
Unix Virus Query


Terry Arnold
Jul 27, 1994, 10:44:27 PM
I was asked a question today about Unix virus detection utilities and how many
Unix viruses were around. I am now passing the questions on to this august
body.

1. How many confirmed Unix viruses have shown up?

2. What are the effective detection utilities for Unix viruses?

Terry Arnold
tar...@cts.com

Leigh Hart
Jul 29, 1994, 7:12:13 AM
tar...@crash.cts.com (Terry Arnold) writes:

>I was asked a question today about Unix virus detection utilities and how many
>Unix viruses were around. I am now passing the questions on to this august
>body.

>1. How many confirmed Unix viruses have shown up?

don't know...

>2. What are the effective detection utilities for Unix viruses?

daily cron job to calculate checksums for all static system files
and binaries - if changes are detected from one night to the
next diff the files and mail results to root.

There's probably boggins of bundled packages that do the same,
Veriacity is one new one that's getting a lot of noise in a few
groups...

Cheers

Leigh
--
| "By the time they had diminished | Leigh Hart |
| from 50 to 8, the other dwarves | <ha...@eppie.apana.org.au> |
| began to suspect 'Hungry' ..." | C/- PO Box 758 |
| -- Gary Larson, "The Far Side" | North Adelaide SA 5006 |
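The nightly "checksum everything static, diff against last night, mail root" job Leigh describes, written out as an added example (not code from the thread). It uses only POSIX tools (find, cksum, sort, diff, awk); the directory tree, file names and snapshot paths in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal POSIX-shell version of the
# nightly checksum/diff job.  The tree and file names in demo() are made up.

# Write "crc size ./relative/path" for every regular file under $1 to $2.
# Paths are kept relative so two snapshots of the same tree compare cleanly.
snapshot() {
    (cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort -k 3) > "$2"
}

# Turn the diff between last night's snapshot ($1) and tonight's ($2) into
# one line per affected file.  A path seen only on the ">" side is new, only
# on the "<" side is gone, and on both sides has a changed checksum.
report() {
    diff "$1" "$2" | awk '
        /^</ { old[$4] = $2 }
        /^>/ { new[$4] = $2 }
        END {
            for (f in new) {
                if (f in old) print "MODIFIED " f
                else          print "ADDED " f
            }
            for (f in old) if (!(f in new)) print "REMOVED " f
        }' | LC_ALL=C sort
}

# Build a throw-away tree, snapshot it, tamper with it, snapshot again and
# print the report.  From cron the report would go to root instead, e.g.:
#   report "$last" "$tonight" | mail -s "integrity report" root
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tree/bin" "$root/snap"
    printf 'original ls\n'  > "$root/tree/bin/ls"
    printf 'original ps\n'  > "$root/tree/bin/ps"
    printf 'original who\n' > "$root/tree/bin/who"
    snapshot "$root/tree" "$root/snap/night1"

    # Simulate the three things the nightly diff should catch.
    printf 'replaced ps\n' > "$root/tree/bin/ps"      # binary swapped out
    rm "$root/tree/bin/who"                           # binary removed
    printf 'dropped in\n'  > "$root/tree/bin/.hidden" # new file appeared
    snapshot "$root/tree" "$root/snap/night2"

    report "$root/snap/night1" "$root/snap/night2"
    rm -rf "$root"
}

demo
```

Checksums alone do not tell you whether a change was a legitimate update or not; the report is what an administrator reads, which is why Leigh's version mails the diff to root rather than acting on it.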

Bob Bagwill
Jul 29, 1994, 9:29:25 AM
Terry Arnold (tar...@crash.cts.com) wrote:
: I was asked a question today about Unix virus detection utilities and

Maybe it's just me, but I think preventing modifications of executables
is preferable to detecting them after the fact. If your executables
are on a read-only disk/partition, you don't need to run Tripwire
on them every day.

--
Bob Bagwill
rbag...@nist.gov

Vesselin Bontchev
Aug 3, 1994, 11:48:05 AM
Terry Arnold (tar...@crash.cts.com) writes:

> 1. How many confirmed Unix viruses have shown up?

If by "Unix viruses" you mean "viruses specific for the Unix
platform", then I have seen three of them, plus one worm, and am aware
of the existence of at least another one (virus). Of them, only one
virus and the worm have been found in the wild.

If by "Unix viruses" you mean "just any kind of computer virus, if it
is found on a Unix machine", then there are many more cases. First, we
regularly get reports of Master Boot Sector infectors that have
infected an IBM PC compatible running some brand of Unix. Many people
seem to ignore that the MBR infectors are not OS-specific and can
infect *any* IBM PC, regardless of the OS it runs.

Second, we often have cases when a Unix machine is used as a file
server for MS-DOS files, and then the files on it can easily become
infected from an MS-DOS workstation - although the Unix OS itself is
not infected.

> 2. What are the effective detection utilities for Unix viruses?

Since Unix has discretionary access controls, you don't need behaviour
blockers. This leaves the other two kinds of anti-virus programs -
integrity checkers and scanners. A good integrity checker is Tripwire.
I am not aware of a good and free Unix-based scanner, but I know that
Peter Radatti would be happy to sell you a commercial one.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Fachbereich Informatik - AGN, Vogt-Koelln-Strasse 30, rm. 107 C, 22527 Hamburg, Germany
Tel.: +49-40-54715-224, Fax: +49-40-54715-226
e-mail: bont...@fbihh.informatik.uni-hamburg.de
< PGP 2.3 public key available on request. >

Dan Kappus
Aug 6, 1994, 6:57:46 PM

: If by "Unix viruses" you mean "just any kind of computer virus, if it
: is found on a Unix machine", then there are many more cases. First, we
: regularly get reports of Master Boot Sector infectors that have
: infected an IBM PC compatible running some brand of Unix. Many people
: seem to ignore that the MBR infectors are not OS-specific and can
: infect *any* IBM PC, regardless of the OS it runs.
Explain this for the uniformed, please.

Paul Ferguson
Aug 6, 1994, 11:21:03 PM
Dan Kappus (danka@news-server) wrote:


What this means, basically, is that MBR (master boot record) infectors
of this nature use BIOS level interrupt calls to perform their deeds
prior to DOS (or any other OS) loading. So it really wouldn't matter if
you had LINUX running on an 80x86 platform -- if you boot accidentally
with an infected diskette, *poof*, it's done its work.

This, of course, only applies to the INTEL processor platform.
It _is_ the most widely _used_ platform on the planet, like it
or not.

Cheers,

_______________________________________________________________________________
Paul Ferguson, US Sprint, Managed Network Engineering
Herndon, Virginia USA
tel: 703.904.2437, internet: pa...@hawk.sprintmrn.com

Adam Roach
Aug 7, 1994, 2:09:36 AM

For which branch of the armed forces do you want me to explain it?
--

---------------------------------------------------------------------------
Adam Roach --- ad...@tamu.edu --- PGP 2.6 Public Key Available
----------------- WWW URL: http://ftp.tamu.edu/~abr8030 -------------------

Vesselin Bontchev
Aug 8, 1994, 8:12:13 AM
Dan Kappus (danka@news-server) writes:

> : infected an IBM PC compatible running some brand of Unix. Many people
> : seem to ignore that the MBR infectors are not OS-specific and can
> : infect *any* IBM PC, regardless of the OS it runs.

> Explain this for the uniformed, please.

When an IBM PC compatible machine is turned on, its BIOS reads the
first physical sector of the first floppy disk, or, if not available,
of the first physical hard disk, and transfers control to it. The
first physical sector of the hard disk is called the Master Boot Record,
or MBR. It contains information about the logical partitions of the
hard disk, and a small program that finds the bootable partition,
reads its first logical sector, and transfers control to it. This
sector usually contains a program to locate the files containing the
operating system, to load them in memory, and to transfer control to
it.

Note that at the time when either of the two boot sectors is executed,
there is no operating system in memory. Therefore, the fact that the
disk contains an operating system like Unix that provides protection
and so on is irrelevant - because the boot sectors run while this
operating system is not present yet.

A typical MBR infector works in the following way. When you forget an
infected floppy in the first floppy disk drive of your computer at
boot time, the virus installs itself in memory and immediately infects
the MBR of the hard disk. The infected diskette does not have to be
bootable - all that is needed is that it is formatted (it could even be
empty) and its boot sector is infected. The next time you boot from
the hard disk, the virus in the MBR gets control. If you now load an
operating system with memory protection (e.g., Unix or OS/2), the
virus is usually "disconnected" - in the sense that it is unable to
infect further. However, the machine *is* infected, regardless of the
fact that it doesn't run Messy-DOG and is unable to spread the
infection further. Also, if the virus does any intentional damage at
boot time (as the Michelangelo virus does), it *will* be able to cause
it, because it will cause it when the operating system is not loaded
yet and thus provides no protection.

All this might look more like a useless mental exercise to you, the
Unix types, but we had a serious case when a company had distributed
Michelangelo-infected Xenix installation disks - and since you have to
*boot* from those disks...

Dan Kappus
Aug 9, 1994, 10:05:32 PM
Adam Roach (ad...@spam.tamu.edu) wrote:

: In article <Cu4yG...@versant.com>, Dan Kappus <danka@news-server> wrote:
: }
: }: If by "Unix viruses" you mean "just any kind of computer virus, if it
: }: is found on a Unix machine", then there are much more cases. First, we
: }: regularly get report of Master Boot Sector infectors that have
: }: infected an IBM PC compatible running some brand of Unix. Many people
: }: seem to ignore that the MBR infectors are not OS-specific and can
: }: infect *any* IBM PC, regardless of the OS it runs.
: }
: }Explain this for the uniformed, please.

: For which branch of the armed forces do you want me to explain it?

Ack. Pardon me. I mean uniNformed.

: ---------------------------------------------------------------------------
: Adam Roach --- ad...@tamu.edu --- PGP 2.6 Public Key Available
: ----------------- WWW URL: http://ftp.tamu.edu/~abr8030 -------------------

-----------------------------------------------------------------------------
-da...@photobooks.gatech.edu dankac...@igc.apc.org
mathcs.emory.edu!tmewarp.atl.ga.us!danka
As said by David Smith: "The horror of our existence is when we find out who we really are." Guess. Pick, I'm one of em.


John Shardlow
Aug 10, 1994, 9:06:31 AM
|> This, of course, only applies to the INTEL processor platform.
|> It _is_ the most widely _used_ platform on the planet, like it
|> or not.

NOT.

--
+----------------------------------+
| John Shardlow |
| jsha...@london.micrognosis.com |
| jo...@iceberg.demon.co.uk |
+----------------------------------+

Christopher Samuel
Aug 10, 1994, 9:50:58 AM
In article <tarnold.4...@crash.cts.com> of comp.security.unix,
tar...@crash.cts.com (Terry Arnold) doodled:

> I was asked a question today about Unix virus detection utilities and
> how many Unix viruses were around. I am now passing the questions on
> to this august body.
>
> 1. How many confirmed Unix viruses have shown up?

There are 3 entries in the Virus Test Center (University of Hamburg)
list of Unix viruses, with one of them being the Internet worm (NB they
do classify it as a worm, not a virus).

The other two are the AT&T Attack virus (shell script) that was written
by an unnamed UNIX Security specialist at AT&T Bell Labs as an
experiment, and has been published, and the VMAGIC virus (COFF binary
infector), which had its C source published.

One of the notes on the VMAGIC virus is:

* 5) The virus as published will run on System V.2 on 68000 (Mac etc)
* only; these systems have 3 segments (.text, .data, .bss). Other
* versions and hardware platforms need more (specialised) segments not
* specified in published virus.

For more info look at:

ftp.uws.edu.au:/pub/unix/security/virus/texts/catalog/unixvir.zip

> 2. What are the effective detection utilities for Unix viruses?

Try something like Tripwire, which checks file integrity; it's
well worth it.

Chris
--
Christopher Samuel Phone: +44 684 895311 ch...@rivers.dra.hmg.gb
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
The UK-PAGANS mailing list - solely for pagans in the United Kingdom.
Send "info uk-pagans" to majo...@mono.city.ac.uk for information.

Shawn Mamros
Aug 10, 1994, 10:51:52 AM
bed...@teal.csn.org (Bruce Ediger) writes:
>Why is VMS left out of all this fooforaw? There have been at least
>2 separate VMS/DECnet worms, each of which had 2 major variants.
>I believe this to be a "conspiracy of silence" to protect the alleged
>good name of VMS security.

Probably because the original poster asked about UNIX only... :-)

VMS and DECnet Phase IV certainly haven't been entirely immune from
security problems; the only reason they don't tend to be talked about
as much is that there are fewer VMS machines around, and you don't have
a true real-world equivalent of the TCP/IP-speaking Internet for the
DECnet protocol where serious troublemakers lurk about.

(Note: I've removed comp.security.unix out of the Followup-To: line,
for obvious reasons...)

-Shawn Mamros
E-mail to: mam...@ftp.com

Sten Drescher
Aug 10, 1994, 11:32:20 AM
In article <321tr0$a...@news.tamu.edu>, ad...@spam.tamu.edu (Adam Roach) writes:

AR> regardless of the OS it runs. } }Explain this for the uniformed,
AR> please.

AR> For which branch of the armed forces do you want me to explain it?
AR> --

The US Marines - then anyone can understand it ;-)
--
Sten Drescher, s...@floyd.brooks.af.mil
2709 13th St #1248, Brooks AFB, TX 78235
RIPEM and PGP public keys available via finger
#include <disclaimer.h>
"That's not funny."
-George Stephanopoulos, when Leon Panetta said about a group of
visiting children: "I thought they were the White House staffers,"
quoted in Newsweek.

Bruce Ediger
Aug 10, 1994, 12:11:12 PM
ch...@rivers.dra.hmg.gb (Christopher Samuel) wrote:
>There are 3 entries in the Virus Test Center (University of Hamburg)
>list of Unix viruses, with one of them being the Internet worm (NB they
>do classify it as a worm, not a virus).

Why is VMS left out of all this fooforaw? There have been at least

Cheryl Haaker
Aug 11, 1994, 1:17:51 PM
In article <940810...@cavedog.ftp.com>, mam...@ftp.com (Shawn Mamros) writes:
>bed...@teal.csn.org (Bruce Ediger) writes:

The dirty little secret is out! If you don't change the default
passwords that come with a VMS system, or if you let your users use
their usernames as their passwords, VMS is penetrable!!!

>>Why is VMS left out of all this fooforaw? There have been at least
>>2 separate VMS/DECnet worms, each of which had 2 major variants.
>>I believe this to be a "conspiracy of silence" to protect the alleged
>>good name of VMS security.

The WANK and OILZ worms? OILZ was a variant of WANK. They "broke" in
by using the default passwords, then took it from there.

[...] text deleted

>VMS and DECnet Phase IV certainly haven't been entirely immune from
>security problems;

Sad but true.

> the only reason they don't tend to be talked about
>as much is that there are fewer VMS machines around,

Also true... but you don't need as many to support an equivalent number
of users. 1 PC/person, 1 Unix/person (everybody has a workstation, right?)
but 1 VMS/...well, we have 2000 users. This is not actually a lot.

> and you don't have
>a true real-world equivalent of the TCP/IP-speaking Internet for the
>DECnet protocol where serious troublemakers lurk about.

What about NASA's HEPnet and SPAN? What about DEC's own EasyNet? The
NASA net(s) were where the DECnet worms ran free; what goes on within
the EasyNet is not always publicized...

Cheryl K. Haaker, haa...@technet.nm.org
New Mexico Technet, Albuquerque, NM
(505) 345-6555 fone, (505) 345-6559 fax
"Keeping That Fur Flying"

DFRussell
Aug 11, 1994, 3:55:59 PM
[...]

>>the only reason they don't tend to be talked about
>>as much is that there are fewer VMS machines around,
>
>Also true... but you don't need as many to support an equivalent number
>of users. 1 PC/person, 1 Unix/person (everybody has a workstation, right?)
>but 1 VMS/...well, we have 2000 users. This is not actually a lot.

Nice troll.

--
Disclaimer: I don't speak for Martin Marietta or the EPA.
----------------------------------------------------------
russel...@unixmail.rtpnc.epa.gov, Martin Marietta TSI,
P.O. Box 14365, MD-4501-1B, Research Triangle Park, NC 27709

Vesselin Bontchev
Aug 12, 1994, 4:46:40 AM
Cheryl Haaker (haa...@technet.nm.org) writes:

> >>Why is VMS left out of all this fooforaw? There have been at least
> >>2 separate VMS/DECnet worms, each of which had 2 major variants.
> >>I believe this to be a "conspiracy of silence" to protect the alleged
> >>good name of VMS security.

> The WANK and OILZ worms? OILZ was a variant of WANK. They "broke" in

No, WANK/OILZ count as two variants of one worm. I guess by the other
one he means the Father Christmas worm, but I was unaware that there
have been two variants of it...

Bruce Ediger
Aug 12, 1994, 11:29:59 AM

I wrote, some time in the past, and a bit too emotionally:

>> >>Why is VMS left out of all this fooforaw? There have been at least
>> >>2 separate VMS/DECnet worms, each of which had 2 major variants.
>> >>I believe this to be a "conspiracy of silence" to protect the alleged
>> >>good name of VMS security.

Cheryl Haaker (haa...@technet.nm.org) writes:
> The WANK and OILZ worms? OILZ was a variant of WANK. They "broke" in

bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>No, WANK/OILZ count as two variants of one worm. I guess by the other
>one he means the Father Christmas worm, but I was unaware that there
>have been two variants of it...

I base my claim that the Father Xmas worm had 2 variants on Report
SPAN-027, "'Father Christmas' Worm Report". I quote: "On Friday
January 13, 1989 a worm, nearly identical to the Father Christmas Worm,
entered the Digital Equipment Corporations (DEC) internal network,
called Easynet."

This doesn't seem like enough evidence to say "each of which had 2 major
variants". After re-reading Longstaff & Schultz, "Beyond Preliminary
Analysis of the WANK and OILZ Worms: A Case Study of Malicious Code",
I think I worded my statement way too strongly, for which I apologize.

It should say: "There have been 2 separate DECnet/VMS worms, each of which
had some minor variants."

Sincerely,
Bruce Ediger

Padgett 0sirius
Aug 12, 1994, 12:22:29 PM
In article <32fctg$i...@rzsun02.rrz.uni-hamburg.de> bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>No, WANK/OILZ count as two variants of one worm. I guess by the other
>one he means the Father Christmas worm, but I was unaware that there
>have been two variants of it...

Sounds right to me. Father Christmas hit SPAN machines before Morris, AFAIR.
Not to be confused with CHRISTMA - that was IBM. WANK (Worms Against Nuclear
Killers) was later, like 1990-91.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.4 Public Key Available
