Re: Viruses on Linux?

From: Tom Emerson (x_at_y.z.com)
Date: 04/27/04


Date: Tue, 27 Apr 2004 03:45:40 GMT

Svein Hamnes Aaberge wrote:

> My brother asked me if I had a virus on my machine. No way I said, I run
> Linux.

That sort of attitude is going to bite MILLIONS of us in the *** when a
"real" linux virus goes on a rampage :)

First point about viruses: it's a numbers game. If 90% of the computers are
running an easily compromised system, even though 50% of those systems are
monitored for virii, vs. 90% of the "hard to compromise" systems NOT being
monitored ['cause the owner has the above mindset] where do you think
you'll see an attack? You'll "see" an attack on the easily compromised
systems [because the 50% that are monitoring will get the word out fairly
quickly]. You'll never "see" it on the other systems until it's too late,
and then we'll all be having crow for dinner...

> Anyway I did a virus search with Antivir when I came home and got the
> output:
> AntiVir / Linux Version 2.1.0-17
>
> checking drive/path (list): //
> //tmp/kde-svein/kontactUUwwfb.6/your_website.pif

took me a bit of digging, but I think I see how this happened: someone sent
YOU an infected e-mail [you probably dropped it as "spam"] **but** at some
point you "passed over it" in kmail/kontact and it "opened" the message,
placing the attached files
in /tmp/kde-<username>/kontact<randomdir>/<attachment>. Note that
"opening" a message in this manner does NOT TRY TO EXECUTE THE CONTENTS
[bubbleboy was one of the first to exploit an execute-upon-opening-message
hole in outlook, as I recall, hence my general aversion to "preview panes",
but "this is linux, and linux doesn't get viruses" ;) ]

<evil thought mode> if instead of naming the file "whatever.pif", which is a
windows executable, naming it ../../../../../../bin/ls would be
"devastating" on a linux system -- EXCEPT that (a) a "normal" user
shouldn't be able to write to /bin, so most likely this will cause the mail
reader to cough, and (b) even if it overwrote ls, it wouldn't necessarily
make it "executable" -- everything else would stop working and you couldn't
get a directory reading to find out why... </evil thought mode>

> //tmp/kde-svein/kontactUUwwfb.6/your_website.pif <<< Contains signature
> of the worm Worm/Netsky.D.3 not removable

not removable: either the virus scanner is running as someone other than
"you", or the file is still "in use" or [since it's in /tmp], perhaps the
"sticky" bit is set [wild conjecture -- don't mind me...] However, it IS
"in /tmp", meaning it should be cleaned up "shortly" [after closing kmail]
 
> //usr/lib/mailman/tests/msgs/nimda.txt
> Contains signature of the Windows virus W32/Nimda.eml not removable

in .../test/... -- very likely to be mailman's own viral scanning signature
and/or test-suite file to verify viral scanning is working. 'not
removable': this is more likely to be "owned" by root or "mailman", not you
[the "normal" user], hence you [running the scanner] don't have the proper
authority to remove the file [just like you wouldn't have the authority to
store a file in /bin "as a normal user"]
 
> The last file seems to be a file in the package "mailman", so it should
> not be dangerous. (I really don't understand why antivir detected it
> though).

for the same reason "norton antivirus" might point out that a file in
c:\program files\some_competitors_product\data\signatures contains "a whole
mess o' viruses" :)

> The big question though: Is this virus capable of doing any harm when I'm
> running Linux?

Only if you run something that will try to emulate a windows environment
[vmware, win4lin, wine, etc] and then *intentionally* seek out and try to
"execute" the file. [but the effects would be, shall we say, "limited"?]

> Will it use my address book and send virus mail to others?

only if YOU INTENTIONALLY send it to others [see also the "honor system
virus", a.k.a. "the amish virus" here:
http://en.wikipedia.org/wiki/Honor_system_virus for an example]

> Will it do any other harm?

only if THEY then open/read/execute the file you [intentionally] sent them

-- 
Top o' the Blog: Google Nirvana gone bye-bye?
http://osnut.homelinux.net/mtblog/ya_index.html
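The "evil thought" in the post (an attachment named ../../../../../../bin/ls being dropped into /tmp/kde-<username>/kontact<randomdir>/) is the textbook path-traversal case for any mail client that writes attachments to a scratch directory. The following is an added example, not code from the original post nor from KMail/Kontact: it shows where a naive join of the raw attachment name would land, and a sanitiser plus defensive save routine that keeps the file inside the scratch directory regardless of the name. The scratch-directory layout and the two attachment names are taken from the post; the function names, the fallback name "attachment", and the payload bytes are assumptions for illustration.

```python
"""Attachment-name sanitising for a mail client's scratch directory.

Added example, not code from the original post, KMail or Kontact.  The
directory layout /tmp/kde-<user>/kontact<random>/<attachment> and the
attachment names are taken from the post; everything else is assumed.
"""
import os
import posixpath
import tempfile


def naive_target(scratch_dir: str, attachment_name: str) -> str:
    """Where a careless client would write: the raw MIME file name joined
    onto the scratch directory and normalised.  Enough '../' components
    walk straight out of the scratch directory (normpath clamps at '/')."""
    return posixpath.normpath(posixpath.join(scratch_dir, attachment_name))


def is_inside(scratch_dir: str, path: str) -> bool:
    """Lexical check: is `path` a direct child of `scratch_dir`?"""
    return posixpath.dirname(posixpath.normpath(path)) == posixpath.normpath(scratch_dir)


def safe_attachment_name(attachment_name: str) -> str:
    """Reduce an attacker-supplied attachment name to one bare file-name
    component.  Both '/' and '\\' are treated as separators (the header
    may have been written on Windows), NUL bytes are dropped, and a name
    that collapses to empty, '.' or '..' gets a fixed fallback (assumed)."""
    name = attachment_name.replace("\\", "/").replace("\x00", "")
    name = posixpath.basename(name).strip()
    if name in ("", ".", ".."):
        return "attachment"
    return name


def save_attachment(scratch_dir: str, attachment_name: str, data: bytes) -> str:
    """Write `data` under `scratch_dir` and return the path written.
    Defence in depth: the sanitised name is re-checked with is_inside(),
    O_EXCL refuses to touch anything already at that path (including a
    pre-planted symlink), and mode 0600 keeps other local users out."""
    target = posixpath.join(scratch_dir, safe_attachment_name(attachment_name))
    if not is_inside(scratch_dir, target):
        raise ValueError(f"refusing to write outside scratch dir: {target!r}")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo_roundtrip(attachment_name: str = "../../../../../../bin/ls") -> dict:
    """Save the traversal-named attachment into a throwaway directory and
    report what actually happened (used by the self-check below)."""
    with tempfile.TemporaryDirectory() as scratch:
        written = save_attachment(scratch, attachment_name, b"MZ-constructed-payload")
        with open(written, "rb") as fh:
            content = fh.read()
        try:
            save_attachment(scratch, "ls", b"second write")  # same sanitised name
            second_refused = False
        except FileExistsError:
            second_refused = True
        return {
            "stayed_inside": posixpath.dirname(written) == scratch,
            "basename": posixpath.basename(written),
            "content": content,
            "mode": os.stat(written).st_mode & 0o777,
            "second_refused": second_refused,
        }


if __name__ == "__main__":
    scratch = "/tmp/kde-svein/kontactUUwwfb.6"   # layout from the post
    evil = "../../../../../../bin/ls"            # the post's 'evil thought' name
    print("naive target :", naive_target(scratch, evil))
    print("safe target  :", posixpath.join(scratch, safe_attachment_name(evil)))
    print("round trip   :", demo_roundtrip(evil))
```

The `naive_target()` function exists only to make the failure visible: with the post's path the six `../` components run past the filesystem root and the join resolves to `/bin/ls`, which is exactly where the post's scenario ends up (and why, as the post notes, it only fails because a normal user cannot write to `/bin`). The sanitiser discards every directory component instead of trying to filter `..`, so there is nothing for an encoded or Windows-style separator to sneak past.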
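On the two "not removable" results: the post guesses at ownership, a file in use, or the sticky bit on /tmp. The first and third guesses are the POSIX unlink() rules, which are worth having in one place. This is an added example, not from the original post or from AntiVir: it encodes those rules (write and search permission on the directory; in a sticky directory, additionally ownership of the file or the directory; root bypasses everything) and applies them to stat values constructed to mirror the post's two files. The modes, uids, gids and the numeric uid 1000 for the poster are assumptions; the directory paths are from the post.

```python
"""Why a scanner reports a file as 'not removable': the POSIX unlink() rules.

Added example, not code from the original post or from AntiVir.  The
Entry values below are constructed to mirror the post's two findings;
uid/gid numbers are assumed.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    mode: int   # full st_mode, type bits included (e.g. 0o41777 for /tmp)
    uid: int
    gid: int


def has_perm(entry: Entry, uid: int, groups: set, want: int) -> bool:
    """Does `uid` (member of `groups`) hold permission bits `want` on entry?
    `want` is expressed in the 'other' class (stat.S_IROTH/S_IWOTH/S_IXOTH);
    the owner or group class is selected and shifted down to compare."""
    if uid == 0:
        return True
    if entry.uid == uid:
        bits = (entry.mode & stat.S_IRWXU) >> 6
    elif entry.gid in groups:
        bits = (entry.mode & stat.S_IRWXG) >> 3
    else:
        bits = entry.mode & stat.S_IRWXO
    return bits & want == want


def unlink_verdict(directory: Entry, victim: Entry, uid: int, groups: set) -> str:
    """'ok' or the errno-style reason unlink(2) would refuse, for a file
    `victim` living directly inside `directory`, attempted by `uid`."""
    if uid == 0:
        return "ok"
    if not has_perm(directory, uid, groups, stat.S_IXOTH):
        return "EACCES: no search (x) permission on the directory"
    if not has_perm(directory, uid, groups, stat.S_IWOTH):
        return "EACCES: no write permission on the directory"
    if directory.mode & stat.S_ISVTX and uid not in (victim.uid, directory.uid):
        return "EPERM: sticky directory and you own neither the file nor the directory"
    return "ok"


def entry_of(path: str) -> Entry:
    """Build an Entry from a real path (for trying this on a live system)."""
    st = os.stat(path)
    return Entry(st.st_mode, st.st_uid, st.st_gid)


# Constructed scenarios mirroring the post (uid 1000 = the poster, assumed).
SVEIN, OTHER = 1000, 1001
MAILMAN_MSGS = Entry(0o40755, 0, 0)          # /usr/lib/mailman/tests/msgs, root-owned
NIMDA_TXT = Entry(0o100644, 0, 0)            # nimda.txt, root-owned
TMP = Entry(0o41777, 0, 0)                   # /tmp with the sticky bit
KONTACT_DIR = Entry(0o40700, SVEIN, SVEIN)   # /tmp/kde-svein/kontactUUwwfb.6
PIF = Entry(0o100600, SVEIN, SVEIN)          # your_website.pif
STRANGERS_FILE = Entry(0o100644, OTHER, OTHER)  # a file dropped straight into /tmp


def post_scenarios() -> dict:
    """The cases the post reasons about, as (who, where) -> verdict."""
    return {
        "svein deletes nimda.txt": unlink_verdict(MAILMAN_MSGS, NIMDA_TXT, SVEIN, {SVEIN}),
        "root deletes nimda.txt": unlink_verdict(MAILMAN_MSGS, NIMDA_TXT, 0, {0}),
        "svein deletes the .pif": unlink_verdict(KONTACT_DIR, PIF, SVEIN, {SVEIN}),
        "other user deletes the .pif": unlink_verdict(KONTACT_DIR, PIF, OTHER, {OTHER}),
        "svein deletes a stranger's file in /tmp": unlink_verdict(TMP, STRANGERS_FILE, SVEIN, {SVEIN}),
        "owner deletes own file in /tmp": unlink_verdict(TMP, STRANGERS_FILE, OTHER, {OTHER}),
    }


if __name__ == "__main__":
    for case, verdict in post_scenarios().items():
        print(f"{case:45s} -> {verdict}")
    # Live check of the real /tmp on this machine (sticky bit should be set):
    print("/tmp sticky bit set:", bool(entry_of("/tmp").mode & stat.S_ISVTX))
```

Read against the post: the mailman test file is undeletable because a normal user has no write permission on the root-owned directory, not because of anything special about the file itself; the .pif in the poster's own kontact directory is deletable by the poster but invisible to any other non-root user; and the sticky bit only matters for files sitting directly in /tmp that belong to someone else, which is why it stays a conjecture for a file two levels down in a private 0700 directory.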
