Torvalds patches Linux kernel, fixes broken virus

The hacker who created a widely reported cross-platform virus that could affect both Windows and Linux PCs may have inadvertently done some free bug testing for the Linux operating system. On Wednesday Linux creator Linus Torvalds said he had patched his operating system kernel to fix a bug that had been preventing the virus from running.

The virus, called Virus.Linux.Bi.a/ Virus.Win32.Bi.a, was first reported by security vendor Kaspersky Lab on April 7, which labeled it an interesting proof of concept program, because of its ability to affect both Windows and Linux.

After discovering the virus did not work on recent versions of Linux, open-source developers did a little investigative work and discovered that this was due to an obscure bug in the compiler used by Linux. News of this bug was first reported on the NewsForge.com Web site.

The bug affects versions of Linux that were compiled using a certain kernel option, called REGPARM, which was recently enabled by default, according to Torvalds.

Torvalds has now patched the problem in his version of the Linux kernel, which is used by developers. Most users, however, won’t see the patch until version 2.6.17 of the kernel is released, he said.

This patch fixes what Torvalds calls a “benign” bug that has no effect on most programs. It also helps Virus.Linux.bi work in systems where it otherwise would have been ineffective.

But Torvalds said there are a couple of reasons why his fix doesn’t really help the bad guys. First, he disputed the idea that Virus.Linux.Bi is actually a virus. “It ends up really being just a program that writes to files that it has permissions to write to. Nothing wrong with that,” he said. “It just does so in an interesting manner that means that it gathers more publicity.”

And even if the proof of concept code could be put to malicious use, it would have been a trivial matter for “any serious bad guy” to overcome the compiler bug that was preventing it from working, Torvalds added.

“Fixing the bug in no way made for worse security,” he said. “Quite the reverse: fixing a latent bug that doesn’t matter today is absolutely required for good security tomorrow. Anybody who tells you otherwise is incompetent.”

To date, Kaspersky has not seen any hackers adopt the proof of concept code for use in real attacks, though the security vendor says that it’s still possible that malicious “black hat” hackers could put it to use. “There are always black-hatters out there that are going to try to use part of it to create something new,” said Shane Coursen a senior technical consultant with the company. “We may see another virus using the same method of cross-platform infection.”