Very Computer

We recently obtained a machine which is a second user machine, and has some
software binaries on it.  I come from the DOS world and my first instinct was
to check for viruses.  I was reliably informed that viruses do not exist on
UNIX, and therefore there is no need to check for them.  Consequently, no
virus checking software exists.

It is true that the UNIX file system, with its permissions and all, provides a
degree of security against virus attacks.  However, the machine has had a
root user who could have permission to write to anything.  For instance,
what guarantee is there that 'ls' is actually 'ls', and the binary does not
do damage?

Call me paranoid, but I find this a very difficult pill to swallow.  Can
anybody arbitrate?

Thank you.

John Birtley.

Quote:>but I find this a very difficult pill to swallow.  Can
>anybody arbitrate?

--

              Whip me.  Beat me.  Make me maintain AIX.

Sure.  Call it as "uname -s" and if it indicates that you are running Unix
then you have no viruses.

: It is true that the UNIX file system, with its permissions and all, provides a
: degree of security against virus attacks.  However, the machine has had a
: root user who could have permission to write to anything.  For instance,
: what guarantee is there that 'ls' is actually 'ls', and the binary does not
: do damage?

What you are describing are "trojan horses."  They can be a problem on
systems where security is lax.  This includes some Unix systems by
accident and all DOS systems by design.

--

Planix, Inc.                        |   Democracy is three wolves and a
Toronto, Ontario, Canada            |   sheep voting on what's for dinner.
+1 416 424 2871  (DoD#0082) (eNTP)  |

However, when being cruel just for the sake of cruelty, it is
essential for one to get one's facts straight.  Otherwise, not only
would one look like a moron, one would look like an *impolite* moron.
We wouldn't want that, now, would we?

A virus modifies a binary, adding a copy of itself.  When the binary
is run, the virus-part runs and reproduces, infecting other binaries.
(It may do other things, but for the sake of definition, all it has to
do is reproduce to be a virus.)  Machines with easily-writable-to
binaries are most at risk from viruses.

A trojan horse, on the other hand, emulates a trusted program (such as
login, that fine process that prompts you for your account name and
password) and stashes the information away for later nefarious use.
Well written trojan horses also actually DO the jobs of the programs
they're emulating.

A worm infects machines instead of binaries, spreading over the
network through security glitches.  UNIX machines are notoriously
vulnerable to worms.

A logic bomb is a program (or code in a program) that does heaps of
damage, but doesn't reproduce.

A compromised `ls' could be ANY OF THE ABOVE.  If the evil ls looks
for writable binaries to infect, virus.  An ls that searches your
account for read-protected files and copies them somewhere where the
bad guys can get at them would be a trojan horse.  If it tries to
infect ls binaries on other machines on the net, 'tis a worm, and if
it simply unlinks all your files, it's logic bomb.

(These names are not hard and fast, of course. A modified "login" that
infects binaries, spreads over the network, steals passwords, and
trashes the hard drive as well would best be classified as "big
trouble.")

--

              Whip me.  Beat me.  Make me maintain AIX.

Since UNIX ENFORCES permissions, it's pretty hard to conceive of a way
to erase files you don't have permissions on, etc.  Since the hard disk
is just looked at as a file, the rules apply to erasing the disk too;
not to mention the fact that mere programs don't have access to ports
and interrupts like they do in DOS.

: It is true that the UNIX file system, with its permissions and all, provides a
: degree of security against virus attacks.  However, the machine has had a
: root user who could have permission to write to anything.  For instance,
: what guarantee is there that 'ls' is actually 'ls', and the binary does not
: do damage?
: Call me paranoid, but I find this a very difficult pill to swallow.  Can
: anybody arbitrate?

Well John, if you're that paranoid, just reload the OS.  This could take
some time depending on which machine/os you have.  Not to mention the
fact that you will lose all data on the root filesystem, and have to
rebuild all your users.  First thing you need to do is change the root
password.  Then you could maybe do an ls -l on all the programs you
are worried about that have root owner, and compare them with the
same listing from some other machine. Other than that, welcome to UNIX.

--
If power corrupts, and absolute power corrupts absolutely,
government corruption WILL be reduced by reducing government power. q.e.d.

Bob Stewart (KB9ZW)
wk USA (310) 335-7152

   Close, but not quite.

   You may not have any viruses running, but your system may still have
a virus on it.  Try this with an expendable PC Unix system sometime:

1.  Infect a floppy diskette with your favourite boot sector virus
using a DOS machine.

2.  Shut down your Unix box.

3.  Insert the infected floppy into the machine's boot floppy drive.

4.  Reboot the Unix box.

   Assuming it's configured to try to boot off the floppy first, chances
are very good that your hard drive now has a virus on it.  It may
even prevent your Unix box from booting.
--

----------------------------------------------------------------------------
Stephen M. Dunn, CNE, ACE, Sr. Systems Analyst, United System Solutions Inc.
104 Carnforth Road, Toronto, ON, Canada M4A 2K7          (416) 750-7946 x251

Bull

: 1.  Infect a floppy diskette with your favourite boot sector virus
: using a DOS machine.

: 2.  Shut down your Unix box.

: 3.  Insert the infected floppy into the machine's boot floppy drive.

: 4.  Reboot the Unix box.

:    Assuming it's configured to try to boot off the floppy first, chances
: are very good that your hard drive now has a virus on it.  It may
: even prevent your Unix box from booting.

Steven, we have the same sort of misconceptions where I work.  A DOS
virus WILL NOT infect a UNIX system.  This is not to say that the
scenario you used will not trash a hard disk. However, you will note
that UNIX was not running at the time you loaded this virus.  In the
above case, if the system will boot UNIX, the UNIX partition will not
be infected.  IF there is a DOS partition, and IF it was the active
partition when you executed these four steps, that partition WILL be
infected. Since the virus in question is a boot sector virus, it only
has the ability to prevent booting in a UNIX system.

There is nothing magic about a virus.  Viruses are unique to OS's that
do not insulate programs from the hardware, i.e. DOS and Windows.  
I have no knowledge about NT.

There are other things that are the bane of UNIX and similar systems,
but most take advantage of sloppy system administration to execute
programs that wouldn't run as a non root user.

--
If power corrupts, and absolute power corrupts absolutely,
government corruption WILL be reduced by reducing government power. q.e.d.

Bob Stewart (KB9ZW)
wk USA (310) 335-7152

Quote:>virus WILL NOT infect a UNIX system.  This is not to say that the
>scenario you used will not trash a hard disk. However, you will note
>that UNIX was not running at the time you loaded this virus.  In the
>above case, if the system will boot UNIX, the UNIX partition will not
>be infected.  IF there is a DOS partition, and IF it was the active
>partition when you executed these four steps, that partition WILL be
>infected. Since the virus in question is a boot sector virus, it only
>has the ability to prevent booting in a UNIX system.

Bradley> There is a virus going around, however, that if you have DOS and
Bradley> Linux on the same machine, it can clobber your Linux
Bradley> partition....I had this happen....

More like it's a DOS virus that clobbers disk partitions, and if Linux
happens to be on a particular clobbered partition, well, g'bye. It's not a
Unix virus by any stretch of the imagination, and it won't do jack to your
drive if you don't have DOS on it.

--

http://www.ccs.neu.edu/home/ratinox | returned to its special container and
PGP Public Key: Ask for one today!  | kept under refrigeration.

: There is a virus going around, however, that if you have DOS and Linux on the
: same machine, it can clobber your Linux partition....I had this happen....

ANYTHING that is allowed to clobber your partition table when running MS-DOS
will obviously affect your Linux partition.

There are many ways of preventing inadvertant partition clobbering under
MS-DOS. The best are programs that check all disk accesses for access to the
MBR and partition table.  Some BIOS even provide a limited protection
against this type of infiltration.

Otherwise you can use MS-DOS 'virus' scanners to highlight changes to the
MGR and to the FA tables.

Under UNIX however, the only programs that can cause problems are those
executed from your init scripts, or those that are given SUID root
permissions.

1)  Programs executed from your init scripts operate as root.
2)  Programs SUID root are given permission by YOU to run as root (or
whatever).

Easy solution
-------------

1)  Do not run pre-compiled binarys as root (This used to be the norm, but
Linux has changed all that).  After 15 years of SysAdm experience for the
first time I'm finding binaries available from others than the Operating
system provider.  I think that this is a BAD (yes !!!!BAD!!!! thing).

This is the type of behavior that resulted in MS-DOS viruses becoming as
prevalent as they are.

Check for source code, and read it!  If source is unavailable at least grab
the binaries from a reputable dealer.

2)  SUID scripts are a NO-NO.  Linux by default disables SUID scripts.  This
was done for a reason.

If you want/need/feel-like an SUID program write it in 'c' of any other
properly implemented language.

Graham.
--
+----------------------------------------------------------------------------+


  Australia                 FidoNet  3:714/207.7
+----------------------------------------------------------------------------+

Peter> Given what would appear to be a greater connectivity between UNIX
Peter> boxes on average than dos boxes (how are you receiving this post?),
Peter> would anyone care to hypothesise why vir(insert favourite plural
Peter> ending here) are so rare in the UNIX world?

Because under an operating system with protected memory, such as Unix or
VMS, it is impossible for a virus to spread.

--

http://www.ccs.neu.edu/home/ratinox | away immediately. Seek shelter and cover
PGP Public Key: Ask for one today!  | head.

: Peter> Given what would appear to be a greater connectivity between UNIX
: Peter> boxes on average than dos boxes (how are you receiving this post?),
: Peter> would anyone care to hypothesise why vir(insert favourite plural
: Peter> ending here) are so rare in the UNIX world?

: Because under an operating system with protected memory, such as Unix or
: VMS, it is impossible for a virus to spread.

Actually, as others have pointed out to me, it is possible for a virus
to spread on a UNIX machine.  It is, however, difficult for a virus
to do anything very "useful" in a unix environment.  An infected user
might lose all his files, a stupid administrator who runs downloaded
programs as root might even lose a complete system, but in the main,
Unix file system protections greatly limit a viruses scope.

BTW, the OS's protected memory scheme protects users from each other,
it is not the mechanism that protects Unix from viruses.  File system
permissions protect us from the rampant spread of a virus in a system.
Lack of direct access to system hardware (read device drivers) protect
your harddisk from the hard disk wipes so popular in the DOS/Windoze world.

--
If power corrupts, and absolute power corrupts absolutely,
government corruption WILL be reduced by reducing government power. q.e.d.

Bob Stewart (KB9ZW)
wk USA (310) 335-7152

Programs which operate as such are not viri. A computer virus is a program
that replicates itself, on its own, whether you want it to or not; that's
the definition of a virus. As none of these replicate themselves, they are
not viri. A trojan horse is something disguised as something else; hacked
system files such as ``ls'' or stuff pulled from the nets which do
unexpected things outside of their scope are trojan horses, not viri.

Bob> BTW, the OS's protected memory scheme protects users from each other,
Bob> it is not the mechanism that protects Unix from viruses.

Yes, it does. If a virus can't wedge itself into memory somewhere, it can't
replicate itself. If it can't replicate itself, it can't spread. Game over.

--

http://www.ccs.neu.edu/home/ratinox | which, if exposed due to rupture, should
PGP Public Key: Ask for one today!  | not be touched, inhaled, or looked at.

: >>> Because under an operating system with protected memory, such as Unix or
: >>> VMS, it is impossible for a virus to spread.

Wrong, only unlikely, "today".  See below.

: Bob> Actually, as others have pointed out to me, it is possible for a virus
: Bob> to spread on a UNIX machine.  It is, however, difficult for a virus
: Bob> to do anything very "useful" in a unix environment.  An infected user
: Bob> might lose all his files, a stupid administrator who runs downloaded
: Bob> programs as root might even lose a complete system, but in the main,
: Bob> Unix file system protections greatly limit a viruses scope.

: Programs which operate as such are not viri. A computer virus is a program
: that replicates itself, on its own, whether you want it to or not; that's
: the definition of a virus. As none of these replicate themselves, they are
: not viri. A trojan horse is something disguised as something else; hacked
: system files such as ``ls'' or stuff pulled from the nets which do
: unexpected things outside of their scope are trojan horses, not viri.

: Bob> BTW, the OS's protected memory scheme protects users from each other,
: Bob> it is not the mechanism that protects Unix from viruses.

: Yes, it does. If a virus can't wedge itself into memory somewhere, it can't
: replicate itself. If it can't replicate itself, it can't spread. Game over.

If a program can infect another program, it has replicated itself.  It
is not necessary for a virus to be "wedged into memory".  It is very
possible (and even normal in the DOS world) for a program to make changes,
add code, etc., to other executables in your local directory.  It is even
possible for such a program to check to see if it has privileges, and
infect programs in the normal Unix locations: /bin, /usr/bin, /opt/bin,
etc.  It is also possible for an infected program to spawn a process that
looks for "opportunities" in the running system to infect still other
programs, or even other sytems in a networked environment.  It is also
possible for a trojan horse to carry the virus, and infect other executables
it has read/write access to. So, whether or not you have a protected
memory environment, you're vulnerable.  If you don't have a secure system,
you can be infected.  It's also possible for an executable to be infected,
and not do any damage until it's executed with privilege.  Makes you
think, doesn't it?

BTW, a running process makes a pretty good substitute for being
"wedged into memory somewhere", doesn't it?

The game, as they say, is not quite over.
--
If power corrupts, and absolute power corrupts absolutely,
government corruption WILL be reduced by reducing government power. q.e.d.

Bob Stewart (KB9ZW)
wk USA (310) 335-7152

: : >>> Because under an operating system with protected memory, such as Unix or
: : >>> VMS, it is impossible for a virus to spread.

: Wrong, only unlikely, "today".  See below.

: : Bob> Actually, as others have pointed out to me, it is possible for a virus
: : Bob> to spread on a UNIX machine.  It is, however, difficult for a virus
: : Bob> to do anything very "useful" in a unix environment.  An infected user
: : Bob> might lose all his files, a stupid administrator who runs downloaded
: : Bob> programs as root might even lose a complete system, but in the main,
: : Bob> Unix file system protections greatly limit a viruses scope.

: : Programs which operate as such are not viri. A computer virus is a program
: : that replicates itself, on its own, whether you want it to or not; that's
: : the definition of a virus. As none of these replicate themselves, they are
: : not viri. A trojan horse is something disguised as something else; hacked
: : system files such as ``ls'' or stuff pulled from the nets which do
: : unexpected things outside of their scope are trojan horses, not viri.

: : Bob> BTW, the OS's protected memory scheme protects users from each other,
: : Bob> it is not the mechanism that protects Unix from viruses.

: : Yes, it does. If a virus can't wedge itself into memory somewhere, it can't
: : replicate itself. If it can't replicate itself, it can't spread. Game over.

: If a program can infect another program, it has replicated itself.  It
: is not necessary for a virus to be "wedged into memory".  It is very
: possible (and even normal in the DOS world) for a program to make changes,
: add code, etc., to other executables in your local directory.  It is even
: possible for such a program to check to see if it has privileges, and
: infect programs in the normal Unix locations: /bin, /usr/bin, /opt/bin,
: etc.  It is also possible for an infected program to spawn a process that
: looks for "opportunities" in the running system to infect still other
: programs, or even other sytems in a networked environment.  It is also
: possible for a trojan horse to carry the virus, and infect other executables
: it has read/write access to. So, whether or not you have a protected
: memory environment, you're vulnerable.  If you don't have a secure system,
: you can be infected.  It's also possible for an executable to be infected,
: and not do any damage until it's executed with privilege.  Makes you
: think, doesn't it?

: BTW, a running process makes a pretty good substitute for being
: "wedged into memory somewhere", doesn't it?

: The game, as they say, is not quite over.
: --
: If power corrupts, and absolute power corrupts absolutely,
: government corruption WILL be reduced by reducing government power. q.e.d.

: Bob Stewart (KB9ZW)
: wk USA (310) 335-7152
--
Peter Gross
Brighton Health Care NHS Trust, UK

The ideas, suggestions, jokes, cautions, complaints, comments, scripts, insults,