Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Bug

Garfinkel Warns Of Linux Virus "Epidemic" 432

An anonymous coward says: "Simson Garfinkel has an opinion piece at SecurityFocus called " The Coming Linux Plague." He argues that Linux is no less susceptible to viruses than Windows, and that an epidemic is inevitable. " I'm sure most of us have read his books. What do you think of this commentary?
This discussion has been archived. No new comments can be posted.

Garfinkel Warns Of Linux Virus "Epidemic"

Comments Filter:
  • I've been tinkering with computers for 16-17 years. When I got started, you couldn't go out and *buy* a virus for any personal computer if you wanted one. A few years after I got my start, Compute! magazine (I mourn the days of type-in listings for my Atari) published an article on the SCA virus for the Amiga. I can't speak for anyone else, but I thought it was a joke at first.

    Naturally, people copied its techniques (it was a boot-sector infector, as I recall) and then began adding new attacks. Viruses began appearing on all the major 68k-based systems and the PC. The 8-bit computers largely avoided this. Companies began popping up to sell virus protection, and made good money at it.

    Further down the road, I went through my 31337 H/P stage and had lots of dealings with virus writers.

    Through all of this, despite all the BS of the virus authors and hype from antivirus companies, the only virus infections I ever got were from two commercial disks bound inside books (one was "The Black Art of 3D Game Programming").

    The moral of the story is that we can expect someone to release one successful virus for Linux sooner or later, tons of people will imitate him, and it will also be more smoke than fire.
  • by Anonymous Coward
    You are correct sir!
    There is very little chance of getting a virus is you are actually careful about what you do. However, you are an exception.
    My experience has shown that someone who I would call a Typical user has absolutely no clue what a virus is, download anything from anywhere, and then ignores any messages that they receive on their computer about virii or macro virii (especially on MS Office products. Maybe I deal with a really clueless groups of Typical users..
    I think it comes down to this. What you know about a computer and security improves your chances - if you have no knowledge, you have no protection. Probably about the same as unprotected sex - what you don't know, can hurt you.
  • by Anonymous Coward
    I guess this means that MS is going to port Office to Linux after all. I thought it was just going to be MS Vaporware (TM).
  • by Anonymous Coward
    Have a look at what Ken Thompson himself said about this a few years ago: http://x31.deja.com/getdoc.xp?AN=200800703
  • More widespread use of digitally signing binary or source packages (via PGP, X.509, whatever), that would be automatically verified by rpm, apt, or some standalone tool (for you .tar.gz folks out there) would help out quite a bit, as you would be able to verify the source of the packaging. Of course, you would have to trust the folks you are downloading from. This technique would work well for protecting against rogue kernel patches and the like, if you trust Linus' or Alan's signatures.

    This does not, however, protect against signed code that can be compromised. Obviously, if you compromise anything running as root, you own the system. The problem with Linux (and probably most *nix) is that security is based solely on ?uid, and not a more rich security model, such as determining which resources are granted to which process based on uid, some external certificate, etc...

  • Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.

    Haven't we already seen things like this? Remember the DDOS attacks on yahoo and friends? Those were mostly automated attacks, scanning for multiple vunlerabilities and attaching payloads.

    They aren't quite as automated because it's hard to write a fully self-distributing worm, compared to a simple boot sector virus. But with buffer overflows in almost everything shipped on linux these days (Have you upgraded your FTPD lately? Did your distribution turn on IMAPd again?) it's real easy to hit machines remotely and pop in an egg of almost arbitrary size. And if you're smart, you can use them for anything from pingflooding yahoo to voting for your entry in a $500 price from x10.

    Of course, you could run audited code [openbsd.org]...

  • Those are POSIX 'capabilities' which are not the same thing as 'capabilities' as in EROS et al.

    As reiterated by capability proponents, they are not the same thing

    And in case you were wondering, the name clash was POSIX' fault. --- the idea of capabilities as in EROS/KEYKOS/SPEEDOS/etc. predates POSIX (I think), let alone POSIX 'capabilities'


    John
  • >While were talking about current developments:
    >Trojans have recently been found in things like wuarchive ftp.

    Recently? The article is dated April 6, 1994....
  • >Sounds like everyone has to big of an ego to admit that Linux is
    >actually vulnerable. Harsh!

    Not really. It's that people and companies peddling anti-virus software is viewed with a great deal of suspicion.
  • >So if his arguments were said by someone outside the security field
    >you'd take them?
    >You cannot discount his arguments just on the basis that he is a
    >security consultant. You can examine what he says in greater detail to
    >make sure it makes sense, but outright saying "He is a security
    >consultant therefore his arguments are invalid" is invalid in itself.

    No it's not. If you know someone's in a position to line his pockets from what he's trying to sell you, you'ld had better question the motives of said person. When a security consultant starts promoting "THE VIRUS THREAT TO LINUX" in the fashion Garfinkel did, warning bells concering what he's saying should be going off...
  • >Well... who said that using a computer requires no skills? When you
    >want to drive a car, you need a license too.
    >I remember when I got my Amiga, two weeks later, the machine started
    >to behave really weird. The computer would suddenly freeze with a
    >black screen and I had no clue what was wrong. I phoned up some
    >friends and asked them, what this could be since it only happened when
    >I booted the Workbench. One mentioned a virus called "Byte Bandit" and
    >told me, how to remove it.

    Who are you trying to bullshit here? You got "Byte Bandit" from your friend. Byte Bandit is/was a boot sector virus that mostly got spread around on Amiga floppy disks by the Amiga Warez Crowd.
  • Jeez this is dense. What the author is taking about is running a program that does bad things, a trojan not a virus. If he had thought for a moment he would have taken his head out of his ass before writting this drivel.
    Window's problem has always been that all users are basically root. All program that ran could overwrite any other file on hte system. NT's problem was the macro languages built into apps were also allowed to do whatever the hell they wanted.
    THe real question is, if i'm root and I open a "infected file" in vi, is vi now infected? That would be virus behavior. If I put a floppy in the drive and read my data, will any viruses on the disk execute? Personally I don't think so, but if we're going to talk about virii let's split the matter from trojan which are COMPLETELY different.
  • As to the use of the word "virus", I believe that Mr. Garfinkle was using the Windows world definitionm which from what I can tell is "any malicious piece of code that you accidently get on your computer somehow." Not a correct definition technically, but when writing it is a heck of a lot easier to refer to genreal "viruses" than to have to type out "viruses, trojans, worms, and other malicious code" everytime you want to make a general statement.

    This is a pretty grave mistake (or omission) to make for a security consultant.

    In regards to the virus idea in general, though... in windows, how many people will send you an attachment of a C file? Very few. They send binaries. It's almost the exact opposite in linux. Very few will send strictly binaries, because a very large portion of the linux community will not accept them, and many run different operating systems or architectures (which the same C program may compile and run on without a hitch). It seems actually _less_ likely for people to send each other binaries in linux than in, say, solaris or irix (due to closed source patches and licensing terms, along with the lack of a _good_ default-installed C compiler).

    Unix (linux inclusive) software developers would not likely get away with installing macros into their word processors which can write to disk. The linux community would reject the program if it was commercial, and "correct" it if it was open source.

    As for using the system as root... how many sun administrators do this? I've received countless e-mails from admins using dtmail as root. I'm almost tempted to insert a lecture about it into my signature. Linux is not alone in the user-stupidity area.

    Many linux users will be susceptible to viruses, and many will not... but i think the reasons and the realities behind the situation need clarifying.

    As a side note... how many experienced administrators will trust an anti-virus program to scan and clean files on their unix-based system?
  • Bzzt. Sorry.

    calvin:~$ ./pointlessgadget

    Okay. This can set several things. But there are lots of things it can't do:

    1. Change env vars in the current running shell
    2. Change the binary of your shell, unless you own it.
    3. Change the memory of your shell process (or any running process). That's what virtual memory spaces are for.

    I guess it could do something like spawn a new shell. That might be trickier to notice.

    'Course, if you ask me, it's your own damn fault for running games as root. :-)

  • are the ones who rarely get hit by viruses. The saying, "Prevention is worth a pound of cure" has never been more true.

    If you are a Windows user, having Anti-Virus Scanners and Shields are a must. As is, utilizing safe practices like not running any code that is attached to mail or other documents without being real sure of it's being safe. Running cute little programs distributed by email is a good way to be infected with viruses!

    Many of the same common sense ideas about viruses in Windows also holds true for any system including Linux. If you get code or programs from untrusted sources, you run the risk of getting hacked. With Linux, though, the source is open and under the scrutiny of many eyes - this tends to eliminate such vulnerabilities.

    Bottom line: Safe practices will prevent the lion's share of problems.
  • What you are describing is a capability system.

    Take a look at EROS [eros-os.org] for a GPL'd example of this.

    In particular, note the principal of least privaledge -- just because a program needs one small aspect of root's privaledges, doesn't mean it necessarily needs to be given all of them -- in practice, this gets rid of the root account per se., which is never bad where security is concerned.


    John
  • >patches. This is not Windows world, where you get the programs from
    >your friends or some obscure web pages: usually, programs are
    >distributed much more professionaly than in the case of Windows
    >programs.

    Exactly. Most people don't get software for linux from the Shareware-type sites that cater to the Windows crowd. We tend to get it from the author's homepage or a mirror site of Redhat,SuSE,Slackware ect. The Linux/Unix software distrubtion model is diffrent from that of Windows, which is something else the idoits who keep writing these ads,err "articles" for the Anti-virus software companies don't understand and tend to overlook.
  • Let's say that 10% of all installations out there are Slackware.

    Let's assume that another 10% of all installations are Corel Linux.

    Let's assume that a further 30% of all installations are Red Hat, with 75% of these being recent versions of Red Hat.

    Then, let's assume that an additional 20% of all installations are Debian.

    Now, let's assume that 20% of all installations are Mandrake.

    To finish things off, let's say that 5% of all Linux installations use any other Linux distribution, and that 5% use =ANY= legacy Linux distribution.

    To complicate matters, let's assume that 25% of all distributions are modified significantly from their original form. (eg: Upgrading the kernel, upgrading key libraries, replacing or upgrading key packages, installing software that affects the system operation)

    Now, let's assume a virus is built to run under an original Red Hat 6.1. Then, you've 75% of 75% of 30% of the distributions, or just under 17% of what's out there.

    A virus that will only infect 17% of its target audience isn't much of a threat to anyone. It'll die out from a lack of computers to infect. And that's from targetting the most common distribution out there.

    The filing systems are important if you're going to write something more sophisticated, such as a virus that hides itself by marking some of itself as bad blocks. (The virus merely has to ignore the bad block markers to load itself in.)

    However, SuSE is going to use ReiserFS by default and other distributions may follow suit. With no means of telling what the underlying FS is, in advance, the virus would need to be coded for them all. Otherwise, you lose out on the distributions.

    Let's say you wrote a virus targetted at ext2fs systems with Glibc. Now, many distributions use that. Let's give it a generous 90%. But Slackware only recently moved over to Glibc, so that goes down to 70%.

    Any person can switch over to ReiserFS, or some other non-ext2 system. Let's say that of the 25% of people who have significantly altered their system, 15% have migrated to another filing system. You're down to 55%. Let's make things easy and say that 5% use UMSDOS. Now down to 50%.

    We're dealing with low-level operations, so RAID is going to seriously screw things up. Because Linux =is= used more for servers than the desktop, it's not unreasonable to put this at another 10%, bringing the total to 40%. Because something this low-level would require root privs, you're talking about a user who admins regularly with root privs. More than half of all sys admins know better, so we're talking a very optimistic 50% of users would be open to this. The total is now 20%.

    Now, 20% is not much better, but it =is= an improvement. It means that 1 in every 5 computers targetted will be capable of running the virus, AND where the computer is regularly exposed enough for the virus to be able to infect it.

    On every machine it cannot run on, it can't propogate. Thus, if there are entire regions in which NO machine can run the virus, NO copies of the virus can be spread by them.

    This will =HEAVILY= retard the spread of any ext2 virus, to the point that you'll be up to antidote version 7.5.5 =LONG= before the virus has reached anyone you know.

  • When was the last time you saw anyone in the Linux community copy binaries by disk from one machine to another? If they have binaries, the chances are they either d/led them or they have the (usually free) CD. Either way, copying by floppy is DEAD.

    (Well, almost. I admit I've been known to cart 100+ 3.5" floppies around, when there's no CD burner handy.)

    Nor do any of the three viruses on that page obviate a single point. They're not going to work on different C libraries, and the distributions are (gratifyingly!) ultra-diverse there. Nor are any of these guaranteed to be kernel-independent.

    The second one explodes, if you use "strip" on it, which makes it somewhat less than fearsome, and all three will set off Tripwire. They won't do terribly well agianst any restrictions on the number of threads allowed, either.

    The "Linux Virus Plague" is more myth than reality, and more hype (to sell books & software) than substance. All the viruses documented have common, widely-available tools for detection and elimination, as well as being ultra-specific to a very narrow range of computers.

    Now, if you want to claim that a virus threat exists, within that subset of Linux boxes that are identical to the virus writer's machine and have no Intruder Detection software, no binary verification, no restrictions on use, no ACL software, where the user always logs in as root, where a group of such people are geographically close and where only one person out of that group has a fast Internet connection, I'd have to agree.

    On the other hand, I don't really think there are terribly many such groups, do you?

    P.S. If you think a.out is dead, re-read the docs for the 2.3 kernel, specifically the /proc stuff.

  • Since VAX is the hardware and not the OS, "VAX box" is redundant. "VMS box" would be the natural equivalent of Unix box. I tend to (incorrectly) call all VMS boxen "VAXen" although these days they are mostly Alphas.
    --
  • Only /sbin in the root path? Nothing else
    should be run by root? That's crazy. You
    mention that if you run other stuff as root,
    you're going to rm something important at some
    point. Really? Well, I guess your solution of
    having root never even run rm *EVER* is certainly
    a way around hat... Come on. While you don't want
    '.' in your root path, at least the following
    should be in there:
    /bin /sbin /usr/bin /usr/sbin
    and possibly /usr/local/bin and /usr/local/sbin
  • Hi,
    I agree that Linux needs stronger security (how about a free Tripwire + active systems security agent?) but a few things first:

    o when enough people in the Linux community need more security, it'll happen.
    o if you can't wait that long, look into openbsd.
    o encrypt your personal data files and anything that you don't want the world to know about.
    o run tripwire or a free variant.
    o whatever the solution, keep it opensource, and GPL if possible. Don't buy into a proprietary product that could possibly be doing naughty things in the background.

    CHeers,
    Your Working Boy,
  • The author of the article was clearly writing outside of his field of expertise. Linux is not as vulnerable to virii because it actually has a security model. For a virus to infect a Linux machine, it would have to compromise the security model. For a virus to infect a Windows machine, it merely has to make a few function calls to start copying itself around.



    Actually, I'm so irritated at this kind of irresponsible fear-mongering nonsense, I'm not going to comment further, because there's not a single nice thing I can think of to say about the guy at the moment, aside from possibly he might one day stop a bullet from killing someone with a clue.

  • Yes, it's possible to write viruses for Linux. folks. The first viruses period were for Unix and VMS boxen (back when the entire concept of viruses was still "proof of concept") though for the most part they never spread widely...

    Right now, about five or so viruses exist for Linux, all of which are for the most part "proof of concept" viruses. They've not spread widely, in part (methinks) because nobody yet wants to spoil a Good Thing...there eventually do come Bad Folks who do want to break things just out of meanness, though (look at the history of Usenet going into the shitter for a class example), so we can't rely on the good graces of most Linux users for long.

    That said...I can state that writing viruses for Linux would be considerably harder. Basically, the virus would have to propogate as root to spread much of anywhere; the fact that most Linux programs are still distributed as source code also helps much in preventing infections. (This is not to say it's impossible, just much harder.)

    About the easiest ways I could actually see viruses spreading under Linux the way they do under certain Microsoft OS's That Shall Not Be Mentioned are under the following conditions:

    Binaries which must be installed from RPMs and as root become a lot more common. (As others have noted, there are early signs of this occuring, and to be honest I'm as nervous of this as other folks. All the more reason for teaching folks to "Use the Source, Luke" ;)

    If a virus comes out that can also take advantage of system insecurity to get root. (If memory serves, at least one of the "proof of concept" viruses for Linux already does this. This is not impossible.)

    If (Cthulhu forbid) a virus were to come out that specifically targeted GCC and/or other compilers. (Again, "proof of concept" exists in a roundabout way for this--specifically, the infamous "backdoor" in early versions of GCC...an original copy was made with backdoor code, and whenever it sensed it was compiling code for the login portion of the OS it inserted the code for the backdoor even if it did not exist beforehand. Even worse, if it sensed it was compiling another copy of itself, it inserted the backdoor code even if it did not exist in the source...a very nasty and clever hack, and one which could cause viruses under Linux to spread like wildfire were it to be repeated to spread viral code (say, as an RPM of GCC binaries--frighteningly enough, these actually exist in most flavours of Linux that install from packages of any sort) and it would be almost next to impossible to avoid (you'd have to recompile from a known, clean version)...)

    If (Cthulhu forbid!) Microsoft Word or some similar word-processing program that has macro languages that commit Serious Misbehaviour were to become widely used. (Don't laugh this one off, either, folks. Word macro viruses are the SINGLE worst virus problem nowadays--more Word macro viruses exist than binary viruses, and more than one Word macro virus has been found with "droppers" for binary viruses or trojans...even worse, Word macro viruses with droppers for Mac andWin32 viruses are known. If Microsoft gets split up and Linux becomes much more popular, it is conceivably possible Office might get ported to Linux...even if it doesn't, it's also possible someone will write an office suite with hooks into the OS (which is the source of most probs with Word macro viruses--Office's macro languages have hooks into Visual Basic, and VB has a crapload of hooks into Win32 itself to the point some folks actually write entire Win32 applications in VB) which would cause similar misbehaviour, because a lot of folks from the Windoze world REALLY like their damned macros...which, incidentially, is why offices seem to get continually infected with Word macro viruses if they don't take "precautions".)

    IMHO, all except the last two are fairly unlikely (and the second to last is unlikely unless you were to get a rogue person in place at one of the distro sites)...the things Linux has to worry about more (in fact, the things that are becoming an increasing worry even in the Windoze world) are trojans and worms.

    Worms, after nearly having died off a few years back, are now back with a vengeance. First it was mIRC macro-worms (mIRC, a common IRC client in the Windoze world, has a rather powerful scripting language that can unfortunately be abused to create worms that propogate largely through DCC chat requests), now the big problem seems to be both trojans (like PrettyPark.exe) and an increasing number of Word macro worms which propogate through taking advantage of security holes in almost every program that exists for Internet apps in Windows (Agent, Eudora, Outlook Express are just a short list of programs in which worms have propogated in).

    Trojans and worms have existed before with *nixes (Washington University FTP has frequently been trojaned with backdoor code, among others; I think we all know about the infamous Morris Worm). If we let security practices get lax in writing Linux apps (especially the "user-friendly" sort of apps) and especially if we do Bad Security Practices with stuff like scripting languages, etc. for apps, we could probably end up in the same boat as far as worms and trojans go. Hell, as someone noted, DDoS apps like Trin00 have been found on Linux boxen that have been compromised; I'd be really shocked if someone doesn't figure out some way to distribute a DDoS client as a worm...

    So, no, we can't be lax. But part of the battle is knowing what exactly to worry about. Win32 in general, and especially Win9X, has a lot of basic security flaws that enable stuff like viruses and worms and trojans to propogate. Linux has a more secure setup if used properly--we don't want to turn it into a Windoze clone (lest we end up with the same problems) but in making Linux easier to use we want to learn from the mistakes made by a certain company in Redmond (and also by a company started by the Brothers Steve, for that matter) so that we don't repeat those mistakes. :)

  • Mashiara dun said:

    *Bzzzt!* Wrong,(solely) pattern based virus detection became obsolete with the first polymorphic viruses and this was in the late 80s.

    Well, yes, at least for binary viruses (the largest problem nowadays is actually Word macro viruses, and new binary viruses are fairly rare (with the exception of CIH and the occasional Word macro virus that has a dropper)...)

    Then again, it's far more safe not to look for patterns so much as to look by heuristics for programs that can potentially do Very Bad Things. (This pretty much Works on binaries except for a very few programs that rely heavily on system hooks or do "naughty" behaviour legitimately (like disassemblers), and pretty much Works 100% on macro viruses which are the major problem nowadays.)

    All modern scanning systems have multiple scan modes with different types of execution emulation along with pattern based detection system and on top of that a more or less sophisticated heuristic scanner that can detect previoysly unknown viruses by searching for virus like behaviour (often only simple ones, excemptions to this rule are coming up like F-Secure Orion that detects all known 32bit windows viruses purely on heuristics).

    Well put.

    As it is...yes, Linux viruses are a worry, but not a MAJOR worry. I've posted a more complete post here [slashdot.org] on what I think we do need to worry about (namely, not repeating the same basic design mistakes in Windoze that allow viruses to propogate like crazy on those boxes, and increasing security in general to eliminate ways to let viruses in period).

  • But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out?

    I'm a bit skeptical about this backdoor possibility in official versions of the kernel (or gcc or some other important piece of free s/w). People have been suggesting it for years, but it's never actually happened.

    How hard would it be to do this without any of the other developers noticing, and (important for virus authors) remaining anonymous? Too hard, I guess.

    I think that backdoors in proprietary software are a much bigger danger. It's much harder to tell whether there is one, and if so, where it comes from.

  • The argument that potential virus writers are holding back because they're too busy making money off the web is just silly. It's a very superficial level of analysis. What's more, it's based on ignorance.

    After all, if every potential Linux virus writer were only holding back because they're too busy making money off the web, wouldn't the same be true of Windows virus writers? So we'd expect a tailing off in the number of new viruses? In fact, there are more new viruses around now than there have ever been.

    Furthermore, historically the worst (greatest?) virus writers have been from the deprived, poverty-stricken communist states of Eastern Europe. That was back in the bad old days of course - things have changed. Now, they're deprived, poverty-stricken capitalist states. But they still write really clever viruses. And Linux is incredibly popular there.

    One notable thing about a 15-year-old computer geek from Romania with an inclination towards malicious coding; his opportunity to get rich from a .com IPO is very slim indeed.

    So the talent is there; the circumstances are there; but the viruses are strangely absent. Why? Two reasons, I think:

    • Virus writers don't hate Linux they way many of them hate Windows. Maybe that will change, but I don't think it will.
    • Linux is more secure than Windows (certainly in its 9X incarnations). It *is* a challenge to get malicious code run as root - if only through age-old security practices such as not having the current directory in root's path, which every Linux distribution enforces as default. A lot of code *is* compiled from source on the box it is run from. We by and large *don't* share fourth- and fith-generation copies of pirated games (complete with "extra functionaity" picket up at some stage) on Linux.

    As if the "web commerce" theory wasn't silly enough, Garfinkel then suggests Linux needs anti-virus software before it can be taken seriously by business.

    Excuse me?

    Even although there are no Linux viruses, he thinks there is a business need for software to remove them?

    How can it possibly be better to have viruses and anti virus software than to have no viruses in the first place? Which makes better business sense?

    It's a symptom of the Microsoft-inspired brain softening that so many journalists seem to suffer from. Anti-virus software is not a good thing for an environment to need. Not needing it, and therefore not having it, is a good thing.

    The poor design of certain Microsoft products allows malicious code to spread easily. That's a fault. Software exists which, at great expense, time and effort can keep your systems pretty much free of it. That's a kludge, albeit a necessary one. This is not a model we in the Linux community should seek to emulate!

    So will there never be a real Linux virus? Well, I think there probably will be. Probably a good few. But will be as dangerous as windows ones? I don't think so. Will they spread as easily? Certainly not. Simply employing good security practice on your Linux box should be enough to keep it clean forever.

  • Add "binary" to the first "virii" in the last paragraph.
  • by BJH ( 11355 )

    A couple of points (I'm paraphrasing here):

    o "There will be a flood of Linux viruses after the economy goes south": Why? Because all those programmers who would otherwise have been able to make millions via IPOs will to turn to virus writing instead? What kind of argument is that? Most virus writers don't have the business acumen or social skills of a dung beetle.

    o "We need programs that will prevent viruses from mdifying the kernel": And how, exactly, are they supposed to do that? The most common way of cracking a system through kernel changes is use of modules. How is this hypothetical virus detection program supposed to distinguish between genuine modules and viral modules? You'd have to have a list of approved modules with MD5 checksums for each of them, and that'd still leave you open to subversion of either the applicable areas of the kernel or the virus detection program itself.

  • There is some Linux antivirus software outthere. They don't do anything useful sence theres no viruses to stop. But some hobbyists are sereous tweeks.
    That's not true. We happen to run linux antivirus software at the elementary school where I work. Why do we do it? Because we user linux for our mail/web server, and it's pretty damn convenient to have your mail server check incoming mail for macro and other viruses, instead of just relying on the individual machine's protection.

    If we used a linux box running samba as our main file server, I imagine such software would also be helpful.

    Besides, it's easier to update an individual system on a regular basis than to have rely on the assumption that the automatic software worked on each and every machine on the network.

    --Cycon

  • The boxen thing is actually not typically someone trying to sounds really important or complex. In my experience, most people use boxen exclusivly to refer to computer boxes. Never as boxen of doughnuts or similar. The reason seems to be that a computer box is an animal. And the plural of box (as an animal) is boxen, in order to denote some difference from boxes (non animal/computer).

    Get yourself in a room with 10 Sun Enterprise 250's and 10 Sun Enterprise 250's shipping boxes and tell someone to throw the sun boxen out. See which `asset' you lose first. ;)


    Bad Mojo
  • Well true, I'm not forgetting that by any means. I regard a "real" threat though, as being something more than just the ability to erase a few files on a few isolated individuals. For me, to be a "real" threat, it must be sufficiently viable to travel across the country for a couple generations, and must have the ability to set back a great number of users who employ reasonable generic countermeasures. For your information, I don't regard Norton antivirus, or what have you, as being particularly "reasonable" because it requires an extensive database and direct knowledge of each paticular virus.

    If your primary concern is the destruction of documents, it would be a trivial matter to make a "secure backup" by simpling crontabbing a cp to copy all the users critical files to inaccessible parts of the file system (without any additional hardware. In fact, it might be kind of intriguing to create a "delta" filesystem, where the user can recover/mirror any changes made to defined parts of his filesystem (maybe virtual fs) in, say, 10 minute intervals. So if I were to erase or corrupt all documents, i could just step back 10 minutes or up to, say, 20 days, and recover trivially...maybe my next project). Additionally, most of these dos viruses even don't go straight for the documents, they go after crucial system binaries, the MBR, you name it...which have the same effect, with only a few lines of code. Furthermore, in order for the virus hurt Joe Schmoe Linux user with any real likelyhood, it needs the ability to propogate itself; the file system and the general design of Unix makes this task require something more than just basic skills with ASM, VBA, or what have you. In other words, unlike windows systems, the hax0r needs to be somewhat innovative (assuming the vendors/distros start paying real attention to security issues) at the very least to create a viable virus, and particularly to sustain that threat.

  • Well any sensible user is apt to have the applications installed (owned by) as root, or some other user. Thus, since you can't modify the application binaries (baring some kind of exploit), you couldn't have the application corrupt or encrypt the documents. The hax0r could, of course, write a program that just goes straight for the documents (though that would likely be quite ugly and detectable).

    While I guess it is possible encrypt the documents, it doesn't make a great deal of advantages over erasing. I, a half intelligent user, could write a trivial crontab script (or for that matter just about any other backup scheme) that just backs up /home/fall/documents/ to /backup/documents/$date/ (root owned of course). In other words, whether the files are erased, corrupted, or encrypted is essentially irrelevant.

    In regards to my "delta" backup scheme (though most likely overkill), it is essentially foolproof within the confines of its design (e.g., unless root is attained and the HD itself is accessed). My initial mention, simply takes snap shots of all files in the defined filesystem (or rather virtual filesystem, as opposed to having to check part of an ext2 partition every other minute) on a given interval (though I could do it continously (e.g., on every write and erase)), and, with the intent to conserve space, only the DIFFERENCE [hence the word 'delta'] between the previous snapshot and the current snapshot would be physically saved. Most users' documents in a given year(or code, or what have you) are typically relatively small, and, I believe, that with my delta scheme even all the changes to the files over the course of, say, 90 days could be stored without a great deal more physical storage required. Thus, no matter what happens at the user level, the user always has the options of returning to the state of his filesystem up to 90 days before. In other words, if I have preexisting 'snapshots' of unmolested files, and the user (virus) encrypted/corrupted his files, the only thing that would happen is that he'd waste that many bytes of physical data...

    It might have other uses as well. Though for people who're heavily into graphics/multimedia or what have you, the space requirements might make it infeasible for such applications.

  • I've written an article on this topic:

    UNIX (and Linux especially) viruses - the real story [securityportal.com]

  • You're equating virus writers to Linux users? Real intelligent Jethro.
  • Virii need not be the all powerful super destructo weapons that bring systems to their knees. They can just be annoyances that don't actually do "damage". Here's an example of one I've seen. Someone writes a little ditty and names it ls, they upload it (you figure out a way to do it and it'll get done). Then when someone lists the files in the directory it runs instead and does something cute like change the user's password. The user logs in the next day only to find he/she cannot log into their account so they have to email the admin to get their password changfed back. It doesn't really harm anything except a user's productivity. This is where Unix finds itself susceptible to unauthorized programs. Linux isn't anymore invincible to virii attacks than Windows is, it merely makes the attackers me a little more clever. Users who aren't familiar with proper security run as root a good deal of the time, they also like to download little goodies since they are free afterall. Joe Newbie downloads what is supposed to be a desktop toy for KDE and it turns out to nuke his home directory or change his password or some such thing. It's no different than getting a malicious Windows virus.
  • So why did this, the first posting with ANYTHING substantive to say on the issue, get moderated as "redundant"?

    C'mon, fess up, who did it?

    --------
  • Yes indeed, the author, Simson Garfinkel, who co-wrote Practical Unix & Internet Security and Web Security and Commerce with Gene Spafford for O'Reilly is not qualified to talk about this issue. Yes indeed.

    OK, now let's talk about "Devoid of Clues,' shall we.

    -------
  • Wow, another substantial comment. When you grow up, Kamel, and stop flinging the insults of a 10-year-old at things you have no knowledge of, perhaps you will have something of interest to say.

    -------
  • Never mind. I saw this before seeing all the others.

    The referenced papers are mildly interesting, but whether the approach is a potent line of attack is conjectural at this point.

    -------
  • This is one of the most disappointing story blocks I've seen on Slashdot in a good long while. The self-absorption and lack of even basic rhetorical skill is pretty disheartening. Not to mention the shallow understanding of the issues. It makes the few comments that really get into the technical considerations stand out that much more.

    The number of "write-mostly" humanoid bots on Slashdot these days is the most dismaying thing, though.

    For those still not clear on who Simson Garfinkel is yet, here is your FREE CLUE! [simson.net].
    --------
  • It has to support Linux 1.x.y and Linux 2.x.y kernels, It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m64k, ppc, S/360 and any other architecture Linux supports.

    Support 2.2 kernel, glibc 2.1, i386, and your virus will do fine. In that regard, the virus writer's challenge isn't any worse than a close-source commercial developer. If Loki can get Myth2 to run on your box, so can a virus writer.

    And because you can't know what the virus will run on ahead of time, it would have to run on EVERYTHING to survive.

    That's quite a leap of logic. It doesn't have to "run on EVERYTHING to survive." Windows viruses don't run on everything -- they only run on Windows. Amiga viruses don't run on everything -- they just run on Amigas. But the viruses survive. Sure, they will fail to infect some systems. But it just has to succeed sometimes -- and that will be good enough.

    Any claim that someone could =write= a Linux virus which is not so specific as to be useless is plain stupid. Such an animal does not and CAN NOT exist. Linux is far too diverse, now.

    I hope that someday, you prove to be correct. But for the time being, Linux is still fairly homogenious. Use the default Red Hat 6.1 installation options on a x86 box, and you will have a "typical" Linux configuration that will serve as a pretty good development target for your virus.


    ---
  • I must say I don't understand all this fuss on computer viruses... I have run a Windows box without any virus protection for many months, it was on the Internet most of the day, and I never had any problems with viruses. I do believe it's mostly a matter of only downloading software from trustable locations, and not running any executable sent by email or DCC GET from someone you don't know or don't trust to be careful enough.

    Of course, these principles also apply for any operating systems, including AmigaOS (where I actually got viruses from pirated floppies) and Linux.

  • if someone actually wrote a mail reader for Linux that was so helpful that it says, "hey -- here's some new mail for you! Let me immediately display it in this window for you!

    Well, besides the obvious note that in order to look at an email you *have* to display it, AFAIK at least some mail readers in EMACS would helpfully execute any emacs-lisp code they found in the mail message. Of course that probably was in the olden days and these readers got patched many moons ago...

    Kaa
  • But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out?

    This would be really difficult to accomplish. If the driver is for a popular hardware there will be more coders looking at the driver and thus a bigger chance to spot the backdoor and remove it. And if the driver if for a more unusual hardware, so that nobody will notice the backdoor, then very few users will be affected.

  • But what about the effort to incorporate a scripting language into KDE as well as the interoperability of the the KOffice and Konqueror. I'm not sure that there is a mail client included (which might limit the distribution mechanism), but it does seem like the desktop may soon get quite a few of the 'pieces' needed for a mellisa-alike.

    This isn't ment as a flame against KDE. I keep switching off between KDE and GNOME and like a lot of the aspects of both (although it seems like KDE will have more 'killer apps' sooner, I like the 'feel' of Gnome better). Please, someone explain what about the nature of the apps will keep something like this from happening?
  • Check this out for more discusion: http://slashdot.org/article.pl?sid=00/03/05/234123 2
  • Debian *releases* tend to come out at a glacial pace (but still at a faster pace than most other OSes - 1 year vs. 3 for MS (95, 98, 01)), but Debian *security patches* appear within hours of the problem being reported on Bugtraq, CERT, etc.
  • Well... not so hard to imagine. Remeber Ken Thompson's CC hack [acm.org]? (slashdot rated it 3rd in the Top 10 Hacks Of All Time [slashdot.org] thread).


    Cthulhu for President! [cthulhu.org]
  • viruses can spread as non-root too! the most interesting linux virus trait is to gather authentication tokens to increase the yeild of program infection. Someone su'ing to root is a god send if a virus can simulate a getpass().. infect /bin/ls and you have the entire system. Then it's a matter of getting off that system and onto another.. this is where the line is blurred between virus and worm. Infection (and residency) is really about following the user.. go where they go and you will find others to infect. The most revealing linux virus research can be found at:

    http://www.big.net.au/~silvio/ [big.net.au]

  • can happen, has happened, check silvio's source in the next few days for code to make it happen.
  • bah.. willfully infecting people is bad (m'kay) but what I program on my own computer is my business. Viruses are damn interesting and writing viruses is the first step to defeating them. The most revealing linux virus research can be found at:

    http://www.big.net.au/~silvio/ [big.net.au]

  • you make some good points in your article. But most of the things you say stop viruses are just hurdles, things to get around. There is research into getting around these hurdles and then battling those techniques. The most revealing linux virus research can be found at:

    http://www.big.net.au/~silvio/ [big.net.au]

  • Lots of people are saying "but a virus needs root access" and so on. In the olden days of yore, only a few sysadmins had root access. Mere users had to install software in their home directories, or they had to ask a sysadmin to put it in a global location. Things are much different now, with almost every Linux user being his or her own sysadmin. Every time someone grabs a new kernel, a new version of GNOME or KDE, a new version of gcc, a new video card driver, or just about any software, that person becomes root to do the installation. It would be relatively easy to upload a trojan horse claiming to be so-and-so and thousands of people would download it, switch to root, and run it. Then something could be installed in the .bashrc file for any user--or in the crontab--for example, and only the very hardcore are going to realize it. And that's just a simple case.
  • When M$-Word is released with an appallingly unsecure macro language, and when the virus writers demonstrate this, it never occurs to the M$ developers or their user community that the answer is to remove those capabilities in the macro language that make it unsecure. Their answer is to live with the unsecure language and construct an elaborate system of virus signature scanners, virus cleaners, and a virus signature distribution system.

    When sendmail or pine is discovered to have a flaw that can be exploited to gain unauthorized access to a system, we, as a community, see this as a problem, and the problem gets fixed. It would never occur to Eric A. to leave an exploitable flaw in sendmail, because he knows that we won't accept it.

    As long as we, as a community, are determined to see security flaws as unacceptable aberations, we will never see a proliferation of Unix/Linux viruses that we see in the M$ world.
  • The hardest part about making linux virii is making the infection available in the first place.

    The only effective ways I'm aware of involve tainting the source of a major distribution, or the patch to a program.

    Since these are very closely monitored, a virus writer would actually have to crack a server, and place a virus/trojan in the code (which did happen to win.tue.nl a year or so back).

    Because of this, really strict control by distributors would fix virii problems (excluding worms). And you know what? Having 7 distributions really helps. Having a virus in your distribution code could quite possibly be fatal for your business.

  • The No-code license didn't hurt Amateur Radio, the lack of enforcement from the FCC did. Just listen to 75 Meters, which a no-coder like me is prohibited from operating on. It's the biggest cesspool imaginable. While some of the operating practices on 2 meters (where most no-coders operate) have dropped a little, the major problem is a lack of substantive enforcement.


    Same thing for Linux: We must enforce rules to prevent the spread of viruses and trojans. Minimize suid programs, discourage binary-only distributions, encourage distro vendors to close known security holes by default, and last but not least, nuke the living hell out of anybody who creates a virus! Find the person responsible, and make sure they only get to see striped sunlight for a long time.

  • Instead of anti-virus software, why not software that helps people plug security holes? Software that could advise on proper use of the root account, sensible measures when installing rpms or kernel modules, and require an interactive password before writing to +x files?
  • "But if the economy goes south, we're likely to see a suddenly bloom of viruses from out-of-work overachievers."

    I've seen many studies where traditional crime levels do indeed react with the prosperity of a nation or state, or even city's economy. It would be interesting to see if viruses react the same way (as adjusted for it's normal growth rate). I can't see why not.

    That's not to say that if the majority of programmers out there lost their job that they would turn to producing a virus or two (heck, maybe we'd see a jump in independent contributions to OSS programming). However with an economy as such I've found myself working extra hours (hey they're paying for it!) and less time spend on personal computer interests . . . for all I know during that time I may just have turned those idle hands to something less "productive." For myself I'm sure it would be something more horrible like Pokemon . . . but for others maybe viruses.
  • The only thing that worries me about this is that for such a long time Linux has been relatively (sure a few here and there) virus free. Those producing anti-virus protection MS world (not to say that they're the panacea of virus protection) had viruses from the early days when they traveled from floppies to floppies slowly but surely. Early viruses were quite crude and most very early ones didn't actually damage squat. Some outbreaks were damaging but relatively slow and the anti-virus packages evolved with the viruses and do pretty well (IMHO).

    Linux however now finds its self growing in popularity at an astonishing rate, connected to a great virus spreading medium, humans on the inet. If viruses did start to break out and they were fairly mature, could it be too fast for people to avoid some severe damage.

    I'm reminded of a military strategy taught in a collage course I took once where a fairly simple theory was demonstrated that actually not hitting a target often pulls an enemy's resources to the areas where you are attacking (away from your next likely target). Then striking that target often is easier since the defenses are weaker and have not prepared for such an attack.
  • The hax0r, to do real damage, must find some way to get his code executed as root.

    It's been said before by other people, but...

    You can do a whole lot more damage on a single-user computer by wiping out his/her documents than by messing up the operating system. The operating system (and programs) can be reinstalled in a few hours. Personal work can't.

    --

  • Ok, I think it's safe to limit this discussion to machines with one or two users who don't normally log in as root.

    [Disclaimer: I'm not a linux user.]

    It's possible for a virus to modify the programs that each user has installed so that the file formats are changed, perhaps to include encryption with a unique key for each instance of the virus. That makes any normal form of backup bad. Your "delta" idea would work a lot better, although any changes made after the virus started encrypting data would still be lost unless a method could be devised to get the virus to give up its encryption key. (And this would be worse than having your data wiped out at first, because you could recover everything in that case using the diffs.)

    --


  • The fact that root priviledges are required offers a great deal of protection in Linux (and other *nix's.) Of course a lot of software needs to be installed as root so we aren't completely protected. I think people are more likely to write trojans than viruses for Linux due to the fact that Linux boxes are useful to remote users as well as local users. That's neither here nor there though...

    If you are running Linux you should absolutely be using some sort of IDS (Intrusion Detection Software.) I use aide [cs.tut.fi]. It's a 'tripwire' type program that detects changes in files (using an MD5 hash.) I have it configured on my home PC and my server. It runs via cron once a night, then e-mails me the results. That way if someone (or something) changes the kernel or an executable, library, script, etc, I'll know and be able to replace the altered (or infected) files. Software like this should be part of Linux distributions IMHO.

    I realize that Virus Detection is not the same thing as active Virus Prevention. Of course, the root login requirement goes a long way as far as prevention.

    numb
  • Just a random thought in passing ...

    ... but if security is such a concern of so many code writers in the *nix community, why are some still not taking heed and writing buffer-overflowable code?

    My $0.02

    Rob
  • Someone moderate this guy up!

    I've been stating for years that as long as you are smart and careful about what you download, you will never catch a virus. I've been using using computers for (looks at watch) holy shit, 12 years to the day! :P) Anyway, none of the computers that I ever owned ever had any kind of anti-virus software on them. Ever. Yet, I've never been infected.

    I personally believe that the vast majority of viruses on Win systems come from stupid people opening executables in the email attachments. I seriously believe that if EVERY EMAIL CLIENT simply disregarded (throw away) executable attachments, we'd see a HUGE decrease in virulent outbreaks. After all, we have FTP and the web for distributing programs. Using email for that purpose is a complete waste.

    And I completely agree with statement against executable documents.
  • ...not because Linux has superior virus detection, but because the average Linux user won't execute a file named "HAPPYFUN.EXE" that's emailed from someone he doesn't know. Please excuse the generalization, but the average Linux-user is much more computer saavy than the average Win95/98 user. Plus, the open source spirit does a lot to cut down on a virus. It's very difficult to hide a virus in source code. "Hmm, what's this stretch of uncommented assembly language?"
  • I have two words for you -- Script Kiddies. The people writing rootkits and script-kiddie toolkits will surely migrate to writing full-blown viruses, and even virus toolkits (so that the script kiddies can "write" their own viruses).

    It's just a matter of time. Meanwhile, you damn well better hope that your OS is secure.

    If you're using Linux, you should check out Bastille Linux [bastille-linux.org]. If you're a BSD fan, I recommend you look at OpenBSD [openbsd.org], although hopefully FreeBSD [freebsd.org] will catch up soon thanks to the FreeBSD Audit Project.
    --
    Brad Knowles

  • Disce, puer, Latinae.

    Salve,

    Ianuarius

  • Thompson's hack was not part of a large open source project, with many, many people eyeballing it. We are talking about a very, very pure and special case. Here's why his hack would fail, today:

    He's not the only game in town.

    The cc/login backdoor was so damned clever, because that was the only C compiler available. You needed a C compiler to compile and generate newer versions of C, therefore the hack was propagated.

    Nowadays, there are many C compilers, and they have become the de facto standard for building software. (Not a preferred standard. Python/Perl/Eiffel/Fortran fans please direct your flames to /dev/null or root@microsoft.com)

    The point we are trying to make is, if a product is distributed as source, these kinds of blatant backdoors are going to be discovered. If not by someone auditing the code, then by someone who wanted to 'patch' some broken functionality. The /real/ danger are the little buffer overruns, race conditions and other common bugs.

  • OK, so it's not, strictly-speaking, impossible for a virus to attack a system that's not 100% securely managed - but there are a few reasons why Linux viri are still -impractical-

    1: In order to gain any substantial power on the system, the virus needs to use an exploit of some kind - the available exploits tend to change as software evolves, security information spreads, etc. So even if there are plenty of openings, they may not be the ones that were there when the virus was written.
    2: The opportunities to spread are very limited. Unless there's a known remote exploit the virus can use to spread to other systems, it isn't likely to be able to do so. This means it'll really just wind up being a trojan horse program. And once the virus is found, and its source determined, the alert will be out and no one will get that "virus" anymore. Since remote exploits are taken very seriously these days, it's quite unlikely that any given exploit will exist long enough for a virus to take advantage of it.
    3: Prepackaged Linux. Sure, so a lot of users aren't that security-minded - that's why low-maintenance prepackaged distros make it simpler. By not including unneeded service daemons, the potential for exploits is cut back. By providing most of the needed software on the distro site itself, most of the potential for introduction of malicious programs is removed. And while a lot of these systems will be running a lot of games, remember as well that SVGAlib is on the decline - systems like X DRI and framebuffers are on the way in - when game makers can rely on these technologies, there won't be need for any more SUID root games.
    4: They're just not tolerated on Linux - it's really that simple. In the DOS/Windows world, viri are considered almost a fact of life - and if you get one, well it sucks to be you. In the Linux world, the existance of a virus indicates that there's some sort of flaw in the system design, and developers will work to disseminate information on the flaw, and fix it.
  • Articles in the Christian Science Monitor: [csmonitor.com]

    1989-09-12 Page 8
    Software Makers Row Over Patents

    1989-07-12 Page 9
    Developing Software Is No Picnic

    Sometime around 1988
    A large article I can't lay my hands on, in which he describes Project GNU. This was one of the articles that inspired me to contribute to GNU by 1989, which led to the development of GNU Fortran (g77). At least, I'm pretty sure it was authored by SLG!

    Article in Technology Review:

    1991-02/03 Pages 53
    Programs to the People "Computer whiz Richard Stallman is determined to make software free -- even if he has to transform the industry singlehandedly."

    SLG may be wrong in his predictions, but he's not writing as a newcomer to Linux, Unix, GNU, or free software in general.

  • But the linux community should be/are going to be more open in acknowledging security bugs and virus.
    Therefore fighting Virus and other security bugs or whatever that may arise would go faster and be more efficient. There is no big company that can issue a propagandistic pressrelease to cover up the truth.

    Therefore Linux should evolve faster and in the end be strongest in a security perspective.

    The openness is a strong pillar for linux to rest on.
  • Let me start by asking: why haven't there been many Macintosh viruses? Sure, it's not that popular a platform to begin with, but it had its share of viruses at first.

    Then something happened. The first "stealth" virus, the WDEF virus, came out. Instead of using the OS calls like a good little virus, it tried to bypass them and jump right into the ROM, to avoid detection. This was about the time the Mac IIci came out, with a completely recompiled ROM. Instead of spreading, it crashed the machine. There have been a few recompiled ROM versions since then, but then Apple switched over to the PowerPC, increasing the diversity level. If a virus is incompatible with a good number of its target machines, it doesn't spread well. It's much harder to write a virus for a diverse platform.

    And have you noticed how all the virus threats lately have been involving e-mail viruses and worms? This is because MicroSloth came up with a pitifully easy virus transmission method, by allowing live code in what was formerly only data. Worms and viruses spread best when they have a convienent way to propagate.

    And how many Windows NT viruses are out there anyhow? I'm not talking about macro viruses here, I'm talking about real native code viruses infecting NT. Not too many of those, huh? Because, like Linux, there are more internal barriers for a virus to overcome. Plus, some of the macro viruses don't work under NT, even when the user logs in as Administrator all the time, because NT stores some of its files in different places than 95/98.

    Now back to Linux. The creators of various distributions are having a hard enough time agreeing where to put various kinds of files, that a virus can't depend on their location. Diversity again.

    About the only thing that is consistent is services on various ports, but you can't even rely on a consistent set of vulnerabilities, because the more clued admins will be able to upgrade from a source tarball.

    In what form does Linux lack diversity? First of all, in a common binary format. This means that a virus can know where to patch, and a worm will run on many machines. There can be some problems in library availability, but a worm could just statically link itself. It could also spread by source code, but it can't rely on a given Linux box having a C compiler (or Perl interpreter for Perl worms!) installed.

    And diversity is reduced by popular distributions like Red Hat and Mandrake which tend to be preferred by the "naive" (in a Unix admin context) users. I recently got DSL, and at least one port probe I received came from a system on a cable modem running (surprise!) Red Hat 5.2. And finger said nobody was logged in. I am quite sure the port scan was NOT initiated by the owner of the machine.

    Now a big question: why a virus over other forms of attack? Personally, I think a "worm" (a program which spreads intact copies of itself, rather than inserting itself in other executables) is better suited to the Unix and Internet environment. All it has to do is carry around enough "skr1pt k1dd33" code and it can spread through less-protected systems.

    However, as awareness over stack overflow bugs increases and other vulnerabilities, such holes will decrease over time. The slow animals in the herd (Red Hat 5.2 "default" installs) will be more easily taken down than others.

    Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.

    As to viruses in source tarballs, those are rather unlikely. Certainly it is difficult to generically add virus code to source code, but many source releases include some sort of validity check like an MD5 signature. And these days, the source is usually taken from THE official archive.

    In summary, I think Linux is diverse enough that viruses will be too much effort to write. Worms are much more likely to become a problem in the near future.
  • > The original poster does ask, "What do you
    > think of this commentary?". I feel the above
    > was an important thing to leave out. Moreso
    > because the article itself mentions that
    > gaining "root" access can be integral to the
    >virus attack.

    And - as others have pointed out - why bother with a virus when you can get root access? JC.

    --

  • by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Thursday March 16, 2000 @03:57AM (#1198743) Homepage Journal
    Yes, I believe Linux Viruses will take over the world!

    What carp!

    Stop and think for a moment. To produce a binary Linux virus (as opposed to a script virus), you have to have a virus capable of handling a.out and elf binaries. It has to support Linux 1.x.y and Linux 2.x.y kernels, It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m64k, ppc, S/360 and any other architecture Linux supports.

    Why? Because if it can't run, it won't spread. And because you can't know what the virus will run on ahead of time, it would have to run on EVERYTHING to survive.

    Then, of course, if it's doing low-level appends, it's got to support ext2fs, ext3fs, reiserfs, xfs, jfs, ufs, umsdos, and any other filing system that Linux could be run off of.

    Script viruses don't have it any easier. You've no way of knowing if bash 1, bash 2, csh, tcsh, ksh, zsh, perl, tcl/tk, python, or any other given shell is present, never mind used. Nor can you rely on a given version being present. Perl and Tcl are extremely version-sensitive, making viruses in these languages either dependent on there being specific versions installed, or having support for many many versions.

    Then, there's always the problems produced by the International Kernel Patch (which can encrypt partitions for you), Tripwire and its many clones, the various Linux Kernel hardening projects, etc. If a virus can survive all of that, it almost deserves to conquer the world.

    Windows viruses have proliferated because there is a high degree of uniformity at the low-levels. This just doesn't exist in Linux (thank God!) and probably never could, at this point.

    Any claim that someone could =write= a Linux virus which is not so specific as to be useless is plain stupid. Such an animal does not and CAN NOT exist. Linux is far too diverse, now.

    Some people may have heard of the concept of "biodiversity", whereby living organisms protect themselves from real diseases or attacks by being as different and diverse as possible. Linux has gained that same protection, now, and is immune to all-encompassing attacks. Only specific attacks are of any use, and the more diverse Linux is, the more specific those attacks need to be. It could reach the point where they can only run on one machine. OOOOH! SCARY!

  • by Bilbo ( 7015 ) on Thursday March 16, 2000 @05:03AM (#1198744) Homepage
    You're missing the whole point of the article. What the author is trying to point out is, the reason we don't see Linux viruses is not because Linux is "immune", but because (a) current users are mostly techie types who understand basic security, and more important, (b) the pool of targets is smaller.

    Think about it... I'm some bored script kiddie who wants my 15 minutes of fame. Am I going to try to write a virus to infect hundreds of systems, or hundreds of thousands?

    The point the author was trying to make is that the landscape is changing. As we are celebrating all the new people who are starting to use Linux, and all the easy-to-install distributions, the "average user" is changing. You no longer need a degree in CS to simply use a Liux system. Just as there are plenty of unsophisticated Windows users, there will be unsophisticated Linux users. Add to this the hordes of home users signing up every day for always-on fat pipe Internet connections. There are ways to worm your way into a Linux system, especially if the "administrator" is clueless about security. (Read: buffer over-run bugs, SMTP vulnerabilities, etc...)

    I'm not about to plunk down $50 for a questionable Linux "security" product, but I do try to keep an eye on what's happening to my system. More important, distributions like RedHat and ilk need to carefully consider what their default configurations look like, knowing that setting up maximum security as the base configuration is a wise thing to do. If users need more flexibility, then let them learn about what the tradeoffs are, so they can open up only the doors they need. Support organizations need to make security a top priority, making sure that everyone -- even the clueless newby -- can keep their systems up to date with the latest security patches.

    Security -- no matter what your OS is -- doesn't come for free.

  • by szyzyg ( 7313 ) on Thursday March 16, 2000 @12:44AM (#1198745)
    Viruses in various forms will propagate - there's loads of programmes which are vulnerable. But I don't see the huge problems with macro viruses occurring, there won't be any 'melissa'.

    Trojans are already turning up here and there.

    The trick is not to assume that something is more secure than windows, if you end up being copmplacent about security threats then you get what you deserve. You don't need to be paranoid either, and being paranoid doesn't mean spending money to support the anti-virus software industry. It just means making sure your code doesn't increase the risk to the whole.

    So - if you spot a problem - then talk to the people who should deal with it.
  • As linux becomes more popular binary distributions will become common.

    Agreed - in fact, they already are

    Download a binary that has a virus and run it as a normal user. OK - where from? ftp.debian.org? If I check the signature on the package I can be sure that it's as the package author sent it out, and I trust that package author not to have virii on his/her machine. I (as a programmer), wouldn't download binaries from an untrusted source (as I might get a trojan, which could do far more vicious things than a virus), but a newbie might and would get infected.

    Lets say the user now compiles some code, that binary will be infected, the user puts the binary into a tar ball and shoves it onto their ftp site for distribution.. the virus spreads.

    The type of people who download untrusted binaries don't tend to upload binaries either.

    I still remain unconvinced about the abilities of virii to do real damage in the Linux environment (heck, binary virii haven't really caused problems in the Windows environment for years). However, you make some good points. Now that these vulnerabilities in the ELF file format and the Linux kernel have been pointed out, is there any work being done to close them?

  • by Goonie ( 8651 ) <.robert.merkel. .at. .benambra.org.> on Thursday March 16, 2000 @02:03AM (#1198747) Homepage
    A cursory browse at the example virii there (I didn't read all the papers, I admit), doesn't explain how a virus could gain root privileges (which it requires to propagate effectively), without being executed by root. Could you give me a pointer to a specific paper?
  • by arivanov ( 12034 ) on Thursday March 16, 2000 @05:34AM (#1198748) Homepage
    If you think Linux is safe... your wrong.

    Your statement is overrated. Here is why:

    In order for a virus to proliferate it needs to execute and infect executables. Even on "home" linux systems the executables are 99.999% not owned by the user. The user has no +w on them. So unless the virus attempts an exploit it will not be able to infect executables. There are few notable exemptions of course:

    • College campuses and enterpirse networks with a d...head sysadmin. Users install their own software in their home dirs. Guess what happens next.
    • Debian and Co and users in the group staff. /usr/local/bin is writable. Oh-oh...
    • Developer users that write their won software in C. Yeah viruses here. On a linux system. Right... What have I been smoking anyway...

    In order for computer viruses to proliferate you need to follow the same rules like in the life world. Namely you need the infection rate/death rate to exceed a certain threshold. All the cases above give you thresholds for good size local outbursts, but not for an epidemy. Which is not the case with Windows 9x, MacOS and their predecessors.

    There are few notable examples when the above situation will drastically change. The most important one is:NO EXECUTABLE DOCUMENT FORMATS!!!". If MSWord will be ported or a similar abomination will become a predominant software product on Linux than there will be trouble. Because there will be "executable" user writable formats floating all over the place. Than the treshold for selfsustained infection will be exceeded.

  • by FallLine ( 12211 ) on Thursday March 16, 2000 @05:46AM (#1198749)
    The file system, while not perfect, does complicate things significantly. The hax0r, to do real damage, must find some way to get his code executed as root. This means he must:


    a) Convince the user to run his stuff as root.
    - This of course will not work against most intelligent people
    - If, and when, such viruses start emerging, the current Linux using populous can be educated about this.

    b) Have the user unknowingly run an exploit (to get root privs) plus virus code.
    - The problem with this, though clearly possible, is that, in order to gain huge distribution, it needs a relative stable set of exploits. Most known exploits do get patched relatively quickly, just many current users are sufficiently dilligent to apply them. Here again, a linux virus/hacking epidemic would get most users act in order. Things such as automated patch retrievals/installation (or, at the very least, email) could also be implimented. Furthermore, this revolves more around the stupidity of the vendors (read: distributions) than it does the actual design flaw. I might be alone, but I think the vast majority of these exploits could have been prevented if they really put any effort into security. The bottom line is: Instead of trying to 'detect' and 'fight' each viruses individually, you attack their points of entry directly (knocking out hundreds of would-be viruses for each buggy program you shutdown)

    c) Have the user run non-root code, which actually trojans password entering programs, and wraps the IO to the real program, while trapping the input. For example, create own su program in ~bin/, change PATH precedence such that ~bin/ proceeds the real su's path (e.g., /sbin, /usr/sbin, etc) Wait till user runs 'su -'

    - Possible, and much harder to prevent. But this depends on the user acting in a certain way.

    Furthermore, the very nature of the Linux community poses a real obstacle to any viruses success. Whether or not people admit it, Microsoft plays a large contributing role in the success of its many viruses. Where Microsoft is unresponsive to most security problems, the linux community is very responsive. A published virus is likely to result, in a detailed plan of action against future attacks -- Microsoft simply isn't interested in this unless it can be proven that it'd hurt or help their bottom line significantly. Right now, to the best of my knowledge, most common windows exploits either come in shareware type programs (downloaded from some random site on the internet, or from a friend) or they're macroviruses (totally not an issue for linux yet). Linux, of course, is all about sharing software over the internet, as a result programs and code tend to recieve a considerable amount of scrutiny, even if only from 1% of the users (especially if primarly distributed as source). These users, can, and do, in turn, make a stink if something looks foul, making it unlikely to get archived on official sites and what not.

    In conclusion, I don't have the time to analyze each and every difference between Linux and Windows; however, the differences between them will make Linux a relatively virus free platform. That being said, I do believe a few linux viruses will emerge pretty soon. Perhaps one or two will really take off, but the rest will fail. After that, the community and vendors at large will mend their ways, and stem the "reproduction" of viruses down to negligible levels.
  • by The Famous Brett Wat ( 12688 ) on Thursday March 16, 2000 @02:26AM (#1198750) Homepage Journal
    Boot Viruses are virtually extinct in their pure form. They relied on people booting of floppy disks. Several different floppy disks. The only boot viruses left are file viruses that get their dirty hooks into the boot sector as a means of making sure they are installed. We can ignore this category -- it's dead.

    File Viruses are still out there, of course, but not nearly as much as they used to be. A "pure" file virus is one that inserts itself into some other executable (or executables in general). These are less of a problem than they used to be because software is generally obtained off a CD-ROM or remote download site, and viruses can't touch these files (unless the software company or FTP hoster does something really dumb). Not much actual copying of executables off one machine onto another is done anymore, which is how these things spread. Anyone old enough to remember when we used to copy executables as a matter of course? Come on, 'fess up! Gee -- I can remember those quaint old programs which you didn't "install" as such because they consisted of one executable.

    Macro Viruses are still big, though. And Microsoft's feature-driven focus will assure that this problem only gets worse. The big problem is that their software is so ubiquitous, making them a big easy target. And they keep doing really dumb stuff. Everything keeps getting more and more "active". They love that word, don't they? "Active" means "I'm a big gaping security hole just waiting to be exploited!" Linux won't have this problem until either Microsoft starts porting their stuff, or we get virus-compatible equivalents, or somehow the marketroids take over Linux software development and we throw all common sense out the window. I mean seriously, if someone actually wrote a mail reader for Linux that was so helpful that it says, "hey -- here's some new mail for you! Let me immediately display it in this window for you! And run this javascript thing in it for you!" -- would anyone use it? Any takers? Maybe if you run it under jail, right?

    Trojans on the other hand, have come into their own. I still see the damn Happy '99 trojan wandering around now and then. The trojan that emails itself to everyone in your address book is one of the more popular forms. The great thing about trojans is that they rely on the human to be the weak link, not some software hole that would get closed up the moment it was discovered (or at least would if the software in question was open source). Human stupidity is here to stay! It's going to decrease, but only because people are now growing up with email and learn the tricks at a young age. It is, however, entirely feasible to write a trojan email attachment for Linux. It's not likely to be worth anyone's while, though, because of the small target market and high likelyhood that the user has at least half a clue with regards to this sort of thing. In any case, the user isn't likely to be running an email reader which makes activating the attachment a "double click" operation, and which address book are you going to read?

    In summary, I don't see a big target market for viruses here. I think that worms are more likely to be the issue. That, and security holes that get exploited manually. These all come under the banner of cracking, rather than viruses (although worms are a sort of overlap point). Another possibility, as others have suggested, is back-door code being placed in a kernel module or something which explicitly creates an exploitable weakness. We'll see if the "bug-finding is parallelable" principle of Linux development also maps to the finding of deliberate security holes. I think accidental ones are likely to be the real problem, however.

    -- The Famous Brett Watson

  • by Sun Tzu ( 41522 ) on Thursday March 16, 2000 @01:57AM (#1198751) Homepage Journal
    Color me wrong, but why haven't the "half-dozen or so known Linux viruses" been detectable on the virometer yet? Sure, the boom is "coming", but why haven't the viruses that are already here had any success?
  • really the key here is to keep linux viruses open source and support linux virus developers.. it's really quite comparable to the biological warfare debate.. if your own people arnt making them then how will you know how to combat what the enemy is doing? The most revealing linux virus research can be found at:

    http://www.big.net.au/~silvio/ [big.net.au]

  • sure.. the same guy who wrote these viruses has written scanners for each of them and is working on a "generic scanner" which detects such things as "entrypoint in the data segment", which he then defeats by overwriting the start of the original entrypoint with a jump to the data segment, etc. It's an arms race of sorts and the first step is to identify the possible techniques.

    As for programmers not downloading binaries. There are times when you need a binary because there is no source. If you are downloading the binary from redhat.com, you may think that it is safe but without getting down with the instructions and checking out what it does you can't be certain. Good reverse engineering tools are still lacking and are desperately needed for security purposes. If it is possible for an ordinary user to get infected then it is not a giant leap to see a programmer getting infected and from there it is not difficult to see a distribution getting infected and a whole lot of users getting infected and thus a whole lot of programmers getting infected - especially with most of the linux community being programmers (of one sort or another).
  • by DerMarlboro ( 64469 ) on Thursday March 16, 2000 @05:49AM (#1198754)
    rpm -ivh stoned.rpm
    Missing dependencies:
    glibc6
    imlib
    virus.so.4

    But seriously, we scoff at this because most of us have never had a virus on a linux box. I know I never have, and I don't know anybody who has. But don't let this lull you into a false sense of security. Murphy's law has been proven true over and over and over again.

    Linux is a very large and complex system. And as we all know, in any sufficiently complex system, there are bugs. If we get arrogant, those bugs will be exploited.

    On a lighter note, the throroughly open nature of linux means that any virus written will be rendered useless in the next patch. But I don't think it's a problem we should ignore until systems are going down left and right.
  • Biologyn teaches us a lot

    Bad things to do around visuses:

    • Never change
    • always use the same software
    • encourage monopolies
    • don't build up an immune system (security, anti-viral programs)
    Good things:
    • change often, adapt
    • everyone use different software (diversity of distributions, kernels, desktop environments is a VERY good thing)
    • security
    • actively hunt down stuff in your system that changes unexpectedly
    • stay away from those who seem to get infected a lot
    You get the idea - M$'s world lives in a monoculture - just like a genetically engineered crop where everything is the same they are prey to that one viral mutation that can wipe out everyone
  • by flyneye ( 84093 ) on Thursday March 16, 2000 @03:25AM (#1198756) Homepage
    Using basic powers of observation we can see:
    1.This guy is a security consultant,one who makes money off computer users misery.
    2.In order to market many products and/or
    services a demand must be created if in fact it does not exist.
    3.Software is created by people who hold
    an interest in creating it,such as an out of work
    security clown creating a virus,were it possible.
    4.If you take off his diguise of glasses
    and that ridiculous wig,you could see we are dealing with Elmer FUD.
  • by BMazurek ( 137285 ) on Thursday March 16, 2000 @03:33AM (#1198757)
    I'm a bit skeptical about this backdoor possibility in official versions of the kernel (or gcc or some other important piece of free s/w). People have been suggesting it for years, but it's never actually happened.

    Never actually happened, eh? Taken from the Jargon Dictionary entry for Back Door [netmeg.net]:

    Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

    Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler -- so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry -- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

  • I have known profesional programmers and hobbyists and in my view profesionals are MORE likely to write viruses than less likely.

    Add to the mix that back doors in software are writen almost exclusivly by profesional programmers working on high end systems.

    This is just my point of view but it seems to me that viruses are writen to attack an operating system and/or platform a person dislikes.
    A profesional is more likely to have access to a system he dislikes than a hobbyist who would presumably only have the system he likes the most.

    Unix admin have long had to use systems they disliked. In some cases a Unix admin prefers one *nix platform but gets stuck with a diffrent *nix platform. He wouldn't write viruses on the companys own system becouse that would get him fired but he would unleash it "into the wild" if posable.
    In over 30 years.. with every motivation... and a lot of Unix hobbyists (In casse you prefer to belive viruses only come from hobbyists) a Unix virus is vertually unheard of.

    To back up my clame that over the years Unix people are every bit as likely to make viruses as anyone else.. even more so... look at the shear number of trojen hourses writen for Unix. Far outnumbering those for Dos.
    There are sevral reasons for that.. One is that Unix people are not worryed about trojens comming back to haunt them sence they run something diffrent at home. If they use computers at home at all.
    (Think 30 years ago... the standard admin 1970 used CP/M at home if he had a computer at all.. the standard admin 2000 almost certenly has a server class system at home)

    Note shortly after the first Linux virus was uncovered one of the big antivirus companys made a virus scanner for Linux. Then the virus was distoryed rendering the product useless.

    There is some Linux antivirus software outthere. They don't do anything useful sence theres no viruses to stop. But some hobbyists are sereous tweeks.
    Check out freshmeat and take a look at the antivirus software selection
  • by jw3 ( 99683 ) on Thursday March 16, 2000 @01:02AM (#1198759) Homepage
    OK, so I'm just a lame biologist, still -- I can't quite imagine how this would happen. I mean, of course you can write viruses for Linux, but to spread them would be very hard. I can only judge from my own case: places where I get software for Linux I can count on the fingers of one hand -- in 95% of the cases, it's a SuSE mirror. Yes, I can imagine some evil-minded soul who tricked SuSE into getting an infected package. But even though I could have been infected then, SuSE would be able to quickly track the virus and submit sufficient patches. This is not Windows world, where you get the programs from your friends or some obscure web pages: usually, programs are distributed much more professionaly than in the case of Windows programs.

    Of course, I can imagine worms which trick the users in, for example, executing a shell script which then mails messages using sendmail and ~/Mail, ~/.tinrc, /etc/passwd, etc. However, Unix provides nice means to control the in- and outgoing e-mail, and the root account would be in that case untouchable - I think.

    But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out? Say, 2.4.0. Then all the people who download this kernel are vulnerable: the hacker waits till the 2.4 becomes popular, and then spreads the worm for the designed wormhole. Anyway, in that case he would be probably finished...

    Well, I don't know. I'm not much of a hacker. But I think that getting a virus is in the case of Linux much less likely then in the case of Windows. And besides -- I haven't seen a virus for Windows ever since 1996 or something, so is there really a thing to worry about?

    Regards,

    January

  • ...impossible to counterfeit, then the smarter half of the whole Linux community (who verify packages before installation) should be safe from viruses and trojans. Let's cross our fingers and hope the heavily used mirrors don't let their security down. Perhaps a review board of mirror site security should be establish. Even the most parnoid should be be able to sleep at night knowing that someone checked their mirror before they downloaded that last package.
    On the issue of trojans, no one has seemed to have brought up the issue of trojans that could possibly make unannounced changes to source code as it is being compiled. Wouldn't that be harder to detect than a trojan as signatures can't protect uncompressed source? Imagine if your copy of Tripware, Necruss, GnuGP or perhaps even the kernel being comprised at compiliation time, meaning that your security could be comprimised without being able to realise it or detect it until it is too late? Now that's scary.
    For the really paranoid, I recommend that you check out Kurt Seifried's extremely comprehensive Linux Administator's Security Guide (aka. LASG) at https://www.seifried.org/lasg/
    If followed, it can put anyone's mind at ease.
  • After all, it's not too terribly hard to write a virus for any computer operating system

    That may be the case, but it's pretty damned tough to write an effective virus that will propagate with any efficiency on a Linux box.

    I'll first discuss binary viruses, then macro virii, as they are seperate issues. All system-installed programs are owned by root (modulo some daemons and the like owned by administrative account), so to infect "ls" or "emacs" the virus would either have to use some exploit to gain root priviliges, or get itself installed suid root. Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.

    What could a virus then do to propagate itself without root priviliges? It could infect any program it had write permissions to - that is, any executable owned by the user, or set group or world writable. Newbies don't tend to have executables that they own, group-writable executables are rare (and not a great idea), and world-writable executables are extremely bad practice. Not much room for propagating there.

    Even worse for the virus, binaries don't tend to get shared around much in the Linux community. Binaries tend to get distributed using CD-ROM's, distribution ftp sites, and possibly project ftp sites - none of the rampant floppy-swapping that made the viruses of the 80's and early 90's so prevalent. Nor do Linux email programs allow the blithe execution of binaries as many Windows mailers do.

    Therefore, I consider it extremely unlikely that Linux binary virii will be able to propagate effectively.

    Macro virii are a different proposition. File permissions are not such a defence here. However, these beasties rely on macro languages which were enabled by default, which allow arbitrary macro code to be executed on loading a document. If auto-executable macros are disabled by default (or banned outright), and macro languages restricted in their power to prevent them altering documents other than the one they are embedded in, the macro virus cannot propagate itself. Why can Linux applications do this readily, while Windows is more restricted? Simple - because the foreknowledge of what has happened in the Windows world is allowing Linux applications to be designed with macro-virus proofing in mind.

    In summary, Linux is a damned hard target for virus writers. Next time Mr Garfinkel tries to drum up some business for himself, he might consider doing a little more research.

  • hehe.. more like:

    calvin:~$ wget http://somesite/pointlessgadget.tgz
    calvin:~$ tar -xzvf pointlessgadget.tgz
    calvin:~$ cd pointlessgadget
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ ./pointlessgadget

    "that was boring.. I'm gunna go shoot stuff"

    calvin:~$ su
    calvin:~$ /usr/leet/leetgame

    pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peaked at your psuedoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.

    Fiction? You can do it using ptrace. You can read about it here [big.net.au].
  • sticking your head in the sand is no way to defend against "a plague of viruses". Writing viruses is the only way to actively discover how it is possible to defend against them. A lot of linux viruses have already been written by very smart people and most have a scanner written for them too. Every virus developed introduces new information that can be added to a "generic scanner". Open and intelligent discussion of virus techniques is the solution to computer viruses.. on all platforms.. but the corporate antivirus companies dont want you to know that. They want you to subscribe to virus bulletin (a $5000/year subscription) and join the international computer antivirus standards body Caro (to join Caro you must be unaminously voted into Caro by current members. All current members are antivirus companies (or their founders) and have an interest in not voting you in - less competition). Dont let the anti-virus scam continue onto the linux platform. Do some research, address the problems. The most revealing linux virus research can be found at:

    http://www.big.net.au/~silvio/ [big.net.au]

  • by ronfar ( 52216 ) on Thursday March 16, 2000 @03:20AM (#1198764) Journal
    Rick Moen's Comments on this subject [linuxmafia.com] and also read this one http://linuxmafia.com/~rick/faq/#virus [linuxmafia.com] Basically, the best security against evil binaries (which of course run into the sub-goblins of viruses, worms, Trojan Horses, and the like) is to not run as root.

    Of course, the biggest problem is that sometimes you are going to want to run as root, and you are probably going to want to install something while su'd to root. (It is wishful thinking to expect this not to happen. Someday there is going to be a really cool game for download in binary form that has a pop-up Window which says "enter root password" which may then turn out to be a trojan.)

    My experience with virus checkers is that they don't work. I had a trojan eat an old Win95 machine of mine once, and the fact that it was running Norton's Anti-virus didn't help. However, Linux has more built in security against malicious actions than Win* systems, so I'm not expecting to see "a plague of Linux viruses."

  • by ralmeida ( 106461 ) on Thursday March 16, 2000 @03:21AM (#1198765) Homepage
    calvin:~$ wget http://somesite/happy99.tar.gz
    calvin:~$ tar zxf happy9.tar.gz
    calvin:~$ cd happy99
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ su
    calvin:~$ make install
    calvin:~$ exit
    calvin:~$ happy99
    You must be root to run this program
    calvin:~$ su
    calvin:~$ happy99
    (ops!)

  • by nullity ( 115966 ) on Thursday March 16, 2000 @12:56AM (#1198766) Homepage
    Most Linux users have no traditional Unix sysadmin, or user experience behind them. Traditionally the difficulty alone of installing Linux served as a sort of filter against immoral users engineering viruses. If you've ever administered a real system, or know of people who do, you're very unlikely to write a virus (unless you really have issues!).

    I suspect that a rash of Linux viruses will come not from an economic depression (though that could certainley cause it too...think Russia), but from the midst of the masses migrating to Linux. While virtually everyone installing Linux, from "script kiddies" to Windows NT converts are scrupulous...you are bound to get a higher percentage of people who would be willing to write a virus.

    Now granted, more of these people are incapable of programming such an entity compared with old Unix hands...but where there's a will there's a way. Somebody is bound to kludge together (or even finely tune, you never know) a series of downloaded hacks (hey! free source code!), and write a little code of their own...voila! Microwave virus. And it only takes one good virus to cause serious issues. Particularly because these things almost always encourage copy-cat crime. Odds are we'll see a rash of viruses any time now - whether the economy is strong or not.

    Want to believe that even without a high "activiation energy" (ie the work and knowledge to install Linux) the pool of users will remain "clean"? One only has to look at Amateur Radio for a counter-example. For a long time proficieny with Morse Code was required to obtain a license. Now this may not seem like much of a barrier...but it was. When the "No-Code" license was introduced a wave of new radio operators began coming on the air. Now I don't dispute the overall effects of the new license, I think most agree they were good overall. No sense keeping a good thing to an "elite" group of people. But there was one strong negative effect - the introduction of a few, er, less than choice individuals.

    Did such individuals exist in the "old world"? Well, yes. But they were a much lower percentage. Now radio had to deal with irritating interuptions and people refusing to follow protocol. A small loss, but many repeaters (stations that retransmit a weak signal) were unprepared and were abused as a result. Protection mechanisms were instituted, but it often took some months during which time a repeater was far less useful.

    The long and short is that a company like Symantec (Norton) might find it worthwhile to have a Linux offering prepared. No use deploying it (well, not with scruples at least - I'm sure some morons will bite) until viruses exist. But when they do come, and I bet they will, that company will have a big lead. Other companies would probably take several months to a year to produce. By that time one could really corner the market. Linux users win, some lucky company wins (hopefuly whoever wrote the #*$&#*$&* virus shrivels up and dies). Yay!

    I think few of us familiar with the sort of hacks we deploy on our systems, the sort of tricks a *nix system can perform...would deny the feasibility of writing a virus. To do so would be...naive. Now that I think of it, though I realize acting before the fact isn't the strength of the free software community, it would probably be good to begin working on a feasible free program soon. Hope we never would have to use it...but... It would be bad, bad, BAD for Linux systems to be crippled for 5 months, admins cowering in fear, because of a rash of viruses. That would take major PR recovery...and Linux really isn't that strong. Remember, the media likes biting those it adored mere months ago. Makes for good news.

    -nullity-

    I am nothing.
  • by rcw-home ( 122017 ) on Thursday March 16, 2000 @05:08AM (#1198767)
    You can't ptrace setuid processes, and if you ptrace the parent bash process, you don't get the keystrokes from the su process.

If it wasn't for Newton, we wouldn't have to eat bruised apples.

Working...