Complex Linux virus warning

The cross-platform Windows/Linux virus, which made headlines last week, has prompted a "zeitgeist of new interest" in Unix and Linux viruses.

Antivirus experts say that the cross-platform skills of the Simile or Etap virus, which cropped up last week, "seem to have led to a renewed interest in *nix malware".

Although the virus was not the first of its kind to infect both Windows and Linux machines, it apparently moved virus-writing techniques "yet another step up the scale of complexity".

According to an analysis by Symantec's Peter Szor, "Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging and emulation techniques, as well as standard evaluation-based techniques for virus analysis."

Released in March, in a virus writers' newsletter from the 29A group, the source code for Simile was written by the virus writer who calls himself Mental Driller. "Some of his previous viruses, such as W95/Drill ([which used the Tuareg polymorphic engine], have proved very challenging to detect," said Symantec.

The new interest that Simile has sparked in Linux and Unix malware prompted the Virus Bulletin, an expert website, to release an analysis of the danger of *nix viruses.

Marius van Oers, an analyst at McAfee, warned that "Unix shell script viruses are relatively easy to create, yet powerful enough to create big problems."

However, because Unix and Linux malware is currently more targeted at the specific machine, it is difficult for viruses to spread and survive. Power users are also more likely to be aware of suspicious modifications to their systems, although this may change as more novice users migrate to alternative operating systems.

Van Oers suggested that the *nix viruses that have been successful have contained both binaries and scripts. "However, there is no technical reason why Unix shell script malware cannot be successful in the future - it is a matter of proper coding combined with suitable or less secure environments," he said.