Re: Linux Virus
On Wed, Mar 28, 2001 at 10:19:10PM -0500, Ben Collins wrote:
> Anyone can do that. I can write a C program and send it to you that
> emails me /etc/passwd and /etc/shadow. You still have to be dumb enough
> to execute it. That's not a virus, that's social trickery. Now, if it
> emails itself (and remember with Linux there are several dozen email
> programs, so finding the right address book format is pretty hard), then
> it is viral, sort of, since you still have to manually execute it.

Based on my reading of the relevant news stories, this thing looks like
a true virus in the old sense of the term: it infects other files and
uses them to spread itself. Although I don't expect it to get very far,
this sort of thing is potentially far more serious than the Outlook macro
worms that everyone is calling "viruses" these days. An old-style virus
only requires one person to be stupid enough to run it and then it hides
pretty well; a macro worm requires every victim to be stupid enough to
either run it manually or use a piece of software (Outlook, outdated BIND,
whatever) which allows it to execute without user intervention.

For instance, I could write a program, let's call it my_virus, which
infects all files in the current directory and its parent directory,
as this Winux virus is described as doing. I email it all over the
world and a copy happens to arrive in your sysadmin's mailbox while he's
working on something in /bin. His mind is out to lunch, so he reads
his mail and runs my_virus while still root. Every file in /bin and /
is now infected and will infect other files.

A week later, you rebuild your pet C project, super_time_waster, and
send a copy to your friend. You think it's perfectly benign - you have
the source, so how could it be a trojan, right? And /bin/ls tells you
it's the version you just built 5 minutes ago. Too bad that /bin/ls just
infected everything in the directory (including super_time_waster) as
it told you that... (Worse, after the next reboot, you'll be running
an infected kernel, assuming it's at (or symlinked from) /vmlinuz.
Depending on the virus's structure, this could make your system unbootable
or rapidly infect every executable file on the system.)

Then your friend, of course, runs super_time_waster, confident in its
authenticity, and infects all of his files. Without a copy of the
original my_virus executable going anywhere near his system.

I hate to disagree with you, Ben, but that's about as viral as it gets.
--
Linux will do for applications what the Internet did for networks.
- IBM, "Peace, Love, and Linux"
Geek Code 3.1: GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r y+