Varying definition of virus, non-immunity.

Posted Jul 28, 2004 18:58 UTC (Wed) by khim (guest, #9252)
In reply to: Varying definition of virus, non-immunity. by dwheeler
Parent article: Evans Data on Linux security

Yes, exactly. I've seen a lot of viruses on Windows systems but only a handful on Linux systems. Note: HANDFUL != NONE. I've seen Linux.OSF.8759 and some other (do not remember the name - it was detected and eradicated quickly) only on three systems out of more than 100 in use. And in all cases it was not some central server with an active sysadmin but rather normal workstations where the system was used to do something and nobody bothered to actively keep it up-to-date - basically the same situation most Windows systems are in and the situation most Linux systems will be in once it penetrates the desktop.

Still... I cannot see why you feel so smug: try to read the description of Linux.OSF.8759 and then claim again that Linux is a virus-free system.

Linux viruses are out there in the wild and while still not very frequent, it's only the beginning!

Simple denial and ignorance will not fix the problem.

Varying definition of virus, non-immunity.

Posted Jul 28, 2004 19:39 UTC (Wed) by utidjian (subscriber, #444)

Very nice description... but it is kinda short on the details. So I went googling for it. Seems most hits are just a cut-n-paste of the link you gave.

I still don't see how the virus gets on the system. Any ideas?

I still don't see how it would affect all users of a system unless it can also infect system binaries. Any ideas?

I don't see how this can spread beyond the user's home folder, let alone to another machine on the network. Any ideas?

You mean someone downloaded something from the net then deliberately ran it as root without checking it???? (checking for GPG signatures and MD5sums at the very least.)

-DU-...etc...

Varying definition of virus, non-immunity.

Posted Jul 28, 2004 20:08 UTC (Wed) by evgeny (guest, #774)

There are things which are called "security holes", in particular "local root exploits". Check Linux security bulletins and you'll find some during just the last few months.

Varying definition of virus, non-immunity.

Posted Jul 29, 2004 3:33 UTC (Thu) by utidjian (subscriber, #444)

I am aware of security holes... especially local and remote root exploits. Those are still NOT viruses. I was rooted once remotely via some imap thing in Red Hat 5.2. IIRC all Linux distros were vulnerable at that time for a little while. I had just updated to 5.2 and hadn't applied the patch yet. That was not a virus... it was a user logging in to my system and using it for their own purposes.

For a local root exploit to work one needs a local user to run the software. Again... that is not a virus. The local user may run the program deliberately, in which case one has a user problem in addition to having to patch the system. If a local user is tricked into running the program one still has a user problem and the hole to patch. In either case it is not a virus.

For a virus to exist beyond a single machine it has to not only replicate but spread itself across different hosts. The virus has to attach itself to an executable and somehow transfer that file to a different host and then somehow get it to run on the other host. How would one do this? Via email? Ftp?

-DU-...etc...

Varying definition of virus, non-immunity.

Posted Jul 29, 2004 8:39 UTC (Thu) by khim (guest, #9252)

Bingo! But... had your user written the exploit from scratch? Was it put on a Debian mirror with a nice MD5 sum and GPG signature? Was it compiled from sources?

It's very easy to see a virus piggyback on malware: worms, rootkits, etc. And once the system is infected not even recompilation from sources will help...

You somehow forgot that malware is not immune against plain old viruses! But even if "regular" malware is detected and removed the virus can go on :-( Yes, there are ways to detect its presence (the rpm/dpkg database has MD5 sums for all executable files installed from packages), but only until there are stealth viruses. And it's only a matter of time - stealth viruses will come. It just looks like most virus writers do not bother with Linux... yet. Diversity, yes, it's a real problem, but as Linux grows even small islands (the "Fedora Core 2" island, the "Debian 3.0r2" island, the "Mandrake 10.0" island, etc) will become attractive for virus authors - and there is the possibility to write cross-platform viruses! Not just Debian/RedHat compatible viruses, but more like LinuxELF/Win32EXE/Word6Doc viruses. What then? A virus can safely sleep in a backup of someone's work in .doc format and then later become active again via MS Office run under WINE...

Yes, the situation with viruses on Linux is better than with viruses on Windows - but it's not the result of some inner immunity and/or sheer belief in Linux's immunity. Times are changing. The mantra "there are no Linux viruses in the wild" is a thing of the past - drop it before it becomes just an embarrassment for yourself.
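As an added example, not code from this thread or from any of its posters, here is the integrity check khim alludes to (the rpm/dpkg database of MD5 sums for installed files) and the checksum verification utidjian asks about, written in Python. It parses dpkg-style md5sums records (`<32 hex digits>  <path relative to />`, the format of the files under /var/lib/dpkg/info), hashes each recorded file under an install root and reports which files are unchanged, modified or missing. The install root, the file contents and the md5sums text are all constructed inline so the script runs offline; the "tampered ls" and the deleted README are simulated, not real samples. The same check is what `debsums` on Debian and `rpm -V` on RPM systems perform.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse dpkg-style md5sums lines ('<32 hex>  <relative path>') into {path: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 32 or not rel_path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        expected[rel_path] = digest.lower()
    return expected


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package_files(root, expected):
    """Return {rel_path: 'ok' | 'MISSING' | 'MODIFIED'} for every recorded file."""
    results = {}
    for rel_path, digest in expected.items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
        elif md5_of_file(full) != digest:
            results[rel_path] = "MODIFIED"
        else:
            results[rel_path] = "ok"
    return results


def build_demo_tree():
    """Constructed sample: a fake install root plus the md5sums recorded at install time."""
    root = tempfile.mkdtemp(prefix="md5sums-demo-")
    files = {
        "usr/bin/hello": b"\x7fELF original hello binary\n",
        "usr/bin/ls": b"\x7fELF original ls binary\n",
        "usr/share/doc/hello/README": b"docs\n",
    }
    lines = []
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    md5sums_text = "\n".join(lines) + "\n"
    # Simulate post-install changes: an infector appending itself to ls, and a deleted doc file.
    Path(root, "usr/bin/ls").write_bytes(files["usr/bin/ls"] + b"<simulated appended payload>")
    Path(root, "usr/share/doc/hello/README").unlink()
    return root, md5sums_text


def run_demo():
    """Build the constructed tree and verify it; returns the per-file status map."""
    root, md5sums_text = build_demo_tree()
    return verify_package_files(root, parse_md5sums(md5sums_text))


if __name__ == "__main__":
    for rel_path, status in sorted(run_demo().items()):
        print(f"{status:9s} {rel_path}")
```

Two limits the thread itself points at: the check is only as trustworthy as the environment it runs in (a resident rootkit, or the stealth viruses khim anticipates, can hand the hashing routine the original bytes), so it belongs on a clean boot medium inspecting the mounted disk; and the md5sums records must come from a copy the intruder could not have rewritten, such as the packages themselves or a snapshot taken at install time.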

Varying definition of virus, non-immunity.

Posted Aug 5, 2004 23:32 UTC (Thu) by rickmoen (subscriber, #6943)

khim wrote:

> Mantra "there are no Linux viruses in the wild" is thing of the past - drop it before it become just embarassment for yourself.

I'll be glad to amend that to "There are Linux viruses in the wild only for extremely contrived values of 'in the wild'." Your two examples of that genre (posted elsewhere in this thread) were enlightening, and so are useful in clearing up confusion on the subject. To review:

1. An ELF infector, plausibly claimable as existing "in the wild" solely because intruders who've rooted systems through other means entirely tend to set it loose (in conjunction with the Suckit rootkit) in order to maintain their backdoor access.

2. An automated worm attack against a particular configuration within Apache of a specific obsolete version of OpenSSL — that was fixed July 2, 2002, over two years ago and 2 1/2 months before the worm appeared.
So, lessons:

1. Keep your system up to date. That's what the updating tools are for. Among other things, that makes any malware you do stupidly execute less likely to be able to escalate privilege.

2. Don't run network daemons exposed to public networks, unless/until you're willing to be responsible for patching vulnerabilities as they are found, or shut them down instead.

3. If you've already suffered root compromise, after that has already happened, don't be surprised if there are ELF-infector viruses and much worse things. Read the friendly FAQ.

4. Take with a huge grain of salt people's claims about malware "in the wild", especially when the claimant cannot answer the obvious question, asked by 'utidjian' but never properly answered, about "how the virus gets on the system". (The reply to 'utidjian' by 'evgeny' was enlightening: "security holes". If you have unpatched, significant security holes, then you have much bigger problems than malware, don't you?)

5. Pay attention to your system's treatment of "active content" such as any form of document that has macro capability. Read your mailcap files, to see how attachments are treated. Take considerable comfort (in that area) from the fact that many others have already done so, which is why, e.g., calls to PostScript viewers use the "-safer" option to disable PS file access, and why PDF lacks those file functions entirely. (Had a sudden revelation that emacs or TeX viruses might be possible? Gosh, you're only about a decade or two behind the curve. Go ahead and write one — then find out how and why it's completely impractical to make your self-infected system spread it to elsewhere.)

6. Realise that dual-boot and similar (e.g., WINE) setups can be indirectly affected by non-Linux malware problems.

7. Understand that fast, widespread, automated leveraging of a surprise remote root exploit against your network stack(s), particular network daemons not previously known to be vulnerable, etc. could happen at any time. (Got backups? Got a rebuild plan?) Understand, that notwithstanding, that at least the record of giving people advance warning of these on Linux/BSD, even on bugware like wuftpd and Berkeley lpd/lprng, BIND8, and NFS/portmapper, has been so far excellent.

8. Having done all of that, feel comfortable in dismissing "Guys, wake up! Linux is in no way immune against viruses and time come when it's not just theory but hard fact of life" postings — that don't recognise those matters of context and perspective — as pretty much content-free humbuggery.

Rick Moen
rick@linuxmafia.com

Varying definition of virus, non-immunity.

Posted Jul 29, 2004 9:40 UTC (Thu) by evgeny (guest, #774)

Exploits are not viruses; but they allow viruses to bypass security barriers imposed by the OS.

Varying definition of virus, non-immunity.

Posted Jul 29, 2004 8:19 UTC (Thu) by khim (guest, #9252)

Perhaps your googling skillz need retraining. I've found a link where you can find a copy of this virus in less than 5 minutes. Here, for example.

If you wish you can play with it yourself (carefully!).

Varying definition of virus, non-immunity.

Posted Jul 28, 2004 20:40 UTC (Wed) by Ross (subscriber, #4065)

How on Earth did people manage to infect their systems? There's really no excuse for this type of problem: you have to work really hard to find an infected executable. I've been looking for years and have never found one. Were these people downloading binaries off of P2P networks or something?

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds