Linux Virus
Transcript of Linux Virus
Akhil K
• Viruses are programs that can copy themselves and infect a computer.
• Viruses are becoming more prominent.
• Windows is prone to attack.
• Is Linux safe enough?
• Are there viruses for Linux?
• What are viruses
• Linux virus – possibilities
• Why is Linux safe
• Examples
• How a Linux virus works
• Antivirus
• Conclusion
• References
• Viruses must copy and replicate themselves.
• A virus must be able to execute itself on the host system and write to the system's memory and files.
• To infect the system as a whole it needs administrative (root) permissions; with only user permissions it reaches no further than that user's own files.
• Viruses bind themselves to executables.
• Non-resident viruses: search for other hosts, infect them, and finally transfer control to the application program they infected.
• Resident viruses: load themselves into memory, stay active in the background and infect new hosts when those files are accessed.
• There are viruses meant for Linux, as for any other operating system.
• NUMBERS (approximate counts of known viruses, as cited in the presentation):
    60,000 => WINDOWS (many are dangerous)
    40 => MAC
    40 => LINUX (none are dangerous)
    5 => UNIX
• PERMISSIONS
• SECURE SOFTWARE DISTRIBUTION CHAINS
• DIVERSITY OF LINUX DISTRIBUTIONS
• POWERFUL AWARENESS MECHANISM
• OTHER INBUILT FEATURES
• Strict and enforced by the kernel on every file access.
• Basic permissions: Read, Write, Execute for the owning User, the Group, and Others.
• A "hostile" executable that a non-root user receives and runs cannot "infect" the system as a whole: it can only write where that user can write.
• Only root has full access to the system.
• Users can damage only their own files.
• Deleting the infected user account removes the infection with it.
• Viruses aren't difficult to write on Linux, but they go nowhere other than the user's files.
• TECHNIQUE: insert "virus" code into a software package that must run with root privileges.
• When root installs the software, the virus infects the system.
• COUNTER: OPEN SOURCE and signed distribution packages.
• Modifications to the source would be found by the large number of programmers working on it, and removed.
• Distributions sign the packages they ship, so a tampered package fails signature verification before it is installed.
• Damage would be quickly repaired.
• Linux supports a variety of CPU architectures.
• Software builds and configurations are hugely diverse.
• The higher the diversity, the harder it is to write a virus that runs everywhere.
• A powerful awareness mechanism educates sysadmins.
• Many Linux communities are in place.
• Distributions stress limited use of root.
• Newly downloaded files from the Internet are not given execute permission; the execute bit has to be set explicitly (chmod +x).
• Linux doesn't depend on file extensions: renaming a file to look like an executable won't make it one.
• Some distributions trade security for ease of use.
• Eg: Lindows ran as root by default.
• Some of the common Linux viruses are:
• Ramen
• Bliss
• Slapper worm
• Linux.Diesel.962
• Internet worm.
• Affects default installations of Red Hat Linux 6.2 and 7.0.
• Propagates from one Linux-based server to another.
• Exploits known vulnerabilities in network services of the default install.
• Replaces the default page of the web server with one that contains the following text: RameN Crew - Hackers looooooooooooove noodles.
• Not target-specific: tries to infect all binaries it has write access to.
• Spreads to all machines reachable with rsh access.
• Tries to patch the Linux kernel source to make it more cooperative.
• Exploits vulnerabilities in xmlrpc.php and AWStats.
• Opens a backdoor on UDP port 7222.
• Sends specially crafted HTTP POST requests to hard-coded URLs.
• Sends GET requests to a range of hard-coded URLs.
• Caveat: this behaviour (XML-RPC/AWStats exploitation, backdoor on UDP 7222) is that of the 2005 Lupper/Plupii worm; the 2002 Slapper worm spread through an OpenSSL flaw in Apache's mod_ssl.
• Relatively harmless, non-memory-resident parasitic virus.
• Searches for Linux executable (ELF) files in system directories and subdirectories, then writes itself into the middle of the file, at the entry point.
• Moves the original bytes to the end of the file and increases the size of the section it overwrote, so the entry point now lands on virus code.
    File before infecting:           File after infecting:
    +---------------+                +---------------+
    |    Header     |                |    Header     |
    +---------------+                +---------------+
    |               |                |               |
    +---------------+<- Entry point  +---------------+<- Entry point
    | Program code  |                |  Virus code   |
    +---------------+                +---------------+
    |               |                |               |
    +---------------+                +---------------+
                                     | Program code  |  (original bytes moved to the end)
                                     +---------------+
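As an added example (not part of the presentation): a C program that maps an ELF64 file and reports where its entry point lands. In a clean binary, e_entry resolves into an executable PT_LOAD segment and into the .text section; an infector that appends or inserts code and redirects e_entry shows up as an entry outside .text. An infection that keeps the entry inside an enlarged .text, as in the layout drawn above, passes this check and can only be caught by comparing the file against a known-good hash. The function name, the result codes and the default path /proc/self/exe are this example's own choices.

```c
/* elf_entry_check.c: where does an ELF64 binary's entry point land? */
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

enum { ENTRY_ERROR = -1, ENTRY_SUSPICIOUS = 0, ENTRY_IN_TEXT = 1 };

/* Maps `path` read-only, validates the ELF64 header and copies the name of the
 * section containing e_entry into secname. Returns ENTRY_IN_TEXT when the entry
 * lies in an executable PT_LOAD segment *and* in ".text", ENTRY_SUSPICIOUS
 * otherwise, ENTRY_ERROR if the file is unreadable or not ELF64. */
int entry_point_section(const char *path, char *secname, size_t len)
{
    int fd, i, in_exec = 0, rc = ENTRY_ERROR;
    struct stat st;
    unsigned char *base;
    size_t size;
    const Elf64_Ehdr *eh;
    const Elf64_Phdr *ph;
    const Elf64_Shdr *sh, *strtab;
    const char *names;
    Elf64_Addr entry;

    secname[0] = '\0';
    if ((fd = open(path, O_RDONLY)) < 0) return ENTRY_ERROR;
    if (fstat(fd, &st) < 0) { close(fd); return ENTRY_ERROR; }
    size = (size_t)st.st_size;
    base = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (base == MAP_FAILED) return ENTRY_ERROR;

    eh = (const Elf64_Ehdr *)base;
    if (size < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64)
        goto out;
    /* every table walked below is bounds-checked against the file size first */
    if (eh->e_phoff > size || (size_t)eh->e_phnum * sizeof *ph > size - eh->e_phoff ||
        eh->e_shoff > size || (size_t)eh->e_shnum * sizeof *sh > size - eh->e_shoff ||
        eh->e_shstrndx >= eh->e_shnum)
        goto out;

    rc = ENTRY_SUSPICIOUS;
    entry = eh->e_entry;

    /* 1. the entry point must fall inside an executable PT_LOAD segment */
    ph = (const Elf64_Phdr *)(base + eh->e_phoff);
    for (i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == PT_LOAD && (ph[i].p_flags & PF_X) &&
            entry >= ph[i].p_vaddr && entry - ph[i].p_vaddr < ph[i].p_memsz)
            in_exec = 1;

    /* 2. find the allocated section covering the entry and read its name */
    sh = (const Elf64_Shdr *)(base + eh->e_shoff);
    strtab = &sh[eh->e_shstrndx];
    if (strtab->sh_offset > size || strtab->sh_size > size - strtab->sh_offset) goto out;
    names = (const char *)(base + strtab->sh_offset);
    for (i = 0; i < eh->e_shnum; i++) {
        if (!(sh[i].sh_flags & SHF_ALLOC) || sh[i].sh_addr == 0) continue;
        if (entry >= sh[i].sh_addr && entry - sh[i].sh_addr < sh[i].sh_size) {
            if (sh[i].sh_name < strtab->sh_size)   /* name stays inside the string table */
                snprintf(secname, len, "%.*s",
                         (int)(strtab->sh_size - sh[i].sh_name), names + sh[i].sh_name);
            break;
        }
    }
    if (in_exec && strcmp(secname, ".text") == 0) rc = ENTRY_IN_TEXT;
out:
    munmap(base, size);
    return rc;
}

int main(int argc, char **argv)
{
    char sec[64];
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";   /* default: inspect ourselves */
    int rc = entry_point_section(path, sec, sizeof sec);
    if (rc == ENTRY_ERROR) { fprintf(stderr, "%s: not a readable ELF64 file\n", path); return 2; }
    printf("%s: entry point in section \"%s\" -> %s\n", path, sec[0] ? sec : "(none)",
           rc == ENTRY_IN_TEXT ? "looks clean" : "SUSPICIOUS");
    return rc == ENTRY_IN_TEXT ? 0 : 1;
}
```

Run it over a directory of binaries (for f in /usr/bin/*; do ./elf_entry_check "$f"; done) and look at the SUSPICIOUS lines; statically linked or unusually built programs will appear there too, so treat the result as a triage hint rather than a verdict.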
• PTRACE():
• ptrace() is a system call that enables one process to *control* the execution of another one.
• The traced process stops at each event (a signal, a system call entry or exit), and the tracing process is notified through wait().
• The tracing process then decides what to do: read or modify the tracee's registers and memory, then resume it.
• #include <sys/ptrace.h>
    long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
• 'request' determines the action that has to be performed (e.g. PTRACE_TRACEME, PTRACE_SYSCALL, PTRACE_GETREGS, PTRACE_SETREGS).
• /* target1.c */
    #include <string.h>
    #include <unistd.h>

    int main(void) {
        char str[] = "Hello all\n";
        write(1, str, strlen(str));   /* the original wrote to fd 0, which only works on a tty */
        return 0;
    }
• OUTPUT:
    Hello all
• /* tracer1.c  (32-bit x86 registers: orig_eax/edx; on x86-64 use orig_rax/rdx) */
    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/syscall.h>
    #include <sys/user.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(int argc, char *argv[]) {
        int status;
        struct user_regs_struct regs;
        long orig_syscall;
        pid_t pid = fork();

        if (pid == 0) {
            ptrace(PTRACE_TRACEME, 0, 0, 0);          /* let the parent trace us */
            execl(argv[1], argv[1], (char *)NULL);    /* tracee stops at exec */
        } else {
            wait(&status);
            while (1) {
                ptrace(PTRACE_SYSCALL, pid, 0, 0);    /* run to next syscall entry/exit */
                wait(&status);
                if (WIFEXITED(status)) break;         /* the original looped forever here */
                ptrace(PTRACE_GETREGS, pid, 0, &regs);
                orig_syscall = regs.orig_eax;         /* syscall number */
                if (orig_syscall == SYS_write) {
                    regs.edx = 3;                     /* third argument of write(): the count */
                    ptrace(PTRACE_SETREGS, pid, 0, &regs);
                }
            }
        }
        return 0;
    }
• OUTPUT:
    # ./tracer1 /home/rit/target1
    Hel
• regs.edx = 3; is the key: edx holds the third argument of write(), the byte count, so the tracee's 10-byte write becomes a 3-byte one.
• /* target2.c */
    #include <stdio.h>
    #include <unistd.h>

    int main(void) {
        printf("user id: %d\n", getuid());
        fflush(stdout);                               /* flush before the exec replaces us */
        execl("/bin/csh", "csh", (char *)NULL);
        return 0;
    }
• OUTPUT:
    user id: 1000
    % id
    uid=1000(rit) gid=100(users) groups=11(floppy),17(audio),18(video),19(cdrom),100(users)
• /* tracer2.c  (32-bit x86; on x86-64 the syscall is SYS_getuid and the registers are orig_rax/rax) */
    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/syscall.h>
    #include <sys/user.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(int argc, char *argv[]) {
        int status;
        struct user_regs_struct regs;
        pid_t pid = fork();

        if (pid == 0) {
            ptrace(PTRACE_TRACEME, 0, 0, 0);
            execl(argv[1], argv[1], (char *)NULL);
        } else {
            wait(&status);
            while (1) {
                ptrace(PTRACE_SYSCALL, pid, 0, 0);
                wait(&status);
                if (WIFEXITED(status)) break;
                ptrace(PTRACE_GETREGS, pid, 0, &regs);
                if (regs.orig_eax == SYS_getuid32) {
                    /* eax carries the return value at the syscall-exit stop; the
                       original set ebx (the first argument), which getuid() ignores */
                    regs.eax = 0;
                    ptrace(PTRACE_SETREGS, pid, 0, &regs);
                }
            }
        }
        return 0;
    }
• OUTPUT:
    # ./tracer2 /home/rit/articles/target2
    user id: 0
    % id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
• Caveat: id is a separate process forked by csh, and the tracer above only follows the process it started; carrying the faked uid into children needs PTRACE_SETOPTIONS with PTRACE_O_TRACEFORK. The trick only fools getuid() inside the tracee: the kernel still checks the real uid on every file access, so this demonstrates process control, not privilege escalation.
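tracer1.c and tracer2.c above are 32-bit x86 code and need a separate target binary. The following is an added example, not from the presentation, that combines both tricks for x86-64 Linux in one self-contained program: the tracee is a forked child of the tracer with its stdout redirected into a pipe; the tracer shrinks the count of every write() to fd 1 to 3 bytes at the syscall-entry stop and rewrites the return value of getuid() at the syscall-exit stop. The function names, the pipe-based result reporting, the use of PTRACE_O_TRACESYSGOOD to tell syscall stops from signal stops, and the fake_uid parameter are this example's own choices.

```c
/* ptrace_demo.c: shrink the tracee's write() and forge its getuid() (x86-64 Linux) */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(__linux__) || !defined(__x86_64__)
#error "this demo reads x86-64 Linux registers (orig_rax, rax, rdi, rdx)"
#endif

struct demo_result {
    char out[32];    /* what the tracee managed to write to its stdout */
    long uid_seen;   /* what getuid() returned inside the tracee */
};

/* The tracee: greets on fd 1, then reports getuid() on a side-channel fd
 * that the tracer leaves alone. Only raw write() is used, never stdio. */
static void tracee(int uid_fd)
{
    static const char msg[] = "Hello all\n";
    long uid;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
    raise(SIGSTOP);                        /* hand control to the tracer */
    write(1, msg, sizeof msg - 1);         /* tracer clamps the count to 3 */
    uid = (long)getuid();                  /* tracer rewrites the result */
    write(uid_fd, &uid, sizeof uid);       /* fd != 1, so left untouched */
    _exit(0);
}

/* Runs the tracee under ptrace; returns 0 and fills *r, or -1 on failure. */
int run_demo(long fake_uid, struct demo_result *r)
{
    int outp[2], uidp[2], status, in_syscall = 0;
    size_t total = 0;
    ssize_t n;
    pid_t pid;
    struct user_regs_struct regs;

    memset(r, 0, sizeof *r);
    if (pipe(outp) < 0 || pipe(uidp) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        close(outp[0]); close(uidp[0]);
        dup2(outp[1], 1); close(outp[1]);  /* tracee's stdout is our pipe */
        tracee(uidp[1]);
    }
    close(outp[1]); close(uidp[1]);

    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* mark syscall stops with SIGTRAP|0x80 so they cannot be mistaken for signals */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(unsigned long)PTRACE_O_TRACESYSGOOD);

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;   /* resume, no signal */
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                      /* a signal-delivery stop, not a syscall stop */
        in_syscall = !in_syscall;          /* syscall stops alternate: entry, exit, entry, ... */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;

        if (in_syscall && regs.orig_rax == SYS_write && regs.rdi == 1) {
            regs.rdx = 3;                  /* entry stop: shrink write()'s count argument */
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        } else if (!in_syscall && regs.orig_rax == SYS_getuid) {
            regs.rax = (unsigned long long)fake_uid;   /* exit stop: forge the return value */
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }

    while ((n = read(outp[0], r->out + total, sizeof r->out - 1 - total)) > 0) total += n;
    r->out[total] = '\0';
    if (read(uidp[0], &r->uid_seen, sizeof r->uid_seen) != (ssize_t)sizeof r->uid_seen) return -1;
    close(outp[0]); close(uidp[0]);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(0, &r) != 0) { perror("run_demo"); return 1; }
    printf("tracee wrote \"%s\"; tracee saw uid=%ld (real uid %d)\n", r.out, r.uid_seen, getuid());
    return 0;
}
```

Modifying rdx at the entry stop works because the kernel reads the arguments after the stop; modifying rax at the exit stop works because rax is the value the tracee receives as the syscall's return. Writing rax at the entry stop would be overwritten by the real return value, which is why the two rewrites are tied to different stops.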
• Linux itself is the best antivirus.
• Antivirus on Linux is mostly used to detect Windows viruses passing through (mail and file servers).
• It prevents them from affecting other systems.
• Eg: ClamAV
• The power of root must be used sparingly.
• The number of viruses and their effectiveness is low.
• LINUX IS SAFE.
• http://librenix.com/linux/
• http://astalavista.com/linux
• http://linuxmafia.com/~rick/faq/
• http://virus.about.com