public inbox for blinux-list@redhat.com
* MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF   VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS (fwd)
From: Luke Davis @  UTC (permalink / raw)
  To: blinux-list

---------- Forwarded message ----------

SANTA CLARA, Calif.--(BUSINESS WIRE)--Feb. 6, 1997--McAfee (NASDAQ:MCAF),
the world's leading vendor of anti-virus software, today announced that
its virus researchers have discovered the first computer virus capable of
infecting the Linux operating system.

The Linux operating system is a publicly supported freeware variant of the
Unix operating system that runs on Intel-based personal computers.

The virus, which is called Bliss, is significant because many in the Unix
industry have previously believed that viruses were not a concern to Unix
operating system users. Unix operating systems are typically difficult to
infect with viruses since a virus writer must have administrative
privileges to infect a given Unix system. McAfee researchers believe that
one reason this virus has begun to spread is because Linux users who are
playing computer games over the Internet, such as DOOM, must play the game
in the Linux's administrator mode, which is called "root."

"Bliss is a destructive virus which overwrites Linux executables with its
own code," said Jimmy Kuo, McAfee's director of anti-virus research.
"Although several incidents of Bliss infection have already been reported,
the virus is not currently widespread. We encourage concerned Linux users
to download a free working evaluation copy of our VirusScan for LINUX,
which can be used to detect the virus."

The History of Bliss

Very little is known about the history of the Bliss virus. McAfee
discovered the Bliss virus two days ago, and posted a solution Wednesday
evening on its web site. The virus is believed to have been created as a
research project several months ago by an anonymous programmer, and until
recently was not an "in-the-wild" threat. Recently, reports of the virus
have begun to surface within Linux Internet news groups.

How Bliss Works

Bliss infects Linux executable files. Each time Bliss is executed, it
overwrites two or more additional files. Because the virus makes its
presence known by overwriting and destroying files each time it executes,
users are immediately alerted to its presence. Bliss overwrites the first
17,892 bytes of each affected file with its own code. According to McAfee
anti-virus researchers, all files infected by Bliss are irrecoverable.

Although the virus does not operate under traditional operating systems
such as DOS, Windows, Windows 95, Windows NT, NetWare and the Macintosh,
files created in these aforementioned operating system formats and stored
on Linux file servers are vulnerable to corruption by Bliss.

McAfee Ships World's First Bliss Virus Scanner

As a public service, McAfee has developed a special update of its VirusScan
for LINUX software which provides an antidote for the virus. The free
working evaluation version of the product can be downloaded from McAfee's
web site at www.mcafee.com . McAfee has also provided the virus sample to
other anti-virus vendors, so that they too can develop solutions to protect
their customers.

McAfee World's Leading Vendor of Anti-Virus Solutions

According to IDC, McAfee is the leading vendor of anti-virus software, with
a worldwide unit market share of 68% for standalone DOS and Windows PC
desktops. As the world's leading vendor of anti-virus software, McAfee is
considered the computer industry's Center for Disease Control. McAfee
anti-virus products are currently used and trusted by over 20 million
computer users worldwide. By having more users than any other anti-virus
software vendor, McAfee is often the first to discover emerging virus
threats such as the Bliss virus.

With nearly 1,000 suspect virus infections submitted to McAfee anti-virus
researchers each month, the company typically discovers between 100 and 200
new viruses. The company leverages its unique presence on the Internet to
release monthly updates to customers.

McAfee provides the industry's most comprehensive line of anti-virus
software solutions designed to protect against computer viruses on all
major desktop and network computing platforms. The products support DOS,
Windows 3.x, Windows 95, Windows NT, NetWare, Unix, Linux, OS/2, Lotus
Notes, the Internet, and Macintosh. McAfee's flagship anti-virus product
for desktop computers is VirusScan. Another McAfee product, WebScan, an
anti-virus scanner for Web browsers and email, protects desktop computer
users from accidentally downloading virus-infected files from the Internet.
For further protection against Internet-borne viruses, McAfee sells
WebShield, an anti-virus solution for Internet gateways and firewalls.
McAfee's new GroupScan and GroupShield provide native virus protection for
Lotus Notes.

Founded in 1989, McAfee is a leading worldwide vendor of Network Security
and Management products for enterprise networks. The Company is also a
leader in Internet and Web-based electronic software distribution. McAfee
is headquartered in Santa Clara, California and can be reached by phone at
(408) 988-3832 or by fax at (408) 970-9727. McAfee's Web address is
http://www.mcafee.com .


CONTACT: McAfee

Jimmy Kuo, 408/980-3608

(Director of Anti-Virus Research)

or

Dovetail Public Relations

Mark Coker/Jim Azevedo, 408/395-3600


AP-NY-02-06-97 2300EST



* Re: MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS (fwd)
From: AARON HOWELL @  UTC (permalink / raw)
  To: blinux-list

Just a few points that need clearing up here.
On Sat, 22 Feb 1997, Luke Davis wrote:

> world's leading vendor of anti-virus software, today announced that its
> virus researchers have discovered the first computer virus capable of
> infecting the Linux operating system.
This paragraph is a blatant lie on McAfee's part. They didn't discover
this so called virus (which isn't really, see below); they read about it on
bugtraq, and decided to take credit for it.

> The virus, which is called Bliss, is significant because many in the Unix
> industry have previously believed that viruses were not a concern to Unix
> operating system users. Unix operating systems are typically difficult to
> infect with viruses since a virus writer must have administrative
> privileges to infect a given Unix system. McAfee researchers believe that
> one reason this virus has begun to spread is because Linux users who are
> playing computer games over the Internet, such as DOOM, must play the game
> in the Linux's administrator mode, which is called "root."
Contrary to what McAfee would have you believe, Bliss isn't a virus; what
it actually is, is a trojan. It relies on people running unknown binaries
as root, a practice which is downright stupid at the best of times.  If a
simple trojan like bliss is all you end up with from doing that, then
you're extremely lucky.

> "Bliss is a destructive virus which overwrites Linux executables with its
> own code," said Jimmy Kuo, McAfee's director of anti-virus research.
> "Although several incidents of Bliss infection have already been reported,
> the virus is not currently widespread. We encourage concerned Linux users
> to download a free working evaluation copy of our VirusScan for LINUX,
> which can be used to detect the virus."
Wrong on both points. Bliss is not destructive. It replaces your system
binaries with copies of itself, and moves the originals into
/tmp/bliss/originalbinaryname. It contains code which infects more
binaries then executes the original binary from /tmp/bliss. Again, it can
only infect if the infected program is run as root.
As for McAfee's comment about the virus being not widespread or well
known about, it was distributed (in source and binary form) over various
linux security related mailing lists, long before McAfee started making
false claims about being the first to discover it.

> Very little is known about the history of the Bliss virus. McAfee
> discovered the Bliss virus two days ago, and posted a solution Wednesday
> evening on its web site. The virus is believed to have been created as a
> research project several months ago by an anonymous programmer, and until
> recently was not an "in-the-wild" threat. Recently, reports of the virus
> have begun to surface within Linux Internet news groups.
The virus author posted a complete history of the virus, along with the
code for it, to bugtraq.

> affected file with its own code. According to McAfee anti-virus
> researchers, all files infected by Bliss are irrecoverable.
This was due to a bug in the original version of bliss; the new, updated
version, which is the one in wide circulation over the net, bugtraq,
linux-security, etc., does not have this fault, and acts as described
above.

> Although the virus does not operate under traditional operating systems
> such as DOS, Windows, Windows 95, Windows NT, NetWare and the Macintosh,
> files created in these aforementioned operating system formats and stored
> on Linux file servers are vulnerable to corruption by Bliss.
This simply isn't true. Bliss infects executables in the current
directory (usually a system directory.)

> McAfee Ships World's First Bliss Virus Scanner
>
> As a public service, McAfee has developed a special update of its
> VirusScan for LINUX software which provides an antidote for the virus.
> The free working evaluation version of the product can be downloaded from
> McAfee's web site at www.mcafee.com . McAfee has also provided the virus
> sample to other anti-virus vendors, so that they too can develop
> solutions to protect their customers.
That's interesting. An antidote for a virus that supposedly renders
infected files irrecoverable. Apparently McAfee can work wonders with
software as well as press releases.
[massive rant about how good McAfee is deleted.]
In short, the solution to not getting viruses such as bliss is simple.
Don't run unknown or suspect software as root. If you *must* run a binary
of a package which you haven't compiled yourself, such as doom etc. where
the source code is proprietary and not available to the general public, be
sure to obtain the program from the software distributor's web or ftp
site, or from a trusted ftp site such as sunsite.unc.edu where software is
tested before being incorporated into the main ftp tree.
With *any* unix system, not just linux, any new piece of software should
be considered suspect until proven otherwise, not the other way round.
Incidentally, "strings <binary-filename>" will reveal some pretty damn
suspect strings in any binary file that is infected with bliss, right near
the top of the file.
This is the same process the McAfee virus scanner uses to find the virus.
I hope this helps to clear up a few misconceptions presented by that
article.
Regards
Aaron.

-----------------------------------------------------------------------------
Aaron Howell.	Q.U.T Equity Department, Technical Support/Training.
work: a.howell@qut.edu.au	Linux/Networking Support.
home: a.howell@student.qut.edu.au	phone +61-19-956-467
www: http://www.cnl.com.au/~aaron	irc: DaRkAnGeL
"Captain, I think I speak for all of us when I say, to hell with orders." 
Lt. Cmdr Data Startrek, (First Contact).



* Re: MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF   VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS (fwd)
From: Travis Siegel @  UTC (permalink / raw)
  To: blinux-list

I'd like to point out that this linux virus is a research project only.
Anyone on the linux security lists already knows this.  The original virus
was distributed there, with xrot-13 encoding, and every other byte
switched.  It wasn't just unleashed on the general populace.  Not to
mention, this particular virus has a command line option that will remove
itself from any infected files.  Perhaps McAfee is jumping on this one a
bit too hard?

Http://softcon.com offers web pages for a reasonable rate, and will even
create pages for you at *very* fair rates.  Check us out today if you're
looking for a home for your web pages.




* Re: MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS (fwd)
From: AARON HOWELL @  UTC (permalink / raw)
  To: blinux-list

On Sat, 22 Feb 1997, Peter W wrote:

> One of the very unfortunate things about running Linux is that default setups 
> place our machines in jeopardy every time we connect to the Net. The "threat" of 
> Bliss is pretty slim if you're careful, as Aaron suggests. It's probably much 
> more important to watch general security issues. EG install and configure 
> Tripwire to watch your important binaries for unexpected changes. Run COPS on 
> occasion. Make sure all your software is up-to date (I highly recommend RedHat 
> for this, as they generally release easy-to-handle RPM packages pretty quickly). 
This unfortunately stems from the fact that linux primarily started out as
a hacker operating system.
It was safe for the original designers of linux installations to assume
that:
a) The potential user was aware of the unstable nature of linux (at the
time)
and
b) The potential user was aware of such things as security issues, and
hence could configure their systems appropriately to avoid such problems.
This however is no longer the case. Many of the distribution maintainers
haven't yet caught up with the reality that linux is no longer an
operating system purely for serious hackers, and their package design
still reflects this assumption.
Probably the best of the distributions at the moment, particularly for
those with a visual disability, is debian, closely followed by redhat.
I rank debian above redhat for two simple reasons. The first of which is
that debian's new boot disks allow it to be installed over a serial link
from beginning to end with no extra configuration required, and secondly
because of a brilliant little package management system called dftp, which
is an extension to debian's dpkg, which manages package retrieval via ftp
by allowing you to use your own text editor to edit a selection file
instead of forcing you into a not-always-well-designed ncurses interface.
This means those of you running emacspeak can use an environment you are
familiar with for package manipulation instead of learning another
program.

> Those of us who have static IP addresses are at more risk, since our machines 
> are sitting ducks. I'll take a moment to chastise Caldera here: it has not kept 
> up with security problems in its original product even though it has yet to 
> release the official upgrade.
Slackware is another example of this phenomenon. There seem to be two
types of distribution maintenance schemes. There are the people who
maintain a closed distribution: slackware, caldera, craftworks etc. These
distribution maintainers rarely release anything outside of their official
releases. The advantage to this is that when the new official product does
come out, it's *usually* fairly stable.
Then there is the type of maintainers like those who look after debian and
redhat, who make their entire development tree available as it's being
developed. This policy allows those who are that way inclined to keep
up with the very latest developments in their distributions, and means
that security fixes are available almost immediately to the general public
instead of several months later in a new commercial product.

> A good place for info is http://www.redhat.com/linux-info/security/ especially 
> the "Other computer security resources" link.
Anyone who is at all concerned about their linux system's security should
be on at least linux-security and bugtraq.
Subscribe to linux-security by sending a message with subscribe in the
body to linux-security-request@redhat.com (I think).
Bugtraq can be joined by sending mail to listserv@netspace.org with
subscribe bugtraq in the body.
Many distributions also maintain their own users and bugs mailing lists
which are also worth joining in order to keep up to date with the latest
in distribution development and user questions, see the relevant
distribution faq for more info.
Regards
Aaron


-----------------------------------------------------------------------------
Aaron Howell.	Q.U.T Equity Department, Technical Support/Training.
work: a.howell@qut.edu.au	Linux/Networking Support.
home: a.howell@student.qut.edu.au	phone +61-19-956-467
www: http://www.cnl.com.au/~aaron	irc: DaRkAnGeL
"Captain, I think I speak for all of us when I say, to hell with orders." 
Lt. Cmdr Data Startrek, (First Contact).



* Re: MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS (fwd)
From: Brett @  UTC (permalink / raw)
  To: blinux-list



t



* Re: MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS (fwd)
From: Peter W @  UTC (permalink / raw)
  To: blinux-list

On Sat, 22 Feb 1997 19:41:04 +1000 (EST), AARON HOWELL wrote:

>> researchers have discovered the first computer virus capable of infecting the
>> Linux operating system.
>This paragraph is a blatent lie on Mcafee's part. They didn't discover
>this so called virus (which isn't really, see below, they read about it on
>bugtraq, 

One of the very unfortunate things about running Linux is that default setups
place our machines in jeopardy every time we connect to the Net. The "threat" of
Bliss is pretty slim if you're careful, as Aaron suggests. It's probably much
more important to watch general security issues. E.g. install and configure
Tripwire to watch your important binaries for unexpected changes. Run COPS on
occasion. Make sure all your software is up-to-date (I highly recommend RedHat
for this, as they generally release easy-to-handle RPM packages pretty quickly).
Those of us who have static IP addresses are at more risk, since our machines
are sitting ducks. I'll take a moment to chastise Caldera here: it has not kept
up with security problems in its original product even though it has yet to
release the official upgrade.

A good place for info is http://www.redhat.com/linux-info/security/ especially 
the "Other computer security resources" link.

-Peter
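Peter's advice above (watch important binaries for unexpected changes, as Tripwire does) and Aaron's description of Bliss replacing binaries in place and stashing the originals under /tmp/bliss can both be checked with a small baseline script. The script below is an added example, not Tripwire and not code from anyone in this thread; it assumes sha256sum or shasum is installed, and it takes the /tmp/bliss path from Aaron's post as a description to look for, not as a verified fact about the sample.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline in the spirit of Tripwire.
# Not Tripwire itself and not from this thread; assumes sha256sum or shasum.

# Print the SHA-256 hex digest of one file (portable across coreutils/BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR BASELINE: record "<hash>  <path>" for every file under DIR.
# Keep BASELINE where a root-run binary cannot rewrite it (e.g. read-only media).
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# verify_baseline DIR BASELINE: print CHANGED/MISSING/NEW files.
# Returns 0 when nothing differs, 1 otherwise (so cron can mail on failure).
verify_baseline() {
    dir=$1; base=$2
    report=$(
        while read -r h f; do
            if [ ! -f "$f" ]; then
                echo "MISSING  $f"
            elif [ "$(hash_file "$f")" != "$h" ]; then
                echo "CHANGED  $f"   # overwritten in place, as Aaron describes
            fi
        done < "$base"
        # Files not in the baseline: 64 hex chars + 2 spaces puts the path at column 67.
        find "$dir" -type f | LC_ALL=C sort | while read -r f; do
            cut -c67- "$base" | grep -qxF -- "$f" || echo "NEW      $f"
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# check_stash [DIR]: Aaron's post says Bliss moves originals to /tmp/bliss/<name>
# (his description, assumed here, not verified). Returns 1 if such a stash exists.
check_stash() {
    stash=${1:-/tmp/bliss}
    [ -d "$stash" ] || return 0
    echo "STASH    $stash exists; originals may have been moved here:"
    ls -l "$stash"
    return 1
}

# Usage: sh integrity.sh baseline /usr/bin /mnt/floppy/base.txt
#        sh integrity.sh verify   /usr/bin /mnt/floppy/base.txt
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3"; check_stash ;;
esac
```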





