[1434] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Linux virus

daemon@ATHENA.MIT.EDU (Jim Dennis)
Wed Feb 5 09:12:45 1997

From: Jim Dennis <jimd@starshine.org>
To: linux-security@redhat.com
Date: Wed, 5 Feb 1997 02:16:16 -0800 (PST)
Cc: BUGTRAQ@netspace.org
In-Reply-To: <Pine.SUN.3.94.970204120242.26570B@dfw.dfw.net> from "Aleph One" at Feb 4, 97 12:02:42 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Aleph One seems to have said:
> 
> ugh :)
> 
> Today I became infected with the bliss virus, any info on this would be
> appreciated!  How do I scan for files infected and is it possible to
> remove it?  I first noticed the infection when running a program (not as
> root) messages flashed on the screen about transversing directories and
> such.  The program (gimp) had been working fine since I downloaded the
> binary for gimp from their main site.  The gimp people told me they have
> not been receiving complaints their binaries are infected, so something
> else must be the source.

	....

> 
> I am presently using this to scan for it in my home dir:
> grep infected /home/peter/**/*(xD/)
> Any help would be great!!!
> 
> Rgds,
> Peter.
> 
> [mod: It looks as if lots of debugging strings are still in the binary.
> Odd that this "debugging version" would be in the wild.
> Peter, can you verify that it indeed is a virus? Unless it knows of
> ways to become root, you should be safe if you add a new user-account,
> place an infected binary and a few uninfected binaries in that users
> account. Make sure that you have an unmodified version available for
> comparison.
> On one hand I don't like to approve this until Peter has verified this,
> but on the other hand if there is really a linux-virus on the loose, you
> all would like to hear about it ASAP right? -- REW]

	Peter and all,

	I've forwarded your message and the reply by Todd to
	the Chief AV Researcher at McAfee Associates (the
	premier PC Anti-virus company).

	Jimmy is a friend of mine (I used to be the sysadmin
	there) and has assured me that he will look into it
	first thing in the morning (he's here at my house now).

	This would be the first "live and in-the-wild" Linux 
	virus that I've ever heard of -- have I been missing
	something?

	In any event -- McAfee may be able to add this to 
	their existing uvscan product.  uvscan scan Linux
	filesystems for DOS and Windows (including Word Macro)
	viruses.   It may be possible for the AV team to 
	simply add bliss' signature to the next release -- and
	it may even be possible for them to create a remover.

[mod: Included in the virus, but neatly in the AV product would
also be nice.  -- REW]

	However -- the current version of this is almost 
	guaranteed not to detect or remove this (unless
	someone at McAfee's AV team discovered this without
	telling the boss).

[mod: Deleted a part about the possibility of detecting the bliss
virus using the "file" command. Yes Possible, No not very handy. --REW]

	Jimmy has asked me to let everyone on this list
	know that if you want updates on this issue -- or
	if you have further information, please feel free
	to forward it through me or directly to cjkuo@mcafee.com.


	I suppose this would be a great time to recommend 
	that more people get and install 'tripwire' and 
	cops and that everyone use the 'chattr +i' command to 
	help protect their libs and binaries from lame attacks 
	such as these.

		tripwire and cops are available at
		the COAST archive at cs.purdue.edu

		Information about using 'chattr' to 
		mark you files as immutable is in the
		Linux-Tips HOWTO (actually submitted
		to them by moi).  
		
		Note -- currently the immutable flag under 
		ext2fs is of limited security value since
		any root run program that wants to can
		simply chattr it back.  However -- it would
		be effective against crude and lame attacks
		like this one (as described in Todd's excerpt).

		The addition of a BSD-like 'securelevel'
		(which is in the works for the 2.1 kernels) 
		will make the "immutable" flag a viable 
		security feature.

	A final note:

	This should serve as yet another reminder that we
	must always be aware of the trust that we place in
	the sources for all of our files.  

	The fact that a system is a single-user workstation
	should not lull anyone of us into allowing the admin
	of that system to neglect proper ownership and permissions
	conventions.  

	Here's a one line script to find any files on your path
	to which you have write access (run this under
	your normal login id).


#! /bin/bash
	## find.wx-files
find $(echo $PATH | tr : " ") -type f | \
	{ while read i; do [ -x $i -a -w $i ] && ls -l $i ; done }
	
	While doing this I discovered several files that
	were writeable by me in my normal account (I was a
	member of the 'root' group.  Red Hat 3.03 leaves
	a number of X11R6 binaries group writable.

	I've fixed that now (and permissions don't prevail
	over ext2fs attributes anyway).


-- 
Jim Dennis,                                info@mail.starshine.org
Proprietor,                          consulting@mail.starshine.org
Starshine Technical Services              http://www.starshine.org


home help back first fref pref prev next nref lref last post