Fuzzy

1. A question of time (21:26, Rado)
It is not really cool to publish one's own old articles, but in the spirit of the news about the OO.o macro virus, here follows a text of mine from 1999. I believe some of you remember it...

Viruses on Unix systems
by Rado <r.dejanovic@vipnet.hr>

    Elk Cloner: The program with a personality
    It will get on all your disks
    It will infiltrate your chips
    Yes it's Cloner!
    It will stick to you like glue
    It will modify ram too
    Send in the Cloner!

Computer viruses are the most famous members of quite a large collection of electronic beasts. While they are in fact just as dangerous as any other malicious software, they are the ugliest -- they replicate themselves and infect other files, nowadays even innocent document files. And they are the easiest to pick up and infect yourself with. Ironically, just like real-life viruses, they are most present where the information infrastructure is dense and virtual hygiene is weak. They spread everywhere, from time to time even where people think they have done everything to be 100% virus-safe.

In fact, there is no OS that is completely safe from viruses. A virus is completely dependent on its host's replication mechanism, and computer viruses are highly dependent on the features and characteristics of the OS. Any OS, including Linux. Yes, just like any other OS, Linux may be infected too, like Windows NT or MacOS. Not only PCs with DOS or Windows, or the Amiga, can host viral code. But then, why don't we see more viruses on Linux or Windows NT?

You might be surprised by the fact that some of the first computer viruses were Unix viruses (probably the first one is Elk Cloner, coded sometime between 1980 and 1982). Some early Unix viruses were written by Fred Cohen on a VAX running 4BSD, one year after Elk Cloner appeared. Despite the usual belief, Unices are not protected from viruses automatically.
Of course, the logic of the code is much different, so people who are used to thinking about viruses that run on DOS or Windows (except NT) usually do not understand, or underestimate, the danger of Unix viruses.

Common misconceptions

The biggest misconception is that more powerful security systems prevent virus spread. Because we are used to DOS and its lack of any real memory and data protection, we think of viruses as masters of all computer resources. Yes, they are masters on DOS and "plain" Windows: without any real memory and data protection a computer virus can grab them with both hands. In contrast, Unices and Windows NT have far superior protection systems. This prevents most virus infections, but not all. Such systems practically cease to matter when the user runs everything as root or administrator. An intelligent virus will then find its way to every file on the filesystem; NT ownership or ACLs are no serious obstacle.

Another misconception is that Linux is especially protected from infections because programs come as source code, not as binaries. This is hardly a real protection, because only a small number of people (even among administrators) have enough knowledge to find viral code in the sources. Ordinary users have the habit of exchanging binaries, because they do not like messing with such complicated things as make config; make. The doors of Unix systems are open wide enough to give viruses access to the system.

The third misconception is that Unices are safe because the platforms are so different from each other. But today this is not a big deal. Viruses which transport ANSI C code to another machine and compile it there into compatible binaries have not been spotted yet (but there already is, for example, a FILE virus written completely in C). Remember that this was one of the techniques used by Morris' Internet Worm. And having standardized ELF binaries and libraries will not make the job tougher for virus writers.
Shell scripts

The whole story began with code that did not spread, but ate memory. It was natural, at least on Unices, to start using resources that are common between platforms. For a beginning: shell scripts. Shells on different Unices are quite similar. So Fred Cohen writes in his book Computers Under Attack: Intruders, Worms and Viruses (published 1990): "In the command language of Unix, evolutionary viruses have been written in under 200 bytes". Perhaps the most ironic proof of his words is the man page virus, a script that uses GNU troff's ability to manipulate files and execute programs. This is probably the place where the Linux and Windows worlds come closest to each other -- the similarity with macro viruses is tremendous. The man page virus cannot spread to other computers, unless you have the habit of exchanging formatted man pages with other people. However, this virus is the one that comes closest to the common understanding of a computer virus. Someone could write another virus that is able to use holes in mail readers. Imagine a Linux clone of the Melissa virus that uses a security hole in Pine (just for example) to spread to every address it finds in the address book.

Writing a shell script virus is one of the easiest ways to produce a Unix virus. I am sure that someone will now complain that a virus is not really a virus if it is not written in Assembler. But the fact is that the main attribute of a virus is its spreading on the system, not its size or the language it is written in. In USENIX 1989 Volume 2 you can see Tom Duff's and M. Douglas McIlroy's code for shell viruses. Shell viruses are at the same time almost harmless and very vulnerable, because they are open to the eyes of administrators and users. However, most users will probably not understand even this:

    for %%f in (*.bat) do copy %%f + bfv.bat

There is always someone who will trustfully run any script, no matter where he gets it from.
But such people are food for viruses -- human ignorance is the real fuel for any virus; while it is not possible to avoid every virus attack, most of them could be avoided by educating people.

Worms

The other way to do harmful things is a technique that was made widely known by the Morris Worm: using exploits, if possible in combination with other techniques. His worm used a known sendmail vulnerability to get access to other hosts. In case of a miss, it tried rexec, fingerd and password guessing. After a successful break-in, it compiled the source to make a local binary and executed it. There was even code that should have covered its tracks -- but it was buggy. If it had not been, administrators would have had a much tougher job cleaning the systems than the few days they needed to get things under control. Internet worms are viruses that use known exploits to gain administrator privileges. But such worms are short-lived stars that exist only until the exploit has been fixed, because they lose the medium they need to replicate themselves and infect more systems. Exploits are very dependent on the version of the software, even on the architecture, and they hardly spread across different platforms, or even on the same platform if other computers do not have the same version of the software.

Faked libraries

Of course, you can always play on the user's foolishness. If you fool him into using the LD_PRELOAD environment variable, you can make him execute your own code, which replaces functions of the standard libraries with your routines. LD_PRELOAD is not Linux specific; it is used when some application (like an old StarOffice on newer versions of Red Hat) has to use its own (or older, or modified) libraries, because those installed do not fit its needs.
Quantum (author of the Staog virus) presented this code on the unix-virus mailing list to demonstrate the idea:

```c
#include <stdio.h>
#include <unistd.h>     /* real execv() prototype */

/* glibc's internal entry point for open(); we call it after logging */
extern int __open(const char *, int, int);

/* Replacement open(): print the path, then hand over to the real one */
int open(const char *path, int flags, int mode)
{
    printf("open: %s\n", path);
    return __open(path, flags, mode);
}

/* note that this is lame and discards the envp.. better ways?! */
int execve(const char *path, char *const args[], char *const envp[])
{
    printf("execve: %s\n", path);
    return execv(path, args);
}
```

This code takes over open and execve, making them print out what they do and then jump to the real functions. The output looks like this:

    >gcc -shared tryld.c -o tryld
    >export LD_PRELOAD=./tryld
    >bash
    open: /home/trent/.bashrc
    open: /etc/bashrc
    open: /home/trent/.bash_history
    open: /home/trent/.bash_history
    open: /etc/inputrc

This is just an example which does not hurt anyone, but it demonstrates the principle.

Kernel infectors

Finally, there are so-called "kernel infectors", viruses which are able to infect kernel images, where they can get control of virtually every aspect of the system. Such viruses still exist more in theory than in practice, but this does not mean that we will not see one of them some day.

Platform compatible viruses

The difference between architectures is not a big trouble for virus writers if the viral code can be written in ANSI C. All they need on the other side is a C compiler and a virus-compatible system. Such a virus can easily be spread around using the user's .rhosts or a similar technique. If there are no exploits in such code (probably not, because the virus is multi-platform capable and thus cannot expect an exploit to work everywhere), the range of infectable platforms is wide and does not have to be tied to just one flavor of Unix.

And of course, there are viruses written in Assembler. The most famous, but not the first, Linux virus is Bliss, first reported in February 1997. Bliss infects ELF binaries, but does not do any harm.
It can even self-destruct if you run the infected binary with --bliss-disinfect-files-please as argument. If you wish to search your files for Bliss, look for this pattern:

    E8ABD8FFFFC200003634 65643134373130363532

The first spotted Linux virus is Staog, half a year older than Bliss. It is written completely in Assembler and tries three exploits to gain privileges on /dev/kmem, to be able to infect everything that moves. Its pattern is:

    215B31C966B9FF0131C0 884309884314B00FCD80

While we are at ELF binaries: viruses which infect those files are the closest to the "standard" definition of a computer virus -- they are written in Assembler and they infect executables like a typical virus under DOS. ELF code can be infected by adding code to the padding space after the text segment, and the search of the directory tree for suitable files of type ET_EXEC and ET_DYN can be hidden (more or less, depending on the presence and experience of the administrator) by forking. No, it is not so easy. A virus can infect just the files that are owned by the user who ran the viral code, and if he is not root (and the virus does not use exploits to gain root privileges), only this user's data is jeopardized. But once a virus gets administrator privileges, everything is possible.

Are we safe?

The real problem is yet to come. In the near future we are safe. But the day after that, problems may arise. Linux is becoming more and more popular, and it becomes a challenge for virus makers. More users mean more potential virus makers, and if we count in the fact that ordinary users' knowledge of Unix is declining (thank you, Redmond), we could be in trouble. There already are some anti-virus programs for Linux that do not just check DOS partitions for DOS/Windows viruses. Little is known about them, even among the administrators and people we used to call professionals. It is quite interesting, this silence that covers Unix viruses.
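The two search patterns above and the ET_EXEC/ET_DYN file types are all a defender needs for a simple scanner. The following is an added example, not code from the article or from any of the products it mentions; it reads the ELF header to pick out executables and shared objects, then looks for the Bliss and Staog byte patterns. The "fake" ELF headers at the bottom are constructed test input, not real binaries.

```python
"""Walk a tree, pick out ELF files of type ET_EXEC/ET_DYN, look for Bliss/Staog."""
import os
import struct

# The two 20-byte search patterns given in the article above.
SIGNATURES = {
    "Bliss": bytes.fromhex("E8ABD8FFFFC200003634" "65643134373130363532"),
    "Staog": bytes.fromhex("215B31C966B9FF0131C0" "884309884314B00FCD80"),
}
ET_EXEC, ET_DYN = 2, 3

def elf_type(data):
    """e_type at offset 16 (2 bytes, byte order from EI_DATA); None if not ELF."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    return struct.unpack(endian + "H", data[16:18])[0]

def match_signatures(data):
    """Sorted names of every signature that occurs anywhere in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def scan_tree(root):
    # Returns (path, e_type, [signature names]) for every suspicious ELF file.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue            # unreadable or gone: keep walking
            et = elf_type(data)
            found = match_signatures(data) if et in (ET_EXEC, ET_DYN) else []
            if found:
                hits.append((path, et, found))
    return hits

# Constructed test input, not real binaries: a fake little-endian ELF64 header
# (e_type = ET_EXEC) with the Bliss pattern appended, and a clean ET_DYN header.
FAKE_HEADER = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
FAKE_INFECTED = FAKE_HEADER + struct.pack("<HH", ET_EXEC, 0x3E) + b"\x00" * 44 + SIGNATURES["Bliss"]
FAKE_CLEAN = FAKE_HEADER + struct.pack("<HH", ET_DYN, 0x3E) + b"\x00" * 44

if __name__ == "__main__":
    import sys
    for path, et, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: e_type={et} signatures={found}")
```

A plain byte-pattern match is only as good as the pattern; it is a starting point for triage, not a substitute for a maintained scanner.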
After the Worm appeared we could find many debates and articles, even books -- and then nothing. After the boom between 1989 and 1990, with sporadic themes up to 1996, it looks like everyone has forgotten about Unix viruses. The popularization of Linux might start a new wave of discussions about the issue, and let's hope there will be real anti-virus software before we are really in trouble. A little sarcasm at the very end: even if there will be some shiny new and powerful anti-virus software for Linux, someone will surely invent some sort of Outlook/Exchange combination for Linux to help Melissa clones spread on the Linux platform. Luckily, this will not be everyone's problem.

Unix anti-viruses

There already is some Unix anti-virus software. Most of it checks for DOS/Windows viruses on mounted space, which is not too helpful in a homogeneous Unix environment. But there are some useful tools that check mail and/or ftp and http traffic to find and destroy malicious code, and some do even check for Linux viruses. Which tool should you choose? If you have a mixed Unix/Windows environment, you will find programs that can detect and destroy Windows viruses quite useful. If you have a homogeneous Unix environment, you can take advantage of Unix anti-virus software and other tools that help you keep track of your files and possible modifications to them. Tripwire is quite usable software that does not detect viruses but will warn you if your files suddenly become different. And of course, checking the log files can help a lot. A third solution is anti-virus software that checks incoming mail and files for all kinds of viruses. Try it, you will like it. The market for Unix anti-virus software is not as huge as it is for Windows viruses (lucky us), but there are already products that you can get today. Here are some products I found on the web, but I have not tested them myself, so I cannot say anything about them.
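What Tripwire does for you, reduced to its core: take a baseline of every regular file, then report what changed. This is an added example, not Tripwire's code; it records mode, owner, size and SHA-256, and tells apart content changes (what an ELF infector leaves behind) from pure permission or ownership changes.

```python
"""Tripwire-style baseline check: snapshot a tree, then diff against the stored baseline."""
import hashlib
import json
import os
import stat

def fingerprint(path):
    # [mode, uid, size, sha256] for a regular file, None for anything else.
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return [stat.S_IMODE(st.st_mode), st.st_uid, st.st_size, h.hexdigest()]

def snapshot(root):
    """Map every readable regular file under root to its fingerprint."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                fp = fingerprint(path)
            except OSError:
                continue
            if fp is not None:
                snap[path] = fp
    return snap

def compare(baseline, current):
    """added / removed / content (size or hash changed) / metadata (only mode or uid changed)."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old[2:] != new[2:]:
            report["content"].append(path)
        elif old[:2] != new[:2]:
            report["metadata"].append(path)
    return report

if __name__ == "__main__":   # usage: integrity.py init|check ROOT BASELINE.json
    import sys
    mode, root, base = sys.argv[1:4]
    if mode == "init":
        json.dump(snapshot(root), open(base, "w"), indent=1)
    else:
        print(json.dumps(compare(json.load(open(base)), snapshot(root)), indent=1))
```

Keep the baseline file somewhere the monitored system cannot rewrite it (read-only media or another host), otherwise whatever modifies your binaries can update the baseline too.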
You will have to try them yourself and decide which one of them is right for your purposes. Some of them clean Linux viruses, some of them do not:

    http://aachalon.de/AMaViS/
    http://www.avp.ru/
    ftp://ftp.hbedv.com/antivir/english/release/avlglibc.tgz
    http://www.Europe.Datafellows.com/
    http://www.sophos.com/downloads/eval/savunix.html
    http://www.antivirus.com/products/isvw/
    http://www.drsolomon.com/home/home.cfm
    http://www.mcafee.com/

All of these can be run on Linux, but only F-Secure claims "We do clean Linux viruses". They also know about the most dangerous, most hidden, most infectable Tuxissa virus: http://www.Europe.Datafellows.com/v-descs/april1j.htm

If you want to know more, you can subscribe to the unix-virus mailing list on majordomo@virus.beergrave.net (subscribe unix-virus), or try the following online resources.

Papers by Doctor Fred Cohen: http://all.net/
ftp://coast.cs.purdue.edu/pub/doc/viruses/
http://virus.beergrave.net/resource.html
http://www.heise.de/ix/artikel/1998/02/136/
http://www.ce.is.fh-furtwangen.de/~link/security/av-linux.php3

You could also read some of these papers:

Rudimentary Treatise on the Construction of Locks - Charles Tomlinson, 1853
Experience with Viruses on UNIX Systems - Tom Duff, USENIX Computing Systems, Spring 1989, Volume 2 Number 2, ISSN 0895-6340
The Little Black Book of Computer Viruses - Mark Ludwig, American Eagle Publications, Inc., 1990, ISBN 0-929408-02-0
The PC Virus Control Handbook - Robert V. Jacobson, Second Edition, Miller Freeman Publications, 1990, ISBN 0-87930-194-5
Heterogeneous Computer Viruses In A Networked UNIX Environment - Peter Radatti, CyberSoft, Inc., 1991, 1996
Computer Virus Awareness for UNIX - Peter V. Radatti, NCSA News, Volume 3, Issue 3, Page 8, May/June 1992
Computer Viruses In UNIX Networks - Peter V. Radatti, CyberSoft, Inc., 1995, 1996
The Giant Black Book of Computer Viruses - Mark Ludwig, American Eagle Publications, Inc., 1995, ISBN 0-929408-10-1