platform independent virus..win32/linux
Results 1 to 9 of 9

Thread: platform independent virus..win32/linux

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    Exclamation platform independent virus..win32/linux

    interesting read here...


    http://sarc.com/avcenter/venc/data/linux.simile.html

    Linux.Simile
    Discovered on: May 22, 2002
    Last Updated on: May 29, 2002 at 08:58:01 PM PDT


    {Win32,Linux}/Simile.D is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It is the first known polymorphic metamorphic virus to infect under both Windows and Linux. The virus contains no destructive payload, but infected files may display messages on certain dates. It is the fourth variant of the Simile family. This variant introduces a new infection mechanism on Intel Linux plaforms, infecting 32-bit ELF files (a standard Unix binary format). The virus infects PE files as well as ELFs on both Linux and Win32 systems. So far Symantec has not received any submission of this virus from customers.

    When the virus is first executed, it checks the current date. If the virus host is PE file, then on the 17th of March or September, a message box is displayed that looks like the following:

    If the host is an ELF file, then on the 17th of March or the 14th of May, the virus attempts to output a text message to the console similar to the caption of the message box:

    The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, used two separate routines to carry out the infection on PE and ELF files. On the other hand Simile.D shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.

    The virus was confirmed to infect successfully under versions 6.2, 7.0 and 7.2 of Red Hat Linux, and it very likely works on most other common Linux distributions.

    Infected files will grow by about 110KB on average, but the size increase is variable due to the shrinking and expansion capability of the metamorphic engine and to the insertion method.
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Always the harbinger of bad news. Interesting reading. Thank God for FreeBSD!!!
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    *sigh* I somehow remember suddenly losing all faith in McAfee back when they announced "discovering the very first Linux virus." (the second time was when I couldn't get one of their scanners to discover the EICAR test virus, even when I specifically scanned the file)

    (and yes, I realize this is Symantec/Norton spouting off this time...)

    In any case, what I'm wondering (and I may be showing a little bit of ignorance here), if there really are linux virii, what exactly is the spreading mechanism? I mean, in order to infect files on a machine, they'd probably have to get r00t at some point and attach themselves to a kernel module or process... and, well, technically if they do that, they're a trojan, right? Yeah, yeah... I'm possibly mincing words, but... sure... I buy that I can probably execute someone else's script or binary and it can attach itself to my current shell and then use that to possibly infect other things that I have write permission to, etc. But...

    ...does anyone see where I'm going here, or am I just rambling?

    Me, being a predominantly Solaris/SysV and OpenBSD type... well... I'm just not used to dealing with inherantly insecure boxen, unless they're blazingly fast Winblowz machines sitting behind a firewall that are used to run (almost) nothing but games. (Yes, I harden and pen test heterogenous environments, but my box-of-choice isn't one of these machines)
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    if there really are linux virii, what exactly is the spreading mechanism? I

    I'm not a linux guy but i did find some interesting...if technical stuff..



    http://www.lwfug.org/~abartoli/virus...g-HOWTO/_html/

    http://www.big.net.au/~silvio/

    http://www.kryptocrew.de/snakebyte/e/Shellvir.txt


    (and no i didn't read it all...i'm NOT a linux guy... )
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  5. #5
    God damnit sorry everyone..I didn't mean for that to get in the wild like this

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    121
    interesting find, particularily the cross platform part, would be nice be able to use that multiplatform part on helpfull apps..hmm
    what is love but contempt for hate?

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    But didn't symantic say that it wasn't in the wild?

    So far Symantec has not received any submission of this virus from customers.
    what does this mean.. I thought it was "lets scare these linux geeks into buying our warez"


    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Ok, time for a dumb question. If it hasn't been submitted by any customers, how do they know about it?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    i suspect it was submitted as proof of concept by the writer...lots of the most interesting stuff i see on av vendors sites is this kind of thing...(i've pretty much stopped posting word macro and outlook exlpoits...unless they're in very high circulation...) this was obviously the work of some really smart coder...no kiddie work here...i could be wrong but it was probably sent in just to say hey look what i did...it's non destructive...and not in the wild...

    of course...it'll probably get shared with close friends...one of which will give it to the wrong person...who will modify it...add a destructive paylod...and off we go...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •