Akhil K
Viruses are programs that can copy themselves and infect a computer. Viruses are becoming more prominent. Windows is prone to attack. Is Linux safe enough? Are there viruses for Linux?
- What are viruses
- Linux virus: possibilities
- Why is Linux safe
- Examples
- How a Linux virus works
- Antivirus
- Conclusion
- References
Viruses must copy and replicate. A virus must be able to execute itself on the host system and write to the system's memory. It needs administrative permissions. Viruses bind themselves to executables.
Non-resident viruses: search for other hosts, infect them, and finally transfer control to the application program they infected. Resident viruses: load themselves into memory, stay active in the background and infect new hosts when those files are accessed.
There are viruses meant for Linux, as for any other operating system. NUMBERS: 60,000 => WINDOWS (many are dangerous), 40 => MAC, 40 => LINUX (none are dangerous), 5 => UNIX.
- PERMISSIONS
- SECURE SOFTWARE DISTRIBUTION CHAINS
- DIVERSITY OF LINUX DISTRIBUTIONS
- POWERFUL AWARENESS MECHANISM
- OTHER INBUILT FEATURES
Strict and impenetrable. Basic permissions: read, write, execute for Root, User, and Others. A "hostile" executable that a non-root user receives and executes (runs) cannot "infect" the system as a whole.
Only root has full access to the system. Users can damage only their own files. The virus dies out when the user is deleted. Viruses aren't difficult to write on Linux, but they go nowhere other than the user's files.
TECHNIQUE: insert "virus" code into a software package that must run with root privileges. When root installs the software, the virus infects the system.
COUNTER: OPEN SOURCE. Modifications would be found by the large number of programmers working on the source code, and removed. Damage would be quickly repaired.
Linux supports a variety of CPU architectures. Software and other configuration are hugely diverse. The higher the diversity, the tougher the virus is to code.
Powerful awareness mechanism to educate sysadmins. Many Linux communities are in place. Distributions stress limited use of root.
Newly downloaded files from the Internet are not given execute privileges. Linux doesn't depend on file extensions, so renaming executables won't work.
Some distributions sacrifice security for ease of use. E.g., Lindows runs as root by default.
Some of the common Linux viruses are:
- Ramen
- Bliss
- Slapper worm
- Linux.Diesel.962
Internet worm. Affects default installations of Red Hat Linux 6.2 and 7.0. Propagates from one Linux-based server to another. Exploits two known security vulnerabilities. Replaces the default page of the web server with one that contains the following text: RameN Crew - Hackers looooooooooooove noodles.
Not specific. Tries to infect all binaries with write access, and all machines with rsh access. Tries to patch the Linux kernel source to make it more cooperative.
Exploits a vulnerability in xmlrpc.php and AWStats. Opens a backdoor on UDP port 7222. Sends specially crafted HTTP POST requests to hard-coded URLs. Sends GET requests to a range of hard-coded URLs.
Relatively harmless, non-memory-resident parasitic virus. Searches for Linux executable files in system directories and subdirectories, then writes itself into the middle of the file. Moves the original bytes to the end of the file and increases the size of the previous section.
File before infecting:            File after infecting:
    +-------------+                   +-------------+
    |   Header    |                   |   Header    |
    +-------------+                   +-------------+
    |             |                   |             |
    |             |                   |             |
    +-------------+ <- Entry point    +-------------+ <- E.P.
    |Program code |                   | Virus code  |
    +-------------+                   +-------------+
    |             |                   |             |
    +-------------+                   +-------------+
                                      |Program code |
                                      +-------------+
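The infection layout just sketched changes two things a defender can measure without running the file: where the entry point lands and whether the file has grown past what its headers describe. The following is an added example, not code from the slides or from any of the viruses named: two heuristic checks on an ELF64 image, plus a constructed in-memory sample so it runs offline. They are cheap tripwires, not a substitute for a hash baseline of system binaries (a careful infector that also bumps the segment size passes check 1); the point is to show which header fields the layout change touches.

```c
/* Added example (not from the slides): two layout checks that flag the kind
 * of change a parasitic infector leaves in an ELF64 file.  They are heuristics
 * and complement, not replace, a hash baseline of system binaries.  The ELF
 * image is constructed in memory by make_sample_elf(); nothing is read from disk. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy out and sanity-check a little-endian ELF64 header. 1 = ok, 0 = not ELF64. */
static int read_ehdr(const unsigned char *buf, size_t len, Elf64_Ehdr *eh)
{
    if (len < sizeof *eh) return 0;
    memcpy(eh, buf, sizeof *eh);
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0) return 0;
    if (eh->e_ident[EI_CLASS] != ELFCLASS64 || eh->e_ident[EI_DATA] != ELFDATA2LSB) return 0;
    if (eh->e_phentsize != sizeof(Elf64_Phdr)) return 0;
    if ((uint64_t)eh->e_phoff + (uint64_t)eh->e_phnum * sizeof(Elf64_Phdr) > len) return 0;
    return 1;
}

/* Check 1: does the entry point land inside an executable PT_LOAD segment?
 * 1 = yes, 0 = no (entry points somewhere never meant to run), -1 = not ELF64. */
int elf_entry_in_exec_segment(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; uint16_t i;
    if (!read_ehdr(buf, len, &eh)) return -1;
    for (i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD && (ph.p_flags & PF_X) &&
            eh.e_entry >= ph.p_vaddr && eh.e_entry < ph.p_vaddr + ph.p_memsz)
            return 1;
    }
    return 0;
}

/* Check 2: how many bytes lie past the end of every segment and of the
 * section header table?  A clean image has 0; code that was moved to the end
 * of the file, or appended to it, shows up as a positive count.
 * -1 = not ELF64, or a header that points past the end of the buffer. */
long elf_trailing_bytes(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; uint16_t i; uint64_t end;
    if (!read_ehdr(buf, len, &eh)) return -1;
    end = eh.e_phoff + (uint64_t)eh.e_phnum * sizeof ph;
    if (eh.e_shnum && eh.e_shoff + (uint64_t)eh.e_shnum * eh.e_shentsize > end)
        end = eh.e_shoff + (uint64_t)eh.e_shnum * eh.e_shentsize;
    for (i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_offset + ph.p_filesz > end) end = ph.p_offset + ph.p_filesz;
    }
    return end > len ? -1 : (long)(len - end);
}

/* Constructed sample: header + one R+X PT_LOAD covering the whole file +
 * code_len filler bytes.  Returns the image size (64 + 56 + code_len). */
size_t make_sample_elf(unsigned char *out, size_t code_len, uint64_t entry)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_entry = entry; eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_flags = PF_R | PF_X; ph.p_vaddr = 0x400000;
    ph.p_filesz = ph.p_memsz = sizeof eh + sizeof ph + code_len; ph.p_align = 0x1000;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memset(out + sizeof eh + sizeof ph, 0x90, code_len);   /* filler "code" */
    return sizeof eh + sizeof ph + code_len;
}

int main(void)
{
    unsigned char img[1024]; size_t n;
    n = make_sample_elf(img, 32, 0x400000 + 120);        /* entry = first code byte */
    printf("clean:     entry ok=%d trailing=%ld\n",
           elf_entry_in_exec_segment(img, n), elf_trailing_bytes(img, n));
    memset(img + n, 0xcc, 64);                           /* constructed: 64 bytes parked after the segment */
    printf("appended:  entry ok=%d trailing=%ld\n",
           elf_entry_in_exec_segment(img, n + 64), elf_trailing_bytes(img, n + 64));
    n = make_sample_elf(img, 32, 0x500000);              /* entry outside any segment */
    printf("bad entry: entry ok=%d\n", elf_entry_in_exec_segment(img, n));
    return 0;
}
```

Run over real binaries, check 2 needs a small allowance for files that legitimately carry trailing data (some packaging tools append signatures), so treat a non-zero result as a reason to compare against the package's recorded hash rather than as a verdict.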
PTRACE(): ptrace() is a system call that enables one process to *control* the execution of another one. The traced process enters the STOPPED state and informs the tracing process through its wait() call. The tracing process decides what to do.
    #include <sys/ptrace.h>
    long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
'request' determines the action that has to be performed.
    /* target1.c */
    #include <string.h>
    #include <unistd.h>

    int main(void)
    {
        char str[] = "Hello all\n";
        write(1, str, strlen(str));     /* one write() of 10 bytes to standard output */
        return 0;
    }
OUTPUT: Hello all
    /* tracer1.c  (32-bit x86 register names; on x86-64 the fields are orig_rax and rdx) */
    #include <sys/ptrace.h>
    #include <sys/syscall.h>
    #include <sys/user.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        pid_t pid = fork();
        int status;
        long orig_syscall;
        struct user_regs_struct regs;

        if (pid == 0) {
            ptrace(PTRACE_TRACEME, 0, 0, 0);        /* child: let the parent trace me */
            execl(argv[1], argv[1], (char *)NULL);
        } else {
            wait(&status);                          /* child stops on the exec */
            while (1) {
                ptrace(PTRACE_SYSCALL, pid, 0, 0);  /* run to the next syscall entry or exit */
                wait(&status);
                if (WIFEXITED(status)) break;       /* target has finished */
                ptrace(PTRACE_GETREGS, pid, 0, &regs);
                orig_syscall = regs.orig_eax;
                if (orig_syscall == SYS_write) {
                    regs.edx = 3;                   /* third argument of write(): the byte count */
                    ptrace(PTRACE_SETREGS, pid, 0, &regs);
                }
            }
        }
        return 0;
    }
OUTPUT:
    # ./tracer1 /home/rit/target1
    Hel
regs.edx = 3; is the key.
    /* target2.c */
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        printf("user id: %d\n", getuid());
        fflush(stdout);                             /* flush before the exec replaces the process */
        execl("/bin/csh", "csh", (char *)NULL);
        return 0;
    }
OUTPUT:
    user id: 1000
    % id
    uid=1000(rit) gid=100(users) groups=11(floppy),17(audio),18(video),19(cdrom),100(user)
    /* tracer2.c  (32-bit x86: SYS_getuid32 and the eax/orig_eax fields exist only on i386) */
    #include <sys/ptrace.h>
    #include <sys/syscall.h>
    #include <sys/user.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        pid_t pid = fork();
        int status, in_syscall = 0;
        long orig_syscall;
        struct user_regs_struct regs;

        if (pid == 0) {
            ptrace(PTRACE_TRACEME, 0, 0, 0);
            execl(argv[1], argv[1], (char *)NULL);
        } else {
            wait(&status);
            while (1) {
                ptrace(PTRACE_SYSCALL, pid, 0, 0);
                wait(&status);
                if (WIFEXITED(status)) break;
                ptrace(PTRACE_GETREGS, pid, 0, &regs);
                orig_syscall = regs.orig_eax;
                in_syscall = !in_syscall;           /* stops alternate: entry, exit, entry, ... */
                if (orig_syscall == SYS_getuid32 && !in_syscall) {
                    regs.eax = 0;                   /* at exit eax holds the return value: report uid 0 */
                    ptrace(PTRACE_SETREGS, pid, 0, &regs);
                }
            }
            ptrace(PTRACE_DETACH, pid, NULL, NULL);
        }
        return 0;
    }
OUTPUT:
    # ./tracer2 /home/rit/articles/target2
    user id: 0
    % id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
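The two tracers show that a process which is being traced cannot trust what its own system calls return. The counterpart a defender wants is the check from the traced side: the kernel records the tracer in /proc/<pid>/status as the TracerPid field (0 when nobody is attached), and a process can refuse attachment from other processes of the same uid with prctl(PR_SET_DUMPABLE, 0); system-wide, Yama's /proc/sys/kernel/yama/ptrace_scope restricts who may attach at all. The following is an added example, not code from the slides: a parser for the TracerPid line, a wrapper that reads it for the current process, and the prctl hardening call. The status text in the comments and tests is constructed.

```c
/* Added example (not from the slides): how a program can notice that a tracer
 * of the kind shown above is attached, and how a long-running service can
 * refuse attachment from same-uid peers.  Uses two standard Linux interfaces:
 * the TracerPid field of /proc/<pid>/status and prctl(PR_SET_DUMPABLE). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Parse the TracerPid value out of /proc/<pid>/status text.
 * Returns the pid (0 = not traced), or -1 if the field is absent.
 * Constructed sample input: "Name:\tsvc\nTracerPid:\t4242\nUid:\t1000\n" -> 4242 */
long parse_tracer_pid(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "TracerPid:", 10) == 0) {   /* field names start a line */
            p += 10;
            while (*p == ' ' || *p == '\t') p++;
            return strtol(p, NULL, 10);
        }
        p = strchr(p, '\n');                       /* skip to the next line */
        if (p) p++;
    }
    return -1;
}

/* Read /proc/self/status and return the tracer pid (0 when not traced,
 * -1 if the file cannot be read or the field is missing). */
long tracer_pid_of_self(void)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* A non-dumpable process can only be ptraced by a tracer holding
 * CAP_SYS_PTRACE, so same-uid PTRACE_ATTACH is refused.  This does not undo a
 * parent that already traces us through PTRACE_TRACEME, as tracer1/tracer2
 * do; it is hardening for services that start clean.  Returns 0 on success. */
int refuse_ptrace_attach(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    long t = tracer_pid_of_self();
    if (t > 0)       printf("traced by pid %ld: syscall results may have been altered\n", t);
    else if (t == 0) printf("not traced\n");
    else             printf("could not read /proc/self/status\n");
    return refuse_ptrace_attach() == 0 ? 0 : 1;
}
```

Reading TracerPid is a point-in-time check, so a service that cares should repeat it (or simply set itself non-dumpable at startup, before it handles anything sensitive) rather than checking once at launch.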
Linux itself is the best antivirus. Antivirus on Linux is used to detect Windows viruses and prevent them from affecting other systems. E.g., ClamAV.
The power of root must be used with discretion. The number of viruses and their effectiveness is low. LINUX IS SAFE.
- http://librenix.com/linux/
- http://astalavista.com/linux
- http://linuxmafia.com/~rick/faq/
- http://virus.about.com
Linux Virus