[3119] in WWW Security List Archive

Re: New and destructive word macro virus

daemon@ATHENA.MIT.EDU (John Cronin)
Sun Sep 29 15:23:50 1996

From: John Cronin <John.Cronin@oit.gatech.edu>
To: scorpios@cs.huji.ac.il (Nir Soffer)
Date: Sat, 28 Sep 1996 23:54:19 -0400 (EDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91-heb-2.05.960928175308.728A-100000@bagel.cs.huji.ac.il> from "Nir Soffer" at Sep 28, 96 05:59:25 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Once upon a time, Nir Soffer told me this tale:
->
->Sorry to butt in like that, but I disagree - 
-><newbie mode on>
->
->On Fri, 27 Sep 1996, David W. Morris wrote:
->> On Fri, 27 Sep 1996, John Cronin wrote:
->> 
->> > I have to partially disagree here.  While it is theoretically possible
->> > to write a virus for Unix for instance, for it to really do damage, it
->> > would have to be run as root.  If a non-root user runs a program that
->> 
->> Huh ... no theory here ... I would classify the cancelbot which trashed
->> a bunch of alternate life style newsgroups earlier in the week as a 
->> virus. The internet worm was a virus. Depending on what code is
->> executed in the user's environment, there is all kinds of risk.

Uh, I don't think the cancelbot was a virus (don't know much about it,
but it doesn't sound like a virus).  Malicious code, certainly.  And the
internet worm was a worm, not a virus.  Subtle difference, but the internet
worm was pretty much the definition of a worm.  Tunnels in through holes
in the network, then reproduces from the resources found there.  A virus
hides in the code of a program until it is run, then infects the other code.

->That all depends on how you define a virus, I for one define a virus as a 
->piece of code that replicates itself via other pieces of code, just like 
->a real life virus does, lives parasitically on the host of the body 
->until the body dies, and moves from different cells to other cells.  What 
->you are describing here is what I define as a trojan - i.e., a piece of 
->code that does something different than you'd expect from it, often 
->maliciously. AFAIK virii are impossible on all UNIX systems, since there 
->is no way (I know of, please correct me if I'm wrong) to trap instances 
->other processes are started and then infect them (I'm not even sure that 
->it's possible to infect Unix binaries, but here I can be corrected again 
->and would gladly be corrected.) 

Sure, if you have write access, you can infect the binaries by modifying the
files on disk.  That's the catch - you have to have write access to modify
the files.  To modify most interesting files, you have to hack root.  Once
you have done this, there are a lot more interesting (and easier) things
to do than write a virus.  A virus WOULD be a good way to ensure that if
you were caught, you would be able to get back in in the future (assuming
the virus was not found, and did something helpful once the program it was
infecting was run).  But viruses for Unix are a bit more difficult to write
than viruses for PCs.  Definitely not impossible though.  More common are
imposter programs that replace things like login, passwd, ps, ls, ifconfig,
etc.  These programs do things like grab passwords (login, passwd), hide
malevolent processes that are running (ps) and the files they create (ls),
and hide sniffers (ps and ifconfig).  These kinds of things are done, and
they are quite sophisticated (match original file sizes, dates, checksums).
It can be very difficult to tell, but not impossible (so far).  Admins should
keep known safe versions of these in private (non bin directory) locations,
probably in encrypted tar files to ensure that you have a good version
(right off the factory CD-ROM).  Other utilities such as top and lsof are
also useful on Unix systems to catch these kinds of programs.  If you have
Sun's Solaris, take a look at the programs in /usr/proc/bin, and use truss
as well.

->> And so forth. Not all viruses cause direct damage. A typical UNIX system
->> has all kinds of world readable data which is presumed to be safe behind
->> the firewall but isn't if there is a backdoor based on imported code.

Nothing is safe on any system.  Some are just safer than others.  Even
when the hardware and software are secure, there is always the human element.
What hackers refer to as "social engineering"...  It can be the most effective
way to get a password, and thus gain a foothold on a system from which to 
search for further weaknesses from the inside.

->Again, you're describing what I define as a trojan, would you call the 
->program known as 'socket daemon' which does exactly what you describe as 
->a virus ? 
 
The lines here can be pretty blurry.  Many virii start as trojan horses
(i.e., they hide in supposedly, perhaps even truly, useful programs).  The
main difference is that a virus will automatically reproduce by infecting
other binaries (and in DOS, the boot sector).

->> PC viruses have been popular with crackers because network access such as
->> enabled the worm has not been available so the crackers figured out an
->> alternative for spreading their grief. Then they used a time driven
->> trip wire to achieve the world wide effect achieved on interconnected
->> UNIX systems.  In each case the problem surfaces over a wide area with
->> little warning.

Until the widespread use of remote control programs and disk sharing, there
was also damned little else you could do to a PC. Even if you got a modem
connected to a PC to answer, then what?  It surely wouldn't ask you to login
(unless it was connected to a BBS or something) or anything exciting like
that.  As PCs get smarter and better connected they get more vulnerable.

-- 
John Cronin
Office of Information Technology Customer Support Center 0710
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: john.cronin@oit.gatech.edu
phone: (404) 894-7563
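The check the message recommends, known-good copies compared against the live binaries, as an added example that is not part of the original post: it baselines a set of files with SHA-256 instead of the size/date/checksum comparisons the message says imposters can match, then flags a replaced file. The `bin/` directory, the three stand-in "binaries" and the `baseline.txt` name are constructed for the demonstration.

```shell
# hash_file FILE : print the SHA-256 digest of FILE. Size, mtime and CRC-style
# checksums can be matched by a careful intruder; a collision-resistant digest
# realistically cannot.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_baseline DIR OUT : write "digest path" for each regular file under DIR.
# The baseline only proves anything if it is kept where root on the monitored
# host cannot rewrite it (read-only media or another machine).
build_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# verify_baseline BASELINE : print MISSING/MODIFIED lines; return 1 if any.
verify_baseline() {
    _bad=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; _bad=1
        elif [ "$(hash_file "$path")" != "$digest" ]; then
            echo "MODIFIED $path"; _bad=1
        fi
    done < "$1"
    return $_bad
}

# demo_tamper_detection : constructed scenario in a scratch directory. Three
# stand-in "binaries" are baselined, then ps is swapped for an imposter of the
# same length with the original modification time copied onto it.
demo_tamper_detection() (
    cd "$(mktemp -d)" || exit 1
    mkdir bin
    printf 'login-v1\n' > bin/login
    printf 'passwd-1\n' > bin/passwd
    printf 'ps-vers1\n' > bin/ps
    build_baseline bin baseline.txt
    cp -p bin/ps ps.orig              # keep the genuine timestamp for reference
    printf 'ps-evil1\n' > bin/ps      # same byte length as the original
    touch -r ps.orig bin/ps           # same mtime too; only the digest differs
    verify_baseline baseline.txt      # prints "MODIFIED bin/ps", returns 1
)
```

Run `demo_tamper_detection` after sourcing the functions; on a real host the baseline would be built from the vendor media the message mentions and verified from a boot environment the intruder cannot have touched.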
