Linux Virus

Post on 06-May-2015


description

I prepared it when I started learning Linux at KBFS. It explains why Linux is less prone to viruses and what kinds of viruses affect Linux. (final edit pending)

Transcript of Linux Virus

Akhil K

• Viruses are programs that can copy themselves and infect a computer.

• Viruses are becoming more prominent.
• Windows is prone to attack.
• Is Linux safe enough?
• Are there viruses for Linux?

• What are viruses
• Linux virus – possibilities
• Why is Linux safe
• Examples
• How a Linux virus works
• Antivirus
• Conclusion
• References

• Viruses must copy and replicate.
• A virus must be able to execute itself on the host system and write to the system's memory.
• Needs administrative permissions.
• Binds itself to executables.

• Non-resident viruses: search for other hosts, infect them, and finally transfer control to the application program they infected.
• Resident viruses: load themselves into memory, stay active in the background and infect new hosts when those files are accessed.

• There are viruses written for Linux, as for any other operating system.

• NUMBERS:

    60,000 => WINDOWS (many are dangerous)
    40 => MAC
    40 => LINUX (none are dangerous)
    5 => UNIX

• PERMISSIONS
• SECURE SOFTWARE DISTRIBUTION CHAINS
• DIVERSITY OF LINUX DISTRIBUTIONS
• POWERFUL AWARENESS MECHANISM
• OTHER INBUILT FEATURES

• Strict and impenetrable.
• Basic permissions: Read, Write, Execute for Root, User, and Others.
• A "hostile" executable that a non-root user receives and executes (runs) cannot "infect" the system as a whole.

• Only root has full access to the system.
• Users can damage only their own files.
• The virus dies out when the user is deleted.
• Viruses aren't difficult to write on Linux, but they go nowhere other than the user's files.

• TECHNIQUE:
• Insert "virus" code into a software package that must run with root-user privileges.
• When root 'installs' the software, the virus infects the system.

• COUNTER: OPEN SOURCE
• Modifications would be found by the large number of programmers working on the source code, and removed.
• Damage would be quickly repaired.

• Linux supports a variety of CPU architectures.
• Software and other configuration are hugely diverse.
• The higher the diversity, the tougher the virus is to code.

• Powerful awareness mechanism to educate sysadmins.
• Many Linux communities in place.
• Distributions stress limited use of root.

• Files newly downloaded from the INTERNET are not given execute privileges.

• Linux doesn't depend on file extensions.
• Renaming executables won't work.
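The permission slides above (only root has full access, users can damage only their own files, downloaded files get no execute bit, file names and extensions play no part) describe the classic Unix discretionary access check. The following program is an added example written for this transcript, not code from the slides; it implements that check in simplified form (assumptions: no supplementary groups, no ACLs, no capabilities such as CAP_DAC_OVERRIDE) and runs it over constructed sample files so the rules on the slides can be tried out.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Requested access, mirroring the slide's Read/Write/Execute bits. */
enum { WANT_READ = 4, WANT_WRITE = 2, WANT_EXEC = 1 };

/* Simplified Unix DAC check (assumption: no supplementary groups, no ACLs,
   no CAP_DAC_OVERRIDE). mode is the permission part of st_mode (e.g. 0644),
   file_uid/file_gid the file's owner and group, proc_uid/proc_gid the ids of
   the process asking. Returns 1 if access is granted, 0 if denied. */
int dac_allows(mode_t mode, uid_t file_uid, gid_t file_gid,
               uid_t proc_uid, gid_t proc_gid, int want)
{
    int bits;

    /* Root bypasses read/write checks, but execve() still requires at least
       one execute bit: a freshly downloaded file without +x cannot be run by
       anyone, root included, until someone chmods it. */
    if (proc_uid == 0) {
        if (want & WANT_EXEC)
            return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
        return 1;
    }

    /* Exactly one of the three classes applies, chosen by identity alone,
       never by file name or extension. Owner bits win even when they are
       more restrictive than the group or other bits. */
    if (proc_uid == file_uid)
        bits = (mode >> 6) & 7;        /* owner rwx */
    else if (proc_gid == file_gid)
        bits = (mode >> 3) & 7;        /* group rwx */
    else
        bits = mode & 7;               /* others rwx */

    return (bits & want) == want;
}

/* Worked scenario from the slides (constructed sample values): a root-owned
   system binary (0755 root:root), a file the user uid 1000 / gid 100 just
   downloaded (0644 user:users) and a private directory (0700). */
int user_can_write_system_binary(void) { return dac_allows(0755, 0, 0, 1000, 100, WANT_WRITE); }
int user_can_run_system_binary(void)   { return dac_allows(0755, 0, 0, 1000, 100, WANT_EXEC); }
int user_can_run_download(void)        { return dac_allows(0644, 1000, 100, 1000, 100, WANT_EXEC); }
int root_can_run_download(void)        { return dac_allows(0644, 1000, 100, 0, 0, WANT_EXEC); }
int other_user_can_read_private(void)  { return dac_allows(0700, 1000, 100, 1001, 100, WANT_READ); }

int main(void)
{
    printf("user writes /bin/foo (0755 root:root): %d\n", user_can_write_system_binary());
    printf("user runs   /bin/foo (0755 root:root): %d\n", user_can_run_system_binary());
    printf("user runs   ~/dl.bin (0644 user:users): %d\n", user_can_run_download());
    printf("root runs   ~/dl.bin (0644 user:users): %d\n", root_can_run_download());
    printf("other user reads ~/private (0700):      %d\n", other_user_can_read_private());
    return 0;
}
```

The first two results are the slide's point in one line each: a program the user runs can read and execute the system binaries but cannot write to them, so whatever it does stays inside the files that user owns. The real kernel adds supplementary groups, POSIX ACLs and capabilities on top of this, and a process running as root (the Lindows case on a later slide) passes every read/write check here, which is why the slides keep returning to limited use of root.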

• Some distributions ignore security for ease of use.
• Eg: Lindows runs as root by default.

• Some of the common Linux viruses are:
• Ramen
• Bliss
• Slapper worm
• Linux.Diesel.962

• Internet worm.
• Affects default installations of Red Hat Linux 6.2 and 7.0.
• Propagates from one Linux-based server to another.
• Exploits two known security vulnerabilities.
• Replaces the default page of the web server with one that contains the following text: RameN Crew - Hackers looooooooooooove noodles.

• Not specific.
• Tries to infect all binaries it has write access to.
• All machines with rsh access.
• Tries to patch the Linux kernel source to make it more cooperative.

• Exploits a vulnerability in xmlrpc.php and AWStats.
• Opens a backdoor on UDP port 7222.
• Sends specially crafted HTTP POST requests to hard-coded URLs.
• Sends GET requests to a range of hard-coded URLs.

• Relatively harmless, non-memory-resident parasitic virus.

• Searches for Linux executable files in system directories and subdirectories, then writes itself to the middle of the file.

• Moves the original bytes to the end of the file and increases the size of the previous section.

    File before infecting:           File after infecting:
    +-------------+                  +-------------+
    |   Header    |                  |   Header    |
    +-------------+                  +-------------+
    |             |                  |             |
    +-------------+ <- Entry point   +-------------+ <- E.P
    | Program code|                  | Virus code  |
    +-------------+                  +-------------+
    |             |                  |             |
    +-------------+                  +-------------+
                                     | Program code|
                                     +-------------+
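The before/after picture above is exactly what a file-integrity check is meant to notice: the code segment grows, the file grows, and in other parasitic infectors the entry point moves as well. The program below is an added example for this transcript, not code from the slides or from any antivirus product. It records a small structural fingerprint of an ELF64 file (entry point, file length, file size of each PT_LOAD segment), compares it against a trusted baseline recorded earlier (for instance at package install time), and reports which of the three changes occurred. The sample images are constructed in memory to copy the slide's layout (32 bytes of "virus code" inserted at the entry point, original code pushed back); the 0x400000 load address and the segment sizes are assumptions for the sample.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOAD 8
#define FP_ENTRY_MOVED   1   /* e_entry differs from the baseline */
#define FP_SEGMENT_GREW  2   /* a PT_LOAD segment's file size differs */
#define FP_FILE_GREW     4   /* total file length differs */

/* Structural fingerprint: enough to notice the changes on the slide without
   keeping the whole file. A hash-based checker (AIDE, rpm -V) catches more,
   this one shows *where* the layout changed. */
struct elf_fp {
    unsigned long entry, file_len;
    size_t nload;
    unsigned long load_filesz[MAX_LOAD];
};

/* Parse the ELF and program headers into *fp. Returns 0 on success,
   -1 if the image is not a sane ELF64 (bad magic, headers past end). */
int elf_fingerprint(const unsigned char *img, size_t len, struct elf_fp *fp)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;
    memset(fp, 0, sizeof *fp);
    fp->entry = eh.e_entry;
    fp->file_len = len;
    for (size_t i = 0; i < eh.e_phnum && fp->nload < MAX_LOAD; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD)
            fp->load_filesz[fp->nload++] = ph.p_filesz;
    }
    return 0;
}

/* Compare a current fingerprint with the trusted baseline.
   Returns a bitmask of FP_* flags; 0 means the layout is unchanged. */
int elf_fp_diff(const struct elf_fp *base, const struct elf_fp *cur)
{
    int flags = 0;
    if (base->entry != cur->entry) flags |= FP_ENTRY_MOVED;
    if (base->file_len != cur->file_len) flags |= FP_FILE_GREW;
    if (base->nload != cur->nload) flags |= FP_SEGMENT_GREW;
    for (size_t i = 0; i < base->nload && i < cur->nload; i++)
        if (base->load_filesz[i] != cur->load_filesz[i]) flags |= FP_SEGMENT_GREW;
    return flags;
}

/* Constructed sample (assumption, not a real binary): minimal ELF64 with one
   R+X PT_LOAD covering the headers plus 64 bytes of "program code". With
   infected != 0 the layout copies the slide: 32 bytes of "virus code" sit at
   the unchanged entry point, the original code follows, so both the segment
   and the file grow by 32 bytes. Returns the image length, 0 if cap is too small. */
size_t build_sample_elf(unsigned char *buf, size_t cap, int infected)
{
    size_t code_off = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr);
    size_t total = code_off + 64 + (infected ? 32 : 0);
    Elf64_Ehdr eh; Elf64_Phdr ph;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_entry = 0x400000 + code_off;           /* entry = first code byte */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    memcpy(buf, &eh, sizeof eh);
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_LOAD; ph.p_flags = PF_R | PF_X;
    ph.p_vaddr = ph.p_paddr = 0x400000; ph.p_align = 0x1000;
    ph.p_filesz = ph.p_memsz = total;
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return total;
}

/* Worked checks: baseline from the clean image, current from the infected
   one (and, as a control, clean against clean). -1 if parsing failed. */
int sample_infection_flags(void)
{
    unsigned char clean[256], dirty[256];
    struct elf_fp base, cur;
    size_t n1 = build_sample_elf(clean, sizeof clean, 0);
    size_t n2 = build_sample_elf(dirty, sizeof dirty, 1);
    if (elf_fingerprint(clean, n1, &base) || elf_fingerprint(dirty, n2, &cur)) return -1;
    return elf_fp_diff(&base, &cur);
}
int sample_clean_flags(void)
{
    unsigned char clean[256];
    struct elf_fp base, cur;
    size_t n = build_sample_elf(clean, sizeof clean, 0);
    if (elf_fingerprint(clean, n, &base) || elf_fingerprint(clean, n, &cur)) return -1;
    return elf_fp_diff(&base, &cur);
}

int main(void)
{
    int f = sample_infection_flags();
    printf("clean vs clean: flags=%d\n", sample_clean_flags());
    printf("clean vs infected: flags=%d entry_moved=%d segment_grew=%d file_grew=%d\n",
           f, !!(f & FP_ENTRY_MOVED), !!(f & FP_SEGMENT_GREW), !!(f & FP_FILE_GREW));
    return 0;
}
```

For the slide's layout the entry point stays where it was, so only the segment and file growth are flagged (flags = 6); an infector that redirects e_entry into appended code would additionally raise FP_ENTRY_MOVED. The check only works against a baseline taken from a trusted copy, which is the same reason the slides list secure software distribution chains among Linux's defences: the package manager's recorded checksums are that baseline.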

• PTRACE():
• ptrace() is a system call that enables one process to *control* the execution of another one.
• The traced process enters the STOPPED state and informs the tracing process via the wait() call.
• The tracing process decides what to do.

• Prototype:

    #include <sys/ptrace.h>
    long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

• 'request' determines the action that has to be performed.

• /* target1.c */

    /* target1.c : the traced program; it makes a single write() syscall */
    #include <string.h>
    #include <unistd.h>

    int main(void)
    {
        char str[] = "Hello all\n";
        write(1, str, strlen(str));   /* fd 1 = standard output */
        return 0;
    }

• OUTPUT :

Hello all

• /* tracer1.c */

    /* tracer1.c : runs the target under ptrace and shortens every write()
       it makes to 3 bytes (32-bit x86 register names, as on the slide) */
    #include <sys/ptrace.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <sys/user.h>
    #include <sys/syscall.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        pid_t pid;
        int status;
        long orig_syscall;
        struct user_regs_struct regs;     /* i386 layout: orig_eax, ebx, ecx, edx, ... */

        if (argc < 2) { fprintf(stderr, "usage: %s <program>\n", argv[0]); return 1; }
        pid = fork();
        if (pid == 0) {
            ptrace(PTRACE_TRACEME, 0, 0, 0);      /* child: ask to be traced */
            execl(argv[1], argv[1], (char *)NULL);
            perror("execl");
            exit(1);
        } else {
            wait(&status);                        /* child stops at the exec */
            while (1) {
                ptrace(PTRACE_SYSCALL, pid, 0, 0); /* run to next syscall entry/exit stop */
                wait(&status);
                if (WIFEXITED(status)) break;     /* target finished */
                ptrace(PTRACE_GETREGS, pid, 0, &regs);
                orig_syscall = regs.orig_eax;     /* syscall number on i386 */
                if (orig_syscall == SYS_write) {
                    regs.edx = 3;                 /* third argument of write(): count */
                    ptrace(PTRACE_SETREGS, pid, 0, &regs);
                }
            }
        }
        return 0;
    }

• OUTPUT :

    # ./tracer1 /home/rit/target1
    Hel

• regs.edx = 3; is the key

• /* target2.c */

    /* target2.c : prints its uid, then replaces itself with a shell */
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        printf("user id: %d\n", (int)getuid());
        fflush(stdout);                            /* flush before the exec replaces the process image */
        execl("/bin/csh", "csh", (char *)NULL);    /* the shell stays under the same tracer */
        return 0;
    }

• OUTPUT :

    user id: 1000
    % id
    uid=1000(rit) gid=100(users) groups=11(floppy),17(audio),18(video),19(cdrom),100(user)

• /* tracer2.c */

    /* tracer2.c : same skeleton as tracer1.c, but rewrites the result of
       getuid32() so the traced program believes it runs as uid 0 */
    #include <sys/ptrace.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <sys/user.h>
    #include <sys/syscall.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        pid_t pid;
        int status;
        long orig_syscall;
        struct user_regs_struct regs;     /* i386 layout: orig_eax, eax, ... */

        if (argc < 2) { fprintf(stderr, "usage: %s <program>\n", argv[0]); return 1; }
        pid = fork();
        if (pid == 0) {
            ptrace(PTRACE_TRACEME, 0, 0, 0);
            execl(argv[1], argv[1], (char *)NULL);
            perror("execl");
            exit(1);
        }
        wait(&status);
        while (1) {
            ptrace(PTRACE_SYSCALL, pid, 0, 0);
            wait(&status);
            if (WIFEXITED(status)) break;
            ptrace(PTRACE_GETREGS, pid, 0, &regs);
            orig_syscall = regs.orig_eax;
            if (orig_syscall == SYS_getuid32) {
                /* eax carries the return value at the syscall-exit stop;
                   forcing it to 0 makes getuid() report root */
                regs.eax = 0;
                ptrace(PTRACE_SETREGS, pid, 0, &regs);
            }
        }
        ptrace(PTRACE_DETACH, pid, NULL, NULL);   /* no-op once the target has exited */
        return 0;
    }

• OUTPUT :

    # ./tracer2 /home/rit/articles/target2
    user id: 0
    % id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
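A program traced the way tracer1/tracer2 trace their targets sees every syscall result filtered by the tracer, so from the defender's side the useful question is whether a process is being traced at all. The kernel publishes that in /proc/<pid>/status as the TracerPid field (0 when nobody is attached). The code below is an added example for this transcript, not code from the slides; it parses that field from constructed sample status texts (the pids 4242/4100 are made up) and also reads the live value for the calling process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "TracerPid:" line of a /proc/<pid>/status text.
   Returns the tracer's pid (0 = nobody is tracing), or -1 if the line is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "TracerPid:", 10) == 0)
            return strtol(p + 10, NULL, 10);   /* strtol skips the tab after the colon */
        p = strchr(p, '\n');                   /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Live value for the calling process. Returns -1 where /proc is not
   available (non-Linux, or a sandbox without procfs). */
long self_tracer_pid(void)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Constructed sample status texts (assumption: not captured from a real
   system). The second one is what target2 looks like while tracer2 holds it
   in a syscall stop: state "t (tracing stop)" and the tracer's pid filled in. */
static const char SAMPLE_UNTRACED[] =
    "Name:\ttarget2\nUmask:\t0022\nState:\tR (running)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t4100\nTracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n";
static const char SAMPLE_TRACED[] =
    "Name:\ttarget2\nUmask:\t0022\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t4100\nTracerPid:\t4100\nUid:\t1000\t1000\t1000\t1000\n";

long sample_untraced(void) { return parse_tracer_pid(SAMPLE_UNTRACED); }
long sample_traced(void)   { return parse_tracer_pid(SAMPLE_TRACED); }

int main(void)
{
    printf("sample untraced: TracerPid=%ld\n", sample_untraced());
    printf("sample traced:   TracerPid=%ld\n", sample_traced());
    printf("this process:    TracerPid=%ld\n", self_tracer_pid());
    return 0;
}
```

Two caveats a practitioner should keep in mind. The check is only as trustworthy as the process reading it: a tracer that rewrites the result of getuid32() can just as well rewrite the bytes a read() of /proc/self/status returns, so it is a monitoring signal for a separate, unprivileged-to-the-tracer observer, not a defence inside the traced program. And the reason tracer1/tracer2 work at all is that the target is the tracer's own child (fork + PTRACE_TRACEME) running under the same uid; on distributions that ship the Yama LSM, the kernel.yama.ptrace_scope sysctl limits attaching to unrelated processes of the same user, which narrows how much a user-level program can interfere with other programs of that user.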

• Linux itself is the best antivirus.
• Antivirus is used to detect Windows viruses.
• Prevents them from affecting other systems.
• Eg: ClamAV

• The power of root must be used discreetly.
• The number of viruses and their effectiveness is low.
• LINUX IS SAFE..

• http://librenix.com/linux/
• http://astalavista.com/linux
• http://linuxmafia.com/~rick/faq/
• http://virus.about.com