Path: utzoo!attcan!uunet!cs.utexas.edu!sdd.hp.com!wuarchive!udel!rochester!uhura.cc.rochester.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: re: *NIX virus... necessary knowledge. (UNIX)
Message-ID: <0007.9012122103.AA25390@ubu.cert.sei.cmu.edu>
Date: 11 Dec 90 21:08:57 GMT
Sender: Virus Discussion List
Lines: 30
Approved: krvw@sei.cmu.edu

Jan C. Zawadzki writes that a virus under "*nix" must be "capable of
switching from regular to privileged mode and back without the
knowledge of the os."

I don't think that's correct.  All a virus has to do is:

  - Get (generally from the operating system) a list of files to which
    it can write; choose one or more executables from that list.
  - Read each one to see whether or not it is already infected.
  - If not, do appropriate reads and writes to the file to infect it
    (add a copy of the virus to it, at the start of the execution path).

None of these things requires any sort of special privilege.  Of
course, such a simple "well-behaved" virus won't be able to infect any
files to which the os doesn't give it write access, but THAT'S OK!
Fred Cohen's experiments show that there's enough program-sharing and
enough writeable executables in at least some *nix environments that a
virus can spread very widely very quickly without subverting the os in
any way.

The "viruses need to write directly to the hardware" or "viruses need
to modify the operating system" or "viruses need to subvert
operating-system security" or "viruses need to have special
privileges" stories are all common, and all false*.

DC

* (with the possible exception of some operating systems in which
writing to any executable requires a special privilege; such systems
are quite rare in real life, I think.)
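The first step in the post above, asking the operating system which executables the current user can already write to, is the one a defender can measure directly.  The following is an added example, not part of David Chess's post or of Cohen's experiments: a small audit script that lists executables an unprivileged process could modify, judged from mode bits rather than os.access() (which answers "yes" to everything when run as root), and checks each hit for a marker a simple virus would use to avoid re-infecting a file.  The directory tree, the file names and the marker string are all constructed for the demo and are assumptions, not anything from the original.

```python
"""Audit which executables an unprivileged user could modify.

Added example for the comp.virus post; not code from that post.
The sample tree, file names and MARKER are constructed for the demo.
"""
import os
import stat
import tempfile

# Hypothetical marker a simple virus would leave to avoid double infection.
MARKER = b"#DEMO-INFECTED-MARKER"


def writable_by(st, uid, gids):
    """True if a process with this uid and group set may write the file,
    judged from mode bits alone.  os.access(path, os.W_OK) is not used
    because it returns True for everything when running as root, which
    would hide the real exposure of ordinary users."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def find_writable_executables(dirs, uid=None, gids=None):
    """Regular files with an execute bit that the given identity can write."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    hits = []
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, directories, devices
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not an executable
            if writable_by(st, uid, gids):
                hits.append(path)
    return hits


def already_marked(path, marker=MARKER, window=4096):
    """Step two of the post: read the file to see whether it is already
    infected, here by looking for the marker near the start."""
    with open(path, "rb") as f:
        return marker in f.read(window)


def audit(dirs):
    """Map each writable executable to whether it already carries MARKER."""
    return {p: already_marked(p) for p in find_writable_executables(dirs)}


def build_sample_tree():
    """Constructed sample: a bin directory with a mix of files."""
    root = tempfile.mkdtemp(prefix="exe-audit-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    files = {
        "shared-tool": (b"#!/bin/sh\necho shared\n", 0o777),  # world-writable exe
        "safe-tool": (b"#!/bin/sh\necho safe\n", 0o555),      # exe, no write bits
        "notes.txt": (b"just data\n", 0o666),                 # writable, not exe
        "marked-tool": (b"#!/bin/sh\n" + MARKER + b"\n", 0o775),  # owner-writable, marked
    }
    for name, (body, mode) in files.items():
        p = os.path.join(bindir, name)
        with open(p, "wb") as f:
            f.write(body)
        os.chmod(p, mode)
    return root, bindir


def demo():
    """Build the sample tree and audit it; keys are base names for readability."""
    _root, bindir = build_sample_tree()
    return {os.path.basename(p): marked for p, marked in audit([bindir]).items()}


if __name__ == "__main__":
    for name, marked in sorted(demo().items()):
        print(f"{name}: writable executable, already marked = {marked}")
```

Pointing find_writable_executables() at the directories on a real PATH (or at a shared project's bin directory) shows how much of Cohen's "enough writeable executables" condition holds on a given system; anything it lists can be rewritten by the user running it, with no privilege beyond ordinary file permissions.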