
Simon Bridge 04-11-2006 11:09 PM

Viruses from Linux and cross contamination: a discussion
I have a mate who works as a programmer/researcher for symantec nz, I had occasion to ask about windows/linux cross contamination recently... the reply was good enough I figured it was worth sharing.

Note: this should not be treated as official symantec opinion - just an off-the-top-of-my-head from someone immersed in the field. There are probably many others on this forum in a similar position, perhaps they'd like to comment?

SB: What sort of potential is there for linux/windows cross contamination?

Hybrid viruses have been created: is one example. Although the
Windows and Linux file formats are different, they aren't *that*
different, at least if they are running on the same machine architecture
(x86 or x64).

The rising capability of Win32 platform emulators like Wine has meant
that they can also host Windows viruses and other malware on Linux,
although it generally won't spread out beyond the emulated subsystem.
Those emulators are quite incredibly faithful recreations of the Win32
API programming environment.

The Wine case is the one that does introduce real risks of
cross-transmission; it means that a hybrid attack like the one above
could enter via a PE file but modify native ELF binaries and thus
"escape" the platform emulation.

SB: But wouldn't the user need to have formally activated it by some action (opening an attachment, running a script)?

Normally, yes, although people do seem to do that kind of thing :-P

Another thing to consider is the use of things like Samba file sharing;
some Windows viruses go looking for network shares to infect; although
secure file sharing is possible, it's simply so easy and convenient to
create an open share, especially in a home networking environment.

Plus of course there are always worms that attack via buffer overflows
and the like. Usually those are sensitive to stack and memory layout and
so not cross-platform, but they can strike really any system. The one
most worthy of study is the Witty worm, which is an amazing piece of
malware - it's a sobering paper.

SB: Many linux users are smug about the lack of threat to and by their system... is this justified?

Well, to be fair they have some good reason to. The single most
important thing about Linux in the past is that just about everyone
recompiled everything from source. That's less true nowadays, and with
current Linux their greatest real defense is that out of the box people
are installed without administrative privileges (this is also true of
MacOS X, by the way). Vista will be introducing exactly this for
Windows, and it'll be a big help (although it'll be a long transition
process, and painful for ISVs).

The fact that so many users are now installing binary Debian packages
rather than compiling from source - particularly true of distributions
like Ubuntu - means that they are worth keeping an eye on. Although they
do have pretty good quality procedures, if a piece of hybrid malware was
able to *launch* via tainted submissions to one of those binary package
repositories it could get pretty far, pretty fast. People doing those
package installations routinely grant elevated privileges to the package

Although I wouldn't expect that to come from the major distribution
repositories, it shows that the Linux community is extending into the
kind of point-and-click mass-market environment where people can be
socially engineered into doing things to themselves.
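The reply above singles out open Samba shares as the easy way for a Windows worm to reach Linux-hosted files. As an added example (not from the thread or from Samba itself), here is a small Python audit that parses an smb.conf and flags every share that is both guest-accessible and writable; the sample configuration is constructed for the demo.

```python
import configparser

# Constructed sample smb.conf (not from the thread): one open writable
# share, one share restricted to a named user and read only.
SAMPLE_SMB_CONF = """
[global]
   workgroup = HOME
   map to guest = Bad User

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[docs]
   path = /srv/docs
   valid users = alice
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}

def _flag(section, key, default):
    """Read a Samba boolean parameter (Samba accepts yes/no, true/false, 1/0)."""
    if key not in section:
        return default
    return section[key].strip().lower() in TRUE_VALUES

def share_is_writable(section):
    """'read only' (default yes) wins; 'writable'/'writeable'/'write ok' are its inverse synonyms."""
    if "read only" in section:
        return not _flag(section, "read only", True)
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return _flag(section, key, False)
    return False

def find_open_writable_shares(conf_text):
    """Return the names of shares that allow guest access and are writable."""
    # interpolation=None: smb.conf values legitimately contain '%U', '%m' etc.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    risky = []
    for name in cp.sections():
        if name.lower() in ("global", "homes", "printers"):
            continue  # special sections, not ordinary shares
        sec = cp[name]
        guest = _flag(sec, "guest ok", False) or _flag(sec, "public", False)
        if guest and share_is_writable(sec):
            risky.append(name)
    return risky

if __name__ == "__main__":
    print("open writable shares:", find_open_writable_shares(SAMPLE_SMB_CONF))
```

Run it against `/etc/samba/smb.conf` on a home server to see which shares a worm running as an anonymous SMB client could write to.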

dalek 04-12-2006 02:44 AM

All things even, I'll stick with Linux. I would trust Linux out of the box more than I would trust windoze even after a guru got a hold to it and locked it down tight. Linux is just made better.


:D :D :D :D :D

Simon Bridge 04-12-2006 04:23 AM

I have noticed that some misguided souls are running IE and Outlook under wine ...

Personally I run a virus scanner mostly to check files I may be passing from one windows machine to another. Though I tend to change certain file formats (ie DOC) on the way.

I think this guy has probably stuck his thumb right on things to watch in the future. I note that cross-platform malware is still in the concept stage.

The "point-and-click society" and "social engineering" comment strikes a chord. As usual, the biggest security threat is the user doing something dumb.

edmundo_ba 04-12-2006 08:09 AM

And what about multi-boot environments? I work in Linux, but I play and test under Windows, in the same machine. Is there a chance that a Windows virus could affect the Linux partition? I believe it could be easy to alter files in the linux partitions by a virus accessing them from Windows.

Slick666 04-12-2006 08:40 AM


All things even, I'll stick with Linux. I would trust Linux out of the box more than I would trust windoze even after a guru got a hold to it and locked it down tight. Linux is just made better.
While my sentiments are pretty much the same I do feel that all computer users, not just those who could get infected, are responsible to limit the propagation of viruses. I also feel that if we in the Linux community are too careless we will find ourselves having more and more in common with our Windows cousins.

geeman2.0 04-12-2006 08:49 AM


Is there a chance that a Windows virus could affect the Linux partition?
Certainly there is, it's just very unlikely to see a windows virus that targets linux partitions.
But since windows doesn't include native support for linux file systems, the virus code itself would probably have to handle writing to the linux partition, which again makes this possibility even more unlikely.

Simon Bridge 04-12-2006 08:59 AM


And what about multi-boot environments?
If you peruse the links in the first post to this thread, you'll see there exists already a win32 virus which looks for linux file systems, and tries to infect ELF binaries on those file systems. Something that is particularly an issue in multi-boot environments.

There is a clear advantage here - the virus can spread primarily through windows as the more vulnerable, but can blindside folk who are too complacent about their lin partitions.

Personally, none of the dual boot machines I've set up have had windows knowing anything about the linux partitions. The only justification I've had for dual-boot is to keep the licence for those windows codecs and fonts etc on a laptop - since I've paid the redmond tax anyway.

An interesting question, from my end, then, is: can a win virus infect a lin partition even when the partition has not been assigned a drive letter in windows?

geeman2.0 04-12-2006 09:16 AM


An interesting question, from my end, then, is: can a win virus infect a lin partition even when the partition has not been assigned a drive letter in windows?
I would assume so.
There are third party tools that allow you to access linux drives from windows, so obviously they needed to access the drive-letter-less partitions in the first place.
If these tools can do it, then why couldn't a virus?

Probably the only thing stopping them is that this task is too complicated for a typical virus writer.

nx5000 04-12-2006 11:06 AM

FUD detector on.

Multi-os virii exist for something like 10 years, I can't remember the name but there was one created a long time ago as a proof of concept.
Multi Architecture virus, shellcodes exist for a long time, there has been some nice research on this.

For somebody having a good bookmark, a little bit clever, average coding skill, I would say that it would take 1 day to do, really. Copy paste primarily.
Even a virus searching on another disk (disabled in BIOS?) is theoretically possible.

Encrypt your partition or don't use multi os... if you're really paranoid.

Simon Bridge 04-12-2006 05:27 PM

I understood that multi-boot environments were fairly new (post 1980?) so one would not expect to see a (say) Apple II binary executable to hunt the apple for DOS4 files to infect? It's possible in principle, but why would anyone write one? (Though, in those days, one could write malware as a BASIC program which could run on, pretty much, any platform. Cross-platform is only part of what I'm talking about.)

operator10001 04-16-2006 11:04 PM

This isn't new... the logic bombs are shoddy. It's a great way to inject spyware though, be careful. If you make your own flavor, you will be safer.

Simon Bridge 04-17-2006 12:28 AM


Originally Posted by operator10001
This isn't new...

I'm sorry? Dual boot computers are not new?
