jbotz@MHC.bitnet (12/16/90)
srodawa@vela.acs.oakland.edu (Ron Srodawa) writes:
> S72UZAW@TOE.TOWSON.EDU (Jan C. Zawadzki) writes:
> >Greetings...
> > For the last couple of weeks I saw a number of inquiries about UNIX
> >oriented anti-virus utilities. A couple of comments:
>
> I think the author misses the drift of those requests. I think they
> were asking for software which runs in Unix and checks MSDOS
> diskettes. Cross products such as these are quite common for other

Both types of requests, requests for Unix utilities which search MS-DOS files for viruses, and requests for utilities/information related to Unix viruses, appeared in recent issues of this list.

In an older digest (VIRUS-L Digest [Volume 3 Issue 192]) Jim Wright <jwright@cfht.cfht.hawaii.edu> writes:

> Subject: unix anti-viral sites
>
> # Anti-viral and security archive sites for Unix
> # Listing last changed 05 June 1990
>
> cs.hw.ac.uk
>   Dave Ferbrache <davidf@cs.hw.ac.uk>
>   NIFTP from JANET sites, login as "guest".
>   Electronic mail to <info-server@cs.hw.ac.uk>.
>   Main access is through mail server.
>   The master index for the virus archives can be retrieved as
>     request: virus
>     topic: index
>   For further details send a message with the text
>     help
>   The administrative address is <infoadm@cs.hw.ac.uk>
>
> funic.funet.fi
>   Jyrki Kuoppala <jkp@cs.hut.fi>
>   Accessible through anonymous ftp, IP number 128.214.6.100.
>   Directory pub/unix/security contains programs to help in
>   security, pub/doc/security contains various documents about
>   security in general and unix security (like the worm
>   documents)
>
> wuarchive.wustl.edu
>   Chris Myers <chris@wugate.wustl.edu>
>   Accessible through anonymous ftp, IP number 128.252.135.4.
>   A number of directories can be found in ~ftp/usenet/comp.virus/*.

Hope this re-posting is helpful.

___________________________
Jurgen Botz, Academic Software Consultant
Academic Computing                 internet: JBotz@MHC.bitnet
Mount Holyoke College              Compuserve: 70531,600
South Hadley, MA 01075             Voice: 413-538-2375
ROBERTS@decwrl.dec.com (George Roberts - page 0571) (12/18/90)
WHY DO SOME PEOPLE STILL ASSUME YOU NEED PRIVILEGES TO SPREAD VIRUSES?

"Jan C. Zawadzki" <S72UZAW@TOWSONVX.BITNET> writes:
>To write a UNIX virus you need a very high level of skill at picking
>the internals of UNIX, and that system IS harder to master than DOS.
>Granted, there is a number of ways of gaining the root privs.

One doesn't need root privs. One doesn't need to know the internals of UNIX. I doubt a virus that works on a particular UNIX cpu would be much more or less complicated than one that works on a pc. There are some very sophisticated viruses on pc's and I admit that there could be even more sophisticated viruses in UNIX that would be very complicated, but a very simple "UNIX" virus (using no holes) would not be difficult to write. Simple viruses on pc's have spread uncontrollably.

>No one but root can mess with my files or directories, and I should
>not be able to mess with anyone else's file space.

Not true. You can mess with your files. Similarly, on a PC.

>If you keep people from writing to */bin directories,
>they will not be able to mess with publicly used utilities.

True, but:

1) Viruses don't need to be in publicly used utilities (the */bin directories) to spread.

2) Someone needs access to these directories, or your software will never change. When this person (with root priv) executes a program with a (simple) virus in it, those public utilities will get infected anyway.

Viruses spread when people share software. On pc's this can be done through removable disks. On time-share systems, it is easier. You can simply assign execute access on a file to a friend and let him/her know about the program. There are many other ways to share software on both types of systems, but it is generally easier on time-share systems.

- George Roberts ..decwrl.dec.com!teda!ratvax.dnet!roberts
spaf@cs.purdue.edu (Gene Spafford) (04/11/91)
First of all, Unix viruses are definitely possible, and they aren't all that difficult to write. See the articles in the Spring 1989 issue of "Computing Systems" (Usenix, 2(2)). Tom Duff describes his experience with writing a machine code version, and he and Doug McIlroy discuss shell viruses too. As I remember (my copy of the issue is out on loan right now), McIlroy has some comments on why Unix viruses aren't all that interesting.

If you accept Cohen's formal definition of a virus (roughly stated as "code that makes a (possibly modified) copy of itself in another program") as most of us do, then Ken Thompson wrote perhaps the first Unix virus in his login/cc combination; see "Reflections on Trusting Trust" in the August 84 issue of Communications of the ACM, 27(8).

\footnote{BTW, Cohen did not write the first virus; I see so many people claim this (incorrectly) in their writings. Cohen gets the credit for first describing them in a formal way. However, there is evidence of viruses as we know them appearing 2 years before Fred started his thesis work, and Thompson's work also predates Fred's. Furthermore, Fred did not coin the name "virus" -- his advisor Len Adleman suggested it. Even that is not the first use of the term -- see my ADAPSO book, or the excerpts in Hoffman's or Denning's books.}

So, the answer to the question of, is it possible to write a Unix virus, is a definite "yes." It can easily be done as a shell script, which makes it portable to any form of Unix, or it can be done in machine language, which makes it a little less portable but easier to hide.

The real question here is "How much should we worry about them?" The answer to that is, "Not much." Viruses under Unix are likely to serve only two purposes: enable an attacker to get root, or vandalize a system.

If your system is configured reasonably to audit accesses, and privileged users are careful about booby-trapped files and PATH variables, it is unlikely a virus will give someone root access that they shouldn't have.

Vandalizing a system is more likely. Imagine a virus that would delete all files in your $HOME directory after a certain date! If that spread to a number of executable files, it could be very damaging. Again, if the system is configured reasonably and the superuser is appropriately cautious, then none of the system programs would likely be affected, and thus the damage would be limited. Having good backups means this would be a limited annoyance.

The fear that people have is that a Unix virus could spread to many machines. Unix systems don't normally share removable media and programs in the same manner as PCs, so spreading a virus might be more difficult than on PCs. However, Unix systems in the same administrative domain often get source code installed on all machines from a single point, and files are often shared via networked file systems, so spread is not inconceivable. This would require the virus writer defeating what should be common security practices in order to infect those sources. Prudent administration and regular auditing for integrity changes will prevent this kind of problem.

Widespread infection of Unix machines is very unlikely except in cases where sys admins regularly install binaries or programs from outside sources without examining them. That could cause widespread virus propagation. (Before you say you don't do this, ask if you are running emacs or gcc -- when was the last time you read through all the code for the program and libraries before installing them?) However, in a case like this, it is more likely that the same goals could be accomplished with less effort by just building in some form of logic bomb or Trojan Horse mechanism and be done with it. Again, some prudent administration and regular integrity auditing would spot changes before much damage would occur.

Overall, I'm pretty certain that we have little reason to fear Unix viruses on properly configured systems where the sys admin is a little bit cautious and takes proper precautions. The structure of the system and the normal patterns of use indicate that anyone with a particular agenda that might be satisfied with a virus is more likely to use some other mechanism (worm, logic bomb, cracking) instead.

Warning! Shameless plug follows....:-)

If you want further information on how to protect against viruses, Trojan Horses, and more in the Unix environment, consider getting a copy of "Practical Unix Security" by Simson Garfinkel and me. It's published by O'Reilly & Associates (the Nutshell Handbook & X Windows reference people), and is due out in mid-May. It's about 500 pages, 19 chapters, and 5 appendices of information on Unix security, including programmed threats, network security, and much more. The book will be $29.95, and can be ordered at nuts@ora.com, 1-800-338-6887 (US & Canada) or 01-707-829-0515 (Europe).

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu   phone: (317) 494-7825
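The two precautions Spafford's post keeps coming back to, "regular auditing for integrity changes" and being "careful about booby-trapped files and PATH variables", are both small enough to write down. The script below is an added example for this digest, not code from any of the posters; it assumes a Bourne-compatible sh with sha256sum (GNU) or shasum (BSD), POSIX diff and mktemp, and the function and file names are my own. It records a hash baseline for a directory tree, reports any file that was modified, added or removed on a later scan, and flags the PATH entries that let a planted executable run as whoever types a command: the current directory (as "." or an empty entry) and world-writable directories.

```sh
#!/bin/sh
# Added example, not from the VIRUS-L posts: a minimal integrity audit plus a
# PATH sanity check. Assumed tools: sha256sum or shasum, POSIX diff, mktemp.

# SHA-256 of the given files, one "HASH  PATH" line each, using whichever
# tool the system has.
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# integrity_baseline DIR BASELINE_FILE
# Hash every regular file under DIR, sorted by path so the baseline is stable
# and a later scan can be compared against it with plain diff.
integrity_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        hash_files "$f"
    done > "$2"
}

# integrity_verify DIR BASELINE_FILE
# Rescan DIR and print one line per difference from the baseline. Returns 0
# when the tree still matches, 1 when something was modified, added or
# removed (a modified file appears as one BASELINE ONLY and one CURRENT ONLY
# line, since its hash changed).
integrity_verify() {
    cur=$(mktemp) || return 2
    integrity_baseline "$1" "$cur"
    changes=$(diff "$2" "$cur" || true)
    rm -f "$cur"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes" | while IFS= read -r line; do
        # diff marks baseline-only lines with "< " and current-only with "> ";
        # ${line#??} strips those two characters.
        case $line in
            '<'*) echo "BASELINE ONLY (removed or modified): ${line#??}" ;;
            '>'*) echo "CURRENT ONLY  (added or modified):   ${line#??}" ;;
        esac
    done
    return 1
}

# check_path [PATHSTRING]
# Walk the colon-separated PATH (default: the caller's $PATH) and flag
# entries that let a booby-trapped file run: "." or an empty entry (both mean
# the current directory) and any directory that is world-writable.
# Returns 1 if anything was flagged, 0 otherwise.
check_path() {
    rest="${1:-$PATH}:"
    bad=0
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        case $d in
            ''|.)
                echo "PATH: current-directory entry '$d'"
                bad=1 ;;
            *)
                # The 9th character of 'ls -ld' output is the "others write" bit.
                case $(ls -ld "$d" 2>/dev/null || true) in
                    ????????w*)
                        echo "PATH: world-writable directory '$d'"
                        bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}
```

Typical use is `integrity_baseline /usr/local/bin /var/audit/bin.sha256` once after a clean install, then `integrity_verify /usr/local/bin /var/audit/bin.sha256` from cron. The baseline file only means something if the code you are auditing cannot rewrite it, so keep it on read-only media or another host; a virus running as root on the audited machine would simply re-hash its own changes otherwise. The PATH check is deliberately narrow: it does not look at whether the files inside a directory are writable by others, which is a second check worth adding for shared trees.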
padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/11/91)
>From: spaf@cs.purdue.edu (Gene Spafford)
>
>First of all, Unix viruses are definitely possible, and they aren't
>all that difficult to write.

Entirely true, though it is more difficult to get one to spread in a properly implemented (managerial problem NOT technical) unix environment than in DOS. Given access, unix will take care of the structure of a file header, etc. provided the unix virus uses properly implemented high level calls. The low level stuff (under the OS) found in many DOS viruses is rather difficult to implement. The unix access controls are adequate against this type of attack (viruses are possible but worms or spoofs are easier).

Essence of next comment also From: ethan@thinc.COM (Ethan.Lish@THINC.COM)

>So, the answer to the question of, is it possible to write a Unix
>virus, is a definite "yes." It can easily be done as a shell script,
>which makes it portable to any form of Unix...

This is a possibility but the infection process would have to be a bit convoluted - a spoof would be simpler. You would have to invoke a "cut and paste" operation to infect other scripts and write or root access would be required. The main difficulty would be that script files are readable, kind of like patching AUTOEXEC.BAT in DOS & easy to detect (if anyone looks). Would also be limited to legal commands (annoying but not likely to be permanently destructive).

In the VAX world, use of version numbers in file calls (does anyone else ?) would make such script spoofs more difficult.

Key here is that "good" multi-user systems (e.g. unix) already have good defense mechanisms built in but rarely used.

Warmly, Padgett
mrs@netcom.com (Morgan Schweers) (04/17/91)
Some time ago padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) happily mumbled:
>In the VAX world, use of version numbers in file calls (does anyone
>else ?) would make such script spoofs more difficult.
>
>Key here is that "good" multi-user systems (e.g. unix) already have
>good defense mechanisms built in but rarely used.

Greetings,

Beg to differ, but...

[Wherein I deleted a description of a very successful VMS worm, based on version numbers]

<Sigh> There really *ARE* some things a person shouldn't post. Suffice it to say that a person I knew used the version number facility of VMS to make 'script spoofs' easy. (As well as using MBX's as a 'trapdoor' facility which trapped the System manager even. Scary. Took less than a few days.)

The 'version numbering' of VMS makes it susceptible to worms and such. DCL worms, also, have been around a while. All these things require that people run things out of other's accounts. However, in an educational environment this can be considered to hold true. In many other environments as well.

The problem here is that *WORMS* are easy on almost any system, but Viruses seem to be only 'easy' on PC's. (I consider a worm a program of which there is an entirely *SEPARATE* program, and a virus a program which incorporates itself into the main program.)

If you are running a Un*x system, work on the intricacies of protections. Proper passwording, proper protection, make sure your users are 'security aware'. Run COPS on your system occasionally. For the most part, you won't need to worry about worms or viruses. As Padgett says, you've got great protections available. Now *USE* them!

Of course if you *DO* run into one, comp.virus/VIRUS-L would probably be very interested in it.

--
Morgan Schweers
+---- I'm out of my company's field here, so they probably don't care what I'm saying now. -- mrs@netcom.com ----+