
[Glug-nith-discuss] virus for linux


From: navneet sharma
Subject: [Glug-nith-discuss] virus for linux
Date: Mon, 13 Apr 2009 11:53:59 +0530



A Word on Computer Viruses
Viruses are, by definition, malicious pieces of code that replicate themselves. They can do this through a variety of methods, including infecting other executable files or disseminating macros and other forms of executable content. Viruses are most commonly spread by users sharing files, particularly through e-mail, but also by other means. Viruses are well known for causing problems for Windows users.
But the question remains: are there any Linux viruses? And if yes, should I worry? The answer is yes to the first question and no to the second one. Let me tell you my experience. On my dual-boot home PC I primarily work on the Linux partition but occasionally have to boot into the Windows partition (usually to do such work as checking an MS Word document's formatting, a document that was originally made using Linux/OpenOffice.org Writer and saved as an MS Word file; this is another issue where a user is forced to use such proprietary software, because a particular agency needs a document in a proprietary format).

Coming back to the original issue, I almost always find some new virus that has infected the Windows partition. These viruses either creep in through e-mail or shared folders over the network, and nowadays mainly through pen drives.
But I have never had a single incident of a Linux virus attack on my Linux box. Though the fact remains that viruses for Linux do exist, you can count them on your fingertips. This article tries to list and explain these known Linux viruses and some of the antivirus software available.


Known Linux Viruses?

  • Linux.Bliss
  • Linux.Diesel
  • Linux.Gildo
  • Linux.Kagob
  • Linux.Nuxbee
  • Linux.Satyr
  • Linux.Vit.4096
  • Linux.Winter
  • Linux.Zipworm

1. Linux.Bliss
These are non-memory-resident parasitic viruses written in GNU C. They infect Linux only: infected files can be executed, and the virus can spread itself, only under Linux. The viruses search for Linux executable files (ELF internal format) and infect them. While infecting, the viruses shift the file body down, write themselves to the beginning of the file and append an ID text to the end of the file:

"Bliss.a": infected by bliss: 00010002:000045e4

"Bliss.b": infected by bliss: 00010004:000048ac

It seems that the former hex number in these lines is the virus version and the latter is the virus length; the virus lengths are 17892 and 18604 bytes.

When an infected file is run, the "Bliss.a" virus searches for not more than three non-infected files and infects them. "Bliss.b" infects more files (it is not known how many). If there are no infected files in the current directory, the virus scans the system and infects files in other directories. After infecting, the viruses return control to the host program, which then works correctly.

Linux is an access-protected system, i.e. users and programs may access only the files that they have permission to. The same goes for a virus: it may infect only the files and directories that are writable for the current user. If the current user has total access (system administrator), the virus will infect all the files on the computer.

2. Linux.Diesel
This is a relatively harmless, non-memory-resident parasitic virus. It searches for Linux executable files in system directories and their subdirectories, then writes itself into the middle of the file. Before searching for files, the virus reads its code from the host file. It moves the original bytes to the end of the file and increases the size of the previous section. After finishing its work, the virus restores the host and transfers control to it. The virus contains the text strings:
/ home root sbin bin opt
[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]

Now you may ask "Why don't we have viruses in the same proportion under Linux as we have for other proprietary OSes?" The answer to this can be found he


3. Linux.Gildo
This is a non-dangerous, memory-resident parasitic virus written in assembly language. It uses system calls (syscalls) directly while working with files. The virus infects ELF files, writing itself into the middle of the file.

After starting, the virus forks off a main process and continues its work. The resident part scans the directories starting from the root. The virus checks the access rights of each file it finds; if the file is writable, the virus infects it. While infecting a file, the virus increases the size of its code section by 4096 bytes and writes its code into the free space. After that the virus changes the parameters of the ELF file's upper sections and sets up a new entry point for it. The virus displays this message on each start:

Gildo virus
email address@hidden (for comments)

The virus contains the text strings:

hello, nice boys, I hope you will enjoy this program written with nasm. I want to say thanks to all my programmers friend.Bye from Gildo. The Netwide Assembler 0.98 .symtab .strtab .shstrtab .text .data .sbss .bss .comment

It also contains the debug strings from the compiler:

virus.asm parent parent_process ahah scan_dir c_stat others_permissions user_permissions group_permissions c_permissions is_regular_file c1_is_regular_file c2_is_regular_file is_directory c1_is_directory l_readdir skip_l_readdir e_l_readdir error_stat error_opening_file e_scan_dir infect_file open no_open_error file_length mmap c_mmap is_suitable error_suitable c1_is_suitable read_ehdr c_ehdr is_suitable_space patch_ehdr patch_e_entry patch_e_sh_offset patch_phdrs l_read_ph dont_patch_phtext dont_patch_ph patch_shdrs l_read_sh dont_patch_shtext dont_patch_sh find_current_entry_point write suit_error munmap mmap_error close open_error __exit __bss_start main _edata _end

4. Linux.Kagob
This is a harmless non-memory-resident parasitic Linux virus. The virus itself is a Linux executable module (ELF file). It searches for other ELF files in the system, then infects them.

While infecting, the virus moves the victim file's contents down and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes that.

The virus does not manifest itself in any way. Its body contains the "copyright" text string:

Linux.Kaiowas by Gobleen Warrior//SMF

5. Linux.Nuxbee
This is a relatively harmless, non-memory-resident parasitic Linux virus. It searches for ELF files in the bin directory, then writes itself into the middle of the file. The virus infects files only if the current user has administrator rights. It writes itself at the entry point offset, and encrypts and saves the original bytes at the end of the file.

To restore the original file, the virus reads and encrypts the original bytes from the host file. It uses file-mapping functions to infect files. All system functions are invoked via INT 80h (the Linux syscall interrupt). The virus contains the following text string:

NuxBee by Bumblebee - The NeXt Frontier

6. Linux.Satyr
This is a harmless non-memory-resident parasitic Linux virus. The virus is a Linux executable module (ELF file). It searches for other ELF files in the system and then infects them. The virus infects files in the following directories:

current directory
parent directory
~/ (user root directory)
~/bin (user /bin directory)
~/sbin (user /sbin directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11

While infecting, the virus moves the victim file's contents down and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes that.

The virus does not manifest itself in any way. Its body contains the "copyright" text string:

unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz

7. Linux.Vit.4096
This is a non-memory-resident parasitic virus. The virus has the internal ELF format, replicates under Linux and infects Linux executable files. Linux is an access-protected system, i.e. users and programs may access only the files that they have permission to. The same is true for a virus: it may infect only the files and directories that are writable for the current user. If the current user has total access (system administrator), the virus will infect all the files on the computer.

When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them in the middle. While infecting, the virus analyzes the internal file format (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code into this "cave", modifies the file's entry address and corrects the necessary fields in the ELF headers.

The virus checks for duplicate infection and prevents it; in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.

While infecting, the virus uses the temporary file VI324.TMP. This file name was the reason for selecting the virus name (VIxxx.Txx).
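The following is an added example, not code from the original post, that turns two of the observations above into defender-side file checks: Bliss appends an ID text to the end of infected files, and Gildo and Vit redirect the ELF entry point into code they inject, so an entry point that no executable, file-backed PT_LOAD segment covers is worth flagging. It assumes little-endian ELF64 input; the `build_elf64` helper constructs header-only test images for the checks and is not a loadable binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PF_X = 1, 0x1
BLISS_MARKER = b"infected by bliss:"   # ID text Bliss appends, quoted in the post above

def parse_elf64(data):
    """Return (e_entry, [(p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz)])
    for a little-endian ELF64 image, or None if the input is not one."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        return None
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            return None  # truncated program header table
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from("<IIQQQQQQ", data, off)
        segs.append((p_type, p_flags, p_off, p_vaddr, p_filesz, p_memsz))
    return e_entry, segs

def entry_point_status(data):
    """'ok' when e_entry lies inside an executable PT_LOAD segment that is
    backed by file bytes; otherwise a short reason string."""
    parsed = parse_elf64(data)
    if parsed is None:
        return "not-elf64"
    e_entry, segs = parsed
    for p_type, p_flags, _, p_vaddr, p_filesz, _ in segs:
        if p_type == PT_LOAD and p_flags & PF_X and p_vaddr <= e_entry < p_vaddr + p_filesz:
            return "ok"
    return "entry-outside-exec-segment"

def has_bliss_marker(data):
    """Bliss writes its ID text at the end of the host, so only the tail is inspected."""
    return BLISS_MARKER in data[-64:]

def build_elf64(entry, segs):
    """Constructed test image: ELF64 header plus program headers only (assumption:
    sufficient for the checks above; it is not a runnable binary)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, o, v, v, fs, ms, 0x1000)
                     for t, f, o, v, fs, ms in segs)
    return ident + hdr + phdrs
```

To audit a directory, read each file's bytes and run `entry_point_status` and `has_bliss_marker` over them; anything other than "ok"/False deserves a closer look with a real ELF tool.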

8. Linux.Winter
This is a harmless non-memory-resident parasitic Linux virus. It is extremely small for a Linux virus: just 341 bytes (in the known virus version).

When an infected file is run, the virus gains control, searches for ELF files (Linux executable files) in the current directory, then writes itself into the middle of the file, into the unused "Notes" section, if there is one and it is large enough. While infecting, the virus overwrites the "Notes" data in that section, but the program runs properly afterwards.

The virus contains the text string:
LoTek by Wintermute

The virus has a routine that sets a host name (computer name) to "Wintermute", but this routine never gains control.

9. Linux.Zipworm
It is a harmless Linux virus affecting ZIP archives.

When the virus is run, it looks for ZIP archives in the current directory and adds copies of itself to them. While infecting, the virus does not use any external ZIP processing tool but parses the ZIP internal format by itself. The virus files in the archives have one of five possible names:

Ten motives why linux sux!
Why Windows is superior to Linux!
Is Linux for you? Never!
Is Linux immune to virus? NO!
zipworm!

The virus also contains the "copyright" text:

elf zip worm vecna

Available Antiviruses Against Linux Viruses?

My personal experience says that you will never need an antivirus, as the incidence of virus attacks hardly exists in the Linux world. But just to be on the safer side, should the unseen happen some day, the latest version of one of the antivirus programs should be kept handy at all times. The following is a list of some of the better-known antivirus software for the Linux platform.

Antivirus name [interface]: description

AMaViS Virus Scanner [Console]: A Mail Virus Scanner that scans e-mail attachments for viruses.
AntiVir [Console]: An anti-virus scanner for Linux.
Clam Antivirus [Console]: Basically made for UNIX.
Kaspersky Anti-Virus for Linux Workstation [Console]: A comprehensive anti-virus defense system for Linux workstations.
McAfee VirusScan Validate [Console]: One of the most popular virus scanning packages available for any platform.
RAV AntiVirus Desktop for Linux [X11]: Powerful and wisely designed to protect your data from a Linux environment.
SAVget [Console]: A bash script that aims to be a clone of the Windows SGET utility.
TkAntivir [X11]: A graphical front end to the antivirus program H+BEDV AntiVir/X, written in Tcl/Tk.
Vexira Antivirus For Linux Server [Console]: A complete antivirus system designed specifically for Linux servers.
Vexira Antivirus for Linux Workstation [Console]: Provides antivirus protection for Linux workstations.
Vexira MailArmor, Linux antivirus for mail servers [Console]: A high-speed Linux antivirus program for mail servers.

Many of these are under the GPL, some are under a subscription scheme, and a few are commercial.

Use Linux Feel Free & Open.

Regards
navneet sharma