[vox] Linux viruses?

ME dugan at passwall.com
Mon Jun 14 11:44:07 PDT 2004


Micah J. Cowan said:
> On Sun, Jun 13, 2004 at 12:14:30PM -0700, ME wrote:
>> Marianne Waage said:
>> > Bill Kendrick said:
>> >> Noticed this article on my newsticker just now:
>> >> Antivirus vendors await first Linux worm
>> >> http://www.infomaticsonline.co.uk/News/1155836
>> >> However, one line in the article piqued my curiosity:
>> >> Symantec reported that it has found three Linux viruses in the wild
>> >> since the start of 2004.
>> >> Anyone have any references to these three?
>> >
>> > I always wondered what would happen if you got a virus through
>> > something emulated like Outlook under wine. There was some other
>> > program that let you run MS products under linux but I don't recall
>> > the name now.
>>
>> For the most part, viruses are not only architecture specific but also
>> Operating System specific. In cases where a "virus" (or worm) is able to
>> hit more than one architecture, the virus (or worm) generally has two
>> parts (executable code for each architecture), while in cases where the
>> same architecture is the target but with different OS, the few viruses
>> (or worms) which do this *usually* have each space separate. However,
>> there was one (a year or so back?) which came out which attacked two OS
>> and even though it had code separate for different OS, a large part of
>> the malware was shared between both parts.
>>
>> For the most part, a virus infecting files in an instance of wine or
>> vmware may infect files accessible from the windows session, but is
>> unlikely to infect files which are used in the Linux space. Certainly,
>> they could infect your windows files and harm them much like a windows
>> machine that was not being emulated would find.
>
> Actually, I read Marianne's message to mean a Linux-targeting virus
> that takes advantage of vulnerabilities in Microsoft products being
> emulated on the machine.

Risks for such a limited virus to propagate are even smaller, since the
scope of users who use Linux and wine and would check their mail and/or
swap files from wine are likely to be even smaller than the percent of the
market which uses Linux without wine.

One of the reasons MacOS 9 (and earlier) viruses did not spread to such
extremes as the present viruses in windows was due to the percent of the
market who had and used Mac OS. Additionally, the creation of e-mail
clients which permitted e-mail messages to automagically run code on
recipients' machines compounded the issue, making it possible for worm-like
activity from various forms of malware.

I assumed the questions being asked had two parts:
>>> I always wondered what would happen if you got a virus through
>>> something emulated like Outlook under wine.

Assuming a windows-based virus (and/or worm.)

>>> There was some other program that let you run MS products under linux
>>> but I don't recall the name now.

A request for the name of a program which also permitted users to run
windows software under a Linux host (I included vmware.)

I have not used wine in a while, but I seem to recall that it permitted
you to configure it to use images and raw devices (much like dosemu did.)
Though you could mount local *NIX filesystems to have access to your
files, it was not necessary. Assuming only directories with text files
were made available from the host system to the windows session over
Linux, the risk for infection to any Linux files would be small. (As
mentioned by others) the risk for loss of files would still exist. I also
mentioned that any files which could be accessed by the Windows sessions
would be at risk.

If there existed a multi-stage, cross-platform worm-to-trojan-to-virus
which would target a Windows system initially and then trojan itself into
a *NIX file (such as .profile, .bash_profile, .bashrc, .cshrc, and/or
look for *nix executables within the *nix space on a windows/Linux
system), and then wait for root to "su - INFECTED_USER" or root to execute
a binary that was infected by the multistage piece of malware, then it is
possible for the system to eventually get corrupted.

Though such a thing is possible, the reward for a malware coder (infamy in
the press and/or notoriety if they released it with intent to cause harm,
or academic prestige in releasing the source without a payload as an
example of what is possible) might not be enough to push them to create
such a work. Such a beast would have to be smart enough to figure out
which files were actually from a *nix system, and be able to infect the
correct (incorrect?) files or include trojan code to allow for future
infection.

Don't get me wrong, as I stated in my original post with the
disclaimers.... the review of what is likely and unlikely is
time-sensitive. It is possible for such a thing to be built to target wine
to Linux systems. I just do not see this as a primary risk for *nix
systems. The bigger risk for *nix systems is one of being attacked and
infected by a worm. History shows that has been the biggest trend for *nix
systems, far exceeding the number of *nix viruses found in the wild, and
being far more widespread when put into effect.

Linux viruses will likely be more common as time moves on, but I expect it
will be a few years before we see *nix viruses gain as much widespread
infection as *nix worms.

Right now, the only major vector I see for widespread *nix viruses in the
wild (not talking about worms here) is through the trojaning of a major
piece of software (like an apache package, an ssh package, an ssl package,
or even worse, a gcc/g++ package or any of these with a trojan in source.)

-ME
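A defender's check for the scenario the post describes, added here as an example and not part of the original message: it baselines the shell start-up files named above and later reports any that changed, vanished, appeared, or are group/world-writable (so a shared Windows session could edit them) before anyone runs "su - USER". The file list, the temporary home directory and the sample contents are constructed assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Start-up files the post names as trojan targets (the list is an assumption).
STARTUP_FILES = [".profile", ".bash_profile", ".bashrc", ".cshrc"]

def baseline(home):
    """Record (sha256, permission bits) for each start-up file present in home."""
    result = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            result[name] = (digest, stat.S_IMODE(os.stat(path).st_mode))
    return result

def check(home, known):
    """Compare home against a baseline and return {file: finding}.
    Findings: 'modified', 'missing', 'new', or 'writable' (group/world-writable,
    so a shared Windows session or any other local process could edit it)."""
    findings = {}
    current = baseline(home)
    for name, (digest, _) in known.items():
        if name not in current:
            findings[name] = "missing"
        elif current[name][0] != digest:
            findings[name] = "modified"
    for name, (_, mode) in current.items():
        if name not in known:
            findings[name] = "new"
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.setdefault(name, "writable")  # keep 'modified' if already set
    return findings

def demo():
    """Constructed scenario: clean home, then .bashrc gains an appended line
    and .profile is left world-writable."""
    home = tempfile.mkdtemp()
    for name in (".profile", ".bashrc"):
        with open(os.path.join(home, name), "w") as f:
            f.write("# constructed sample start-up file\n")
    known = baseline(home)
    with open(os.path.join(home, ".bashrc"), "a") as f:
        f.write("echo constructed-change\n")  # stands in for an injected line
    os.chmod(os.path.join(home, ".profile"), 0o666)
    return check(home, known)
```

Run against a real home directory by storing the result of baseline() somewhere the user cannot write and calling check() from a cron job or before privileged use of that account.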
