[PLUG] anti virus

William Lee Irwin III wli@holomorphy.com
Thu, 20 Sep 2001 12:59:16 -0700
On Thu, Sep 20, 2001 at 07:16:32AM -0500, Christopher N. Deckard wrote:
> Secondly, there really isn't any kind of anti-virus software because the 
> only way to "infect" a Unix box is to actually run code by hand.  If you 
> want to consider someone cracking into your machine and replacing known 
> binaries (ls, cat, grep, etc) with "evil" versions, then I guess you can 
> consider that a virus.  There is software like Trip Wire and snort and 
> some other things that do intrusion detection and in some cases 
> prevention.

The viral techniques of inserting code into executable formats of
various kinds (be it machine code in ELF or PECOFF formats or shell
scripts or Word macros) all pretty much carry over straight to UNIX.
Of course, a malicious program will need to obtain privileges to do
such modifications to executables or other files owned by root, but
it's probably possible to just propagate entirely without privileges.

In particular, see http://www.big.net.au/~silvio/ (a.k.a. the #1 google
hit for ELF .plt section virus). Computers > Hacking > Viruses > Authors
on google might also be helpful just for getting an idea of what these
things really do when they "infect" files. Various viral sources are
available from there as examples from which to learn.

Cheers,
Bill

P.S.:	I don't know much myself about viruses in particular;
	what I know actually stems entirely from that google
	hit turning up on other queries for ELF information,
	and otherwise following links.
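As an added example (not part of the original post or the list thread): the two ideas Bill and Christopher raise, an ELF infector redirecting execution outside the legitimate code, and Tripwire-style integrity checking of known binaries, can both be checked with a few lines of Python. It parses the ELF64 headers to test whether the entry point lies inside `.text`, compares SHA-256 fingerprints against a recorded baseline, and builds a small constructed ELF image to run against; all function names are hypothetical.

```python
import hashlib
import struct

# ELF64 little-endian header layouts (struct formats follow the ELF spec).
ELF_MAGIC = b"\x7fELF"
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes

def parse_sections(data):
    """Return (e_entry, {section name: (sh_addr, sh_offset, sh_size)})."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    fields = EHDR.unpack_from(data, 0)
    entry, shoff, shentsize, shnum, shstrndx = fields[4], fields[6], fields[11], fields[12], fields[13]
    hdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]               # file offset of .shstrtab
    sections = {}
    for name_off, _type, _flags, addr, off, size, *_rest in hdrs:
        end = data.index(b"\0", strtab + name_off)
        sections[data[strtab + name_off:end].decode()] = (addr, off, size)
    return entry, sections

def entry_point_in_text(data):
    """Heuristic: a clean binary starts executing inside .text; an entry point
    redirected elsewhere (padding, an appended segment) is a classic infection sign."""
    entry, sections = parse_sections(data)
    addr, _off, size = sections[".text"]
    return addr <= entry < addr + size

def fingerprint(data):
    return hashlib.sha256(data).hexdigest()

def changed_binaries(baseline, current):
    """Tripwire-style check: names whose hash no longer matches the recorded baseline."""
    return sorted(name for name, data in current.items()
                  if fingerprint(data) != baseline.get(name))

def make_sample_elf(entry):
    """Constructed test image: 16-byte .text at 0x401000, a .shstrtab, no program headers."""
    text = b"\xc3" * 16                      # 'ret' bytes standing in for code, at file offset 64
    shstrtab = b"\0.text\0.shstrtab\0"       # at file offset 80, 17 bytes
    shoff = 104                              # section header table offset
    ident = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, entry, 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + SHDR.pack(1, 1, 6, 0x401000, 64, 16, 0, 0, 16, 0)
             + SHDR.pack(7, 3, 0, 0, 80, 17, 0, 0, 1, 0))
    body = ehdr + text + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs
```

Run `entry_point_in_text` over `make_sample_elf(0x401004)` and `make_sample_elf(0x401040)` to see a clean versus a redirected entry point; on a real system the same functions take the bytes of `/bin/ls` and friends, with the baseline stored somewhere the checked host cannot rewrite.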