Date:      Tue, 11 Feb 1997 09:40:43 -0500 (EST)
From:      Vic Metcalfe <vam@recruiter.on.ca>
To:        David Langford <langfod@dihelix.com>
Cc:        questions@freebsd.org
Subject:   Re: "McAfee discovers a Linux virus" Possible for *BSD?
Message-ID:  <Pine.BSF.3.91.970211092122.15803A-100000@recruiter.on.ca>
In-Reply-To: <199702101951.JAA15126@caliban.dihelix.com>

On Mon, 10 Feb 1997, David Langford wrote:

> Just saw this on a local wire.  Is this an ELF thing or could it
> be more generic?

I assume you are referring to the "bliss" virus.  Alan Cox, who is a major
Linux developer analysed the program and posted to the linux kernel
development mailing list on this subject.  The short of it is that all 
unix type operating systems can be attacked this way, but it will only 
spread if you have write permissions on your executable binaries, which 
generally means you run as root.  Most experienced unix users do not run 
suspect binaries as root, and so are not vulnerable.  I've included both 
Alan's posting, and a posting I presume is from the author.  The author 
posted a copy of the virus too, but I didn't bother looking at it so I 
don't know if it was in source or binary form.

Here is the text of Alan's message:

-------------------------------------------------------------------------
Subject:      Bliss: The Facts
From:         alan@lxorguk.ukuu.org.uk (Alan Cox)
Date:         1997/02/08
Message-Id:   <m0vt1Wo-0005FcC@lightning.swansea.linux.org.uk>
Sender:       owner-Linux-Kernel@vger.rutgers.edu
Content-Type: text
X-Hdr-Sender: alan@lxorguk.ukuu.org.uk 
X-Env-Sender: owner-Linux-Kernel-Outgoing@vger.rutgers.edu
Newsgroups:   linux.dev.kernel
1.      Bliss is a real program

2.      It's really a trojan rather than a virus, but has a few simple worm
        like properties.

It works like this

        When it runs it attempts to replace some system binaries with itself
        and move the system binaries into /tmp/.bliss. Having done this
        it runs /tmp/.bliss/programname

        In order for it to succeed it means someone has pulled binary only
        code from a third party and run it at some point as root or a
        suitably privileged user. People should NEVER be doing that anyway

        The technique used is totally portable, it will work under any OS,
        regardless of security because it does not circumvent the security
        of the system, it relies on people with privilege to do something
        dumb

        The second attack it makes which is fairly crude is to try and rsh
        to other machines and stage attacks on those. Thus given a set of
        machines which totally trust each other it can spread.

Bliss is (fortunately) a mere toy and a demonstration of these techniques.
With any OS you must be careful what you install. With a protected mode
OS like Linux a user cannot do untold damage to others but root can. The
recent demonstrations of things like an activeX object that looks for
credit details in windows95 money and access databases is hopefully a 
reminder to all
o       Use a distribution that lets you verify packages are ok and
        preferably uses digital signatures

o       Install using sources from reputable sites. Check digital 
        signatures on what you are installing

Whatever the OS, whatever the security.....
Alan

-----------------------------------------------------------------------

Subject:      First Linux virus exists!#$
From:         Byron Faber <byron@morticia.physics.colostate.edu>
Date:         1997/02/09
Message-Id:   <5dj5d7$414m@yuma.ACNS.ColoState.EDU>
X-To:                 linux-Security@vger.rutgers, edu@rs3.internic.net,
To:           BUGTRAQ@netspace.org

A few months back, a very alpha version of bliss got posted. That shouldn't
have happened, but, it was pretty much ignored so I didn't worry about it.
But now it seems there's a bit of a fuss about this. I'll post the current
version, which I haven't really worked on in months.

The original binary is now properly run. I had forgotten to check the path.

This is a VIRUS. DO NOT RUN IT IF YOU DO NOT KNOW WHAT YOU ARE DOING. DO
NOT ASSUME YOU ARE SAFE JUST BECAUSE YOU ARE NOT RUNNING AS ROOT.

I have not tested this running free on a system. I tested it infecting a
single directory, and I tested it pretending that it was infecting the
whole filesystem. But I did not run these tests on the current version.  In
fact, I have run very few tests on the current version - there have been
enough changes since the last tests I ran and last good look at the code I
gave that I can not consider this anything more than an alpha version. I
felt it important to release a believed-to-be working version though, since
many people seem concerned about this program.

Let me reiterate. THIS IS A VIRUS. IF YOU RUN THIS PROGRAM, YOU STAND A
GOOD CHANCE OF FUCKING YOUR SYSTEM UP PRETTY BAD.

This virus does some trivial worm things. Be careful. Oh, they are only
slightly tested, and nowhere near complete (if you saw my todo list, it
would give you nightmares).

I have compiled this with debugging verbosity on.

There are certain command-line arguments that do certain things.

Bliss does nothing intentionally destructive. Bliss may well do
accidentally destructive things. I have tried to be careful about errors
and unlikely conditions causing problems, but this is a virus. And one that
has undergone some changes since it was last given any real testing.

Bliss is not expected to survive in the wild. I have written this as proof
that a unix virus is possible, and because it is a fun program.
