Winux: Two in One Virus
The first Windows, Linux cross-platform virus discovered
 

Virus researchers have discovered a new breed of virus that infects both Windows and Linux files on Intel-based Pentium PCs. Considered a proof-of-concept virus, it has not been found in the wild. As such, it does not pose a threat to users, but it could signal the start of a new trend in virus writing: the cross-platform threat. Within less than a day of discovery, the new virus has already been assigned a number of different names, including Linux.PEElf.2132, W32.Winux, Linux.Winux, W32/Lindose, and W32.PEElf.2132.

The Winux virus affects Microsoft Windows versions 95, 98, ME, NT, and 2000 as well as Linux, infecting both Windows PE (portable executable) files and Linux ELF files. When a Windows PE file is infected, the filename is converted to upper case. On Linux, no case conversion occurs. The virus does not remain resident and there is no malicious payload.

According to William Stearns, Senior Research Engineer of the Dartmouth Institute for Security Technology Studies, Linux viruses are far rarer than Windows viruses simply because Linux systems are much harder to infect. Unless the user logs on as root (the equivalent of a Windows NT/2000 administrator), "few binaries could be infected and most of the system files would be protected." In his white paper, "The Top Ten Reasons Not to Run as Root.v8", William describes the root password as "much like a skeleton key to a building that also opens any desk drawer or filing cabinet" and provides a list, both humorous and factual, of reasons not to run as root.
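The permission argument above can be checked on a real host. The following Python code is an added example, not taken from the article or from Stearns's paper: it lists the ELF files in a set of directories that a given uid could overwrite, judged by classic Unix mode bits only. The function names, the sample files and the uids in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

def is_elf(path):
    """True if the file starts with the ELF magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def can_modify(st, uid, gids=()):
    """Mode-bit check only; ignores ACLs, read-only mounts, directory perms (assumption)."""
    if uid == 0:  # root bypasses mode bits, hence the advice not to run as root
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def modifiable_elf_files(dirs, uid, gids=()):
    """Sorted paths of regular ELF files directly inside `dirs` that `uid` could overwrite."""
    hits = []
    for d in dirs:
        for entry in os.scandir(d):
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISREG(st.st_mode) and is_elf(entry.path) and can_modify(st, uid, gids):
                hits.append(entry.path)
    return sorted(hits)

def demo():
    """Constructed sample: a fake ELF file (mode 0755) and a text file in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        elf = os.path.join(tmp, "tool")
        with open(elf, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x00" * 12)
        os.chmod(elf, 0o755)
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("not a binary\n")
        owner = os.lstat(elf).st_uid
        users = {"root": 0, "owner": owner, "other": owner + 1000}  # constructed uids
        return {who: [os.path.basename(p) for p in modifiable_elf_files([tmp], uid)]
                for who, uid in users.items()}

if __name__ == "__main__":
    print(demo())
```

To audit a real system, call `modifiable_elf_files(os.environ["PATH"].split(os.pathsep), os.getuid(), os.getgroups())` as the ordinary user account; on a typical installation the result should be empty or limited to that user's own directories.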

Proof-of-concept
Proof-of-concept viruses are nothing new. The first Word macro virus, aptly named Concept, has since been followed by hundreds, if not thousands, of other macro viruses. Indeed, macro viruses are now the most prevalent infector found in the wild, according to data gathered by the Wildlist Organization. Bubbleboy, another proof-of-concept worm, was followed by a highly successful copycat worm, Kak, now considered the top infector of the year 2000 and still a top contender on current threat tracking lists.

Other proof-of-concept viruses, such as Stream, have not spawned copycats but have underscored the need for industry-wide changes in antivirus scanning methods to deter such viruses. Chris Brenton, also a Research Engineer of the Dartmouth Institute for Security Technology Studies, published an insightful article on the shortcomings of antivirus scanners as they pertain to threats such as Stream, which affects Windows NT and 2000 running NTFS. This article, Virus Scanner Inadequacies with NTFS, provides background information on alternate data streams, what changes are needed, and what steps end users can take.

Proof-of-concept viruses often provide further indication that antivirus scanners are only part of the solution. Safe computing continues to depend on safe users. Critical security patches should be installed for each operating system being run, downloaded executables and those received via email should always be checked thoroughly before running, and antivirus software must be kept continually updated for maximum protection. Filtering products, which remove potentially harmful executables from email, are also valuable additions to the defenses against computer viruses.

Visit the New Computer Center for tips on helping secure a Windows system from digital acts of vandalism. Be suspicious of email attachments and remember that you are responsible for your system's safety.


©2008 About.com, a part of The New York Times Company.

All rights reserved.