Wednesday, April 15, 2009

virus for linux

A Word on Computer Viruses

Viruses are, by definition, malicious pieces of code that replicate
themselves. They can do this in a variety of ways, including infecting
other executable files or spreading macros and other forms of executable
content. Viruses are most commonly spread by users sharing files,
particularly through e-mail, but also by other means, and they are well
known for causing problems for Windows users.

But the question remains: are there any Linux viruses? And if so, should I
worry? The answer is yes to the first question and no to the second.
Let me tell you my experience. On my dual-boot home PC I primarily work on
the Linux partition but occasionally have to boot into the Windows partition
(usually for tasks like checking the formatting of an MS Word document that
was originally made using Linux/OpenOffice.org Writer and saved as an MS
Word file; this is another issue, where a user is forced to use such
proprietary software because a particular agency needs the document in a
proprietary format).

Coming back to the original issue, I almost always find some new virus that
has infected the Windows partition. These viruses creep in through e-mail
or shared folders over the network, and nowadays mainly through pen drives.
But I have never had a single incident of a Linux virus attack on my Linux
box. The fact remains that viruses for Linux do exist, but you can count
them on your fingertips. This article tries to list and explain these known
Linux viruses and some of the antivirus software available.

Known Linux Viruses

- Linux.Bliss
- Linux.Diesel
- Linux.Gildo
- Linux.Kagob
- Linux.Nuxbee
- Linux.Satyr
- Linux.Vit.4096
- Linux.Winter
- Linux.Zipworm

1. Linux.Bliss

These are non-memory-resident parasitic viruses written in GNU C. They
infect Linux only: infected files can be executed, and the virus can spread,
only under Linux. The viruses search for Linux executables (files in the ELF
format) and infect them. While infecting, they shift the file body down,
write themselves to the beginning of the file and append an ID-text to the
end of the file:

"Bliss.a": infected by bliss: 00010002:000045e4

"Bliss.b": infected by bliss: 00010004:000048ac

The first hex number in these lines appears to be the virus version and the
second the virus length: 0x45e4 is 17892 bytes and 0x48ac is 18604 bytes.

When an infected file is run, "Bliss.a" searches for at most three
non-infected files and infects them. "Bliss.b" infects more files (how many
is not known). If there are no uninfected files left in the current
directory, the virus scans the system and infects files in other
directories. After infecting, the viruses return control to the host
program, which then runs normally.

Linux is an access-controlled system: users and programs may touch only the
files they have permission to. The same applies to a virus, which runs with
the privileges of whoever executes the infected file. It can infect only
files and directories that are writable by that user. If that user is root
(the system administrator), the virus can infect every executable on the
computer.
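As an added example (not code from the page or from the virus authors), here is a small Python audit that turns the two points above into checks: it parses the Bliss ID-text at the end of a file into its version and length fields, and for every ELF file under a directory it reports whether the current user could write to it, which is exactly the precondition a userland file infector needs. The sample tree it scans is constructed inline (fake ELF files: the magic plus filler, not real binaries); the marker regex and the directory layout are assumptions made for the example.

```python
import os
import re
import stat
import tempfile

# Assumed marker format, taken from the two ID-texts quoted above:
# "infected by bliss: VVVVVVVV:LLLLLLLL" appended to the end of the file,
# with the first hex field read as version and the second as length.
BLISS_MARKER = re.compile(rb"infected by bliss: ([0-9a-f]{8}):([0-9a-f]{8})")
ELF_MAGIC = b"\x7fELF"


def parse_bliss_marker(data: bytes):
    """Return (version, length_in_bytes) from a Bliss ID-text, or None."""
    m = BLISS_MARKER.search(data)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def is_elf(path: str) -> bool:
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def audit_directory(root: str) -> dict:
    """Walk root; for every ELF file record whether it carries a Bliss marker
    and whether the *current* user could write to it (os.access asks the
    kernel, so as root every file shows up as writable)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_elf(path):
                continue
            with open(path, "rb") as f:
                data = f.read()
            report[os.path.relpath(path, root)] = {
                "bliss": parse_bliss_marker(data),
                "writable": os.access(path, os.W_OK),
            }
    return report


def build_sample_tree() -> str:
    """Constructed sample data: a scratch directory holding three fake ELF
    files (magic plus filler, nothing executable or infectious)."""
    root = tempfile.mkdtemp(prefix="bliss-audit-")
    os.makedirs(os.path.join(root, "bin"))
    clean = ELF_MAGIC + b"\x00" * 60
    files = {
        "bin/clean": clean,
        "bin/bliss_a": clean + b"infected by bliss: 00010002:000045e4",
        "bin/bliss_b": clean + b"infected by bliss: 00010004:000048ac",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    # One read-only file, to show the access check for a non-root user.
    os.chmod(os.path.join(root, "bin/clean"), stat.S_IRUSR | stat.S_IXUSR)
    return root


if __name__ == "__main__":
    for rel, info in sorted(audit_directory(build_sample_tree()).items()):
        tag = ("INFECTED version=0x%x length=%d" % info["bliss"]
               if info["bliss"] else "clean")
        print("%-12s writable=%-5s %s" % (rel, info["writable"], tag))
```

Pointed at a real directory such as `/usr/local/bin` and run as an ordinary user, the `writable` column lists exactly the binaries that user's processes (and any virus they run) could overwrite; run as root it lists all of them, which is the point the paragraph makes.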
2. Linux.Diesel

This is a relatively harmless, non-memory-resident parasitic virus. It
searches for Linux executable files in system directories and their
subdirectories, then writes itself to the middle of the file. Before
searching for files, the virus reads its own code from the host file. It
moves the original bytes to the end of the file and increases the size of
the preceding section. After finishing its work, the virus restores the host
and transfers control to it. The virus contains the text strings:

/ home root sbin bin opt
[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]

Now you may ask: why don't we have viruses in the same proportion under
Linux as we have for other, proprietary OSes? One answer to this can be
found here: <http://librenix.com/?inode=21>
3. Linux.Gildo

This is a not-dangerous, memory-resident parasitic virus written in
assembler (NASM). It uses system calls directly when working with files.
The virus infects ELF files, writing itself into the middle of the file.

After starting, the virus forks: the main process continues its work while
the resident part scans directories starting from the root. The virus checks
the access rights of each file it finds; if the file is writable, it infects
it. While infecting, the virus enlarges the file's code section by 4096
bytes and writes its code into the freed space. It then adjusts the
parameters of the ELF sections above it and sets a new entry point. The
virus displays this message on each start:

Gildo virus
email Gildo@jazz.hm (for comments)

The virus contains the text strings:

hello, nice boys, I hope you will enjoy this program written with nasm. I
want to say thanks to all my programmers friend.Bye from Gildo. The Netwide
Assembler 0.98 .symtab .strtab .shstrtab .text .data .sbss .bss .comment

It also contains debug strings (symbol and label names) left in by the assembler:

virus.asm parent parent_process ahah scan_dir c_stat others_permissions
user_permissions group_permissions c_permissions is_regular_file
c1_is_regular_file c2_is_regular_file is_directory c1_is_directory l_readdir
skip_l_readdir e_l_readdir error_stat error_opening_file e_scan_dir
infect_file open no_open_error file_length mmap c_mmap is_suitable
error_suitable c1_is_suitable read_ehdr c_ehdr is_suitable_space patch_ehdr
patch_e_entry patch_e_sh_offset patch_phdrs l_read_ph dont_patch_phtext
dont_patch_ph patch_shdrs l_read_sh dont_patch_shtext dont_patch_sh
find_current_entry_point write suit_error munmap mmap_error close open_error
__exit __bss_start main _edata _end
4. Linux.Kagob

This is a harmless, non-memory-resident parasitic Linux virus. The virus
itself is a Linux executable (ELF file). It searches for other ELF files in
the system and infects them.

While infecting, the virus moves the victim file's contents down and writes
itself into the file header. To pass control to the host file, the virus
"disinfects" it into a temporary file and executes that.

The virus does not manifest itself in any way. Its body contains the
"copyright" text string:

Linux.Kaiowas by Gobleen Warrior//SMF
5. Linux.Nuxbee

This is a relatively harmless, non-memory-resident parasitic Linux virus.
It searches for ELF files in the bin directory, then writes itself to the
middle of the file. The virus infects files only if the current user has
administrator (root) rights. It writes itself at the entry-point offset,
and encrypts and saves the original bytes at the end of the file.

To restore the original file, the virus reads back and decrypts the original
bytes from the host file. It uses file-mapping functions (mmap) to infect
files. All system functions are invoked through INT 80h (the Linux system
call interface). The virus contains the following text string:

NuxBee by Bumblebee - The NeXt Frontier
6. Linux.Satyr

This is a harmless, non-memory-resident parasitic Linux virus. The virus is
a Linux executable (ELF file). It searches for other ELF files in the
system and infects them. The virus infects files in the following
directories:

current directory
parent directory
~/ (the user's home directory)
~/bin (bin under the user's home directory)
~/sbin (sbin under the user's home directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11

While infecting, the virus moves the victim file's contents down and writes
itself into the file header. To pass control to the host file, the virus
"disinfects" it into a temporary file and executes that.

The virus does not manifest itself in any way. Its body contains the
"copyright" text string:

unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS],
http://shitdown.sf.cz
7. Linux.Vit.4096

This is a non-memory-resident parasitic virus. The virus is itself in ELF
format, replicates under Linux and infects Linux executable files. The same
access rule as for Bliss applies: it can infect only files and directories
writable by the user who runs it, and if that user is root it can infect
every file on the computer.

When an infected file is executed, the virus takes control, searches for
executable ELF files in the current directory and infects them in the
middle. While infecting, the virus analyzes the internal file format (the
ELF headers), locates the first code section, makes a "cave" by shifting
this and all following sections down by 4096 bytes, writes its code into
the cave, modifies the file's entry address and corrects the necessary
fields in the ELF headers.

The virus checks for duplicate infection and prevents it. It also infects
files quite accurately: in tests, not all infected files were corrupted, and
the virus was able to replicate itself from them.

While infecting, the virus uses a temporary file named VI324.TMP. This file
name (VIxxx.Txx) is the origin of the virus name.
8. Linux.Winter

This is a harmless, non-memory-resident parasitic Linux virus. It is
extremely small for a Linux virus: just 341 bytes in the known version.

When an infected file is run, the virus gains control, searches for ELF
files (Linux executables) in the current directory, then writes itself into
the middle of the file, into the otherwise unused note section, if there is
one and it is large enough. While infecting, the virus overwrites the data
in that section, but the program still runs properly afterwards.

The virus contains the text string:
LoTek by Wintermute

The virus has a routine that sets a host name (computer name) to
"Wintermute", but this routine never gains control.
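Several of the descriptions above (Gildo, Vit.4096, Nuxbee and Winter) come down to two changes visible in the ELF headers: the entry point is redirected into inserted code, or the note section's payload is replaced. The Python below, added here as an example and not code from the page or from any of the virus authors, builds a minimal ELF64 image inline (constructed, with no program headers, so it cannot be executed) and applies both checks to a clean copy, a copy whose entry point has been moved out of .text, and a copy whose note section has been overwritten. The load address BASE, the section layout and the note contents are assumptions made for the example.

```python
import struct

# ELF64 little-endian header layouts, from the ELF specification.
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
SHT_NOTE = 7
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
BASE = 0x400000                  # assumed load address of the sample image


def sample_note() -> bytes:
    """A well-formed 32-byte note (namesz=4, descsz=16, type=1, name "GNU\\0"),
    the kind of record a linker leaves in .note."""
    return struct.pack("<III", 4, 16, 1) + b"GNU\x00" + b"\x00" * 16


def winter_style_note() -> bytes:
    """Constructed stand-in for an overwritten note section: the same 32
    bytes replaced by code bytes plus the virus string quoted above."""
    return (b"\xeb\xfe" + b"LoTek by Wintermute").ljust(32, b"\x90")


def build_sample_elf(entry=None, note=None, text=b"\xc3" * 64) -> bytes:
    """Constructed sample: header, .text, .note, .shstrtab, section table.
    entry defaults to the start of .text, as in a clean binary."""
    note = sample_note() if note is None else note
    shstrtab = b"\x00.text\x00.note\x00.shstrtab\x00"
    text_off = 64                          # right after the ELF header
    note_off = text_off + len(text)
    str_off = note_off + len(note)
    shoff = str_off + len(shstrtab)        # section header table last
    if entry is None:
        entry = BASE + text_off
    # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size)
    sections = [
        (0, 0, 0, 0, 0, 0),
        (1, 1, SHF_ALLOC | SHF_EXECINSTR, BASE + text_off, text_off, len(text)),
        (7, SHT_NOTE, SHF_ALLOC, BASE + note_off, note_off, len(note)),
        (13, 3, 0, 0, str_off, len(shstrtab)),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, entry, 0, shoff, 0,
                       64, 0, 0, 64, len(sections), 3)
    shdrs = b"".join(struct.pack(SHDR_FMT, n, t, f, a, o, s, 0, 0, 1, 0)
                     for n, t, f, a, o, s in sections)
    return ehdr + text + note + shstrtab + shdrs


def parse_sections(data: bytes):
    """Return (e_entry, [section dicts]) from an ELF64 little-endian image."""
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    ident, entry, shoff = hdr[0], hdr[4], hdr[6]
    shentsize, shnum, shstrndx = hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    raw = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)
           for i in range(shnum)]
    strtab = raw[shstrndx][4]              # file offset of .shstrtab
    sections = []
    for sh in raw:
        end = data.index(b"\x00", strtab + sh[0])
        sections.append({"name": data[strtab + sh[0]:end].decode(),
                         "type": sh[1], "addr": sh[3],
                         "offset": sh[4], "size": sh[5]})
    return entry, sections


def note_is_well_formed(payload: bytes) -> bool:
    """Walk Elf64_Nhdr records; a record whose sizes run past the section
    means the bytes are no longer notes."""
    off = 0
    while off < len(payload):
        if off + 12 > len(payload):
            return False
        namesz, descsz, _ntype = struct.unpack_from("<III", payload, off)
        off += 12 + ((namesz + 3) & ~3) + ((descsz + 3) & ~3)
        if off > len(payload):
            return False
    return True


def check_elf(data: bytes) -> list:
    """Findings (empty means nothing suspicious): e_entry outside .text,
    or a SHT_NOTE section that no longer parses as notes."""
    findings = []
    entry, sections = parse_sections(data)
    text = next((s for s in sections if s["name"] == ".text"), None)
    if text is None:
        findings.append("no .text section")
    elif not text["addr"] <= entry < text["addr"] + text["size"]:
        holder = next((s["name"] for s in sections
                       if s["addr"] <= entry < s["addr"] + s["size"]),
                      "no section")
        findings.append("entry point 0x%x outside .text (in %s)" % (entry, holder))
    for s in sections:
        if s["type"] == SHT_NOTE:
            payload = data[s["offset"]:s["offset"] + s["size"]]
            if not note_is_well_formed(payload):
                findings.append("%s does not parse as ELF notes (overwritten?)" % s["name"])
    return findings


if __name__ == "__main__":
    print("clean:     ", check_elf(build_sample_elf()))
    print("vit-style: ", check_elf(build_sample_elf(entry=BASE + 128)))
    print("winter:    ", check_elf(build_sample_elf(note=winter_style_note())))
```

On real binaries the entry check needs one refinement: position-independent executables and some toolchains put `_start` in `.text` too, but a stripped or unusual layout may legitimately place it elsewhere, so treat a hit as something to look at, not as proof of infection.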

9. Linux.Zipworm

This is a harmless Linux virus that affects ZIP archives.

When run, the virus looks for ZIP archives in the current directory and
adds copies of itself to them. It does not use any external ZIP tool while
infecting; it parses the ZIP internal format itself. The virus files inside
the archives have one of five possible names:

Ten motives why linux sux!
Why Windows is superior to Linux!
Is Linux for you? Never!
Is Linux immune to virus? NO!
zipworm!

The virus also contains the "copyright" text:

elf zip worm vecna
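Zipworm parses the ZIP format itself rather than calling a ZIP tool. As an added example (not the worm's code and not from the page), the Python below does the same walk a scanner would: it finds the end-of-central-directory record, reads each central directory header by hand without the zipfile module, and flags members carrying one of the five names above whose body starts with the ELF magic, so a text file that merely shares a name is not reported as a worm copy. The sample archive is constructed inline with the standard zipfile module, and the member contents are fake ELF data (magic plus filler); ZIP64 archives are outside the scope of the example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
ELF_MAGIC = b"\x7fELF"

# The five member names quoted above, exactly as the page lists them.
ZIPWORM_NAMES = {
    "Ten motives why linux sux!",
    "Why Windows is superior to Linux!",
    "Is Linux for you? Never!",
    "Is Linux immune to virus? NO!",
    "zipworm!",
}


def list_zip_entries(data: bytes):
    """Walk the central directory by hand and return
    [(name, uncompressed_size, local_header_offset)] in directory order."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _disk, _cd_disk, _n_here, n_total, _cd_size, cd_off, _clen = \
        struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, off = [], cd_off
    for _ in range(n_total):
        if data[off:off + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % off)
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, off + 4)
        usize, nlen, xlen, clen, lh_off = f[8], f[9], f[10], f[11], f[15]
        name = data[off + 46:off + 46 + nlen].decode("utf-8")
        entries.append((name, usize, lh_off))
        off += 46 + nlen + xlen + clen      # fixed header + variable fields
    return entries


def read_stored_member(data: bytes, lh_off: int, size: int):
    """Raw bytes of a member stored without compression (method 0), found by
    skipping its 30-byte local file header; None if the member is compressed."""
    _v, _flags, method, _t, _d, _crc, _cs, _us, nlen, xlen = \
        struct.unpack_from("<HHHHHIIIHH", data, lh_off + 4)
    if method != 0:
        return None
    start = lh_off + 30 + nlen + xlen
    return data[start:start + size]


def find_zipworm(data: bytes):
    """Members named as the worm names its copies; the flag says whether the
    member body is actually an ELF file (the worm stores itself uncompressed
    in this example; a compressed member comes back as False)."""
    hits = []
    for name, size, lh_off in list_zip_entries(data):
        if name in ZIPWORM_NAMES:
            body = read_stored_member(data, lh_off, size)
            hits.append((name, body is not None and body.startswith(ELF_MAGIC)))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one ordinary deflated text member plus a
    stored member named as the worm names its copies, whose body is fake ELF
    data (magic and filler only, not a real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"nothing to see here\n",
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("zipworm!", ELF_MAGIC + b"\x00" * 60,
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    for name, size, off in list_zip_entries(archive):
        print("%-12s %4d bytes, local header at offset %d" % (name, size, off))
    print("zipworm hits:", find_zipworm(archive))
```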

Available Antiviruses Against Linux Viruses

My personal experience says that you will never need an antivirus, as the
incidence of virus attacks hardly exists in the Linux world. But just to be
on the safer side, should the unseen happen some day, the latest version of
one of the antivirus packages should be kept handy at all times. The
following is a list of some of the better-known antivirus software for the
Linux platform.

Antivirus name and description (interface)

- AMaViS Virus Scanner: A Mail Virus Scanner; scans e-mail attachments for viruses. (Console)
- AntiVir: an anti-virus scanner for Linux. (Console)
- Clam Antivirus: made primarily for UNIX. (Console)
- Kaspersky Anti-Virus for Linux Workstation: a comprehensive anti-virus defense system for Linux workstations. (Console)
- McAfee VirusScan Validate: one of the most popular virus scanning packages available for any platform. (Console)
- RAV AntiVirus Desktop for Linux: powerful and wisely designed to protect your data in a Linux environment. (X11)
- SAVget: a bash script that aims to be a clone of the Windows SGET utility. (Console)
- TkAntivir: a graphical front end to the antivirus program H+BEDV AntiVir/X, written in Tcl/Tk. (X11)
- Vexira Antivirus for Linux Server: a complete antivirus system designed specifically for Linux servers. (Console)
- Vexira Antivirus for Linux Workstation: antivirus protection for Linux workstations. (Console)
- Vexira MailArmor (Linux antivirus for mail servers): a high-speed Linux antivirus program for mail servers. (Console)

Many of these are under the GPL, some are under a subscription scheme, and
a few are commercial.

Use Linux. Feel Free & Open.
