http://os.newsforge.com/article.pl?sid=06/04/17/1752213 By Joe Barr and Joe Brockmeier April 17, 2006 Thanks to one of our readers, NewsForge has obtained a copy of the widely reported Windows/Linux cross-platform "proof of concept" virus. News reports thus far on the code have contradicted themselves: some reported the virus can replicate itself on both Windows and Linux, others saying it has a viral nature only on Windows. Testing by both NewsForge staff and Hans-Werner Hilse may reveal why the confusion. Our tests shows the code's viral nature is sometimes -- but not always -- effective on both platforms, depending on the kernel being used. Of course, it's impossible for us to test every version of the kernel out there, but thus far, it looks like those prior to version 2.6.16 are susceptible, and at least some of those after that release are not. Here's how we tested at NewsForge. Our first test was run on an AMD64 box with a fresh install/update of Ubuntu Dapper Flight 5 386 with the 2.16.15-20-386 kernel, with the WINE and GHex -- a binary viewer/editor -- packages also installed. After unzipping the viral package (clt.zip) into an empty directory, we tested CLT.EXE by executing it under WINE in a subdirectory containing only a small executable and linkable format (ELF) file, called hello, written in assembler, that we created for the test. We ran CLT.EXE, and a small window popped up saying that the "dropper" -- as the code calls itself -- had executed successfully. When we examined the hello ELF file with GHex, however, it showed no signs of contagion -- not even the lines of text which were supposedly installed in lieu of the virus itself when run on Linux. We soon learned that the reason hello remained uninfected in the first test was that the hello executable file is too small, not because the viral code could not replicate on Linux. Another NewsForge staffer testing CLT.EXE under VMWare found that it did infect larger ELF files. Next, we copied the programs more, date, and ls from /bin into the test directory. When we ran CLT.EXE again, all three of those ELFs were infected. Each was 4,096 bytes larger than it had been before the test. But did those 4,096 additional bytes actually contain the viral code? Would the ELF files still execute? Those questions became the basis for our next test scenario. Instead of running CLT.EXE under WINE, we repeated the tests in a different directory, using uninfected copies of the same target programs, and then executing an infected version of ls in that directory. The only difference we could detect was that the pop-up window no longer appeared: more, ls, and date were all infected and hello remained untouched. [...] _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Apr 18 2006 - 22:49:29 PDT