Bliss
Type: File virus
Creator: "electric eel"
Date Discovered: 1997.01.31
Place of Origin:
Source Language:
Platform: Linux
File Type(s): ELF executables
Infection Length: 17,892 bytes
Reported Costs:

Bliss is the second Linux virus. Its classification was controversial, with some people calling it a trojan, others a worm, and most others a virus.

Behavior

When executed, Bliss looks for ELF executables to which it has write access. When it finds one, it overwrites the file, and the file's functionality is partially or completely lost. It creates the directory /tmp/.bliss, where it will store some system binaries. It looks for other machines to infect by reading the /etc/hosts.equiv file, a file on Linux and most other Unix-based systems that lists other trustworthy computers on the network. Bliss will remove itself if an infected file is executed with the --bliss-disinfect-files-please switch.

The virus contains the following text:

  dedicated to rkd
  infected by bliss
  skipping, infected with same vers or different type
  replacing older version
  replacing ourselves with newer version
  infect() returning success
  successfully (i hope) disinfected
  rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s'
  doing do_worm_stuff()
  /etc/hosts.equiv
  Compiled on Sep 28 1996 at 22:24:03
  Written by electric eel.
  help? hah! read the source!
  bliss was run %d sex ago, rep_wait=%d
  /usr/spool/news
  GCC: (GNU) 2.7.2.l.2

Variants

There was a second variant of Bliss that is 18,604 bytes long. It is a prepender rather than an overwriter. When the file is executed, the original program is extracted to the /tmp directory under a name made of the prefix ".bliss-tmp." followed by the process ID. Infected files will run correctly, though shell scripts may complain about them. It uses /tmp/.bliss to clean up infected files if the correct command is issued. When files are executed with an argument beginning with --bliss-, the user may choose between these relatively self-descriptive options:

  • uninfect-files-please, disinfect-files-please
  • dont-run-original, just-run-bliss, just-run-virus
  • dont-run-virus, dont-run-bliss, just-run-original
  • force-worm-stuff
  • exec
  • infect-file <file-list>
  • version
  • help

It also checks the following directories for executables:

  • $HOME/bin
  • $PATH
  • each getpwent()/bin
  • /usr/spool/news
  • /var/spool/news
  • /dos
  • /proc
  • /cdrom
  • /
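
A defensive check built from the artifacts listed on this page, as an added example (not code from the original page or from Bliss itself): it looks for the embedded marker strings in ELF files and for the /tmp/.bliss directory and ".bliss-tmp.<pid>" files. The function names, the 64 KiB read limit (which assumes the virus body sits at the start of an overwritten or prepended file) and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Marker strings copied from the text list on this page.
MARKERS = [b"infected by bliss", b"doing do_worm_stuff()",
           b"successfully (i hope) disinfected", b"Written by electric eel."]
TMP_NAME = re.compile(r"^\.bliss-tmp\.\d+$")  # ".bliss-tmp." + process ID

def scan_file(path, head=64 * 1024):
    """Return the markers found near the start of an ELF file, else []."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(head)
    except OSError:
        return []  # unreadable file: nothing to report
    if not data.startswith(b"\x7fELF"):
        return []  # Bliss only targets ELF executables
    return [m.decode() for m in MARKERS if m in data]

def scan_tree(root):
    """Map each regular file under root that matches to its markers."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files):
            # Skip symlinks, FIFOs and devices so open() cannot block.
            if os.path.isfile(path) and not os.path.islink(path):
                if found := scan_file(path):
                    hits[path] = found
    return hits

def tmp_artifacts(tmp_dir="/tmp"):
    """Return Bliss leftovers: the .bliss directory, .bliss-tmp.<pid> files."""
    names = os.listdir(tmp_dir) if os.path.isdir(tmp_dir) else []
    return sorted(n for n in names if TMP_NAME.match(n) or
                  (n == ".bliss" and os.path.isdir(os.path.join(tmp_dir, n))))

def demo():
    """Run both checks over constructed sample files in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"clean": b"\x7fELF" + b"\0" * 64,              # plain ELF
                   "hit": b"\x7fELF\0\0infected by bliss\0pad",   # ELF + marker
                   "note.txt": b"infected by bliss"}              # not ELF
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        os.mkdir(os.path.join(d, ".bliss"))
        open(os.path.join(d, ".bliss-tmp.4242"), "wb").close()
        return ({os.path.basename(p): m for p, m in scan_tree(d).items()},
                tmp_artifacts(d))
```

A text file that merely quotes a marker is not reported, because only files starting with the ELF magic bytes are inspected.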

History

An "alpha" version of Bliss is known to have existed as far back as the 29th of September 1996, when its code was posted to comp.security.unix, alt.comp.virus and comp.os.linux.misc. The first reported binary infection was on the 31st of January 1997. On the 5th of February, the creator posted to comp.security.unix that he was concerned that his creation may be loose. McAfee Antivirus claimed credit for discovering the virus on the same day and the press ran with that story, though they actually received the information from the Linux Security mailing list.

While today it seems to be generally agreed that Bliss is a virus, its classification was a source of controversy when it came out. Often devotees of a platform that is known for its security (particularly when compared to Microsoft Windows) will claim that a certain piece of malware is something different from what others are reporting it as, as in the argument over the classification of the Oompa worm. One analyst cited the fact that the user has to run the program (as root, no less) in order for it to spread as proof that it is a trojan. Proponents of the virus classification cite the fact that it spreads at all as grounds for calling it a virus. Others thought it was a worm, as it could spread over networks. Our own classification is virus, since it spreads and does so with some sort of parasitic relationship to programs, regardless of how much user involvement there is or whether or not it can spread over a network.

Sources

Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : Linux/Bliss.

University of Paderborn, Bliss, a Linux "virus", Including links in the Paderborn site. 1997

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License