Shellcoders Programming Uncovered (Uncovered series)

Antivirus programs, in the form in which they currently exist, are catastrophically unsuitable for solving the problems, for which they are intended, and are principally unable to solve them. This doesn't mean that they are useless; however, it is unwise to blindly rely on their help. As was already mentioned, for the moment there are practically no viable UNIX viruses. Consequently, antiviral scanners have nothing to scan. Heuristic analyzers remain immature and are not prepared for real-world operation under production conditions.

The situation is aggravated because it is extremely difficult to distinguish a stable signature in script viruses. The stable signature is the one that must not be encountered in normal programs, and it must withstand the slightest mutations , without any pretensions of polymorphism. Kaspersky Antivirus traps most existing script viruses, but it does this quite strangely: Not every infected file is detected , and even the slightest reformatting of the infected file results in the virus remaining unnoticed.

All scripts obtained from potentially unreliable sources must be checked manually, because even the dumbest Trojan is capable of paralyzing the activity of an entire company that blindly relies on various antiviral software, and it will do this in seconds. With scripts, either you unconditionally rely on your supplier or you do not trust that supplier. The file you obtain might contain anything (including, simply, an incorrectly working program).

The situation with binary files is even more deplorable. This is partially because manual analysis of such files requires the investigator to have fundamental knowledge of the operating system and partially because it requires an unrealistic period of time. Furthermore, normal viruses principally resist automatic analysis. Therefore, the best strategy of protection against viruses consists of an expertly-configured access-restriction policy, timely installation of patches, and regular backup.

It is necessary to make the following observations, based on practical experience:

• Some administrators erroneously believe there are no viruses in the UNIX world. Viruses, however, are possible.

• Some users, striving to feel like gods, work at the root level for long intervals. Viruses are fond of such users.

• The small number of viruses affecting UNIX is offset by a practically complete lack of normal antiviral software.

• eMule and IRC are the main sources of supplementing your personal collection of viruses.

• The openness of the ELF format and the availability of the system-loader source code considerably simplify the process of designing UNIX viruses.

• The development of viruses is not prosecuted by law. It is the development of malicious programs that is prosecuted by law.

• There are about a dozen of different methods of inserting the virus code into ELF files. Virus writers have mastered only two or three of them, so they have no reason for complaining about the lack of areas, in which they could apply their creative potential.

• UNIX and Windows viruses are built according to the same principles, but UNIX viruses are simpler.

• The Kaspersky Antivirus Encyclopedia contains lots of errors in its descriptions of UNIX viruses.

• Most UNIX viruses depend on the version of the operating system; therefore, every investigator must support lots of operating systems on his or her computer.

• An impressive collection of UNIX viruses can be found at http://vx.netlux.org .