Bliss Virus (fwd)

Yavuz Selim Komur (yavuz@akdeniz.edu.tr)
Sat, 8 Feb 1997 13:05:22 +0200 (EET)


Well then, good luck with it.

Regards.
--------------------------------------->>>>>> Join us too <<<<<<-------
Yavuz ACIK SISTEM'97
Akdeniz University 7th Open Systems Symposium
Network Group, 19-21 March 1997
Swissotel, The Bosphorus, Istanbul

---------- Forwarded message ----------
Date: Fri, 7 Feb 1997 13:06:35 -0700 (MST)
From: Seth Edwards <sedwards@cscu.csc.edu>
To: linux kernel list <linux-kernel@vger.rutgers.edu>
Subject: Bliss Virus (fwd)

---------- Forwarded message ----------
Date: Thu, 6 Feb 1997 13:29:53 -0700 (MST)
From: Joel Maslak <j@pobox.com>
To: Linux -- Donald Lewis <dwl8339@silver.sdsmt.edu>,
Linda Bowe <lbowe@cchs.ccsd.k12.wy.us>,
Lyla Downey <ldowney@district.ccsd.k12.wy.us>,
Oguz Yetkin <yetkin@cs.wisc.edu>, Rob Lowrance <aglar@uwyo.edu>,
Seth Edwards <sedwards@cscu.csc.edu>,
Sarah Sandman <ssandman@cyprus.com>, Marvin Davies <mdavies@cyprus.com>,
hostmaster@linkeasy.net
Subject: Bliss Virus

The Bliss virus is currently a Linux binary-infecting virus.
Unfortunately, please do not feel you're safe.

The author has stated that his code runs "fine" on Sun Solaris and SunOS,
as he used little Linux-specific code. I don't know if the source code
for this is available, although I do know that it is being disassembled
as we speak.

I might also add that I tested it on FreeBSD, running an infected Linux
binary via Linux emulation. This test proved that even the Linux strain
can infect FreeBSD machines with emulation.

One final note:
I discovered accidentally (on my test network) that this virus
will send itself OVER THE NETWORK. It works with trust relationships in a
similar way to how the Internet Worm of almost ten years ago did (doesn't it
feel like yesterday?). Thus a virus like this will simply reinfect a
machine (via the network) when it is cleaned. This is much more serious
than simple PC viruses which require you to clean floppies.

Apparently, it scans /etc/hosts.equiv. If it finds hosts which
the local site treats as equivalent, it tries them, in hopes that they
consider the local host equivalent. It will infect via scp (secure shell
copy) if possible, as well as standard methods (rcp). Be very careful if
you test this.

Seeing the possibilities of a virus such as this distributed in
binary form is distressing to me. It would be possible, once a machine
is infected, to use that system WITHOUT THE USER'S CONSENT to capture
passwords (Ethernet sniffing, anyone?). Once the passwords are captured,
attempt to infect the remote machine. I would bet that within days, a
virus that did the above could render the Internet unusable, as the
Internet worm did. The only "difficult" part would be to distribute a
script along with it which selected between Solaris, SunOS, AIX, A/UX,
Linux, FreeBSD, OSF/1, and AT&T "strains", and then run the appropriate
executable. In such an attack, the kernel may not even be safe.

Thus, I'm recommending that you re-examine trust relationships
between Unix hosts (and other operating systems for that matter; NT *IS*
POSIX compatible, which means it is capable of running many Unix
packages). Also, consider using switching hubs and/or smart hubs in
"secure" mode (there is usually a mode to scramble all packets not going
to the remote MAC address). I also recommend firewalls, and routine
backups/compares (WITH WRITE PROTECTED TAPES!). While you are at it, make
sure you are running a new sendmail.

Joel Maslak

Caution: When copying and pasting text, work with only a few lines
at a time. If you copy too many lines, you may trigger a bug in the
system, and your window will become unstable.
Pg. 129, "A Practical Guide to the Unix System"
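The message above recommends re-examining /etc/hosts.equiv trust relationships, since the virus is said to walk them and try hosts that may trust the local machine back. The following audit script is an added example, not code from the mail or from Bliss itself: it parses hosts.equiv-style files (assumed classic BSD "host [user]" format with "+", "-host" and "+@netgroup" entries), flags wildcard and netgroup trust, and lists host pairs that trust each other, which is exactly the reinfection path Joel describes. The three host files are constructed sample data.

```python
# Added example (not from the original mail). Assumed format is the classic
# BSD hosts.equiv line "host [user]": host may be "+" (any), "-host" (deny)
# or "+@netgroup"; entries are matched in file order, first match wins.

def parse_hosts_equiv(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blanks
        if not line:
            continue
        parts = line.split()
        h, user = parts[0], (parts[1] if len(parts) > 1 else None)
        name = "+" if h == "+" else h.lstrip("+-")   # netgroups become "@name"
        entries.append((name, user, h.startswith("-")))   # (host, user, deny)
    return entries

def audit(entries):
    """Flag entries that trust far more than one named host."""
    findings = []
    for host, user, deny in entries:
        if deny:
            continue
        if host == "+":
            findings.append("wildcard host: every host is trusted")
        elif host.startswith("@"):
            findings.append(f"netgroup {host[1:]} trusted as a whole")
        if user == "+":
            findings.append(f"{host}: any remote user accepted")
    return findings

def trusted_hosts(entries, all_hosts):
    """Hosts a file trusts among all_hosts; netgroups are left to audit()."""
    out = set()
    for cand in all_hosts:
        for host, _user, deny in entries:
            if host in ("+", cand):
                if not deny:
                    out.add(cand)
                break                                 # first matching entry wins
    return out

def reciprocal_pairs(files):
    """Pairs of hosts that trust each other: the reinfection path in the mail."""
    hosts = sorted(files)
    trusts = {h: trusted_hosts(parse_hosts_equiv(files[h]), hosts) for h in hosts}
    return {(a, b) for a in hosts for b in hosts
            if a < b and b in trusts[a] and a in trusts[b]}

SAMPLE_FILES = {  # constructed hosts.equiv contents for three lab hosts
    "alpha": "beta\ngamma root\n",
    "beta": "-gamma\n+\n",          # denies gamma, then trusts everyone else
    "gamma": "alpha\n+@lab\n",
}
```

Run `reciprocal_pairs(SAMPLE_FILES)` to see which machine pairs would reinfect each other, and `audit(parse_hosts_equiv(text))` on each real file to spot wildcard or netgroup trust that the pair check cannot resolve offline.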