[plug] Virus particulars

Leon Brooks leon at brooks.fdns.net
Sun Apr 28 16:57:12 WST 2002


I did a bit of research today on Linux and viruses, and in the best GPL 
spirit, thought I'd share it with you.

Symantec's DB returns the following viruses etc for a query on `Linux' (-: and 
I've ignored hits on Linux in the `systems NOT affected' attribute :-) -

Name.Of.Virus  Population/Damage/Virility

Linux.Lion.Worm Low/Medium/Low
Linux.Ramen.Worm Medium/Medium/Medium
Linux.Adore.Worm Medium/Medium/Medium (AKA Linux.Red)
Linux.Cheese.Worm Low/Low/Low
Linux.ADM.Worm ?/?/?

    These exploit holes in obsolete services. No major current Linux
    distribution (and very few if any minor ones) is vulnerable to
    them. In order to be vulnerable to the first two, you generally
    have to make some fairly thick security decisions anyway. The
    site hosting the third one's payload has closed. The fourth one
    actually *fixes* some of the damage done by Lion. AFAICT, all
    are x86-only.

Linux.Jac.8759 Low/Low/Low

    The user has to run a binary, and it infects executables in the
    $PWD directory in which it is run (ie, for most users, nothing).
    It is x86-only.

    Jac was announced by vnunet as `the first to hit the platform in
    three months', compare this with Windows' average of _daily_. It
    was with some voyeuristic pleasure that I also read this:

    `Linux users typically crow about how much more secure it is than
    the Windows platform, but this time they may be justified as Jac
    has only been branded as a low threat. It is not expected to
    spread in the wild and causes little damage.'

Linux.Hijacker.Worm Low/Low/Medium

    Your system basically has to be already broken by another trojan
    (ie have a network-accessible root shell) before Hijacker can do
    anything. Like Cheese, it actually removes other worms and closes
    up some well-known security errors. Apparently x86 only.

Linux.Backdoor.IN ?/?/? (probably AKA Linux.OSF.8759)

    Infected files have to be run by the user; in order for infection
    to spread to system files, the user must be root. Opens a UDP
    backdoor at or above port 3049 which listens for toolkit commands.
    This is excessively sneaky: it bails out if it's being debugged
    or if the system has only been up for a few minutes. The payload
    is modular (ie potentially updateable).

Linux.RST.A ?/?/?
Linux.RST.B ?/?/?

    Similar to the above, but looks for an EGO (Exterior Gateway
    Protocols) packet with a special sequence of data and may as a
    consequence open a port pointed at a rootshell. Ironically,
    RST.B was propagated as part of another exploit kit: it was
    launched on and by people thinking that they were `only' using a
    toolkit to gain access to someone else's box.

W32.Peelf.2132 Low/Low/Low

    This is a multiplatform proof-of-concept virus and has not been
    seen in the wild. In Linux, it will only spread within $PWD and
    also leaves obvious tracks (files get bigger).
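Both Jac and Peelf are described above as infecting executables in the current directory and leaving a visible tell (files get bigger). The script below is an added example, not part of the original post: it takes a size and SHA-256 baseline of the executables in one directory and later reports any that grew or changed. It assumes a Linux box with GNU find, stat, sha256sum and awk; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal integrity baseline for
# the executables in a directory, catching the "files get bigger" symptom the
# post describes for Jac and Peelf. Assumes GNU find/stat/sha256sum/awk.

# Record "size<TAB>sha256<TAB>path" for every regular executable in $1 into $2.
baseline_dir() {
    dir=$1; out=$2
    find "$dir" -maxdepth 1 -type f -perm -u+x | sort | while read -r f; do
        printf '%s\t%s\t%s\n' "$(stat -c %s "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done > "$out"
}

# Rescan $1 and compare with baseline $2. Prints one line per new or changed
# executable (with old -> new size) and returns 1 if anything differs.
check_dir() {
    dir=$1; base=$2; tmp=$(mktemp)
    baseline_dir "$dir" "$tmp"
    # First pass loads the baseline keyed by path; second pass is the new scan.
    if awk -F'\t' 'BEGIN { bad = 0 }
         FILENAME == ARGV[1] { bsize[$3] = $1; bhash[$3] = $2; next }
         !($3 in bsize)     { print "NEW      " $3; bad = 1; next }
         $2 != bhash[$3]    { print "CHANGED  " $3 " size " bsize[$3] " -> " $1; bad = 1 }
         END { exit bad }' "$base" "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: baseline_dir /usr/local/bin ~/.bin-baseline
#        check_dir    /usr/local/bin ~/.bin-baseline   (exit 1 = something changed)
```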

Linux.Pavid NOT/REALLY/VIRUS (aka Linux.Alfa)

    Included in a collection of viruses sent to McAfee AVERT (ie
    apparently not in the wild), it does not actually spread by
    itself and has to be told what to `infect'.

Linux.Quasi NOT/REALLY/VIRUS
Linux.Elend NOT/REALLY/VIRUS
Linux.Dido NOT/REALLY/VIRUS
Linux.Cron NOT/REALLY/VIRUS
Linux.Obsid.gen NOT/REALLY/VIRUS
Linux.Emwerm.Worm NOT/REALLY/VIRUS
Linux.Kork.Worm NOT/REALLY/VIRUS
Linux.Eriz.Int NOT/REALLY/LINUX
Linux.Abulia NOT/REALLY/LINUX
Linux.Abditive.Worm NOT/REALLY/VIRUS
Linux.Silv5444 NOT/REALLY/VIRUS
Linux.Siilov.5916 NOT/REALLY/VIRUS
Linux.Dummy NOT/REALLY/VIRUS
Linux.Orig NOT/REALLY/VIRUS

    Doesn't seem to be known to other virus co's. May be an AKA for
    another virus. Symantec don't supply *any* details, not even a
    threat rating.

    Many of these are said to infect .COM and/or .EXE files; it
    appears that the only Linux reference is in the name. Maybe someone
    was trying to establish a market presence? )-:

Linux.Satyr NO/PAYLOAD
Linux.Diesel NO/PAYLOAD
Linux.Kagob NO/PAYLOAD
Linux.Nuxbee.1411 NO/PAYLOAD (also only runs if user is in admin group)
Linux.Lotek NO/PAYLOAD (AKA Linux.Winter)
Linux.Zipworm NO/PAYLOAD
Linux.Vit.4096 NO/PAYLOAD (second ever Linux virussy thing after Bliss)

    No action other than infection (proof-of-concept?).

JS.Radex.mirc NOT/REALLY/LINUX

    This is actually a Windows worm, propagating through MIRC, which attacks
    (pointlessly) any .sh files it finds.

W32.Prolin.Worm NOT/LINUX

    This is a Windows worm that renames filetypes to include the word LINUX
    (-: specifically, `change atleast now to LINUX' :-).

Linux.Penguin Low/Low/Low

    User has to run it as root; it mails off `system password file'
    presumably including /etc/shadow.

Linux.Mandragore.666 NOT/LINUX
Linux.Dies.969 NOT/LINUX (`Die' is a family of Windows worms)

    This is a Windows worm. Kaspersky don't even mention `Linux' in
    connection with it.

Linux.Doggie NOT/LINUX

    This is a Word macro virus. Kaspersky don't mention `Linux' in
    connection with it.

Linux.DoS.Trinoo.ns ?/?/?
Linux.DoS.tfn2k.tfn ?/?/?
Linux.DDoS.MStream ?/?/?

    These are DDoS toolkits; they are payloads, not viruses in themselves.

Perl.Rans

    Cross-platform, and a Linux user has to run them by hand.

Linux.Bliss.A ?/?/?
Linux.Bliss.B ?/?/?

    These are hilarious. This has to be the politest virus ever. Other than
    growing files, they do no damage, keep track of what's been infected,
    and if any infected program is run with a particular option,
    disinfects itself. (-:

    Quote from `The Answer Guy' in 1998: Although there has been one "virus"
    for Linux (Bliss, a piece of sample code that actually managed to
    honestly infect a couple of users), they are simply not a problem for
    Linux, FreeBSD, or other Unix users. 

CONCLUSIONS

*   8 Linux worms, two of which fix problems, all of which either rely on
    obsolete services or the root user running stuff; plus

*   8 proof-of-concept or `demo' viruses that don't do anything but infect,
    and one of which will disinfect on demand; plus

*   3 viruses which require the user to run them (Jac, Penguin and
    Perl.Rans); totalling...

19 infection agents, all either pathetic or obsolete, and only 2 of which will 
work at all on other than x86 platforms. Not bad for roughly 30,000 
variations on 4,000 virus families. That's 0.5% of the total (ie 200x fewer 
viruses) and all of them useless on a server, difficult to deploy on a 
workstation.

It's worth noting that `Linux' worm attacks (some of them will probably run on 
BSDs etc because they are x86 within an app) are generally fixed by closing 
the hole, sometimes within hours of discovery, but Windows worm attacks are 
often dealt with first by taking the service offline or adding virus scanner 
definitions, and followed up with a fix (and on several occasions a defective 
fix) weeks-to-months later.

Lest we get too cocky, there are *no* viruses for FreeBSD (although Ramen did 
actually have some code, it was never activated), OpenBSD, NetBSD, Solaris, 
HP-UX, Digital UNIX and many other systems. Solaris is only reported as 
having one (SadMind, which also attacks Microsoft IIS) by the virus 
companies.

Macintoshes are more vulnerable from Microsoft Office macro viruses than from 
native infectors. I guess there's a message there.

All virus-scanner manufacturers - I suspect scenting a new market - got 
really, really excited when Ramen hit, and again when Lion (1i0n) hit. No 
major Linux distributions ship with any vulnerabilities; most have not 
exposed a serious and exploitable vulnerability in the default configuration 
in over a year (and that's counting *all* services shipped); contrast this 
with OpenBSD's record of over 4 years, and Windows' record of about a week 
(in Windows XP's case, they actually have a negative record: showstopper 
cracks were released many weeks before the actual product).

Cheers; Leon
