FeriCyde Chat: The Linux Virus Threat List for 2005

Posted by PaulFerris on Feb 8, 2005 7:36 AM EDT
Lxer.com; By Paul (FeriCyde) Ferris
Mail this story
Print this story

It's hard to find a comprehensive source of pending Linux virus threats these days. Ominous warnings can be found in the press that as Linux and other Free Software projects get more popular, the threat of infection will be on the rise. Still, deep research on the subject yields very little in the way of credible results. You can turn up a lot of talk about anti-virus software and vendors selling solutions for Linux. Still, nothing could be found that really summed up the current and coming threat of viruses for someone using desktop or server Linux in a network setting.



This article is for people that want to stay informed so they can be ready to spot the signs of infection at the earliest notice. Early detection is always the best strategy for surviving any virus attack, regardless of operating system. Study the list closely, and memorize the symptoms in case (as remote as it might be) you've already become infected with one of these babies. I've included helpful tips, valuable advice and resources just in case you need to clean your system and don't exactly know where to start.

The Comprehensive 2005 Linux Virus Threat List



L0NGH0RN.Wh3N? (L0ngh0rn)

Variants also known as: F0gh0rN, L0nGSh0+ and KongLern.
A re-release of this awful code with minor changes seems to happen about every 3 to 5 years. The odd thing is that the rebel gang of law-breaking crackers that created L0ngh0rn have been well-known to the FBI and secret service during the entire time, yet they've never been shut down.

There's even speculation that they've conspired in the past with the the NSA to allow them to eavesdrop on SSL sessions a few years ago with W1nd0ze9x and W1nd0zNT variants. This raised eyebrows in the press several years back but was quickly forgotten. During the Y2K scare, there were two confusing (and incompatible) infectious outbreaks, one called W1nM3, and the other W1n2K. Released about the same time, many people wondered why the crackers even bothered.

L0ngh0rn follows a long tradition of similar viri. The cracker group comes up with an ominous-sounding name like Ch1C4G0 or C41r0w. Then they proceed to chat it up to the mainstream press, telling them what an awesome vector of destruction it's going to be, wiping out everything in its path upon infection. This typically causes mainstream journalists to wax prophetic about the new threat the virus is going to pose and of course all of the damage it's going to inflict upon installed software and operating systems. To the journalists credit, the wreckage from the infection of every one of these babies has truly cost corporate America a bundle.

After multiple deadlines have passed, the virus finally does appear. At that point the ominous features that were supposed to make it so potent turn out to be mediocre, undelivered, or worse, comical.

Recommended cleanup techniques:
The recommended cleanup of L0ngh0rn is a two-pronged approach. If the band of crackers is to believed, this virus won't really infect it's first computer until 2007. A lot of industry insiders suspect that it's really not due to strike until 2008 or later, and even then with a reduced impact. This gives a person plenty of time to prepare not just the technology, but co-workers' mental attitudes.

To address this mis-perception, remind co-workers what a lame threat the prior 3 or 4 variants were and that really good anti-virus software is shipping right now that can address the threat directly.

Demonstrate this by loading any one of the GNU/Linux or *BSD anti-virus software packages with any one of the latest virus definitions found free, right off of the Internet. These products will help you lock down your current desktop or server and avoid the headache and worry created by the threat of impending doom. Better still, your co-workers can sleep better knowing that the enterprise is more secure.

M0r0nic.An4lyzt (M0r0Nz!)

This is a rehash of a virus that appears every year. Each time it appears it tends to be classified as a new version that is perceived (incorrectly) as serious threat to Linux. Initial infections of this code caused the kernel to print erroneous warning messages repeatedly until the virus was eradicated or the system re-installed.

For example, instead of the usual boot messages, in its first incarnation M0r0Nz! would continuously cause the text "Linux will never be mainstream!" to appear on the console and in console-enabled terminal windows. The next year the same virus appeared with an only slightly different message: "Linux will never be ready for the enterprise!"

This was followed the next year by a similar virus that spat more ominous warnings of squashing by Microsoft. Then the next year by numerous text that contained the words TCO. Last years version was even less creative, the TCO being changed by one count to SCO. As a matter of fact, the SCO messages printed so often most users didn't even bother to clean their computer of the virus. After all, like all prior versions, the program is in fact a simple annoyance that does no harm if you ignore it. Most intermediate to advanced administrators simply wrote small shell scripts to pipe the output to /dev/null.

Kernel messages indicating an infection by M0r0Nz!:

  • Text with "Linux" or "Free Software" or "Open Source", and "doomed to failure".
  • "The Linux Desktop: R.I.P.".
  • "Linux ... Get the facts!".
  • "intellectual property", "Linux" and "communists".

Recent variants have even more desperately funny text:

  • "System lacks interoperability!"
  • "Kernel will need to be re-written!"


Recommended cleanup techniques:
Cleanup of the M0r0nicAn4lyzt virus is straightforward. When co-workers fall victim to it, either load anti-virus software that cleans the computer of the virus (IBM is rumored to have the best), or point out the fact that prior versions of the software were pointless, and so is this threat for the same reasons. It might help to find the source of the infection and send an email to the administrator with helpful tips on how they can clean their computers of infection. Remember to be polite at all times when doing this.

F14KyC0W0rKRZ (FLKYZ)

While M0r0Nz!'s damage is done by overwhelming the user with stupid error messages, FLKYZ damage is done at a more insidious level. Upon infection, the box tainted with this code will prompt the user to install another Linux distribution (always different from the current, perfectly functional distribution) all the while keeping the infection hidden in the boot loader.

For example, a recent coworker who was happily using Fedora became infected with FLKYZ, and found himself installing Gentoo. Fortunately for him, one of his friends knew all about Gentoo, helping him get up to speed in a fairly short while (2 weeks), only to find that the (still infected) computer was prompting him to switch to Debian.

Again, the coworker's friend came to the rescue, having converted to Debian himself the week prior, and offering all kinds of cool tips and heaping tons of praise on what a great distribution Debian was in comparison to Gentoo. This was followed the next week with yet another infection-prompted switch to Zandros.

Zandros beget Suse and so on until the coworker cleaned Linux off of his computer completely, sold it in frustration and bought a Mac. The sad part came later, when surprisingly enough, the source computer that was spreading the virus turned out to belong to none other than the friend that was constantly "helping" the coworker switch distributions.

FLKYZ's damage is done in an insidious way: Computers infected with it tend to get loaded and reloaded with operating systems instead of being used for actual work. This leads the computer user to the erroneous belief that Linux is more of a headache than a joy.

Recommended cleanup techniques:
Cleanup of the F14KyC0W0rKRZ virus is usually as straightforward as having the infected party switch back to a clean copy of the distribution they're most familiar with. Be careful not to suggest they switch to your own favorite, but rather the one that they can most easily identify with, and therefore lock down the most securely. It doesn't hurt to scan the local office environment for the source of infection and place a piece of duct tape over the network interface of the infected computer. You should also try to educate the owner of the computer such that future outbreaks of FLKYZ can be avoided.

Search.eng1ne.FUD(S.e.F)

As if you didn't have enough worries with something stupid like the FLKYZ virus running around, there's the always the threat of S.e.F infection to worry about. S.e.F is spread through browser infection from news sites. It emerges in a new form every year, wreaking havoc on news sites and wasting valuable network bandwidth. You can spot the infection when you notice repeated text of the form "Microsoft is going to crush Google!".

The good news is that the third version seems to have been caught fairly early before it could spread much beyond the usual entry points. Prior outbreaks drew more serious attention and far more imbalance in the press. Fortunately, cooler heads and a more in-depth understanding yielded a correct response this year -- Laughter and an understanding that this virus is indeed extremely harmless.

Recommended cleanup techniques:
Cleanup programs to remove the S3F virus are extremely easy to locate. Simply use google.com to search for the best removal tools, pick one, and stick with it till you're done. Avoid other search methods as they seem to be sponsored by malware-infested sources.

sUn+FUD(sUn)

The sUn virus seems to be one of the least harmless threats to a typical network connected Linux PC. The odd thing about the software is how well it works with Linux. While other viruses attempt to thwart usage of open protocols, sUn's infection can be almost undetectable. In general, the most problematic thing it seems to affect are the minds of the computer users that have been exposed to it. There are rumors that it makes executives say extremely rude and pointless things in public.

Like other Linux malware, the sUn virus can effect kernel messages. In the past couple of years, the most obvious infections caused the word Java! to print out as if in an endless loop at login, along with the annoying tendency to rename all files on the system with the text "Java." prepended or as extensions. If you start noticing that all of your software packages are renamed in a similar fashion, it's a sure sign of infection.

This malware also tries to alter the text in licensing files, wiping them out at the most in-opportune times and in other cases changing the text to create YAPNGL (Yet Another Pointless Non-GNU License). While this can be extremely annoying, overall most technical and business people have yet to be adversely affected. Infections of the sUn virus have dropped of late and are showing signs of a huge slow-down over the next few years -- possibly even total extinction.

Recommended cleanup techniques:
Cleanup of the sUn virus is pretty easy. Where practical, don't allow computers infected with sUn on your local network. If possible, get rid of the servers that have been infected in the past, and replace them with a supported GNU/Linux variant in enterprise-class settings.


Well, that's the list. You can't truly feel secure about your Linux installations unless you have a good picture of all of the attack vectors. It doesn't take a rocket scientist to see that even the most malicious malware mentioned here doesn't hold a candle to the strength and security that Linux brings to the picture, from small shops to enterprise-class settings, Linux fits the security bill.
Paul Ferris is a husband, father and Linux professional with over 15 years of Unix and over 10 years of experience with Linux. His opinions are his and his alone. He reminds you that while security is no laughing matter, that doesn't mean that you can't have some fun with it after all...

  Nav
» Read more about: Story Type: LXer Features; Groups: Community, LXer, Microsoft

« Return to the newswire homepage

Subject Topic Starter Replies Views Last Post
Magnificent use of sarcasm, Paul! AnonymousCoward 9 3,829 Feb 9, 2005 2:36 PM
I will take anal bum cover for $200 SeanConnery315 6 4,673 Feb 9, 2005 7:09 AM
Moronic.analyst? warthawg 1 3,121 Feb 9, 2005 6:45 AM
deja vu all over again all over again all over again dinotrac 0 3,287 Feb 9, 2005 3:44 AM

You cannot post until you login.