Evans Data has sent out a
press release about a Linux security survey done by the company.
"Ninety two percent of survey respondents indicated that their Linux
systems have never been infected with a virus, according to Evans Data's
new Summer 2004 Linux Development Survey." The PR lacks an answer
for the most interesting question, however: what, exactly, happened to the
other 8%?
Evans Data on Linux security
Posted Jul 28, 2004 15:27 UTC (Wed) by allesfresser (subscriber, #216)
Perhaps the 8% were mail servers that merely transmitted a legacy-compatible virus? ;-)
Evans Data on Linux security
Posted Jul 28, 2004 15:37 UTC (Wed) by QuisUtDeus (guest, #14854)
Maybe they had a problem and attributed it to a virus. It would be an easy "It's not my fault" conclusion that is nebulous enough not to be challenged or proven wrong.
Evans Data on Linux security
Posted Jul 28, 2004 15:46 UTC (Wed) by khim (subscriber, #9252)
It's a weak argument. If a Linux server is infected, it's usually the admin's fault - usually a problem with account separation or something. In big multiuser systems, anyway. On the desktop... it's another kettle of fish.
Evans Data on Linux security
Posted Jul 28, 2004 15:44 UTC (Wed) by khim (subscriber, #9252)
They got infected? There are Linux viruses in the wild, you know...
Which virus?
Posted Jul 28, 2004 16:12 UTC (Wed) by alonso (subscriber, #2828)
Good point! Are there Linux viruses?
Which virus?
Posted Jul 28, 2004 18:27 UTC (Wed) by khim (subscriber, #9252)
Yes, I've seen a Linux system infected by a virus. I can still send you infected files from backup; it's in the databases of most antivirus packages, so it can be cured. And your point is... what exactly?
Which virus?
Posted Jul 28, 2004 20:36 UTC (Wed) by Ross (subscriber, #4065)
That's very interesting. I'd be interested in looking at a copy. How do you want to do that?
Which virus?
Posted Jul 29, 2004 8:08 UTC (Thu) by khim (subscriber, #9252)
Grab a copy yourself (the file SSL-scan.tar.gz has it). It's not where it came from on our system (at least I hope not), but it's one way to get an infected binary.
Evans Data on Linux security
Posted Jul 28, 2004 16:21 UTC (Wed) by stuart (subscriber, #623)
I am not a sheep.
Evans Data on Linux security
Posted Jul 28, 2004 19:04 UTC (Wed) by khim (subscriber, #9252)
What has that got to do with anything? Do you need a copy of the virus I found on some system in our lab so you can infect your computer and stop this nonsense?
Yes, Linux is more secure against viruses, but the times when you could honestly say there are no Linux viruses in the wild are gone. Linux viruses have been out there in the wild for a few years now.
Guys, wake up! Linux is in no way immune against viruses and time come when it's not just theory but hard fact of life... More resistant then typical Windows installation - yes, immune - no...
Evans Data on Linux security
Posted Jul 28, 2004 19:29 UTC (Wed) by nix (subscriber, #2304)
Worms, yes, Viruses (be it file-infector, macro `virus', or email-client-buffer-overflowing `virus'), no. The Linux desktop is too diverse and not numerous enough: such would not survive to replicate.
Evans Data on Linux security
Posted Jul 29, 2004 8:14 UTC (Thu) by khim (subscriber, #9252)
Not diverse enough, it seems. A file-infector I've seen in the wild myself; a buffer-overflowing virus was detected in the wild, and so on. No, it's just your wish that it was so. Linux diversity is a good thing, but a panacea it is not.
Evans Data on Linux security
Posted Aug 5, 2004 20:48 UTC (Thu) by rickmoen (subscriber, #6943)
khim wrote:
Not diverse enough, it seems. A file-infector I've seen in the wild myself [link]; a buffer-overflowing virus was detected [link].
Links were to a copy of the ELF_GMON.A ELF-infector virus and to the Ramen worm. Let's talk about that:
ELF_GMON.A is a generic ELF infector basically indistinguishable from any other ELF infector — Staog, Bliss, Vit, RST (Remote Shell Trojan), Gildo, OSF, Kagob, Satyr, Rike (Rike.1627), Winter (Lotek), Diesel, Nuxbee, Winux (PEElf, Pelf), Svat, Obsidian.E, Simile (Etap), Jac, Pavid (Alfa.dr), Telf, Ynit, Blitz, Zipworm (distinctive only in that it likes to infect ELF files in Zip archives), and Penguin — and thus a priori unlikely to "appear in the wild" under its own power given the relative shortage of admins willing to run untrustworthy binaries with root authority. (Few people have many ELF binaries sitting around in ~/bin/ and such, writable by regular users, and even those people can shoot only their own files in the foot.)
The reason ELF_GMON.A can be credibly claimed to have been observed "in the wild" nonetheless is that it's a standard inclusion in the Suckit rootkit, as it activates a backdoor for the intruder on UDP port 3049.
So, in short — as is the case generally for Linux malware — if ELF_GMON.A is active on your system, and especially if it has been able to write to privileged binaries, you have much, much, bigger problems than the virus itself: You have a root-owning intruder who entered through other means entirely. The presence of ELF_GMON.A in such cases (which comprise 100% of the credible "in the wild" claims, as far as I can tell) is an after-effect of his having rooted your system, rather than being the means of attack.
That brings us to Ramen, about which my notes are as follows:
Slapper (Cinik, Unlock)
Worm.
First seen: Sept. 13, 2002.
Details: Automated attack against a very specific and rare combination of Apache w/OpenSSL 0.9.6d / 0.9.7beta1 or earlier. Overflow in question was fixed July 2, 2002.
We see once again the recurring refrain with Linux malware: If your system was successfully rooted by Ramen, it's because you had a much, much bigger and fundamental problem: You were running a network service on the public Internet and failed to heed warnings about a notorious OpenSSL vulnerability for two months or longer — usually much longer.
The problem, then, would not have been Ramen on such a system, but rather grossly incompetent system administration — not, mind you, on a desktop system, but rather on a system whose owner decided to offer e-commerce-type network services to the entire public Internet — that left the system wide open to an extremely well known vulnerability. Lesson: If you can't be bothered to read your distribution's security-alert mailing list, at least use yum, apt-get, up2date, etc. to leverage the diligence of those who do.
All of the other worms targeting Linux to date (cheese, l10n, Adore, lpdw0rm, Slapper, Mighty, Adm, SSHD22, Millen, and Sorso) have been exactly like that: automated attack tools aimed at incompetent administrators who neither bothered to notice and fix notorious, long-patched vulnerabilities nor used maintenance regimes to repair them semi-automatically (apt-get, etc.). I'm preparing a rundown of those, to make that point, and to outline what more credible threats potentially apply (in theory, unsafe mailcap files; more commonly, theft of security tokens): Meanwhile, I've posted some notes on various worms and viruses.
Rick Moen
rick@linuxmafia.com
Evans Data on Linux security
Posted Jul 28, 2004 20:35 UTC (Wed) by Ross (subscriber, #4065)
I don't think that's true, at least not in the wild. There are Linux worms, but they died off a long time ago as they exploited old Apache vulnerabilities.
Evans Data on Linux security
Posted Jul 28, 2004 16:30 UTC (Wed) by iabervon (subscriber, #722)
People have successfully gotten viruses working with WINE. I seem to recall someone actually running a virus accidentally with WINE and reporting that this had happened.
Varying definition of virus, non-immunity.
Posted Jul 28, 2004 16:37 UTC (Wed) by dwheeler (guest, #1216)
First, this is a survey result, so the definition of "virus" will be whatever "virus" means to the surveyee. Many people use the term "virus" as a synonym for "malware". For example, many people include as a "virus" any executable program that, when run by a user, does malicious things. Also, many consider a worm a "virus" by their definition. That's unfortunate, because countering different kinds of malware requires different approaches; it'd be better if everyone used the more technical (and technically correct) terminology. But that's the nature of a survey unless the surveyor carefully defined the term first, and all surveyees understood it that way... which I doubt. Thus, I suspect that "virus" includes what many would call a "malicious executable" and "worm". Anyone know otherwise? It's easy to create a malicious executable for GNU/Linux; the trick is to convince mail clients and users to actually install and run such a thing, since GNU/Linux mail clients are usually hardened specifically against this sort of thing, and privilege separation makes some attacks less spectacular.
Second, it is possible to infect a GNU/Linux machine with a virus, original definition, even though it's not easy. Many people install programs to their specific user (e.g., in ~/bin), and those can be infected by running a program (though it wouldn't immediately infect other users of that machine, if there are any). More important, creating programs in ~/bin, or modifying configurations, can have some of the same effects as a virus that modifies a binary executable. Too many people run as root (Lindows!) and they CAN infect everything. And if a user ever switches to a privileged situation, a malicious program can probably piggyback those privs (e.g., Red Hat Linux; once you type in the root password to enable the "keys" other programs can probably piggyback, and then modify the main installation).
I think there's excellent evidence that GNU/Linux systems tend to be more resistant to viruses than Microsoft Windows, but they're not immune. On the other hand, I'd rather be a person with a resistant immune system when I enter a germ-ridden environment, and the same holds true for computers.
Varying definition of virus, non-immunity.
Posted Jul 28, 2004 18:58 UTC (Wed) by khim (subscriber, #9252)
Yes, exactly. I've seen a lot of viruses on Windows systems but only a handful on Linux systems. Note: HANDFUL != NONE. I've seen Linux.OSF.8759 and some other (I don't remember the name - it was detected and eradicated quickly) on only three systems out of more than 100 in use. And in all cases it was not some central server with an active sysadmin but rather normal workstations where the system was used to do something and nobody bothered to actively keep it up-to-date - basically the same situation most Windows systems are in, and the situation most Linux systems will be in once Linux penetrates the desktop.
Still... I cannot see why you feel so smug: try to read the description of Linux.OSF.8759 and then claim again that Linux is a virus-free system.
Linux viruses are out there in the wild, and while still not very frequent, it's only the beginning!
Simple denial and ignorance will not fix the problem.
Varying definition of virus, non-immunity.
Posted Jul 28, 2004 19:39 UTC (Wed) by utidjian (guest, #444)
Very nice description... but it is kinda short on the details. So I went googling for it. Seems most hits are just a cut-n-paste of the link you gave.
I still don't see how the virus gets on the system. Any ideas?
I still don't see how it would affect all users of a system unless it can also infect system binaries. Any ideas?
I don't see how this can spread beyond the users home folder let alone to another machine on the system. Any ideas?
You mean someone downloaded something from the net then deliberately ran it as root without checking it???? (checking for GPG signatures and MD5sums at the very least.)
-DU-...etc...
Varying definition of virus, non-immunity.
Posted Jul 28, 2004 20:08 UTC (Wed) by evgeny (guest, #774)
There are things which are called "security holes", in particular "local root exploits". Check the Linux security bulletins and you'll find some during just the last few months.
Varying definition of virus, non-immunity.
Posted Jul 29, 2004 3:33 UTC (Thu) by utidjian (guest, #444)
I am aware of security holes... especially local and remote root exploits. Those are still NOT viruses. I was rooted once remotely via some imap thing in Red Hat 5.2. IIRC all Linux distros were vulnerable at that time for a little while. I had just updated to 5.2 and hadn't applied the patch yet. That was not a virus... it was a user logging in to my system and using it for their own purposes. For a local root exploit to work one needs a local user to run the software. Again... that is not a virus. The local user may run the program deliberately, in which case one has a user problem in addition to having to patch the system. If a local user is tricked into running the program one still has a user problem and the hole to patch. In either case it is not a virus. For a virus to exist beyond a single machine it has to not only replicate but spread itself across different hosts. The virus has to attach itself to an executable and somehow transfer that file to a different host and then somehow get it to run on the other host. How would one do this? Via email? Ftp?
-DU-...etc...
Varying definition of virus, non-immunity.
Posted Jul 29, 2004 8:39 UTC (Thu) by khim (subscriber, #9252)
Bingo! But... had your user written the exploit from scratch? Was it put on a Debian mirror with a nice MD5 sum and GPG checksum? Was it compiled from sources?
It's very easy to see a virus piggybacking on malware: worms, rootkits, etc. And once a system is infected, not even recompilation from sources will help...
You somehow forgot that malware is not immune to plain old viruses! But even if the "regular" malware is detected and removed, the virus can go on :-( Yes, there are ways to detect its presence (the rpm/dpkg database has MD5 sums for all executable files installed from packages), but only until there are stealth viruses. And it's only a matter of time - stealth viruses will come. It just looks like most virus writers do not bother with Linux... yet. Diversity, yes, it's a real problem, but as Linux grows even small islands (the "Fedora Core 2" island, the "Debian 3.0r2" island, the "Mandrake 10.0" island, etc.) will become attractive for virus authors - and there is the possibility of writing cross-platform viruses! Not just Debian/RedHat compatible viruses, but more like LinuxELF/Win32EXE/Word6Doc viruses. What then? A virus can safely sleep in a backup of someone's work in .doc format and then later become active again via MS Office run under WINE...
Yes, the situation with viruses on Linux is better than with viruses on Windows - but it's not the result of some inner immunity and/or sheer belief in Linux's immunity. Times are changing. The mantra "there are no Linux viruses in the wild" is a thing of the past - drop it before it becomes just an embarrassment for yourself.
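khim's point above is that the rpm/dpkg database records an MD5 sum for every packaged file, so an ELF infector that rewrites a packaged binary shows up as a mismatch, but only until the intruder or a stealth virus rewrites the database too. The script below is an added example, not code from this thread or from dpkg: it parses the dpkg `.md5sums` file format (one `<md5hex>  <path relative to />` per line, as kept under /var/lib/dpkg/info/) and checks a constructed sample tree; `verify`, `demo` and the file names and contents are my own invention.

```python
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are not slurped."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse dpkg .md5sums text ('<md5hex>  <path>' per line) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest.lower()
    return entries


def verify(md5sums_text, root="/"):
    """Return (modified, missing): packaged files whose hash changed or that vanished.

    Only as trustworthy as the md5sums file itself: a root-level intruder or a
    stealth infector can rewrite it, so keep a copy off-box or use a rootkit
    checker as well.
    """
    modified, missing = [], []
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected:
            modified.append(rel)
    return modified, missing


def demo():
    """Constructed sample tree (not a real system): one clean binary, one whose
    bytes changed after packaging, one deleted. Returns verify()'s result."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "usr/bin"))
        clean = b"#!/bin/sh\necho hello\n"
        shipped_ls = b"ELF-original" + b"\x00" * 16
        with open(os.path.join(root, "usr/bin/hello"), "wb") as f:
            f.write(clean)
        with open(os.path.join(root, "usr/bin/ls"), "wb") as f:
            f.write(shipped_ls + b"extra-bytes-appended-after-install")
        md5sums = "\n".join([
            hashlib.md5(clean).hexdigest() + "  usr/bin/hello",
            hashlib.md5(shipped_ls).hexdigest() + "  usr/bin/ls",
            hashlib.md5(b"gone").hexdigest() + "  usr/bin/removed",
        ])
        return verify(md5sums, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # (['usr/bin/ls'], ['usr/bin/removed'])
```

On a real Debian system, feed `verify()` the contents of /var/lib/dpkg/info/<pkg>.md5sums with root="/"; `debsums` and, on RPM systems, `rpm -Va` do the same job from the package database, subject to the same caveat that whoever owns root can rewrite the sums.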
Varying definition of virus, non-immunity.
Posted Aug 5, 2004 23:32 UTC (Thu) by rickmoen (subscriber, #6943)
khim wrote:
The mantra "there are no Linux viruses in the wild" is a thing of the past - drop it before it becomes just an embarrassment for yourself.
I'll be glad to amend that to "There are Linux viruses in the wild only for extremely contrived values of 'in the wild'." Your two examples of that genre (posted elsewhere in this thread) were enlightening, and so are useful in clearing up confusion on the subject. To review:
1. An ELF infector, plausibly claimable as existing "in the wild" solely because intruders who've rooted systems through other means entirely tend to set it loose (in conjunction with the Suckit rootkit) in order to maintain their backdoor access.
2. An automated worm attack against a particular configuration within Apache of a specific obsolete version of OpenSSL — that was fixed July 2, 2002, over two years ago and 2 1/2 months before the worm appeared.
So, lessons:
1. Keep your system up to date. That's what the updating tools are for. Among other things, that makes any malware you do stupidly execute less likely to be able to escalate privilege.
2. Don't run network daemons exposed to public networks, unless/until you're willing to be responsible for patching vulnerabilities as they are found, or shut them down instead.
3. If you've already suffered root compromise, after that has already happened, don't be surprised if there are ELF-infector viruses and much worse things. Read the friendly FAQ.
4. Take with a huge grain of salt people's claims about malware "in the wild", especially when the claimant cannot answer the obvious question, asked by 'utidjian' but never properly answered, about "how the virus gets on the system". (The reply to 'utidjian' by 'evgeny' was enlightening: "security holes". If you have unpatched, significant security holes, then you have much bigger problems than malware, don't you?)
5. Pay attention to your system's treatment of "active content" such as any form of document that has macro capability. Read your mailcap files, to see how attachments are treated. Take considerable comfort (in that area) from the fact that many others have already done so, which is why, e.g., calls to PostScript viewers use the "-safer" option to disable PS file access, and why PDF lacks those file functions entirely. (Had a sudden revelation that emacs or TeX viruses might be possible? Gosh, you're only about a decade or two behind the curve. Go ahead and write one — then find out how and why it's completely impractical to make your self-infected system spread it to elsewhere.)
6. Realise that dual-boot and similar (e.g., WINE) setups can be indirectly affected by non-Linux malware problems.
7. Understand that fast, widespread, automated leveraging of a surprise remote root exploit against your network stack(s), particular network daemons not previously known to be vulnerable, etc. could happen at any time. (Got backups? Got a rebuild plan?) Understand, that notwithstanding, that at least the record of giving people advance warning of these on Linux/BSD, even on bugware like wuftpd and Berkeley lpd/lprng, BIND8, and NFS/portmapper, has been so far excellent.
8. Having done all of that, feel comfortable in dismissing "Guys, wake up! Linux is in no way immune against viruses and time come when it's not just theory but hard fact of life" postings — that don't recognise those matters of context and perspective — as pretty much content-free humbuggery.
Rick Moen
rick@linuxmafia.com
Varying definition of virus, non-immunity.
Posted Jul 29, 2004 9:40 UTC (Thu) by evgeny (guest, #774)
Exploits are not viruses; but they allow viruses to bypass security barriers imposed by the OS.
Varying definition of virus, non-immunity.
Posted Jul 29, 2004 8:19 UTC (Thu) by khim (subscriber, #9252)
Perhaps your googling skillz need retraining. I found a link where you can get a copy of this virus in less than 5 minutes. Here, for example.
If you wish you can play with it yourself (carefully!).
Varying definition of virus, non-immunity.
Posted Jul 28, 2004 20:40 UTC (Wed) by Ross (subscriber, #4065)
How on Earth did people manage to infect their systems? There's really no excuse for this type of problem: you have to work really hard to find an infected executable. I've been looking for years and have never found one. Were these people downloading binaries off of P2P networks or something?
Worms and Script kiddies ... probably
Posted Jul 28, 2004 20:16 UTC (Wed) by AnswerGuy (guest, #1256)
I'm guessing that the other 8% were mostly people who were conflating virus infection with infestation by a worm or by script kiddies. Everyone who ever ran chkrootkit and/or RootkitHunter and found that they were "infected" might have responded in that category.
We can nitpick over the differences among viruses, worms, exploits (and rootkits dropped in by compromising crackers). Ultimately that's all it is to the vast majority of users, business and industry analysts, and decision makers: nitpicking.
Keeping our "infection rate" under 10% is nice; and a damn sight better than MS Windows. But we can do better! I'm hoping that "hardened" distributions will help; but I think the Fedora SELinux efforts are a step in the wrong direction (introducing FAR too much complexity).
JimD
Evans Data on Linux security
Posted Jul 29, 2004 11:06 UTC (Thu) by DennisJ (subscriber, #14700)
"Ninety two percent of survey respondents indicated"
I think the final 8% are those who:
didn't fill in the question
answered "don't know"
made an invalid answer
have in fact been infected
The first three should have been subtracted (or their number should have been included as well), but often aren't.
Definition of "Linux system"
Posted Jul 29, 2004 11:58 UTC (Thu) by copsewood (subscriber, #199)
Is the "system" just the Linux bit, or does this include the filesystems (including Windows) which the Linux systems use and access when running on, say, a dual boot system? My Linux system detected a virus on an accessible filesystem, but this was a Windows virus which was a result of Windows specific malware. Sorry, but the survey question is probably too vague and meaningless to be useful. Linux systems are specifically designed not to work in isolation, so what is included and what is excluded, and did the question make these boundaries clear?