Computer Viruses In Unix Networks

Traditional methods used against attacks in other operating system environments such as MS-DOS are insufficient in the more complex environment provided by Unix. Additionally, Unix provides a special and significant problem in this regard due to its open and heterogeneous nature. These problems are expected to become both more common and pronounced as 32 bit multitask network operating systems such as Microsoft NT become popular. Therefore, the problems experienced today are good indicators of the problems and the solutions that will be experienced in the future, no matter which operating system becomes predominate.

The problem of software attacks exists in all operating systems. These attacks follow different forms according to the function of the attack. In general, all forms of attack contain a method of self preservation which may be propagation or migration and a payload. The most common method of self preservation in Unix is obscurity. If the program has an obscure name or storage location, then it may avoid detection until after its payload has had the opportunity to execute. Computer worms preserve themselves by migration while computer viruses use propagation. Trojan horses, logic bombs and time bombs protect themselves by obscurity.

While the hostile algorithms that have captured the general public's imagination are viruses and worms, the more common direct problem on Unix systems are Trojan horses and time bombs. A Trojan horse is a program that appears to be something it is not. An example of a Trojan horse is a program that appears to be a calculator or other useful utility which has a hidden payload of inserting a back door onto its host system. A simple Trojan horse can be created by modifying any source code with the addition of a payload. One of the most favorite payloads observed in the wild is "/bin/rm -rf / >/dev/null 2>&1" This payload will attempt to remove all accessible files on the system as a background process with all messages redirected to waste disposal. Since system security is lax at many sites, there are normally thousands of files with permission bit settings of octal 777. All files on the system with this permission setting will be removed by this attack. Additionally, all files owned by the user, their group or anyone else on the system whose files are write accessible to the user will be removed. This payload is not limited to use by Trojan horses but can be utilized by any form of attack. Typically, a time bomb can be created by using the "cron" or "at" utilities of the Unix system to execute this command directly at the specified time.

While the bin remove payload is a favorite of many authors, there are other traditional attacks which are not as overt in their destruction. These other attacks are more important because they bend the operation of the system to the purposes of the attacker while not revealing themselves to the system operator. Attacks of this form include the appending of an account record to the password file, copying the password file to an off site email address for leisurely cracking and modification of the operating system to include back doors or cause the transfer of money or property. It is extremely simple to email valuable information off site in such a manner as to insure that the recipient cannot be traced or located. Some of these methods are path dependent, however, the path selected is at the discretion of the attacker.

One of the most simple methods of inserting a back door is the well known suid bit shell attack. In this attack, a trojanized program is used to copy a shell program to an accessible directory. The shell program is then set with permission bits that allow it to execute with the userid and permission of its creator. A simple one line suid bit shell attack can be created by adding the following command to a user's ".login" or any other file that they execute. Example: cp /bin/sh /tmp/gotu ; chmod 4777 /tmp/gotu

Trojan horses and time bombs can be located using the same methods required to locate viruses in the Unix environment. There are many technical reasons why these forms of attack are not desirable, the foremost being their immobility. A virus or worm attack is more important because these programs are mobile and can integrate themselves into the operating system. Of these two forms of attack, the virus attack is the hardest to detect and has the best chance of survival. Worms can be seen in the system process tables and eliminated since they exist as individual processes while virus attacks are protected from this form of detection by their host programs. All of the methods used to detect and prevent viruses are also effective against the other forms of attack, therefore, the remainder of this paper will deal with the more serious problem of viral attacks.

In fact, virus attacks against Unix systems will eventually become more popular as simpler forms of attack become obsolete. Computer viruses have significantly more virility, methods of protection and opportunity for infection. Methods of protection have been highly refined in viruses, including rapid reproduction by infection, migration though evaluation of its environment, (boot viruses look for uninfected floppy diskettes) armor, stealth and polymorphism. In addition, the host system itself becomes a method of protection and propagation. Virus infected files are protected just as much by the operating system as are non-infected files. Introduction of viruses into systems have also been refined using technology called "droppers". A dropper is a Trojan horse that has a virus or viruses as a payload. Finally, extensive networking technology such as NFS (Network File System) allows viruses to migrate between systems without effort.

All of these reasons point to viruses as the future of hostile algorithms, however, the most significant reason for this determination is the effectiveness of the virus as a form of attack. Past experiments by Doctor Fred Cohen [1984] used a normal user account on a Unix system, without privileged access, and gained total security penetration in 30 minutes. Doctor Cohen repeated these results on many versions of Unix, including AT&T Secure Unix and over 20 commercial implementations of Unix. The results have been confirmed by independent researchers worldwide. Separate experiments by Tom Duff [1989] demonstrated the tenacity of Unix viruses even in the face of disinfectors. The virus used in Mr. Duff's experiment was a simple virus written in script. The virus was believed to have been reintroduced by the operating system from the automated backup and restore system. Reinfection took place after the system had been virus free for one year.

I first observed this problem while investigating an infection of personal computers attached to a network with a large population of Unix servers and workstations. The virus was manually attacked on the personal computers using virus scanners. During the infection period all of the personal computers were disconnected from the network and idle. Once all the computers were disinfected, all removable media was tested and the infection was unobserved for a period of time, the computers were reattached to the network. A few weeks later, a test of the computers using the same virus scanner indicated they had become reinfected with the same viruses. The source of infection was then identified as repositories of executables stored on the Unix file servers.

These repositories were organically grown centralized resources for all the personal computers because the Unix servers were effective at providing these shared services via NFS. In retrospect, this problem had to exist. The use of networked systems that were exported from the Unix platforms provided an easy, powerful method of transferring data, including executables. Some network designs provide all third party software from a network disk for ease of maintenance and reduced storage requirements. This easy access provides an open door for viruses.

Once it is understood that the BIOS and processor functions are the same for both operating systems, it is very easy to see how a transplatform virus could be designed by intention. The virus would be able to process correctly by inspecting the operating system using only common BIOS calls and then modify its basic behavior using a simple "if" structure.

Control has been the primary intent of the U.S. national standards on computer security. They deal with the control of access to the system, its functions, resources and the ability to move or share data in the system. These national standards are codified in a library generally referred to as the Rainbow series. (The name was given because the books have different color covers making a library shelf look like a rainbow.) While these standards are a valuable and important aspect of computer security, they do not provide a deterrent against software attack. A virus is an effective way of gaining control over a system, even a highly controlled system such as a B1 rated version of Unix. In this case, control does not provide protection against software attacks because of the viruses' ability to change permission sets with each new owner that is infected. A virus attack gains access to multiple users through shared files. Access control is designed to allow the sharing of files. The ability to share files is a basic need of the user and cannot be eliminated without destroying the usefulness of the system. Discretionary Access Control (DAC) is not protection against software attacks because it is a weak form of protection that can be bypassed and, as discretionary, is at the control of the end users who very often ignore it. Sites where the majority of the files on the system have no DAC protection are normal. (Many Unix sites have permission bit settings of 777 which allow anyone to read, write, execute or modify the file.) Mandatory Access Controls (MAC) also has little effect on virus activity for the same reasons, although MAC can be configured to be neither weak nor easy to bypass. Each time a virus attacks an executable file owned by a different user, it takes on the full privileges of that user, including access to files of other users whose permissions intersect the DAC and MAC permission sets of the infected user. On all systems, the need to share files forces the creation of users who exist in multiple permission sets. This multiple membership allows viruses to move between MAC compartments and levels. The reduction of multiple membership users will slow the advance of a virus but will not eliminate it. Finally, once a virus gains access to an operator account (root, operator, isso) it cannot be stopped by any form of control.

Inspection is the traditional way of locating both known holes in operating systems and in locating known viruses. The key word here is "known". System audit tools such as COPS, SATAN and others can only locate holes that are known to them. Virus scanners can only locate viruses that are known to them. This means that a virus scanner or inspection tool is obsolete even before it is shipped from the factory. It can only deal with the past, never the present or future since conditions searched for must exist at the time of coding. Virus scanner have to be constantly updated. This is becoming a problem with the explosion of viruses being created by new authors and virus computer aided design and manufacturing tools (V-CAD/CAM).

It has been proposed that audit tools such as COPS can be used to deter virus infections because they strengthen the system's ability to control access and data movement. These inspection tools only improve control. As stated, control does not provide protection against virus attacks. It attempts to keep outside people out and inside people within their areas of authorization.

The third category of protection is Integrity. Integrity systems are intended to detect change. In the MS-DOS world, early integrity systems used cyclic redundancy character, CRC, values to detect change. A virus was then created which countered this protection. The virus determined the CRC value of the target file, infected it, and then padded the file until the CRC value computed the same. Many Unix users still use this method of change detection, or worse, they attempt to use the date of last modification as an indication of change. The date of last modification can be changed to any value on Unix systems with a simple user command. On many systems an option of the "touch" command provides this ability.

Any integrity tool that does not use cryptographic methods is of little value. In fact, if the integrity system fails to detect critical changes, then the false sense of security created in the system operator can be devastating to the system. CyberSoft created an integrity tool, CIT, using the RSA Associates MD5 cryptographic hash algorithm. Since the algorithm is cryptographic, it can detect even a single bit flip and cannot be misled by any known means. In addition, during the development of CIT, it was determined that it was necessary to detect additions and deletions to the file system since these could be indications of non-infectious attacks such as performed by Trojan horses, worms and hackers. In this way, a rolling baseline can be created that will allow the system operator to quickly recover from any form of file system attack. Modifications to the protected file system created by unauthorized users or software attacks can be detected and removed. Using a tool of this type allows the administrator to locate the approximate time of attack since the modification will have taken place between two known timed events, the last and current execution of the integrity tool. Finally, integrity tools can be used to determine if a third party file has been modified or tampered with prior to use. Some manufacturers of Unix operating systems now publish MD5 digests of their systems. Using these digests, it is possible to determine that the file on your system is exactly as it should be. There was no degradation from misreading the installation media, deterioration of the disk system or intentional modification. If a manufacturer does not publish a list, then end users can create their own by installing an operating system on multiple systems from different media sources. The created digests of each system should agree.

The VFind product provides protection in all three categories. It provides Control by supplying the COPS audit tool along with a proprietary audit tool called THD (Trojan Horse Detector). COPS was not developed by CyberSoft and is available free on the Internet, however, CyberSoft believes it is necessary to provide a certificate of traceability for COPS. It receives the program directly from the author, Dan Farmer, and supplies it to the end user without modification other than packaging. This insures that the end user does not receive a trojaned or corrupt copy of the program. The THD program makes use of the fact that many Trojan attacks use duplicate file names where the file name of the Trojan is the same as a popular Unix command in order to execute. The "ls" command is normally stored in the "/usr/bin" directory. Since many users allow world read permission on their account control file, (a.k.a. dot-files) it is easy to learn the search path selected by that user to search for system commands. If an area that can be written into is in the search path prior to "/usr/bin", then a Trojan or virus infected version of the ls command can be located in that directory and will be executed. The THD program looks for duplicate file names throughout the system. It also detects known high risk file names such as "/tmp/gift" which is the result of the Unix Usenix Virus (a.k.a. AT&T Attack Virus) running on the system.

Inspection is provided by a standard virus scanner. Since the Typhoid Mary problem affects Unix systems, the scanner simultaneously searches for Unix, MS-DOS, Macintosh and Amiga viruses on the Unix system. It has a user accessible pattern matching language called CyberSoft Virus Description Language, CVDL, which can be used to keep the scanner up to date. In fact, the end user can use legally obtained scan codes from other vendors or of their own creation in order to provide independence from the vendor.

There were multiple reasons why CyberSoft felt it was necessary to develop a virus description language. The increasing sophistication of the problems was becoming difficult using standard scanning technology. Many of the viruses that attack UNIX are written entirely in source code and executed in interpretative languages such as script. Scan codes cannot be easily designed to find a virus in which white space, the use of tabs and variable names change. Normal scan codes depend on the fact that binary executables contain stable strings of code that can be searched for at specific addresses (excluding polymorph and stealth). This is only partially true in the UNIX environment. Since VFind was designed to search for UNIX, MS-DOS, Apple Macintosh and Commodore Amiga viruses on the UNIX platform, addresses could no longer be specific since the infected file might exist within a pseudo-disk or a compound file such as a tar file. In addition, the sequences of stable code values had to increase in size to hold statistical validity and not generate false hits.

Scanning for viruses written in source code required several innovations in virus scanners. Many of the features required are normal parts of compiler parsers. Compiler parsers are the first step in the process of taking a computer program written in a source language and producing a binary executable. CyberSoft felt that a compiler parser could provide a solution to its technical goals, however, it would be necessary to define an entire language for the parser to work correctly. At the time this decision was being made, 1991, CyberSoft was unable to locate any standards for a virus description language. The language was defined in January 1992 and named the CyberSoft Virus Description Language, CVDL.

During the design of CVDL, several goals were defined. The first was to design a universal way of describing pattern matching. The second was that the language incorporate enough features that unforeseen future requirements could be resolved without changing the language or code. The grammar and versatility of the language must allow general programming within the pattern matching framework. These goals dictated many of the intrinsic features within CVDL, including the necessity to process any character or hex stream. Originally, we desired the capability of processing any length pattern description, however, practical limits prevailed and a limit of 32,000 bytes per description was defined. A description of 32,000 bytes length can yield an actual pattern thousands of times longer so the constraint was considered non-binding. Boolean operators were defined and upper/lower case sensitivity or case insensitivity was made a user selectable option. One of the hardest requirements to efficiently design was the ability to provide forward reference proximity scanning. This feature was a necessity to locate source code viruses. Proximity scanning allows the definition of a pattern that will not be affected by the ambiguity of the typist or white space.

One of the design features of CVDL is its ability to be used for the cleanup of data spills by searching a system for predefined patterns. While data spills are not a common problem with software attacks, they are a common problem with hacker attacks. A hacker will store interesting files in obscure locations. Many organizations caveat "interesting" files using document headers such as "TOP SECRET" or "COMPANY CONFIDENTIAL". Using CVDL, many different possible patterns of actual code can be pattern matched within defined constraints. In this way, CVDL is able to produce a basic model of a pattern that can match with a high percentage of accuracy and integrity.

Finally, an MD5 cryptographic integrity tool called CIT provides integrity to the entire file system. CIT identifies all files which have been modified, added or deleted to the file system. A side benefit to this ability is a reduction in help desk repair time when correcting system problems.

The use of tools from all three categories of protection, along with sensible policies and procedures, provides maximum protection against software method attacks in Unix by providing support in each area that is deficient in the other tools.

Finally, viruses and worms can provide the perfect format for a hostage shielded denial of service attack. It is well known that an Internet attached system can be made to "disappear" or crash by flooding it with IP packets. Site administrators can protect their systems from crashing by programming their local router to filter out packets from the attacking source. The system will still disappear because legitimate users will be squeezed out by the flood of attack packets, but filtering at the router can at least save the system from crashing. Unfortunately, anyone can masquerade as someone else on the Internet by merely using their IP address. This attack can send a barrage of packets to the target site, each of which has a different source IP address. It is not possible to use a router to filter from this type of attack, but the Internet service provider can trace the source of attack by physical channel without relying upon the IP address. In cooperation with other Internet providers, the attacker can be isolated from the Internet for a short time. Hopefully, the attacker will become bored and go away or can be identified for action by law enforcement. Another possibility is to use viruses to generate the attack. If a virus is successful in spreading to thousands of sites on the Internet and is programmed to start an IP attack against a specific target on the same day at the same time then there is no way to stop the attack because it has originated from thousands of sites all of which are live hostages. The site under attack will have to go off line since the Internet service providers will be helpless in the face of a coordinated dispersed attack. Since the impact against each individual hostage system is low, the hostages may not even notice that there is a problem. The Internet service provider attached to the target system is in the best position to detect the attack, however, they are as subject to this attack as the target since they may "crash" from the excessive bandwidth usage flooding their network from multiple sources.

As these problems unfold, new methods of protection must be created. Research has hinted at several promising methods of protection, including real time security monitors that use artificial intelligence for simple decision making. It is my hope that these problems never reach existence, but I am already testing them in an attempt to devise methods of counteracting them. If I can create these programs, so can others.

Even with the current problems and the promise of more sophisticated problems and solutions in the future, the one thing that I believe to be certain is that Unix or Unix-like systems will continue to provide a pay back that is well worth the cost of operating them.

Virus Bulletin International 1995 September 21, 1995
(Virus Bulletin Journal) Boston Park Plaza Hotel Boston, Mass.

Eighth Annual CALS Expo 1995 October 24, 1995
(National Security Industrial Association) Long Beach Convention Center Long Beach, CA.

Photonics East 1995 October 25, 1995
(SPIE, International Society for Optical Pennsylvania Convention Center Engineering) Philadelphia, PA.

Open Systems Security 1996 March 5, 1996
(MIS Training, OSF, ISSA, Bellcore, Hilton Disney World Village InfoSecurity News) Lake Buena Vista, FL.

This paper is not the exact version presented at the conferences. The conference papers were tailored for each conference. This paper is a work created from the same root document as those presented. For copies of the presented documents please contact the individual conference sponsors for back issue pricing.