Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Virii On Their Way?

Posted by Hemos on from the really-damn-funny dept.

Eric the Cat wrote to us with one of the most amusing articles for the day. A Russian Security Consultancy has claimed that a plague of virii for Linux will be coming, thanks to Chinese hackers. Wait - it gets better. According to the security expert, *because* Linux is open source, the viruses will be even worse than in other systems. Thankfully, Jason Clifford, a Linux person, is also quoted in the article setting the story a bit straighter.

9 of 436 comments (clear)

  1. Yes, there are *real* Linux viruses by ViGe · · Score: 5

    Of course viruses exist for Linux. Except they're called Trojans, and there are relatively easy ways to keep them out: check source, compile source especially for anything suid root. Or trust your distro.

    Well, there you are wrong. There exist real viruses for Linux. They are not trojans and some of them even look for security holes in other computer so that they can break into them. Some links to the most "famous" ones:
    Bliss
    Staog

    --

    --
    It has to work - rfc1925
  2. Permissions don't necessarily help by tilly · · Score: 4

    Remember Melissa? It didn't do anything other than make a private note that it had visited and send emails. Think that Unix permissions help against something like this?

    Most people keep a lot of important data writable by themselves in their home directory. Sure, "nothing important" may have been deleted, but you could still lose all of your files.

    Recall the Internet Worm? This came up before. There was nothing special about it, it just was a worm that could spread itself without any human action. That made its generation time a fraction of a second (as opposed to the 15-minutes to an hour for Melissa), which resulted in its almost instantaneous spread to every machine it could infect. Unix permissions helped against this how?

    No, Linux is not immune to viruses. And as long as buffer overflows and the like continued to be treated as minor oversights and not like the major threats that they are (even if the program is only running with user-level permissions), Linux will be vulnerable. Once it becomes popular it will likely become a target...

    Until then don't sweat it. After all the fire hasn't burned the house down yet, and we are fireproof. Aren't we?

    Regards,
    Ben

    PS The time for a fix to become available is meaningless. What is the time for that fix to become incorporated on the average machine out there? Ri-ight.

    --
    My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
  3. Kaspersky is out of his field... by dmuth · · Score: 5
    Yes, I really have been following viruses since 1992. No, I don't consider myself an expert, but I think I know a fair deal about them.

    That being said, I also used to hang out on Fido Net's virus echos in 1994 and 1995 where some of the true anti-virus experts hung out too. And yes, I consider Eugine Kaspersky of AVP (the guy who was quoted in the article) to be one of them. Back when the first Word Macro virus (Winword.Concept), he was the one who I saw first post about it to Fido's VIRUS echo, and he was also the first one to release a fix for it (another word macro which caught and disinfected Winword.Concept).

    Unfortunately, I fear this is another case of False Authority Syndrome in that while Eugene may know viruses very well, I question his credentials in the UNIX/Linux area. For one thing, for a virus to replicate to a considerable degree on a system, you'll need to be running as root -- if you're logged in as a regular user, any program you run isn't going to be able to infect /bin/ls, no matter how hard you try. :-)

    I think Kaspersky also misunderstands the nature of UNIX/Linux, in that a lot of applications (the stuff *I* use, anyway, like Apache, PHP, MySQL, etc.), when downloaded from the net, are usually done so in source form, and the end user compiles the code and runs it. It would be foolish if someone tried to put replicating code in their source, as it would be spotted very quickly and the author would have some serious explaining to do.

    Finally, just to play the Devil's Advocate, I think problems could arise if say, a binary in a distrubtion is infected, and then is sold to thousands of unsuspecting end users. All it would then take is to run that binary as root, and you suddenly have an infection on your hands. However, I don't see this as a very likely scenario, since I can count the number of Linux-based viruses which I have heard of on one hand. For the reasons I outlined above, Linux just isn't a very attractive platform to virus writers, who want to see their creations spread.

    1. Re:Kaspersky is out of his field... by deacent · · Score: 4

      I think Kaspersky may have the future audience of Linux in mind, rather than the present audience. As Linux becomes more popular, it is likely that the average Linux user will be less technically savvy. This would mean that the user may be more likely to log in as superuser (so he doesn't have to worry about not being able to install apps) and certainly wouldn't dream of downloading source to create his own binaries. Under these circumstances, a virus is quite easy sneak into a binary distribution, just as it is on other platforms.

      I think what he's most concerned about is the fact that a malicious hacker can construct a more potent virus since he has access to the OS's source. Linux is most definitely more popular than it was a couple years ago, which makes it more interesting to virus writers, or certain other OS companies who may benefit in discrediting Linux.

      What Kaspersky overlooks is that Linux is a constantly evolving OS. As long as that remains the case, Linux could evolve an immune system to counteract viruses, either by seeking them out or by fixing weaknesses that virus writers find.

      -Jennifer

  4. Linux is a virus in itself by razvedchik · · Score: 5

    Sometimes, I feel that Linux is a huge, 640M virus just out to ruin my life. Then I remember that resolv.conf only has one "e" in it and continue on with my mission.

    It spreads from user to user, and once you're infected, you can never go back.

    It has been know to cripple and even destroy WinXX systems to the point of making itself the dominant OS on any machine.

    It makes its users say crazy things like "awk", "grep", "FUD", and so on....

    --
    I do what the voices on my console tell me to do.
  5. *nix and Viruses by DaveHowe · · Score: 5
    I think there are a few points here:
    1. There were Unix viruses, Worms and Trojans around since before the PC was designed; they have spread since the first few machines set up UUCP links; Unix viruses are far from new.
    2. Unix viruses are kept mainly in check because normal users don't have the permissions to do harm - they can harm their own files, they can harm the files of those that trust them. but they can't alter anyone else's, and, most importantly, they normally can't even INSTALL programs, never mind alter those already installed by other people.
    3. Linux is not Unix - 90% of Linux boxes are single user (maybe single user with webserver, or with a email router, but still single user) and for a high percentage of those, that single user either runs as root, or, if smart enough to run as a user when out on the net, will load the same data files, use the same packages, and generally work in the same sandpit when doing admin tasks that require system privileges as when running his limited "safe" account. As more and more buy "fashionable" pre-loaded linux boxes, you will see a wave of people caught by the same factors that make a windows-based machine insecure - that the user will run things without thinking, and that the user has enough permissions that the virus can take a hold.
    So, what it comes down to is that, in general, Unix viruses are not (and will not) be a problem, but that Linux has vunerabilities that make it less secure than Unix used to be.
    --
    --
    -=DaveHowe=-
    1. Re:*nix and Viruses by bhurt · · Score: 4

      The Morris Worm is actually a good example- yes, a Unix virus _can_ be written, but it takes more know-how than a DOS or WordMacro virus takes. Morris himself was the son of the head of computer security for the NSA, he knew pretty much all the holes unix had back then.

      The technical hurdle, as low as it might be, is important. By the time you are sufficiently knowledgable to be dangerous, you're usually intelligent enough to know _why_ this behavior is frowned upon. And have channeled your behaviors into more socially acceptable (and might I add, more rewarding) behaviors. Most decent sysadmins could be hackers and virus writters of legendary proportions. Generally, they aren't.

      The open source nature of Linux even helps here- as now there are other ways for a bright teenager to gain fame and technical esteem than writting virii. Instead, they can write kernel patches, or work on Gnome or Abiword, or write their own programs- in other words they can do something _productive_ rather than _destuctive_ programs. I'm kind of interested to see what a couple million chinese programmers can create. I doubt it'll be virii :-).

  6. The "It's hard to gain root access" fallacy by Gurlia · · Score: 4
    Finally, just to play the Devil's Advocate, I think problems could arise if say, a binary in a distrubtion is infected, and then is sold to thousands of unsuspecting end users. All it would then take is to run that binary as root, and you suddenly have an infection on your hands. However, I don't see this as a very likely scenario, since I can count the number of Linux-based viruses which I have heard of on one hand. For the reasons I outlined above, Linux just isn't a very attractive platform to virus writers, who want to see their creations spread.

    It's not attractive to virus writers? What if they are more interested in doing something malicious rather than merely in their virii spreading themselves?

    Although it is true that Linux (and Unices in general) tend to give less motivations for virus writers, do not take this as security, because it's not. Even if a virus cannot gain root access, to a home PC user, deleting his entire home directory is just as bad as infecting /bin/ls. I think Linuxers should wake up and realize that as Linux becomes more popular, there will be an increasing temptation to virus writers. And the "it's hard to gain root access" argument is a fallacy. Valuable personal data can be destroyed very easily by a virus, even if the system itself is not harmed. After all, who cares about the system? Which is more important -- the system, or the data that you use the system for? And how about DoS attacks? Even if the virus cannot reach your data, ever heard of fork( ) bombs? Or HD space hoggers that cause you to be unable save your latest document? The system may be less vulnerable, but your data isn't.

    --
    mikre he sophia he tou Mikrosophou.
  7. Things that make Linux harder/easier to attack by dsplat · · Score: 4
    Things that make Linux harder to attack:

    1. There are an enormous number of slightly different compiles of the kernel and various commonly used programs out there. Because everyone can get the source, every distribution and many users compile it for themselves. This is going to mean that a virus that attacks a binary is likely to simply break it on at least some subset of systems, making detection relatively easy.
    2. The Linux security model is different from that of Windows. If you aren't running as root or another account with access to various things, such as bin, there are a lot of files you just can't change.
    3. Different distributions structure their configurations differently. This makes targetting rc scripts harder, but not impossible.
    4. Because a large part of the configuration is found in scripts and text files, detecting the damage and determining what was done is potentially more straightforward. Joe Average User may not find it, but the local Users' Group can probably track the source of the problem for him.
    5. Because we all have documentation for the configuration of everything, building tools that detect subtle changes and keep archived copies of config files is something a good and thorough programmer on a tight budget can do.
    6. Because we have source, proving that you are a Real Programmer on an Open Source OS can be accomplished by a number of constructive avenues that are only available through Open Source. These may reduce the number of people seeking attention in negative ways ... maybe.


    Some things that are going to make Linux easier to attack:

    1. J. Virus Writer has access to full documentation and source for the programs he wants to attack. Finding the existance of buffers that can be overrun and the consequences is not a trial and error effort.
    2. Text is easy to manipulate and most config files and start-up scripts are text. Thus, the virus can do its work by spawning sed, perl, awk, ed, emacs or several other tools. Those scripts are likely to be smaller and more portable across releases and distributions than the equivalent binaries. And they can be embedded in binaries.
    3. LILO. Somebody who can install a hacked version of LILO can do some damage. And the LILO config is easy enough to edit. See my previous point.
    4. Trusted binaries can be compromised in useful ways, as described by Ken Thompson in Reflections on Trusting Trust. I have some thoughts on how to make such a compromised binary nearly undetectable on the system on which it was built. I won't detail them here.


    One of the things that I notice about Linux is that there is some overlap between these lists. It seems to point to the idea of tamper-evident packaging.

    The bottom line is that there will be people who will do destructive things. There will be security holes that they will take advantage of. There is a need for security conscious people willing to patch them. A virus is just one way of taking advantage of security holes.
    --
    The net will not be what we demand, but what we make it. Build it well.