Fear of a Linux virus
[Posted April 11, 2006 by corbet]
There can be no doubt that the folks at Kaspersky Lab are persistent. Back
in 1999, Kaspersky released its anti-virus product for Linux; the company
also claimed to be preparing "the world's first Linux-based rescue disk." In
2000, the company claimed that "new viruses for Linux appear every day,"
though it backed down when that claim was questioned. Now Kaspersky claims
to have encountered a "cross-platform virus," which is capable of infecting
both Linux and Windows systems. Time to be worried:
The virus doesn't have any practical application - it's classic
Proof of Concept code, written to show that it is possible to
create a cross platform virus. However, our experience shows that
once proof of concept code is released, virus writers are usually
quick to take the code, and adapt it for their own use.
There is hope, however: worried system administrators need only purchase
Kaspersky's anti-virus service, and they will be protected from the threat
of this new cross-platform virus.
Strangely enough, Linux administrators have somehow managed to avoid going
into a panic over this announcement. In fact, few Linux users feel any
more threatened than they did before.
This new "virus" is a program which is able to inject its code into
executable files found in the current working directory. It can't be the
first code with this capability - that particular problem is not especially
hard to solve. Given write access to an executable file, a program can
write to that file. If it is coded to write something unpleasant, that is
what will happen.
What this "virus" appears to lack is any sort of propagation mechanism. If
somebody runs it, their executable files will be corrupted, but it has no
way of traveling further. Any attempt to add propagation to this code will
run into some well-known problems: (1) getting Linux users to run
random malware is still challenging, and (2) most Linux users lack the
access to modify most of the executables they run, most of the time. The
normal protection mechanisms designed to keep users from accidentally (or
maliciously) damaging their systems will also serve to impede any attempt
to infect those systems.
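The paragraph above rests on one measurable property: an ordinary account cannot write to most of the executables it runs. As an added example (not code from the article), here is a small POSIX shell audit that lists the executables on a colon-separated search path which the invoking user can both execute and modify; the function names `writable_execs` and `count_writable_execs` are this example's own. From an unprivileged account on a packaged distribution it should print nothing.

```shell
#!/bin/sh
# Added example, not code from the LWN article. Lists the executables on a
# colon-separated search path that the calling user can both run and modify:
# exactly the files a current-directory infector running under that account
# could overwrite. Function names are this example's own.

# writable_execs DIRLIST: print each regular file under the listed directories
# that is executable and writable by the caller, one per line.
writable_execs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        # Skip empty, relative and non-existent entries (a relative PATH entry
        # is a separate problem, not the one measured here).
        case $dir in /*) ;; *) continue ;; esac
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ] && [ -w "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# count_writable_execs DIRLIST: number of such files; 0 is the healthy result
# for an unprivileged account on a packaged distribution.
count_writable_execs() {
    writable_execs "$1" | wc -l | tr -d ' '
}

# Audit the caller's own search path when run directly.
writable_execs "$PATH"
```

Run it as the account that actually launches programs, not as root, since root can write to everything and the result says nothing about the ordinary-user case the article discusses.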
One should not say that writing a rapidly-propagating, Linux-based virus or
worm is not possible. Sooner or later, somebody will probably pull it
off. But any such malware will have to exploit an open security
vulnerability in the target systems, and any vulnerability which is
exploited in this manner will be closed in a hurry. Commercial anti-virus
products work by trying to keep threatening malware away from the system
altogether. The Linux way of doing things, instead, is to make the system
resistant to the attack vector used by the malware in the first place.
Security updates may propagate a little more slowly than virus
descriptions, but the end result will tend to be far longer-lasting.
So it is not clear that there will ever be a real market niche for
anti-virus products on Linux systems. Linux administrators prefer to fix
the root problem, and most distributors have well-tuned mechanisms in place
for making those fixes quick and easy. Anti-virus products add complexity
to a system, can create problems of their own, and may well not be any more
effective against any sort of "zero-day" attack. If, in the future, we find
ourselves truly needing anti-virus software, our development process will
have failed badly. Chances are that we will not fail in that way, but the
flow of scary press releases from anti-virus companies will certainly
continue regardless.