Virus researchers at Kaspersky Lab have found proof-of-concept code for a cross-platform virus capable of infecting both Windows and Linux systems.
In an alert posted to Viruslist, Kaspersky said the sample virus has been given a dual name—Virus.Linux.Bi.a/ Virus.Win32.Bi.a—and highlighted the way attackers are targeting multiple platforms in malware attacks.
“The virus doesnt have any practical application,” the company said in the alert. “Its classic proof-of-concept code, written to show that it is possible to create a cross-platform virus.”
However, according to Shane Coursen, senior technical consultant at Kaspersky Lab, in Woburn, Mass., its normal to see proof-of-concept code modified and used in actual copycat attacks.
“This is the kind of attack well be seeing in the future,” Coursen said in an interview with eWEEK. “We know it can be done and there are obvious reasons why malware writers would want to target multiple operating systems with a single piece of malware.”
“Well start seeing viruses attacking Windows with the ability to infect Linux and Mac machines. Its not a stretch to imaging a single virus going across all three platforms and even further,” Coursen said.
According to Kasperskys analysis, the cross-platform virus sample is written in assembler and only infects files in the current directory. “However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows—ELF and PE format files respectively,” the alert said.
The virus uses the Kernel32.dll function to infect systems running Win32. It injects its code into the final section and gains control by again changing the entry point, Kaspersky said.
The warning from Kaspersky caught the attention of incident handlers at the SANS ISC (Internet Storm Center), a group of volunteers that tracks malicious activity on the Web.
ISC volunteer Swa Frantzen said the impact of the proof-of-concept code “is very low in itself” but is a sign that the cross-platform aspects of malware are becoming important.
“Even today, Web sites sending exploits to their visitors tend to detect what browser or platform the visitor is using and send a matching exploit to install some malware and earn their quarter for each confirmed installation,” Frantzen said.