l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2004 Jul 18 17:06

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] [OT] Now I have a virus. Argh!!!!!
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] [OT] Now I have a virus. Argh!!!!!

Quoting boombox (boombox@cokeaholic.com):

> Of course, if you don't want to spring for antivirus, you could just make
> sure only to boot up in windows when you are playing, since I don't know
> of any Linux viruses. Makes you think.

I've been making a list of the known Linux viruses.  It turns out to be
really easy to make one, but (except during rare vulnerability windows
when there's a nice juicy security hole that's just been discovered and
that you've figured out how to exploit) damned near impossible to get
them to be executed and spread.

Staog, Bliss, Vit, RST (Remote Shell Trojan), Gildo, OSF, Kagob, Satyr,
Rike (Rike.1627), Winter (Lotek), Diesel, Nuxbee, Winux (PEElf, Pelf),
Svat, Obsidian.E, Simile (Etap), Jac, Pavid (Alfa.dr), Telf, Ynit,
Zipworm (distinctive only in that it likes to infect ELF files in Zip
archives), and Penguin:  These are all "ELF infectors", where "ELF" is the
standard Unix binary format.  To activate these, you must literally
decide to run a binary infected with them, e.g., someone mails you a
binary file and says "Please run this not-especially-trustworthy binary
executable." Doing so would of course be really dumb; the consequence of
being dumb in that particular fashion is that some number of Linux
executable binaries set to be writable by the user's account would get
modified to include a copy of the virus.  Note that the user is thereby
enable only to shoot at his _own_ foot:  No regular installed
applications could be affected, because those are not writable by
regular users: Only binary executables in /home/username/bin/ and such
could be affected (and seldom do users have any).

Note that none of the 100+ mail clients for Linux
(http://linuxmafia.com/faq/Mail/muas.html) auto-execute received
executables.  The user would have to save the attachment to
/tmp, run "chmod u+x" on it to make it executable, and then manually
run it -- in order to (finally) shoot himself (but not his system)
in the foot.

One last observation about ELF infectors:  They're all fundamentally
identical, and might as well all be the same virus.  Seen one, seen 'em
all.  (More to the immediate point:  Easily avoid running one, easily
avoid running 'em all.)

There's always some possibility of attack through various
types of "active content" received as attachments:  This is an area
under ongoing scrutiny, and it's wise for you (not just your
distribution's maintainers) to keep an eye on what your mailcap file's
willing to do.

All of the others (listed below) were "worm" automated attacks against
once-vulnerable network daemons.  Obvious lesson:  If you choose to run
network daemons, you're obliged to look out for security alerts and
disable or upgrade the daemons when those happen -- especially if you
run basket-case software like BIND8, lpd, and wu-ftpd.

Oh, and lesson #2:  There's no reason to expose NFS (No Frigging
Security; Network File System) its underlying RPC daemons, or print
servers to the public Internet.  Don't do that -- there's no reason to,
after all -- and you can't be bitten by vulnerabilities in them.

Worm.  May 22, 2001.  
BIND prior to 8.2.3.  TSIG exploit of Jan. 29, 2001.  Note BIND9 release, 
Sept. 15, 2000; BIND 9.1.0 release, Jan. 17, 2001.

1i0n (lion)
Worm.  March 23, 2001.
BIND prior to 8.2.3.  TSIG exploit of Jan. 29, 2001.  Note BIND9 release,
Sept. 15, 2000; BIND 9.1.0 release, Jan. 17, 2001.

Adore (Red)
Worm.  April 04, 2001.  
lprng input validation bug discovered December 12, 2000, rpc-statd input
validation bug discovered August 18, 2000, wu-ftpd 2.6 input validation
bug discovered July 7, 2000, and several BIND 8.2.3 buffer overflow and
input validation bugs discovered Jan. 29, 2001.

lpdw0rm (lpdworm)
Worm.  April 2001.  
lpd input validation bug fixed in Oct. 2000.

Worm.  January 17, 2001.  
wu-ftpd 2.6 input validation bug of 2000-06-22, 
rpc.statd bug fixed summer 2000, and 
LPRng input validation bug of Aug. 2000.

Slapper (Cinik, Unlock)
Worm.  Sept. 13, 2002.  
Very specific and rare combination of Apache w/OpenSSL 0.9.6d /
0.9.7beta1 or earlier.  Overflow fixed July 2, 2002.

Worm.  Oct. 3, 2002.  
Very specific and rare combination of Apache w/OpenSSL 0.9.6d and
0.9.7-beta1 or earlier.  Overflow fixed July 30, 2002.

Worm.  May 1998.  
BIND8 buffer overflow prior to 8.1.2 (in the reverse query function,
"fake-iquery yes;", which is disabled by default).  Fix released April
8, 1998.  

Worm.  Oct. 2001.  
OpenSSH pre-2.3.0 exploit.  Old versions patched Feb. 27, 2001; 2.3.0
released November 2000.

Worm.  Nov. 18, 2002
wu_imapd buffer overflow fixed May 11, 2002,
qpopper buffer overflow fixed March 2002.
bind buffer overflow through 8.3.3 fixed Nov. 11, 2002,
rpc.mountd buffer overflow fixed in 1998.

Worm.  July 02, 2003.
Buffer overflow prior to Samba 2.0.10 / 2.2.8a, which were released
April 7, 2003.

Cheers,                    Facta tua Restitueri ad Status Pristinus Eius.
Rick Moen                       (May your data be restored to
rick@linuxmafia.com            its original pristine condition.)
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!