A history of viruses on Linux

We recently gave you a brief history of viruses on the Mac and as requested by a user we wanted to give you a history of viruses on Linux. Given the tight security integrated into Linux, it is difficult to take advantage of a vulnerability on the computer, but some programmers have found ways around the security measures. There are several free options for anti-virus on Linux that you really should use, even if it isn't always running - a weekly or monthly scan doesn't hurt. Free anti-virus solutions include: ClamAV, AVG, Avast and F-Prot.

The cracker group VLAD wrote the first Linux virus named Staog. The virus took advantage of a flaw in the Kernel that allowed it to stay resident on the machine and wait for a binary file to be executed. Once executed the virus would attach itself to that file. Shortly after the virus was discovered the flaw was fixed and the virus quickly became extinct. VLAD was also responsible for writing the first known virus for Windows 95, Boza.

The Bliss computer virus made its way out into the wild. The virus would attach itself to executables on the system and prevent them from running. A user had to have root access for the virus to be affected, and to this day Debian lists itself as still being vulnerable to this virus. The threat to Debian is minimal though as users do not typically run as root. 

No significant viruses were reported this year but oddly enough a hoax message went around stating there was a virus that was threatening to install Linux on your computer. At the time the Melissa virus was ravaging PCs worldwide and on April 1, 1999 (April Fools Day) a message went out warning that a virus named Tuxissa was running about secretly installing Linux on unsuspecting computers. 

A rather harmless virus, Virus.Linux.Winter.341, showed up and inserted itself into ELF files; ELF files are executable Linux files. The virus was very small, only 341 bytes, and would insert LoTek by Wintermute into the Notes section of an ELF file. The virus was also supposed to change the computer name to Wintermute but never gained control of a machine to effect the change. 

This was an eventful year for Linux viruses; the first was the ZipWorm, a harmless virus that would simply attach itself to any zip files located in the same directory it was executed in. Next was the Satyr virus which was also a harmless virus, it would simply attach itself to ELF files adding the string unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], https://shitdown.sf.**(edited as URL causes Avast to block page). There was also a virus released called Ramen which would replace index.html files with their own version displaying Ramen Crew at the top and a package of Ramen Noodles at the bottom. Later a worm by the name of Cheese came out that actually closed the backdoors created by the Ramen virus. There were several other viruses released this year that were relatively harmless. 

A vulnerability in Apache led to the creation and spread of the Mighty worm. The worm would exploit a vulnerability in Apache's SSL interface, then infect the unsuspecting victims computer. Once on the computer it would create a secret connection to an IRC server and join a channel to wait for commands to be sent to it. 

Another harmless virus showed up, it was called the Rike virus. The virus, which was written in assembly language, would attach it self to an ELF file. Once attached it would expand the space the file required and write RIKE into that free space. 

Similar to the virus from the previous year, the Binom virus would simply expand the size of the file and write the string [ Cyneox/DCA in to the free space. The virus was spread by executing an infected file. 

The Lupper worm began spreading to vulnerable Linux web servers. The worm would hit a web server looking for a specific URL, then it would attempt to exploit a vulnerable PHP/CGI script. If the server then allowed remote shell command execution and file downloads, it would become infected and begin searching for another server to infect. 

A variant of the Mighty worm from 2002 named Kaiten was born. It would open a connection to an IRC channel and wait for commands to be sent and executed. 

An exploit in OpenOffice led to the spread of a virus named BadBunny. This virus would infect Windows, Mac and Linux machines. The virus creates a file called badbunny.py as an XChat script and creates badbunny.pl, a Perl virus infecting other Perl files. There was also a trojan horse released by the name of Rexob. Once on the machine, it would open a backdoor allowing remote code execution. 

A website for GNOME users to download screensavers and other pieces of eye-candy unknowingly hosted a malicious screen saver called WaterFall. Once installed on the machine it would open up a backdoor that when executed would cause the machine to assist in a distributed denial of service attack (DDOS). The DDOS attack was very specific and targeted a specific website, MMOwned.com. 

The koobface virus, a virus that spreads through social networking sites targets Windows, Mac and, in a more recent variant, Linux computers. Once infected, the virus attempts to gather login information for FTP and social networking sites. Once your password has been compromised the virus will send an infected message to all of your friends in your social network. 

This is by no means a complete list of Linux viruses but it does cover the major ones. It also points out that most of the viruses found on Linux are fairly harmless. That doesn't mean they don't exist though. Be sure to keep an eye on what your downloading and where you're going on the Internet and you will most likely stay virus free. An occasional virus scan wouldn't hurt either. 


Report a problem with article
Next Article

Apple to expand their campus

Previous Article

Homeland Security seizes over 70 domains

100 Comments - Add comment