Re: "Bugbear" virus in Linux?
From: Rod Smith (rodsmith_at_nessus.rodsbooks.com)
Date: 07/12/03
- Next message: Rod Smith: "Re: Mac GUI"
- Previous message: bd: "Re: "Bugbear" virus in Linux?"
- In reply to: Michael Heiming: "Re: "Bugbear" virus in Linux?"
- Next in thread: Michael Heiming: "Re: "Bugbear" virus in Linux?"
- Reply: Michael Heiming: "Re: "Bugbear" virus in Linux?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 11 Jul 2003 21:03:53 -0400
In article <7oineb.85a.ln@news.heiming.de>,
Michael Heiming <michael+USENET@www.heiming.de> writes:
>
> Rod Smith <rodsmith@nessus.rodsbooks.com> wrote:
>> Michael Heiming <michael+USENET@www.heiming.de> writes:
>>>
>>> How should this virus attach to /bin/ls, without root permissions?
>
>> That gets back to the propagation issue, which I mentioned in parts
>> you've snipped. It'd be tough to do on a properly configured and
>> administered system, but I can think of several misconfigurations or
>> sloppy administrative practices that would make it much easier. For
>> instance, a floppy-based boot-sector virus might attach itself to key
>> Linux binaries if a system were accidentally booted with the floppy
>> inserted (and the system [arguably mis-]configured to boot from the
>> floppy before the hard disk);
>
> Which implies beside the boot order in BIOS, physical access to insert
> the floppy disk. But then if one has physical access he can do
> everything.
Yes and no. The person who inserts the disk certainly has physical access
to the computer, but that doesn't mean that the virus author has such
access. About a decade ago, a common means of propagation of DOS viruses
was via floppy disk boot sectors. The vector I just outlined is exactly
the same as the vector used by these viruses of old. The virus author
distributes a few infected floppies, or submits infected executables to
BBSes (or FTP sites, today), where they infect floppies that get passed
around and infect other computers. The virus author doesn't need physical
access to the ultimate victim computers; the author relies on the
oversight of a user leaving an (unbeknownst to the user) infected floppy
disk inserted in the drive of an uninfected computer when it's powered
up. In principle, the same vector might work for Linux, although with
some caveats. Linux systems are booted less frequently than were DOS
systems, floppies are less commonly exchanged, and (I strongly suspect)
the process of infecting a Linux system would be more complex from a boot
floppy. The first two caveats would slow the spread of a Linux virus that
used this vector. The final caveat means that a Linux boot sector virus
would probably need to be bigger than a DOS boot sector virus, probably
occupying a hidden file or sectors marked as bad or some such on the
floppy. This would make detecting the virus easier.
>> or an administrator might foolishly run a
>> binary from an untrusted source; or a user-mode virus might be able to
>> take advantage of a bug in an SUID executable to attach itself to other
>> binaries; and so on.
>
> Someone running as root with no clue is always a danger.
I certainly agree with this assessment. My point isn't that such
practices are acceptable or that such people couldn't do damage in other
ways; just that they constitute a possible vector for hypothetical Linux
viruses.
> But the main
> reason that we have no virus, is simple. There's just no MUA as crappy
> as M$ Outlook, allowing users to run attachments with a single click.
This is certainly a good point. The big target for viruses today is
Windows, simply because there are so many Windows systems and so much
Windows software still has gaping security holes in it that viruses can
exploit. If virus writers were to turn their attention on Linux, we'd
probably see an increase in Linux security problems. These problems might
not technically be viruses; the miscreants might choose to use worms or
other forms of malware. Some might choose to write viruses, though.
Ultimately, the real issue isn't whether something is a virus, a worm, or
whatever; it's how to protect against malicious code, of whatever name.
> Another reason might be, luckily we don't have all those clueless M$
> users, but I'm afraid we'll get them sooner or later.
Not to mention distributions tailored to their inexperience, such as
Lindows, which by default has users running everything as root.
--
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking
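The thread above turns on one question: could malware attach itself to key binaries such as /bin/ls (via a boot-floppy vector, a SUID bug, or an administrator running untrusted code as root)? The defender's answer to all three vectors is the same: keep an integrity baseline of the system's binaries and diff against it. The following is an added example, not code from the original post or from any of its participants. It builds a manifest of SHA-256 hashes, sizes and permission bits for a directory tree, then reports files that changed, appeared, vanished, or newly gained the SUID bit. The directory contents, file names (`ls`, `cp`, `cat`, `evil`) and the appended `PAYLOAD` bytes in `demo()` are constructed in a temporary directory purely for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, size, permission bits) for each regular file.

    Symlinks are skipped: their targets are hashed where they actually live.
    The permission bits include the SUID/SGID/sticky bits (mask 0o7777).
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            rel = str(p.relative_to(root))
            baseline[rel] = (hash_file(p), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests and call out newly SUID files separately."""
    changed = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    # A file that gained the SUID bit is worth flagging on its own, whether
    # it was modified in place or is entirely new.
    new_suid = sorted(
        k for k, (_, _, mode) in current.items()
        if mode & 0o4000 and not (k in baseline and baseline[k][2] & 0o4000)
    )
    return {"changed": changed, "added": added, "missing": missing, "new_suid": new_suid}


def demo() -> dict:
    """Constructed scenario: a fake bin directory is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("ls", "cp", "cat"):
            (root / name).write_bytes(b"\x7fELF-fake-" + name.encode())  # constructed stand-ins
            os.chmod(root / name, 0o755)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): payload appended to ls, a new
        # binary dropped in, and cat given the SUID bit.
        with (root / "ls").open("ab") as f:
            f.write(b"PAYLOAD")
        (root / "evil").write_bytes(b"\x7fELF-fake-evil")
        os.chmod(root / "evil", 0o755)
        os.chmod(root / "cat", 0o4755)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s}: {files}")
```

In practice the baseline manifest would be written out once from a known-good install and stored somewhere the running system cannot silently rewrite (read-only media or a remote host), since a baseline kept on the same disk as the binaries it guards is only as trustworthy as those binaries. Note that a hash check detects modification after the fact; it does not prevent it, which is why it pairs with the other points raised in the thread (not running as root, not booting from untrusted media).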