From owner-freebsd-security  Thu May  3  5:39:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10])
	by hub.freebsd.org (Postfix) with ESMTP id 846D137B424
	for <security@FreeBSD.ORG>; Thu,  3 May 2001 05:39:18 -0700 (PDT)
	(envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost)
	by ns1.via-net-works.net.ar (8.9.3/8.9.3) id JAA52108;
	Thu, 3 May 2001 09:41:57 -0300 (ART)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
Message-Id: <200105031241.JAA52108@ns1.via-net-works.net.ar>
Subject: Re: What do folks think of this article?
In-Reply-To: <20010502232105.C24364@petra.hos.u-szeged.hu> "from Szilveszter
 Adam at May 2, 2001 11:21:05 pm"
To: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
Date: Thu, 3 May 2001 09:41:57 -0300 (ART)
Cc: security@FreeBSD.ORG
Reply-To: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

En un mensaje anterior, Szilveszter Adam escribió:
> 5) Show me a UNIX virus. Not an email virus that can spread through a UNIX
> machine's MTA to windows machines, but an actual UNIX virus. Worms do not
> count. They are worms, not virii.

Just for fun (I know about being root && executing unknown binaries,
please don't we start with that):


www.avpve.com
 
Linux.Bliss
 
These are nonmemory resident parasitic viruses written in GNU C. They
infect
Linux OS only - infected files may be executed, and the virus may
spread itself only under Linux. The viruses search for executable
Linux files (ELF internal format) and infect them. While infecting
the viruses shift the file body
down, write themselves to the beginning of file and append to the end
of file the ID-text:
 
"Bliss.a": infected by bliss: 00010002:000045e4
"Bliss.b": infected by bliss: 00010004:000048ac
 
It seems that the former hex number in these lines is a virus
version, and the latter is the virus length - the virus lengths are
17892 and 18604 bytes.
 
When an infected file is run, the "Bliss.a" virus searches for not
more than three not infected files and affects them. "Bliss.b"
infects more files (I see not how much). If there are no not infected
files in the current directory, the virus scans the system and
infects the files in other directories. After infecting the viruses
return control to the host program, and it will work correctly.

Linux is the access-protected system, i.e. users and programs may
access only files that they have permission to. The same for virus -
it may infect only
the files and directories that are declared as "write-able" for
current username. If current username has total access (system
administrator), the virus will infect all files on computer.
 
The viruses seem to be "under debugging" and while searching for
files and infecting them they display several messages:
 
already infected
skipping, infected with same vers or different type
replacing older version
replacing ourselves with newer version
infecting: bytes
infect() returning success
been to already!
traversing
our size is
copy() returning success
copy() returning failure
disinfecting:
not infected
couldn't malloc bytes, skipping
couldn't read() all bytes
read bytes
happy_commit() failed, skipping
couldn't write() all bytes, hope you had backups!
successfully (i hope) disinfected
Debugging is ON
Disinfecting files...
using infection log:
 
The viruses also contain the text strings:
 
dedicated to rkd
/tmp/.bliss
asmlinkage int sys_umask(int mask)
mask&023000 return if(mask&023000) current->uid = current->euid =
current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d
-l rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s' doing popen("%s"
/.rhosts r %s %s .rhosts: %s, %s localhost doing do_worm_stuff()
/etc/hosts.equiv hosts.equiv: %s HOME --bli
ss- uninfect-files-please disinfect-files-please version %d.%d.%d
(%.8x)
Compiled on Sep 28 1996 at 22:24:03
Written by electric eel.
dont-run-original
just-run-bliss
dont-run-virus
dont-run-bliss
just-run-original
exec
infect-file unsupported version
help help? hah! read the source!
/proc/loadavg %d.
loadav is %d
bliss was run %d sex ago, rep_wait=%d
/tmp/.bliss-tmp.%d execv /bin
PATH : /usr/spool/news /var/spool/news wow

I also happen to have a description of another one if somebody is
interested.

Regards.


Fernando P. Schapachnik
Planificación de red y tecnología
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message