[vox-tech] [OT] Now I have a virus. Argh!!!!!

Rick Moen rick at linuxmafia.com
Sun Jul 18 09:40:52 PDT 2004


Quoting boombox (boombox at cokeaholic.com):

> Of course, if you don't want to spring for antivirus, you could just make
> sure only to boot up in windows when you are playing, since I don't know
> of any Linux viruses. Makes you think.

I've been making a list of the known Linux viruses.  It turns out to be
really easy to make one, but (except during rare vulnerability windows
when there's a nice juicy security hole that's just been discovered and
that you've figured out how to exploit) damned near impossible to get
them to be executed and spread.

Staog, Bliss, Vit, RST (Remote Shell Trojan), Gildo, OSF, Kagob, Satyr,
Rike (Rike.1627), Winter (Lotek), Diesel, Nuxbee, Winux (PEElf, Pelf),
Svat, Obsidian.E, Simile (Etap), Jac, Pavid (Alfa.dr), Telf, Ynit,
Zipworm (distinctive only in that it likes to infect ELF files in Zip
archives), and Penguin:  These are all "ELF infectors", where "ELF" is the
standard Unix binary format.  To activate these, you must literally
decide to run a binary infected with them, e.g., someone mails you a
binary file and says "Please run this not-especially-trustworthy binary
executable." Doing so would of course be really dumb; the consequence of
being dumb in that particular fashion is that some number of Linux
executable binaries set to be writable by the user's account would get
modified to include a copy of the virus.  Note that the user is thereby
enabled only to shoot at his _own_ foot:  No regular installed
applications could be affected, because those are not writable by
regular users: Only binary executables in /home/username/bin/ and such
could be affected (and seldom do users have any).

Note that none of the 100+ mail clients for Linux
(http://linuxmafia.com/faq/Mail/muas.html) auto-execute received
executables.  The user would have to save the attachment to
/tmp, run "chmod u+x" on it to make it executable, and then manually
run it -- in order to (finally) shoot himself (but not his system)
in the foot.

One last observation about ELF infectors:  They're all fundamentally
identical, and might as well all be the same virus.  Seen one, seen 'em
all.  (More to the immediate point:  Easily avoid running one, easily
avoid running 'em all.)

There's always some possibility of attack through various
types of "active content" received as attachments:  This is an area
under ongoing scrutiny, and it's wise for you (not just your
distribution's maintainers) to keep an eye on what your mailcap file's
willing to do.


All of the others (listed below) were "worm" automated attacks against
once-vulnerable network daemons.  Obvious lesson:  If you choose to run
network daemons, you're obliged to look out for security alerts and
disable or upgrade the daemons when those happen -- especially if you
run basket-case software like BIND8, lpd, and wu-ftpd.

Oh, and lesson #2:  There's no reason to expose NFS (No Frigging
Security; Network File System), its underlying RPC daemons, or print
servers to the public Internet.  Don't do that -- there's no reason to,
after all -- and you can't be bitten by vulnerabilities in them.


Cheese 
Worm.  May 22, 2001.  
BIND prior to 8.2.3.  TSIG exploit of Jan. 29, 2001.  Note BIND9 release, 
Sept. 15, 2000; BIND 9.1.0 release, Jan. 17, 2001.

1i0n (lion)
Worm.  March 23, 2001.
BIND prior to 8.2.3.  TSIG exploit of Jan. 29, 2001.  Note BIND9 release,
Sept. 15, 2000; BIND 9.1.0 release, Jan. 17, 2001.

Adore (Red)
Worm.  April 04, 2001.  
lprng input validation bug discovered December 12, 2000, rpc-statd input
validation bug discovered August 18, 2000, wu-ftpd 2.6 input validation
bug discovered July 7, 2000, and several BIND 8.2.3 buffer overflow and
input validation bugs discovered Jan. 29, 2001.

lpdw0rm (lpdworm)
Worm.  April 2001.  
lpd input validation bug fixed in Oct. 2000.

Ramen
Worm.  January 17, 2001.  
wu-ftpd 2.6 input validation bug of 2000-06-22, 
rpc.statd bug fixed summer 2000, and 
LPRng input validation bug of Aug. 2000.

Slapper (Cinik, Unlock)
Worm.  Sept. 13, 2002.  
Very specific and rare combination of Apache w/OpenSSL 0.9.6d /
0.9.7beta1 or earlier.  Overflow fixed July 2, 2002.

Mighty 
Worm.  Oct. 3, 2002.  
Very specific and rare combination of Apache w/OpenSSL 0.9.6d and
0.9.7-beta1 or earlier.  Overflow fixed July 30, 2002.

Adm
Worm.  May 1998.  
BIND8 buffer overflow prior to 8.1.2 (in the reverse query function,
"fake-iquery yes;", which is disabled by default).  Fix released April
8, 1998.  

SSHD22
Worm.  Oct. 2001.  
OpenSSH pre-2.3.0 exploit.  Old versions patched Feb. 27, 2001; 2.3.0
released November 2000.

Millen
Worm.  Nov. 18, 2002
wu_imapd buffer overflow fixed May 11, 2002,
qpopper buffer overflow fixed March 2002.
bind buffer overflow through 8.3.3 fixed Nov. 11, 2002,
rpc.mountd buffer overflow fixed in 1998.

Sorso
Worm.  July 02, 2003.
Buffer overflow prior to Samba 2.0.10 / 2.2.8a, which were released
April 7, 2003.

-- 
Cheers,                    Facta tua Restitueri ad Status Pristinus Eius.
Rick Moen                       (May your data be restored to
rick at linuxmafia.com            its original pristine condition.)
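
[Editor's added example; this is not Rick's code and was not part of the
original message.]  The post rests on two checkable claims: a user-level
ELF infector can only rewrite ELF files that the user's own account can
write to, and an attachment only runs if something (the user, or a
mailcap entry) hands it to an interpreter.  The script below audits both
on a directory and a mailcap file you name.  It assumes a Bourne shell
with ls, head, od and awk; the fake ELF files and the mailcap it builds
in a temporary directory are constructed fixtures, not taken from any
real system.  The interpreter list in the mailcap check is a heuristic
regex, and group-writable files and writable PATH directories are left
out of scope on purpose.

```sh
#!/bin/sh
# Added example, not from the original message.  Two checks implied by the
# post: (1) which ELF executables a user-level ELF infector could actually
# modify, and (2) which mailcap entries would hand an attachment straight to a
# shell or script interpreter.  Needs only sh, ls, head, od, awk.

# user_writable_elf DIR
#   Print regular files directly under DIR whose first four bytes are the ELF
#   magic (\177ELF) and that are (owner-writable and owner-executable) or
#   world-writable.  Permission bits are read from ls, not from `test -w`,
#   so the result does not change when run as root.  Group-writable files
#   and writable directories on PATH are deliberately out of scope here.
user_writable_elf() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "7f454c46" ] || continue          # 7f 45 4c 46 = \177ELF
        mode=$(ls -ld "$f" | cut -c2-10)               # e.g. rwxr-xr-x
        ow=$(printf '%s' "$mode" | cut -c2)            # owner write bit
        ox=$(printf '%s' "$mode" | cut -c3)            # owner exec bit (x or s)
        ww=$(printf '%s' "$mode" | cut -c8)            # world write bit
        case "$ow$ox" in
            wx|ws) printf '%s\n' "$f"; continue ;;
        esac
        [ "$ww" = w ] && printf '%s\n' "$f"
    done
    return 0
}

# mailcap_interpreter_entries FILE
#   Print "type: command" for every mailcap entry whose command starts with a
#   shell or script interpreter, i.e. an attachment of that type would be
#   executed rather than viewed.  Heuristic: the interpreter list is a fixed
#   regex, and backslash-continued lines are not joined.
mailcap_interpreter_entries() {
    awk -F';' '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            cmd = $2
            sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
            split(cmd, w, /[ \t]+/)
            prog = w[1]; sub(/.*\//, "", prog)  # basename of the program
            if (prog ~ /^(sh|bash|dash|ksh|zsh|perl|python[0-9.]*|ruby|tclsh|wish)$/)
                print $1 ": " cmd
        }' "$1"
}

# make_fixtures: build a throwaway directory of constructed test files and
# print its path.  Nothing here is taken from a real system.
make_fixtures() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    printf '\177ELF\001\001\001' > "$d/bin/hello";  chmod 755 "$d/bin/hello"   # infectable
    printf '\177ELF\001\001\001' > "$d/bin/safe";   chmod 555 "$d/bin/safe"    # read-only
    printf '#!/bin/sh\necho hi\n' > "$d/bin/script.sh"; chmod 755 "$d/bin/script.sh"  # not ELF
    printf '\177ELF\001\001\001' > "$d/bin/loose";  chmod 646 "$d/bin/loose"   # world-writable
    cat > "$d/mailcap" <<'EOF'
# constructed mailcap for the example
image/png; display %s
application/pdf; xpdf %s
application/x-sh; sh %s
text/x-perl; /usr/bin/perl %s; needsterminal
EOF
    printf '%s\n' "$d"
}

# Demo run on the fixtures; on a real box you would pass $HOME/bin, each
# directory on PATH, and ~/.mailcap or /etc/mailcap instead.
demo() {
    d=$(make_fixtures) || return 1
    echo "ELF files an unprivileged infector could rewrite:"
    user_writable_elf "$d/bin"
    echo "mailcap entries that execute attachments:"
    mailcap_interpreter_entries "$d/mailcap"
    rm -rf "$d"
}

demo
```

On the fixtures, the first check reports only hello (owner rwx) and loose
(world-writable); the read-only ELF and the shell script are skipped,
which is exactly the distinction the post draws between distro-installed
binaries and things in ~/bin.  The second check flags the x-sh and
x-perl entries and ignores the image and PDF viewers.  Run it against
your own ~/.mailcap and /etc/mailcap, and against every directory on
your PATH, to see what your account would actually let one of these
ELF infectors touch.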

