Unix security: The W32.Winux virus
At the end of March, a new virus started making some headlines. I'm not referring to the Lion worm, but rather the "W32.Winux" virus (also known as the "W32/Lindose.2132" virus). It is being touted by some news organizations as "the first virus to infect both Windows and Linux." This is not an entirely accurate description.
Quite a few viruses in the past have affected both Windows and Linux. Application specific viruses (e.g., MS Word macro viruses), as opposed to operating system specific, can infect any system running the vulnerable application. Crossing platforms in and of itself is not such a great feat, but the W32.Winux virus is indeed different. As a caveat, I have not seen the virus code. However, looking over the descriptions posted by Central Command (who initially reported the new virus) and McAfee (who verified Central Command's findings), I can extrapolate its potential and how it works.
W32.Winux is not a platform-independent virus. W32.Winux's initial injection point must be a Windows machine -- it cannot start by infecting a Linux box. Once it infects a Windows computer though, it starts looking for certain files under the Windows file system and the Linux file systems. When it finds what it's looking for, it opens files and inserts code.
It initially infects a Windows system and seeks out certain Windows files (PE file types, which include .exe files). W32.Winux's uniqueness stems from the fact that it doesn't stop there. After infecting a Windows system, W32.Winux then starts looking through the system for any known Linux files -- for instance, through shared file systems or remote drives. It looks through those for Linux ELF files, which also include Linux system binaries.
W32.Winux is not in the wild. The reports were not generated because it was found infecting any system; they were generated through a proof of concept submitted to Central Command. W32.Winux is also easy to detect and remove. Don't panic; the largest concern is its potential to start a trend. A virus spreading like "I Love You" with a "Ramen" worm payload would be unfortunate. Currently, W32.Winux is a curiosity.
RESOURCES:
- Central Command's virus details:
http://support.avx.com/cgi-bin/command/solution?11=010327-0017&130=0985731825 - McAfee virus profile:
http://vil.mcafee.com/dispVirus.asp?virus_k=99060 - First virus to infect Windows, Linux apps appears --
Virus spreads to other executable files in the directory it occupies:
http://www.itworld.com/Sec/3833/CWSTO58378/ - First P2P virus hits:
http://www.itworld.com/Net/4087/ITW_2-28-01_p2pvirus/
ITworld.com
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
