discuss: Virus-Writing-HOWTO


Previous by date: 12 Mar 2002 20:06:04 -0000 Re: Virus-Writing-HOWTO, M. Leo Cooper
Next by date: 12 Mar 2002 20:06:04 -0000 Re: Virus-Writing-HOWTO, Martin WHEELER
Previous in thread: 12 Mar 2002 20:06:04 -0000 Re: Virus-Writing-HOWTO, M. Leo Cooper
Next in thread: 12 Mar 2002 20:06:04 -0000 Re: Virus-Writing-HOWTO, Martin WHEELER

Subject: Re: Virus-Writing-HOWTO
From: Alexander Bartolich ####@####.####
Date: 12 Mar 2002 20:06:04 -0000
Message-Id: <3C8E5EFA.5070508@gmx.at>

Greg Ferguson wrote:

 > [...] my personal feeling is that the document itself appears
 > to be a "cookbook-style guide to destruction".

If you have that feeling then others will have, too.
So I consider it a major item to fix.
Because to me the facts tell exactly the opposite.

I'll try to give some reasoning:

The 2nd and 3rd sections are a guided tour through traditional
diagnostic tools. I'm old-school and consider that vital
knowledge, but I bet that most kdevelop/kylix people never
heard of it.

The trip ends with the presentation of a peculiarity of
executables produced by gcc/ld. And a primitive scanner
(a perl script parsing the output of readelf) that verifies
the existence and possible violations of this peculiarity.

The 4th section shows how simple it is to use that knowledge
for an infection, but since the infector is written in C++
it can't be inserted itself.

Anyway, for me the lessons are:

+ After some RTFM it is amazing how far the tools shipped with
   every distribution can take both offense and defense
   - not written, but implied:
     outlawing "hacking tools" is nonsense

+ The popular argument that Linux is a hard target because
   it is an inhomogeneous platform is refuted
   - not yet written: even stronger evidence will follow
   - not written, but implied:
     then it must be something else that makes it hard to kill

 > Even the sarcastic(?) closing remark - "Feel the power
 > of the dark side!" - tends to make me uncomfortable with
 > this type of document (maybe that's a bit harsh;
 > call me prudish, but...).

Ok. That's unnecessary show.
But then wouldn't you expect something like

347 |\/|'/ d1c|< j00 c4|\/|p3r!

in this type of document? (just kidding)

Seriously, I hate pedagogical attitude.
I had fun playing with that stuff, and it should come through.

 > [...]
 > On the other hand, I would like to see the document slanted
 > towards more of a "white hat" style - e.g. now that we have
 > the cookbook, how can one defend themselves appropriately
 > against the "cooks"?

As I said, the scanner is written before the virus.
Though, I could add some reference to anti-virus tools.
But then most entries on freshmeat target win32 stuff
passing through a Linux/BSD server.

And IMHO you completely miss my point:

Viruses are not a threat to Linux.
Don't take my word for it, try it.
And look how far you can come.

Anyway, I intend to continue like this:

+ Less visible patching of the entry point through
   knowledge of the startup-code (it's always the same gcc/glibc).

+ Setup of chroot-environments for testing viruses (perhaps some
   links to white-hat cvs-in-chroot or bind-in-chroot documentation).

+ Infective code that chooses a target, then calls the C++ infector
   from 4th section with a fixed filename, e.g.
   "/home/alba/BIG-BAD-VIRUS".
   Demonstrates the importance of file permissions (and futility
   of being non-root) without being a deployable virus.

+ Survey through my (limited) virus collection (Is it just my
   incompetence as collector, or are there really so few of them?)

+ Perhaps implementation of an improved infection method.
   But hey, I'm a lazy guy.

 > I stress that these are simply my personal opinions after
 > reading the document.

Thanks for spending your time on it.

However, given the depth of our misunderstanding I would be
glad about detailed contributions. But I don't really know how
to proceed in such a case. Probably CVS and different license.
I just copied that copyright thingy from a template, anyway.
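The scanner mentioned in this message parses readelf output to check a property of gcc/ld executables; as an added example (not the HOWTO's perl script, and using an assumed heuristic rather than the HOWTO's unnamed peculiarity), here is a Python check that the entry point of a stock gcc/ld executable lies inside .text, so a patched entry point stands out. The readelf text is a constructed sample in `-W` (wide) layout; `scan_file` is a hypothetical helper that runs the real readelf.

```python
import re
import subprocess

# Constructed sample of `readelf -h -S -W` output for a small gcc/ld binary;
# it is not from the HOWTO, and the addresses are illustrative only.
SAMPLE_READELF = """\
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Type:                              EXEC (Executable file)
  Entry point address:               0x401040
Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [13] .text             PROGBITS        0000000000401040 001040 000185 00  AX  0   0 16
  [14] .fini             PROGBITS        00000000004011c8 0011c8 000009 00  AX  0   0  4
"""

ENTRY_RE = re.compile(r"Entry point address:\s+0x([0-9a-fA-F]+)")
# One row of the wide (-W) section table: [Nr] Name Type Address Off Size ...
SECTION_RE = re.compile(
    r"^\s*\[\s*\d+\]\s+(\S*)\s+([A-Z_]+)\s+([0-9a-fA-F]+)\s+[0-9a-fA-F]+\s+([0-9a-fA-F]+)",
    re.MULTILINE,
)

def parse_readelf(text):
    """Return (entry_point, {section: (address, size)}) from readelf -h -S -W text."""
    m = ENTRY_RE.search(text)
    if not m:
        raise ValueError("no entry point found in readelf output")
    sections = {}
    for name, _type, addr, size in SECTION_RE.findall(text):
        if name:  # skip the unnamed NULL section
            sections[name] = (int(addr, 16), int(size, 16))
    return int(m.group(1), 16), sections

def entry_point_section(text):
    """Name of the section holding the entry point, or None if it is outside every section."""
    entry, sections = parse_readelf(text)
    for name, (addr, size) in sections.items():
        if addr <= entry < addr + size:
            return name
    return None

def entry_point_looks_sane(text):
    """Heuristic (assumed, not the HOWTO's rule): a stock gcc/ld executable starts in .text."""
    return entry_point_section(text) == ".text"

def scan_file(path):
    """Run the real readelf on a file and apply the heuristic to its output."""
    out = subprocess.run(["readelf", "-h", "-S", "-W", path],
                         capture_output=True, text=True, check=True).stdout
    return entry_point_looks_sane(out)
```

A binary whose entry point falls in .fini, in an appended section or outside every section is flagged for a closer look; it is a heuristic, not proof of infection.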




©The Linux Documentation Project, 2014.