Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 20:33 UTC (Mon) by malignance (guest, #37047)
In reply to: Crossplatform virus - the latest proof of concept by carcassonne
Parent article: Crossplatform virus - the latest proof of concept
>(#179323 by subscriber carcassonne in response to Crossplatform virus -
Crossplatform virus - the latest proof of concept

Posted Apr 11, 2006 11:50 UTC (Tue) by carcassonne (guest, #31569)

>The partition type is irrelevant: if the partition can be mounted then the file can be read. If you're running something that can run win32 binaries (i.e. Windows, Wine), then an infected win32 binary can infect other binaries (in this case in the same folder).

Maybe I'm too technical or practical here, or perhaps I think that anti-virus companies can try to make a buck at Linux, but it seems that the propagation vector of such a dual-platform virus is quite restrained. A Linux virus? OK. A Windows virus? Certainly. But one that does both? Must be under certain precise conditions such as, you mentioned, running Wine.

I don't know about Wine since I've been using VMware for many years, but it looks like running Windows exe files directly in Linux is not a good idea to start with. Better run a virtual machine instead.

Some Windows DLLs are used in Linux, like codecs or hardware drivers (Linksys WiFi adapters for instance). These could be infected right at the distributor. Linksys could have infected DLLs, but that's something quite rare, even today. Companies, especially large ones, do look after the condition of their binaries.

Now, I wouldn't be surprised if an anti-virus company tried to cash in on the general ignorance of Linux systems. Why not? As more and more people move towards Linux, this is a profitable avenue. These people are used to infested and otherwise unstable Windows environments and do not know much about Linux. A perfect combination for an aspiring anti-virus company! ;-)

Hopefully, the mandatory bunch of developers moving to Linux (also coming from Windows) won't facilitate the spread of virii and other worms in Linux systems!
Crossplatform virus - the latest proof of concept

Posted Apr 12, 2006 19:33 UTC (Wed) by malignance (guest, #37047)

>Maybe I'm too technical or practical here, or perhaps I think that
>anti-virus companies can try to make a buck at Linux, but it seems that
>the propagation vector of such a dual-platform virus is quite restrained.
>A Linux virus? OK. A Windows virus? Certainly. But one that does both?
>Must be under certain precise conditions such as, you mentioned, running
>Wine.

The propagation vector isn't restrained because of some need for Wine. Wine, Windows, and to a more limited extent Linux in general are among the ways this can spread (anything that can run those two types of binaries). What restricts this particular virus from spreading is the fact that it only infects binaries in the current directory, making some moron who runs his stolen wares in his "My Shared Files" directory infect all the binaries in that current directory (running Windows or Linux). Running a virtual machine helps if you restrict filesystem access.

The propagation vector will grow dramatically when the infected binaries can infect binaries in archives and/or in other directories and mounted file systems. With the use of pre-packaged RPM and DEB binaries becoming more prevalent, one sys-admin running some game he stole could potentially infect an entire mirror.

>Now, I wouldn't be surprised if an anti-virus company tried to cash in on
>the general ignorance of Linux systems. Why not? As more and more people
>move towards Linux, this is a profitable avenue. These people are used to
>infested and otherwise unstable Windows environments and do not know much
>about Linux. A perfect combination for an aspiring anti-virus
>company! ;-)

With all that said, I think it's safe to assume that Microsoft has the biggest profit motive in releasing a cross-platform virus.

(A pure Linux virus, I think, would have a very limited propagation vector due to the current state of its userbase and architecture. Today it needs a Windows host to spread.)
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.