From owner-freebsd-security Thu May 3 05:39:31 2001
From: Fernando Schapachnik
Subject: Re: What do folks think of this article?
In-Reply-To: <20010502232105.C24364@petra.hos.u-szeged.hu> "from Szilveszter Adam at May 2, 2001 11:21:05 pm"
To: Szilveszter Adam
Date: Thu, 3 May 2001 09:41:57 -0300 (ART)
Cc: security@FreeBSD.ORG
Message-Id: <200105031241.JAA52108@ns1.via-net-works.net.ar>

In an earlier message, Szilveszter Adam wrote:

> 5) Show me a UNIX virus. Not an email virus that can spread through a UNIX
> machine's MTA to windows machines, but an actual UNIX virus. Worms do not
> count. They are worms, not virii.

Just for fun (I know about being root && executing unknown binaries, please
let's not start with that):

www.avpve.com

Linux.Bliss

These are non-memory-resident parasitic viruses written in GNU C. They infect
Linux OS only - infected files may be executed, and the virus may spread itself
only under Linux. The viruses search for executable Linux files (ELF internal
format) and infect them.
While infecting, the viruses shift the file body down, write themselves to the
beginning of the file and append the ID-text to the end of the file:

  "Bliss.a": infected by bliss: 00010002:000045e4
  "Bliss.b": infected by bliss: 00010004:000048ac

It seems that the former hex number in these lines is a virus version, and the
latter is the virus length - the virus lengths are 17892 and 18604 bytes.

When an infected file is run, the "Bliss.a" virus searches for no more than
three uninfected files and infects them. "Bliss.b" infects more files (I do not
see how many). If there are no uninfected files in the current directory, the
virus scans the system and infects the files in other directories. After
infecting, the viruses return control to the host program, which then works
correctly.

Linux is an access-protected system, i.e. users and programs may access only
files that they have permission to. The same applies to the virus - it may
infect only the files and directories that are writable for the current user.
If the current user has total access (system administrator), the virus will
infect all files on the computer.

The viruses seem to be "under debugging" and while searching for files and
infecting them they display several messages:

  already infected skipping,
  infected with same vers or different type
  replacing older version
  replacing ourselves with newer version
  infecting: bytes
  infect() returning success
  been to already!
  traversing
  our size is
  copy() returning success
  copy() returning failure
  disinfecting:
  not infected
  couldn't malloc bytes, skipping
  couldn't read() all bytes
  read bytes
  happy_commit() failed, skipping
  couldn't write() all bytes, hope you had backups!
  successfully (i hope) disinfected
  Debugging is ON
  Disinfecting files...
  using infection log:

The viruses also contain the text strings:

  dedicated to rkd
  /tmp/.bliss
  asmlinkage int sys_umask(int mask) mask&023000 return if(mask&023000)
  current->uid = current->euid = current->suid = current->fsuid = 0;
  return old&023000} }
  bliss.%s.%d
  -l
  rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s'
  doing popen("%s"
  /.rhosts
  r
  %s %s
  .rhosts: %s, %s
  localhost
  doing do_worm_stuff()
  /etc/hosts.equiv
  hosts.equiv: %s
  HOME
  --bliss-
  uninfect-files-please
  disinfect-files-please
  version %d.%d.%d (%.8x)
  Compiled on Sep 28 1996 at 22:24:03
  Written by electric eel.
  dont-run-original
  just-run-bliss
  dont-run-virus
  dont-run-bliss
  just-run-original
  exec
  infect-file
  unsupported version
  help
  help? hah! read the source!
  /proc/loadavg
  %d.
  loadav is %d
  bliss was run %d sex ago, rep_wait=%d
  /tmp/.bliss-tmp.%d
  execv
  /bin
  PATH
  :
  /usr/spool/news
  /var/spool/news
  wow

I also happen to have a description of another one if somebody is interested.

Regards.

Fernando P. Schapachnik
Network planning and technology
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381
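As an added example (not from this message, from AVP, or from the virus), a Python scanner that looks for the appended ID-text described above, decodes its two hex fields, maps the length field to the variant named in the description, and checks whether a second ELF header sits at that offset, which is what prepending a body of that length to the host would leave behind. The file images and the filler stub are constructed; treating the second field as the prepended length follows the description's own guess, not a verified fact.

```python
import re

ELF_MAGIC = b"\x7fELF"

# ID-text the infector appends to the end of a host file (from the description
# quoted above); two 8-digit hex fields follow the colon.
MARKER_RE = re.compile(rb"infected by bliss: ([0-9a-fA-F]{8}):([0-9a-fA-F]{8})\s*$")

# Lengths the description gives for the two variants (17892 and 18604 bytes).
KNOWN_VARIANTS = {0x45E4: "Bliss.a", 0x48AC: "Bliss.b"}


def parse_marker(data: bytes):
    """Return (version, length) from a trailing ID-text, or None if absent."""
    m = MARKER_RE.search(data[-80:])
    if m is None:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def inspect_file(data: bytes) -> dict:
    """Classify one file image. Assumes (as the description guesses) that the
    second hex field is the length of the virus body prepended to the host."""
    report = {"is_elf": data.startswith(ELF_MAGIC), "marker": None,
              "variant": None, "host_header_at_offset": False}
    marker = parse_marker(data)
    if marker is None:
        return report
    version, length = marker
    report["marker"] = marker
    report["variant"] = KNOWN_VARIANTS.get(length, "Bliss (unknown length)")
    # The host body was shifted down by the virus length, so the original ELF
    # header should reappear at exactly that offset; a corroborating signal.
    report["host_header_at_offset"] = data[length:length + 4] == ELF_MAGIC
    return report


# Constructed sample images (no real virus code): a fake ELF host, and the same
# host with a 0x45e4-byte zero-filled stub prepended and the Bliss.a trailer.
HOST = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"host program body"
VIRUS_STUB = ELF_MAGIC + b"\x00" * (0x45E4 - len(ELF_MAGIC))
INFECTED = VIRUS_STUB + HOST + b"infected by bliss: 00010002:000045e4\n"

if __name__ == "__main__":
    for name, image in (("clean", HOST), ("infected", INFECTED)):
        print(name, inspect_file(image))
```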