[ LUGOS ] Viruses?

Renato Lukac Renato na s-gms.ms.edus.si
Tue Aug 26 12:30:34 CEST 1997


On Tue, 26 Aug 1997, David Klasinc wrote:

>  Hm, are there already some viruses for Linux? And what are they doing in /tmp? Some little files..
> Does anyone remember anything? :) paranoia is getting to me a bit.. :))
bliss was the oddity that was being talked about back then, and there is something about it in the attachment.
regards, lr

         ,'~`.                                           \\|//
        ( o o ) Window$ is living proof of Murphy's Law -(@ @)-
+--.oooO--(_)--Oooo.-*-*-*-------------------------.oooO--(_)--Oooo.-+
|Renato Lukac       ** * **  |Email:renato na s-gms.ms.edus.si          |
|Gimnazija M.Sobota  G M S   |WWW:http://www.s-gms.ms.edus.si/renato/|
|Slovenija          *******  |Tel.: + 386 / (0)69 / 38-260-106       |
+--------------------------------------------------------------------+

On Fri, 31 Jan 1997, Peter wrote:

> Today I became infected with the bliss virus, any info on this would be
> appreciated!  How do I scan for files infected and is it possible to

Someone sent me a copy of this quite a while back.  Here's an
excerpt from a news posting about it.  I've attached the binary
to this e-mail.

Todd Burroughs



: Well, I couldn't resist ;)
: Believing in my own system I su'ed to nobody and did an strace -f and
: a strings on the binary. It crashed shortly after probing some directories
: and files, and tries to do some rsh's on host.equiv trusted clients
: (we don't use rsh, just ssh, so it failed )

: Here's the trace:
[...cut...]
: Here's the strings output:
[...cut...]

: Anyone who finds out more, please let me know. I'd like to know
: what it does, now that my curiosity has been aroused ;)


I too ran it as 'nobody' and as yourself, watched it fail to do anything and
then get stuck when it couldn't use 'rsh' (we use ssh too)

So... being of curious nature, I tried it out, on a disposable system, running
it as root.


Its behaviour is as follows.

For each directory in your $PATH, whip through it randomly picking executable
files (not just binaries) and prepend the 'bliss' binary to them. Then when 
they are execed, the same thing happens. 


/bin/ls got hit fairly early on, so it spread pretty fast, doing about 10-20
binaries a minute.

The files 'infected':
a) grow by 17892 bytes
b) lose all of their original functionality
c) retain date/time stamp data
d) retain file permissions 
e) are logged to /tmp/.bliss

Links are destroyed.


The 'rsh' part is pretty basic. The routine is titled 'do_worm_stuff', but 
that would appear to be a solid case of self aggrandisement, as all it
does (worm wise) is go through the hosts.equiv and .rhosts and try to
'rsh' to each of those machines as each of the users in /etc/passwd.
A pretty unlikely scenario as nobody in their right mind is going to
use hosts.equiv nowadays.


Disinfection of the test machine was pretty simple, because the log of 
infected files is available. Simply a case of 'cat'ing new copies of the 
binaries into the infected ones, and then adding back any set[ug]id bits that
have been lost.

If you do get infected, remember 
0) do not log any more sessions in.
1) disconnect the network card
2) kill all non-essential processes (killall5 if it's still OK)
3) replace all the binaries in /tmp/.bliss

You could probably script the last one, but it's probably a bit dangerous to
do so.

I still haven't figured out the reference in the 'strings' output to 
/usr/lib/news and /var/spool/news. As far as I can see, no files were 
created or changed in those directories (apart from the news system binaries)

(nothing was added to the mail spool either)
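The disinfection procedure described above, written out as an added example (not the list's or the poster's code). It assumes the /tmp/.bliss log holds one absolute path per line and that clean copies of the binaries have been staged under a directory that mirrors their absolute paths; a file is treated as infected only when it is exactly 17892 bytes larger than its clean copy, is rewritten in place, and then gets its mode bits (set[ug]id included) and timestamps put back.

```python
import os
import shutil
import stat

BLISS_GROWTH = 17892  # size increase the post reports for an infected file


def read_infection_log(log_path):
    """Parse the infection log; assumed format: one absolute path per line."""
    with open(log_path) as fh:
        return [line.strip() for line in fh if line.strip()]


def looks_infected(path, clean):
    """True only when the file is exactly BLISS_GROWTH bytes larger than its clean copy."""
    return os.path.getsize(path) - os.path.getsize(clean) == BLISS_GROWTH


def disinfect(path, clean):
    """Overwrite an infected file in place with the clean bytes.

    Record mode and timestamps first: a write by a non-root owner clears
    set[ug]id bits, which the post says have to be added back by hand.
    """
    before = os.stat(path)
    with open(clean, "rb") as src, open(path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.chmod(path, stat.S_IMODE(before.st_mode))
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))


def restore_from_log(log_path, clean_root):
    """Restore every logged file from <clean_root>/<its absolute path>.

    Returns (restored, skipped); a file is skipped when no clean copy exists
    or the size delta is not the expected growth, so it is left for a human.
    """
    restored, skipped = [], []
    for path in read_infection_log(log_path):
        clean = os.path.join(clean_root, os.path.relpath(path, "/"))
        if os.path.isfile(path) and os.path.isfile(clean) and looks_infected(path, clean):
            disinfect(path, clean)
            restored.append(path)
        else:
            skipped.append(path)
    return restored, skipped
```

Anything the script skips should be compared by hand against a known-good copy rather than restored blindly, which is the caution the post raises about scripting the last step.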
nothinspremljajoci prg
Aleph One seems to have said:
>
> ugh :)
>
> Today I became infected with the bliss virus, any info on this would be
> appreciated!  How do I scan for files infected and is it possible to
> remove it?  I first noticed the infection when running a program (not as
> root) messages flashed on the screen about traversing directories and
> such.  The program (gimp) had been working fine since I downloaded the
> binary for gimp from their main site.  The gimp people told me they have
> not been receiving complaints their binaries are infected, so something
> else must be the source.

        ....

>
> I am presently using this to scan for it in my home dir:
> grep infected /home/peter/**/*(xD/)
> Any help would be great!!!
>
> Rgds,
> Peter.
>
> [mod: It looks as if lots of debugging strings are still in the binary.
> Odd that this "debugging version" would be in the wild.
> Peter, can you verify that it indeed is a virus? Unless it knows of
> ways to become root, you should be safe if you add a new user-account,
> place an infected binary and a few uninfected binaries in that user's
> account. Make sure that you have an unmodified version available for
> comparison.
> On one hand I don't like to approve this until Peter has verified this,
> but on the other hand if there is really a linux-virus on the loose, you
> all would like to hear about it ASAP right? -- REW]

        Peter and all,

        I've forwarded your message and the reply by Todd to
        the Chief AV Researcher at McAfee Associates (the
        premier PC Anti-virus company).

        Jimmy is a friend of mine (I used to be the sysadmin
        there) and has assured me that he will look into it
        first thing in the morning (he's here at my house now).

        This would be the first "live and in-the-wild" Linux
        virus that I've ever heard of -- have I been missing
        something?

        In any event -- McAfee may be able to add this to
        their existing uvscan product.  uvscan scans Linux
        filesystems for DOS and Windows (including Word Macro)
        viruses.   It may be possible for the AV team to
        simply add bliss' signature to the next release -- and
        it may even be possible for them to create a remover.

        However -- the current version of this is almost
        guaranteed not to detect or remove this (unless
        someone at McAfee's AV team discovered this without
        telling the boss).

        I noticed your detection mechanism -- it seems like
        we could add something to the zmagic file to allow
        the stock Linux 'file' command to identify Bliss
        infected binaries.  Then a command like:

                find / -print | { while read i; do
                        file "$i" | grep "Bliss Infected" && \
                        echo "$i"
                        # do something about the infected files
                        done; }

        Would do the trick.  An interim solution would be
        to simply rm all infected files and restore from
        CD or via FTP.

        If you could cut a tape or other backup of your
        system in its infected state it might be of
        interest to the McAfee team.

        Who knows how to update the zmagic file?

        Jimmy has asked me to let everyone on this list
        know that if you want updates on this issue -- or
        if you have further information, please feel free
        to forward it through me or directly to cjkuo na mcafee.com.


        I suppose this would be a great time to recommend
        that more people get and install 'tripwire' and
        cops and that everyone use the 'chattr +i' command to
        help protect their libs and binaries from lame attacks
        such as these.

                tripwire and cops are available at
                the COAST archive at cs.purdue.edu

                Information about using 'chattr' to
                mark your files as immutable is in the
                Linux-Tips HOWTO (actually submitted
                to them by moi).

                Note -- currently the immutable flag under
                ext2fs is of limited security value since
                any root run program that wants to can
                simply chattr it back.  However -- it would
                be effective against crude and lame attacks
                like this one (as described in Todd's excerpt).

                The addition of a BSD-like 'securelevel'
                (which is in the works for the 2.1 kernels)
                will make the "immutable" flag a viable
                security feature.

        A final note:

        This should serve as yet another reminder that we
        must always be aware of the trust that we place in
        the sources for all of our files.

        The fact that a system is a single-user workstation
        should not lull anyone of us into allowing the admin
        of that system to neglect proper ownership and permissions
        conventions.

        Here's a one line script to find any files on your path
        to which you have write access (run this under
        your normal login id).


#! /bin/bash
## find.wx-files
find $(echo "$PATH" | tr : " ") -type f | \
        { while read i; do [ -x "$i" -a -w "$i" ] && ls -l "$i"; done; }

        While doing this I discovered several files that
        were writeable by me in my normal account (I was a
        member of the 'root' group).  Red Hat 3.03 leaves
        a number of X11R6 binaries group writable.

        I've fixed that now (and permissions don't prevail
        over ext2fs attributes anyway).


--
Jim Dennis,                                info na mail.starshine.org
Proprietor,                          consulting na mail.starshine.org
Starshine Technical Services               http://www.starshine.org




