Fear of a Linux virus [LWN.net]

There can be no doubt that the folks at Kaspersky Lab are persistent. Back in 1999, Kaspersky released its anti-virus product for Linux; the company also claimed to be preparing "the world's first Linux-based rescue disk." In 2000, the company claimed that "new viruses for Linux appear every day," though it backed down when that claim was questioned. Now Kaspersky claims to have encountered a "cross-platform virus," which is capable of infecting both Linux and Windows systems. Time to be worried:

The virus doesn't have any practical application - it's classic Proof of Concept code, written to show that it is possible to create a cross platform virus. However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.

There is hope, however: worried system administrators need only purchase Kaspersky's anti-virus service, and they will be protected from the threat of this new cross-platform virus.

Strangely enough, Linux administrators have somehow managed to avoid going into a panic over this announcement. In fact, few Linux users feel any more threatened than they did before.

This new "virus" is a program which is able to inject its code into executable files found in the current working directory. It can't be the first code with this capability - that particular problem is not especially hard to solve. Given write access to an executable file, a program can write to that file. If it is coded to write something unpleasant, that is what will happen.

What this "virus" appears to lack is any sort of propagation mechanism. If somebody runs it, their executable files will be corrupted, but it has no way of traveling further. Any attempt to add propagation to this code will run into some well-known problems: (1) getting Linux users to run random malware is still challenging, and (2) most Linux users lack the access to modify most of the executables they run, most of the time. The normal protection mechanisms designed to keep users from accidentally (or maliciously) damaging their systems will also serve to impede any attempt to infect those systems.

One should not say that writing a rapidly-propagating, Linux-based virus or worm is not possible. Sooner or later, somebody will probably pull it off. But any such malware will have to exploit an open security vulnerability in the target systems, and any vulnerability which is exploited in this manner will be closed in a hurry. Commercial anti-virus products work by trying to keep threatening malware away from the system altogether. The Linux way of doing things, instead, is to make the system resistant to the attack vector used by the malware in the first place. Security updates may propagate a little more slowly than virus descriptions, but the end result will tend to be far longer-lasting.

So it is not clear that there will ever be a real market niche for anti-virus products on Linux systems. Linux administrators prefer to fix the root problem, and most distributors have well-tuned mechanisms in place for making those fixes quick and easy. Anti-virus products add complexity to a system, can create problems of their own, and may well not be any more effective against any sort of "zero-day" attack. If, in the future, we find ourselves truly needing anti-virus software, our development process will have failed badly. Chances are that we will not fail in that way, but the flow of scary press releases from anti-virus companies will certainly continue regardless.

to post comments

Fear of a Linux virus

Posted Apr 13, 2006 3:47 UTC (Thu) by jamesm (guest, #2273) [Link] (3 responses)

I'm not an expert in this area, but I suspect there's potential for malware to infect Linux via MS-workalike spreadsheet macros and similar types of high level code distributed by users. Linux is definitely not immune, and people should never become complacent.

Fear of a desktop virus?

Posted Apr 13, 2006 5:04 UTC (Thu) by eru (subscriber, #2753) [Link]

Indeed. I recall reading recently somewhere that most of Windows malware these days propagates by "social engineering" tricks, not any more by operating system or application holes. The user is tricked into executing code from an email or web page, which then can do whatever the user has authority to do, which usually includes sending more copies of the email. The more Linux desktops get "Windows-like" automation features (and both Gnome and KDE keep trying to add them), the more susceptible Linux becomes to this kind of malware. Technically the OS does not get infected (kernel, /bin, etc are safe), but the user's desktop environment could be, meaning whatever he does within it may be compromized. See the recent LWN discussion here (".desktop files and security")

Fear of a Linux virus

Posted Apr 13, 2006 5:05 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

Of course. But the virus companies offer a "round up the usual suspects" approach. Instead of closing security holes, they want to detect the specific programs that attack the holes. As soon as someone makes a new one, everyone is vulnerable until the virus companies upgrade their patterns, and this forces all the users of the anti-virus software to keep buying the service, so they get the upgrades. It is the wrong way to secure systems.

The right way, when a vulnerability is found, is to patch the vulnerability, so that no possible malware can exploit it. If this isn't possible right away, it is sometimes possible to offer other defenses. But trying to recognize malware is not the right approach.

Fear of a Linux virus

Posted Apr 20, 2006 9:01 UTC (Thu) by Wol (subscriber, #4433) [Link]

WordPerfect has macro capability. PerfectScript is considered more powerful than VBA.

And yet, WordPerfect is only vulnerable to viruses through its VBA add-in (which I never install :-)

Hopefully, the OOo and any other office-type authors on linux have gone down the "emulate WordPerfect" route, not the "emulate MS" one when adding scripting to their apps.

So no. There's no reason why linux should be vulnerable to macro viruses, other than thanks to stupid developers and idiot PHBs.

Cheers,
Wol

Fear of a Linux virus

Posted Apr 13, 2006 5:14 UTC (Thu) by nlucas (subscriber, #33793) [Link] (4 responses)

People sometimes forget that one doesn't need to compromise a system (meaning, becoming root) to make enough damage.

A simple user-mode trojan can (as long as someone decides to run it) setup a keylogger, have a IRC bot running in the background, send spam (even if not using Outlook contact list, they can get the contacts from a webpage, or even google), etc.

In my opinion, the only reason there are not much treats in the *nix world is just because there are easier platforms to exploit (and, luck for the hackers/script kiddies, they are the majority).

Off course, the fact Joe "HaveNoIdeaOfComputers" Smith is mostly using that other platforms has a big role on this.

Fear of a Linux virus

Posted Apr 13, 2006 6:34 UTC (Thu) by tzafrir (subscriber, #11501) [Link] (3 responses)

If you managed to get your code executed on a remote system, you've already compromised it.

UNIX/Linux desktops were designed with that in mind.

Fear of a Linux virus

Posted Apr 13, 2006 7:41 UTC (Thu) by nlucas (subscriber, #33793) [Link] (2 responses)

Yes, but that is not the point (Microsoft also said the same thing at start, as it's defense about the majority of the security problems).

The point is that the fact users don't run with administrator rights doesn't make them free from having malware running, as malware doesn't need to run as root to do damage to the user data (even if the OS is protected from being infected).

It just get's easier to remove the malware, nothing more.

Fear of a Linux virus

Posted Apr 13, 2006 15:32 UTC (Thu) by martinfick (subscriber, #4455) [Link] (1 responses)

Why is it so common for 'security naysayers' to assume that people running linux have the same myopic habits as people in the single workstation / single user world of windows? Most linux users understand the idea of trying to protect their data against compromises and just plain user error. They typically do not inherently trust just storing their valuable data only in their home directories.

I try to (and I suspect others will more and more) keep my data in a repository. Without root, you really would have a hard time destroying my data. I am sure that plenty of people have scripts and what not that run as root to back up user data with the idea that if the user account is compromised, at least an admin can restore most user data.

Fear of a Linux virus

Posted Apr 13, 2006 19:31 UTC (Thu) by nlucas (subscriber, #33793) [Link]

Why is it so hard for people to learn security by user education only works _AFTER_ the fact?
Just go to a linux noobs IRC channel and look how people swap scripts and run them without any care.
Mostly they are using their own PCs, so no chance of having an admin to correct their's mistakes.
If they get rooted, as with any window machine in a botnet, they will do as much damage to all of us as any other in the botnet.

Fear of a Linux virus

Posted Apr 13, 2006 11:23 UTC (Thu) by wouter (guest, #10160) [Link] (1 responses)

An often overlooked factor is the propagation factor. In order for a virus to spread widely, it needs to infect more than one other host during its lifetime. Otherwise, it will die out. That's why viruses are helped a lot by monocultures.

On a world-wide scale, the largest monoculture is the most viable for viruses. Even between Linux desktops there is, I think, a much larger variation in software, which makes it very hard to create a virus that will not just run, but also spread.

Fear of a Linux virus

Posted Apr 14, 2006 4:04 UTC (Fri) by pm101 (guest, #3011) [Link]

Depends on the type of spread. Problem with GNU/Linux, and Unix in general, is that users tend to be able to log in remotely and be multiuser. If someone compromises my laptop, they can trivially compromise all the machines I ssh to from my laptop as well. If I su to root (instead of logging out in some hard way, and logging in as root a new) they can gain root access too. If someone ssh's from my account, they've got their accounts too. It's only a matter of time before someone writes a virus/worm with sophisticated takeovers via commendeering ssh, su, as well as capturing random passwords through key capture. An ssh virus/worm, if somehow undetected, could probably spread like wildfire, just by virtue of the way Unix is used on university networks.

No explicit security holes required.

Forget viruses.. think malware.

Posted Apr 13, 2006 19:15 UTC (Thu) by smoogen (subscriber, #97) [Link] (1 responses)

Ok everytime that this brought up there is a lot of people saying it wont happen, wont be a problem, etc. The major thing that virus software stops these days is malware packages (worms, spyware, keystroke loggers etc). Mass viruses are not the major vector these days.. targeted malware is what we see coming it in.. it comes in for linux, windows, macosx and god knows what else.

The largest groups that I find affected by this are Linux and MacosX people who some-how seem to have bought the "we are immune to viruses". Sure you didnt get a virus that was trying to send out 2 billion versions of yourself. But you did end up with a nice keystroke logger, a spam relay, and a P2P child porn relay.

Linux users do not have magical powers against social engineering. On some internal auditing.. we found that the Linux people were as likely to follow the nude AnnaK emails as the Windows people (even the Unix admins who had been doing this for 20+ years). We found more Linux desktops with broken versions of Firefox than we did Windows because admins thought they were immune to anything..

Forget viruses.. think malware.

Posted Apr 14, 2006 15:50 UTC (Fri) by giraffedata (guest, #1954) [Link]

Mass viruses are not the major vector these days.. targeted malware is what we see coming it in..

Targetted how? I assume targetted means the sender chooses the recipient intelligently, whereas mass virus means the sender chooses the recipient indiscriminately.

Fear of a Linux virus

Posted Apr 15, 2006 19:19 UTC (Sat) by stock (guest, #5849) [Link]

If people, who can create a solid linux distro, get fired, like happened
to the founder of Mandrake/Mandriva, and their replacements have less
capabilities, of course then in the end all software gets torn down in
Quality.

Now who would like to see the quality of a Linux distro go down the
tubes?

Enough said. So Ladies and Gentlemen, know what you have running today,
and guard its source code with yar life!

Robert M. Stockmann