The first sighting on the linux-security mailing list happened around January 31, 1997, and Alan Cox replied with this message.
Then, on February 5th, the author of bliss, apparently a nice guy concerned that an earlier alpha version of his code (which was posted on September 29, 1996 to comp.security.unix, alt.comp.virus and comp.os.linux.misc) could still be in use, posted version 0.4.0 to the widely read Usenet newsgrooup comp.security.unix, complete with ample warnings and the prospect of a future (GPL'ed?) source code release.
It was promptly analyzed by Alan Cox
on February 8th, and, one day later and much more comprehensively, by Ray
Lehtiniemi. Quick summary: if you run bliss (which is, by the way,
not specific to Linux and can be compiled for SunOS, Solaris, and
OpenBSD) or any binary infected with bliss,
it tries to attach itself to (i.e.: infect)
all binaries that you have write access to, on all machines that you
have rsh access to. It writes a neat log of all its actions to /tmp/.bliss
and even has a --bliss-uninfect-files-please
command line option that
sometimes might come handy, and actually does what it promises. Bliss
was compiled with helpful debugging information. I
especially like the
feature where it tries to patch the Linux kernel source, so that the next
kernel compilation will produce a much more cooperative Linux. Moral:
don't run it, especially if you're root. That's all there is to
it. We all knew already that we should never do anything but system
administration as root, now didn't we? We also should never run
executables that we haven't
compiled ourselves from inspected sources. Big deal. Enter McAfee.
McAfee is a company that makes its money from the fact that people continue to use inferior operating systems that can easily be infected with viruses, with disastrous results. In their press release, dated February 5 and widely reprinted in clueless media everywhere, they claim to have "discovered" bliss (actually, they are talking about the earlier alpha version, but they don't know this), a program that had been publicly available for several months at that time, thereby proving that they don't even follow the security and virus usenet newsgroups. They also recommend that you run one of their binaries, without letting you look at the sources, of course. Now what have we learned a moment ago: is that a good idea? An analysis of the press announcement has been provided by Russ Allbery. Another message shows that the information about bliss was provided to McAfee by a participant on the linux-security mailing list, where the sighting of the alpha version had been posted previously. McAfee, the heroic virus discoverer! Savior of the universe!
Here's another message from Alan Cox about the difference between viruses and trojan horses. Albert D. Cahalan begs to differ, but that is not the last word on that matter. And, on a final note: bliss shows that Linux is popular enough to attract virus writers, bliss makes people afraid of running as root which they shouldn't do anyway, and bliss makes people reluctant to run programs without inspectable sources. All hail bliss!
cat /tmp/.bliss
.
To protect against similar programs, keep backups of your important
programs in a safe place and use a program which detects any
modifications. Traditionally, tripwire has been used for this purpose,
but nowadays people recommend the free alternative AIDE.
To read a description of a truly cool and diabolical trojan/virus as opposed to the rather lame bliss, check this out.
If you have anything to contribute regarding bliss or want to read other people's comments, please go here or send me mail.