Flutterby™! : New Virus


New Virus

2001-03-29 03:48:10+00 by TC 3 comments

Hoof & Mouth? No, no, no, it's the first Winux virus. I wonder if the Mac people feel left out?

[ related topics: Apple Computer Web development virus ]

comments in ascending chronological order:

#Comment made: 2002-02-21 05:31:25+00 by: Dan Lyke

Wait! First, it's a worm, not a virus. Second, even if it works as advertised, it'll only infect binaries writable by the user. If you're running as root, you deserved to get reamed.

Thirdly... well... the article doesn't say how you get a binary that'll run on both platforms, or a language (like Perl) that's widely enough deployed on Windows that it'd make a difference.

I call media hoax.

#Comment made: 2002-02-21 05:31:25+00 by: dhartung

I dunno, Dan. It seems to me that writing a worm payload that's smart enough to find two kinds of executable isn't really that big a deal. Sure, it's more complicated than usual, but it certainly isn't impossible. There have certainly been viruses written before that could spread via more than one method. Here you need two kinds of executable code squeezed into one payload, with logic to decide which one to install.

I wouldn't overblow this threat, either. It can't infect the Linux binaries except under some very specific circumstances. There aren't that many dual-OS machines. Still, it's entirely possible to have a shared space for dual-boot machines that Windows makes 100% writable. You probably shouldn't put any Linux binaries there.

It's just a shot across the bow: showing it can be done.

#Comment made: 2002-02-21 05:31:25+00 by: Dan Lyke

It's not smart enough to find two kinds of executables; that's pretty damned trivial. It's polymorphic enough to handle the executable loader in '98, NT and Linux. Back in the days of .COM files I could imagine it (you could do a lot in that wasted 128 header bytes), but I guess NT does enough ELFish stuff that it ought to be possible. I haven't delved into the actual structure of Microsoft binaries since the days of the "MZ" header, except to know that simple symbol substitution works (i.e. as of two years ago they didn't do much internal integrity checking, which is handy when you're trying to make sure that symbols are obfuscated), so I guess I really don't know.
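A defender-side check for the layout dhartung and Dan describe above, two executable formats carried in one image: this is an added example, not code from the thread or from the reported worm. It looks for the loader signatures both comments mention (the "MZ" DOS header whose `e_lfanew` field points at `PE\0\0`, and the `\x7fELF` magic) anywhere in a file, and flags a file that carries both; the sample image is constructed from header magic alone and is not a runnable program.

```python
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIG = b"PE\0\0"


def pe_offsets(data: bytes) -> list:
    """Offsets of every MZ header whose e_lfanew (at +0x3C) points at a valid PE signature.

    Requiring the e_lfanew check avoids flagging the two bytes "MZ" wherever they
    happen to occur in ordinary data.
    """
    out = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):  # full 64-byte DOS header present
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == PE_SIG:
                out.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return out


def elf_offsets(data: bytes) -> list:
    """Offsets of every ELF magic followed by a plausible EI_CLASS byte (1 = 32-bit, 2 = 64-bit)."""
    out = []
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        if pos + 5 <= len(data) and data[pos + 4] in (1, 2):
            out.append(pos)
        pos = data.find(ELF_MAGIC, pos + 1)
    return out


def dual_format_suspect(data: bytes) -> bool:
    """True when one image carries both a PE and an ELF header, the shape a Windows/Linux payload needs."""
    return bool(pe_offsets(data)) and bool(elf_offsets(data))


def build_sample() -> bytes:
    """Constructed sample: a minimal MZ/PE stub with an ELF header appended after it. Not a real program."""
    dos = bytearray(MZ_MAGIC + b"\0" * 0x3E)  # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature right after the DOS header
    pe_part = bytes(dos) + PE_SIG + b"\0" * 20  # placeholder COFF header bytes
    elf_part = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, EV_CURRENT
    return pe_part + elf_part
```

On a real system you would run `dual_format_suspect` over the shared, world-writable partition dhartung warns about, which is exactly where a Linux binary sitting next to Windows files would be exposed.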