FeriCyde Chat: The Linux Virus Threat List for 2005
This article is for people that want to stay informed so they can be ready to spot the signs of infection at the earliest notice. Early detection is always the best strategy for surviving any virus attack, regardless of operating system. Study the list closely, and memorize the symptoms in case (as remote as it might be) you've already become infected with one of these babies. I've included helpful tips, valuable advice and resources just in case you need to clean your system and don't exactly know where to start.
The Comprehensive 2005 Linux Virus Threat ListL0NGH0RN.Wh3N? (L0ngh0rn)Variants also known as: F0gh0rN, L0nGSh0+ and KongLern.A re-release of this awful code with minor changes seems to happen about every 3 to 5 years. The odd thing is that the rebel gang of law-breaking crackers that created L0ngh0rn have been well-known to the FBI and secret service during the entire time, yet they've never been shut down. There's even speculation that they've conspired in the past with the the NSA to allow them to eavesdrop on SSL sessions a few years ago with W1nd0ze9x and W1nd0zNT variants. This raised eyebrows in the press several years back but was quickly forgotten. During the Y2K scare, there were two confusing (and incompatible) infectious outbreaks, one called W1nM3, and the other W1n2K. Released about the same time, many people wondered why the crackers even bothered. L0ngh0rn follows a long tradition of similar viri. The cracker group comes up with an ominous-sounding name like Ch1C4G0 or C41r0w. Then they proceed to chat it up to the mainstream press, telling them what an awesome vector of destruction it's going to be, wiping out everything in its path upon infection. This typically causes mainstream journalists to wax prophetic about the new threat the virus is going to pose and of course all of the damage it's going to inflict upon installed software and operating systems. To the journalists credit, the wreckage from the infection of every one of these babies has truly cost corporate America a bundle. After multiple deadlines have passed, the virus finally does appear. At that point the ominous features that were supposed to make it so potent turn out to be mediocre, undelivered, or worse, comical.
Recommended cleanup techniques:
To address this mis-perception, remind co-workers what a lame threat the prior 3 or 4 variants were and that really good anti-virus software is shipping right now that can address the threat directly. Demonstrate this by loading any one of the GNU/Linux or *BSD anti-virus software packages with any one of the latest virus definitions found free, right off of the Internet. These products will help you lock down your current desktop or server and avoid the headache and worry created by the threat of impending doom. Better still, your co-workers can sleep better knowing that the enterprise is more secure.
M0r0nic.An4lyzt (M0r0Nz!)This is a rehash of a virus that appears every year. Each time it appears it tends to be classified as a new version that is perceived (incorrectly) as serious threat to Linux. Initial infections of this code caused the kernel to print erroneous warning messages repeatedly until the virus was eradicated or the system re-installed.For example, instead of the usual boot messages, in its first incarnation M0r0Nz! would continuously cause the text "Linux will never be mainstream!" to appear on the console and in console-enabled terminal windows. The next year the same virus appeared with an only slightly different message: "Linux will never be ready for the enterprise!" This was followed the next year by a similar virus that spat more ominous warnings of squashing by Microsoft. Then the next year by numerous text that contained the words TCO. Last years version was even less creative, the TCO being changed by one count to SCO. As a matter of fact, the SCO messages printed so often most users didn't even bother to clean their computer of the virus. After all, like all prior versions, the program is in fact a simple annoyance that does no harm if you ignore it. Most intermediate to advanced administrators simply wrote small shell scripts to pipe the output to /dev/null. Kernel messages indicating an infection by M0r0Nz!:
Recent variants have even more desperately funny text:
Recommended cleanup techniques:
F14KyC0W0rKRZ (FLKYZ)While M0r0Nz!'s damage is done by overwhelming the user with stupid error messages, FLKYZ damage is done at a more insidious level. Upon infection, the box tainted with this code will prompt the user to install another Linux distribution (always different from the current, perfectly functional distribution) all the while keeping the infection hidden in the boot loader.For example, a recent coworker who was happily using Fedora became infected with FLKYZ, and found himself installing Gentoo. Fortunately for him, one of his friends knew all about Gentoo, helping him get up to speed in a fairly short while (2 weeks), only to find that the (still infected) computer was prompting him to switch to Debian. Again, the coworker's friend came to the rescue, having converted to Debian himself the week prior, and offering all kinds of cool tips and heaping tons of praise on what a great distribution Debian was in comparison to Gentoo. This was followed the next week with yet another infection-prompted switch to Zandros. Zandros beget Suse and so on until the coworker cleaned Linux off of his computer completely, sold it in frustration and bought a Mac. The sad part came later, when surprisingly enough, the source computer that was spreading the virus turned out to belong to none other than the friend that was constantly "helping" the coworker switch distributions. FLKYZ's damage is done in an insidious way: Computers infected with it tend to get loaded and reloaded with operating systems instead of being used for actual work. This leads the computer user to the erroneous belief that Linux is more of a headache than a joy.
Recommended cleanup techniques:
Search.eng1ne.FUD(S.e.F)As if you didn't have enough worries with something stupid like the FLKYZ virus running around, there's the always the threat of S.e.F infection to worry about. S.e.F is spread through browser infection from news sites. It emerges in a new form every year, wreaking havoc on news sites and wasting valuable network bandwidth. You can spot the infection when you notice repeated text of the form "Microsoft is going to crush Google!".The good news is that the third version seems to have been caught fairly early before it could spread much beyond the usual entry points. Prior outbreaks drew more serious attention and far more imbalance in the press. Fortunately, cooler heads and a more in-depth understanding yielded a correct response this year -- Laughter and an understanding that this virus is indeed extremely harmless.
Recommended cleanup techniques:
sUn+FUD(sUn)The sUn virus seems to be one of the least harmless threats to a typical network connected Linux PC. The odd thing about the software is how well it works with Linux. While other viruses attempt to thwart usage of open protocols, sUn's infection can be almost undetectable. In general, the most problematic thing it seems to affect are the minds of the computer users that have been exposed to it. There are rumors that it makes executives say extremely rude and pointless things in public.Like other Linux malware, the sUn virus can effect kernel messages. In the past couple of years, the most obvious infections caused the word Java! to print out as if in an endless loop at login, along with the annoying tendency to rename all files on the system with the text "Java." prepended or as extensions. If you start noticing that all of your software packages are renamed in a similar fashion, it's a sure sign of infection. This malware also tries to alter the text in licensing files, wiping them out at the most in-opportune times and in other cases changing the text to create YAPNGL (Yet Another Pointless Non-GNU License). While this can be extremely annoying, overall most technical and business people have yet to be adversely affected. Infections of the sUn virus have dropped of late and are showing signs of a huge slow-down over the next few years -- possibly even total extinction.
Recommended cleanup techniques:
Well, that's the list. You can't truly feel secure about your Linux installations unless you have a good picture of all of the attack vectors. It doesn't take a rocket scientist to see that even the most malicious malware mentioned here doesn't hold a candle to the strength and security that Linux brings to the picture, from small shops to enterprise-class settings, Linux fits the security bill. Paul Ferris is a husband, father and Linux professional with over 15 years of Unix and over 10 years of experience with Linux. His opinions are his and his alone. He reminds you that while security is no laughing matter, that doesn't mean that you can't have some fun with it after all... |
|
Subject | Topic Starter | Replies | Views | Last Post |
---|---|---|---|---|
Magnificent use of sarcasm, Paul! | AnonymousCoward | 9 | 4,022 | Feb 9, 2005 2:36 PM |
I will take anal bum cover for $200 | SeanConnery315 | 6 | 4,843 | Feb 9, 2005 7:09 AM |
Moronic.analyst? | warthawg | 1 | 3,286 | Feb 9, 2005 6:45 AM |
deja vu all over again all over again all over again | dinotrac | 0 | 3,450 | Feb 9, 2005 3:44 AM |
You cannot post until you login.