An anti-virus software company is busily backpedalling after announcing earlier this month that it had "discovered" and countered the first Linux virus.
"[Bliss] is a stupid virus," said Joe Wells, a software consultant who maintains an index of proliferating computer viruses. "It's an alarmist approach that draws people's attention to something that's not a real threat and takes their eyes off the things that are boring but more of a threat," he said.
McAfee Software, a developer of anti-viral software, announced it had discovered and created an antidote for Bliss on 6 February. The company claimed that the hostile code was infecting Linux operating systems - a popular free version of Unix. But the tone of the announcement raised the ire of Linux users on the blinux-list mailing list.
While McAfee said the Bliss virus wasn't widespread, its announcement characterized the virus as serious and spreading in the public domain. But Bliss was not destructive. It was distributed primarily as "proof of concept" code (i.e., proof that a Linux virus could exist), to people on a security mailing list who knew what it was.
"I learned a lot of lessons from Bliss," admitted Jimmy Kuo, senior virus researcher for the Santa Clara, California-based McAfee Software. "Bliss sounded more scary than it should have been. [In subsequent releases] we have tried to include more technical information."
Wells said Bliss is an overwriter virus, a piece of code that destroys its host. Without a host, a virus has little chance of spreading. This led Wells and other anti-virus experts, including Dave Chess, research staff member at IBM's Thomas J. Watson Research Laboratory, to conclude that Bliss is not much of a threat.
Bliss exists mostly for people to run on their systems as a study of virus behavior, a common practice among those who work on anti-viral technologies, said Chess. "When it's infecting, it will tell you - infecting:(file name) and it keeps a log on the disk of the infected files," he said. Further, the program saves clean copies of every file that it infects.
Kuo, a well-respected anti-virus researcher, said a part of the confusion over Bliss stemmed from the different interpretations of such expressions as "in the wild," the phrase the anti-viral community uses to describe a virus that is in the public domain and therefore poses a threat. To Kuo, a virus has to meet five criteria before it is "in the wild," including the existence of a critical mass of users of an operating system.
"Many people are running Linux at home on $800 machines. When the number of users of a platform goes up, the average user's technical capability goes down," said Kuo.
Linux had been virus-free since its initial release in 1991. Kuo said it takes two to three years for viruses to catch up with new operating systems.
With that criterion, Bliss is the sign that Linux has attained the status of an established platform. Bliss is also a warning that other hostile code awaits, said Wells, who noted that of the 10,000 viruses in existence, only 200 to 300 pose a real threat.
"[Bliss] will be just like the Boza fiasco [the first Windows 95 virus] last year, and people will know it's possible to write viruses for Linux," said Wells.
