peter%ficc@uunet.UU.NET (Peter da Silva) (10/25/89)
This is the "UNIX VIRUS" article I referred to in a previous digest. It
was posted in this form, complete with postscript.
No more than a week later the Internet Worm was loose. I was originally
amused by the irony, but as it became clear that the IW was relatively
uninfective (only infected Sun-3s and VAXen) I felt more secure about my
final paragraph. I still do.
The debate "raging in comp.sys.amiga" at the time was about whether UNIX
was as susceptible to viruses as PCs were. :->
- -----------8<----8<--------------------------------------------------`-_-'--
The Usenet virus: a case history.
A cautionary tale.
The Usenet virus was detected when a user discovered that
a program he had received from the net seemed to have two
versions of malloc included with the source. One version of
malloc might be odd, but people have never tired of reinventing
the wheel. Two versions were suspicious, particularly since they
lead to a name conflict when the program was linked.
The first, lmalloc.c, seemed to be identical to the
malloc listed in Kernighan and Ritchie. The second, bmalloc.c,
was rather strange, so we concentrated our efforts on it... this
time was later found to have been wasted.
After a little work during spare moments over the course
of a week we decided it was actually a clumsy version of the
buddy system (a fast but space-inefficient method of memory
allocation). It might make a good example of how not to write
readable code in some textbook, but it wasn't anything to get
worried about.
Back to the first. It made use of a routine named
speedhack() that was called before sbrk() the first time the
malloc() was called. There was a file speedhack.c, but it didn't
contain any code at all, just a comment saying that it would be
implemented in a future version. After some further digging,
speedhack was found at the end of main.c. The name was disguised
by some clever #defines, so it never showed up in tags and
couldn't be found just by grepping the source.
This program turned out to be a slow virus. When it was
run, it looked for a file 'lmalloc.c'. If it found it, or it
didn't find Makefile, it returned. From then on malloc ran
normally.
If it didn't find it, it reconstructed it using a series
of other routines with innocuous names tagged on to the end of
other files. This was apparently an attempt to avoid overly
increasing the size of any one of the files in the directory.
Then it went into Makefile or makefile (it looked for
both) and added lmalloc.o onto the end of the first list of '.o'
files it found. It then reconstructed each of the extra routines,
and speedhack itself, using techniques familiar to any reader of
the obfuscated 'C' contest. These were tagged onto the ends of
the '.c' files that corresponded to the '.o' files in this same
list. The program was now primed to reconstruct the virus.
On inspection, we discovered that about 40% of the
sources on our system were infected by the speedhack virus, We
also found it in one set of shell archives that we'd received
but never unpacked or used, which we took as evidence that it had
spread to a number of other systems.
We have no idea how our system was infected. Given the
frequency with which we make modifications and updates, it's
likely that the original speedhacked code is no longer on the
system. We urge you to inspect your programs for this virus in
an attempt to track it to its source. It almost slipped by
us... if the author had actually put a dummy speedhack in
speedhack.c we would have merely taken lmalloc.o out of the
Makefile and defused *this* copy of the virus without being any
the wiser.
There are other failings in this program that we have
thought of. We have decided not to describe them to avoid giving
the author of this program ideas we might regret. Some ways that
programs like this can be defeated include 'crc' checks of source
files and, of course, careful examination of sources received
from insecure sites.
- -----
Now I have to make a confession. This whole document is a hoax intended
to dramatize the problems involved with viruses and Usenet. I suspect that
most of you were clued to this by the Keywords line. While playing with the
idea and writing this article several things occurred to me:
First of all, this virus is a much more complex program than any of the
viruses that have been spotted on personal computers. I think it has to be,
based on the design goals that a REAL UNIX virus must satisfy. I have not
attempted to actually implement it because of this.
It must be small, to avoid detection. It must not cause files to
grow without bound.
It must infect foreign files, otherwise it's not a virus... just a
Trojan Horse (like the bogus ARC and FLAG programs on the PC). Trojan horses
are a dime-a-dozen.
It must infect source files, since this is the primary software
distribution channel for UNIX. A virus stuck on one machine is a boring
one.
It must not break the infected program (other than what it might
care to do deliberately).
It must not be obvious from a simple examination of the source (like,
changing main to Main and having a virus-main call Main).
I believe that given these goals (which are, of course, subject to
debate) a simpler program would be unsuccessful in infesting more than a
small fraction of the machines that (say) comp.sources.misc reaches.
There are systems immune to this particular attack, of course. Ones not
running UNIX, so sbrk() doesn't work. Or ones with radically different
versions of malloc(). Ones with no 'c' compiler. They are in the minority,
though.
On the other hand a virus of this type could infest a large proportion
of the net before it was found. The virus I described does not cause any
direct damage, except for using up a relatively small amount of disk
space. A more vicious virus is possible.
Other variations of this virus are obviously possible. For example, it
could be tagged onto any standard 'C' library routine... I chose malloc
merely because source was available and because it's something that people
complain about, so they wouldn't be likely to find an extra copy suspicious.
Another good routine would be perror(), for the same reason. This would have
the additional benefit of making the spread of the infection dependent on
an additional random factor, making it harder to detect the virus.
Do I think something like this is likely? No. Especially not now that
I've written this little piece of science fiction. I'm sure that
eventually someone will try something unlike this, I suspect that their
virus would get caught much sooner than 'speedhack', because I think
that more people look at the source than conventional wisdom would lead
you to believe. But, again, this is just my personal opinion. Debate is
welcomed... that's why I did this in the first place: to inject some
sense into the debate currently raging in comp.sys.amiga.
- ---
Peter da Silva, *NIX support guy @ Ferranti International Controls Corporation.
Biz: peter@ficc.uu.net, +1 713 274 5180. Fun: peter@sugar.hackercorp.com. `-_-'
"That particular mistake will not be repeated. There are plenty of 'U`
mistakes left that have not yet been used." -- Andy Tanenbaum (ast@cs.vu.nl)