
Thread: platform independent virus..win32/linux

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    platform independent virus..win32/linux

    interesting read here...


    http://sarc.com/avcenter/venc/data/linux.simile.html

    Linux.Simile
    Discovered on: May 22, 2002
    Last Updated on: May 29, 2002 at 08:58:01 PM PDT


    {Win32,Linux}/Simile.D is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It is the first known polymorphic metamorphic virus to infect under both Windows and Linux. The virus contains no destructive payload, but infected files may display messages on certain dates. It is the fourth variant of the Simile family. This variant introduces a new infection mechanism on Intel Linux platforms, infecting 32-bit ELF files (a standard Unix binary format). The virus infects PE files as well as ELFs on both Linux and Win32 systems. So far Symantec has not received any submission of this virus from customers.

    When the virus is first executed, it checks the current date. If the virus host is a PE file, then on the 17th of March or September, a message box is displayed that looks like the following:

    If the host is an ELF file, then on the 17th of March or the 14th of May, the virus attempts to output a text message to the console similar to the caption of the message box:

    The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, used two separate routines to carry out the infection on PE and ELF files. On the other hand Simile.D shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.

    The virus was confirmed to infect successfully under versions 6.2, 7.0 and 7.2 of Red Hat Linux, and it very likely works on most other common Linux distributions.

    Infected files will grow by about 110KB on average, but the size increase is variable due to the shrinking and expansion capability of the metamorphic engine and to the insertion method.
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
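The Symantec write-up quoted above says Simile.D infects both PE and 32-bit ELF executables and that infected files grow by roughly 110KB. The following is an added example, not code from the post or from Symantec: a small integrity check that classifies a binary by its header (PE vs. ELF32/ELF64) and compares a baseline of hashes and sizes against the current state, so an unexplained change in an executable, and by how much it grew, stands out. The file paths and header bytes are constructed for the demonstration.

```python
import hashlib
import struct


def classify(data: bytes) -> str:
    """Return 'pe', 'elf32', 'elf64' or 'other' based on the file header."""
    if data[:4] == b"\x7fELF" and len(data) > 4:
        # EI_CLASS byte: 1 = 32-bit, 2 = 64-bit (Simile.D targets 32-bit ELF).
        return "elf32" if data[4] == 1 else "elf64"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "other"


def fingerprint(data: bytes) -> dict:
    """Record what an integrity baseline needs: kind, size and SHA-256."""
    return {"kind": classify(data), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def compare(baseline: dict, current: dict) -> list:
    """List executables whose content changed or disappeared, with the size delta."""
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
        elif cur["sha256"] != base["sha256"]:
            delta = cur["size"] - base["size"]
            findings.append((path, f"{base['kind']} modified, size delta {delta:+d} bytes"))
    return findings


# Constructed sample headers (hypothetical files, not real binaries).
SAMPLE_ELF32 = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x03\x00"
SAMPLE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"


def demo() -> list:
    """Simulate one ELF32 binary growing by 110000 bytes between two scans."""
    baseline = {"/usr/local/bin/tool": fingerprint(SAMPLE_ELF32),
                "C:/app/app.exe": fingerprint(SAMPLE_PE)}
    current = {"/usr/local/bin/tool": fingerprint(SAMPLE_ELF32 + b"\x90" * 110000),
               "C:/app/app.exe": fingerprint(SAMPLE_PE)}
    return compare(baseline, current)


if __name__ == "__main__":
    for path, note in demo():
        print(path, note)
```

In practice the baseline would be taken from a known-clean system (or package manager metadata) and stored off-box, since an integrity check that lives beside the files it guards can be altered along with them.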

  2. #2
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    Always the harbinger of bad news. Interesting reading. Thank God for FreeBSD!!!
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    *sigh* I somehow remember suddenly losing all faith in McAfee back when they announced "discovering the very first Linux virus." (the second time was when I couldn't get one of their scanners to discover the EICAR test virus, even when I specifically scanned the file)

    (and yes, I realize this is Symantec/Norton spouting off this time...)

    In any case, what I'm wondering (and I may be showing a little bit of ignorance here), if there really are linux virii, what exactly is the spreading mechanism? I mean, in order to infect files on a machine, they'd probably have to get r00t at some point and attach themselves to a kernel module or process... and, well, technically if they do that, they're a trojan, right? Yeah, yeah... I'm possibly mincing words, but... sure... I buy that I can probably execute someone else's script or binary and it can attach itself to my current shell and then use that to possibly infect other things that I have write permission to, etc. But...

    ...does anyone see where I'm going here, or am I just rambling?

    Me, being a predominantly Solaris/SysV and OpenBSD type... well... I'm just not used to dealing with inherently insecure boxen, unless they're blazingly fast Winblowz machines sitting behind a firewall that are used to run (almost) nothing but games. (Yes, I harden and pen test heterogeneous environments, but my box-of-choice isn't one of these machines)
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    if there really are linux virii, what exactly is the spreading mechanism? I

    I'm not a linux guy but i did find some interesting...if technical stuff..



    http://www.lwfug.org/~abartoli/virus...g-HOWTO/_html/

    http://www.big.net.au/~silvio/

    http://www.kryptocrew.de/snakebyte/e/Shellvir.txt


    (and no i didn't read it all...i'm NOT a linux guy... )
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  5. #5
    God damnit sorry everyone..I didn't mean for that to get in the wild like this

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    121
    interesting find, particularly the cross platform part, would be nice to be able to use that multiplatform part on helpful apps..hmm
    what is love but contempt for hate?

  7. #7
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    But didn't Symantec say that it wasn't in the wild?

    So far Symantec has not received any submission of this virus from customers.
    what does this mean.. I thought it was "lets scare these linux geeks into buying our warez"


    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Ok, time for a dumb question. If it hasn't been submitted by any customers, how do they know about it?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    i suspect it was submitted as proof of concept by the writer...lots of the most interesting stuff i see on av vendors sites is this kind of thing...(i've pretty much stopped posting word macro and outlook exploits...unless they're in very high circulation...) this was obviously the work of some really smart coder...no kiddie work here...i could be wrong but it was probably sent in just to say hey look what i did...it's non destructive...and not in the wild...

    of course...it'll probably get shared with close friends...one of which will give it to the wrong person...who will modify it...add a destructive payload...and off we go...
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
