Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: spaf@cs.purdue.edu (Gene Spafford)
Newsgroups: comp.virus
Subject: Unix viruses (UNIX)
Message-ID: <0010.9104101917.AA00785@ubu.cert.sei.cmu.edu>
Date: 10 Apr 91 17:23:58 GMT
Sender: Virus Discussion List
Lines: 90
Approved: krvw@sei.cmu.edu

First of all, Unix viruses are definitely possible, and they aren't all that difficult to write. See the articles in the Spring 1989 issue of "Computing Systems" (Usenix, 2(2)). Tom Duff describes his experience with writing a machine code version, and he and Doug McIlroy discuss shell viruses too. As I remember (my copy of the issue is out on loan right now), McIlroy has some comments on why Unix viruses aren't all that interesting.

If you accept Cohen's formal definition of a virus (roughly stated as "code that makes a (possibly modified) copy of itself in another program") as most of us do, then Ken Thompson wrote perhaps the first Unix virus in his login/cc combination; see "Reflections on Trusting Trust" in the August 84 issue of Communications of the ACM, 27(8).

(BTW, Cohen did not write the first virus; I see so many people claim this (incorrectly) in their writings. Cohen gets the credit for first describing them in a formal way. However, there is evidence of viruses as we know them appearing 2 years before Fred started his thesis work, and Thompson's work also predates Fred's. Furthermore, Fred did not coin the name "virus" -- his advisor Len Adelman suggested it. Even that is not the first use of the term -- see my ADAPSO book, or the excerpts in Hoffman's or Denning's books.)

So, the answer to the question "Is it possible to write a Unix virus?" is a definite "yes." It can easily be done as a shell script, which makes it portable to any form of Unix, or it can be done in machine language, which makes it a little less portable but easier to hide.

The real question here is "How much should we worry about them?" The answer to that is, "Not much."

Viruses under Unix are likely to serve only two purposes: enable an attacker to get root, or vandalize a system. If your system is configured reasonably to audit accesses, and privileged users are careful about booby-trapped files and PATH variables, it is unlikely a virus will give someone root access that they shouldn't have.

Vandalizing a system is more likely. Imagine a virus that would delete all files in your $HOME directory after a certain date! If that spread to a number of executable files, it could be very damaging. Again, if the system is configured reasonably and the superuser is appropriately cautious, then none of the system programs would likely be affected, and thus the damage would be limited. Having good backups means this would be a limited annoyance.

The fear that people have is that a Unix virus could spread to many machines. Unix systems don't normally share removable media and programs in the same manner as PCs, so spreading a virus might be more difficult than on PCs. However, Unix systems in the same administrative domain often get source code installed on all machines from a single point, and files are often shared via networked file systems, so spread is not inconceivable. This would require the virus writer to defeat what should be common security practices in order to infect those sources. Prudent administration and regular auditing for integrity changes will prevent this kind of problem.

Widespread infection of Unix machines is very unlikely except in cases where sys admins regularly install binaries or programs from outside sources without examining them. That could cause widespread virus propagation. (Before you say you don't do this, ask if you are running emacs or gcc -- when was the last time you read through all the code for the program and libraries before installing them?) However, in a case like this, it is more likely that the same goals could be accomplished with less effort by just building in some form of logic bomb or Trojan Horse mechanism and be done with it. Again, some prudent administration and regular integrity auditing would spot changes before much damage would occur.

Overall, I'm pretty certain that we have little reason to fear Unix viruses on properly configured systems where the sys admin is a little bit cautious and takes proper precautions. The structure of the system and the normal patterns of use indicate that anyone with a particular agenda that might be satisfied with a virus is more likely to use some other mechanism (worm, logic bomb, cracking) instead.

Warning! Shameless plug follows....:-)

If you want further information on how to protect against viruses, Trojan Horses, and more in the Unix environment, consider getting a copy of "Practical Unix Security" by Simson Garfinkel and me. It's published by O'Reilly & Associates (the Nutshell Handbook & X Windows reference people), and is due out in mid-May. It's about 500 pages, 19 chapters, and 5 appendices of information on Unix security, including programmed threats, network security, and much more. The book will be $29.95, and can be ordered at nuts@ora.com, 1-800-338-6887 (US & Canada) or 01-707-829-0515 (Europe).

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu phone: (317) 494-7825
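The two defensive practices the post keeps returning to, regular integrity auditing of installed programs and care with PATH variables, are easy to demonstrate in code. The following is an added example written for this page, not code from Spafford's post or from the book he mentions. It builds a baseline manifest (SHA-256 digest, permission bits and size) for every regular file under a directory, reports files that were added, removed or altered since the baseline, and flags PATH entries in which a booby-trapped program could be planted (relative or empty entries, nonexistent entries, and world-writable directories). It assumes the baseline manifest is produced on a known-clean system and kept where the audited tree cannot alter it (read-only media or another host); the sample files in the demo are constructed for illustration.

```python
"""Minimal integrity audit and PATH hygiene check (added example, not from the post)."""
import hashlib
import os
import stat
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (by relative path) to its digest, mode bits and size.

    Symlinks are skipped: what matters is the content at the link target, which is
    audited under its own path if it lives inside the tree.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
                "size": st.st_size,
            }
    return manifest


def compare_manifests(baseline, current):
    """Return added, removed and modified paths; a mode change alone counts as modified,
    since a newly setuid binary is as alarming as changed contents."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def risky_path_entries(path_value):
    """Flag PATH entries that let someone other than the administrator supply a program."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            # "" and "." both resolve to the current directory, wherever that happens to be
            findings.append((entry, "relative or empty entry (resolves to cwd)"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "does not exist"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
    return findings


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        # Constructed sample tree standing in for a local bin directory.
        bin_dir = Path(d) / "bin"
        bin_dir.mkdir()
        (bin_dir / "hello").write_text("#!/bin/sh\necho hello\n")
        (bin_dir / "hello").chmod(0o755)
        baseline = build_manifest(bin_dir)

        # Simulate tampering: one script changed, one file added.
        (bin_dir / "hello").write_text("#!/bin/sh\n# extra line\necho hello\n")
        (bin_dir / "extra").write_text("x\n")
        print(compare_manifests(baseline, build_manifest(bin_dir)))

        # A PATH containing the current directory and a world-writable directory.
        loose = Path(d) / "loose"
        loose.mkdir()
        os.chmod(loose, 0o777)
        for entry, reason in risky_path_entries(f"/usr/bin:.:{loose}"):
            print(f"PATH entry {entry!r}: {reason}")
```

In practice the manifest would be regenerated from cron and diffed against the stored baseline, with any non-empty "added", "removed" or "modified" list treated as something to investigate before the next installation from an outside source.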