacent ones, plausible but definitely wrong values) in spreadsheets or databases, insert embarrassing comments in text files and e-mail.
It’s only very basic programming for text and only a little more complicated for other common file formats…
But yet, the number or text change has to be done in context for it not to be noticed.
It’s totally unrealistic! Users tend to have thousands of work files and to work, say in a given month, on a very small subset of those files
But the person I was replying to specifically talked about files modified regularly.
In 15 years in IT, I was asked more often to recover something lost some time ago than something the user was aware of having found broken with recent activity
And archiving is the solution to this. Old important files that aren’t touched are archived. Otherwise, a disk failure is a way more probable disaster waiting to happen.
Assume that a virus alters the content of an archive or an encrypted file the user uses only seldom (say, updated once a week), data that has no meaning for a human; how can he be aware of the modification before he eventually needs that specific file?
He can’t. However, unless the virus has the godly AI I talked about, the virus can’t know which file to modify to achieve this either.
Assume that a virus alters the content of an email, inserting an insulting sentence before it is sent; what could the user do? Maybe he/she will never go into the “sent” folder to see what actually was sent!
…
Well, OK. I have no need to debunk all the things a virus can do. I have only one thing to ask :
If what you say is true and people or businesses care so much about their personal data, why do they still run Windows ?
Because among the hundreds of thousands of viruses on Windows, there is a high possibility that such viruses hide themselves in there.
As for this supposed Linux virus, it tries only to infect executables, so we’re safe as for this kind of threat.
There are plenty of (simple) ways for things to go worse than with a ‘rm -f *’!
Of course, but on Linux, ‘rm -f *’ is more a threat than the virus we talk about here.
” A virus just has 3 main things to do : propagate itself, hide itself, and replicate itself.
Then, it can make other actions, but as long as it can’t do the 3 things above, it’s not a virus.”
It does, so it’s a virus. Plus, it has the payload I described only about damaging some complex, custom file type.
What’s the problem? That makes it a mixed threat; it doesn’t make it a “non-virus”.
“But the person I was replying to specifically talked about files modified regularly.”
That makes more sense, I was talking of *all* the user’s files; however, as typos may pass undetected by human eyes and formally correct words that make no sense pass undetected by automatic spell checking, we should not expect that a single superficial look can tell us if a file is valid or forged. When numerical data is involved, humans are even less efficient at quickly spotting an error. When collaboration is taken into account the situation is even worse; finding who wrote what and why may be very difficult without appropriate cryptographically strong authentication and validation groupware.
Forget the OS war for a second: why should minds like Schneier, Wagner and so on spend so much time on authentication algorithms if automatic spell checking or humans were so efficient at finding forgery?
In a scenario involving a malicious modification, automated or not, even non-authenticated MACs, not to speak of even weaker checksums and CRCs, are not trusted!
“Old important files that aren’t touched are archived.”
That does not solve the problem of files needing to be accessed seldom, like something you do on a regular monthly (or every few months) schedule, which is very likely for many kinds of users.
“He can’t. However, unless the virus has the godly AI I talked about, the virus can’t know which file to modify to achieve this either.”
No great AI involved; simple programming techniques can tell what files are old, but not so old as to be obsolete (very trivial pseudocode: read timestamp, if now-timestamp<x and >y do payload). The rest is even more basic programming skill for most file types, and for the others we should not exclude a mixed threat payload as in the first paragraph, adding to the fully functional virus even Trojan horse capabilities. Adding those capabilities will not make it a “non-virus” but will make it a mixed threat.
“Of course, but on Linux, ‘rm -f *’ is more a threat than the virus we talk about here.”
I thought it was clear, I’m not comparing Linux and Windows!
I’m talking about what can be done having user rights. With user rights plenty of things can be done that are much nastier than an easy-to-detect ‘rm -f *’, even on a system with perfect (and perfectly set) user rights policies.
Unavoidable user rights allow propagating and replicating objects, while the lack of specific cryptographic authentication tools allows quite trivial ways of hiding objects: that’s a virus.
If instead of scripting ‘rm -f *’ you script or program some of the annoying things discussed before and trick the user into triggering it (like many Win32 viruses do, and they are not for this reason considered non-viruses) or, like in this proof of concept, try to trick the machine.
And even if the user is a guru, the operating system is perfect and the machine doesn’t accept tricks, there are always application-level bugs that may be used (that is the most common security issue left in pro environments, see Berkeley…); malware and malware fighting is more a matter of not lacking imagination!
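The checksum point raised twice in this thread (earlier: a modification "can be covered finding a collision in the hashing or, more easy and trivial, the checksum strategy of the backup"; above: even weaker checksums and CRCs are not to be trusted against a malicious modification) can be shown concretely. The following is an added example, not code from the thread, from Kaspersky's analysis, or from the virus itself. It forces a CRC-32 (the checksum zlib, ZIP, gzip and PNG use) to any chosen value by appending four computed bytes, so a "backup integrity check" that compares CRCs accepts a tampered file, and then shows that an HMAC-SHA256 over the same file, keyed with a secret the attacker does not have, rejects it. The invoice line and the key are constructed sample data.

```python
import hashlib
import hmac
import zlib

# CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320): the table behind zlib.crc32.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32(data: bytes) -> int:
    """Plain CRC-32 as an unsigned 32-bit value (what an archive or backup index stores)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def _undo_zero_byte(reg: int) -> int:
    """Invert one CRC step for a zero input byte: reg = TABLE[s & 0xFF] ^ (s >> 8).
    The high byte of reg comes only from the table entry, and the 256 table entries
    have 256 distinct high bytes, so the step is uniquely reversible."""
    idx = next(i for i, t in enumerate(_TABLE) if t >> 24 == reg >> 24)
    return (((reg ^ _TABLE[idx]) << 8) | idx) & 0xFFFFFFFF


def crc32_force(data: bytes, target: int) -> bytes:
    """Return data plus 4 bytes so that crc32(result) == target.

    CRC is linear: feeding 4 bytes X from register s leaves the same register as
    feeding 4 zero bytes from s ^ X (X read little-endian). So run the zero-byte
    step backwards from the register we want and XOR with the register we have."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF      # register after data (undo the final XOR)
    want = target ^ 0xFFFFFFFF                 # register that yields target after the final XOR
    for _ in range(4):
        want = _undo_zero_byte(want)
    tail = (state ^ want).to_bytes(4, "little")
    return data + tail


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity tag: without the key an attacker cannot produce a matching one."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Constructed scenario: a backup index records a CRC-32 and, separately, an HMAC
    for a file; the attacker edits a figure and pads the file to keep the CRC."""
    key = b"backup-server-secret (constructed, never stored on the client)"
    original = b"invoice 4711: amount=100.00 EUR\n"
    stored_crc = crc32(original)
    stored_tag = hmac_tag(key, original)

    tampered = crc32_force(b"invoice 4711: amount=900.00 EUR\n", stored_crc)
    return {
        "crc_matches": crc32(tampered) == stored_crc,     # True: the CRC check is fooled
        "hmac_matches": hmac_ok(key, tampered, stored_tag),  # False: the MAC catches it
        "tail_len": len(tampered) - len(original),           # 4 appended bytes
    }


if __name__ == "__main__":
    print(demo())
```

The four appended bytes are the whole trick: any format that ignores trailing data, or a text file whose last line nobody looks at, gives the attacker room for them. A CRC or an unkeyed hash stored next to the file only detects accidental corruption; detecting deliberate tampering needs a key the attacker cannot read from the same machine.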
Have you seen most users’ data? It is the most worthless material ever.
They can lose it, and the biggest annoyance is the fact their music is gone.
The user’s data can and should easily be backed up. Losing the system is a pain in the ass to the person doing the fixing (cause it ain’t the user).
Hey, and from our perspective, we don’t care about the user’s data, but rather the system files; the user data can be retrieved from that CD-ROM backup they should have been doing every once in a while (or Zip disk etc.)
“Oh, you mean you haven’t been backing anything up? Well, I’m sorry. Here is a bill for fixing your computer, I’ll show you how to back up… oh, you mean you know how to back up, you just chose not to. Well, tough luck, pay me.”
You seem to overestimate the average user’s personal data: music, some email, an address book. That sums up the average user. Some tax stuff (which forces backups).
On a normal desktop machine the USER’s data is what’s valuable there. Got tons of research papers on your machine? Very valuable construction plans or some other important USER DATA? If that data’s gone (and you know how much making backups is not a habit with many desktop users) it means big problemo.
Worst Argument Ever. I hear it and see it all the time but it makes absolutely no sense. If you don’t do backups then you WILL lose your data, even without viruses. Your hard drive will fail. It happens all the time. If it doesn’t fail, how are you going to get your information onto your new computer when you buy one?
Ever tried writing socket asm? I wouldn’t call it trivial.
I don’t yet understand how this can propagate on both.
“It would be trivial to modify this so that it corrupts, deletes, or transmits private user data; or, more likely, act as a spam relay or zombie DoS launcher.”
Finding and exploiting an ingress vector is not trivial though.
“The implications of a virus on Linux systems are MUCH smaller than those on Win32…
Just reinstall/restore whatever application(s) a user has installed, since the rest of the system should still be running as happily as ever…”
Er, your assumption is true on any system (even Win32), if policies are correctly set and the virus doesn’t exploit a secondary system hole to escalate privileges (in those cases, on any system, the OS will be totally doomed, stopping the work of all users and not of only one).
However, while programs and configurations for a user or a whole system may be easily restored, it is the work of the user(s) that cannot be rebuilt from nothing!
The real danger is the corruption of the users’ work that may go undiscovered and pass on to the backups, progressively overwriting correct copies (or even the backup system, if poorly designed, may be compromised as well!) and imposing on the users a progressively higher workload to restore the corrupted work.
Moreover, even if the corruption is detected and automatically restored to a fairly up-to-date version (with a small workload for the user to update and validate the work), there is the risk, in the meantime, of making decisions on or publishing corrupted data with unpredictable drawbacks!
The real danger is the corruption of the users’ work that may go undiscovered and pass on to the backups, progressively overwriting correct copies (or even the backup system, if poorly designed, may be compromised as well!) and imposing on the users a progressively higher workload to restore the corrupted work.
Moreover, even if the corruption is detected and automatically restored to a fairly up-to-date version (with a small workload for the user to update and validate the work), there is the risk, in the meantime, of making decisions on or publishing corrupted data with unpredictable drawbacks!
I agree with this. I’m not saying a possible virus is harmless on Linux – it isn’t.
What I’m trying to say is that without the means for a virus to propagate to the rest of the Linux system, which is NOWHERE as easy as it is in Windows (though not impossible), the real threat of viruses in Linux is mitigated somewhat.
Of course user files are important, but here are two points I’m trying to make:
– normally, users install software in Linux as root, and the software is “owned” by the system, not a single user. So, assuming security is a concern, it should be EXTREMELY difficult for a virus to propagate to the system
– whether we like it or not, malicious code exists, so our precious user files are only as secure as our habits. This has nothing to do with viruses.
IMHO these points are what make me think that the “virus” threat on Linux systems is nowhere near the importance of the one on Win32.
Is there a risk? YES. But I still think it’s not a big deal.
Why is it Windows users always hope and pray that articles about Linux viruses are “the one”?
I am a Linux user, and I hate the fact that Windows gets hit so hard with malware, but I do not gloat about it.
Windows users on here seem ready to shout “Told you so, Linux is just as insecure” all the time, but get their hopes dashed when it is proved the malware is nowhere near as damaging on Linux as it is on Windows…
Ah well… maybe the next one!
… Who is gloating? I see no one gloating.
Hey dude it’s the same with Mac OS X. Just hear the uproar every time there’s some really far fetched proof of concept virus on the Mac. You can really hear the Windows guys shouting “see? OS X is just as bad as Windows, you’ve got viruses too!!!! Neener neener neener!”.
So what? Even if it were THE ONE. This would make the count look something like 1 : 245876876245876 I’d still take Linux or OS X over Windows.
Anti-virus companies are just waiting to rake in the cash on this one. Proof of concept viruses for Linux have been around for a long time, but there are few to none in the wild because they just don’t last.
By the way, anyone who claims that the install base of Linux has to do with its existing security is desperately grasping at straws; the linuxcounter.org site estimates that the current number of Linux users is between two million and sixty-nine million people; my own estimate would be more along the lines of 50 million. Linux is hard to infect with viruses, it’s got a solid security model and security holes get patched within 36 hours.
BTW. Just to be fair, it’s true that Windows systems can be secured fairly well with a negligible investment of time and effort, and it doesn’t require more knowhow than can be expected from users.
In my experience, the virii out there today (or at least a year or so ago) were really pretty sloppy stuff. I can’t imagine many virus writers even have the skills or know-how to create anything in assembly, let alone a cross-platform one that is self-propagating (either by stupid people who open attachments, or stupid people who don’t employ a firewall of some kind) enough to make it worth their while.
This is a proof of concept only; I sincerely doubt any UNIX/Linux users are going to open binary attachments in their mail labeled “hawt celebretty pix”. Even if people were stupid enough to open this stuff and drop their root passwd for it, I don’t think anyone’s going to write a virus in assembly unless they’ve got a really good reason to.
There isn’t enough consistency between distributions to allow easy cross-distribution installation of desired software. (ie you need a distribution-specific source)
Windows on the other hand is backwards compatible back to dirt so it’s trivial to write a virus that infects multiple versions of the OS.
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file.
Sure, its always been possible to write a Linux virus. The problem (for virus writers) is that when you download a file with Linux, it’s not executable. Thanks to umask, file permissions will be set to either chmod 644 or 600 (that is, umask 022 or 077). In order for the malware to execute, the user would first have to make it executable using the chmod command. That would be a dumb thing to do.
After years of trying, no one has yet been able to create a practical Linux virus. Rootkits, yes, viruses, no. Or have I missed something?
In addition, virus writers will have to deal with active security systems like SELinux found on Fedora Core/RHEL and AppArmor on Novell SLES, making their life harder. Starting from FC5, packages now have SELinux policies included.
After years of trying, no one has yet been able to create a practical Linux virus. Rootkits, yes, viruses, no. Or have I missed something?
It’s impossible to write a practical Linux virus, as the market share is so small it would never spread. A cross-platform virus has more potential, but the added pay-off in exchange for a massive jump in complexity and thus bugginess and detectability wouldn’t be worth it.
However, to infect Linux files, it’s simply a matter of infecting Windows, loading the appropriate filesystem driver (an ext2 driver for Windows is available, ext3/reiser not, and FAT could be used for shared files), infecting the right files, and setting permissions right. Trivial is otherwise of course.
PS: hardly anyone writes viruses these days. Any self-replicating code these days is simply a worm. To infect Linux systems undetectably, code-inserting will be necessary however.
One of the reason why viruses are so popular on Windows is because many users run Windows as Administrators instead of limited users. Every application launched by those users, including the viruses, run with Administrator privilege and can do anything.
On the contrary, most Linux users traditionally run their systems with a limited user account, and only perform administrative work with the root account through su or using sudo.
So what happens when the virus is run as a limited user? I think it can create some damage to the users home directory. But can it infect the system so badly as on Windows?
I think it is time to see how useful limited user accounts are on Linux platforms.
I think it is time to see how useful limited user accounts are on Linux platforms.
Yes, instead of infecting system files which can be replaced in 5 minutes, viruses can only affect user-data. Great! /sarcasm
About virii that aren’t on OSX…
About virii that aren’t on OSX…
Good thing too. What with having to worry about executable shell scripts disguising themselves as image files on a web page and executing automatically, those poor users have enough to worry about.
What have you been smoking?
They don’t really say what they mean by “cross-platform”. Is it the same source that builds on both Windows and Linux (likely and not that difficult) or is it the same executable that runs on both platforms (unlikely and very difficult, if not impossible)? Or do they mean something else entirely?
The text sounds very much like it is the same *executable* that runs on both systems. Note how it explains the two different syscall methods – executables on a single processor type (x86) but with different OSes usually differ in two things: loading format and syscall method. The virus *infects* other programs (it’s not a program by itself), thus it has no loading format by itself, but it knows about the loading format of the programs it infects (PE / ELF).
The syscall method is a more complicated thing: This virus (as it sounds) detects the file type of the executable to infect, and chooses its syscall method by that, reasonably assuming that if it finds a PE file, it is running under Windows and can use the Windows syscall method, ID number, and argument format. Likewise for ELF -> Linux. This means that the virus will fail if there is a mismatch, for example a PE file under linux which the user intended to run in Wine. In that case, the virus would try to issue a Windows-like syscall under Linux, which would just cause a violation exception of some type (depends on the actual syscall methods which I don’t know) and kill the already-infected process without touching the PE file at all. Same if an ELF file is found on an infected Windows system.
EDIT: The article could also mean (I’m not sure) that the virus sets a switch when infecting a file, based on the file type. In that case, the running virus could choose the syscall method based on the type of the already-infected file, instead of the file-to-infect, and thus the correct syscall method is always used.
Edited 2006-04-11 12:43
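Two things in this thread lend themselves to a small, concrete check: the Kaspersky description quoted earlier (the Linux half of the virus "injects its body into the file immediately after the ELF file header and before the .text section" and "changes the entry point of the original file"), and the comment above that the virus must first tell a PE from an ELF before it can pick the Win32 or the INT 80 code path. The following is an added example, not code from the thread, from Kaspersky's analysis, or from the virus itself. It identifies the container by its magic bytes, parses the ELF64 little-endian header and section table directly with `struct`, and reports whether the entry point still lies inside `.text`. Since no real sample is on the page, it builds a constructed minimal ELF to run against, once clean and once with the entry point redirected to a stub placed between the header and `.text`. The page does not say what else the virus rewrites in the headers, so treat the entry-point test as a heuristic, not a signature.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"


def classify(blob: bytes) -> str:
    """Identify the container by its magic bytes (the same decision the virus has
    to make before choosing the Win32 or the Linux/INT 80 code path)."""
    if blob.startswith(ELF_MAGIC):
        return "ELF"
    if blob.startswith(PE_MAGIC):
        return "PE"
    return "unknown"


def elf_sections(blob: bytes):
    """Parse an ELF64 little-endian header and section table.
    Returns (e_entry, [(name, sh_addr, sh_offset, sh_size), ...])."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_entry, _phoff, e_shoff, _flags, _ehsize, _phentsize, _phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from("<QQQIHHHHHH", blob, 24)
    raw = []
    for i in range(e_shnum):
        sh_name, _type, _shflags, sh_addr, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", blob, e_shoff + i * e_shentsize)
        raw.append((sh_name, sh_addr, sh_offset, sh_size))
    strtab = raw[e_shstrndx][2]                      # file offset of .shstrtab
    sections = []
    for sh_name, sh_addr, sh_offset, sh_size in raw:
        end = blob.index(b"\0", strtab + sh_name)
        sections.append((blob[strtab + sh_name:end].decode(), sh_addr, sh_offset, sh_size))
    return e_entry, sections


def entry_check(blob: bytes) -> str:
    """Heuristic: a normal binary's entry point lies inside .text. An entry point
    that lands before .text is what an insertion between the header and .text,
    with the entry redirected to it, looks like."""
    e_entry, sections = elf_sections(blob)
    text = next((s for s in sections if s[0] == ".text"), None)
    if text is None:
        return "no .text section"
    _, addr, _, size = text
    if addr <= e_entry < addr + size:
        return "entry inside .text"
    if e_entry < addr:
        return "entry before .text"
    return "entry after .text"


def build_elf(entry_before_text: bool) -> bytes:
    """Constructed sample: minimal x86-64 ELF with a null, .text and .shstrtab section.
    Layout: [ehdr 64][stub 16][text][shstrtab][padding][3 section headers]."""
    base = 0x400000
    text = b"\xb8\x3c\x00\x00\x00\x31\xff\x0f\x05"   # mov eax,60; xor edi,edi; syscall
    stub = b"\x90" * 16                                 # stand-in for an inserted body
    shstr = b"\0.text\0.shstrtab\0"
    stub_off, text_off = 64, 64 + len(stub)
    shstr_off = text_off + len(text)
    shoff = (shstr_off + len(shstr) + 7) & ~7
    e_entry = base + (stub_off if entry_before_text else text_off)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 0x3E, 1, e_entry, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    body = ehdr + stub + text + shstr
    body += b"\0" * (shoff - len(body))

    def shdr(name, typ, flags, addr, off, size, align):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size, 0, 0, align, 0)

    body += b"\0" * 64                                                 # SHN_UNDEF entry
    body += shdr(1, 1, 0x6, base + text_off, text_off, len(text), 16)   # .text, AX
    body += shdr(7, 3, 0, 0, shstr_off, len(shstr), 1)                  # .shstrtab
    return body


if __name__ == "__main__":
    for infected in (False, True):
        sample = build_elf(infected)
        print(classify(sample), entry_check(sample))
```

On a real system the same check can be run over every ELF in a user's `$PATH` and `~`; a mismatch between `classify()` and the platform the file is executed on is also exactly the case the comment above describes (a PE under Wine, an ELF on Windows), where the wrong syscall convention would be chosen.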
“The text sounds very much like it is the same *executable* that runs on both systems.”
It would be even more interesting to know if/how they accomplished this because I can’t think of how. Linux does not execute PE binaries and Windows does not execute ELF ones.
There is basically no information on how it works in Linux.
Prove the following:
1. How does the virus come to a Linux based computer in the first place?
2. Once the virus is successfully copied onto a Linux computer, is it executable? If so, how? If the virus is not executable, how does it get executable before running?
3. Once the virus is executable, how does it get running to infect ELF files? Does it run as root or as the user who logs in? If it runs as root, how does it get root privileges? If it runs as the user, how does it inject its body into an ELF file in the /usr directory to which the user has no write privileges?
We do not need to know how the virus is programmed. Please, please, please, don’t hide, explain how your proof-of-concept virus crossed the above 3 hurdles.
For others, it’s wise to read this: http://www.tomahawkcomputers.com/virus.html.
That’s an awful site for the non-technical. They use the term “firewall” in the definition of a worm. Worms can spread when firewalls run, especially if the worm is dependent on a flaw in the firewall.
Maybe it improves on down, but the start was awful so I quit reading.
But I agree that the link doesn’t explain how this virus works on Linux machines other than that Linux machines use ELF binaries.
It’s obvious that the target of all viruses is the most used OS, Windows…
Linux is free and has a minority of users, so it’s a waste of time doing it…
Always the same objection: in the server market windows has the minority of users, but is nonetheless the most attacked OS.
And the server market is a much more interesting target, bear in mind.
Always the same objection: in the server market windows has the minority of users, but is nonetheless the most attacked OS.
You must not be paying attention to OSNews 🙂
http://osnews.com/comment.php?news_id=14296
“With more than 80 million Web sites on the Internet, Microsoft now claims a 25.2 percent share, up 4.7 percent from March. Apache still leads by a wide margin, however it was down close to 6 percent to 62.7 percent. Sun remained a distant third, down slightly to 2.36 percent.”
The only majority I know of is in web servers, and that’s Apache.
Windows holds a strong share, just like many others, in server markets.
But yes, they’re not dominant. So, I’m not disagreeing with you, simply pointing out that they are not a minority.
You’re an independent writer whose fiction works get published in several magazines. You’re almost finished with this month’s articles when a virus strikes.
Which do you value more: your operating system integrity, or your documents?
As people use computers for more and more things, the value of personal information greatly outweighs the value of your operating system.
After all, a quick re-install will fix your operating system. Not necessarily bring it back to the pinnacle of stability, but you can still recover your documents, right?
What are you going to do when your /Articles directory gets fragged and you’ve got nothing to show your editors at the end of the month?
Let’s face it: most people are concerned with the safety of their documents, and /only/ their documents. Who do you know that makes a backup of their /operating system/?
System security isn’t enough anymore. We need document-level security. Being able to say, “OK, all your personal files are gone, but your computer still works” isn’t the greatest answer in the world.
It’ll be great when technology has progressed to the point of instant back-ups of your files to a remote server every time they’ve been altered. But, until then, losing hours of work to a virus (going back to your last backup) shouldn’t be considered an acceptable state of affairs, at all, ever.
We can do better than this.
If you have valuable data (as in “valuable for my work, in real money”) on your hd you should back it up regularly.
Over the network, if at all possible.
But not because of viruses: because hard disks *break*. And they do it relatively often. And motherboards fry. And PSUs burn, taking the MB and the HD with them.
If you have valuable data you should back it up. Otherwise well, whatever happens to it it’s your fault.
Um they should have been saving their files to a thumbdrive every once in a while….
People are only concerned with their documents as long as they don’t have to do anything; when they have to, god forbid, put a zipdisk or thumbdrive in and copy their stuff, that is too much work.
Better systems can be developed: automated read-only rsyncs to another location with a history of file sets. That isn’t even that difficult. But as an admin or a friend helping someone out, my concern is to get the computer running, not save your years of work (which obviously you didn’t value because you never bothered to take the 20 seconds to ask how to back it up).
What are you going to do when your /Articles directory gets fragged and you’ve got nothing to show your editors at the end of the month?
What if your hard drive failed? Same result no matter what operating system you are using. You should ALWAYS have backups.
Let’s face it: most people are concerned with the safety of their documents, and /only/ their documents. Who do you know that makes a backup of their /operating system/?
Now you mention backups. Like I said before, it is the only way to maintain availability of documents.
System security isn’t enough anymore. We need document-level security. Being able to say, “OK, all your personal files are gone, but your computer still works” isn’t the greatest answer in the world.
Oh trust me it is a big issue to people who have to repeatedly bring their systems to their local PC repair shop and pay technicians over and over again to reinstall their systems because they don’t know how.
I think his point about document level security is one that should be taken to heart though.
Not that we should be worried our documents are going to disappear: This is like protecting your precious white elephants from theft; no one wants them, trust me.
However what I mean is documents that are capable of holding a virus, i.e., documents that get executed. It’s a vicious thing to have documents which get executed, and I’d make sure to keep it in mind when you’re thinking about what document to use!
Your text files can’t hold viruses. So you know the backup is safe to bring back in.
Please Note, I’m not against documents which can script. However, bad implementations of scripting in documents is the biggest problem, and making a good implementation is very hard. It’s more of a “be wary”, not a “never use”.
Edited 2006-04-11 17:54
Man, I wish you guys would have read the tail end of my post. Now I feel kind of silly having to point this out to everyone.
“But, until then, losing hours of work to a virus (going back to your last backup) shouldn’t be considered an acceptable state of affairs, at all, ever.” — me.
See? I’ve acknowledged that people should back-up regularly. That’s not the point. The issue is nobody wants to lose work, /ever/. Not even an hour or a day’s worth.
“The virus is written in assembler and is relatively simple”
You do realize if you write something in assembler, it’s not OS specific, it’s hardware specific. So it doesn’t make the virus “cross-platform”, just specific for the hardware it was programmed for. So with OSX using Intel, this proof-of-concept can “infect” Win32, OSX and Linux on i386.
It’s not in fact important how virii are programmed; no OS can know for sure if the input it is getting is coming from a user on a bad day or from a program gone bad. What is important is how you can get the payload to your victim. And here is where the power of open source kicks in. Bugs, which are used as exploits to deliver the payload, will get fixed faster when the code is open.
It’s not proof-of-concept for Windows and Linux. It’s proof-of-concept for x86.
You do realize if you write something in assembler, it’s not OS specific, it’s hardware specific. So it doesn’t make the virus “cross-platform”, just specific for the hardware it was programmed for. So with OSX using Intel, this proof-of-concept can “infect” Win32, OSX and Linux on i386.
That only goes as far as pure instructions. You have to take into account difference in file-layout, and difference in API and system calls. Attempted direct manipulation of hardware, by my knowledge, is intercepted by Linux and Windows kernels.
Incorrect. I’m no shell code expert, but from what I know; you can’t even write shell script to work on Linux and BSD because both have different system call techniques (BSD’s is shorter btw ).
At the c level most of it is the same. At the asm level each OS has subtle, and sometimes major, differences.
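Picking up the point about file layout in the post above: the cheap thing a defender can check on an ELF binary is whether its entry point still lands inside the .text section, because a file infector that adds its own body to the file and redirects e_entry to it leaves the entry point outside that section. The script below is an added example (my own code, not from the Kaspersky post or from any commenter). It parses the ELF header and section header table directly; the minimal ELF64 image it builds is constructed test data with hypothetical addresses, and the check is a heuristic, not a signature.

```python
"""Check whether an ELF file's entry point lies inside its .text section.

Entry-point hijacking infectors insert a body into the file and redirect
e_entry to it; on a normally linked binary e_entry sits inside .text.
"""
import struct

ELF_MAGIC = b"\x7fELF"


def _formats(data):
    """Return (ehdr_fmt, shdr_fmt) struct formats for the file's class and byte order."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    if data[4] == 2:                                # EI_CLASS: ELFCLASS64
        return endian + "16sHHIQQQIHHHHHH", endian + "IIQQQQIIQQ"
    if data[4] == 1:                                # ELFCLASS32
        return endian + "16sHHIIIIIHHHHHH", endian + "IIIIIIIIII"
    raise ValueError("unknown ELF class")


def parse_sections(data):
    """Return (e_entry, {section_name: (sh_addr, sh_size)}) from the section header table."""
    ehdr_fmt, shdr_fmt = _formats(data)
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_entry, e_shoff = hdr[4], hdr[6]
    e_shentsize, e_shnum, e_shstrndx = hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # Field order is identical in both classes: name, type, flags, addr, offset, size, ...
    strtab_off, strtab_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[strtab_off:strtab_off + strtab_size]
    sections = {}
    for sh in shdrs:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()
        sections[name] = (sh[3], sh[5])
    return e_entry, sections


def entry_check(data):
    """Return (entry, containing_section_or_None, suspicious).

    suspicious is True when the entry point is not inside .text.
    """
    entry, sections = parse_sections(data)
    containing = None
    for name, (addr, size) in sections.items():
        if size and addr <= entry < addr + size:
            containing = name
            break
    return entry, containing, containing != ".text"


def build_elf64(entry):
    """Construct a minimal ELF64 image for testing (constructed data, not a real program).

    Layout: header (64 bytes) | .text (16 bytes @0x401000) | .shstrtab | section headers.
    """
    text = b"\x90" * 15 + b"\xc3"                    # nop sled + ret, hypothetical code
    shstrtab = b"\0.text\0.shstrtab\0"               # ".text" at 1, ".shstrtab" at 7
    text_off, text_addr = 64, 0x401000
    str_off = text_off + len(text)
    shoff = (str_off + len(shstrtab) + 7) & ~7       # 8-aligned section header table
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9       # 64-bit, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, entry, 0, shoff, 0,
                       64, 56, 0, 64, 3, 2)          # ET_EXEC, x86-64, 3 sections, strtab #2
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)            # SHN_UNDEF
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 1, 6, text_addr, text_off, len(text),
                         0, 0, 16, 0)                # .text: PROGBITS, ALLOC|EXEC
    shdrs += struct.pack("<IIQQQQIIQQ", 7, 3, 0, 0, str_off, len(shstrtab),
                         0, 0, 1, 0)                 # .shstrtab: STRTAB
    body = ehdr + text + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            entry, sec, bad = entry_check(fh.read())
        print(f"{path}: entry=0x{entry:x} section={sec} {'SUSPICIOUS' if bad else 'ok'}")
```

Run it as `python3 elfentry.py /usr/bin/*` to sweep a directory. It only works on files that still carry a section header table; a binary whose section headers have been stripped or rewritten needs a program-header-based check instead, and an infector that also patches the section headers to cover its body would not be caught by this heuristic alone.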
The neat part about FOSS is that some things are massively different depending on the build. When you distribute source with a variety of build options you’ll see a variety of deployed builds.
I doubt this does more than stop a quarter of attacks, but it should have some moderate effects. And I think it makes room for larger effects as well.
Building with different compilers, optimizations, different build options, different dependency versions, etc, etc, etc. One of FOSS’s biggest “problems” is, in my mind, one of its best allies.
There’s a lot of neat stuff going on on OpenBSD in the area of making stack and heap attacks harder just by making each run of a program different.
I think you misunderstand the nature of modern malware. Contemporary virus writers could care less about destroying your files. What they really want is to use your PC as a spam relay station, or as a bot for DDoS attacks. To achieve this they need root access.
The virus threat has evolved. Meanwhile, if you have valuable data on your PC and you don’t do backups, then you’re just asking for trouble, and not only because of potential malware threat: hard drives are known to fail, or your computer could get stolen, etc.
“To achieve this they need root access.”
Now they don’t. Any application can bind to a listening port and any application can initiate connections (not taking into account selinux, systrace and the like).
Any application can bind to a listening port and any application can initiate connections
But they have to run first. For now, the very first question, which is “how does the virus appear on your system ?”, is still unanswered.
Then it’s “how does it become executable ?”. You haven’t even answered that, and you’re already in the executing part.
So all you say is BS for now.
“For now, the very first question, which is “how does the virus appear on your system ?”, is still unanswered.”
Buffer overflows resulting in remote exploitation, social engineering to name a few.
“Then it’s “how does it become executable ?”
The remote exploit could run chmod +x, sh <script>, ld <executable> or equivalent. Or you could trick the user into doing it.
“So all you say is BS for now.”
On the contrary, it’s quite possible but not really that feasible for an attacker. It is currently so much easier to just find some unpatched Windows box and have it do your dirty deeds.
You are describing the normal path of a remote attack to a *remote* vulnerability.
What does this have in common with viruses?
Remote vulns have existed forever, and (btw) are very few in number in *nix os’s. I hope you do not count badly written PHP scripts as OS vulnerabilities.
Besides, with SELinux or AppArmor even PHP scripts will do much much less damage.
So the virus they talk about can not propagate itself ?
Therefore it’s not a threat at all.
So you just made my point easier : this supposed virus is not even a virus, you need another worm to make it work, which is just stupid. The worm would be the threat, not this thing. And then again, the average user would have to run a server providing external services, which is even less likely.
And as for the user, making the /home not running executables is enough to destroy even social engineering like you described. And no, ‘ld <executable>’ does not work since several releases of glibc.
Now they don’t. Any application can bind to a listening port and any application can initiate connections (not taking into account selinux, systrace and the like).
But they can’t set themselves up to run as a service (i.e. remain on after a reboot), nor can they open up ports in the firewall…
“But they can’t set themselves up to run as a service (i.e. remain on after a reboot)”
True but they could just add themselves to your .profile (or .bashrc or KDE autostart or whatever) and run with nohup the first time you log in.
“nor can they open up ports in the firewall…”
True but they could still make outbound connections.
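The persistence route described in the post above (an unprivileged process appending itself to .profile or .bashrc and relaunching under nohup at login) is something a user or admin can audit with a short script. The following is an added example of such a check, my own code rather than anything from the thread; the sample .profile is constructed, and the patterns are heuristics for what a login script rarely needs to do, not a complete list.

```python
"""Audit shell startup files for entries that background a program at login.

A process running as an unprivileged user cannot register a system service,
but it can persist by appending a line to ~/.profile, ~/.bashrc and similar
files so that it is relaunched (typically via nohup or '&') at each login.
"""
import re

# Constructs that background or detach a command (heuristic, constructed here)
DETACH_RE = re.compile(r"\b(nohup|setsid|disown)\b|&\s*(#.*)?$")
# Executables launched from temp or hidden directories (heuristic, constructed here)
ODD_PATH_RE = re.compile(r"(^|\s)(/tmp/|/dev/shm/|/var/tmp/|~/\.[^/\s]+/|\$HOME/\.[^/\s]+/)")


def audit_startup_script(text):
    """Return [(lineno, reason, line)] for lines worth a human's attention."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are inert
            continue
        reasons = []
        if DETACH_RE.search(line):
            reasons.append("backgrounds or detaches a command")
        if ODD_PATH_RE.search(line):
            reasons.append("runs something from a temp or hidden directory")
        if reasons:
            findings.append((lineno, "; ".join(reasons), line))
    return findings


# Constructed sample: two ordinary lines followed by two lines an infector might add
SAMPLE_PROFILE = """\
# ~/.profile (constructed sample)
[ -f ~/.bashrc ] && . ~/.bashrc
export PATH="$HOME/.local/bin:$PATH"
nohup ~/.cache/.sysd/updater >/dev/null 2>&1 &
/tmp/.x/relay --daemon
"""


if __name__ == "__main__":
    import os
    import sys
    paths = sys.argv[1:] or [os.path.expanduser(p)
                             for p in ("~/.profile", "~/.bashrc", "~/.bash_profile")]
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, reason, line in audit_startup_script(fh.read()):
                print(f"{path}:{lineno}: {reason}: {line}")
```

Desktop autostart directories (KDE, GNOME and so on) are a separate mechanism with their own file formats, which is exactly the fragmentation the next reply points to; this check only covers the shell startup files.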
True but they could just add themselves to your .profile (or .bashrc or KDE autostart or whatever) and run with nohup the first time you log in.
That’s not very alluring for a spam relay or botnet. Also, the fact that there’s no single way of doing it (i.e. what if it wants to add itself to KDE Autostart and I use gnome…) means that it’s less effective to do so.
True but they could still make outbound connections.
I don’t think that network routing can be run as a normal user. You may be able to establish outbound connections, but setting up a spambot or Internet relay (two of the malware writer’s most common goals these days) would be quite problematic.
It’s not that doing this is impossible on Linux, it’s just that it’s too difficult to bother. Like everything else in life, malware writers will follow the path of least resistance, and right now that path is through Windows. It’s not the popularity of the platform per se, but rather the fact that Windows is just an easier target.
However, you do bring up a valid point, i.e. that Linux firewalls don’t monitor outbound connections by default. I believe that Firestarter does include the ability to define outbound policies, but it’s not as user-friendly as, say, Zonealarm.
You’re an independent writer whose fiction works get published in several magazines. You’re almost finished with this month’s articles when a virus strikes.
See my response above. If you’re writing something important and you don’t do backups, you’re asking for trouble, but not because of viruses. Look up the current highly active viruses: few if any will try to delete user files.
Fortunately, you can’t make files executable under Linux simply through its file extension. That’s enough to stop the majority of malware attacks dead in their tracks.
Of a company in trouble, they see their future not so bright; Vista will have built-in virus protection, so they need a new market.
Since Microsoft took over RAV, virus companies started to worry about how Microsoft would invoke RAV in their system. What is next? (Anti)Virus companies writing their own viruses? nah!