Linus Torvalds has had an opportunity to examine the testing and analysis by Hans-Werner Hilse which we reported on yesterday, and has blessed it as being correct. The reason that the virus is not propagating itself in the latest kernel versions is due to a bug in how GCC handles specific registers in a particular system call. He has coded a patch for the kernel to allow the virus to work on even the latest Linux kernel.
News source: NewsForge.comThat may sound terribly complex, so let's break it down. A system call is made when an application, in this case, the virus, wants the kernel to perform a task for it: perhaps to read some data, or write it to a file, or so on.
As part of the housekeeping done by an application before such a call, specific registers -- a register is a temporary storage address which can be accessed as fast as possible by the CPU -- are loaded with additional information required to perform whatever task the call is asking for.
If you wanted to move a string of data like "CAPZLOQ TEKNIQ 1.0" from one place in memory to another, you would need to load the address where the string begins in one specific register, the address where you want it moved to in another register, and the number of bytes to move in yet another.
By convention, applications assume that certain registers will not be changed during the call. The reason the virus did not work in the latest kernel is that one register, the ebx register, which the virus expects to remain unchanged, is being overwritten.
The bug, which seems to me is more of a bug in GCC than the kernel, doesn't seem to appear in most code. It takes the rare combination of hand-crafted assembler code and the use of old, now deprecated, system calls to appear. This lends support to the speculation that this virus is not new code at all, in spite of how Kaspersky Lab is trying to use it to drum up new business.
-1 Comments - Add comment