
Crossplatform virus - the latest proof of concept

Anti-virus company Kaspersky Lab reports that a new cross-platform virus is in the proof-of-concept stage of development. The possibility of this type of code spreading widely is not addressed.

"We’ve received a new sample: another cross platform virus. This sample is the latest attempt to create malicious code which will infect both Linux and Win32 systems. It’s therefore been given a double name: Virus.Linux.Bi.a / Virus.Win32.Bi.a

The virus is written in assembler and is relatively simple: it only infects files in the current directory. However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows - ELF and PE format files respectively. To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file."
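The report says the ELF infection places the virus body between the ELF header and ".text" and changes the entry point. As an added example (not code from LWN or Kaspersky), this Python check flags user-writable ELF files in a directory whose entry point lies outside ".text"; the function names and the sample image built by build_sample() are constructed for illustration.

```python
import os
import struct

# Per EI_CLASS: (ELF header layout, section header layout), without byte order.
LAYOUTS = {1: ("16sHHIIIIIHHHHHH", "10I"),         # ELF32
           2: ("16sHHIQQQIHHHHHH", "IIQQQQIIQQ")}  # ELF64


def check_entry_point(data):
    """Return 'not-elf', 'no-sections', 'no-text', 'ok' or 'suspicious'."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] not in LAYOUTS:
        return "not-elf"
    order = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    ehdr_fmt, shdr_fmt = (order + f for f in LAYOUTS[data[4]])
    if len(data) < struct.calcsize(ehdr_fmt):
        return "not-elf"
    eh = struct.unpack_from(ehdr_fmt, data)
    e_entry, e_shoff = eh[4], eh[6]
    e_shentsize, e_shnum, e_shstrndx = eh[11], eh[12], eh[13]
    if not e_shoff or not e_shnum or e_shstrndx >= e_shnum:
        return "no-sections"                       # stripped: check not applicable
    if (e_shentsize < struct.calcsize(shdr_fmt)
            or e_shoff + e_shnum * e_shentsize > len(data)):
        return "no-sections"                       # truncated section table
    sections = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    # Tuple fields used below: 0 = sh_name, 3 = sh_addr, 4 = sh_offset, 5 = sh_size
    names_off, names_len = sections[e_shstrndx][4], sections[e_shstrndx][5]
    names = data[names_off:names_off + names_len]
    for sh in sections:
        if names[sh[0]:].split(b"\0", 1)[0] == b".text":
            start, size = sh[3], sh[5]
            return "ok" if start <= e_entry < start + size else "suspicious"
    return "no-text"


def scan_directory(path="."):
    """Return {filename: verdict} for ELF files in `path` the current user can write."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False) and os.access(entry.path, os.W_OK):
            with open(entry.path, "rb") as fh:
                verdict = check_entry_point(fh.read())
            if verdict != "not-elf":
                results[entry.name] = verdict
    return results


def build_sample(entry):
    """Constructed minimal ELF32 image: .text at 0x08048100, 0x40 bytes long."""
    shstrtab = b"\0.text\0.shstrtab\0"
    text = b"\x90" * 0x40
    text_off = 52                                  # right after the ELF32 header
    str_off = text_off + len(text)
    shoff = str_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\0" * 9
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, entry, 0, shoff,
                       0, 52, 0, 0, 40, 3, 2)
    sh_null = struct.pack("<10I", *([0] * 10))
    sh_text = struct.pack("<10I", 1, 1, 6, 0x08048100, text_off, len(text),
                          0, 0, 16, 0)
    sh_str = struct.pack("<10I", 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + text + shstrtab + sh_null + sh_text + sh_str


if __name__ == "__main__":
    for name, verdict in sorted(scan_directory(".").items()):
        print(f"{verdict:12} {name}")
```

This is a heuristic: packed binaries can legitimately start outside ".text", and files with no section table return 'no-sections' rather than a verdict.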


Crossplatform virus - the latest proof of concept

Posted Apr 8, 2006 15:30 UTC (Sat) by aleXXX (subscriber, #2742) [Link] (11 responses)

Hmm, if I'm logged in as normal user, which ELF file should it effect ?

Alex

Crossplatform virus - the latest proof of concept

Posted Apr 8, 2006 17:50 UTC (Sat) by nix (subscriber, #2304) [Link] (1 responses)

Any writable ones in the current directory.

Hence, net effect unless you run untrusted code as root, nil.

Crossplatform virus - the latest proof of concept

Posted Apr 8, 2006 23:49 UTC (Sat) by smoogen (subscriber, #97) [Link]

Which happens a lot on some systems. Download some tools, compile them, put them in your ~/bin/ because you don't have root access. Or if your OS follows the Mac paradigm for installing software.. it is installed in your tree etc. Now you may not hurt someone else.. but these days viruses really aren't into breaking systems unless you are being ransomed. The real money is getting all those .doc/.swx /.abi documents and everything in ~/.gnucash to your friendly neighborhood extortionist.

Crossplatform virus - the latest proof of concept

Posted Apr 9, 2006 10:19 UTC (Sun) by dwmw2 (subscriber, #2063) [Link] (8 responses)

AFAIK it doesn't effect any files -- it only affects existing ELF files, if they're writable by the infected user.

But it's a proof of concept -- I suppose it _could_ be made to effect files in ~/bin which override system binaries. But that's not necessarily going to get it very far because they would generally only affect the user who's already infected.

Crossplatform virus - the latest proof of concept

Posted Apr 9, 2006 22:06 UTC (Sun) by jwb (guest, #15467) [Link] (7 responses)

What twisted distribution puts ~/bin in the path? It certainly isn't in my path.

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 11:34 UTC (Mon) by NAR (subscriber, #1313) [Link] (6 responses)

> What twisted distribution puts ~/bin in the path?

Debian. And actually this seems sane - I personally don't like to type ~/bin in front of each script that I'd like to run.

Bye,NAR

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 12:03 UTC (Mon) by tomas2 (guest, #37038) [Link] (5 responses)

Hmmm... Since when?
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games

cat /etc/debian_version
3.1

Tomas

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 12:11 UTC (Mon) by NAR (subscriber, #1313) [Link] (4 responses)

Check /etc/skel/.bash_profile.

Bye,NAR

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 12:31 UTC (Mon) by tomas2 (guest, #37038) [Link] (3 responses)

<copy-paste>
# set PATH so it includes user's private bin if it exists
#if [ -d ~/bin ] ; then
# PATH=~/bin:"${PATH}"
#fi
</copy-paste>

So, it's commented out, and I think this is the default, at least in Sarge?
(I'm sure I haven't changed the file myself)

Tomas

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 12:46 UTC (Mon) by AAP (guest, #721) [Link]

Yes, IIRC, it's commented out, but it seems to me that it wouldn't be that unusual for someone to uncomment it.

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 19:00 UTC (Mon) by NAR (subscriber, #1313) [Link] (1 responses)

Maybe the local administrator modified the skeleton files. But I still think it's a sane default.

Bye,NAR

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 19:54 UTC (Mon) by tomas2 (guest, #37038) [Link]

Well, this is starting to get a little bit OT, but just for the record... :)
On my DeMuDi 1.3.0 box here at home ~/bin is included in the path by default if the directory exists.
DeMuDi 1.3.0 is based on Debian Etch, so either this is the default in Etch, or then the DeMuDi maintainer agrees with you that this is a sane default :) I personally think that the sane default is to have those lines commented out, and let root decide if he/she wants to change the default for all users or not, but maybe that's just me.

I didn't find anything about this in the Debian changelog, (maybe I didn't look carefully enough) and there is no DeMuDi changelog in /usr/share/doc/bash/

The system is DeMuDi 1.3.0, with a few packages installed from Debian Etch.
apt-cache policy bash says that the installed bash version is 3.1-2, and it's installed from DeMuDi (not Debian).

So, I don't know for sure about pure Debian Etch, but at least in DeMuDi 1.3.0 the default indeed is to include ~/bin in the path.

Tomas (/back to lurking mode, sorry for the noise guys :))
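The sub-thread above turns on whether ~/bin is on the PATH and whether files there could override system binaries. As an added example (not part of any comment and not LWN's code), this Python audit lists executables under a home directory that win PATH lookup over a same-named command in a later PATH directory; the function names are hypothetical.

```python
import os


def is_exec(path):
    """True if `path` is a regular file the current user may execute."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def shadowed_commands(path_value, home):
    """Return (name, shadowing_file, shadowed_file) tuples, in PATH order, for
    every executable under `home` that wins PATH lookup over a later directory."""
    home = os.path.realpath(home)
    # Resolve symlinks and drop empty and duplicate entries, keeping PATH order.
    dirs = list(dict.fromkeys(
        os.path.realpath(d) for d in path_value.split(os.pathsep) if d))
    findings = []
    for i, d in enumerate(dirs):
        # Only directories inside the home tree (such as ~/bin) are of interest.
        if not os.path.isdir(d) or os.path.commonpath([home, d]) != home:
            continue
        for name in sorted(os.listdir(d)):
            mine = os.path.join(d, name)
            if not is_exec(mine):
                continue
            if any(is_exec(os.path.join(e, name)) for e in dirs[:i]):
                continue  # an earlier directory already wins; this copy never runs
            for later in dirs[i + 1:]:
                theirs = os.path.join(later, name)
                if is_exec(theirs):
                    findings.append((name, mine, theirs))
                    break
    return findings


if __name__ == "__main__":
    hits = shadowed_commands(os.environ.get("PATH", ""), os.path.expanduser("~"))
    for name, mine, theirs in hits:
        print(f"{name}: {mine} runs instead of {theirs}")
```

An empty result with ~/bin placed after the system directories is expected: a copy there can only add commands, not replace existing ones.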

Crossplatform virus - the latest proof of concept

Posted Apr 8, 2006 15:57 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

A previous proof of concept: http://www.symantec.com/avcenter/venc/data/w32.peelf.2132...

(more than 5 years old by now)

(This is one of the first hits in google for "win32 elf")

big deal

Posted Apr 8, 2006 17:12 UTC (Sat) by JoeBuck (subscriber, #2330) [Link] (20 responses)

And virus companies can hire someone to write a "triple threat" "virus", one that will infect x86 Mac executables as well, provided that a user can be fooled into running the thing. It's just not significant.

I suppose when one of these things gets polished enough to release in the wild, the virus company with the best ties to the black hat who created the virus will have a competitive advantage. That's an issue that needs investigation.

big deal

Posted Apr 8, 2006 17:51 UTC (Sat) by nix (subscriber, #2304) [Link]

They get to bloat their `viruses detected' counts a bit more this way, too.

unlikely

Posted Apr 8, 2006 18:56 UTC (Sat) by copsewood (subscriber, #199) [Link] (2 responses)

AV researchers obviously have an interest in seeing what black
hats can do before the latter release viruses into the wild.
However, cooperating beyond this level of passive observation,
e.g. by offering incentives of any kind to get blackhats to
write viruses would, if ever found out, result in much
too great a loss of reputation with their customers on
which the anti-virus business is based to be worth any
competitive advantage that might otherwise have resulted. Would
you ever buy anti-virus products from a company that you knew
had cooperated with black hats to the point of offering
incentives to them ? How could you trust such products not
to do bad and deceptive things on your system if the
ethics of the AV vendor had been compromised in this way ?

If your answers, like mine are no and you couldn't, then don't
imagine the legitimate AV community hasn't already thought
about this issue with the greatest of care.

unlikely

Posted Apr 9, 2006 23:06 UTC (Sun) by Tashlan (guest, #17277) [Link] (1 responses)

While not exactly what you are arguing, the AV vendors' lack of response to Sony's Rootkit comes to mind.

Sony root kit and Back Orifice

Posted Apr 10, 2006 9:13 UTC (Mon) by copsewood (subscriber, #199) [Link]

They have enough trouble keeping up with malware supplied by cracker-culture conformant black hats. When people who look like white hats suddenly behaved like black hats this exploited a blind spot which got such malware under the AV radar for a while. This is not an entirely new problem for the AV community. What is the difference between remote control programs which are malware (e.g. Back Orifice) and those which are legitimate but very unobtrusive to the machine being remotely controlled in normal use ? I think the best answer I can give to this is based on the assumed intentions of the suppliers of such products. This criterion is also going to be very unsatisfactory from the POV of the AV community, who would naturally want to be able to use less subjective criteria, but what alternatives do they have ? This kind of problem is why Windows AV or Linux rootkit scanners can only ever be a small part of an overall security solution.

big deal

Posted Apr 8, 2006 23:09 UTC (Sat) by sbergman27 (guest, #10767) [Link] (15 responses)

It'll work, too. Remember when Linspire started offering an anti-virus product via Click'n run? They had to offer something, since their users were demanding it. As everyone knows, the *first* thing involved in internet security is running good anti-virus software. (I mean, *everybody* who is computer savvy knows that! Right?)

If you run a computer, then you're gonna have computer viruses. (And AdWare and SpyWare and whatever else the victims will agree to stomach without fleeing the platform.) That's just a fact of life in this new technologically advanced world and you have to be ready for them.

It would never occur to most people who got started off on Windows that it is possible for a platform to be resistant to security threats in the first place. (Their computer geek nephew confirms this.)

The media (and don't forget the computer geek nephew) has been too thorough in its reporting of computer viruses for them to think otherwise.

God save us from ignorance masquerading as wisdom!

big deal

Posted Apr 8, 2006 23:59 UTC (Sat) by smoogen (subscriber, #97) [Link] (8 responses)

Having installed anti-virus software is a requirement in so many procedures, I lost count. There were several times where someone would tell me we couldn't run Linux on a machine because it didn't have anti-virus software available. Thankfully that falls by the wayside when one can get clamav or similar tools

big deal

Posted Apr 9, 2006 2:48 UTC (Sun) by lutchann (subscriber, #8872) [Link] (4 responses)

It's also required by my liability insurance, which isn't surprising. I'm sure that's to reduce the risk of me being unable to meet contractual obligations for a client due to a virus infection that destroys data, ties up my time fixing things, etc.

The more surprising requirement for the insurance was to maintain a firewall that not only blocks unauthorized inbound connections but unauthorized outbound connections from both servers and workstations. Since that's how all my internal networks are already set up it wasn't a big deal for me, but it was nice to see my insurer paying attention to things like that.

egress filtering?

Posted Apr 9, 2006 23:21 UTC (Sun) by man_ls (guest, #15091) [Link] (3 responses)

You block unauthorized outbound connections? This means that you have to "authorize" outbound connections to every new port? For me this is a waste of time; malware can connect via port 80 to whatever server it wants, and I may want to connect to remote ports for new protocols, server administration, etc. My internal networks are definitely not set up like that.

egress filtering? yes!

Posted Apr 11, 2006 15:51 UTC (Tue) by lutchann (subscriber, #8872) [Link] (2 responses)

You're right, which is why I don't allow connections via port 80 to just any server. All allowed outbound connections from my internal networks are fully specified by source host, destination host and destination port; for the most part this is limited to allowing only connections to a client's servers or VPN endpoint, plus my local DNS and NTP servers. This reasonably well isolates all my internal networks from each other and the Internet, which conveniently solves a lot of problems that IT departments tend to bring up when you request VPN access to their network.

a bit excessive

Posted Apr 11, 2006 16:06 UTC (Tue) by man_ls (guest, #15091) [Link] (1 responses)

So, what do you do when you have a problem in the network and need to look something up on the web?

a bit excessive

Posted Apr 11, 2006 16:34 UTC (Tue) by lutchann (subscriber, #8872) [Link]

I have other networks here besides those I consider "internal"--everything with Internet access is in a DMZ-type network, so laptop+wireless works fine for web and IM. But from the perspective of the internal networks where all the real work goes on, the DMZ is as untrustworthy as the open Internet.

McAfee makes a Linux AV product

Posted Apr 9, 2006 22:31 UTC (Sun) by pr1268 (guest, #24648) [Link] (2 responses)

Being a University student, I get the privilege of using the campus-wide license for McAfee Antivirus. Since I only use Linux, I was thrilled to discover that not only does McAfee make a Unix version (works on Linux, FreeBSD, HP-UX, AIX, and Solaris), but also that the University I attend provides this version alongside their Windows/Mac offering.

I suppose the only down side is that this is presumably a corporate/enterprise version. It's not like I could walk into $COMMERCIAL_RETAILER and pick up a Linux copy... :-(

McAfee makes a Linux AV product

Posted Apr 10, 2006 15:49 UTC (Mon) by rickmoen (subscriber, #6943) [Link] (1 responses)

pr1268 wrote:

> Being a University student, I get the privilege of using the campus-wide license for McAfee Antivirus. Since I only use Linux, I was thrilled to discover that not only does McAfee make a Unix version (works on Linux, FreeBSD, HP-UX, AIX, and Solaris), but also that the University I attend provides this version alongside their Windows/Mac offering.
>
> I suppose the only down side is that this is presumably a corporate/enterprise version. It's not like I could walk into $COMMERCIAL_RETAILER and pick up a Linux copy... :-(

Something for you to ponder: One of the glories of running Linux is that you can avoid the need to run unauditable code with significant privilege (and can avoid running it at all, in many cases).

But here, you're pretty much proposing to run with root-user authority a proprietary, binary codebase from a proprietary-software vendor whose business integrity, along with almost all of its competitors, is already specifically subject to question, concerning the Sony rootkit scandal (a point Schneier made quite eloquently, at the time). And you're thrilled about this? Me, I'd go to great lengths to avoid exercising that option.

Rick Moen
rick@linuxmafia.com

McAfee makes a Linux AV product

Posted Apr 11, 2006 0:50 UTC (Tue) by drag (guest, #31333) [Link]

Exactly!

All of these products seem to me to have a proven security track record.. A bad track record, that is.

These things have opened up holes in root in the past for potential attackers.

If I worked somewhere that required certain types of anti-virus stuff to be installed, I'd install it... in a chroot'd environment separate from everything else and do my best to figure out how to make it work as a regular user through trickery or some VM or whatnot so that I could have it functional, yet separate.

Although I doubt that would be too popular among management...

In light of the threats that viruses can pose I think that Gnome and KDE should look at integrating open source, passive, antivirus protection.

Things like having email scanning with Evolution similar to how it supports anti-spam scanning. Files being downloaded could be then scanned.

Or maybe integrate it with the FAM support so that files being added to the home directory will be scanned automatically irregardless of their source. I don't think that this should be hard to do and ClamAV will probably work very well.

This should, I figure, be optional and turned off by default.

This should provide assurance to new users and also prevent situations where Linux user "A" finds funny picture and text and sends it to Linux user "B". Linux user "B" thinks it's funny and sends it to Windows user "C". Windows user "C" then becomes infected from virus sent to them from Linux user A and B, which then goes on to infect everybody else's windows PC including customer's. Of course the virus doesn't affect the Linux users at all, but that's not really that wonderful that they sent a Windows user an attachment that does.

big deal

Posted Apr 9, 2006 6:18 UTC (Sun) by cate (subscriber, #1359) [Link] (2 responses)

Are not chkrootkit and rkhunter our ''antivirus'' ?

not enough to say you're just the messenger

Posted Apr 9, 2006 16:01 UTC (Sun) by copsewood (subscriber, #199) [Link]

Yes and ClamAV. It's not enough for a platform just to prevent threats to itself directly, unless it's only a client/desktop/workstation. If a Linux/Unix installation is used as a mail server, file server or router to relay and replicate (e.g. as in list email) messages sent between less well secured systems, then those like myself who are responsible for these servers need to take steps to avoid these being a part of the malware transmission problem even if we are just the messenger and not the sender. In principle this is very much the same kind of issue as applies to those running open mail relays which are not originating spam, but which by relaying and replicating it are disguising the origins of it and making the problem worse for the recipients. If one of my Mailman email lists receives a virus and replicates it, this is part of my problem, even if the virus is incapable of executing on my Linux server.

The same argument also applies to those responsible for routers which are carrying impossible source network addresses within IP packets used to carry out DDOS attacks to disguise the zombies responsible.

If handed a lemon, make lemonade

Posted Apr 10, 2006 15:33 UTC (Mon) by rickmoen (subscriber, #6943) [Link]

cate wrote:

> Are not chkrootkit and rkhunter our ''antivirus''?

They are -- and the characteristics that make them so are the reason I've long advised people that they're in deep trouble if they use such things as anything but an afterthought double-check of separate, primary measures.

The best answer to any (e.g.) manager who wants you to run "antiviral" software on Linux/BSD/etc. is that you already are -- and point to your setup of AIDE, Samhain, Prelude-IDS, or your other preferred flavour of file-based IDS. You needn't mention that such aren't exactly what they had in mind, but in fact are a lot more useful. What they don't know won't hurt them, and will help you.

Rick Moen
rick@linuxmafia.com

big deal

Posted Apr 10, 2006 8:53 UTC (Mon) by NAR (subscriber, #1313) [Link] (1 responses)

> It would never occur to most people who got started off on Windows that it is possible for a platform to be resistant to security threats in the first place.

Yes, it's possible. Theoretically. Well, probably there are actual platforms out there without any exploits in the wild, but who would care to write a virus for VMS, that 10 sites that still use it doesn't justify the effort. I think Linux is still not that widespread to make it a popular target, but I seem to remember a Linux-specific worm reported here at LWN last year. And don't forget that the very first Internet worm was a UNIX-specific one abusing a bug in sendmail... I think it wouldn't be wise to believe that "I'm using Linux, therefore I'm safe".

Bye,NAR

Linux virii

Posted Apr 10, 2006 11:53 UTC (Mon) by man_ls (guest, #15091) [Link]

Nor is it wise to start shopping for an antivirus, just because Linux virii are theoretically possible. There are many good practices in security which should protect you better.

big deal

Posted Apr 10, 2006 16:25 UTC (Mon) by carcassonne (guest, #31569) [Link]

> If you run a computer, then you're gonna have computer viruses.

I use Linux (SuSE 9.3/10.0) and do not run any anti-virus of any kind.

And I use Firefox and get e-mail with kontact. I sometimes download source code from reputable GNU sites.

Do you mean that my computer is de facto infected ?

Do you have the web pages/documents describing in ample details how such a Linux system is de facto infected ?

Thanks for the information !

Crossplatform virus - the latest proof of concept

Posted Apr 9, 2006 16:44 UTC (Sun) by Sombrio (guest, #26942) [Link] (5 responses)

It's about time that Linux became mainstream enough that people will finally start writing viruses for it. :) I guess I will have to start paying more attention to Hurd.

Crossplatform virus - the latest proof of concept

Posted Apr 9, 2006 20:41 UTC (Sun) by hazelsct (guest, #3659) [Link] (4 responses)

Indeed, or FreeBSD. Debian can work with all three.

Not to mention GNOME/KDE/XFce/GNUStep, Firefox/Konqueror/Epiphany, Thunderbird/KMail/Evolution, .deb/.rpm, etc. There's no monoculture in "Linux" (except arguably glibc across Debian), so no single attack vector will work everywhere. We have security by diversity.

Interesting that they can get a single file to run on both Win32 and GNU/Linux, but not very important.

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 9:40 UTC (Mon) by anLWNreader (guest, #36915) [Link] (1 responses)

It will run fine on BSD and GNU too, so no point in switching.

Crossplatform virus - can't touch non-x86

Posted Apr 11, 2006 19:35 UTC (Tue) by hazelsct (guest, #3659) [Link]

Okay, then switch to PowerPC, Alpha, or any of the other 8 Debian platforms, where *zero* of the x86 ELF binaries and buffer overflow exploits will run. Honeypots running Linux on Sparc with multiple known vulnerabilities have had years of uncompromised uptime.

Again, security in diversity. No proprietary alternative comes anywhere near us.

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 15:09 UTC (Mon) by tzafrir (subscriber, #11501) [Link] (1 responses)

Now, how difficult would it be to write a portable file infector for #! scripts?

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 20:33 UTC (Mon) by micampe (guest, #4384) [Link]

Do you think a Python script could suffice?

Wrong character set

Posted Apr 10, 2006 2:15 UTC (Mon) by pjm (guest, #2080) [Link]

http://lwn.net/ claims to be in iso-8859-1:

<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
yet this quotation uses characters that don't exist in that character set (0x92, 0x93, 0x94), apparently from the Windows-1252 charset.

Please try to make content in the correct character set. The `tidy' program can change the encoding of some HTML (see the ‘-win1252’ option).

You may find it useful to change lwn's charset (in the header) from iso-8859-1 to utf-8 or windows-1252.

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 16:44 UTC (Mon) by carcassonne (guest, #31569) [Link] (3 responses)

I thought that .exe/.com files cannot run in a ext2/3/reiserfs filesystem.

And vice-versa.

Do they provide both .exe and ext3 executable in one virus package ?

Someone care to explain ?

Crossplatform virus - the latest proof of concept

Posted Apr 10, 2006 20:33 UTC (Mon) by malignance (guest, #37047) [Link] (2 responses)

>(#179323 by subscriber carcassonne in response to Crossplatform virus -
>the latest proof of concept.)
>
>I thought that .exe/.com files cannot run in a ext2/3/reiserfs
>filesystem.
>
>
>And vice-versa.
>
>Do they provide both .exe and ext3 executable in one virus package ?
>
>Someone care to explain ?

I run a dual boot XP/Debian setup With 1 FAT-32 partition and several ext2
and ext3 partitions, I have a very stripped down windows running on that
FAT-32 Partition and I use EXT2-IFS to mount partitions for my home
directory and my "Program Files". Programs in windows run much faster on
ext2 file systems than on native NTFS or VFAT I wish I could boot from
one, though thus far I am unable. The partition type is irrelevant, if the
partition can be mounted then the file can be read if you're running
something that can run win32 binaries ie. windows, wine. then an infected
win32 binary can infect other binaries(in this case in the same folder),
If you're running something that runs ELF binaries ie. Linux, etc.
the same story. This seems like it will mostly be a problem for those
stealing software on p2p networks, who are running executables in their
shared folder.

Crossplatform virus - the latest proof of concept

Posted Apr 11, 2006 11:50 UTC (Tue) by carcassonne (guest, #31569) [Link] (1 responses)

> The partition type is irrelevant, if the partition can be mounted then the file can be read if you're running something that can run win32 binaries ie. windows, wine. then an infected win32 binary can infect other binaries(in this case in the same folder)

Maybe I'm too technical or practical here, or perhaps I think that anti-virus companies can try to make a buck at Linux, but it seems that the propagation vector of such a dual-platform virus is quite restrained. A Linux virus ? OK. A Windows virus ? certainly. But one that does both ? Must be under certain precise conditions such as, you mentioned, running Wine.

I don't know about Wine since I'm using VMware since many years, but it looks like running Windows exe files directly in Linux is not a good idea to start with. Better run a virtual machine instead.

Some Windows dlls are used in Linux. Like codecs or hardware drivers (Linksys WiFi adapters for instance). These could be infected right at the distributor. Linksys could have infected dlls but that's something quite rare, even today. Companies, especially large, do look after the condition of their binaries.

Now, I wouldn't be surprised that an anti-virus company tries to cash on the general ignorance of Linux systems. Why not ? As more and more people move towards Linux, this is a profitable avenue. These people are used to infested and otherwise unstable Windows environments and do not know much about Linux. A perfect combination for an aspiring anti-virus company ! ;-)

Hopefully, the mandatory bunch of developers moving to Linux (also coming from Windows) won't facilitate the spread of virii and other worms in Linux systems !

Crossplatform virus - the latest proof of concept

Posted Apr 12, 2006 19:33 UTC (Wed) by malignance (guest, #37047) [Link]

>Maybe I'm too technical or practical here, or perhaps I think that
>anti-virus companies can try to make a buck at Linux, but it seems that
>the propagation vector of such a dual-platform virus is quite restrained.
>A Linux virus ? OK. A Windows virus ? certainly. But one that does both ?
>Must be under certain precise conditions such as, you mentioned, running
>Wine.

The propagation vector isn't restrained because of some need for wine.
Wine, Windows, and to a more limited extent Linux in general are
among ways this can spread(anything that can run those two types
binaries). What restricts this particular virus from spreading is the fact
that it only infects binaries in the current directory. Making some moron
who runs His stolen wares in his "My Shared Files" directory Infect all
the binaries in that current directory (running windows or linux).

Running a virtual machine helps If you restrict filesystem access.

The propagation vector will grow dramatically when the infected binaries
can infect binaries in archives and/or in other directories and mounted
file systems. With the use of pre-packaged RPM and DEB binaries becoming
more prevalent, one sys-admin running some game he stole could potentially
infect an entire mirror.

>Now, I wouldn't be surprised that an anti-virus company tries to cash on
>the general ignorance of Linux systems. Why not ? As more and more people
>move towards Linux, this is a profitable avenue. These people are used to
>infested and otherwise unstable Windows environments and do not know much
>about Linux. A perfect combination for an aspiring anti-virus
>company ! ;-)

With all that said I think its safe to assume that Microsoft has the
biggest profit motive in releasing a cross platform virus. (A pure linux
virus I think would have a very limited propagation vector due to the
current state of its userbase, and architecture. Today it needs a windows
host to spread.)


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds