
Re: University of Texas Paper on Moving to Linux

In comp.os.linux.advocacy, B Gruff <bbgruff@xxxxxxxxxxx> wrote
on Wed, 14 Feb 2007 20:19:43 +0000 <53h970F1sjoirU1@xxxxxxxxxxxxxxxxxx>:
> On Wednesday 14 February 2007 10:30 raylopez99 wrote:
>
>> Reposted below with my comments IN CAPS
>
> Why don't you quote and intersperse comment like everybody else?
> That way, we'd be able to see who-said-what in future quotes.
>
> In future, please include [Troll] on your headers.
>
>> As a reference
>> point, Windows has a known 15,000 viruses, many of which have toppled
>> entire data systems.  WELL 40/15K IS ABOUT 0.3%, WHICH SEEMS LIKE THE
>> REAL MARKET SIZE OF LINUX COMPARED TO WINDOWS
>
> FYI, number of known Windows viruses is well over 200,000, not 15,000 as
> reported.  Please recompute based on the correct figure)
>

On the flip side, the number *active* is probably more
relevant; the Stoner or Stoned virus in particular is
probably long since dead, for example.  This can be applied
to both sides of the debate, of course.

If there are 200,000 viruses extant, this is a major upswing from

http://www.cknow.com/vtutor/NumberofViruses.html

which claims 103,000 in June 2005.  Of course either way
it's still an awful damned lot of malware. :-)

AIUI, there's about a dozen or so Linux viruses at the
very most, all of them dead; Li0n was probably the most
virulent.  Unfortunately, Google is being reticent again
(or maybe swamped; the Windows malware, after all, is of
far more concern).

There are hints of a cross-spreading variant, and I for
one would expect this to continue.  After all, Linux/x86
is now a popular enough solution to try to infect.
(It is also possible -- if one's extremely paranoid --
that someone is trying to ensure that the Linux experience
is less than satisfactory so that people can go back to
the relatively safe Vista.  But I wouldn't sell the farm
and move just yet...)

As of 2005:

http://lxer.com/module/newswire/view/31417/index.html

claims the following, erm, entries:

L0nGH0RN.Wh3N?  -- a rather goofy virus
M0r0nic.An4lyzt/M0r0nz! -- kernel infecter
F14KyC0W0rKRZ/FLKYZ -- bootloader infecter
Search.eng1ne.FUD/S.e.F -- Replicator/browser infecter
sUn+FUD/sUn -- stealth kernel infecter

and these appear to be more along the lines of inside jokes.

http://www.geocities.com/sunnylug/linviruses.html

has a more credible list of 9 viruses:  Bliss, Diesel, Gildo, Kagob,
Nuxbee, Satyr, Vit.4096, Winter, and Zipworm.  (All of them prefixed
with "Linux.", for clarity.)  This is as of early 2004.

Bliss: nonmemory-resident ELF infector.  Payload is a silly message.

Diesel: Another nonmemory-resident ELF infector.  It tends to
infect the middle of a file, making it a little harder to find.
Payload unknown but probably not dangerous.

Gildo: This one's memory-resident, but still an ELF infector.
Payload is not dangerous.

Kagob: nonmemory-resident ELF infector.  No payload.

Nuxbee: nonmemory-resident ELF infector.  Contains a
compressor/encryptor and saves the original bytes.
Payload unknown but probably not dangerous.

Satyr: nonmemory-resident ELF infector.  No payload.

Vit.4096: self-contained nonmemory-resident ELF infector.

Winter: tiny nonmemory-resident ELF infector.  Has code
to set host name to "Wintermute" but code is never called.
No other payload of note.

Zipworm: ZIP archive infector.

Not exactly the most dangerous creatures.

Were I to actually want to design a virus (and had a nice
big security hole to wedge it into) I'd want a polymorphic
root-capable kernel infector that can compress random data
blocks into hidden disk areas and be extremely difficult
to detect and eradicate.  I'd probably also attack /dev/hda
and /dev/sda, in an attempt to find the bootloader, as well
as attacking the kernel proper -- and maybe some knowledge
of LILO and GRUB, to find kernels (the config files, after
all, can name them "Fred", "GrumbleB00blybee", or "Huh?",
as opposed to the more traditional /vmlinuz).  Note that
/vmlinuz includes piggy.o, which is a decompressor;
any infector would have to ensure that it writes itself
properly into the kernel, lest it corrupt it as opposed
to infect it.  But that's a detail any cracker worth his
salt can figure out. :-)

I'd also want to infect X, so that it will send keyboard
events my way -- the software equivalent of a physical
plugin between keyboard and computer unit.  I'd then
sell the passwords on eBay to the highest bidder.

Distribution would probably be via a variety of methods:
RFC1459/IM, web pages, spam, and portscans.  Admittedly,
portscans are less than effective with NAT boxes, but one
never knows.

But I'm not a nasty sort, really. :-)  (I just know
this is vaguely possible.)  However, a random data
block compressor/infector was possible under *DOS*.
A quick search pulled up the NuKE Encryption Device,
dated October 1992 -- well before Win95.  But there's
a whole slew of others, all dated from 1992 to 1999,
on http://www.vx.netlux.org/lib/static/vdat/engine2.htm .

The truth is out there.  Somewhere.

-- 
#191, ewill3@xxxxxxxxxxxxx
Windows Vista.  It'll Fix Everything(tm).

-- 
Posted via a free Usenet account from http://www.teranews.com
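Most of the Linux viruses listed in the post (Bliss, Diesel, Gildo, Kagob, Nuxbee, Satyr, Vit.4096, Winter) are described as ELF infectors, so the natural defensive counterpart is a structural check of the ELF file itself. What follows is an added example of such a check, written for this edit and not taken from the post or from any of the pages it links; it assumes little-endian ELF64 (x86-64) images, uses finding names of my own choosing, and builds its three sample binaries inline (a ten-byte exit stub standing in for a program, NOPs standing in for appended viral code) so it runs offline. It asks three questions a simple file infector tends to answer badly: does the entry point lie inside an executable PT_LOAD segment, has that segment been made writable as well as executable, and are there bytes in the file that no program header or section header table accounts for.

```python
import struct

# ELF64 layout constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_SIZE, PHDR_SIZE = 64, 56
EHDR_FMT = "<HHIQQQIHHHHHH"   # e_type .. e_shstrndx, after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align


def parse_elf64(data):
    """Return (e_entry, list of program headers, end offset of the section header table)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (_, _, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 16)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segs.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                     "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return e_entry, segs, e_shoff + e_shnum * e_shentsize


def scan(data):
    """Heuristic infection checks; returns a list of finding names (empty means nothing odd)."""
    entry, segs, sh_end = parse_elf64(data)
    findings = []
    loads = [s for s in segs if s["type"] == PT_LOAD]
    home = next((s for s in loads if s["vaddr"] <= entry < s["vaddr"] + s["memsz"]), None)
    if home is None or not home["flags"] & PF_X:
        findings.append("entry_outside_exec")   # entry is not inside any executable mapping
    elif home["flags"] & PF_W:
        findings.append("wx_entry_segment")     # code segment is writable too: common infector footprint
    covered = max([s["offset"] + s["filesz"] for s in loads] + [sh_end])
    if len(data) > covered:
        findings.append("trailing_data")        # bytes no header accounts for (appended payload?)
    return findings


def build_elf64(code, entry, seg_flags, seg_filesz=None, tail=b""):
    """Constructed minimal static ELF64 image: one PT_LOAD at 0x400000 mapping the file from offset 0."""
    base = 0x400000
    filesz = EHDR_SIZE + PHDR_SIZE + len(code) if seg_filesz is None else seg_filesz
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8          # ELF64, LSB, version 1, SysV ABI
    ehdr = ident + struct.pack(EHDR_FMT, 2, 62, 1, entry, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)  # ET_EXEC, x86-64, no section table
    phdr = struct.pack(PHDR_FMT, PT_LOAD, seg_flags, 0, base, base, filesz, filesz, 0x1000)
    return ehdr + phdr + code + tail


BASE = 0x400000
CODE_START = BASE + EHDR_SIZE + PHDR_SIZE                 # first byte after the two headers
EXIT_STUB = b"\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"  # xor rdi,rdi; mov eax,60; syscall (exit(0))
VIRAL_STUB = b"\x90" * 32                                # NOPs standing in for appended viral code

# 1. Clean binary: entry at the start of the code, R+X segment, nothing past it.
CLEAN = build_elf64(EXIT_STUB, CODE_START, PF_R | PF_X)
# 2. Infector that appends its body, grows the text segment to cover it, marks the
#    segment RWX and moves the entry point onto the appended code.
INFECTED_EXTENDED = build_elf64(EXIT_STUB + VIRAL_STUB, CODE_START + len(EXIT_STUB),
                                PF_R | PF_W | PF_X)
# 3. Naive append: body tacked on past the segment, entry pointed at it, headers otherwise unchanged.
INFECTED_APPENDED = build_elf64(EXIT_STUB, CODE_START + len(EXIT_STUB), PF_R | PF_X,
                                seg_filesz=EHDR_SIZE + PHDR_SIZE + len(EXIT_STUB), tail=VIRAL_STUB)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("extended", INFECTED_EXTENDED), ("appended", INFECTED_APPENDED)):
        print(f"{name:9s} {scan(img)}")
```

Run as a script it prints the finding list for each constructed image: nothing for the clean one, the writable-code flag for the segment-extending infector, and both the entry and trailing-data flags for the naive append. The checks are purely structural and deliberately conservative: an infector that leaves e_entry alone and instead patches a call site or the PLT passes all three, and the trailing-data check will false-positive on binaries that legitimately carry appended data (self-extracting archives, embedded signatures), so treat a hit as a reason to look, not a verdict.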

