|Posted by Linux Ducks on April 5, 2011 at 2:25 PM|
Hands-on testing of the new Linux virus
By Joe Barr and Joe Brockmeier on
April 17, 2006 (8:00:00 AM)
WEBpage URL: http://www.linux.com/archive/feed/53698
Thanks to one of our readers, NewsForge has obtained a copy of the widely reported Windows/Linux cross-platform "proof of concept" virus. News reports thus far on the code have contradicted themselves: some reported the virus can replicate itself on both Windows and Linux, others saying it has a viral nature only on Windows. Testing by both NewsForge staff and Hans-Werner Hilse may reveal why the confusion.
Our tests shows the code's viral nature is sometimes -- but not always -- effective on both platforms, depending on the kernel being used. Of course, it's impossible for us to test every version of the kernel out there, but thus far, it looks like those prior to version 2.6.16 are susceptible, and at least some of those after that release are not. Here's how we tested at NewsForge. Our first test was run on an AMD64 box with a fresh install/update of Ubuntu Dapper Flight 5 386 with the 2.16.15-20-386 kernel, with the WINE and GHex -- a binary viewer/editor -- packages also installed. After unzipping the viral package (clt.zip) into an empty directory, we tested CLT.EXE by executing it under WINE in a subdirectory containing only a small executable and linkable format (ELF) file, called hello, written in assembler, that we created for the test. We ran CLT.EXE, and a small window popped up saying that the "dropper" -- as the code calls itself -- had executed successfully.
When we examined the hello ELF file with GHex, however, it showed no signs of contagion -- not even the lines of text which were supposedly installed in lieu of the virus itself when run on Linux. We soon learned that the reason hello remained uninfected in the first test was that the hello executable file is too small, not because the viral code could not replicate on Linux. Another NewsForge staffer testing CLT.EXE under VMWare found that it did infect larger ELF files. '''
RELATED PREVIOUS POST
New virus infects Linux and Windows platforms (cross-platform infections).....
Winux Virus ......New virus infects Linux and Windows platforms: security technology studies microsoft windows versions linux viruses malicious payload william stearns....