LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-11-2006, 11:09 PM   #1
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Viruses from Linux and cross contamination: a discussion


I have a mate who works as a programmer/researcher for symantec nz, I had occasion to ask about windows/linux cross contamination recently... the reply was good enough I figured it was worth sharing.

Note: this should not be treated as official symantec opinion - just an off-the-top-of-my-head from someone immersed in the feild. There are probably many others on this forum in a similar position, perhaps they'd like to comment?

SB: What sort of potential is there for linux/windows cross contamination?

Hybrid viruses have been created:
http://vil.nai.com/vil/content/v_99060.htm is one example. Although the
Windows and Linux file formats are different, they aren't *that*
different, at least if they are running on the same machine architecture
(x86 or x64).

The rising capability of Win32 platform emulators like Wine has meant
that they can also host Windows viruses and other malware on Linux,
although it generally won't spread out beyond the emulated subsystem.
Those emulators are quite incredibly faithful recreations of the Win32
API programming environment.

The Wine case is the one that does introduce real risks of
cross-transmission; it means that a hybrid attack like the one above
could enter via a PE file but modify native ELF binaries and thus
"escape" the platform emulation.


SB: But wouldn't the user need to have formally activated it by some action (opening an attachment, running a script)?

Normally, yes, although people do seem to do that kind of thing :-P

Another thing to consider is the use of things like Samba file sharing;
some Windows viruses go looking for network shares to infect; although
secure file sharing is possible, it's simply so easy and convenient to
create an open share, especially in a home networking environment.

Plus of course there are always worms that attack via buffer overflows
and the like. Usually those are sensitive to stack and memory layout and
so not cross-platform, but they can strike really any system. The one
most worthy of study is the Witty worm, which is an amazing piece of
malware http://www.icsi.berkeley.edu/~nweaver/login_witty.txt - it's a
sobering paper.


SB:Many linux users are smug about the lack of threat to and by their system... is this justified?

Well, to be fair they have some good reason to. The single most
important thing about Linux in the past is that just about everyone
recompiled everything from source. That's less true nowadays, and with
current Linux their greatest real defense is that out of the box people
are installed without administrative privileges (this is also true of
MacOS X, by the way). Vista will be introducing exactly this for
Windows, and it'll be a big help (although it'll be a long transition
process, and painful for ISVs).

The fact that so many users are now installing binary Debian packages
rather than compiling from source - particularly true of distributions
like Ubuntu - mean that they are worth keeping an eye on. Although they
do have pretty good quality procedures, if a piece of hybrid malware was
able to *launch* via tainted submissions to one of those binary package
repositories it could get pretty far, pretty fast. People doing those
package installations routinely grant elevated privileges to the package
installers.

Although I wouldn't expect that to come from the major distribution
repositories, it shows that the Linux community is extending into the
kind of point-and-click mass-market environment where people can be
socially engineered into doing things to themselves.
 
Old 04-12-2006, 02:44 AM   #2
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 65
All things even, I'll stick with Linux. I would trust Linux out of the box more than I would trust windoze even after a guru got a hold to it and locked it down tight. Linux is just made better.

Later

 
Old 04-12-2006, 04:23 AM   #3
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Original Poster
Rep: Reputation: 197Reputation: 197
I have noticed that some misguided souls are running IE and Outlook under wine ...

Personally I run a virus scanner mostly to check files I may be passing from one windows machine to another. Though I tend to change certain file formats (ie DOC) on the way.

I think this guy has probably stuck his thumb right on things to watch in the future. I note that cross-platform malware is still in the concept stage.

The "point-and-click society" and "social engineering" comment strikes a chord. As usual, the biggest security threat is the user doing something dumb.
 
Old 04-12-2006, 08:09 AM   #4
edmundo_ba
LQ Newbie
 
Registered: Jun 2004
Location: Buenos Aires
Distribution: slackware 12
Posts: 26

Rep: Reputation: 15
And what about multi-boot environments? I work in Linux, but I play and test under Windows, in the same machine. Is there a chance that a Windows virus could affect the Linux partition? I beleive it could be easy to alter files in the linux partitions by a virus accesing them from Windows.
 
Old 04-12-2006, 08:40 AM   #5
Slick666
Member
 
Registered: Feb 2006
Distribution: Ubuntu 8.04; Debian Etch
Posts: 167

Rep: Reputation: 33
Quote:
All things even, I'll stick with Linux. I would trust Linux out of the box more than I would trust windoze even after a guru got a hold to it and locked it down tight. Linux is just made better.
While my sentiments are pretty much the same I do feel that all computer users, not just those who could get infected, are responsible to limit the propagation of viruses. I also feel that if we in the Linux community are too careless we will find ourselves having more and more in common with our Windows cousins.
 
Old 04-12-2006, 08:49 AM   #6
geeman2.0
Member
 
Registered: Feb 2005
Location: Ontario, Canada
Distribution: Gentoo, Slackware
Posts: 345

Rep: Reputation: 30
Quote:
Is there a chance that a Windows virus could affect the Linux partition?
Certainly there is, it's just very unlikely to see a windows virus that targets linux partitions.
But since windows doesn't include native support for linux file systems, the virus code itself would probably have to handle writing to the linux partition, which again makes this possibility even more unlikely.
 
Old 04-12-2006, 08:59 AM   #7
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Original Poster
Rep: Reputation: 197Reputation: 197
Quote:
And what about multi-boot environments?
If you peruse the links in the first post to this thead, you'll see there exists already a win32 virus which looks for linux file systems, and tries to infect ELF binaries on those file systems. Something that is particularily an issue in multi-boot environments.

There is a clear advantage here - the virus can spread primarily through windows as the more vulnerable, but can blindside folk who are too complacent about their lin partitions.

Personally, none of the dual boot machines I've set up have had windows knowing anything about the linx partitions. The only justification I've had for dual-boot is to keep the licence for those windows codecs and fonts etc on a laptop - since I've paid the redmond tax anyway.

An interesting question, from my end, then, is: can a win virus infect a lin partition even when the partition has not been assigned a drive letter in windows?
 
Old 04-12-2006, 09:16 AM   #8
geeman2.0
Member
 
Registered: Feb 2005
Location: Ontario, Canada
Distribution: Gentoo, Slackware
Posts: 345

Rep: Reputation: 30
Quote:
An interesting question, from my end, then, is: can a win virus infect a lin partition even when the partition has not been assigned a drive letter in windows?
I would assume so.
There are third party tools that allow you to access linux drives from windows, so obviously they needed to access the drive-letter-less partitions in the first place.
If these tools can do it, then why couldn't a virus?

Probably the only thing stopping them is that this task is too complicated for a typical virus writer.
 
Old 04-12-2006, 11:06 AM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
FUD detector on.
BEEEEPPPPP

Multi-os virii exist for something like 10 years, I can't remember the name but there was one created a long time ago as a proof of concept.
Multi Architecture virus, shellcodes exist for a long time, there has been some nice research on this.

For somebody having a good bookmark, a little bit clever, average coding skill, I would say that it would take 1 day to do, really. Copy paste primarly.
Even a virus searching on another disk (disabled in BIOS?) is theorically possible.

Encrypt your partition or don't use multi os... if you're really paranoid.

Last edited by nx5000; 04-12-2006 at 11:09 AM.
 
Old 04-12-2006, 05:27 PM   #10
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Original Poster
Rep: Reputation: 197Reputation: 197
I understood that multi-boot environments were fairly new (post 1980?) so one would not expect to see a (say) Apple II binary executable to hunt the apple for DOS4 files to infect? It's possible in principle, but why would anyone write one? (Though, in those days, one could write malware as a BASIC program which could run on, pretty much, any platform. Cross-platform is only part of what I'm talking about.)
 
Old 04-16-2006, 11:04 PM   #11
operator10001
Member
 
Registered: Mar 2006
Distribution: debian sarge
Posts: 222

Rep: Reputation: 30
this isnt new...the logic bombs are shotty. its a great way to inject spyware though, be careful. if you make your own flavor, you will be safer.
operator
 
Old 04-17-2006, 12:28 AM   #12
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Original Poster
Rep: Reputation: 197Reputation: 197
Quote:
Originally Posted by operator10001
this isnt new...
I'm sorry? Dual boot computers are not new?
 
  


Reply

Tags
desktoplinux, interesting, malware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
viruses in linux? chemdawg Linux - Newbie 7 01-28-2005 01:31 AM
linux and viruses im_ka Fedora 2 02-13-2004 06:12 PM
module contamination? pbjazzy007 Linux - Networking 6 09-29-2003 07:38 PM


All times are GMT -5. The time now is 01:13 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration