[comp.sys.amiga] Internet UNIX virus

papa@pollux.usc.edu (Marco Papa) (11/04/88)

This is dedicated to all the guys that claimed that "UNIX is much more
secure than the Amiga" with regard to viruses.

-- Marco Papa 'Doc'


------------------------------


Date: Thu, 3 Nov 88 05:33:04 PST
From: phil@okeeffe.Berkeley.EDU (Phil Lapsley)
Subject: Fixes for the virus
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD

Description:
	There's a virus running around; the salient facts.  A bug in
	sendmail has been used to introduce a virus into a lot of
	Internet UNIX systems.  It has not been observed to damage the
	host system, however, it's incredibly virulent, attempting to
	introduce itself to every system it can find.  It appears to
	use rsh, broken passwords, and sendmail to introduce itself
	into the target systems.  It affects only VAXen and Suns, as
	far as we know.  

	There are three changes that we believe will immunize your
	system.  They are attached.

	Thanks to the Experimental Computing Facility, Center for
	Disease Control for their assistance.  (It's pretty late,
	and they certainly deserved some thanks, somewhere!)

Fix:
	First, either recompile or patch sendmail to disallow the `debug'
	option.  If you have source, recompile sendmail after first
	applying the following patch to the module srvrsmtp.c:

		*** /tmp/d22039	Thu Nov  3 02:26:20 1988
		--- srvrsmtp.c	Thu Nov  3 01:21:04 1988
		***************
		*** 85,92 ****
		  	"onex",		CMDONEX,
		  # ifdef DEBUG
		  	"showq",	CMDDBGQSHOW,
		- 	"debug",	CMDDBGDEBUG,
		  # endif DEBUG
		  # ifdef WIZ
		  	"kill",		CMDDBGKILL,
		  # endif WIZ
		--- 85,94 ----
		  	"onex",		CMDONEX,
		  # ifdef DEBUG
		  	"showq",	CMDDBGQSHOW,
		  # endif DEBUG
		+ # ifdef notdef
		+ 	"debug",	CMDDBGDEBUG,
		+ # endif notdef
		  # ifdef WIZ
		  	"kill",		CMDDBGKILL,
		  # endif WIZ
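Review bot: the `# ifdef notdef` wrapper in the second half of the hunk only drops the `"debug"` entry from the SMTP command table; the `CMDDBGDEBUG` handler that entry dispatched to lies outside this hunk, so confirm that the handler is now unreachable, or remove it in the same change, rather than leaving privileged dead code behind the table. Note too that `"showq"` stays enabled under `# ifdef DEBUG`, so a binary built with DEBUG defined still answers that command; building without DEBUG defined, which is what "disallow the debug option" in the Fix text amounts to, is the cleaner fix, with this table change as an extra guard.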

	Then, reinstall sendmail, refreeze the configuration file,
	using the command "/usr/lib/sendmail -bz", kill any running
	sendmail's, using the ps(1) command and the kill(1) command,
	and restart your sendmail.  To find out how sendmail is 
	execed on your system, use grep(1) to find the sendmail start
	line in either the files /etc/rc or /etc/rc.local.

	If you don't have source, apply the following patch to your
	sendmail binary.  SAVE A COPY OF IT FIRST, IN CASE YOU MESS
	UP!  This is mildly tricky -- note, some versions of strings(1),
	which we're going to use to find the offset of the string 
	"debug" in the binary print out the offsets in octal, not
	decimal.  Run the following shell line to decide how your
	version of strings(1) works:

		/bin/echo 'abcd' | /usr/ucb/strings -o 

	Note, make sure the eight control 'G's are preserved in this
	line.  If this command results in something like:

		0000008 abcd

	your strings(1) command prints out locations in decimal, else
	it's octal.

	The patch script for sendmail.  NOTE, YOUR OFFSETS MAY VARY!!
	This script assumes that your strings(1) command prints out
	the offsets in decimal.  

		Script started on Thu Nov  3 02:08:14 1988
		okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug
		0096972 debug
		okeeffe:tmp {3} adb -w /usr/lib/sendmail
		?m 0 0xffffffff 0
		0t10$d
		radix=10 base ten
		96972?s
		96972:		debug
		96972?w 0
		96972:		25701	=	0
		okeeffe:tmp {4} ^D
		script done on Thu Nov  3 02:09:31 1988

	If your strings(1) command prints out the offsets in octal,
	change the line "0t10$d" to "0t8$d".

	After you've fixed sendmail, move both /bin/cc and /bin/ld to
	something else.  (The virus uses the cc and the ld commands
	to rebuild itself to run on your system.)

	Finally, kill any processes on your system that don't belong there.
	Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random
	digits, as the command name on the ps(1) output line.

	One more thing, if you find files in /tmp or /usr/tmp that 
	have names like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or
	"xNNNNNNN,vax.o" where the N's are random digits, you've been
	infected.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
uucp:...!pollux!papa       BIX:papa       ARPAnet:pollux!papa@oberon.usc.edu
 "There's Alpha, Beta, Gamma and Diga!" -- Leo Schwab [quoting Rick Unland]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
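
The two checks a reader of the fix note above would script, as an added shell example that is not part of the original posting or of 4.3BSD sendmail: the strings(1) radix probe with the offset conversion the adb step needs, and a scan of ps(1) output and /tmp listings for the indicators the note lists. It assumes only POSIX sh, awk, sed and grep -E; the ps lines and file names it scans are constructed sample data, and the function names (strings_radix, offset_to_decimal, suspicious_cmd, suspicious_tmpfile, scan_ps, scan_tmp_names) are this example's own. The file-name check accepts any number of digits after the leading x, which is slightly more general than the fixed-width names in the note.

```shell
#!/bin/sh
# Added example (not from the original posting or from 4.3BSD sendmail).
# Helpers for two steps of the Lapsley fix note:
#   1. work out which radix `strings -o` prints offsets in, and convert a
#      printed offset to decimal so the adb patch address is right;
#   2. scan ps(1) output and /tmp listings for the indicators the note lists.
# Everything below runs on constructed sample data; on a real host you would
# feed the functions the output of `strings -o -a`, `ps ax` and `ls /tmp /usr/tmp`.

# The note's probe pipes eight BEL bytes and "abcd" into strings -o, so "abcd"
# sits at byte offset 8: a decimal strings prints 8, an octal one prints 10.
# Argument: the single line strings -o printed for that probe.
# Prints the radix (10 or 8) on stdout.
strings_radix() {
    n=$(printf '%s\n' "$1" | sed -n 's/^ *0*\([0-9][0-9]*\) *abcd$/\1/p')
    case "$n" in
        8)  echo 10 ;;
        10) echo 8 ;;
        *)  echo "unrecognised probe output: $1" >&2; return 1 ;;
    esac
}

# Arguments: an offset exactly as strings -o printed it, and the radix from
# strings_radix. Prints the offset in decimal, the form adb wants after 0t10$d.
offset_to_decimal() {
    if [ "$2" -eq 8 ]; then
        printf '%d\n' "0$1"          # a leading 0 makes printf read it as octal
    else
        d=$(printf '%s\n' "$1" | sed 's/^0*//')
        printf '%d\n' "${d:-0}"      # strip leading zeros so it is NOT read as octal
    fi
}

# True when a ps command-name field looks like the worm's: literally "(sh)"
# or an "x" followed by digits only.
suspicious_cmd() {
    case "$1" in
        "(sh)")  return 0 ;;
        x[0-9]*) printf '%s\n' "$1" | grep -Eq '^x[0-9]+$' ;;
        *)       return 1 ;;
    esac
}

# True when a file name (no directory part) matches the dropped source or
# object-file names the note gives; any digit count is accepted after the x.
suspicious_tmpfile() {
    printf '%s\n' "$1" | grep -Eq '^x[0-9]+,(l1\.c|sun3\.o|vax\.o)$'
}

# Reads ps output on stdin (PID in the first column, command in the last) and
# prints the PIDs whose command name is suspicious. The header line is
# harmless: "COMMAND" never matches.
scan_ps() {
    awk '{ print $1, $NF }' | while read -r pid cmd; do
        if suspicious_cmd "$cmd"; then printf '%s\n' "$pid"; fi
    done
}

# Reads one path per line on stdin and prints those whose basename is suspicious.
scan_tmp_names() {
    while read -r name; do
        if suspicious_tmpfile "${name##*/}"; then printf '%s\n' "$name"; fi
    done
}

# Constructed sample input (not captured from a real system).
SAMPLE_PS='  PID TT STAT  TIME COMMAND
  112 ?  S     0:01 /usr/lib/sendmail -bd -q1h
 4417 ?  R     3:12 (sh)
 4432 ?  R     1:05 x1234567
 4500 p0 S     0:00 -csh'
SAMPLE_TMP='/tmp/x1234567,l1.c
/tmp/x1234567,vax.o
/tmp/ps.aux.out
/usr/tmp/x765432,sun3.o
/usr/tmp/x765432,sun3.o.bak'

echo "strings -o radix for probe '0000008 abcd': $(strings_radix '0000008 abcd')"
echo "offset 0096972 in decimal: $(offset_to_decimal 0096972 10)"
echo "suspicious PIDs:"
printf '%s\n' "$SAMPLE_PS" | scan_ps
echo "suspicious temp files:"
printf '%s\n' "$SAMPLE_TMP" | scan_tmp_names
```

On a live host the last four lines become `ps ax | scan_ps` and `ls /tmp /usr/tmp | scan_tmp_names`; the radix step matters because feeding an octal offset to adb after `0t10$d` would write the zero word somewhere other than the "debug" string.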

dillon@POSTGRES.BERKELEY.EDU (Matt Dillon) (11/05/88)

>This is dedicated to all the guys that claimed that "UNIX is much more
>secure than the Amiga" with regard to viruses.
>
>-- Marco Papa 'Doc'

	Uh huh, I was on when it happened.  I am happy to say that DNET
still worked even with a load of 35.  An annoying worm to say the least.

					-Matt

gandalf@csli.STANFORD.EDU (Juergen Wagner) (11/05/88)

In article <13232@oberon.USC.EDU> papa@pollux.usc.edu (Marco Papa) writes:
>This is dedicated to all the guys that claimed that "UNIX is much more
>secure than the Amiga" with regard to viruses.
...[copy of a posting to comp.bugs.4bsd.ucb-fixes deleted]..

\begin{flame}

Nonsense! UNIX is an operating system far more complex than Amiga DOS or 
whatever it is called. UNIX can be networked, and in such systems, it is
much more likely to have these problems. That's not a UNIX problem (on
those old CDC6600 machines, passwords could be obtained as readable text
with some tricks).

You are comparing apples and pears. Oh, and I should mention that Amiga
DOS (or whatever) is much more vulnerable to Virus attacks because
	o  it doesn't have protection mechanisms as UNIX has (single-user
	   machine),
	o  it grants everybody working on the machine full access to the
	   entire system.
Therefore, a virus introduced via infected disks can be much more harmful than
under UNIX where you still have the problem of gaining root access in order
to be able to do really nasty things (other than using up resources as e.g.
CPU, memory, disk space).

\end{flame}

-- 
Juergen "Gandalf" Wagner,		   gandalf@csli.stanford.edu
Center for the Study of Language and Information (CSLI), Stanford CA

papa@pollux.usc.edu (Marco Papa) (11/05/88)

In article <6279@csli.STANFORD.EDU> gandalf@csli.stanford.edu (Juergen Wagner) writes:
|In article <13232@oberon.USC.EDU| papa@pollux.usc.edu (Marco Papa) writes:
||This is dedicated to all the guys that claimed that "UNIX is much more
||secure than the Amiga" with regard to viruses.
|...[copy of a posting to comp.bugs.4bsd.ucb-fixes deleted]..
|
|Nonsense! UNIX is an operating system far more complex than Amiga DOS or 
|whatever it is called. UNIX can be networked, and in such systems, it is
                        ^^^^
|much more likely to have these problems.
 ^^^^^^^^^

|You are comparing apples and pears. Oh, and I should mention that Amiga
                                                                   ^^^^^
|DOS (or whatever) is much more vulnerable to Virus attacks because
                      ^^^^^^^^^
[extra junk deleted]

You just contradicted yourself, dude.  And by the way, do you have any idea
on how long it took to infect almost ALL Suns and VAXens networked to the
Internet around the world? It was just a matter of hours. And how many 
man-hours were lost to manually substitute each version of sendmail on
all UNIX hosts?  

-- Marco Papa 'Doc'
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
uucp:...!pollux!papa       BIX:papa       ARPAnet:pollux!papa@oberon.usc.edu
 "There's Alpha, Beta, Gamma and Diga!" -- Leo Schwab [quoting Rick Unland]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

peter@sugar.uu.net (Peter da Silva) (11/05/88)

In article <13232@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
> This is dedicated to all the guys that claimed that "UNIX is much more
> secure than the Amiga" with regard to viruses.

> -- Marco Papa 'Doc'

You claiming responsibility, Marco? (not serious here, folks)

I was one of those folks. I still make that claim. I'm not a Pollyanna: I
recently posted an article that described a much more virulent virus than
this one. But I don't think this one can be laid at UNIX' door.

First of all, the channel of infection is a gaping hole in sendmail that
isn't typical of UNIX mail systems. I didn't know about it, but I'm not
surprised. Many academic users leave daemons on their mailboxes that can
be used the same way... and I'm sure will. If you care to secure your system
this hole won't happen.

Secondly, the channel that was used to transmit the virus was a deliberate
reduction in UNIX security, that basically turned a network into a single
machine as far as the virus was concerned. You pointed this out, and I
acknowledged that it was a problem if you let people with non-trusted machines
have shell access to yours. So don't do it.

Finally, the virus was way more complex than any PC or Amiga virus needs to be.
The typical PC or Amiga virus is a couple of hundred bytes long... and it's
got complete access to the whole system... on any PC. This virus had a couple
of hundred lines of prelude code, and was only able to infect a small fraction
of the machines available to them... and a simple reboot would clear it out.

Oh, sure, it could be made more infective... more sophisticated... more
complex. And that's the point.

I'm not saying, and I've never said, that UNIX is uninfectable. Just that it's
a LOT harder to build a successful virus... that wouldn't be as successful as a
simpler virus on an unprotected single-use system. This one is everything
I've claimed a UNIX virus would be: highly complex, relatively limited in
scope, easily killed and guarded against.

I expect there will be more. I don't expect anything as virulent as the Byte
Bandit or Brain virus.
-- 
		Peter da Silva  `-_-'  peter@sugar.uu.net
		 Have you hugged  U  your wolf today?

	Disclaimer: I accept full responsibility for my own typos.

dan-hankins@cup.portal.com (Daniel B Hankins) (11/06/88)

Even though I disagree with Peter on the general issue of Unix infectability,
I'm going to have to back him up on this one specific instance.  After all,
this was a worm and not a virus.  Second, he's absolutely correct about it
taking advantage of a gaping hole in sendmail.  This makes it an EEV (Error
Exploiting Virus) as opposed to FEV (Feature Exploiting Virus).  I believe
these two terms are attributable to Kenneth R. Van Wyck.


Dan Hankins

phil@titan.rice.edu (William LeFebvre) (11/10/88)

In article <13251@oberon.USC.EDU> papa@pollux.usc.edu (Marco Papa) writes:
[extra junk deleted]
>
>And by the way, do you have any idea
>on how long it took to infect almost ALL Suns and VAXens networked to the
>Internet around the world? It was just a matter of hours.

So what?  If there was a comparable network of Amigas, would an infection
have spread any slower?  Except for differences in disk and CPU speed, I
think not.

			William LeFebvre
			Department of Computer Science
			Rice University
			<phil@Rice.edu>

phil@titan.rice.edu (William LeFebvre) (11/10/88)

In article <10984@cup.portal.com> dan-hankins@cup.portal.com (Daniel B Hankins) writes:
>Second, [Peter]'s absolutely correct about it
>taking advantage of a gaping hole in sendmail.  This makes it an EEV (Error
>Exploiting Virus) as opposed to FEV (Feature Exploiting Virus).

Quite correct.  That particular worm will not be successful at penetrating
any host that has applied the appropriate bug fix.  Is there any "fix" of
any kind that can prevent the SCA virus from penetrating an Amiga?  No,
because there is no bug to fix.  All you can do is run a program like
VirusX, treat all new (formatted) disks with suspicion, and pray (well,
the third step is optional).

Most Unix breakins are achieved by exploiting security holes (and there
are many of them) or by guessing someone's password.  Why?  Because that's
the easiest way to get in.  HOWEVER:  there is a way of infecting a Unix
machine with a real virus (not a worm).  And it doesn't exploit any bugs.
And it's not Ritchie's trojan horse, either.  But I won't tell you what it
is.  The good thing is that it would be very hard to get it started
because almost all free software distributed in the Unix world is done so
in source form.

			William LeFebvre
			Department of Computer Science
			Rice University
			<phil@Rice.edu>

wtm@neoucom.UUCP (Bill Mayhew) (11/10/88)

It would have been very easy for the Unix worm to have done
something akin to "rm /" once it had implanted itself.  The kernel
per se was not at fault; it was a loophole in sendmail that allowed
the worm to exploit the system.  It just proves that software that
runs with daemon privilege must be carefully checked.  It doesn't
matter how secure the house is, if you give the keys to somebody
not to be trusted.

With the Amiga, you don't get partitioning of daemon or root level
access nor do you have an mmu, so the job of getting a virus in is
somewhat easier.

I hope the Unix community was somewhat humbled.  It was a good
lesson that if you network your machine, no matter how smart you
think you are, there is always someone smarter.  Best to always be
looking over your shoulder in a software sense.  With our amigas,
networking comes in the form of introducing foreign floppies.

--Bill

devin@topologix.topologix.com (Devin Hooker) (11/11/88)

In article <2954@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
<In article <13232@oberon.USC.EDU>, papa@pollux.usc.edu (Marco Papa) writes:
<> This is dedicated to all the guys that claimed that "UNIX is much more
<> secure than the Amiga" with regard to viruses.
<> -- Marco Papa 'Doc'
<First of all, the channel of infection is a gaping hole in sendmail that
<isn't typical of UNIX mail systems. I didn't know about it, but I'm not
...
<Secondly, the channel that was used to transmit the virus was a deliberate
<reduction in UNIX security, that basically turned a network into a single
<machine as far as the virus was concerned. You pointed this out, and I
<acknowledged that it was a problem if you let people with non-trusted machines
<have shell access to yours. So don't do it.
	Just as a clarification - rsh and sendmail were NOT the only spread
channels.  There is an interesting bug in fingerd that this particular virus
used also (a particularly elegant, if complex virus, I must say...)

	P.S. I'm not taking sides, just clarifying info.
<		Peter da Silva  `-_-'  peter@sugar.uu.net
<		 Have you hugged  U  your wolf today?
<
<	Disclaimer: I accept full responsibility for my own typos.

		-Devin
-- 
Devin Hooker
Software Engineer
4860 Ward Rd.
Denver, Co.  80033    (303) 421-7700

devin@topologix.topologix.com (Devin Hooker) (11/11/88)

In article <10984@cup.portal.com> dan-hankins@cup.portal.com (Daniel B Hankins) writes:
[RE: the Unix virus]
<After all, this was a worm and not a virus.
<
<Dan Hankins
	Please clarify for me the reason and the difference.  Thanks.

			-Devin
-- 
Devin Hooker
Software Engineer
4860 Ward Rd.
Denver, Co.  80033    (303) 421-7700

dan-hankins@cup.portal.com (Daniel B Hankins) (11/12/88)

In article <211@topologix.topologix.com> devin@topologix (Devin Hooker)
writes:

>In article <10984@cup.portal.com> dan-hankins@cup.portal.com (Daniel B Hankins) writes:
>[RE: the Unix virus]
><After all, this was a worm and not a virus.
><
><Dan Hankins
>	Please clarify for me the reason and the difference.  Thanks.
>
>			-Devin

     A virus is a piece of code that attaches itself to existing legitimate
programs in order to propagate.  It may or may not be malicious.

     A worm is a program that replicates itself, usually through a network.
Sometimes known as a bacterium.  Does not attach itself to other programs.


Dan Hankins