
Re: Linux Virus



On Wed, Mar 28, 2001 at 10:19:10PM -0500, Ben Collins wrote:
> Anyone can do that. I can write a C program and send it to you that
> emails me /etc/passwd and /etc/shadow. You still have to be dumb enough
> to execute it. That's not a virus, that's social trickery. Now, if it
> emails itself (and remember with Linux there are several dozen email
> programs, so finding the right address book format is pretty hard), then
> it is viral, sort of, since you still have to manually execute it.

Based on my reading of the relevant news stories, this thing looks like
a true virus in the old sense of the term: it infects other files and
uses them to spread itself.  Although I don't expect it to get very far,
this sort of thing is potentially far more serious than the Outlook macro
worms that everyone is calling "viruses" these days.  An old-style virus
only requires one person to be stupid enough to run it and then it hides
pretty well; a macro worm requires every victim to be stupid enough to
either run it manually or use a piece of software (Outlook, outdated BIND,
whatever) which allows it to execute without user intervention.

For instance, I could write a program, let's call it my_virus, which
infects all files in the current directory and its parent directory,
as this Winux virus is described as doing.  I email it all over the
world and a copy happens to arrive in your sysadmin's mailbox while he's
working on something in /bin.  His mind is out to lunch, so he reads
his mail and runs my_virus while still root.  Every file in /bin and /
is now infected and will infect other files.

A week later, you rebuild your pet C project, super_time_waster, and
send a copy to your friend.  You think it's perfectly benign - you have
the source, so how could it be a trojan, right?  And /bin/ls tells you
it's the version you just built 5 minutes ago.  Too bad that /bin/ls just
infected everything in the directory (including super_time_waster) as
it told you that...  (Worse, after the next reboot, you'll be running
an infected kernel, assuming it's at (or symlinked from) /vmlinuz.
Depending on the virus's structure, this could make your system unbootable
or rapidly infect every executable file on the system.)

Then your friend, of course, runs super_time_waster, confident in its
authenticity, and infects all of his files.  Without a copy of the
original my_virus executable going anywhere near his system.

I hate to disagree with you, Ben, but that's about as viral as it gets.

-- 
Linux will do for applications what the Internet did for networks. 
    - IBM, "Peace, Love, and Linux"
Geek Code 3.1:  GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r y+


