Bliss, a Linux "virus"

Bliss has been called a virus for Linux, a common Unix trojan, a virus-like trojan with worm-like features, etc., depending on whom you ask. Apparently the definitions aren't very clear. Here's its story.

The first sighting on the linux-security mailing list happened around January 31, 1997, and Alan Cox replied with this message.

Then, on February 5th, the author of bliss, apparently a nice guy concerned that an earlier alpha version of his code (posted on September 29, 1996 to comp.security.unix, alt.comp.virus and comp.os.linux.misc) could still be in use, posted version 0.4.0 to the widely read Usenet newsgroup comp.security.unix, complete with ample warnings and the prospect of a future (GPL'ed?) source code release.

It was promptly analyzed by Alan Cox on February 8th, and, one day later and much more comprehensively, by Ray Lehtiniemi. Quick summary: if you run bliss (which is, by the way, not specific to Linux and can be compiled for SunOS, Solaris and OpenBSD) or any binary infected with bliss, it tries to attach itself to (i.e. infect) every binary that you have write access to, on every machine that you have rsh access to. In other words, the damage it can do is bounded by the privileges of the account that runs it. It writes a neat log of all its actions to /tmp/.bliss and even has a --bliss-uninfect-files-please command line option that might occasionally come in handy, and actually does what it promises. Bliss was compiled with helpful debugging information. I especially like the feature where it tries to patch the Linux kernel source, so that the next kernel compilation will produce a much more cooperative Linux.

Moral: don't run it, especially if you're root. That's all there is to it. We all knew already that we should never do anything but system administration as root, didn't we? We also should never run executables that we haven't compiled ourselves from inspected sources. Big deal. Enter McAfee.
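A quick check that follows from the above, as an added example (not code from the page, from bliss or from its analysts): since a bliss-like program run by an ordinary user can only infect executables that user can write to, the exposure on a system is the set of executables writable by more than their owner. The Python below audits a directory tree for group- or world-writable executables and for executables sitting in world-writable directories without the sticky bit. It reads the permission bits directly rather than using os.access(), so the verdict does not change depending on whether root or a normal user runs it. The demo() function builds a constructed throwaway tree (the file names and modes in it are made up) so the example runs offline.

```python
"""Audit a directory tree for executables that someone other than the
owner could overwrite.  Added example, not part of the original page."""
import os
import stat
import tempfile


def weak_executables(root):
    """Return a sorted list of (relative path, reason) for regular,
    executable files that are group- or world-writable, or that live in a
    world-writable directory lacking the sticky bit (where any user could
    replace the file by renaming over it)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        dir_weak = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable by anyone, not a target
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            elif st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if dir_weak:
                reasons.append("in world-writable dir without sticky bit")
            if reasons:
                findings.append((os.path.relpath(path, root), ", ".join(reasons)))
    return sorted(findings)


def demo():
    """Constructed tree: one sane binary (0755) and two weak ones
    (0775 and 0777).  The contents are a stand-in, not real binaries."""
    root = tempfile.mkdtemp(prefix="bliss-audit-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o755)
    for name, mode in (("ls", 0o755), ("vi", 0o775), ("sh", 0o777)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as f:
            f.write(b"\x7fELF")  # constructed placeholder content
        os.chmod(path, mode)
    return weak_executables(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against the directories on your PATH (and /lib, /usr/lib) to see what an infected program started from your unprivileged account could actually reach; anything it lists is a file that a bliss-style infector running as another user could attach itself to.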

McAfee is a company that makes its money from the fact that people continue to use inferior operating systems that can easily be infected with viruses, with disastrous results. In their press release, dated February 5 and widely reprinted in clueless media everywhere, they claim to have "discovered" bliss (actually, they are talking about the earlier alpha version, but they don't know this), a program that had been publicly available for several months by then, thereby proving that they don't even follow the security and virus Usenet newsgroups. They also recommend that you run one of their binaries, without letting you look at the sources, of course. Now, what did we learn a moment ago: is that a good idea? An analysis of the press announcement has been provided by Russ Allbery. Another message shows that the information about bliss was provided to McAfee by a participant on the linux-security mailing list, where the sighting of the alpha version had been posted previously. McAfee, the heroic virus discoverer! Savior of the universe!

Here's another message from Alan Cox about the difference between viruses and trojan horses. Albert D. Cahalan begs to differ, but that is not the last word on the matter. And, on a final note: bliss shows that Linux is popular enough to attract virus writers, bliss makes people afraid of running as root (which they shouldn't do anyway), and bliss makes people reluctant to run programs without inspectable sources. All hail bliss!

Appendix

For the paranoid: to check whether anything on your system is infected by bliss, run cat /tmp/.bliss; if the file exists, it lists everything bliss has done. This only finds bliss itself, and only as long as its log has not been removed. To protect against similar programs, keep backups of your important programs in a safe place and use a program that detects any modifications to the installed copies. Traditionally, tripwire has been used for this purpose, but nowadays people recommend the free alternative AIDE.
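To show what tripwire and AIDE do in principle, here is an added example (not code from either project or from the page): a minimal baseline-and-compare integrity check in Python. It records a SHA-256 digest together with mode, owner and size for every regular file under a root, then reports files that changed, appeared or disappeared. The demo() function simulates a bliss-style infection on a constructed temporary tree (appending to one binary, dropping a new file, deleting another); its file names and contents are made up. The caveat that applies to the real tools as well: the baseline must be taken before the infection and kept where the attacker cannot rewrite it (read-only media or a signed copy), otherwise a program that can overwrite your binaries can overwrite the baseline too.

```python
"""Minimal file-integrity baseline in the spirit of tripwire/AIDE.
Added example, not code from either project or from the original page."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 hex, mode bits, uid, gid, size) for
    every regular file under root.  Symlinks are skipped; they are resolved
    at exec time and their targets are covered on their own."""
    base = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            base[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode),
                         st.st_uid, st.st_gid, st.st_size)
    return base


def compare(baseline, current):
    """Return sorted lists of paths that changed (any recorded attribute
    differs), were added, or were removed since the baseline."""
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: take a baseline of three stand-in binaries,
    then tamper the way an infector would and compare."""
    root = tempfile.mkdtemp(prefix="bliss-fim-")
    for name in ("ls", "ps", "login"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\x7fELF" + name.encode())  # placeholder content
    baseline = snapshot(root)
    with open(os.path.join(root, "ps"), "ab") as f:
        f.write(b"\x00" * 16)  # code appended to an existing binary
    with open(os.path.join(root, ".bliss"), "wb") as f:
        f.write(b"log")  # a new file dropped next to the binaries
    os.remove(os.path.join(root, "login"))  # a binary that went missing
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Take the snapshot once right after a clean install, move the result off the machine (or onto media the machine can only read), and compare it against a fresh snapshot at intervals; a hash mismatch on a file you have not upgraded yourself is exactly the kind of evidence that cat /tmp/.bliss would not give you once the log is gone.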

To read a description of a truly cool and diabolical trojan/virus as opposed to the rather lame bliss, check this out.

If you have anything to contribute regarding bliss or want to read other people's comments, please go here or send me mail.


Last Change: 19-Jan-2000
Axel Boldt <axel@uni-paderborn.de>