Re: [masq] 1st virus in Linux :( (fwd)

root (abszero@epix.net)
Wed, 19 Feb 1997 16:19:23 -0500 (EST)


James Mohr wrote:
> From: Russ Allbery[SMTP:rra@cs.stanford.edu]
> Sent: Samstag, 8. Februar 1997 16:17
> To: submit-linux-dev-kernel@ratatosk.yggdrasil.com; Ambrose Au
> Cc: webcomments@cc.mcafee.com
> Subject: Re: [masq] 1st virus in Linux :( (fwd)
>
> Ambrose Au <achau@wwonline.com> writes:
>
> > In case you do not notice, there is a new destructive virus called Bliss
> > which infects Linux executables.
> > Its target is users who play games such as doom over the Internet with
> > root access.
> > Details at Mcafee's website: http://www.mcafee.com/corp/press/020597.html
>
> This is not a virus in the way the term is used for operating systems
> without memory protection.
>
> Any program being run as root has privileges to modify the file system
> and do damage to your system; this is why you do not run general binaries
> as root. All this is is a simple Trojan Horse, based on the idea of
> getting stupid people to run unknown binaries as root, with an interesting
> side twist of modifying other system binaries when it runs. McAfee's
> statements about this are, at best, misleading. To quote from their web
> site:
>

I would define a virus as a program designed to modify other programs
without the user's intervention or knowledge. A "simple Trojan Horse"
wouldn't be able to infect other programs.

> McAfee (Nasdaq: MCAF), the world's leading vendor of anti-virus
> software, today announced that its virus researchers have discovered
> the first computer virus capable of infecting the Linux operating
> system.
>
> Whatever you would like to call this, it quite definitely isn't anything
> new. Trojan Horse binaries for Unix systems have been around for years,
> as have Trojan Horse modified source distributions; there was a CERT
> several years ago about IRC, for example.
>
> The virus, which is called Bliss, is significant because many in the
> Unix industry have previously believed that viruses were not a concern
> to Unix operating system users.
>
> The implication behind this statement is patently absurd. Obviously, as
> anyone who knows anything about Unix is aware, if you run a hostile
> program as root it can do all sorts of nasty things to your system. Duh.
> Again, McAfee is attempting to portray this as some major new problem when
> it's nothing of the sort.
>
> We encourage concerned Linux users to download a free working
> evaluation copy of our VirusScan for LINUX, which can be used to
> detect the virus.
>
> No thank you. Linux doesn't need a virus checker; Linux administrators
> need to use some basic intelligence about what they run as root. People
> who run binary-only packages obtained from untrusted sources as root on
> their system get exactly what they deserve.
>

Also, simply doing them setuid/gid on something other than root might be a
good thing. However, svgalib programs need to be run as root (or setuid,
anyway), as do things (such as Quake and Doom in their fullscreen, Xwindows
ports) that use some extensions for xwin.

> It looks to me like McAfee is attempting to use this as a publicity stunt
> to promote their software business and to attempt to scare Linux users
> into paying them money. I'll refrain from speculating about how much of a
> threat a real operating system is to a company who makes its living on
> protecting users of less sophisticated operating systems from their
> inherent limitations.
>
> McAfee just flushed all respect I had for them down the toilet.
>

Although McAfee, like every good business, never misses a good opportunity
to get ink, they make good programs.

--- James Mastros