Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mrs@netcom.com (Morgan Schweers)
Newsgroups: comp.virus
Subject: Re: Unix viruses and damaging programs (UNIX)
Message-ID: <0009.9104091351.AA04984@ubu.cert.sei.cmu.edu>
Date: 8 Apr 91 08:44:00 GMT
Sender: Virus Discussion List
Lines: 56
Approved: krvw@sei.cmu.edu

Greetings,

A few words on "Unix" viruses... As far as I can tell they are not very likely.

First off, the 'kernel' is *NOT* comparable to COMMAND.COM... The kernel is more comparable to IBMBIO.COM and IBMDOS.COM. The '?sh' programs are more comparable to COMMAND.COM.

If you are to assume that 'root' has been breached, then you are in trouble already. If a person breaches 'root', they are much less likely to install a virus than to install a trapdoor (patching login.c) or such. The reasons are manifold... A few reasons would be that

1) the executable file format is (as far as I know, anyone care to correct me?) not as available.
2) REAL security (as in, file-level access) is implemented in Unix. This means that a non-prived person can't modify (usually) a prived program.
3) Most viruses exist from the binary level, so far. This is difficult to 'spread' since many machines can be running Unix, but not be binary compatible. That generally explains why a virus won't spread too far.

Now let me take the other side... I've seen (yes, SEEN) a 'worm' under Unix that can be very unfortunate. The example in particular that I saw involved the PATH statement of most people's .login's, and the fact that many people put '.' first in their PATH. Thus, say you 'cd' to a directory, and do an 'ls', and there is an 'ls' program in their directory... Well, you get the idea. It was substantially more complicated than that, but that's the basic idea.

*THIS* (and silly other security precautions, like proper passwording (or shadowing, or any of the other miscellaneous topics)) is far more important to deal with than worrying about viruses under Unix. Under MS-DOS, it's not possible to close all the security holes without throwing out the OS and starting anew. Under Unix, the features are there and it's just a matter of implementing them. The same is true of most multi-user OS's. If it's made to provide separation between users, then it's magnitudes harder to write a successful virus.

One final note... I believe it has been done by one Fred Cohen, but I never learned the details of his experiment. However, the likelihood of it spreading *OFFSITE* is virtually nil, which means your likelihood of getting it is equivalent.

I'm *NOT* a Unix guru, however. I'd *VERY MUCH* like people to correct me on matters of fact.

-- Morgan Schweers

P.S. It has been pointed out to me that it is possible to spread a BSI over a BBS if it's done on purpose. I apologize. Anything is possible if it's done on purpose. What I meant to say is getting a BSI off a BBS is far less likely than getting a file infector, and that's a pretty small chance anyway.

+------------------ I don't speak for my company, since my company doesn't do Unix work. I do, and I love it, but I don't get paid for it, so there. -- mrs@netcom.com ------------------+
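A defender's check for the PATH weakness the post describes, added here as an example in POSIX sh (it is not code from the original post): it flags '.', empty and relative PATH entries, all of which resolve against whatever directory the user happens to be in, and builds a copy of PATH with those entries dropped. The function names audit_path and sanitize_path are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a PATH value for entries
# that let a planted 'ls' in an untrusted directory shadow /bin/ls: a literal
# '.', an empty field (also means "current directory"), or any relative path.

# audit_path PATHVALUE
#   Prints one line per risky entry; returns 1 if any were found, else 0.
audit_path() {
    remaining="$1:"          # trailing ':' so a final empty field is seen too
    rc=0
    while [ -n "$remaining" ]; do
        entry="${remaining%%:*}"
        remaining="${remaining#*:}"
        case "$entry" in
            "")  echo "empty entry (means current directory)"; rc=1 ;;
            ".") echo "'.' entry (current directory)"; rc=1 ;;
            /*)  : ;;        # absolute path: not the weakness under discussion
            *)   echo "relative entry '$entry' (resolved against current directory)"; rc=1 ;;
        esac
    done
    return $rc
}

# sanitize_path PATHVALUE
#   Echoes PATHVALUE with '.', empty and relative entries removed, order kept.
sanitize_path() {
    remaining="$1:"
    out=""
    while [ -n "$remaining" ]; do
        entry="${remaining%%:*}"
        remaining="${remaining#*:}"
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
            *)  : ;;         # drop anything that is not an absolute path
        esac
    done
    printf '%s\n' "$out"
}

# When run directly, report on the calling shell's own PATH.
audit_path "$PATH" && echo "PATH: no current-directory or relative entries"
```

A login script can apply the same idea by exporting `PATH=$(sanitize_path "$PATH")`, which keeps the order the user chose but removes the entries that make a stray `ls` in a shared directory take precedence over the system one.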