LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-07-2006, 02:36 PM   #1
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Exclamation New Cross-Platform Virus Proof of Concept


Quote:
Kaspersky Labs is reporting a new proof-of-concept virus capable of infecting both Windows and Linux systems.

The cross-platform virus is relatively simple and appears to have a low impact, according to Kaspersky. Even so, it could be a sign that virus writers are beginning to research ways of writing new code capable of infecting multiple platforms, said Shane Coursen, senior technical consultant at Kaspersky.
Complete Article


Quote:
Viruslist is reporting on a cross platform Proof of Concept (PoC) virus that works on both Linux and Windows machines. It is claimed to be capable of infecting both the linux ELF binaries and .exe's from windows.

The impact of the PoC at this point is very low in itself, but it is a sign the cross platform aspects are becoming important. As the developers of viruses continue to research this, we will see (more) cross platform malware come about in the future.
Complete Article


Quote:
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file.

Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.

The virus uses the Kernel32.dll function to infect systems running Win32. It injects its code to the final section, and gains control by again changing the entry point. Infected PE files contain the same 2-byte signature as ELF files; the signature is placed in the PE TimeDateStamp header.
Complete Article

Last edited by win32sux; 04-08-2006 at 04:01 PM.
 
Old 04-07-2006, 04:12 PM   #2
weibullguy
ReliaFree Maintainer
 
Registered: Aug 2004
Location: Kalamazoo, Michigan
Distribution: Slackware-current, Cross Linux from Scratch, Gentoo
Posts: 2,734
Blog Entries: 1

Rep: Reputation: 224Reputation: 224Reputation: 224
It's bound to happen as *nix becomes more popular. I think the *nix community will be better equipped to deal with it though. Clearly, anything that can disrupt government/business should be taken seriously. As a "home" *nixer with my "pet" computer, it doesn't fill me with the same heartstopping dread new malicious Win code does.

I suspect it will provide the *nix community yet another opportunity to outshine that other somewhat popular OS. Most *nix users are hackers (in its original sense) and probably represent a greater threat to themselves just by their constant tweaking anyway!
 
Old 04-07-2006, 05:44 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Marketoid FUD doesn't impress me at all.

Last edited by unSpawn; 04-07-2006 at 05:48 PM. Reason: //Have keybd, cant type
 
Old 04-07-2006, 11:31 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Isn't this the same thing that Simile did? I don't see how this is any different/new.
 
Old 04-08-2006, 07:36 PM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,378

Rep: Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108
No, it isn't ... and the real defense is still the same (for both Windows and Linux): intelligent use of user-accounts and privileges.

Basically, you can't prevent a "rogue program" from getting run. But you can make sure that it can't do anything harmful to your computer -- just by making sure that you are not using an "all-powerful" user account. The account that you use every day should be an "ordinary joe." In Windows-land, that's a "limited user."

In order to be effective, a virus has to run with fairly godly privileges -- or it has to be run on a system where all of the available file-protection mechanisms aren't being used. And that .. unfortunately .. describes the garden-variety Windows machine as currently deployed.
 
Old 04-08-2006, 07:54 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by sundialsvcs
Basically, you can't prevent a "rogue program" from getting run. But you can make sure that it can't do anything harmful to your computer -- just by making sure that you are not using an "all-powerful" user account.
i respectfully disagree... deleting all of my precious documents and/or getting me in trouble with my ISP for sending 1,000 SPAMs or even virus infected emails per hour is pretty harmful in my book... and neither of those things require root privilages...

i do understand what you are saying, though, and it's true that the non-root user accounts do cut you some slack - as far as the system is concerned... but still, at the end of the day the most important thing we have is our data in /home/$USER... how many of us have our /home directories mounted noexec?? not many, and as such we could get hit hard by a "rogue program" if we aren't careful, or if we're too, ummm, overconfident about our non-root user accounts...

Last edited by win32sux; 04-08-2006 at 08:17 PM.
 
Old 04-08-2006, 11:45 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by sundialsvcs
No, it isn't ...
If that's in response to my post, then care to expand on why it's not?
 
Old 04-09-2006, 02:11 AM   #8
jack36987
LQ Newbie
 
Registered: Apr 2006
Distribution: Gentoo
Posts: 5

Rep: Reputation: 0
I think that in many ways its good that its been done and is public because linux has had a major virus problem heading its way for a while now and so the sooner we start to tighten up our virus security the better.
 
Old 04-09-2006, 02:31 AM   #9
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 73
Personally I don't think this deserved to be news at all. Firstly Linux has had viruses for ages and they have mostly been proof of concept so this is not new. This is just a way to create FUD and drive people away from Linux because they will think its security model is just as poor as Windows. One thing I worry about, is that some of these antivirus companies actually create these things to make money (call me a conspiracy theorist).

Last edited by reddazz; 04-09-2006 at 03:22 AM.
 
Old 04-09-2006, 03:10 AM   #10
MikeGS
LQ Newbie
 
Registered: May 2005
Location: New Zealand
Posts: 8

Rep: Reputation: 0
I'd like to ask a question based on win32sux's post.

I'm new to Linux (we've been a windows free household for 12 months as of two days ago) and I'm still learning, but having read win32sux's post I played around with making my home directory non-executable. This had the desired effect - no programs could be run, but obviously I still need to be able to run some programs from my user login.

Since my approach was obviously too simplistic, could someone please take the time to elaborate on win32sux's post and explain to me how I can make my home directory non-exec (to protect against malware), but still run the applications I need.

Mike.
 
Old 04-09-2006, 04:23 AM   #11
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,754

Rep: Reputation: 169Reputation: 169
Quote:
Originally Posted by Arow
It's bound to happen as *nix becomes more popular.
That's a misconception that is becoming all too common. Viruses in Unix-type systems will only ever be able to cause damage from a user's home account. Unless one is constantly using the root account for day-to-day tasks, one has very little to worry about. Intelligent system design which completely separates the system from the user ensures that we'll never see the same level of devastation under any of the *nixes that we see constantly under Windows.
 
Old 04-09-2006, 05:59 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
There's two things that always strike me in these articles, and people answering question on LQ about viruses. One is the lack of proper "translation" to NIX systems about threats in general. If you talk to wintendo users asking about viruses please include the threat of worms, exploits, rootkits on NIX platforms. Without mentioning those and our defenses no answer is complete in my opinion.

The second thing, and many pointed that out, is that due to Discretionary Access Control (DAC, std owner-based permissions) no virus can infect a whole system. The ancient DAC saves our hide each and every time. No Linux virus at this time has the capability to cross the DAC-line, but once anything foreign is on the system it has the advantage of simply being on the system: gaining a foothold is invaluable. Once there it has the time to do whatever because on most systems users are considered "trusted", period. So, how to stop it? What should be focussed on, on top of DAC, is Mandatory Access Control (MAC), which for instance GRSecurity or SELinux provide (* note they don't cooperate). MAC allows you to design rules that exactly name capabilities, limits and any type of access for an application. So you could have one that gives named application read rights on /etc/password but nothing else in the /etc tree, traversal and read rights in the /some/dir/www tree, but only read rights in /var/log/somedir. On a tightly configured system applications that don't have rules attached will not run.

Features in kernel patchsets that add MAC can also help answering one of the questions asked here:
@sundialsvcs: Basically, you can't prevent a "rogue program" from getting run. / @MikeGS make my home directory non-exec: Yes, you can. Enter "Trusted Path Execution" (TPE). GRSecurity, LSM and LIDS feature TPE. From the GRSecurity kernel patched kernel documentation:
Quote:
CONFIG_GRKERNSEC_TPE:
If you say Y here, you will be able to choose a gid to add to the
supplementary groups of users you want to mark as "untrusted."
These users will not be able to execute any files that are not in
root-owned directories writeable only by root. If the sysctl option
is enabled, a sysctl option with name "tpe" is created.
Does it stop there? No. Since Linux is "the networking workhorse" let me highlight one more feature GRSecurity provides: disallowing sockets. Simply by adding their group to a special group (defined at compiletime) you can deny (groups of) users any socket access, inbound (running services) or outbound (connecting as client).


We know Linux systems are powerful. Since it is much easier to find a vulnerable Linux system and use it's resources for profit (gain power or money instead of destroying it, which still is the trend) defending against the threat from worms, exploits and rootkits is what we should focus on in my humble opinion, so: discuss, plan, act.
 
Old 04-09-2006, 06:30 AM   #13
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

Rep: Reputation: 30
Quote:
Originally Posted by Arow
I think the *nix community will be better equipped to deal with it though.
ditto that!

We have a lot better understanding of IT security, than those stupid windoze users...
 
Old 04-09-2006, 03:45 PM   #14
weibullguy
ReliaFree Maintainer
 
Registered: Aug 2004
Location: Kalamazoo, Michigan
Distribution: Slackware-current, Cross Linux from Scratch, Gentoo
Posts: 2,734
Blog Entries: 1

Rep: Reputation: 224Reputation: 224Reputation: 224
Quote:
Originally Posted by rkelsen
That's a misconception that is becoming all too common. Viruses in Unix-type systems will only ever be able to cause damage from a user's home account.
My point was that as the number of *nix machines in the home grows, the OS is likely to become a more popular target. Even if the only thing that gets hosed is one user's account, it's still malicious, and that's what (I guess) motivates people to create viruses. But, you're right, the greatest security weakness on a *nix system is the user spending too much time as root.
 
Old 04-09-2006, 10:59 PM   #15
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114Reputation: 114
Quote:
Originally Posted by MikeGS
I'd like to ask a question based on win32sux's post.

I'm new to Linux (we've been a windows free household for 12 months as of two days ago) and I'm still learning, but having read win32sux's post I played around with making my home directory non-executable. This had the desired effect - no programs could be run, but obviously I still need to be able to run some programs from my user login.

Since my approach was obviously too simplistic, could someone please take the time to elaborate on win32sux's post and explain to me how I can make my home directory non-exec (to protect against malware), but still run the applications I need.

Mike.
Specifically, you found that no programs located in your home directory could be run. To run programs, therefore, you would place them someplace else on the system where executables were allowed.

Ideally this protects you since most malware is going to find itself in your home directory, having arrived in an email or some such, and if it can't execute then it can't do a thing to you.

Myself, I don't set my home as noexec; most people don't. Keep in mind that the security of a *nix system can be set waaaaaaay up, but the consequence is to make it annoying to use.

Set the security to deal with the most likely threats. Given that virii are not a big threat in the *nix world, and given that proper usage procedures minimize that threat still further, leaving exec turned on in /home/ is safe enough most of the time.

The real important thing is to not be root, unless you have to, and then only for so long as you have to. Also, don't put your home directory or your current directory into the path. Follow those two rules and you will more than likely be safe from what comes down the road.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
cross platform macros dmail Programming 4 12-20-2005 09:16 PM
cross platform c++ nyomon Programming 6 07-03-2005 03:24 PM
cross platform filesystem z9_87 Linux - Hardware 5 03-20-2005 06:49 PM
LDAP + Proof Of Concept damicatz Linux - Networking 5 11-27-2004 04:50 PM
Cross Platform biggiefatts Linux - Software 4 06-04-2002 03:00 PM


All times are GMT -5. The time now is 09:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration