Viruses from Linux and cross contamination: a discussion
I have a mate who works as a programmer/researcher for symantec nz, I had occasion to ask about windows/linux cross contamination recently... the reply was good enough I figured it was worth sharing.
Note: this should not be treated as official symantec opinion - just an off-the-top-of-my-head from someone immersed in the feild. There are probably many others on this forum in a similar position, perhaps they'd like to comment?
SB: What sort of potential is there for linux/windows cross contamination?
Hybrid viruses have been created:
http://vil.nai.com/vil/content/v_99060.htm is one example. Although the
Windows and Linux file formats are different, they aren't *that*
different, at least if they are running on the same machine architecture
(x86 or x64).
The rising capability of Win32 platform emulators like Wine has meant
that they can also host Windows viruses and other malware on Linux,
although it generally won't spread out beyond the emulated subsystem.
Those emulators are quite incredibly faithful recreations of the Win32
API programming environment.
The Wine case is the one that does introduce real risks of
cross-transmission; it means that a hybrid attack like the one above
could enter via a PE file but modify native ELF binaries and thus
"escape" the platform emulation.
SB: But wouldn't the user need to have formally activated it by some action (opening an attachment, running a script)?
Normally, yes, although people do seem to do that kind of thing :-P
Another thing to consider is the use of things like Samba file sharing;
some Windows viruses go looking for network shares to infect; although
secure file sharing is possible, it's simply so easy and convenient to
create an open share, especially in a home networking environment.
Plus of course there are always worms that attack via buffer overflows
and the like. Usually those are sensitive to stack and memory layout and
so not cross-platform, but they can strike really any system. The one
most worthy of study is the Witty worm, which is an amazing piece of
malware http://www.icsi.berkeley.edu/~nweaver/login_witty.txt - it's a
SB:Many linux users are smug about the lack of threat to and by their system... is this justified?
Well, to be fair they have some good reason to. The single most
important thing about Linux in the past is that just about everyone
recompiled everything from source. That's less true nowadays, and with
current Linux their greatest real defense is that out of the box people
are installed without administrative privileges (this is also true of
MacOS X, by the way). Vista will be introducing exactly this for
Windows, and it'll be a big help (although it'll be a long transition
process, and painful for ISVs).
The fact that so many users are now installing binary Debian packages
rather than compiling from source - particularly true of distributions
like Ubuntu - mean that they are worth keeping an eye on. Although they
do have pretty good quality procedures, if a piece of hybrid malware was
able to *launch* via tainted submissions to one of those binary package
repositories it could get pretty far, pretty fast. People doing those
package installations routinely grant elevated privileges to the package
Although I wouldn't expect that to come from the major distribution
repositories, it shows that the Linux community is extending into the
kind of point-and-click mass-market environment where people can be
socially engineered into doing things to themselves.
All things even, I'll stick with Linux. I would trust Linux out of the box more than I would trust windoze even after a guru got a hold to it and locked it down tight. Linux is just made better.
:D :D :D :D :D
I have noticed that some misguided souls are running IE and Outlook under wine ...
Personally I run a virus scanner mostly to check files I may be passing from one windows machine to another. Though I tend to change certain file formats (ie DOC) on the way.
I think this guy has probably stuck his thumb right on things to watch in the future. I note that cross-platform malware is still in the concept stage.
The "point-and-click society" and "social engineering" comment strikes a chord. As usual, the biggest security threat is the user doing something dumb.
And what about multi-boot environments? I work in Linux, but I play and test under Windows, in the same machine. Is there a chance that a Windows virus could affect the Linux partition? I beleive it could be easy to alter files in the linux partitions by a virus accesing them from Windows.
But since windows doesn't include native support for linux file systems, the virus code itself would probably have to handle writing to the linux partition, which again makes this possibility even more unlikely.
There is a clear advantage here - the virus can spread primarily through windows as the more vulnerable, but can blindside folk who are too complacent about their lin partitions.
Personally, none of the dual boot machines I've set up have had windows knowing anything about the linx partitions. The only justification I've had for dual-boot is to keep the licence for those windows codecs and fonts etc on a laptop - since I've paid the redmond tax anyway.
An interesting question, from my end, then, is: can a win virus infect a lin partition even when the partition has not been assigned a drive letter in windows?
There are third party tools that allow you to access linux drives from windows, so obviously they needed to access the drive-letter-less partitions in the first place.
If these tools can do it, then why couldn't a virus?
Probably the only thing stopping them is that this task is too complicated for a typical virus writer.
FUD detector on.
Multi-os virii exist for something like 10 years, I can't remember the name but there was one created a long time ago as a proof of concept.
Multi Architecture virus, shellcodes exist for a long time, there has been some nice research on this.
For somebody having a good bookmark, a little bit clever, average coding skill, I would say that it would take 1 day to do, really. Copy paste primarly.
Even a virus searching on another disk (disabled in BIOS?) is theorically possible.
Encrypt your partition or don't use multi os... if you're really paranoid.
I understood that multi-boot environments were fairly new (post 1980?) so one would not expect to see a (say) Apple II binary executable to hunt the apple for DOS4 files to infect? It's possible in principle, but why would anyone write one? (Though, in those days, one could write malware as a BASIC program which could run on, pretty much, any platform. Cross-platform is only part of what I'm talking about.)
this isnt new...the logic bombs are shotty. its a great way to inject spyware though, be careful. if you make your own flavor, you will be safer.
|All times are GMT -5. The time now is 10:20 AM.|