Skip to comments.Virus threatens PCs running Linux or Windows
Posted on 04/10/2006 5:53:52 AM PDT by Halfmanhalfamazing
Hackers have released a sample code for a virus that could infect both Linux and Windows PCs. The virus, which was given the double name Virus.Linux.Bi.a/ Virus.Win32.Bi.a, was reported Friday by security firm Kaspersky Lab. Security researchers worry that the malicious code may be part of a disturbing new trend of viruses that can run on Windows, as well as other operating systems that have been largely ignored by hackers.
(Excerpt) Read more at computerworld.com.sg ...
All your linux, macos, and windows are belong to virus writers.
Does anyone have more details? How does it gain access to non-userspace processes or disk under Linux?
Crossplatform virus - the latest proof of concept
Kostya April 07, 2006 | 07:32 GMT
Weve received a new sample: another cross platform virus. This sample is the latest attempt to create malicious code which will infect both Linux and Win32 systems. Its therefore been given a double name: Virus.Linux.Bi.a/ Virus.Win32.Bi.a
The virus is written in assembler and is relatively simple: it only infects files in the current directory. However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows - ELF and PE format files respectively.
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the .text section. This changes the entry point of the original file.
Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.
The virus uses the Kernel32.dll function to infect systems running Win32. It injects its code to the final section, and gains control by again changing the entry point. Infected PE files contain the same 2-byte signature as ELF files; the signature is placed in the PE TimeDateStamp header.
Infected files contain the following text strings:
This is Sepultura signing off...
This is The Soul Manager saying goodbye...
Greetz to: Immortal Riot, #RuxCon!
The infector itself contains the following strings:
[CAPZLOQ TEKNIQ 1.0] VIRUS SUCCESFULLY EXECUTED!
The virus doesnt have any practical application - its classic Proof of Concept code, written to show that it is possible to create a cross platform virus.
However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.
Detection for Virus.Linux.Bi.a/ Virus.Win32.Bi.a was added to the Kaspersky Anti-Virus databases shortly after the sample was received.
So, this appears to be a proof of concept, not an actual threat (yet). It's an interesting bit of code in that it can run on both MS-Windows and Linux. I gotta wonder if aspects of this code could be used in the cause of good, by making regular programs that could run on either platform.
The way this code is described, it reminds me a lot of a program I used to have many years ago that would convert ".com" files into standard ascii text that were still executable. It was cool, in that you could actually print the program itself, yet the same string of ascii text would do whatever the original program did. Needless to say, this increased the size of the executable considerably. I had a program called "beep.com" that was a whopping 6 bytes(!) long. It was the smallest functional program I'd ever seen on DOS. All it did was make your PC's speaker beep it's default beep once. I used it a lot in batch files to annoy folks :-) Anyway, when converted to an ascii executable, it was something like 200 or so bytes.
This isn't the first virus that runs on both linux and windows, although you generally have to have WINE running on linux to make this happen. :-)
Been thinking about this a little while, and I've very much like to see how this type of virus/worm will operate in practice.
Most likely, it will require a bit of social engineering for Alice to get Bob to execute the payload. Given the same bit of code that is, say, attached to an email. Let's examine how they would possibly operate.
Alice sends Bob and Charlie an email with a malicious payload as an attachment. "Wow! Look at this great picture of Al Franken being tossed from the Empire State building!" Being good republicans, their interest is piqued. Bob, who is an MS-Windows user either saves the file (IAmNotAVirus.jpg.com) then double-clicks on it, or just double-clicks the attachment. =Poof=, Bob is 0wn3d!
Charlie uses Linux. He either saves the file (IAmNotAVirus.jpg.com) to disk, or double-clicks the attachment to open it. Either way, the file itself won't run automatically? Why not? Well, in order for a file to execute under Linux, it has to be made executable. Just calling it somefile.com or somefile.exe or even somefile.sh is just not enough for the system to execute the file, because Linux doesn't act on a specific type of file based on its filename.
So, most likely, even with an identical virus/worm with the identical payload, under most circumstances, it will still be much more dangerous to MS-Windows users than Linux users.
So, either I'm missing something, the write-up is wrong/incomplete/misleading, or this isn't really a "cross-platform virus".
Thanks, I feel better .....browsing with a Linux system.
How can that be???? Are you actually insinuating that a reporter does not understand his/her subject matter?
Multiplatform viruses. I was wondering when some hackers would get the idea to create something like this.
Indeed! What could I have been thinking to even insinuate such a thing?????????
Quick question: What's the easiest way to change the background in Flux?
Once upon a time, I knew...but no more. Are you running DSL? It has a menu in the control panel to configure the background (I always use that, which is why I forgot how to do it manually -- about the only time I run Flux anymore).
Found this, though... http://www.newlinuxuser.com/howto-set-background-wallpaper-in-fluxbox/
Just installed Zenwalk on an old laptop today. Pretty sweet...433mhz and 198 mb of RAM, still boots up in under a minute. XFce has come a long way since the first time I ever used it.
Gonna get the wireless working tomorrow, mainly because the driver disk is upstairs and I'm lazy.
Though it'd be kinda cool if I could also use it for KDE. :)
"Much smarter folks than I have pointed out that only idiots believe Linux is totally immune from such things. I agree with them. We can never safely assume that Linux is as secure as it can be. But when a Microsoft partner creates a tsunami of headlines with a story about a phony, fabricated "virus," which admittedly is not contagious, and which requires the user to execute it in order for it to do anything at all, I don't call it a virus. I call it BS."
Great quote. No OS is completely invulnerable, though VMS comes pretty darn close. I take precautions on my Linux boxes even though the threat is low. Anyone who doesn't is asking for trouble.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.