[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[seul-edu] Virus particulars
I did a bit of research today on Linux and viruses, and in the best GPL
spirit, thought I'd share it with you.
Symantec's DB returns the following viruses etc for a query on `Linux' (-: and
I've ignored hits on Linux in the `systems NOT affected' attribute :-) -
Name.Of.Virus Population/Damage/Virility
Linux.Lion.Worm Low/Medium/Low
Linux.Ramen.Worm Medium/Medium/Medium
Linux.Adore.Worm Medium/Medium/Medium (AKA Linux.Red)
Linux.Cheese.Worm Low/Low/Low
Linux.ADM.Worm ?/?/?
These exploit holes in obselete services. No major current Linux
distribution (and very few if any minor ones) is vulnerable to
them. In order to be vulnerable to the first two, you generally
have to make some fairly thick security decisions anyway. The
site hosting the third one's payload has closed. The fourth one
actually *fixes* some of the damage done by Lion. AFAICT, all
are x86-only.
Linux.Jac.8759 Low/Low/Low
The user has to run a binary, and it infects executables in the
$PWD directory in which it is run (ie, for most users, nothing).
It is x86-only.
Jac was announced by vnunet as `the first to hit the platform in
three months', compare this with Windows' average of _daily_. It
was with some vouyeristic pleasure that I also read this:
`Linux users typically crow about how much more secure it is than
the Windows platform, but this time they may be justified as Jac
has only been branded as a low threat. It is not expected to
spread in the wild and causes little damage.'
Linux.Hijacker.Worm Low/Low/Medium
Your system basically has to be already broken by another trojan
(ie have a network-accessible root shell) before Hijacker can do
anything. Like Cheese, it actually removes other worms and closes
up some well-known security errors. Apparently x86 only.
Linux.Backdoor.IN ?/?/? (probably AKA Linux.OSF.8759)
Infected files have to be run by the user; in order for infection
to spread to system files, the user must be root. Opens a UDP
backdoor at or above port 3049 which listens for toolkit commands.
This is excessively sneaky, it bails out if it's being debugged
or if the system has only been up for a few minutes. The payload
is modular (ie potentially updateable).
Linux.RST.A ?/?/?
Linux.RST.B ?/?/?
Similar to the above, but looks for an EGO (Exterior Gateway
Protocols) packet with a special sequence of data and may as a
consequence open a port pointed at a rootshell. Ironically,
RST.B was propagated as part of another exploit kit: it was
launched on and by people thinking that they were `only' using a
toolkit to gain access to someone else's box.
W32.Peelf.2132 Low/Low/Low
This is a multiplatform proof-of-concept virus and has not been
seen in the wild. In Linux, it will only spread within $PWD and
also leaves obvious tracks (files get bigger).
Linux.Pavid NOT/REALLY/VIRUS (aka Linux.Alfa)
Included in a collection of viruses sent to McAfee AVERT (ie
apparently not in the wild), it does not actually spread by
itself and has to be told what to `infect'.
Linux.Quasi NOT/REALLY/VIRUS
Linux.Elend NOT/REALLY/VIRUS
Linux.Dido NOT/REALLY/VIRUS
Linux.Cron NOT/REALLY/VIRUS
Linux.Obsid.gen NOT/REALLY/VIRUS
Linux.Emwerm.Worm NOT/REALLY/VIRUS
Linux.Kork.Worm NOT/REALLY/VIRUS
Linux.Eriz.Int NOT/REALLY/LINUX
Linux.Abulia NOT/REALLY/LINUX
Linux.Abditive.Worm NOT/REALLY/VIRUS
Linux.Silv5444 NOT/REALLY/VIRUS
Linux.Siilov.5916 NOT/REALLY/VIRUS
Linux.Dummy NOT/REALLY/VIRUS
Linux.Orig NOT/REALLY/VIRUS
Doesn't seem to be known to other virus co's. May be an AKA for
another virus. Symantec don't supply *any* details, not even a
threat rating.
Many of these are said to infect .COM and/or .EXE files, it
appears that the only Linux reference is in the name. Maybe someone
was trying to establish a market presence? )-:
Linux.Satyr NO/PAYLOAD
Linux.Diesel NO/PAYLOAD
Linux.Kagob NO/PAYLOAD
Linux.Nuxbee.1411 NO/PAYLOAD (also only runs if user is in admin group)
Linux.Lotek NO/PAYLOAD (AKA Linux.Winter)
Linux.Zipworm NO/PAYLOAD
Linux.Vit.4096 NO/PAYLOAD (second ever Linux virussy thing after Bliss)
No action other than infection (proof-of-concept?).
JS.Radex.mirc NOT/REALLY/LINUX
This is actually a Windows worm, propagating through MIRC, which attacks
(pointlessly) any .sh files it finds.
W32.Prolin.Worm NOT/LINUX
This is a Windows worm that renames filetypes to include the word LINUX
(-: specifically, `change atleast now to LINUX' :-).
Linux.Penguin Low/Low/Low
User has to run it as root; it mails off `system password file'
presumably including /etc/shadow.
Linux.Mandragore.666 NOT/LINUX
Linux.Dies.969 NOT/LINUX (`Die' is a family of Windows worms)
This is a Windows worm. Kaspersky don't even mention `Linux' in
connection with it.
Linux.Doggie NOT/LINUX
This is a Word macro virus. Kaspersky don't mention `Linux' in
connection with it.
Linux.DoS.Trinoo.ns ?/?/?
Linux.DoS.tfn2k.tfn ?/?/?
Linux.DDoS.MStream ?/?/?
These are DDoS toolkits, they are payloads, not viruses in themselves.
Perl.Rans
Cross-platform, and a Linux user has to run them by hand.
Linux.Bliss.A ?/?/?
Linux.Bliss.B ?/?/?
These are hilarous. This has to be the politest virus ever. Other than
growing files, they do no damage, keep track of what's been infected,
and if any infected program is run with a particular option,
disinfects itself. (-:
Quote from `The Answer Guy' in 1998: Although there as been one "virus"
for Linux (Bliss, a piece of sample code that actually managed to
honestly infect a couple of users), they are simply not a problem for
Linux, FreeBSD, or other Unix users.
CONCLUSIONS
* 8 Linux worms, two of which fix problems, all of which either rely on
obsolete services or the root user running stuff; plus
* 8 proof-of-concept or `demo' viruses that don't do anything but infect,
and one of which will disinfect on demand; plus
* 3 viruses which require the user to run them (Jac, Penguin and
Perl.Rans); totalling...
19 infection agents, all either pathetic or obsolete, and only 2 of which will
work at all on other than x86 platforms. Not bad for roughly 30,000
variations on 4,000 virus families. That's 0.5% of the total (ie 200x less
viruses) and all of them useless on a server, difficult to deploy on a
workstation.
It's worth noting that `Linux' worm attacks (some of them will probably run on
BSDs etc because they are x86 within an app) are generally fixed by closing
the hole, sometimes within hours of discovery, but Windows worm attacks are
often dealt with first by taking the service offline or adding virus scanner
definitions, and followed up with a fix (and on several occasions a defective
fix) weeks-to-months later.
Lest we get too cocky, there are *no* viruses for FreeBSD (although Ramen did
actually have some code, it was never activated), OpenBSD, NetBSD, Solaris,
HP-UX, Digital UNIX and many other systems. Solaris is only reported as
having one (SadMind, which also attacks Microsoft IIS) by the virus
companies.
Macintoshes are more vulnerable from Microsoft Office macro viruses than from
native infectors. I guess there's a message there.
All virus-scanner manufacturers - I suspect scenting a new market - got
really, really excited when Ramen hit, and again when Lion (1i0n) hit. No
major Linux distributions ship with any vulnerabilities; most have not
exposed a serious and exploitable vulnerability in the default configuration
in over a year (and that's counting *all* services shipped); contrast this
with OpenBSD's record of over 4 years, and Windows' record of about a week
(in Windows XP's case, they actually have a negative record: showstopper
cracks were released many weeks before the actual product).
Cheers; Leon