Working on an efficient generic shellcode detection engine and verifying results with randomly generated input, I've effectively ended up fuzzing different open source disassembler libraries. The disassembler library of choice for my current project is libdasm because of its comparatively long history and public domain license. But writing a sound and complete x86 disassembler is obviously not a trivial task due to the complex nature of the x86 instruction set.
libdasm used to have trouble correctly disassembling certain floating point instructions, but this was simply caused by an off-by-three error in the opcode lookup tables (three NULL rows were missing), so the fix was comparatively easy.
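To show the kind of check that catches a lookup-table bug like the one above, here is an added example that is not part of the original post and not libdasm's code: a constructed, deliberately tiny table-driven decoder for a handful of 32-bit x86 single-byte opcodes, a row-count check on the table, and a random-input harness that verifies the invariants any disassembler must hold (reported length never runs past the buffer, decoding is deterministic, a recognised instruction has a non-zero length). The table contents, function names and iteration counts are assumptions for the illustration.

```python
import random

# Constructed toy table of 32-bit x86 single-byte opcodes:
# opcode byte -> (mnemonic, total instruction length). Opcodes that are
# not modelled stay None. A real table must have exactly 256 rows; the
# row-count check below is the one that would flag a table three rows short.
OPCODE_TABLE = [None] * 256
OPCODE_TABLE[0x90] = ("nop", 1)
OPCODE_TABLE[0xC3] = ("ret", 1)
OPCODE_TABLE[0xCC] = ("int3", 1)
for r in range(8):
    OPCODE_TABLE[0x50 + r] = ("push r32", 1)        # push eax..edi
    OPCODE_TABLE[0x58 + r] = ("pop r32", 1)         # pop eax..edi
    OPCODE_TABLE[0xB8 + r] = ("mov r32, imm32", 5)  # opcode + 4-byte immediate
OPCODE_TABLE[0x68] = ("push imm32", 5)
OPCODE_TABLE[0x6A] = ("push imm8", 2)
OPCODE_TABLE[0xE8] = ("call rel32", 5)
OPCODE_TABLE[0xE9] = ("jmp rel32", 5)
OPCODE_TABLE[0xEB] = ("jmp rel8", 2)


def table_is_complete(table):
    """Every opcode byte must have a row, even if the row is None."""
    return len(table) == 256


def decode(buf, offset=0):
    """Return (mnemonic, length) for the instruction at buf[offset], or
    (None, 0) for an unmodelled opcode or a truncated encoding."""
    if offset >= len(buf):
        return (None, 0)
    entry = OPCODE_TABLE[buf[offset]]
    if entry is None:
        return (None, 0)
    mnemonic, length = entry
    if offset + length > len(buf):
        return (None, 0)  # immediate would run past the end of the buffer
    return (mnemonic, length)


def fuzz(iterations=2000, max_len=16, seed=1):
    """Feed random byte strings to decode() and count invariant violations.
    A correct decoder returns 0."""
    rng = random.Random(seed)
    violations = 0
    for _ in range(iterations):
        buf = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))
        off = 0
        while off < len(buf):
            mnemonic, length = decode(buf, off)
            # (a) the reported length never exceeds the remaining input
            if off + length > len(buf):
                violations += 1
            # (b) decoding is deterministic for the same bytes
            if decode(buf, off) != (mnemonic, length):
                violations += 1
            # (c) a recognised instruction always consumes at least one byte
            if mnemonic is not None and length == 0:
                violations += 1
            off += length if length else 1  # step over unknown bytes
    return violations


if __name__ == "__main__":
    print("table complete:", table_is_complete(OPCODE_TABLE))
    print("violations over random input:", fuzz())
```

The same three invariants apply unchanged when the decoder under test is a real library: wrap its entry point instead of `decode()` and the harness will surface out-of-bounds lengths and non-deterministic results on random input without needing any knowledge of the encoding.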
On Saturday "Linuxtag 2006" closed in Wiesbaden (Germany). According to the organisers, it’s Europe's biggest Linux Expo.
At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.
Nearly every visitor accepts the need to protect Windows against malicious code (although even at a Linux fair you find people believing that a firewall is all you need to keep viruses and worms away). But many people we spoke to were unable to think of Linux as potentially vulnerable; after all, they argued, a Linux user would never go online with root rights as typical Windows XP home users do.
But such thinking overlooks some important facts:
- You don't need root privileges to delete a user's home directory or access their personal data - you only need to run malicious code with user privileges. (And not every user makes daily backups, which could mitigate the potential damage.)
- The number of new malicious programs for an operating system isn't related to the number of known security flaws, but to the number of installations. In Germany, the number of Linux installations is growing rapidly, and overall, the number of malicious programs for Linux more than doubled between 2004 and 2005.
- To access a system, a virus writer doesn’t need 300 vulnerabilities - one is enough.
- Vulnerabilities exist prior to their being identified by the developers who report them. Virus writers actively search for vulnerabilities, but keep their discoveries to themselves.
- Only a perfect system can offer perfect security. In his "Areas for Improvement in the 2.6 Kernel Development Process", Andrew Morton (lead maintainer of the Linux production kernel) pointed out that the number of new bugs in the current 2.6 kernel is causing concern and might lead to the development process being halted until existing problems are fixed.
Just to avoid any misunderstanding: of course Linux is currently more secure than the average Windows installation. This is due to things like user/root separation, a smaller number of installations, and rapid reaction to reported vulnerabilities. And currently, given the relatively small number of malicious programs for Linux, installing a virus scanner is more a gesture of friendship towards the Windows users you share files with. But taking all of this and concluding that your own system is practically invulnerable will make it easy for malware to spread on Linux systems in the future.
Let's take a look at what history teaches: In 2000, the VBS.Loveletter worm took just a few hours to spread across unsecured Windows computers around the world. So far, nothing on this scale has hit the Linux world. But the question is: when the day comes, will users and companies have enough time to choose and install a reliable virus scanner before their systems are hit?
This morning a new worm for Linux appeared on the Internet. This is the second worm in the last couple of months. (The one before this one, Lupper, appeared on 7th November 2005). This shows how relatively rare Linux worms are in comparison to Windows worms.
We've called the new worm Net-Worm.Linux.Mare.a, and it uses php include to propagate. A modification of Backdoor.Linux.Tsunami spreads together with the worm.
Years ago, I attended a Linux conference. It was the first Linux conference for me, and compared to other similar events, the first thing I noticed was that the atmosphere was pretty relaxed. People were chatting during presentations, drinking beer and hacking the presenter's laptop using a three-day old vulnerability in SSH over WiFi. I later learned this was your regular Linux/Unix conference, but it looked pretty exotic to a newbie.
One of the presentations was about Unix malware in general, Linux malware in particular. The presenter examined some common Linux rootkits and backdoors, and a Linux virus - but no worms. At the end of the presentation, he pointed out that despite the lack of cases, Linux worms are not only possible but very likely to appear in the future and become as common as, for example, CodeRed. This last statement was received with general (for 'general', read 'loud') disagreement from the audience who pointed out that Linux is more secure than Windows and things like CodeRed can't and will never happen. The speaker sighed but didn't comment - he probably knew better.
Several days ago, we started receiving a flood of packets over port 80 through our honeypot network codenamed "Smallpot". Plain text, no buffer overflow or shellcode involved, they were flagged "low importance" by the automatic analysis system and stayed in the queue for a while until we noticed something was not quite right about them. Generally, we receive tons of port 80 packets containing simple HTTP requests - spammers looking for open proxies or other ways to deliver their messages; it is not that usual to have a worm which is replicating over a port 80 (HTTP) exploit without using a buffer overflow.
Well, Net-Worm.Linux.Lupper is just that. The worm itself is an ELF binary, statically compiled so it runs on most systems, and packed with a set of exploits which target vulnerable versions of 'xmlrpc.php' and 'awstats.pl'. These can be found in various Linux distributions (including but not limited to: Gentoo, Mandriva, Slackware, Debian, Ubuntu), but also in older versions of WordPress, a very popular blogging package.
Another notable thing is that hardware buffer overflow protection such as that built into most recent CPUs from AMD and Intel (using the NX / XD bit) is helpless against such attacks and will not prevent infection with Lupper, because no memory corruption is involved. This proves once again that the above solutions, aggressively marketed as "the end to all virus problems", are not quite there yet.
Detection for Lupper.A was added to the antivirus databases on November 6th, the .B variant was added earlier today. Of course, KAV for Linux File Servers with on-access protection enabled prevents infections with Lupper.
Slapper, one of the best known worms for Linux, is three years old tomorrow. It caused an outbreak back in 2002. This anniversary started me thinking about Linux malware:
Before Slapper, Linux viruses had been around for a while. Bliss, a virus which appeared in 1997, was the first to demonstrate that Linux was vulnerable to viruses. And once Bliss opened the door, other types of malware followed.
Many Linux viruses infect ELF [Executable and Linkable Format] files, the most common Linux file type. However, this is not the only technique. Some viruses use Unix shell scripts which are supported by most Linux distributions. These are powerful and easy to write. The Ramen worm, for example, uses known system exploits to gain root access to vulnerable Linux servers and then employs ELF binaries and shell scripts to find other servers to infect.
The number of Linux threats has increased slowly, but they have grown more sophisticated. Multi.Etapux, for example, is a complex polymorphic virus which uses entry-point obfuscation to evade detection. It is also able to infect Windows PE (Win32) files as well as Linux ELF files. There are also Linux threats which exploit system vulnerabilities in order to attack. The Slapper worm, for example, utilizes a known vulnerability in the OpenSSL library to infect Apache web servers. And the Adore worm uses a random port scan to identify systems that have a root access vulnerability in the BIND DNS service on Linux servers.
Virus writers targeting Linux (and all other Unix flavours) face quite a few difficulties. For example, to modify ELF binaries, it's necessary to have root rights. And there may be specific dependencies related to specific Linux versions, making it hard for a virus writer to create a single virus for all implementations of Linux. But such obstacles can be overcome. The use of scripts, for example, makes a virus or worm less dependent on a specific Linux distribution. One of the early Linux viruses, Staog, uses a vulnerability to get root access to the system. Slapper uploads itself as a uuencoded source file, then decodes and compiles the source into an ELF binary using the local copy of the C compiler.
So why hasn't there been more malicious code for Linux? The dominance of Windows, particularly as a desktop operating system, is the key reason. Malware authors want the biggest possible bang for their buck so they target the operating system that is most widely used. Linux simply isn't widespread enough to be a serious target - at the moment.
That said, the use of Linux as an operating system is increasing, partly due to the popularity of Linux distributions such as RedHat and SuSE. Currently there are 712 pieces of malware that target Linux. This number will almost certainly increase as the popularity of Linux itself increases.
And one other thing to consider - more and more organizations are starting to use Linux alongside Windows, with a Linux file-server storing Windows applications. These files can be infected at desktop level, with infected files then being stored on the server. Organizations must therefore accept the necessity of scanning the Linux server to protect against malicious code attacks.
With the delayed release of Longhorn and Novell's recent announcement of Novell Linux, based on its earlier purchase of German Linux developer SuSE, the OS wars are reaching new heights.
One of the most praised and popular operating systems a couple of years ago, Solaris started to fade out of the scene when Sun became more interested in Linux than supporting its own OS. A real pity, since Solaris was a nicely designed modern operating system, had better security features than many other commercial solutions and benefited from coherent updates from its developers.
From this point of view, we salute Sun's initiative to revive Solaris and freely distribute version 10 for x86 and SPARC machines, hence rejoining the OS wars with a fresh, new approach!
Of course, Solaris is no longer such a strong presence on the Unix OS market - Linux is getting better every day and likely has more ports than any other OS out there. Distributions such as Fedora Core 3 benefit from easy and straightforward updates with a mouse click. How the new Solaris 10 will fare on today's market cannot be guessed at this stage of the story.
Discovered in 2001, 'Sadmind' (aliases: SunOS/BoxPoison, Solaris/Sadmind.worm) is still the only known Solaris worm at the moment. You can find a description of Sadmind in our Virus Encyclopedia.