White Paper: Viruses in a Unix world

Users of Unix are wrong in believing that viruses cannot affect them. Respected anti-virus researcher Peter V Radatti outlines...

Users of Unix are wrong in believing that viruses cannot affect them. Respected anti-virus researcher Peter V Radatti outlines the myths, problems and solutions

The existence of the problem and its nature

The problem of software attacks exists in all operating systems. These attacks follow different forms according to the function of the attack. In general, all forms of attack contain a method of self-preservation, which may be propagation or migration and a payload. The most common method of self-preservation in Unix is obscurity. If the program has an obscure name or storage location, then it may avoid detection until after its payload has had the opportunity to execute. Computer worms preserve themselves by migration, while computer viruses use propagation. Trojan horses, logic bombs and time bombs protect themselves by obscurity.

While the hostile algorithms that have captured the general public's imagination are viruses and worms, the more common direct problem on Unix systems are Trojan horses and time bombs. A Trojan horse is a program that appears to be something it is not. An example of a Trojan horse is a program that appears to be a calculator or other useful utility which has a hidden payload of inserting a back door onto its host system. A simple Trojan horse can be created by modifying any source code with the addition of a payload.

One of the most favourite payloads observed in the wild is "/bin/rm -rf / >/dev/null 2>&1". This payload will attempt to remove all accessible files on the system as a background process with all messages re-directed to waste disposal. Since system security is lax at many sites, there are normally thousands of files with permission bit settings of octal 777. All files on the system with this permission setting will be removed by this attack. Additionally, all files owned by the user, their group or anyone else on the system whose files are write accessible to the user, will be removed. This payload is not limited to use by Trojan horses but can be utilised by any form of attack. Typically, a time bomb can be created by using the "cron" or "at" utilities of the Unix system to execute this command directly at the specified time.

While the bin remove payload is a favourite of many authors, there are other traditional attacks which are not as overt in their destruction. These other attacks are more important because they bend the operation of the system to the purposes of the attacker while not revealing themselves to the system operator. Attacks of this form include the appending of an account record to the password file, copying the password file to an offsite email address for leisurely cracking, and modification of the operating system to include back doors or cause the transfer of money or property. It is extremely simple to email valuable information offsite in such a manner as to insure that the recipient cannot be traced or located. Some of these methods are path dependent, however, the path selected is at the discretion of the attacker.

One of the most simple methods of inserting a back door is the well known suid bit shell attack. In this attack, a trojanised program is used to copy a shell program to an accessible directory. The shell program is then set with permission bits that allow it to execute with the userid and permission of its creator. A simple one line suid bit shell attack can be created by adding the following command to a user's "login" or any other file that they execute. Example: cp /bin/sh /tmp/gotu ; chmod 4777 /tmp/gotu.

Trojan horses and time bombs can be located using the same methods required to locate viruses in the Unix environment. There are many technical reasons why these forms of attack are not desirable, the foremost being their immobility. A virus or worm attack is more important because these programs are mobile and can integrate themselves into the operating system. Of these two forms of attack, the virus attack is the hardest to detect and has the best chance of survival. Worms can be seen in the system process tables and eliminated since they exist as individual processes, while virus attacks are protected from this form of detection by their host programs. All of the methods used to detect and prevent viruses are also effective against the other forms of attack, therefore, the remainder of this paper will deal with the more serious problem of viral attacks.

Unix virus attacks

The promotion of the concept of "magical immunity" to computer viral attacks surfaces on a regular basis. This concept, while desirable, is misleading and dangerous since it tends to mask a real threat. Opponents of the possibility of viral attacks in Unix state that hardware instructions and operating system concepts, such as supervisor mode or permission settings and security ratings like C2 or B1, provide protection. These ideas have been proven wrong in real life. The use of supervisor mode, the additional levels of protection provided by C2 and the mandatory access control provided by security level B1, are not necessary for viral activity and are therefore moot as a method of protection. This fact is supported by the existence of viruses that infect Unix systems as both scripts and binary.

In fact, virus attacks against Unix systems will eventually become more popular as simpler forms of attack become obsolete. Computer viruses have significantly more virility, methods of protection and opportunity for infection. Methods of protection have been highly refined in viruses, including rapid reproduction by infection, migration through evaluation of its environment, (boot viruses look for uninfected floppy diskettes) armour, stealth and polymorphism. In addition, the host system itself becomes a method of protection and propagation. Virus infected files are protected just as much by the operating system as are non-infected files. Introduction of viruses into systems have also been refined using technology called "droppers". A dropper is a Trojan horse that has a virus or viruses as a payload. Finally, extensive networking technology such as NFS (Network File System) allows viruses to migrate between systems without effort.

All of these reasons point to viruses as the future of hostile algorithms, however, the most significant reason for this determination is the effectiveness of the virus as a form of attack. Past experiments by Doctor Fred Cohen in 1984 used a normal user account on a Unix system, without privileged access, and gained total security penetration in 30 minutes. Doctor Cohen repeated these results on many versions of Unix, including AT&T Secure Unix and over 20 commercial implementations of Unix. The results have been confirmed by independent researchers worldwide. Separate experiments by Tom Duff in 1989 demonstrated the tenacity of Unix viruses even in the face of disinfectors. The virus used in Mr. Duff's experiment was a simple virus written in script. The virus was believed to have been reintroduced by the operating system from the automated backup and restore system. Re-infection took place after the system had been virus free for one year.

Projection of future problems

I believe that the problem of attack software written for and targeted against Unix systems will continue to grow, especially now that the Internet has gained popularity. Unix systems are the backbone of the world wide Internet. Viruses will become more prevalent because they provide all of the benefits of other forms of attack while having few drawbacks. Transplatform viruses may become common as an effective attack. All of the methods currently used in creating MS-DOS viruses can be ported to Unix. This includes the creation of automated CAD/CAM virus tools, stealth, polymorphism and armour. The future of viruses on Unix is already hinted at by the widespread use of Bots and Kill-Bots, (slang term referring to software robots). These programs are able to move from system to system performing their function. Using a Bot as a dropper or creating a virus that includes bot-like capability is simple.

With the advent of global networks, the edge between viruses, bots, worms and Trojans will blur. Attacks will be created that use abilities from all of these forms and others to be developed. There have already been cases where people have used audit tools such as COPS and SATAN to attack a system. Combining these tools with a virus CAD/CAM program will allow a fully functional virus factory to create custom viruses and attacks against specific targets such as companies that are disliked by the perpetuator. The information services provided by the Internet already provide sufficient information in the form of IP addresses and email domain addresses to identify, locate and attack systems owned by specific entities.

Finally, viruses and worms can provide the perfect format for a hostage shielded denial of service attack. It is well known that an Internet attached system can be made to "disappear" or crash by flooding it with IP packets. Site administrators can protect their systems from crashing by programming their local router to filter out packets from the attacking source. The system will still disappear because legitimate users will be squeezed out by the flood of attack packets, but filtering at the router can at least save the system from crashing.

Unfortunately, anyone can masquerade as someone else on the Internet by merely using their IP address. This attack can send a barrage of packets to the target site, each of which has a different source IP address. It is not possible to use a router to filter from this type of attack, but the ISP can trace the source of attack by physical channel without relying upon the IP address. In co-operation with other Internet providers, the attacker can be isolated from the Internet for a short time. Hopefully, the attacker will become bored and go away or can be identified for action by law enforcement.

Another possibility is to use viruses to generate the attack. If a virus is successful in spreading to thousands of sites on the Internet and is programmed to start an IP attack against a specific target on the same day at the same time, then there is no way to stop the attack because it has originated from thousands of sites all of which are live hostages. The site under attack will have to go offline since the ISPs will be helpless in the face of a co-ordinated dispersed attack. Since the impact against each individual hostage system is low, the hostages may not even notice that there is a problem. The ISP attached to the target system is in the best position to detect the attack, however, they are as subject to this attack as the target since they may "crash" from the excessive bandwidth usage flooding their network from multiple sources.

Conclusion

I believe that the problem of attack software targeted against Unix systems will continue to grow. Viruses may become more prevalent because they provide all of the benefits of other forms of attack, while having few drawbacks. Transplatform viruses may become common as an effective attack. All of the methods currently used in creating MS-DOS viruses can be ported to Unix. This includes the creation of automated CAD/CAM virus tools, stealth, polymorphism and armour.

The future of viruses on Unix is already hinted at by the wide spread use of Bots and Kill-bots (slang term referring to software robots). These programs are able to move from system to system performing their function. Using a Bot as a dropper or creating a virus that includes bot-like capability is simple.

With the advent of global networks, the edge between viruses, bots, worms and Trojans will blur. Attacks will be created that use abilities from all of these forms and others to be developed. There have already been cases where people have used audit tools such as COPS and SATAN to attack a system. Combining these tools with a virus CAD/CAM program will allow a fully functional virus factory to create custom viruses to attack specific targets.

As these problems unfold, new methods of protection must be created. Research has hinted at several promising methods of protection, including real time security monitors that use artificial intelligence for simple decision making. It is my hope that these problems never reach existence, but I am already testing them in an attempt to devise methods of counteracting them. If I can create these programs, so can others.

Even with the current problems and the promise of more sophisticated problems and solutions in the future, the one thing that I believe to be certain is that Unix or Unix-like systems will continue to provide a pay back that is well worth the cost of operating them.

Compiled by Will Garside

(c) February 1996 Peter V. Radatti

This was last published in June 1999

Read more on Hackers and cybercrime prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close