Date:      Sun, 20 Jun 110 13:23:08 -0700 (PDT)
From:      Jim Dennis <jimd@mcafee.com>
To:        nate@sri.MT.net (Nate Williams)
Cc:        randyd@nconnect.net, questions@FreeBSD.ORG
Subject:   Re: Missing Memory & shrinking drives
Message-ID:  <201006202023.NAA06201@mistery.mcafee.com>
In-Reply-To: <199606201342.HAA09496@rocky.sri.MT.net> from "Nate Williams" at Jun 20, 96 07:42:00 am

> 
> > Greetings,
> > How does FreeBSD handle the presence of the various types of viruses.
> > Is it similar to the way NT handles them??  Are there any anti-virus
> > utilities available for FBSD?
> 
> 1) Unix processes aren't allowed to touch another process, so virus's
>    basically "don't exist".
>   
> 2) It would be difficult to obtain a Unix virus given a source-code only
>    system.
> 
> 3) Given the lack of pre-packaged binary software that comes from
>    outside vendors the chances of getting a virus are slim to none.
>    If/when FreeBSD becomes *really* popular this might become an issue,
>    but it isn't one yet.
>  
> However, some vendors would lead you to believe that virus exist on
> every system, so you must spend a gazillion dollars on their
> virus-protection software.  Don't bother.

	Mostly correct.  Note that most PC viruses are not OS specific --
	they rely on the initial behaviour of the BIOS (these are 
	boot sector viruses; there are a few hundred of them like 
	'Stoned' and 'Michelangelo').  During startup the BIOS 
	polls drive A:, and any other drives it finds -- then, if media
	was detected in drive A:, a typical BIOS, in typical configuration,
	will try to boot off of the floppy.  

	Booting (from a floppy or otherwise) involves reading the first
	sector of the medium (the "boot sector" on a floppy or the 
	"Master Boot Record" -- MBR -- on a hard drive) and executing a 
	small chunk of loader code.  (Actually it looks for a set of 
	"signature" bytes and only executes the block if the signature is
	found).

	This small chunk of code is not part of the OS.  Linux LILO, 
	FreeBSD's BootEasy, the only Mark Williams Coherent Boot Loader,
	OS/2 and NT's "BootManager" (special case) are all MBRs (actually
	OS/2 and NT use an MBR *and* a small, proprietary, partition since
	their load code is too fat to fit).  There are specialty products,
	like OnTrack's infamous Disk Manager, Golden Bow's old vfeature,
	and probably "System Commander", that are third-party boot loaders.

	Note that most boot loaders can load multiple OSes.  (The basic
	MS DOS MBR code and the old Novell Netware 2.x "cold boot loader"
	are the only two that I can think of that don't recognize multiple
	OSes).

	A typical boot sector virus either moves or replaces the 
	installed boot loader -- and copies its code into that sector.
	Since this is done *before any OS is loaded* it can happen on any
	normal PC compatible.  

	Typically the BSV (boot sector virus) then makes itself memory
	resident. This part only works for DOS, since almost any 32-bit
	OS, from Concurrent DOS, through Linux, FreeBSD and even OS/2
	and NT, switches out of real mode and replaces all interrupt
	service routines -- all hardware drivers -- with its own 32-bit
	code.  Note that Win '95 is vulnerable since the 32-bit GUI is
	still riding on top of a 16-bit OS, and still relies on *some*
	chunks of "real mode" code (some BIOS functions, and some "old
	hardware drivers").

	After years of working in the support and IS departments of 
	the two most prominent publishers of anti-virus software
	(Symantec and more recently McAfee Associates) I've boiled
	the whole thing down to this simple statement:

		If you have ever seen the message:

			"Non-System Disk Error, Replace and hit any key to continue:"

		Then you *might* have a virus.

	If you run FreeBSD or Linux then it is unlikely that a virus
	can spread from your machine to anyone else's.  It is 
	likely that one can sit, undetected, indefinitely on your system
	-- only becoming active for a few seconds every time you reboot.
	

	If, for example, you were to catch 'Michelangelo' and you were to 
	ever reboot on March 6th of any year -- then the virus would 
	zero out the first 17 sectors of the first 255 tracks (up to 
	16 heads if I recall correctly) of your first hard drive.  I pick
	'Michelangelo' as an example because it is one of the few viruses
	with a known, simple trigger, and a known, simple payload.  'Stoned'
	(from which 'Michelangelo' was probably derived) would simply
	periodically lock up the system with the message "your PC is now
	stoned" -- which it (some variations of it) might not attempt to
	do until DOS was loaded (in our hypothetical situation -- most 
	BSVs would never trigger and never drop a payload).  

	The point is that the usual behaviour of a BSV is to install
	itself in RAM, load the original boot sector (usually copied to
	a spare sector of track zero) and jump into that to complete the
	*normal* boot cycle.  However that is purely a matter of programming.

	If you never allow DOS formatted floppies to be left in your 
	machine's A: drive -- and you configure your CMOS/BIOS settings to
	skip the attempt to boot off of A: and you never run DOS on your 
	machine (there are also some viruses that are "multi-partite" --
	meaning that they can infect normal .EXE or .COM binaries, *and*
	can infect boot records and MBRs -- and there are "droppers",
	trojan programs that aren't technically viruses but can "drop" a 
	virus onto a system)... if you follow those sorts of conventions
	then your FreeBSD system is probably safe from viral infection.

	Some academics have written "Unix virus demonstrations" which are 
	often just shell scripts.  These don't propagate due to the 
	multi-user nature of Unix.  The normal, customary, practices of 
	Unix users make a poor population for viral propagation -- users
	normally only execute utilities that were installed by the 
	administrator(s) of their system, or applications and utilities that
	they themselves built or installed.  Relatively little software for
	Unix is distributed in binary form -- and the exceptions to this are
	often treated to extra scrutiny by administrators (obtaining them 
	only direct from known-good sites, checking sums and MD5 hashes, etc).

	So, as a practical point, there are no *unix* viruses.

	If, on the other hand, you are concerned about the possible
	propagation of PC viruses *from* your NFS or FTP server to
	other PCs -- then you might want to look at McAfee's 
	anti-virus for Unix (available for Linux, SunOS, and Solaris --
	hopefully the Linux version will run O.K. under FreeBSD's 
	"emulation").  Sad to say I haven't had time to personally 
	test that.
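As an added defensive illustration (not part of the original thread, and not McAfee's or FreeBSD's code), the following Python checks a 512-byte MBR image the way the message describes the BIOS doing it: it verifies the "signature" bytes at the end of the sector, decodes the partition table, and compares the loader code against a recorded known-good digest so a boot sector that has been moved or replaced stands out. The sample MBR bytes, the stand-in loader strings and all function names are constructed for this example; on a real system the sector would be read from the raw disk device and the baseline digest recorded right after installing the boot loader.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the loader code (LILO, BootEasy, ...)
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: the marker the BIOS checks before jumping in


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector carries the 0x55AA marker the BIOS requires."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Decode the non-empty primary partition entries (status, type, LBA start, length)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"status": status, "type": ptype,
                            "lba_start": lba_start, "sectors": n_sectors})
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the loader code only, so repartitioning does not disturb the baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, known_good_digest: str) -> list:
    """Return findings; an empty list means the MBR still matches the recorded baseline."""
    findings = []
    if not has_boot_signature(sector):
        findings.append("boot signature 0x55AA missing")
    if boot_code_digest(sector) != known_good_digest:
        findings.append("boot code differs from baseline: loader replaced or modified")
    if not any(p["status"] == 0x80 for p in parse_partitions(sector)):
        findings.append("no partition flagged active")
    return findings


# Constructed sample: a stand-in string in place of real loader code, one active
# FreeBSD slice (type 0xa5) starting at LBA 63, and the 0x55AA signature.
def make_sample_mbr(code: bytes) -> bytes:
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0xA5, b"\xfe\xff\xff", 63, 2097152)
    return code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE

BASELINE_MBR = make_sample_mbr(b"STAND-IN LOADER")
BASELINE_DIGEST = boot_code_digest(BASELINE_MBR)   # the value you would record and keep offline
TAMPERED_MBR = make_sample_mbr(b"STAND-IN LOADER, CODE ALTERED")
```

Running `check_mbr(BASELINE_MBR, BASELINE_DIGEST)` yields no findings, while `check_mbr(TAMPERED_MBR, BASELINE_DIGEST)` reports that the loader code no longer matches the baseline.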
