Tuesday, April 11, 2006

the case of the non-expert expert: a rebuttal to "the case of the non-viral virus"

how many people read the newsforge article titled "the case of the non-viral virus" by joe barr? if you did then you've just witnessed false authority syndrome in action...

let's deconstruct it, shall we?

Thus, once and for all, there is an end to the notion that Linux is somehow immune to the viral infections that plague the Windows world.
it is not the first linux virus, not by a long shot... linux viruses have been around for years now and it's really quite absurd that anyone would still be holding on to the notion that linux is immune...

One minor thing is that the alleged virus -- called Virus.Linux.Bi.a -- being trumpeted far and wide by Kaspersky Lab is not really a virus, but rather "proof of concept" code, designed to show that such a virus could be written.
there is nothing that says something cannot be both a virus and a proof of concept... the fact is that the first virus for any platform is a proof of concept by default... the first virus that performs function X is a proof of concept... it's amazing that someone could pass themselves off as an authority on a subject and be so clueless about the terminology...

for the record - Virus.Linux.Bi.a IS a real virus...

A second caveat is that for it to work on Linux, a user has to download the program and then execute it, and even then, it can only "infect" files in the same directory the program is in.
the same limitations are true for quite a few DOS and windows viruses... these limitations do not stop it from being a virus...

Exactly how the program gets write permissions even in that directory is not explained.
unless linux has changed considerably since i last used it, individual programs do not require their own permissions... some special cases have special user accounts created just for running them, but by far most programs do not... even so, it is never the program that has permissions, but rather it is the user (whether the user is a real person or not), and in this case the viral program runs in the context of (and has the permissions of) the user who executes it...
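An added example, not part of the original post: a small Python audit that applies the point above (write access belongs to the user identity a process runs as, not to the program) and lists the executables in a directory that a given identity could modify. The function names are hypothetical, and the check models only the classic owner/group/other mode bits, not ACLs, read-only mounts or immutable flags.

```python
import os
import stat


def can_write(mode, owner, group, uid, gids):
    """POSIX mode-bit write check for an identity (uid, gids), not for a program."""
    if uid == 0:                      # root bypasses the mode bits
        return True
    if uid == owner:                  # owner class is checked first, and alone
        return bool(mode & stat.S_IWUSR)
    if group in gids:                 # then the group class
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)  # everyone else


def exposed_executables(directory, uid=None, gids=None):
    """Executable regular files in `directory` that the identity may modify.

    Defaults to the identity of the calling process, which is the identity
    any program started by that user would run with.
    """
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    exposed = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue                  # skip directories, symlinks, devices
        if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            continue                  # not marked executable for anyone
        if can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            exposed.append(entry.name)
    return exposed


if __name__ == "__main__":
    # Audit the current directory as the current user.
    for name in exposed_executables("."):
        print(name)
```

An empty result for a directory of binaries means a program run by that identity cannot alter them through ordinary file writes.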

And finally, it's not a virus at all. It can't replicate itself, which is one thing that makes a piece of malware a virus.
the author seems to be talking out of his ass here... while it's true that self-replication is a requirement, the program in question DOES self-replicate... it creates copies of itself that it inserts into other programs - i'm not sure what the author of that article thinks self-replication is but making copies of itself is the very definition of self-replication...

for completeness' sake, here is the original weblog entry from the kaspersky folks about this cross-platform virus: http://www.viruslist.com/en/weblog?weblogid=183651915
you can plainly see from the description that the program in question both self-replicates and infects other programs - a virus by any reasonable definition and even by the wikipedia one the author chose to cite...
