[4007] in bugtraq
Re: [linux-security] Linux virus
daemon@ATHENA.MIT.EDU (Jim Dennis)
Wed Feb 5 10:36:53 1997
Date: Wed, 5 Feb 1997 02:16:16 -0800
Reply-To: Jim Dennis <jimd@STARSHINE.ORG>
From: Jim Dennis <jimd@STARSHINE.ORG>
X-To: linux-security@redhat.com
To: BUGTRAQ@netspace.org
In-Reply-To: <Pine.SUN.3.94.970204120242.26570B@dfw.dfw.net> from "Aleph One"
at Feb 4, 97 12:02:42 pm
Aleph One seems to have said:
>
> ugh :)
>
> Today I became infected with the bliss virus, any info on this would be
> appreciated! How do I scan for files infected and is it possible to
> remove it? I first noticed the infection when running a program (not as
> root) messages flashed on the screen about transversing directories and
> such. The program (gimp) had been working fine since I downloaded the
> binary for gimp from their main site. The gimp people told me they have
> not been receiving complaints their binaries are infected, so something
> else must be the source.
....
>
> I am presently using this to scan for it in my home dir:
> grep infected /home/peter/**/*(xD/)
> Any help would be great!!!
>
> Rgds,
> Peter.
>
> [mod: It looks as if lots of debugging strings are still in the binary.
> Odd that this "debugging version" would be in the wild.
> Peter, can you verify that it indeed is a virus? Unless it knows of
> ways to become root, you should be safe if you add a new user-account,
> place an infected binary and a few uninfected binaries in that user's
> account. Make sure that you have an unmodified version available for
> comparison.
> On one hand I don't like to approve this until Peter has verified this,
> but on the other hand if there is really a linux-virus on the loose, you
> all would like to hear about it ASAP right? -- REW]
Peter and all,
I've forwarded your message and the reply by Todd to
the Chief AV Researcher at McAfee Associates (the
premier PC Anti-virus company).
Jimmy is a friend of mine (I used to be the sysadmin
there) and has assured me that he will look into it
first thing in the morning (he's here at my house now).
This would be the first "live and in-the-wild" Linux
virus that I've ever heard of -- have I been missing
something?
In any event -- McAfee may be able to add this to
their existing uvscan product. uvscan scans Linux
filesystems for DOS and Windows (including Word Macro)
viruses. It may be possible for the AV team to
simply add bliss' signature to the next release -- and
it may even be possible for them to create a remover.
However -- the current version of this is almost
guaranteed not to detect or remove this (unless
someone at McAfee's AV team discovered this without
telling the boss).
I noticed your detection mechanism -- it seems like
we could add something to the zmagic file to allow
the stock Linux 'file' command to identify Bliss
infected binaries. Then a command like:
# assumes a zmagic entry that makes file(1) print "Bliss Infected"
find / -type f -print | { while read -r i; do
file "$i" | grep -q "Bliss Infected" && \
echo "$i"
#do something about the infected files
done
}
Would do the trick. An interim solution would be
to simply rm all infected files and restore from
CD or via FTP.
If you could cut a tape or other backup of your
system in its infected state it might be of
interest to the McAfee team.
Who knows how to update the zmagic file?
Jimmy has asked me to let everyone on this list
know that if you want updates on this issue -- or
if you have further information, please feel free
to forward it through me or directly to cjkuo@mcafee.com.
I suppose this would be a great time to recommend
that more people get and install 'tripwire' and
cops and that everyone use the 'chattr +i' command to
help protect their libs and binaries from lame attacks
such as these.
tripwire and cops are available at
the COAST archive at cs.purdue.edu
Information about using 'chattr' to
mark your files as immutable is in the
Linux-Tips HOWTO (actually submitted
to them by moi).
Note -- currently the immutable flag under
ext2fs is of limited security value since
any root run program that wants to can
simply chattr it back. However -- it would
be effective against crude and lame attacks
like this one (as described in Todd's excerpt).
The addition of a BSD-like 'securelevel'
(which is in the works for the 2.1 kernels)
will make the "immutable" flag a viable
security feature.
A final note:
This should serve as yet another reminder that we
must always be aware of the trust that we place in
the sources for all of our files.
The fact that a system is a single-user workstation
should not lull any of us into allowing the admin
of that system to neglect proper ownership and permissions
conventions.
Here's a one line script to find any files on your path
to which you have write access (run this under
your normal login id).
#! /bin/bash
## find.wx-files -- list executables on $PATH that the current user can write to
find $(echo "$PATH" | tr : " ") -type f | \
{ while read -r i; do [ -x "$i" ] && [ -w "$i" ] && ls -l "$i" ; done }
While doing this I discovered several files that
were writable by me in my normal account (I was a
member of the 'root' group). Red Hat 3.03 leaves
a number of X11R6 binaries group writable.
I've fixed that now (and permissions don't prevail
over ext2fs attributes anyway).
--
Jim Dennis, info@mail.starshine.org
Proprietor, consulting@mail.starshine.org
Starshine Technical Services http://www.starshine.org
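An added example, not code from Jim's post: a small shell script that turns two pieces of the advice above into checks you can run. `loose_execs` generalizes the find.wx-files one-liner by flagging any executable whose mode bits make it group- or world-writable (the Red Hat 3.03 X11R6 situation), independent of who runs it; `user_writable_execs` is the original "what can I write to on my path" check. `baseline_build`/`baseline_check` record a SHA-256 per file and report changed, added and missing files, standing in for the tripwire recommendation at a very small scale. It assumes a Linux box with `stat -c` and `sha256sum` (GNU coreutils or busybox), and file paths without whitespace; the directory names in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Two defender-side checks in
# the spirit of the post's advice: an audit of executables that could be
# tampered with, and a minimal tripwire-style hash baseline.
# Assumes: Linux, GNU/busybox `stat -c` and `sha256sum`, paths without spaces.

# Executables whose mode bits let the group or everyone write to them
# (the group-writable X11R6 binaries the post found on Red Hat 3.03).
# Independent of who runs the check. Output: "<octal mode> <path>".
loose_execs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            [ -x "$f" ] || continue
            mode=$(stat -c '%a' "$f") || continue
            # 022 masks the g+w and o+w bits of the octal mode
            if [ "$(( 0$mode & 022 ))" -ne 0 ]; then
                printf '%s %s\n' "$mode" "$f"
            fi
        done
    done
    return 0
}

# Executables the *current* user can modify, for whatever reason (owner,
# group membership, world-writable). Run it under your normal login as the
# post says; run as root it lists everything and tells you nothing.
user_writable_execs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            if [ -x "$f" ] && [ -w "$f" ]; then ls -l "$f"; fi
        done
    done
    return 0
}

# baseline_build DIR FILE: record "<sha256>  <relative path>" for every
# regular file under DIR, in a stable order, into FILE.
baseline_build() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done
    ) > "$2"
}

# baseline_check DIR FILE: compare DIR against a baseline made earlier.
# Prints "ADDED <p>", "CHANGED <p>" or "MISSING <p>" per finding and returns
# 1 if anything differs, 0 when the tree still matches the baseline.
baseline_check() {
    tmp=$(mktemp) || return 2
    baseline_build "$1" "$tmp"
    # first file (the baseline) fills old[path]=hash; second file is compared
    findings=$(awk 'FILENAME==ARGV[1] { old[$2]=$1; next }
        { if (!($2 in old)) print "ADDED " $2; else if (old[$2] != $1) print "CHANGED " $2; delete old[$2] }
        END { for (p in old) print "MISSING " p }' "$2" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (file and directory names hypothetical):
#   sh audit.sh audit                    # check every directory on $PATH
#   sh audit.sh build /usr/bin base.txt  # take a baseline of /usr/bin
#   sh audit.sh check /usr/bin base.txt  # report what changed since then
case "${1:-}" in
    audit) old_ifs=$IFS; IFS=:; set -- $PATH; IFS=$old_ifs
           loose_execs "$@"; user_writable_execs "$@" ;;
    build) baseline_build "$2" "$3" ;;
    check) baseline_check "$2" "$3" ;;
esac
```

The baseline only has value if it is stored somewhere the intruder cannot reach (removable media, a remote host), which is the same point the post makes about the immutable flag: a root-level attacker can rewrite both; the check is aimed at crude, non-root tampering such as a trojaned user-installed binary.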