Although it can be a pain in the server to maintain two operating systems, it’s always been comforting to know that if you had, for example, both Linux/UNIX and Windows systems running, at least one would be immune to any new attack. That’s no longer the case.

Simile.D (aka Etap.D), which, fortunately for all of us hasn’t been seen on the Web (yet), can infect both Windows32 systems and Linux operating systems, making it the first effective cross-platform virus. A few earlier demonstrations of cross-platform viruses have been seen, but there has been nothing really solid until now. Earlier multiplatform attacks simply combined several different attacks, each targeting a different OS. Simile.D attacks the same vulnerability in both.

Risk level—low (for this strain)
This virus wasn’t released in the wild, and this version is pretty innocuous. But just because the risk from Simile.D itself is almost nonexistent, the mere existence of this kind of virus is a major threat that all security managers need to consider.

Applicability—Windows32 and Linux/UNIX systems
Simile.D infects portable executable (PE) files and executable and linking format (ELF) files on Windows32 platforms, and it infects ELFs on Linux systems.

Symantec has confirmed that this virus can attack versions 6.2, 7.0, and 7.2 of Red Hat Linux, and probably most, if not all, other Linux releases by Red Hat and other vendors. It can also infect any 32-bit version Windows.

Macintosh, and UNIX systems aren’t vulnerable, so those who opted for BSD UNIX instead of Linux as an inexpensive alternative to Microsoft are immune in this case.

The key word that most of the antivirus companies use in describing this virus is “complex.” No one can turn one of these out in an afternoon’s hard coding session. It’s so complex that less-sophisticated vandals probably won’t even be able to understand how it operates, so this sort of virus won’t be co-opted by script kiddies. It’s difficult to attack multiple operating systems, designing a good new polymorphic engine is complicated, and creating metamorphic viruses is an even tougher job.

The payload of Simile.D appears to be almost completely innocuous as it appears in this fourth version of what I would describe as a proof-of-concept virus. On systems where the host is a PE file, it displays a brief nonsense message on March 17 and September 17 of any year. PE files are executable across all Win32 platforms and include things such as.scr (screen saver) files.

Simile.D contains two attack mechanisms. One attacks ELFs, the other PE files. But since the ELFs are found on both Windows and Linux systems, this virus is unique in its virus taxonomy because it exploits the same vulnerability on both platforms.

Polymorphic viruses use transformation engines that alter the digital signature of the virus each time it runs. This makes it much more difficult to detect since antivirus engines can’t simply search for a specific code string. The basis of Win32 polymorphic viruses is an internal engine that can produce an endless string of new decryptors that change the appearance of the virus body (but not the data area).

Despite their complexity, and in part because of it, polymorphic viruses are essentially a dead-end as a class of viruses. Once antivirus companies distribute a detection method, the hackers have to spend a great deal of time developing a new polymorphic engine. The creation of a really efficient polymorphic engine is quite hard. Obviously, this becomes ever more difficult as each new good polymorphic code is used in a virus and subsequently found in the wild, and countermeasures for it are created and published.

Simile.D may particularly elusive because it isn’t merely polymorphic. It uses an engine to alter jump instruction code to disguise its entry point, and it combines metamorphic behavior with its polymorphic code. Metamorphic viruses are even more slippery, changing all their code, and they don’t contain a decryptor. They are difficult to find and pose a major threat to enterprise networks.

Just how polymorphic and metamorphic viruses operate is a complex topic, and the details are of interest mostly to those who write viruses or develop antivirus software. For most security managers, it is enough to know that Simile.D changes both its actual code and file size every time it is activated.

Final word
The French antivirus site said of this virus, “Even in the event of propagation, the contamination by a multi-OS virus would not present an additional danger compared to the traditional viruses” (translation by

I disagree. The fact that this virus can attack both major enterprise operating systems using vulnerabilities in the same feature (ELF) makes it especially dangerous. While it’s true that each individual infected system is in no greater danger, managers of enterprise systems with both Win32 and Linux machines now face even greater challenges because both parts of the system are in simultaneous danger. No longer will managers with Windows and Linux servers be able to feel comfortable about one part of their server architecture remaining safe in the event that a virus attacks one platform.

If, as seems likely, malicious hackers carry on the development of this new class of virus, the appearance of Simile.D may prove to be one of those watershed events like the appearance of the first macro virus (released, if I recall correctly, by Microsoft) or the first worm. Although the impact of Simile.D itself is virtually nonexistent at the moment, this is only the initial warning shot for Linux administrators and the many admins who are running a mix of platforms in an enterprise environment.

You can find more information about the metamorphic engines in the Symantec white paper “Hunting for Metamorphic Viruses.” A white paper about polymorphic viruses is available here.