Fear of a Linux virus
There is hope, however: worried system administrators need only purchase Kaspersky's anti-virus service, and they will be protected from the threat of this new cross-platform virus.
Strangely enough, Linux administrators have somehow managed to avoid going into a panic over this announcement. In fact, few Linux users feel any more threatened than they did before.
This new "virus" is a program which is able to inject its code into executable files found in the current working directory. It can't be the first code with this capability - that particular problem is not especially hard to solve. Given write access to an executable file, a program can write to that file. If it is coded to write something unpleasant, that is what will happen.
What this "virus" appears to lack is any sort of propagation mechanism. If somebody runs it, their executable files will be corrupted, but it has no way of traveling further. Any attempt to add propagation to this code will run into some well-known problems: (1) getting Linux users to run random malware is still challenging, and (2) most Linux users lack the access to modify most of the executables they run, most of the time. The normal protection mechanisms designed to keep users from accidentally (or maliciously) damaging their systems will also serve to impede any attempt to infect those systems.
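As an added example (not code from the article or its comments), the following Python audit, assuming a POSIX host, checks the precondition the editorial describes: which executables a given user could overwrite, plus whether a "." or empty PATH entry makes the working directory searched. The sandbox files and the unrelated uid (owner + 1) are constructed for the demonstration.

```python
import os
import stat
import tempfile

def user_can_write(st, uid, gids):
    """Classic mode-bit check: may uid (member of gids) write this file?
    Root always can; POSIX ACLs and capabilities are ignored (first-pass audit)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def is_executable_file(st):
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def infectable_executables(dirs, uid, gids):
    """(path, reason) for each executable under dirs that uid could overwrite."""
    found = []
    for d in dirs:
        if d in ("", "."):  # PATH entry naming the working directory
            found.append((".", "current directory on PATH"))
            continue
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            st = os.stat(path)
            if is_executable_file(st) and user_can_write(st, uid, gids):
                found.append((path, "writable by uid %d" % uid))
    return found

def demo():
    """Constructed sandbox: 0755 script (owner-writable), 0777 script, plain data file.
    Returns basenames flagged for the owner and for a hypothetical unrelated uid."""
    tmp = tempfile.mkdtemp()
    for name, mode in (("owned", 0o755), ("loose", 0o777), ("data.txt", 0o666)):
        path = os.path.join(tmp, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(path, mode)
    owner = os.getuid()
    as_owner = [os.path.basename(p) for p, _ in infectable_executables([tmp], owner, os.getgroups())]
    as_other = [os.path.basename(p) for p, _ in infectable_executables([".", tmp], owner + 1, ())]
    return as_owner, as_other
```

Run against the real PATH as the unprivileged user in question, the list is typically empty apart from anything under the user's own home directory, which is exactly the editorial's point.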
One should not say that writing a rapidly-propagating, Linux-based virus or worm is not possible. Sooner or later, somebody will probably pull it off. But any such malware will have to exploit an open security vulnerability in the target systems, and any vulnerability which is exploited in this manner will be closed in a hurry. Commercial anti-virus products work by trying to keep threatening malware away from the system altogether. The Linux way of doing things, instead, is to make the system resistant to the attack vector used by the malware in the first place. Security updates may propagate a little more slowly than virus descriptions, but the end result will tend to be far longer-lasting.
So it is not clear that there will ever be a real market niche for anti-virus products on Linux systems. Linux administrators prefer to fix the root problem, and most distributors have well-tuned mechanisms in place for making those fixes quick and easy. Anti-virus products add complexity to a system, can create problems of their own, and may well not be any more effective against any sort of "zero-day" attack. If, in the future, we find ourselves truly needing anti-virus software, our development process will have failed badly. Chances are that we will not fail in that way, but the flow of scary press releases from anti-virus companies will certainly continue regardless.
Posted Apr 13, 2006 3:47 UTC (Thu) by jamesm (guest, #2273) (3 responses)
Posted Apr 13, 2006 5:04 UTC (Thu) by eru (subscriber, #2753)
Indeed. I recall reading recently somewhere that most Windows malware these days propagates by "social engineering" tricks, not any more by operating system or application holes. The user is tricked into executing code from an email or web page, which then can do whatever the user has authority to do, which usually includes sending more copies of the email.
The more Linux desktops get "Windows-like" automation features (and both Gnome and KDE keep trying to add them), the more susceptible Linux becomes to this kind of malware. Technically the OS does not get infected (kernel, /bin, etc. are safe), but the user's desktop environment could be, meaning whatever he does within it may be compromised. See the recent LWN discussion here (".desktop files and security")
Posted Apr 13, 2006 5:05 UTC (Thu) by JoeBuck (subscriber, #2330)
The right way, when a vulnerability is found, is to patch the vulnerability, so that no possible malware can exploit it. If this isn't possible right away, it is sometimes possible to offer other defenses. But trying to recognize malware is not the right approach.
Posted Apr 20, 2006 9:01 UTC (Thu) by Wol (subscriber, #4433)
And yet, WordPerfect is only vulnerable to viruses through its VBA add-in (which I never install :-)
Hopefully, the OOo and any other office-type authors on linux have gone down the "emulate WordPerfect" route, not the "emulate MS" one when adding scripting to their apps.
So no. There's no reason why linux should be vulnerable to macro viruses, other than thanks to stupid developers and idiot PHBs.
Cheers,
Posted Apr 13, 2006 5:14 UTC (Thu) by nlucas (guest, #33793) (4 responses)
A simple user-mode trojan can (as long as someone decides to run it) set up a keylogger, have an IRC bot running in the background, send spam (even if not using the Outlook contact list, they can get the contacts from a webpage, or even Google), etc.
In my opinion, the only reason there are not many threats in the *nix world is just because there are easier platforms to exploit (and, luckily for the hackers/script kiddies, they are the majority).
Of course, the fact that Joe "HaveNoIdeaOfComputers" Smith is mostly using those other platforms has a big role in this.
Posted Apr 13, 2006 6:34 UTC (Thu) by tzafrir (subscriber, #11501) (3 responses)
UNIX/Linux desktops were designed with that in mind.
Posted Apr 13, 2006 7:41 UTC (Thu) by nlucas (guest, #33793) (2 responses)
The point is that the fact users don't run with administrator rights doesn't make them free from having malware running, as malware doesn't need to run as root to do damage to the user data (even if the OS is protected from being infected).
It just gets easier to remove the malware, nothing more.
Posted Apr 13, 2006 15:32 UTC (Thu) by martinfick (subscriber, #4455) (1 responses)
I try to (and I suspect others will more and more) keep my data in a repository. Without root, you really would have a hard time destroying my data. I am sure that plenty of people have scripts and what not that run as root to back up user data with the idea that if the user account is compromised, at least an admin can restore most user data.
Posted Apr 13, 2006 19:31 UTC (Thu) by nlucas (guest, #33793)
Posted Apr 13, 2006 11:23 UTC (Thu) by wouter (guest, #10160) (1 responses)
On a world-wide scale, the largest monoculture is the most viable for viruses. Even between Linux desktops there is, I think, a much larger variation in software, which makes it very hard to create a virus that will not just run, but also spread.
Posted Apr 14, 2006 4:04 UTC (Fri) by pm101 (guest, #3011)
No explicit security holes required.
Posted Apr 13, 2006 19:15 UTC (Thu) by smoogen (subscriber, #97) (1 responses)
The largest groups that I find affected by this are Linux and Mac OS X people who somehow seem to have bought the "we are immune to viruses". Sure you didn't get a virus that was trying to send out 2 billion versions of yourself. But you did end up with a nice keystroke logger, a spam relay, and a P2P child porn relay.
Linux users do not have magical powers against social engineering. On some internal auditing.. we found that the Linux people were as likely to follow the nude AnnaK emails as the Windows people (even the Unix admins who had been doing this for 20+ years). We found more Linux desktops with broken versions of Firefox than we did Windows because admins thought they were immune to anything..
Posted Apr 14, 2006 15:50 UTC (Fri) by giraffedata (guest, #1954)
Targeted how? I assume targeted means the sender chooses the recipient intelligently, whereas mass virus means the sender chooses the recipient indiscriminately.
Posted Apr 15, 2006 19:19 UTC (Sat) by stock (guest, #5849)
I'm not an expert in this area, but I suspect there's potential for malware to infect Linux via MS-workalike spreadsheet macros and similar types of high level code distributed by users. Linux is definitely not immune, and people should never become complacent.
Fear of a Linux virus
Fear of a desktop virus?
Of course. But the virus companies offer a "round up the usual suspects" approach. Instead of closing security holes, they want to detect the specific programs that attack the holes. As soon as someone makes a new one, everyone is vulnerable until the virus companies upgrade their patterns, and this forces all the users of the anti-virus software to keep buying the service, so they get the upgrades. It is the wrong way to secure systems.
Fear of a Linux virus
WordPerfect has macro capability. PerfectScript is considered more powerful than VBA.
Fear of a Linux virus
Wol
People sometimes forget that one doesn't need to compromise a system (meaning, becoming root) to do enough damage.
Fear of a Linux virus
If you managed to get your code executed on a remote system, you've already compromised it.
Fear of a Linux virus
Yes, but that is not the point (Microsoft also said the same thing at the start, as its defense about the majority of the security problems).
Fear of a Linux virus
Why is it so common for 'security naysayers' to assume that people running linux have the same myopic habits as people in the single workstation / single user world of windows? Most linux users understand the idea of trying to protect their data against compromises and just plain user error. They typically do not inherently trust just storing their valuable data only in their home directories.
Fear of a Linux virus
Why is it so hard for people to learn that security by user education only works _AFTER_ the fact?
Fear of a Linux virus
Just go to a linux noobs IRC channel and look how people swap scripts and run them without any care.
Mostly they are using their own PCs, so no chance of having an admin to correct their mistakes.
If they get rooted, as with any Windows machine in a botnet, they will do as much damage to all of us as any other in the botnet.
An often overlooked factor is the propagation factor. In order for a virus to spread widely, it needs to infect more than one other host during its lifetime. Otherwise, it will die out. That's why viruses are helped a lot by monocultures.
Fear of a Linux virus
Depends on the type of spread. Problem with GNU/Linux, and Unix in general, is that users tend to be able to log in remotely and be multiuser. If someone compromises my laptop, they can trivially compromise all the machines I ssh to from my laptop as well. If I su to root (instead of logging out in some hard way, and logging in as root anew) they can gain root access too. If someone ssh's from my account, they've got their accounts too. It's only a matter of time before someone writes a virus/worm with sophisticated takeovers via commandeering ssh, su, as well as capturing random passwords through key capture. An ssh virus/worm, if somehow undetected, could probably spread like wildfire, just by virtue of the way Unix is used on university networks.
Fear of a Linux virus
Ok, every time that this is brought up there are a lot of people saying it won't happen, won't be a problem, etc. The major thing that virus software stops these days is malware packages (worms, spyware, keystroke loggers etc). Mass viruses are not the major vector these days.. targeted malware is what we see coming in.. it comes in for linux, windows, macosx and god knows what else.
Forget viruses.. think malware.
Forget viruses.. think malware.
Mass viruses are not the major vector these days.. targeted malware is what we see coming in..
Fear of a Linux virus
If people, who can create a solid linux distro, get fired, like happened to the founder of Mandrake/Mandriva, and their replacements have less capabilities, of course then in the end all software gets torn down in quality.
Now who would like to see the quality of a Linux distro go down the tubes?
Enough said. So Ladies and Gentlemen, know what you have running today, and guard its source code with yar life!
Robert M. Stockmann