The function of the expert is not to be more right than other people, but to be wrong for more sophisticated reasons. | |
Dr. David Butler, British psephologist |
Intended audience for this document are developers and script savvy administrators. But from the very beginning it also attracted people who sincerely care about security and view example code with suspicion. I'll try to explain what the source code is showing - or at least is supposed to show, once it's bug free and complete.
The plural of virus is neither viri nor virii, nor even vira nor virora. It is quite simply viruses, irrespective of context. [1]
The jargon files contain a good definition. For my purposes it is not technical enough, though. I want to make clear what this all is about, and even more important, what it is not.
A virus [2] is a program that infects other programs stored in inactive form. This document concentrates on copying the executable code of the virus into another file. Other possible targets are boot sectors and programmable ROMs.
A worm [3] is a program that penetrates other running programs. Penetration means to copy the executable code of the worm into the active process image of the host.
A trojan program [4] is deliberately started by a user because of advertised features, but performs covert malicious actions.
The jargon files include programs infected by a virus into their definition of trojan. I don't consider this helpful. The survival strategy of viruses is to stay below the level of perception of humans, operating systems or scanners. But trojans don't hide. They obfuscate their real intend by delivering a good show. Good advertising can persuade the user to install necessary system components, deactivate security checks, and throw overboard all common sense.
The jargon files also claim that "a virus cannot infect other computers without assistance". Widespread use of write-enabled network shares has made this a bold statement. It is correct that patching an executable file over the net is meaningless if that program is not executed somewhere. But I want to stress that it's not the media containing the target that distinguishes worms from viruses. A virus polluting a RAM-disk is still a virus. A worm saved to disk by the hibernation feature of a laptop is still a worm.
The main difference between worms and viruses is persistence and speed. Modifications to files are usually permanent and remain after reboot. On the other hand a virus attached to a host can get active only when that host program is started. A worm takes immediate control of a running process and thus can propagate very fast.
Usually these techniques are combined to effectively cause mischief. Viruses can get resident, i.e. attach themselves to a part of the system that runs independent of the infected executable. Worms can modify system files to leave permanent back doors [5] . And tricking the user into executing the very first infector is a lot easier than finding and exploiting [6] buffer overflows [7] .
But Unixes have traditional concepts to limit the possible damage of a malicious process. Network services can be run under the access permissions of a non-privileged account. File systems can be mounted read-only (e.g. /usr) or as noexec (e.g. /home). Some file systems have extended attributes that can prohibit access even when ls -l tells otherwise (on ext2 this is chattr(1)). Probably the strongest defense is chroot(1).
Every single one of these techniques can stop a vandalizing human, virus or worm to take over the entire machine. But while it is easy to control viruses, it is very hard to stop worms. To exploit a vulnerable network service a worm needs permissions for an incoming connection. To compromise the next machine on the network it needs an outgoing network connection. Nothing else.
I will now put on a black hat and an evil grin. Using material already published on the net, contributions sent to me, and all documentation available, I will try to build a virus to do in Linux for good. All concepts, ideas and experiments - along with enough working code to prove my conclusions - will be released to public ridicule through this document.
Should the quest fail this may have a few reasons:
I am incompetent.
Nobody cared to sent in evidence for #1.
It already has been done, but They will prevent #2 to maintain #1.
Optimistic readers could think that the inevitable big mistake of developers and distributors will be released soon, but just isn't available right now.
Even more adventurous spectators might say that design, development model, or distribution concept make Linux immune against a direct attack.
This is just one of the more boring episodes in the matrix.
Anyway, it is not a problem if we, or someone using this document, succeeds. The correct name for that situation is opportunity. Should you happen to take this document - and especially above agenda - too seriously, the story of "Osama bin virus" [8] can help.
This text written under influence of an evil grin.
[1] | |
[2] | |
[3] | |
[4] | http://www.tuxedo.org/~esr/jargon/html/entry/Trojan-horse.html |
[5] | |
[6] | |
[7] | http://www.tuxedo.org/~esr/jargon/html/entry/buffer-overflow.html |
[8] |