This page presents my bibliography of papers and books containing information on Unix computer viruses.
This issue of Computing Systems contains two articles by Bell Labs researchers on experiments and experiences with working Unix viruses:
Doug McIlroy's paper includes source code for a sh script virus.
Tom Duff's article also includes source code for a sh script virus. The USA's Department of Energy refers to one of the viruses Duff describes as the AT&T Attack Virus. Duff writes this about his script virus:
However sorely you are tempted, do not run this code. It got loose on my machine while being debugged for inclusion in this paper. Within an hour it had infected about 140 files, and several copies were energetically seeking other files to infect [...]
Note the date on this issue of Computing Systems: 1989. Source code for two different sh script viruses has been very publicly available ever since.
Russ Cox, a modern technical blogger, gives his take on the Duff and McIlroy papers cited above.
A Platform Independent Computer Virus
Keith Allen McMillan
Master's Thesis
University of Wisconsin - Milwaukee, 1994
McMillan's multiple-platform virus infects LaTeX source documents, using GNU Emacs as a helper application.
A Short Course On Computer Viruses, 2nd ed
Frederick B. Cohen
John Wiley & Sons, 1994
ISBN 0-471-00768-4
It's Alive
Frederick B. Cohen
John Wiley & Sons, 1994
ISBN 0-471-00860-5
UNIX Security - A Practical Tutorial
N. Derek Arnold
McGraw-Hill, 1993
ISBN 0-07-002560-6
See especially chapter 13. Arnold gives a decent explanation of the memory layout of a Unix process, followed by a detailed description of a Unix virus, including some or all of its source code.
This book contains nearly all the theoretical papers written on the topic of computer viruses, among them Fred Cohen's original papers on the subject. Cohen wrote some of the first computer viruses (but probably not the very first: Elk Cloner, on the Apple II, seems to have been the first virus) on a VAX running 4BSD Unix.
See especially Part III - Worms. This section contains all the major "third party" articles about the 1988 Morris Internet worm. It contains no articles about the "WANK/OILZ" or HI.COM VMS worms, however.
Article 22, Implications of Computer Viruses and Current Methods of Defense, by Fred Cohen seems worth a look, too. Cohen claims a Unix shell virus takes 0.2 hours to write. He also claims that "In the command language of Unix, evolutionary viruses have been written in under 200 bytes". Possibly so: by his definition of "evolutionary virus", this shell script almost fits the bill. It has a size of 184 bytes.
Contains source code for two FreeBSD viruses, "X21" and "X23", and an interesting viewpoint about Unix:
Even though some free versions of it have become available, I think it is bound to become more and more obscure as better operating systems like OS/2 and Windows NT become more widely available.
The recent success of Linux seems to prove him wrong.
We know that several people have written computer viruses that run under Unix. We know that anyone who looks can find source code for several Unix viruses. We know that cross-platform, or platform-independent viruses and worms exist. Given that some tens of thousands of viruses exist for the Wintel PC platform why don't Unix viruses exist in the wild?
If you have an answer to this question, mail me.
I think that the answer has something to do with the mild amount of "immunity" that Unix file permissions grant. If an ordinary, non-root user happens to execute a virus-infected executable, the virus can only infect files that user has permission to write to: typically that user's own scripts and binaries, not /bin, /usr/bin or another user's files. This eliminates boot-sector viruses (formerly one of the most widespread forms of PC viruses), as most Unix machines don't grant ordinary users write access to disk device files. The immunity is only partial, though: an infected program that runs as root, or setuid root, can write anywhere on the system.
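To make the permission argument concrete, here is an added example, not code from the original page or from any of the papers it cites: a POSIX sh script that lists the "infection surface" of the invoking user, that is, every regular executable file under the given directories that this user is allowed to write to. An sh script virus run by that user could infect only these files. The directory tree it demonstrates on is constructed in a temporary directory; the function names and the directory contents are my own.

```sh
#!/bin/sh
# Added example (not from the original page): enumerate the executables an
# unprivileged user could modify, i.e. the only files an sh-script virus run
# by that user could infect. Everything else is out of reach until the
# virus runs as root or as another user.

# writable_executables DIR...  -> prints matching paths, one per line
writable_executables() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # find only enumerates; the shell's own -x/-w tests ask the kernel
        # for an access check against the *effective* uid, which is exactly
        # the check an infector running as this user would face.
        find "$dir" -type f 2>/dev/null
    done | while IFS= read -r f; do
        if [ -x "$f" ] && [ -w "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# count_writable_executables DIR... -> number of such files
count_writable_executables() {
    writable_executables "$@" | wc -l | tr -d ' '
}

# Demonstration on a constructed directory tree (hypothetical, not a real PATH):
demo() {
    demo_dir=$(mktemp -d)
    mkdir "$demo_dir/bin"
    # owned and writable: a reachable host for the virus
    printf '#!/bin/sh\necho hi\n' > "$demo_dir/bin/mine";   chmod 0755 "$demo_dir/bin/mine"
    # executable but read-only to an ordinary user: immune
    printf '#!/bin/sh\necho hi\n' > "$demo_dir/bin/locked"; chmod 0555 "$demo_dir/bin/locked"
    # writable but not executable: not a host at all
    printf 'data\n' > "$demo_dir/bin/notes";                chmod 0644 "$demo_dir/bin/notes"
    writable_executables "$demo_dir/bin"
    rm -rf "$demo_dir"
}

demo
```

Run it as the unprivileged user whose exposure you are modelling, for example `writable_executables $(echo "$PATH" | tr ':' ' ') "$HOME/bin"`. Run as root, `-w` is true for every file, which is the page's point in reverse: once the virus has root, file permissions grant no immunity at all.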
Further immunity comes from the fact that Linux and Unix users have, and use, a vast array of text editors, word processors and email clients. A chain-mail virus analogous to "Klez" just won't get far in an environment where only a few per cent of the users run the one email client the virus knows how to execute in.
Another area of diversity comes in versions: Linux software in particular undergoes rapid development. Should a macro virus for a Linux word processor arise, the many versions of the word processor that end up in service provide quite a bit of "immunity". Whatever bug or feature a macro virus might exploit to spread probably comes in several different varieties, one for each version of the hypothetical word processor.
Diversity constitutes the key feature of each of these examples: diversity of file permissions by user ID, diversity of email clients, diversity of versions of a word processor. By contrast, the Windows computing culture constitutes a monoculture. Virtually all users run the same word processor, the same web browser, the same email client and the same web server, on the same hardware. Any flaw in one piece of the system allows a single virus (or worm) to infect all of the systems.
Preventing the spread of viruses probably doesn't amount to making 100% of the hosts 100% immune. Prevention probably entails making enough hosts possess a variety of immunities, through local effects like file access permissions and executing different versions of a variety of software.
Serious research exists to support my position on software diversity.
$Id: virefs.html,v 1.15 2000/05/13 15:59:06 bediger Exp bediger $