Friday, April 06, 2007 8:48 AM
cmosby
Symantec Security Response Weblog: The iPod virus
The iPod virus
On Wednesday morning, we received anonymously a copy of the first "iPod virus", which we call Linux.Noslo, a play on the virus author's name of "Oslo". This virus is designed to run on iPod Linux, but there is nothing iPod-specific in the virus code, so it is not an iPod virus. It is just another proof-of-concept Linux virus.
"iPod Linux" is a software project that allows a user to run a different operating system, Linux, directly on an iPod. So, when the iPod is switched on, the user sees a Linux interface instead of the usual Apple interface. This virus runs within that particular Linux framework and infects the files that are part of that operating system.
The virus arrives as a file called "oslo.mod.so" and it infects specific iPodLinux files on the compromised device. To infect an iPod would require a user to manually copy an infected file to the device. The virus has no way to leave the device on its own.
Once executed, the virus searches the "/usr/lib" directory and all subdirectories for files containing the string "mod.so" in the file name. The virus then checks inside each file to determine whether it is a Linux file and is not already infected. When an infected file is executed, it will infect other files, but it will no longer run the host code.
The virus will display the following message on the iPod screen, once the infection routine is completed:
"You are infected with Oslo the first iPodLinux Virus"
The virus also displays a greetings message on the iPod screen when Linux is shut down.
This shows that, eventually, a virus writer will target any operating system on any platform, just to show that it can be done. What a waste of time.
Posted by Peter Ferrie on April 5, 2007 03:00 PM
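The post says the virus rewrites files under "/usr/lib" whose names contain "mod.so", so a hash baseline of exactly that file set will show an infection as modified entries. The following is an added example, not code from Symantec or from the original post; the function names, finding labels and JSON baseline file are assumptions made for illustration.

```python
import hashlib
import os

TARGET_SUBSTRING = "mod.so"   # file-name pattern the post says the virus searches for
ARRIVAL_NAME = "oslo.mod.so"  # file name the post says the virus arrives as


def snapshot(root):
    """Map each regular file under root whose name contains TARGET_SUBSTRING to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if TARGET_SUBSTRING not in name or not os.path.isfile(path) or os.path.islink(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return findings as sorted (kind, relative_path) tuples."""
    findings = []
    for rel, digest in current.items():
        if os.path.basename(rel) == ARRIVAL_NAME:
            findings.append(("arrival-name", rel))
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    findings += [("missing", rel) for rel in baseline if rel not in current]
    return sorted(findings)


if __name__ == "__main__":
    import json, sys
    # Usage: script.py ROOT BASELINE.json  (writes the baseline if it does not exist yet)
    root, baseline_path = sys.argv[1], sys.argv[2]
    now = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(now, fh, indent=2)
    else:
        with open(baseline_path) as fh:
            for kind, rel in compare(json.load(fh), now):
                print(kind, rel)
```

Take the baseline from a known-clean install and store it off the device, since a baseline kept beside the files it describes can be altered along with them.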
Source: Symantec Security Response Weblog: The iPod virus