Garfinkel Warns Of Linux Virus "Epidemic"
An anonymous coward says: "Simson Garfinkel has an opinion piece at SecurityFocus called "The Coming Linux Plague." He argues that Linux is no less susceptible to viruses than Windows, and that an epidemic is inevitable." I'm sure most of us have read his books. What do you think of this commentary?
In 15 years, only commercial disks gave me viruses (Score:1)
Naturally, people copied its techniques (it was a boot-sector infector, as I recall) and then began adding new attacks. Viruses began appearing on all the major 68k-based systems and the PC. The 8-bit computers largely avoided this. Companies began popping up to sell virus protection, and made good money at it.
Further down the road, I went through my 31337 H/P stage and had lots of dealings with virus writers.
Through all of this, despite all the BS of the virus authors and hype from antivirus companies, the only virus infections I ever got were from two commercial disks bound inside books (one was "The Black Art of 3D Game Programming").
The moral of the story is that we can expect someone to release one successful virus for Linux sooner or later, tons of people will imitate him, and it will also be more smoke than fire.
Re:Common sense VS Anti-virus software (Score:1)
There is very little chance of getting a virus if you are actually careful about what you do. However, you are an exception.
My experience has shown that someone who I would call a Typical user has absolutely no clue what a virus is, downloads anything from anywhere, and then ignores any messages that they receive on their computer about virii or macro virii (especially on MS Office products). Maybe I deal with a really clueless group of Typical users...
I think it comes down to this. What you know about a computer and security improves your chances - if you have no knowledge, you have no protection. Probably about the same as unprotected sex - what you don't know, can hurt you.
Linux viruses are coming? (Score:1)
Re:Hard to imagine (Score:1)
Digital Signatures. (Score:1)
This does not, however, protect against signed code that can be compromised. Obviously, if you compromise anything running as root, you own the system. The problem with Linux (and probably most *nix) is that security is based solely on ?uid, and not a more rich security model, such as determining which resources are granted to which process based on uid, some external certificate, etc...
Re:Diversity will reduce the problem (Score:1)
Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.
Haven't we already seen things like this? Remember the DDOS attacks on yahoo and friends? Those were mostly automated attacks, scanning for multiple vulnerabilities and attaching payloads.
They aren't quite as automated because it's hard to write a fully self-distributing worm, compared to a simple boot sector virus. But with buffer overflows in almost everything shipped on linux these days (Have you upgraded your FTPD lately? Did your distribution turn on IMAPd again?) it's real easy to hit machines remotely and pop in an egg of almost arbitrary size. And if you're smart, you can use them for anything from pingflooding yahoo to voting for your entry in a $500 prize from x10.
Of course, you could run audited code [openbsd.org]...
Re:How? (Score:1)
Those are POSIX 'capabilities' which are not the same thing as 'capabilities' as in EROS et al.
As reiterated by capability proponents, they are not the same thing
And in case you were wondering, the name clash was POSIX' fault. --- the idea of capabilities as in EROS/KEYKOS/SPEEDOS/etc. predates POSIX (I think), let alone POSIX 'capabilities'
John
Re:It will happen - but not as bad as windows (Score:1)
>Trojans have recently been found in things like wuarchive ftp.
Recently? The article is dated April 6, 1994....
Re:Virus (Score:1)
>actually vulnerable. Harsh!
Not really. It's that people and companies peddling anti-virus software are viewed with a great deal of suspicion.
Re:Hmmm,did anyone notice.... (Score:1)
>you'd take them?
>You cannot discount his arguments just on the basis that he is a
>security consultant. You can examine what he says in greater detail to
>make sure it makes sense, but outright saying "He is a security
>consultant therefore his arguments are invalid" is invalid in itself.
No it's not. If you know someone's in a position to line his pockets from what he's trying to sell you, you had better question the motives of said person. When a security consultant starts promoting "THE VIRUS THREAT TO LINUX" in the fashion Garfinkel did, warning bells concerning what he's saying should be going off...
Re:Head in the sand? (Score:1)
>want to drive a car, you need a license too.
>I remember when I got my Amiga, two weeks later, the machine started
>to behave really weird. The computer would suddenly freeze with a
>black screen and I had no clue what was wrong. I phoned up some
>friends and asked them, what this could be since it only happened when
>I booted the Workbench. One mentioned a virus called "Byte Bandit" and
>told me, how to remove it.
Who are you trying to bullshit here? You got "Byte Bandit" from your friend. Byte Bandit is/was a boot sector virus that mostly got spread around on Amiga floppy disks by the Amiga Warez Crowd.
Idiot, moron, retard (Score:1)
Windows' problem has always been that all users are basically root. All programs that ran could overwrite any other file on the system. NT's problem was the macro languages built into apps were also allowed to do whatever the hell they wanted.
The real question is, if I'm root and I open an "infected file" in vi, is vi now infected? That would be virus behavior. If I put a floppy in the drive and read my data, will any viruses on the disk execute? Personally I don't think so, but if we're going to talk about virii let's split the matter from trojans, which are COMPLETELY different.
Re:Head in the sand? - clarification (Score:1)
This is a pretty grave mistake (or omission) to make for a security consultant.
In regards to the virus idea in general, though... in windows, how many people will send you an attachment of a C file? Very few. They send binaries. It's almost the exact opposite in linux. Very few will send strictly binaries, because a very large portion of the linux community will not accept them, and many run different operating systems or architectures (which the same C program may compile and run on without a hitch). It seems actually _less_ likely for people to send each other binaries in linux than in, say, solaris or irix (due to closed source patches and licensing terms, along with the lack of a _good_ default-installed C compiler).
Unix (linux inclusive) software developers would not likely get away with installing macros into their word processors which can write to disk. The linux community would reject the program if it was commercial, and "correct" it if it was open source.
As for using the system as root... how many sun administrators do this? I've received countless e-mails from admins using dtmail as root. I'm almost tempted to insert a lecture about it into my signature. Linux is not alone in the user-stupidity area.
Many linux users will be susceptible to viruses, and many will not... but i think the reasons and the realities behind the situation need clarifying.
As a side note... how many experienced administrators will trust an anti-virus program to scan and clean files on their unix-based system?
Re:How to get infected using Linux... (Score:2)
calvin:~$ ./pointlessgadget
Okay. This can set several things. But there are lots of things it can't do:
I guess it could do something like spawn a new shell. That might be trickier to notice.
'Course, if you ask me, it's your own damn fault for running games as root. :-)
Knowlegeable users and admins... (Score:2)
If you are a Windows user, having Anti-Virus Scanners and Shields is a must. As is utilizing safe practices like not running any code that is attached to mail or other documents without being real sure of its being safe. Running cute little programs distributed by email is a good way to be infected with viruses!
Many of the same common sense ideas about viruses in Windows also holds true for any system including Linux. If you get code or programs from untrusted sources, you run the risk of getting hacked. With Linux, though, the source is open and under the scrutiny of many eyes - this tends to eliminate such vulnerabilities.
Bottom line: Safe practices will prevent the lion's share of problems.
Re:How? (Score:2)
What you are describing is a capability system.
Take a look at EROS [eros-os.org] for a GPL'd example of this.
In particular, note the principle of least privilege -- just because a program needs one small aspect of root's privileges, doesn't mean it necessarily needs to be given all of them -- in practice, this gets rid of the root account per se, which is never bad where security is concerned.
John
Re:Hard to imagine (Score:2)
>your friends or some obscure web pages: usually, programs are
>distributed much more professionally than in the case of Windows
>programs.
Exactly. Most people don't get software for linux from the Shareware-type sites that cater to the Windows crowd. We tend to get it from the author's homepage or a mirror site of Redhat, SuSE, Slackware etc. The Linux/Unix software distribution model is different from that of Windows, which is something else the idiots who keep writing these ads, err "articles" for the Anti-virus software companies don't understand and tend to overlook.
Re:Linux Viruses (Score:2)
Let's assume that another 10% of all installations are Corel Linux.
Let's assume that a further 30% of all installations are Red Hat, with 75% of these being recent versions of Red Hat.
Then, let's assume that an additional 20% of all installations are Debian.
Now, let's assume that 20% of all installations are Mandrake.
To finish things off, let's say that 5% of all Linux installations use any other Linux distribution, and that 5% use =ANY= legacy Linux distribution.
To complicate matters, let's assume that 25% of all distributions are modified significantly from their original form. (eg: Upgrading the kernel, upgrading key libraries, replacing or upgrading key packages, installing software that affects the system operation)
Now, let's assume a virus is built to run under an original Red Hat 6.1. Then, you've 75% of 75% of 30% of the distributions, or just under 17% of what's out there.
A virus that will only infect 17% of its target audience isn't much of a threat to anyone. It'll die out from a lack of computers to infect. And that's from targeting the most common distribution out there.
The filing systems are important if you're going to write something more sophisticated, such as a virus that hides itself by marking some of itself as bad blocks. (The virus merely has to ignore the bad block markers to load itself in.)
However, SuSE is going to use ReiserFS by default and other distributions may follow suit. With no means of telling what the underlying FS is, in advance, the virus would need to be coded for them all. Otherwise, you lose out on the distributions.
Let's say you wrote a virus targeted at ext2fs systems with Glibc. Now, many distributions use that. Let's give it a generous 90%. But Slackware only recently moved over to Glibc, so that goes down to 70%.
Any person can switch over to ReiserFS, or some other non-ext2 system. Let's say that of the 25% of people who have significantly altered their system, 15% have migrated to another filing system. You're down to 55%. Let's make things easy and say that 5% use UMSDOS. Now down to 50%.
We're dealing with low-level operations, so RAID is going to seriously screw things up. Because Linux =is= used more for servers than the desktop, it's not unreasonable to put this at another 10%, bringing the total to 40%. Because something this low-level would require root privs, you're talking about a user who admins regularly with root privs. More than half of all sys admins know better, so we're talking a very optimistic 50% of users would be open to this. The total is now 20%.
Now, 20% is not much better, but it =is= an improvement. It means that 1 in every 5 computers targetted will be capable of running the virus, AND where the computer is regularly exposed enough for the virus to be able to infect it.
On every machine it cannot run on, it can't propagate. Thus, if there are entire regions in which NO machine can run the virus, NO copies of the virus can be spread by them.
This will =HEAVILY= retard the spread of any ext2 virus, to the point that you'll be up to antidote version 7.5.5 =LONG= before the virus has reached anyone you know.
Re:Linux Viruses (Score:2)
(Well, almost. I admit I've been known to cart 100+ 3.5" floppies around, when there's no CD burner handy.)
Nor do any of the three viruses on that page obviate a single point. They're not going to work on different C libraries, and the distributions are (gratifyingly!) ultra-diverse there. Nor are any of these guaranteed to be kernel-independent.
The second one explodes if you use "strip" on it, which makes it somewhat less than fearsome, and all three will set off Tripwire. They won't do terribly well against any restrictions on the number of threads allowed, either.
The "Linux Virus Plague" is more myth than reality, and more hype (to sell books & software) than substance. All the viruses documented have common, widely-available tools for detection and elimination, as well as being ultra-specific to a very narrow range of computers.
Now, if you want to claim that a virus threat exists, within that subset of Linux boxes that are identical to the virus writer's machine and have no Intruder Detection software, no binary verification, no restrictions on use, no ACL software, where the user always logs in as root, where a group of such people are geographically close and where only one person out of that group has a fast Internet connection, I'd have to agree.
On the other hand, I don't really think there are terribly many such groups, do you?
P.S. If you think a.out is dead, re-read the docs for the 2.3 kernel, specifically the /proc stuff.
Re:boxen (Score:2)
Just sbin? You're mad (Score:2)
should be run by root? That's crazy. You mention that if you run other stuff as root, you're going to rm something important at some point. Really? Well, I guess your solution of having root never even run rm *EVER* is certainly a way around that... Come on. While you don't want '.' in your root path, at least the following should be in there:
/bin
and possibly
Re:Doesn't anyone *read* the story (Score:2)
I agree that Linux needs stronger security (how about a free Tripwire + active systems security agent?) but a few things first:
o when enough people in the Linux community need more security, it'll happen.
o if you can't wait that long, look into openbsd.
o encrypt your personal data files and anything that you don't want the world to know about.
o run tripwire or a free variant.
o whatever the solution, keep it opensource, and GPL if possible. Don't buy into a proprietary product that could possibly be doing naughty things in the background.
Cheers,
Your Working Boy,
Devoid of Clues (Score:2)
The author of the article was clearly writing outside of his field of expertise. Linux is not as vulnerable to virii because it actually has a security model. For a virus to infect a Linux machine, it would have to compromise the security model. For a virus to infect a Windows machine, it merely has to make a few function calls to start copying itself around.
Actually, I'm so irritated at this kind of irresponsible fear-mongering nonsense, I'm not going to comment further, because there's not a single nice thing I can think of to say about the guy at the moment, aside from possibly he might one day stop a bullet from killing someone with a clue.
Linux viruses are possible, but harder. :) (Score:2)
Yes, it's possible to write viruses for Linux, folks. The first viruses period were for Unix and VMS boxen (back when the entire concept of viruses was still "proof of concept") though for the most part they never spread widely...
Right now, about five or so viruses exist for Linux, all of which are for the most part "proof of concept" viruses. They've not spread widely, in part (methinks) because nobody yet wants to spoil a Good Thing...there eventually do come Bad Folks who do want to break things just out of meanness, though (look at the history of Usenet going into the shitter for a class example), so we can't rely on the good graces of most Linux users for long.
That said...I can state that writing viruses for Linux would be considerably harder. Basically, the virus would have to propagate as root to spread much of anywhere; the fact that most Linux programs are still distributed as source code also helps much in preventing infections. (This is not to say it's impossible, just much harder.)
About the easiest ways I could actually see viruses spreading under Linux the way they do under certain Microsoft OS's That Shall Not Be Mentioned are under the following conditions:
Binaries which must be installed from RPMs and as root become a lot more common. (As others have noted, there are early signs of this occurring, and to be honest I'm as nervous of this as other folks. All the more reason for teaching folks to "Use the Source, Luke" ;)
If a virus comes out that can also take advantage of system insecurity to get root. (If memory serves, at least one of the "proof of concept" viruses for Linux already does this. This is not impossible.)
If (Cthulhu forbid) a virus were to come out that specifically targeted GCC and/or other compilers. (Again, "proof of concept" exists in a roundabout way for this--specifically, the infamous "backdoor" in early versions of GCC...an original copy was made with backdoor code, and whenever it sensed it was compiling code for the login portion of the OS it inserted the code for the backdoor even if it did not exist beforehand. Even worse, if it sensed it was compiling another copy of itself, it inserted the backdoor code even if it did not exist in the source...a very nasty and clever hack, and one which could cause viruses under Linux to spread like wildfire were it to be repeated to spread viral code (say, as an RPM of GCC binaries--frighteningly enough, these actually exist in most flavours of Linux that install from packages of any sort) and it would be almost next to impossible to avoid (you'd have to recompile from a known, clean version)...)
If (Cthulhu forbid!) Microsoft Word or some similar word-processing program that has macro languages that commit Serious Misbehaviour were to become widely used. (Don't laugh this one off, either, folks. Word macro viruses are the SINGLE worst virus problem nowadays--more Word macro viruses exist than binary viruses, and more than one Word macro virus has been found with "droppers" for binary viruses or trojans...even worse, Word macro viruses with droppers for Mac and Win32 viruses are known. If Microsoft gets split up and Linux becomes much more popular, it is conceivably possible Office might get ported to Linux...even if it doesn't, it's also possible someone will write an office suite with hooks into the OS (which is the source of most probs with Word macro viruses--Office's macro languages have hooks into Visual Basic, and VB has a crapload of hooks into Win32 itself to the point some folks actually write entire Win32 applications in VB) which would cause similar misbehaviour, because a lot of folks from the Windoze world REALLY like their damned macros...which, incidentally, is why offices seem to get continually infected with Word macro viruses if they don't take "precautions".)
IMHO, all except the last two are fairly unlikely (and the second to last is unlikely unless you were to get a rogue person in place at one of the distro sites)...the things Linux has to worry about more (in fact, the things that are becoming an increasing worry even in the Windoze world) are trojans and worms.
Worms, after nearly having died off a few years back, are now back with a vengeance. First it was mIRC macro-worms (mIRC, a common IRC client in the Windoze world, has a rather powerful scripting language that can unfortunately be abused to create worms that propagate largely through DCC chat requests), now the big problem seems to be both trojans (like PrettyPark.exe) and an increasing number of Word macro worms which propagate through taking advantage of security holes in almost every program that exists for Internet apps in Windows (Agent, Eudora, Outlook Express are just a short list of programs in which worms have propagated).
Trojans and worms have existed before with *nixes (Washington University FTP has frequently been trojaned with backdoor code, among others; I think we all know about the infamous Morris Worm). If we let security practices get lax in writing Linux apps (especially the "user-friendly" sort of apps) and especially if we do Bad Security Practices with stuff like scripting languages, etc. for apps, we could probably end up in the same boat as far as worms and trojans go. Hell, as someone noted, DDoS apps like Trin00 have been found on Linux boxen that have been compromised; I'd be really shocked if someone doesn't figure out some way to distribute a DDoS client as a worm...
So, no, we can't be lax. But part of the battle is knowing what exactly to worry about. Win32 in general, and especially Win9X, has a lot of basic security flaws that enable stuff like viruses and worms and trojans to propogate. Linux has a more secure setup if used properly--we don't want to turn it into a Windoze clone (lest we end up with the same problems) but in making Linux easier to use we want to learn from the mistakes made by a certain company in Redmond (and also by a company started by the Brothers Steve, for that matter) so that we don't repeat those mistakes. :)
Re:How? (Score:2)
Mashiara dun said:
Well, yes, at least for binary viruses (the largest problem nowadays is actually Word macro viruses, and new binary viruses are fairly rare (with the exception of CIH and the occasional Word macro virus that has a dropper)...)
Then again, it's far more safe not to look for patterns so much as to look by heuristics for programs that can potentially do Very Bad Things. (This pretty much Works on binaries except for a very few programs that rely heavily on system hooks or do "naughty" behaviour legitimately (like disassemblers), and pretty much Works 100% on macro viruses which are the major problem nowadays.)
Well put.
As it is...yes, Linux viruses are a worry, but not a MAJOR worry. I've posted a more complete post here [slashdot.org] on what I think we do need to worry about (namely, not repeating the same basic design mistakes in Windoze that allow viruses to propogate like crazy on those boxes, and increasing security in general to eliminate ways to let viruses in period).
Re:Hard to imagine (Score:2)
I'm a bit skeptical about this backdoor possibility in official versions of the kernel (or gcc or some other important piece of free s/w). People have been suggesting it for years, but it's never actually happened.
How hard would it be to do this without any of the other developers noticing, and (important for virus authors) remaining anonymous? Too hard, I guess.
I think that backdoors in proprietary software are a much bigger danger. It's much harder to tell whether there is one, and if so, where it comes from.
Poor commentary (Score:2)
After all, if every potential Linux virus writer were only holding back because they're too busy making money off the web, wouldn't the same be true of Windows virus writers? So we'd expect a tailing off in the number of new viruses? In fact, there are more new viruses around now than there have ever been.
Furthermore, historically the worst (greatest?) virus writers have been from the deprived, poverty-stricken communist states of Eastern Europe. That was back in the bad old days of course - things have changed. Now, they're deprived, poverty-stricken capitalist states. But they still write really clever viruses. And Linux is incredibly popular there.
One notable thing about a 15-year-old computer geek from Romania with an inclination towards malicious coding; his opportunity to get rich from a .com IPO is very slim indeed.
So the talent is there; the circumstances are there; but the viruses are strangely absent. Why? Two reasons, I think:
As if the "web commerce" theory wasn't silly enough, Garfinkel then suggests Linux needs anti-virus software before it can be taken seriously by business.
Excuse me?
Even though there are no Linux viruses, he thinks there is a business need for software to remove them?
How can it possibly be better to have viruses and anti virus software than to have no viruses in the first place? Which makes better business sense?
It's a symptom of the Microsoft-inspired brain softening that so many journalists seem to suffer from. Anti-virus software is not a good thing for an environment to need. Not needing it, and therefore not having it, is a good thing.
The poor design of certain Microsoft products allows malicious code to spread easily. That's a fault. Software exists which, at great expense, time and effort can keep your systems pretty much free of it. That's a kludge, albeit a necessary one. This is not a model we in the Linux community should seek to emulate!
So will there never be a real Linux virus? Well, I think there probably will be. Probably a good few. But will they be as dangerous as Windows ones? I don't think so. Will they spread as easily? Certainly not. Simply employing good security practice on your Linux box should be enough to keep it clean forever.
Minor correction (sorry) (Score:2)
Hmmm... (Score:2)
A couple of points (I'm paraphrasing here):
o "There will be a flood of Linux viruses after the economy goes south": Why? Because all those programmers who would otherwise have been able to make millions via IPOs will turn to virus writing instead? What kind of argument is that? Most virus writers don't have the business acumen or social skills of a dung beetle.
o "We need programs that will prevent viruses from mdifying the kernel": And how, exactly, are they supposed to do that? The most common way of cracking a system through kernel changes is use of modules. How is this hypothetical virus detection program supposed to distinguish between genuine modules and viral modules? You'd have to have a list of approved modules with MD5 checksums for each of them, and that'd still leave you open to subversion of either the applicable areas of the kernel or the virus detection program itself.
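The two posts above ask for "tripwire or a free variant" and for "a list of approved modules with MD5 checksums", while warning that the detection program itself can be subverted. Here is an added example of the core of such a checker, written for this page and not taken from the thread or from Tripwire: it baselines a tree (digest, size and permission bits per file), seals the baseline with an HMAC so that an intruder who edits the database is caught, and reports modified, added and removed files. The file names, contents and HMAC key are constructed for the demo; nothing beyond the Python standard library is assumed.

```python
"""Added example: a minimal Tripwire-style file-integrity baseline and checker.
Not code from the thread or from Tripwire; Python standard library only."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> tuple:
    """Serialize the baseline and tag it with an HMAC, so an intruder who can
    edit the database cannot quietly re-baseline their own changes."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


def open_baseline(blob: bytes, tag: str, key: bytes) -> dict:
    """Refuse the database unless its HMAC tag verifies under the key."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline tag mismatch: database altered or wrong key")
    return json.loads(blob)


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report each class of change."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, meta in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != meta:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    key = b"constructed-demo-key"  # assumption: in real use kept off-host/read-only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
        (root / "lib" / "libc.so").write_bytes(b"\x7fELF original libc")
        blob, tag = seal_baseline(build_baseline(root), key)

        # Simulated infection: ps replaced, a file dropped, a library deleted.
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")
        (root / "bin" / ".hidden").write_bytes(b"payload")
        (root / "lib" / "libc.so").unlink()

        # A database the intruder has edited (here: one byte appended) is rejected.
        try:
            open_baseline(blob + b" ", tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        report = verify(root, open_baseline(blob, tag, key))
        report["baseline_tamper_detected"] = tamper_detected
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC only helps if the key and the sealed database live somewhere the intruder cannot reach (read-only media or another host); a checker whose database, key and binary all sit on the compromised box has exactly the weakness the second post describes, and a kernel-level compromise can lie to the checker about file contents regardless.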
Re:Viruses will come...Free Software isn't ready! (Score:2)
That's not true. We happen to run linux antivirus software at the elementary school where I work. Why do we do it? Because we use linux for our mail/web server, and it's pretty damn convenient to have your mail server check incoming mail for macro and other viruses, instead of just relying on the individual machine's protection.
If we used a linux box running samba as our main file server, I imagine such software would also be helpful.
Besides, it's easier to update an individual system on a regular basis than to rely on the assumption that the automatic software worked on each and every machine on the network.
--Cycon
Re:An EFFECTIVE Linux virus is very difficult (Score:2)
Get yourself in a room with 10 Sun Enterprise 250's and 10 Sun Enterprise 250's shipping boxes and tell someone to throw the sun boxen out. See which `asset' you lose first.
Bad Mojo
Real, as in significant damage on the aggregate. (Score:2)
If your primary concern is the destruction of documents, it would be a trivial matter to make a "secure backup" by simply crontabbing a cp to copy all the user's critical files to inaccessible parts of the file system (without any additional hardware. In fact, it might be kind of intriguing to create a "delta" filesystem, where the user can recover/mirror any changes made to defined parts of his filesystem (maybe virtual fs) in, say, 10 minute intervals. So if I were to erase or corrupt all documents, I could just step back 10 minutes or up to, say, 20 days, and recover trivially...maybe my next project). Additionally, most of these dos viruses don't even go straight for the documents, they go after crucial system binaries, the MBR, you name it...which have the same effect, with only a few lines of code. Furthermore, in order for the virus to hurt Joe Schmoe Linux user with any real likelihood, it needs the ability to propagate itself; the file system and the general design of Unix makes this task require something more than just basic skills with ASM, VBA, or what have you. In other words, unlike Windows systems, the hax0r needs to be somewhat innovative (assuming the vendors/distros start paying real attention to security issues) at the very least to create a viable virus, and particularly to sustain that threat.
Re:Real, as in significant damage on the aggregate (Score:2)
While I guess it is possible to encrypt the documents, it doesn't have a great deal of advantages over erasing. I, a half intelligent user, could write a trivial crontab script (or for that matter just about any other backup scheme) that just backs up
In regards to my "delta" backup scheme (though most likely overkill), it is essentially foolproof within the confines of its design (e.g., unless root is attained and the HD itself is accessed). My initial mention simply takes snapshots of all files in the defined filesystem (or rather virtual filesystem, as opposed to having to check part of an ext2 partition every other minute) on a given interval (though I could do it continuously (e.g., on every write and erase)), and, with the intent to conserve space, only the DIFFERENCE [hence the word 'delta'] between the previous snapshot and the current snapshot would be physically saved. Most users' documents in a given year (or code, or what have you) are typically relatively small, and, I believe, that with my delta scheme even all the changes to the files over the course of, say, 90 days could be stored without a great deal more physical storage required. Thus, no matter what happens at the user level, the user always has the option of returning to the state of his filesystem up to 90 days before. In other words, if I have preexisting 'snapshots' of unmolested files, and the user (virus) encrypted/corrupted his files, the only thing that would happen is that he'd waste that many bytes of physical data...
It might have other uses as well. Though for people who're heavily into graphics/multimedia or what have you, the space requirements might make it infeasible for such applications.
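The "delta" snapshot scheme the two posts above sketch, as an added example written for this page (it is not the poster's project or any real filesystem): each snapshot is a manifest mapping relative paths to content digests, file content is stored once under its digest, so an interval in which nothing changed costs no new bytes, and any earlier snapshot can be restored. The constructed demo takes two snapshots around a legitimate edit, then has a payload running as the user XOR-"encrypt" every document, and recovers from the last good snapshot. The store directory is assumed to be outside the user's write reach; the demo only simulates that by placing it beside the home directory in a temp dir. Standard library only.

```python
"""Added example: content-addressed snapshot store that saves only changed
content between snapshots and can restore any earlier state. Not the poster's
code or a real filesystem; Python standard library only."""
import hashlib
import os
import tempfile
from pathlib import Path


class DeltaStore:
    """A snapshot is {relative path: sha256}. Content lives once under
    objects/<sha256>, so unchanged files cost nothing in later snapshots."""

    def __init__(self, store: Path):
        self.objects = store / "objects"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.snapshots = []

    def snapshot(self, root: Path) -> int:
        """Record the tree under root; return the new snapshot's index."""
        manifest = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                data = p.read_bytes()
                digest = hashlib.sha256(data).hexdigest()
                obj = self.objects / digest
                if not obj.exists():  # the "delta": only unseen content is written
                    obj.write_bytes(data)
                manifest[p.relative_to(root).as_posix()] = digest
        self.snapshots.append(manifest)
        return len(self.snapshots) - 1

    def diff(self, a: int, b: int) -> dict:
        """What changed between snapshots a and b, by path."""
        ma, mb = self.snapshots[a], self.snapshots[b]
        return {
            "modified": sorted(k for k in ma if k in mb and ma[k] != mb[k]),
            "added": sorted(k for k in mb if k not in ma),
            "removed": sorted(k for k in ma if k not in mb),
        }

    def restore(self, index: int, dest: Path) -> None:
        """Materialize snapshot `index` under dest from the stored objects."""
        for rel, digest in self.snapshots[index].items():
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes((self.objects / digest).read_bytes())

    def object_count(self) -> int:
        return sum(1 for _ in self.objects.iterdir())


def demo() -> dict:
    """Constructed scenario: one legitimate edit, then every document overwritten
    with XOR-garbled bytes by code running as the user; recover from the store."""
    thesis = b"chapter one " * 100
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        docs = home / "docs"
        docs.mkdir(parents=True)
        (docs / "thesis.txt").write_bytes(thesis)
        (docs / "notes.txt").write_bytes(b"todo list")
        store = DeltaStore(Path(tmp) / "store")  # assumption: not user-writable
        s0 = store.snapshot(home)
        (docs / "notes.txt").write_bytes(b"todo list, updated")
        s1 = store.snapshot(home)
        for p in docs.iterdir():  # simulated destructive payload, user privileges
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        s2 = store.snapshot(home)
        restored = Path(tmp) / "restored"
        store.restore(s1, restored)
        return {
            "objects_stored": store.object_count(),
            "edit_diff": store.diff(s0, s1),
            "attack_diff": store.diff(s1, s2),
            "thesis_recovered": (restored / "docs" / "thesis.txt").read_bytes() == thesis,
            "notes_recovered": (restored / "docs" / "notes.txt").read_bytes() == b"todo list, updated",
        }


if __name__ == "__main__":
    print(demo())
```

Three snapshots of two files produce only five stored objects, because the unchanged thesis is never copied twice; the poster's space argument holds as long as most files do not change between intervals. The store must be owned by a different uid (or live on another host) and be written by a privileged cron job, otherwise the same payload simply deletes it; and, as the poster concedes, once root is attained nothing here helps.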
UNIX (and Linux) viruses - the real story (Score:2)
I've written an article on this topic:
UNIX (and Linux especially) viruses - the real story [securityportal.com]
Re:viral hackers (Score:2)
Mean scripting (Score:2)
Re:How? (Score:2)
C'mon, fess up, who did it?
Re:Devoid of Clues (Score:2)
OK, now let's talk about "Devoid of Clues,' shall we.
Re:He is a jackass (Score:2)
Re:How? (Score:2)
The referenced papers are mildly interesting, but whether the approach is a potent line of attack is conjectural at this point.
Disappointment (Score:2)
The number of "write-mostly" humanoid bots on Slashdot these days is the most dismaying thing, though.
For those still not clear on who Simson Garfinkel is yet, here is your FREE CLUE! [simson.net].
--------
Re:Linux Viruses (Score:2)
Support 2.2 kernel, glibc 2.1, i386, and your virus will do fine. In that regard, the virus writer's challenge isn't any worse than a closed-source commercial developer's. If Loki can get Myth2 to run on your box, so can a virus writer.
That's quite a leap of logic. It doesn't have to "run on EVERYTHING to survive." Windows viruses don't run on everything -- they only run on Windows. Amiga viruses don't run on everything -- they just run on Amigas. But the viruses survive. Sure, they will fail to infect some systems. But it just has to succeed sometimes -- and that will be good enough.
I hope that someday, you prove to be correct. But for the time being, Linux is still fairly homogeneous. Use the default Red Hat 6.1 installation options on an x86 box, and you will have a "typical" Linux configuration that will serve as a pretty good development target for your virus.
---
Common sense VS Anti-virus software (Score:2)
Of course, these principles also apply for any operating systems, including AmigaOS (where I actually got viruses from pirated floppies) and Linux.
Re:Contagion (Score:2)
Well, besides the obvious note that in order to look at an email you *have* to display it, AFAIK at least some mail readers in EMACS would helpfully execute any emacs-lisp code they found in the mail message. Of course that probably was in the olden days and these readers got patched many moons ago...
Kaa
Re:Hard to imagine (Score:2)
But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out?
This would be really difficult to accomplish. If the driver is for popular hardware there will be more coders looking at the driver and thus a bigger chance to spot the backdoor and remove it. And if the driver is for more unusual hardware, so that nobody will notice the backdoor, then very few users will be affected.
Re:It will happen - but not as bad as windows (Score:2)
This isn't meant as a flame against KDE. I keep switching off between KDE and GNOME and like a lot of the aspects of both (although it seems like KDE will have more 'killer apps' sooner, I like the 'feel' of Gnome better). Please, someone explain what about the nature of the apps will keep something like this from happening?
Re:Dual Boot (Score:2)
Re: Debian (Score:2)
Re:Hard to imagine (Score:2)
Well... not so hard to imagine. Remember Ken Thompson's CC hack [acm.org]? (slashdot rated it 3rd in the Top 10 Hacks Of All Time [slashdot.org] thread).
Cthulhu for President! [cthulhu.org]
Re:Of course it is... (Score:2)
http://www.big.net.au/~silvio/ [big.net.au]
Re:How to get infected using Linux... (Score:2)
Re:Open World (Score:2)
http://www.big.net.au/~silvio/ [big.net.au]
Re:UNIX (and Linux) viruses - the real story (Score:2)
Re:UNIX (and Linux) viruses - the real story (Score:2)
http://www.big.net.au/~silvio/ [big.net.au]
Root isn't a barrier any more (Score:2)
It's not the OS or the uses; It's the culture. (Score:2)
When sendmail or pine is discovered to have a flaw that can be exploited to gain unauthorized access to a system, we, as a community, see this as a problem, and the problem gets fixed. It would never occur to Eric A. to leave an exploitable flaw in sendmail, because he knows that we won't accept it.
As long as we, as a community, are determined to see security flaws as unacceptable aberrations, we will never see the proliferation of Unix/Linux viruses that we see in the M$ world.
Linux Virii whole different ballgame (Score:2)
The only effective ways I'm aware of involve tainting the source of a major distribution, or the patch to a program.
Since these are very closely monitored, a virus writer would actually have to crack a server, and place a virus/trojan in the code (which did happen to win.tue.nl a year or so back).
Because of this, really strict control by distributors would fix virii problems (excluding worms). And you know what? Having 7 distributions really helps. Having a virus in your distribution code could quite possibly be fatal for your business.
No-Code didn't hurt Ham Radio (Score:2)
Same thing for Linux: We must enforce rules to prevent the spread of viruses and trojans. Minimize suid programs, discourage binary-only distributions, encourage distro vendors to close known security holes by default, and last but not least, nuke the living hell out of anybody who creates a virus! Find the person responsible, and make sure they only get to see striped sunlight for a long time.
anti-virus software (Score:2)
Economic ties and crime (Score:2)
I've seen many studies where traditional crime levels do indeed react with the prosperity of a nation or state, or even city's economy. It would be interesting to see if viruses react the same way (as adjusted for its normal growth rate). I can't see why not.
That's not to say that if the majority of programmers out there lost their job that they would turn to producing a virus or two (heck, maybe we'd see a jump in independent contributions to OSS programming). However with an economy as such I've found myself working extra hours (hey they're paying for it!) and less time spent on personal computer interests . . . for all I know during that time I may just have turned those idle hands to something less "productive." For myself I'm sure it would be something more horrible like Pokemon . . . but for others maybe viruses.
Will it be too fast, too much? (Score:2)
Linux however now finds itself growing in popularity at an astonishing rate, connected to a great virus spreading medium, humans on the inet. If viruses did start to break out and they were fairly mature, could it be too fast for people to avoid some severe damage?
I'm reminded of a military strategy taught in a college course I took once where a fairly simple theory was demonstrated that actually not hitting a target often pulls an enemy's resources to the areas where you are attacking (away from your next likely target). Then striking that target often is easier since the defenses are weaker and have not prepared for such an attack.
Real damage? (Score:2)
It's been said before by other people, but...
You can do a whole lot more damage on a single-user computer by wiping out his/her documents than by messing up the operating system. The operating system (and programs) can be reinstalled in a few hours. Personal work can't.
--
Re:Real, as in significant damage on the aggregate (Score:2)
[Disclaimer: I'm not a linux user.]
It's possible for a virus to modify the programs that each user has installed so that the file formats are changed, perhaps to include encryption with a unique key for each instance of the virus. That makes any normal form of backup bad. Your "delta" idea would work a lot better, although any changes made after the virus started encrypting data would still be lost unless a method could be devised to get the virus to give up its encryption key. (And this would be worse than having your data wiped out at first, because you could recover everything in that case using the diffs.)
--
Intrusion Detection Software offers protection (Score:2)
The fact that root privileges are required offers a great deal of protection in Linux (and other *nix's.) Of course a lot of software needs to be installed as root so we aren't completely protected. I think people are more likely to write trojans than viruses for Linux due to the fact that Linux boxes are useful to remote users as well as local users. That's neither here nor there though...
If you are running Linux you should absolutely be using some sort of IDS (Intrusion Detection Software.) I use aide [cs.tut.fi]. It's a 'tripwire' type program that detects changes in files (using an MD5 hash.) I have it configured on my home PC and my server. It runs via cron once a night, then e-mails me the results. That way if someone (or something) changes the kernel or an executable, library, script, etc, I'll know and be able to replace the altered (or infected) files. Software like this should be part of Linux distributions IMHO.
I realize that Virus Detection is not the same thing as active Virus Prevention. Of course, the root login requirement goes a long way as far as prevention.
numb
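What the poster above runs nightly from cron, as an added example (editor's code, not aide or the poster's configuration): take a baseline of every regular file's hash, permission bits, owner and size, then diff a later walk against it. The tree, the tampering and the file contents are constructed for the demonstration; SHA-256 is used here instead of the MD5 the post mentions, since MD5 collisions are practical and a file-integrity checker should not rely on it.

```python
"""Tripwire-style integrity check: baseline of hashes and modes, then diff against it."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int, int]  # (sha256 hex, permission bits, uid, size)


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root and record every regular file (paths are relative to root)."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. need their own rules; skipped here
            rel = os.path.relpath(full, root)
            baseline[rel] = (_hash_file(full), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)
    return baseline


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report added, removed and modified files; flag files that newly gained setuid."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "suid_gained": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            report["modified"].append(path)
            if new[path][1] & stat.S_ISUID and not old[path][1] & stat.S_ISUID:
                report["suid_gained"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed tree standing in for /usr: baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n",
                 "bin/cat": b"#!/bin/sh\nexec /bin/cat \"$@\"\n",
                 "lib/libhelper.so": b"\x7fELF stand-in for a shared library"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o755)
        baseline = build_baseline(root)

        # Tampering, as an infector or intruder might do it:
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"\n# appended payload\n")               # infected executable
        os.chmod(os.path.join(root, "bin/cat"), 0o4755)       # setuid bit added
        with open(os.path.join(root, "bin/evil"), "wb") as f:  # dropped file
            f.write(b"#!/bin/sh\n:\n")
        os.remove(os.path.join(root, "lib/libhelper.so"))     # removed library
        return compare(baseline, build_baseline(root))
```

The check is only as good as the baseline's storage: keep it (and the checker itself) on read-only media or off-box, since anything that can alter the kernel or libc can also rewrite a baseline that lives on the same disk. Mailing the report, as the post does, at least gets a copy of the diff off the machine before it can be tidied up.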
Re:Why it won't be as bad as Wind-blows (Score:2)
... but if security is such a concern of so many code writers in the *nix community, why are some still not taking heed and writing buffer-overflowable code?
My $0.02
Rob
Re:Head in the sand? (Score:2)
I've been stating for years that as long as you are smart and careful about what you download, you will never catch a virus. I've been using computers for (looks at watch) holy shit, 12 years to the day!
I personally believe that the vast majority of viruses on Win systems come from stupid people opening executables in the email attachments. I seriously believe that if EVERY EMAIL CLIENT simply disregarded (throw away) executable attachments, we'd see a HUGE decrease in virulent outbreaks. After all, we have FTP and the web for distributing programs. Using email for that purpose is a complete waste.
And I completely agree with statement against executable documents.
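The filter the post above proposes for every mail client, as an added example (editor's code, not the poster's): parse a message, drop any attachment that is executable by extension, by declared content type or by its leading bytes (so an ELF renamed to photo.jpg is still caught), and rebuild the message with the body and the remaining attachments. The sample message and its attachments are constructed inline; the extension and content-type lists are the editor's choice and not exhaustive.

```python
"""Drop executable attachments from a mail message before the user can double-click them."""
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import List, Tuple

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".sh", ".run", ".bin"}
EXEC_CONTENT_TYPES = {"application/x-executable", "application/x-msdownload",
                      "application/x-sh", "application/x-shellscript"}
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"#!")  # ELF, DOS/PE, script with an interpreter line


def is_executable_part(part: EmailMessage) -> bool:
    """Extension, declared type, or leading bytes: any one of them is enough to reject."""
    name = (part.get_filename() or "").lower()
    if os.path.splitext(name)[1] in EXEC_EXTENSIONS:
        return True
    if part.get_content_type() in EXEC_CONTENT_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXEC_MAGIC)  # catches an ELF renamed to photo.jpg


def strip_executables(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Return a rebuilt message without executable attachments, plus names of what was dropped."""
    msg = message_from_bytes(raw, policy=default)
    dropped: List[str] = []
    if not msg.is_multipart():
        return msg, dropped
    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body else "")
    for part in msg.iter_attachments():
        if is_executable_part(part):
            dropped.append(part.get_filename() or part.get_content_type())
            continue
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return clean, dropped


def build_sample() -> bytes:
    """Constructed message: one legitimate attachment, two executables (one disguised)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "holiday photos"
    msg.set_content("Hi Bob, files attached.\n")
    msg.add_attachment(b"%PDF-1.4\n%% constructed stand-in for a real PDF\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"\x7fELF\x02\x01\x01" + b"\x00" * 57,  # ELF disguised as an image
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"MZ" + b"\x00" * 62,
                       maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()
```

Checking the payload bytes matters more than the other two tests: the filename and content type are set by the sender, the first bytes of the file are not. Archives (zip, tar) that wrap an executable pass this filter unless you also open them, which is the usual next step for a mail gateway.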
I'd say linux is less virus-friendly... (Score:2)
Re:Are there any linux viruses today? (Score:2)
It's just a matter of time. Meanwhile, you damn well better hope that your OS is secure.
If you're using Linux, you should check out Bastille Linux [bastille-linux.org]. If you're a BSD fan, I recommend you look at OpenBSD [openbsd.org], although hopefully FreeBSD [freebsd.org] will catch up soon thanks to the FreeBSD Audit Project.
--
Brad Knowles
Re:Viruses will come...Free Software isn't ready! (Score:2)
Salve,
Ianuarius
Apples, Oranges (Score:2)
Thompson's hack was not part of a large open source project, with many, many people eyeballing it. We are talking about a very, very pure and special case. Here's why his hack would fail, today:
He's not the only game in town.
The cc/login backdoor was so damned clever, because that was the only C compiler available. You needed a C compiler to compile and generate newer versions of C, therefore the hack was propagated.
Nowadays, there are many C compilers, and they have become the de facto standard for building software. (Not a preferred standard. Python/Perl/Eiffel/Fortran fans please direct your flames to /dev/null or root@microsoft.com)
The point we are trying to make is, if a product is distributed as source, these kinds of blatant backdoors are going to be discovered. If not by someone auditing the code, then by someone who wanted to 'patch' some broken functionality. The /real/ danger are the little buffer overruns, race conditions and other common bugs.
Why viruses don't happen on Linux (Score:2)
1: In order to gain any substantial power on the system, the virus needs to use an exploit of some kind - the available exploits tend to change as software evolves, security information spreads, etc. So even if there are plenty of openings, they may not be the ones that were there when the virus was written.
2: The opportunities to spread are very limited. Unless there's a known remote exploit the virus can use to spread to other systems, it isn't likely to be able to do so. This means it'll really just wind up being a trojan horse program. And once the virus is found, and its source determined, the alert will be out and no one will get that "virus" anymore. Since remote exploits are taken very seriously these days, it's quite unlikely that any given exploit will exist long enough for a virus to take advantage of it.
3: Prepackaged Linux. Sure, so a lot of users aren't that security-minded - that's why low-maintenance prepackaged distros make it simpler. By not including unneeded service daemons, the potential for exploits is cut back. By providing most of the needed software on the distro site itself, most of the potential for introduction of malicious programs is removed. And while a lot of these systems will be running a lot of games, remember as well that SVGAlib is on the decline - systems like X DRI and framebuffers are on the way in - when game makers can rely on these technologies, there won't be need for any more SUID root games.
4: They're just not tolerated on Linux - it's really that simple. In the DOS/Windows world, viri are considered almost a fact of life - and if you get one, well it sucks to be you. In the Linux world, the existence of a virus indicates that there's some sort of flaw in the system design, and developers will work to disseminate information on the flaw, and fix it.
Who is Simson L. Garfinkel? (Score:2)
1989-09-12 Page 8
Software Makers Row Over Patents
1989-07-12 Page 9
Developing Software Is No Picnic
Sometime around 1988
A large article I can't lay my hands on, in which he describes Project GNU. This was one of the articles that inspired me to contribute to GNU by 1989, which led to the development of GNU Fortran (g77). At least, I'm pretty sure it was authored by SLG!
Article in Technology Review:
1991-02/03 Pages 53
Programs to the People "Computer whiz Richard Stallman is determined to make software free -- even if he has to transform the industry singlehandedly."
SLG may be wrong in his predictions, but he's not writing as a newcomer to Linux, Unix, GNU, or free software in general.
Fighting Virus (Score:2)
Therefore fighting Virus and other security bugs or whatever that may arise would go faster and be more efficient. There is no big company that can issue a propagandistic press release to cover up the truth.
Therefore Linux should evolve faster and in the end be strongest in a security perspective.
The openness is a strong pillar for linux to rest on.
Diversity will reduce the problem (Score:2)
Then something happened. The first "stealth" virus, the WDEF virus, came out. Instead of using the OS calls like a good little virus, it tried to bypass them and jump right into the ROM, to avoid detection. This was about the time the Mac IIci came out, with a completely recompiled ROM. Instead of spreading, it crashed the machine. There have been a few recompiled ROM versions since then, but then Apple switched over to the PowerPC, increasing the diversity level. If a virus is incompatible with a good number of its target machines, it doesn't spread well. It's much harder to write a virus for a diverse platform.
And have you noticed how all the virus threats lately have been involving e-mail viruses and worms? This is because MicroSloth came up with a pitifully easy virus transmission method, by allowing live code in what was formerly only data. Worms and viruses spread best when they have a convenient way to propagate.
And how many Windows NT viruses are out there anyhow? I'm not talking about macro viruses here, I'm talking about real native code viruses infecting NT. Not too many of those, huh? Because, like Linux, there are more internal barriers for a virus to overcome. Plus, some of the macro viruses don't work under NT, even when the user logs in as Administrator all the time, because NT stores some of its files in different places than 95/98.
Now back to Linux. The creators of various distributions are having a hard enough time agreeing where to put various kinds of files, that a virus can't depend on their location. Diversity again.
About the only thing that is consistent is services on various ports, but you can't even rely on a consistent set of vulnerabilities, because the more clued admins will be able to upgrade from a source tarball.
In what form does Linux lack diversity? First of all, in a common binary format. This means that a virus can know where to patch, and a worm will run on many machines. There can be some problems in library availability, but a worm could just statically link itself. It could also spread by source code, but it can't rely on a given Linux box having a C compiler (or Perl interpreter for Perl worms!) installed.
And diversity is reduced by popular distributions like Red Hat and Mandrake which tend to be preferred by the "naive" (in a Unix admin context) users. I recently got DSL, and at least one port probe I received came from a system on a cable modem running (surprise!) Red Hat 5.2. And finger said nobody was logged in. I am quite sure the port scan was NOT initiated by the owner of the machine.
Now a big question: why a virus over other forms of attack? Personally, I think a "worm" (a program which spreads intact copies of itself, rather than inserting itself in other executables) is better suited to the Unix and Internet environment. All it has to do is carry around enough "skr1pt k1dd33" code and it can spread through less-protected systems.
However, as awareness over stack overflow bugs increases and other vulnerabilities, such holes will decrease over time. The slow animals in the herd (Red Hat 5.2 "default" installs) will be more easily taken down than others.
Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.
As to viruses in source tarballs, those are rather unlikely. Certainly it is difficult to generically add virus code to source code, but many source releases include some sort of validity check like an MD5 signature. And these days, the source is usually taken from THE official archive.
In summary, I think Linux is diverse enough that viruses will be too much effort to write. Worms are much more likely to become a problem in the near future.
Re:Head in the sand? (Score:2)
> think of this commentary?". I feel the above
> was an important thing to leave out. Moreso
> because the article itself mentions that
> gaining "root" access can be integral to the
>virus attack.
And - as others have pointed out - why bother with a virus when you can get root access? JC.
--
Linux Viruses (Score:3)
What carp!
Stop and think for a moment. To produce a binary Linux virus (as opposed to a script virus), you have to have a virus capable of handling a.out and elf binaries. It has to support Linux 1.x.y and Linux 2.x.y kernels, It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m68k, ppc, S/360 and any other architecture Linux supports.
Why? Because if it can't run, it won't spread. And because you can't know what the virus will run on ahead of time, it would have to run on EVERYTHING to survive.
Then, of course, if it's doing low-level appends, it's got to support ext2fs, ext3fs, reiserfs, xfs, jfs, ufs, umsdos, and any other filing system that Linux could be run off of.
Script viruses don't have it any easier. You've no way of knowing if bash 1, bash 2, csh, tcsh, ksh, zsh, perl, tcl/tk, python, or any other given shell is present, never mind used. Nor can you rely on a given version being present. Perl and Tcl are extremely version-sensitive, making viruses in these languages either dependent on there being specific versions installed, or having support for many many versions.
Then, there's always the problems produced by the International Kernel Patch (which can encrypt partitions for you), Tripwire and its many clones, the various Linux Kernel hardening projects, etc. If a virus can survive all of that, it almost deserves to conquer the world.
Windows viruses have proliferated because there is a high degree of uniformity at the low-levels. This just doesn't exist in Linux (thank God!) and probably never could, at this point.
Any claim that someone could =write= a Linux virus which is not so specific as to be useless is plain stupid. Such an animal does not and CAN NOT exist. Linux is far too diverse, now.
Some people may have heard of the concept of "biodiversity", whereby living organisms protect themselves from real diseases or attacks by being as different and diverse as possible. Linux has gained that same protection, now, and is immune to all-encompassing attacks. Only specific attacks are of any use, and the more diverse Linux is, the more specific those attacks need to be. It could reach the point where they can only run on one machine. OOOOH! SCARY!
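The a.out/ELF and architecture diversity the post above leans on, as an added example (editor's code, not the poster's): read the first bytes of a file and report the format, and for ELF the class (32/64-bit), byte order, OS ABI, object type and machine, which is the set of dimensions a binary infector has to match before it can patch anything. The sample headers are constructed stubs, not loadable files; the a.out magic values are the octal constants from a.out.h.

```python
"""Identify what a binary infector would have to match before it can patch a file."""
import struct
from typing import Dict, Iterable, Set, Tuple, Union

ELF_MAGIC = b"\x7fELF"
# Linux a.out: the low 16 bits of a_info hold the magic (octal constants from a.out.h)
AOUT_MAGICS = {0o407: "OMAGIC", 0o410: "NMAGIC", 0o413: "ZMAGIC", 0o314: "QMAGIC"}
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {2: "SPARC", 3: "i386", 4: "m68k", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
             22: "S/390", 40: "ARM", 43: "SPARCv9", 50: "IA-64", 62: "x86-64",
             183: "AArch64", 243: "RISC-V"}

Info = Dict[str, Union[str, int]]


def identify(header: bytes) -> Info:
    """Classify the first bytes of a file: ELF (with class/endianness/machine), a.out, or neither."""
    if len(header) >= 20 and header[:4] == ELF_MAGIC:
        ei_class, ei_data, ei_osabi = header[4], header[5], header[7]
        endian = "<" if ei_data == 1 else ">"   # e_type/e_machine use the file's own byte order
        e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
        return {"format": "ELF",
                "class": EI_CLASS.get(ei_class, "invalid"),
                "data": EI_DATA.get(ei_data, "invalid"),
                "osabi": ei_osabi,
                "type": E_TYPE.get(e_type, "other"),
                "machine": E_MACHINE.get(e_machine, hex(e_machine))}
    if len(header) >= 2:
        magic = struct.unpack("<H", header[:2])[0]
        if magic in AOUT_MAGICS:
            return {"format": "a.out", "variant": AOUT_MAGICS[magic]}
    return {"format": "unknown"}


def elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Constructed 64-byte ELF header stub (e_ident, e_type, e_machine, e_version; rest zero)."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7   # 16 bytes
    rest = struct.pack(endian + "HHI", e_type, e_machine, 1)
    return (e_ident + rest).ljust(64, b"\x00")


def aout_header(magic: int) -> bytes:
    """Constructed a.out header stub: a_info with the magic in its low 16 bits."""
    return struct.pack("<I", magic).ljust(32, b"\x00")


def targets(headers: Iterable[bytes]) -> Set[Tuple[str, str, str]]:
    """Distinct (format or class, byte order, machine) combinations an infector must handle."""
    out: Set[Tuple[str, str, str]] = set()
    for h in headers:
        info = identify(h)
        if info["format"] == "ELF":
            out.add((str(info["class"]), str(info["data"]), str(info["machine"])))
        else:
            out.add((str(info["format"]), "-", "-"))
    return out


SAMPLES = [
    elf_header(2, 1, 3, 62),   # ELF64, little-endian, x86-64 shared object / PIE
    elf_header(1, 1, 2, 3),    # ELF32, little-endian, i386 executable
    elf_header(1, 2, 2, 2),    # ELF32, big-endian, SPARC executable
    elf_header(2, 2, 2, 22),   # ELF64, big-endian, S/390
    aout_header(0o314),        # old Linux a.out, QMAGIC
    b"MZ" + b"\x00" * 62,      # not a Linux binary at all
]
```

Every distinct tuple that `targets` returns is a separate code path the infector has to carry (different header layout, different instruction encoding for the payload), which is the cost the post is pointing at. The counter-argument in the thread also shows up here: on a fleet of default x86 installs the set collapses to one entry.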
MISSING THE POINT (Score:3)
Think about it... I'm some bored script kiddie who wants my 15 minutes of fame. Am I going to try to write a virus to infect hundreds of systems, or hundreds of thousands?
The point the author was trying to make is that the landscape is changing. As we are celebrating all the new people who are starting to use Linux, and all the easy-to-install distributions, the "average user" is changing. You no longer need a degree in CS to simply use a Linux system. Just as there are plenty of unsophisticated Windows users, there will be unsophisticated Linux users. Add to this the hordes of home users signing up every day for always-on fat pipe Internet connections. There are ways to worm your way into a Linux system, especially if the "administrator" is clueless about security. (Read: buffer over-run bugs, SMTP vulnerabilities, etc...)
I'm not about to plunk down $50 for a questionable Linux "security" product, but I do try to keep an eye on what's happening to my system. More important, distributions like RedHat and ilk need to carefully consider what their default configurations look like, knowing that setting up maximum security as the base configuration is a wise thing to do. If users need more flexibility, then let them learn about what the tradeoffs are, so they can open up only the doors they need. Support organizations need to make security a top priority, making sure that everyone -- even the clueless newby -- can keep their systems up to date with the latest security patches.
Security -- no matter what your OS is -- doesn't come for free.
It will happen - but not as bad as windows (Score:3)
Trojans are already turning up here and there.
The trick is not to assume that something is more secure than windows; if you end up being complacent about security threats then you get what you deserve. You don't need to be paranoid either, and being paranoid doesn't mean spending money to support the anti-virus software industry. It just means making sure your code doesn't increase the risk to the whole.
So - if you spot a problem - then talk to the people who should deal with it.
Re:An EFFECTIVE Linux virus is very difficult (Score:3)
Agreed - in fact, they already are
Download a binary that has a virus and run it as a normal user. OK - where from? ftp.debian.org? If I check the signature on the package I can be sure that it's as the package author sent it out, and I trust that package author not to have virii on his/her machine. I (as a programmer), wouldn't download binaries from an untrusted source (as I might get a trojan, which could do far more vicious things than a virus), but a newbie might and would get infected.
Let's say the user now compiles some code, that binary will be infected, the user puts the binary into a tarball and shoves it onto their ftp site for distribution.. the virus spreads.
The type of people who download untrusted binaries don't tend to upload binaries either.
I still remain unconvinced about the abilities of virii to do real damage in the Linux environment (heck, binary virii haven't really caused problems in the Windows environment for years). However, you make some good points. Now that these vulnerabilities in the ELF file format and the Linux kernel have been pointed out, is there any work being done to close them?
Re:How? (Score:3)
Re:Head in the sand? (Score:3)
Your statement is overrated. Here is why:
In order for a virus to proliferate it needs to execute and infect executables. Even on "home" linux systems the executables are 99.999% not owned by the user. The user has no +w on them. So unless the virus attempts an exploit it will not be able to infect executables. There are a few notable exceptions of course:
In order for computer viruses to proliferate you need to follow the same rules as in the living world. Namely you need the infection rate/death rate to exceed a certain threshold. All the cases above give you thresholds for good size local outbursts, but not for an epidemic. Which is not the case with Windows 9x, MacOS and their predecessors.
There are a few notable examples when the above situation will drastically change. The most important one is: "NO EXECUTABLE DOCUMENT FORMATS!!!" If MSWord is ported or a similar abomination becomes a predominant software product on Linux then there will be trouble. Because there will be "executable" user-writable formats floating all over the place. Then the threshold for self-sustained infection will be exceeded.
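The "no +w on the executables" argument above, together with the earlier calls in this thread to minimize suid programs, as one added example (editor's code, not any poster's): audit directories of executables for what an unprivileged uid could overwrite, for directories where it could swap a file in even when the file itself is not writable, and for setuid binaries. The directory tree and modes are constructed in a temporary directory for the demonstration; the check uses permission bits only and does not model root's bypass of them, ACLs, or capabilities.

```python
"""Audit directories of executables for ways an unprivileged process could plant code."""
import os
import stat
import tempfile
from typing import Dict, Iterable, List

Report = Dict[str, List[str]]


def can_write(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Permission-bit check for a non-root uid (root bypasses DAC and is not modelled)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(root: str, dirs: Iterable[str], uid: int, gids: Iterable[int]) -> Report:
    """For each directory: files this uid could overwrite, directories where it could swap
    entries, and setuid binaries (the ones an exploit-carrying virus would go after)."""
    report: Report = {"writable_files": [], "writable_dirs": [], "suid": []}
    gids = set(gids)
    for d in dirs:
        dpath = os.path.join(root, d)
        dst = os.lstat(dpath)
        # a writable directory without the sticky bit lets the uid replace any entry in it
        if can_write(dst, uid, gids) and not dst.st_mode & stat.S_ISVTX:
            report["writable_dirs"].append(d)
        for name in sorted(os.listdir(dpath)):
            fpath = os.path.join(dpath, name)
            st = os.lstat(fpath)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.join(d, name)
            if can_write(st, uid, gids):
                report["writable_files"].append(rel)
            if st.st_mode & stat.S_ISUID:
                report["suid"].append(rel)
    return report


def demo() -> Dict[str, Report]:
    """Constructed tree: a normal bin/, one sloppy world-writable file, a wide-open localbin/."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        layout = {"bin/ls": 0o755, "bin/cat": 0o777, "bin/su": 0o4755, "bin/ping": 0o4755,
                  "localbin/frob": 0o755}
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(b"#!/bin/sh\n:\n")
            os.chmod(full, mode)
        os.chmod(os.path.join(root, "bin"), 0o755)
        os.chmod(os.path.join(root, "localbin"), 0o777)
        return {
            # a different uid from the file owner stands in for an ordinary user
            "as_other_user": audit(root, ["bin", "localbin"], uid=me + 1, gids=()),
            # the owner of a per-user bin directory can infect every file in it
            "as_owner": audit(root, ["bin", "localbin"], uid=me, gids=()),
        }
```

The second run is the point the thread keeps circling: the system binaries are safe from a user-level virus, but a user's own ~/bin, shell rc files and anything else the user owns are fair game, and a setuid binary with an exploitable bug is the bridge from there to the system files.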
Possible, but far far more difficult. (Score:3)
Furthermore, the very nature of the Linux community poses a real obstacle to any virus's success. Whether or not people admit it, Microsoft plays a large contributing role in the success of its many viruses. Where Microsoft is unresponsive to most security problems, the linux community is very responsive. A published virus is likely to result in a detailed plan of action against future attacks -- Microsoft simply isn't interested in this unless it can be proven that it'd hurt or help their bottom line significantly. Right now, to the best of my knowledge, most common windows exploits either come in shareware type programs (downloaded from some random site on the internet, or from a friend) or they're macro viruses (totally not an issue for linux yet). Linux, of course, is all about sharing software over the internet, as a result programs and code tend to receive a considerable amount of scrutiny, even if only from 1% of the users (especially if primarily distributed as source). These users can, and do, in turn, make a stink if something looks foul, making it unlikely to get archived on official sites and what not.
In conclusion, I don't have the time to analyze each and every difference between Linux and Windows; however, the differences between them will make Linux a relatively virus free platform. That being said, I do believe a few linux viruses will emerge pretty soon. Perhaps one or two will really take off, but the rest will fail. After that, the community and vendors at large will mend their ways, and stem the "reproduction" of viruses down to negligible levels.
Contagion (Score:3)
File Viruses are still out there, of course, but not nearly as much as they used to be. A "pure" file virus is one that inserts itself into some other executable (or executables in general). These are less of a problem than they used to be because software is generally obtained off a CD-ROM or remote download site, and viruses can't touch these files (unless the software company or FTP hoster does something really dumb). Not much actual copying of executables off one machine onto another is done anymore, which is how these things spread. Anyone old enough to remember when we used to copy executables as a matter of course? Come on, 'fess up! Gee -- I can remember those quaint old programs which you didn't "install" as such because they consisted of one executable.
Macro Viruses are still big, though. And Microsoft's feature-driven focus will assure that this problem only gets worse. The big problem is that their software is so ubiquitous, making them a big easy target. And they keep doing really dumb stuff. Everything keeps getting more and more "active". They love that word, don't they? "Active" means "I'm a big gaping security hole just waiting to be exploited!" Linux won't have this problem until either Microsoft starts porting their stuff, or we get virus-compatible equivalents, or somehow the marketroids take over Linux software development and we throw all common sense out the window. I mean seriously, if someone actually wrote a mail reader for Linux that was so helpful that it says, "hey -- here's some new mail for you! Let me immediately display it in this window for you! And run this javascript thing in it for you!" -- would anyone use it? Any takers? Maybe if you run it under jail, right?
Trojans on the other hand, have come into their own. I still see the damn Happy '99 trojan wandering around now and then. The trojan that emails itself to everyone in your address book is one of the more popular forms. The great thing about trojans is that they rely on the human to be the weak link, not some software hole that would get closed up the moment it was discovered (or at least would if the software in question was open source). Human stupidity is here to stay! It's going to decrease, but only because people are now growing up with email and learn the tricks at a young age. It is, however, entirely feasible to write a trojan email attachment for Linux. It's not likely to be worth anyone's while, though, because of the small target market and high likelihood that the user has at least half a clue with regards to this sort of thing. In any case, the user isn't likely to be running an email reader which makes activating the attachment a "double click" operation, and which address book are you going to read?
In summary, I don't see a big target market for viruses here. I think that worms are more likely to be the issue. That, and security holes that get exploited manually. These all come under the banner of cracking, rather than viruses (although worms are a sort of overlap point). Another possibility, as others have suggested, is back-door code being placed in a kernel module or something which explicitly creates an exploitable weakness. We'll see if the "bug-finding is parallelable" principle of Linux development also maps to the finding of deliberate security holes. I think accidental ones are likely to be the real problem, however.
-- The Famous Brett Watson
Re:Head in the sand?.....maybe..... (Score:3)
Re:It will happen - but not as bad as windows (Score:3)
http://www.big.net.au/~silvio/ [big.net.au]
Re:An EFFECTIVE Linux virus is very difficult (Score:3)
As for programmers not downloading binaries. There are times when you need a binary because there is no source. If you are downloading the binary from redhat.com, you may think that it is safe but without getting down with the instructions and checking out what it does you can't be certain. Good reverse engineering tools are still lacking and are desperately needed for security purposes. If it is possible for an ordinary user to get infected then it is not a giant leap to see a programmer getting infected and from there it is not difficult to see a distribution getting infected and a whole lot of users getting infected and thus a whole lot of programmers getting infected - especially with most of the linux community being programmers (of one sort or another).
More like... (Score:3)
Missing dependencies:
glibc6
imlib
virus.so.4
But seriously, we scoff at this because most of us have never had a virus on a linux box. I know I never have, and I don't know anybody who has. But don't let this lull you into a false sense of security. Murphy's law has been proven true over and over and over again.
Linux is a very large and complex system. And as we all know, in any sufficiently complex system, there are bugs. If we get arrogant, those bugs will be exploited.
On a lighter note, the thoroughly open nature of linux means that any virus written will be rendered useless in the next patch. But I don't think it's a problem we should ignore until systems are going down left and right.
Diversity is good - don't live in a monoculture .. (Score:3)
Bad things to do around viruses:
Hmmm,did anyone notice.... (Score:3)
1. This guy is a security consultant, one who makes money off computer users' misery.
2. In order to market many products and/or services a demand must be created if in fact it does not exist.
3. Software is created by people who hold an interest in creating it, such as an out of work security clown creating a virus, were it possible.
4. If you take off his disguise of glasses and that ridiculous wig, you could see we are dealing with Elmer FUD.
Re:Hard to imagine (Score:3)
Never actually happened, eh? Taken from the Jargon Dictionary entry for Back Door [netmeg.net]:
Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.
Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler -- so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry -- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.
Re:Viruses will come...Free Software isn't ready! (Score:4)
Add to the mix that back doors in software are written almost exclusively by professional programmers working on high end systems.
This is just my point of view but it seems to me that viruses are written to attack an operating system and/or platform a person dislikes.
A professional is more likely to have access to a system he dislikes than a hobbyist who would presumably only have the system he likes the most.
Unix admins have long had to use systems they disliked. In some cases a Unix admin prefers one *nix platform but gets stuck with a different *nix platform. He wouldn't write viruses on the company's own system because that would get him fired but he would unleash it "into the wild" if possible.
In over 30 years.. with every motivation... and a lot of Unix hobbyists (in case you prefer to believe viruses only come from hobbyists) a Unix virus is virtually unheard of.
To back up my claim that over the years Unix people are every bit as likely to make viruses as anyone else.. even more so... look at the sheer number of trojan horses written for Unix. Far outnumbering those for DOS.
There are several reasons for that.. One is that Unix people are not worried about trojans coming back to haunt them since they run something different at home. If they use computers at home at all.
(Think 30 years ago... the standard admin in 1970 used CP/M at home if he had a computer at all.. the standard admin in 2000 almost certainly has a server class system at home)
Note shortly after the first Linux virus was uncovered one of the big antivirus companies made a virus scanner for Linux. Then the virus was destroyed rendering the product useless.
There is some Linux antivirus software out there. They don't do anything useful since there are no viruses to stop. But some hobbyists are serious tweaks.
Check out freshmeat and take a look at the antivirus software selection.
Hard to imagine (Score:4)
Of course, I can imagine worms which trick the users in, for example, executing a shell script which then mails messages using sendmail and ~/Mail, ~/.tinrc, /etc/passwd, etc. However, Unix provides nice means to control the in- and outgoing e-mail, and the root account would be in that case untouchable - I think.
But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out? Say, 2.4.0. Then all the people who download this kernel are vulnerable: the hacker waits till the 2.4 becomes popular, and then spreads the worm for the designed wormhole. Anyway, in that case he would be probably finished...
Well, I don't know. I'm not much of a hacker. But I think that getting a virus is in the case of Linux much less likely than in the case of Windows. And besides -- I haven't seen a virus for Windows ever since 1996 or something, so is there really a thing to worry about?
Regards,
January
As long as MD5, RSA, and PGP sigs remain... (Score:4)
On the issue of trojans, no one seems to have brought up the issue of trojans that could possibly make unannounced changes to source code as it is being compiled. Wouldn't that be harder to detect than a trojan, as signatures can't protect uncompressed source? Imagine your copy of Tripwire, Necruss, GnuPG or perhaps even the kernel being compromised at compilation time, meaning that your security could be compromised without you being able to realise or detect it until it is too late. Now that's scary.
For the really paranoid, I recommend that you check out Kurt Seifried's extremely comprehensive Linux Administrator's Security Guide (aka. LASG) at https://www.seifried.org/lasg/
If followed, it can put anyone's mind at ease.
An EFFECTIVE Linux virus is very difficult (Score:5)
That may be the case, but it's pretty damned tough to write an effective virus that will propagate with any efficiency on a Linux box.
I'll first discuss binary viruses, then macro virii, as they are separate issues. All system-installed programs are owned by root (modulo some daemons and the like owned by administrative accounts), so to infect "ls" or "emacs" the virus would either have to use some exploit to gain root privileges, or get itself installed suid root. Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.
What could a virus then do to propagate itself without root privileges? It could infect any program it had write permissions to - that is, any executable owned by the user, or set group or world writable. Newbies don't tend to have executables that they own, group-writable executables are rare (and not a great idea), and world-writable executables are extremely bad practice. Not much room for propagating there.
Even worse for the virus, binaries don't tend to get shared around much in the Linux community. Binaries tend to get distributed using CD-ROMs, distribution ftp sites, and possibly project ftp sites - none of the rampant floppy-swapping that made the viruses of the 80's and early 90's so prevalent. Nor do Linux email programs allow the blithe execution of binaries as many Windows mailers do.
Therefore, I consider it extremely unlikely that Linux binary virii will be able to propagate effectively.
Macro virii are a different proposition. File permissions are not such a defence here. However, these beasties rely on macro languages which were enabled by default, which allow arbitrary macro code to be executed on loading a document. If auto-executable macros are disabled by default (or banned outright), and macro languages restricted in their power to prevent them altering documents other than the one they are embedded in, the macro virus cannot propagate itself. Why can Linux applications do this readily, while Windows is more restricted? Simple - because the foreknowledge of what has happened in the Windows world is allowing Linux applications to be designed with macro-virus proofing in mind.
In summary, Linux is a damned hard target for virus writers. Next time Mr Garfinkel tries to drum up some business for himself, he might consider doing a little more research.
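Added example, not code from the poster above: a small shell audit of the two write targets the post says a non-root virus would be limited to, namely executables that the user's group or anyone can modify, and files carrying a setuid/setgid bit (the "paint program installing itself suid root" case). It assumes a POSIX find(1) and ls(1); the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original thread). Lists the files an
# unprivileged process could turn into a propagation vector:
#   find_writable_execs DIR...  executables that are group- or world-writable
#   find_suid_files DIR...      setuid or setgid files, whoever owns them
#   audit_path                  both checks over every directory on $PATH
# Assumes POSIX find/ls; no GNU-only predicates are used.

# Executables under DIR... that someone other than the owner can modify.
# Any execute bit counts; a file nobody can run is not a target.
find_writable_execs() {
    find "$@" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Setuid or setgid regular files under DIR...  Anything here that is not
# owned by root and expected (passwd, su, ...) deserves a close look.
find_suid_files() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Run both checks over the directories "ls" and friends resolve from.
# Run this as the ordinary user whose PATH you care about.
# (PATH entries containing spaces would be split here; rare on Unix.)
audit_path() {
    dirs=$(printf '%s' "$PATH" | tr ':' ' ')
    echo "== executables that others could modify =="
    find_writable_execs $dirs
    echo "== setuid/setgid files on PATH =="
    find_suid_files $dirs | while IFS= read -r f; do ls -l "$f"; done
}
```

A clean system prints nothing under the first heading and only the well-known root-owned binaries under the second; a freshly unpacked "pointless gadget" that shows up in either list is exactly the case the post is describing.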
Re:How to get infected using Linux... (Score:5)
calvin:~$ wget http://somesite/pointlessgadget.tgz
calvin:~$ tar -xzvf pointlessgadget.tgz
calvin:~$ cd pointlessgadget
calvin:~$
calvin:~$ make
calvin:~$
"that was boring.. I'm gunna go shoot stuff"
calvin:~$ su
calvin:~$
pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peeked at your pseudoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.
Fiction? You can do it using ptrace. You can read about it here [big.net.au].
Re:Viruses will come...Free Software isn't ready! (Score:5)
http://www.big.net.au/~silvio/ [big.net.au]
Don't run as root. (Score:5)
Of course, the biggest problem is that sometimes you are going to want to run as root, and you are probably going to want to install something while su'd to root. (It is wishful thinking to expect this not to happen. Someday there is going to be a really cool game for download in binary form that has a pop-up Window which says "enter root password" which may then turn out to be a trojan.)
My experience with virus checkers is that they don't work. I had a trojan eat an old Win95 machine of mine once, and the fact that it was running Norton's Anti-virus didn't help. However, Linux has more built in security against malicious actions than Win* systems, so I'm not expecting to see "a plague of Linux viruses."
How to get infected using Linux... (Score:5)
calvin:~$ tar zxf happy9.tar.gz
calvin:~$ cd happy99
calvin:~$
calvin:~$ make
calvin:~$ su
calvin:~$ make install
calvin:~$ exit
calvin:~$ happy99
You must be root to run this program
calvin:~$ su
calvin:~$ happy99
(ops!)
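Added example, not from the poster above: the check that belongs between "tar zxf" and "su; make install" in the session shown. It refuses the tarball unless its hash matches one obtained through a second channel (a signed announcement, a checksum file on a different mirror), refuses member names that would write outside the build directory, and reports any member that already carries a setuid/setgid bit, which a source tarball has no business shipping. The thread talks about MD5; SHA-256 is substituted here as the modern choice. It assumes GNU coreutils (sha256sum) and a GNU or BSD tar, which both detect gzip when listing; inspect_tarball is this example's own name, happy99 is the name from the post.

```sh
#!/bin/sh
# Added example (not from the original thread).
# inspect_tarball TARBALL EXPECTED_SHA256
# exit status: 0 = nothing found, 1 = checksum mismatch,
#              2 = unsafe member path, 3 = setuid/setgid member present
# Assumes sha256sum from GNU coreutils and a tar whose -t output puts the
# ls-style mode string in the first field (GNU tar and bsdtar both do).
inspect_tarball() {
    tarball=$1
    expected=$2

    # 1. Integrity: the hash must come from somewhere other than the
    #    site you fetched the tarball from, or it proves nothing.
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "REJECT: checksum mismatch for $tarball" >&2
        return 1
    fi

    # 2. Member names: a leading / or any .. component lets "tar xzf"
    #    drop files outside the directory you think you are unpacking into.
    if tar -tf "$tarball" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        echo "REJECT: $tarball contains absolute or .. member paths" >&2
        return 2
    fi

    # 3. Modes: position 4 of the mode string is the owner execute slot
    #    (s/S = setuid), position 7 the group execute slot (s/S = setgid).
    suid=$(tar -tvf "$tarball" | awk '
        substr($1,4,1) ~ /[sS]/ || substr($1,7,1) ~ /[sS]/ { print }')
    if [ -n "$suid" ]; then
        echo "WARNING: setuid/setgid members in $tarball:" >&2
        echo "$suid" >&2
        return 3
    fi
    return 0
}

# Usage, mirroring the session in the post:
#   inspect_tarball happy99.tar.gz "$(cat happy99.tar.gz.sha256)" \
#       && tar zxf happy99.tar.gz
```

None of this helps once you type the root password into a program you have not read; it only makes sure that what you build is what the author published and that it is not trying to become root on its own before "make install" ever runs.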
Viruses will come...Free Software isn't ready! (Score:5)
I suspect that a rash of Linux viruses will come not from an economic depression (though that could certainly cause it too...think Russia), but from the midst of the masses migrating to Linux. While virtually everyone installing Linux, from "script kiddies" to Windows NT converts, is scrupulous...you are bound to get a higher percentage of people who would be willing to write a virus.
Now granted, more of these people are incapable of programming such an entity compared with old Unix hands...but where there's a will there's a way. Somebody is bound to kludge together (or even finely tune, you never know) a series of downloaded hacks (hey! free source code!), and write a little code of their own...voila! Microwave virus. And it only takes one good virus to cause serious issues. Particularly because these things almost always encourage copy-cat crime. Odds are we'll see a rash of viruses any time now - whether the economy is strong or not.
Want to believe that even without a high "activation energy" (ie the work and knowledge to install Linux) the pool of users will remain "clean"? One only has to look at Amateur Radio for a counter-example. For a long time proficiency with Morse Code was required to obtain a license. Now this may not seem like much of a barrier...but it was. When the "No-Code" license was introduced a wave of new radio operators began coming on the air. Now I don't dispute the overall effects of the new license, I think most agree they were good overall. No sense keeping a good thing to an "elite" group of people. But there was one strong negative effect - the introduction of a few, er, less than choice individuals.
Did such individuals exist in the "old world"? Well, yes. But they were a much lower percentage. Now radio had to deal with irritating interruptions and people refusing to follow protocol. A small loss, but many repeaters (stations that retransmit a weak signal) were unprepared and were abused as a result. Protection mechanisms were instituted, but it often took some months during which time a repeater was far less useful.
The long and short is that a company like Symantec (Norton) might find it worthwhile to have a Linux offering prepared. No use deploying it (well, not with scruples at least - I'm sure some morons will bite) until viruses exist. But when they do come, and I bet they will, that company will have a big lead. Other companies would probably take several months to a year to produce. By that time one could really corner the market. Linux users win, some lucky company wins (hopefully whoever wrote the #*$&#*$&* virus shrivels up and dies). Yay!
I think few of us familiar with the sort of hacks we deploy on our systems, the sort of tricks a *nix system can perform...would deny the feasibility of writing a virus. To do so would be...naive. Now that I think of it, though I realize acting before the fact isn't the strength of the free software community, it would probably be good to begin working on a feasible free program soon. Hope we never would have to use it...but... It would be bad, bad, BAD for Linux systems to be crippled for 5 months, admins cowering in fear, because of a rash of viruses. That would take major PR recovery...and Linux really isn't that strong. Remember, the media likes biting those it adored mere months ago. Makes for good news.
-nullity-
I am nothing.
Re:How to get infected using Linux... (Score:5)