Free Republic

Kaspersky warns of cross-platform (Linux/Windows) virus proof of concept
Computerworld | APRIL 07, 2006 | Jaikumar Vijayan

Posted on 04/07/2006 12:34:25 PM PDT by Senator Bedfellow

APRIL 07, 2006 (COMPUTERWORLD) - Kaspersky Labs is reporting a new proof-of-concept virus capable of infecting both Windows and Linux systems.

The cross-platform virus is relatively simple and appears to have a low impact, according to Kaspersky. Even so, it could be a sign that virus writers are beginning to research ways of writing new code capable of infecting multiple platforms, said Shane Coursen, senior technical consultant at Kaspersky.

In a note on its Web site, the SANS Internet Storm Center (ISC) in Bethesda, Md., said the new virus “is a sign the cross-platform aspects are becoming important. As the developers of viruses continue to research this, we will see more cross-platform malware come about in the future.”

The new virus, which Kaspersky calls Virus.Linux.Bi.a/Virus.Win32.Bi.a, is written in assembler and infects only those files in the current directory. “However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows,” Kaspersky said.

“It isn’t surprising that we are seeing a multiplatform virus,” given the growing popularity of Linux on enterprise desktops, Coursen said. “This is simply proof-of-concept code to show this kind of thing can be done.”

The new virus shows that malicious hackers may be exploring ways of getting new systems into bot networks, according to Johannes Ullrich, chief technology officer at the SANS ISC. But crafting such multi-platform malware is not particularly easy, he said.

“Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems,” Ullrich said. “You have to also code the virus in assembly to make it work without relying on any OS-specific function,” he said.

The relatively small number of systems running on non-Windows platforms also makes it less appealing for hackers to go to the trouble of crafting cross-platform viruses, he said.

Though rare, this is not the first instance of such a virus appearing in the wild. In 2001, the sadmind/ISS worm exploited a hole in Sun Microsystems Inc.’s Solaris to infect systems running vulnerable versions of the operating system. Infected systems then scanned for and attacked servers running Microsoft Corp.’s IIS Web server software. That same year, another proof-of-concept virus named Winux infected both Windows and Linux systems.

“Even today, Web sites sending exploits to their visitors tend to detect what browser/platform the visitor is using and send a matching exploit to install some malware,” SANS said in its note.

It’s important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven’t done so already, Ullrich said.

“For those thinking their ‘pet’ computer is invulnerable to the virus threat -- it’s not,” SANS said.


KEYWORDS: linux; virus; windows
Per Slashdot.
1 posted on 04/07/2006 12:34:29 PM PDT by Senator Bedfellow
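
Added example, not part of the article or of any post in this thread: because the virus described above modifies executables in both the Linux and Windows file formats (ELF and PE) within a single directory, a defender can baseline those files and flag any that later change. The sample files and all function names are constructed for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

def exe_format(data):
    """Return 'ELF', 'PE' or None based on the file header."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header field at offset 0x3C points to the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return None

def snapshot(directory):
    """Map file name -> (format, sha256) for each ELF/PE file in one directory."""
    result = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            data = path.read_bytes()
            fmt = exe_format(data)
            if fmt:
                result[path.name] = (fmt, hashlib.sha256(data).hexdigest())
    return result

def changed(baseline, current):
    """Executables that are new or whose hash differs from the baseline."""
    return sorted(n for n, v in current.items() if baseline.get(n) != v)

def demo():
    # Constructed sample files: minimal headers only, not real programs.
    elf = b"\x7fELF" + bytes(60)
    pe = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(20)
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "tool").write_bytes(elf)
        (Path(d) / "tool.exe").write_bytes(pe)
        (Path(d) / "notes.txt").write_bytes(b"plain text")
        before = snapshot(d)
        # Simulate an executable being altered on disk after the baseline.
        (Path(d) / "tool").write_bytes(elf + b"appended bytes")
        return before, changed(before, snapshot(d))

if __name__ == "__main__":
    print(demo())
```
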

To: Senator Bedfellow

Since it's written in assembler, shouldn't this virus be more properly called an "x86 virus" rather than a "Windows virus" or a "Linux virus"?


2 posted on 04/07/2006 12:41:42 PM PDT by Redcloak (WARNING: This post may irritate John McCain.)

To: Redcloak

I think the distinction is because it understands how to infect both sorts of executable files. Some other x86 operating system - e.g., OS X, BeOS, whatever - would presumably not be vulnerable.


3 posted on 04/07/2006 12:49:43 PM PDT by Senator Bedfellow

To: Senator Bedfellow

I still don't see this as a problem since it only affects executables in your home directory. It would be different if it somehow could run those executables in a chroot or sudo environment. Then I'd be worried.


4 posted on 04/07/2006 12:54:19 PM PDT by BigTex5

To: Redcloak

Exactly. This isn't going to work very well on a PowerPC or Sparc machine running Linux.


5 posted on 04/07/2006 1:02:10 PM PDT by B Knotts

To: Senator Bedfellow

Now that all platforms are essentially running on Intel chips, I would expect virus writers to move to machine code. I'm surprised they haven't already.


6 posted on 04/07/2006 1:05:51 PM PDT by js1138 (~()):~)>)

To: BigTex5

Gotta be honest with you, and say that I've never really understood that logic. Basically, what you're saying is that it's okay if your investment records, tax returns, bank records, the kids' baby pictures, your father's will, your nearly complete Great American Novel, and the report you've been working on for six months, the one your boss is expecting on Friday - it's okay if all that stuff gets wiped out, as long as the core OS is safe. Never mind that the OS would take you half an hour to reinstall in a pinch, whereas the stuff in your home directory may not be replaceable at all.


7 posted on 04/07/2006 1:08:06 PM PDT by Senator Bedfellow

To: Senator Bedfellow

As with any sensitive data you should have a good backup plan. I do it for Winders as well as for Linux. CDs and DVDs are dirt cheap and are excellent backup media.


8 posted on 04/07/2006 1:22:53 PM PDT by BigTex5

To: BigTex5

Well, yeah. I'm just saying that restricting and limiting the damage to the current user's home directory makes sense and is very valuable in a large, multi-user environment - you're toast, but at least everyone else is protected. OTOH, in a single-user environment, who cares if the OS is safe? Give me access to your home directory, and I'll wreck your whole day in such a way that still being able to boot up and log in won't do much to cheer you up ;)


9 posted on 04/07/2006 1:31:27 PM PDT by Senator Bedfellow

To: Senator Bedfellow

It also only affects executables, so anything you have in your home would be fine as long as it's not a binary executable.


10 posted on 04/07/2006 1:40:09 PM PDT by BigTex5

To: BigTex5

Presumably it's changing executables in order to propagate itself. Who knows what else it can be modified to do while executing?


11 posted on 04/07/2006 1:47:18 PM PDT by Senator Bedfellow

To: Senator Bedfellow
Give me access to your home directory, and I'll wreck your whole day in such a way that still being able to boot up and log in won't do much to cheer you up ;)

As a virus, knock yourself out....

/dev/mapper/Volgrp0-home /home xfs rw,noexec,nosuid 0 2

12 posted on 04/11/2006 3:35:27 AM PDT by Knitebane (Happily Microsoft free since 1999.)
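
Added example, not written by any poster in this thread: a check that the filesystem holding each user-writable path carries the `noexec` and `nosuid` options shown in the fstab line above. Only the `/home` entry comes from the post; the root and `/tmp` entries, the list of audited paths and the function names are constructed assumptions.

```python
# Line 2 is the fstab entry from the post; the other two lines are constructed.
SAMPLE_FSTAB = """\
/dev/mapper/Volgrp0-root / ext3 rw 0 1
/dev/mapper/Volgrp0-home /home xfs rw,noexec,nosuid 0 2
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

def parse_mounts(text):
    """Parse fstab or /proc/mounts style lines into {mount_point: set(options)}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mount point that contains path, i.e. the filesystem it lives on."""
    best = None
    for mp in mounts:
        if (path.rstrip("/") + "/").startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def audit(text, paths=("/home", "/tmp", "/var/tmp"), required=("noexec", "nosuid")):
    """For each path: (mount point, required options that are missing there)."""
    mounts = parse_mounts(text)
    report = {}
    for path in paths:
        mp = covering_mount(path, mounts)
        opts = mounts.get(mp, set())
        report[path] = (mp, [o for o in required if o not in opts])
    return report

if __name__ == "__main__":
    for path, (mp, missing) in audit(SAMPLE_FSTAB).items():
        print(path, "on", mp, "missing:", ",".join(missing) or "none")
```

`noexec` stops binaries stored on that filesystem from being executed directly; a script passed as an argument to an interpreter installed elsewhere is still read and run.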

To: Knitebane

That works because it can't traverse directories for the moment. Give it that ability, land it in /usr/bin, and watch it zero out your home directory. Obviously, that's easier said than done, but it'll get you there.


13 posted on 04/11/2006 11:17:17 AM PDT by Senator Bedfellow

To: Senator Bedfellow
That works because it can't traverse directories for the moment. Give it that ability, land it in /usr/bin, and watch it zero out your home directory. Obviously, that's easier said than done, but it'll get you there.

MUCH easier said than done. On a standard Linux system root owns all of the bin directories. The virus would have to escalate to root privileges just to write there.

I'd worry more about a meteorite crashing into my PC.

14 posted on 04/13/2006 3:21:32 PM PDT by Knitebane (Happily Microsoft free since 1999.)
