Garfinkel Warns Of Linux Virus "Epidemic"

An anonymous coward says: "Simson Garfinkel has an opinion piece at SecurityFocus called " The Coming Linux Plague." He argues that Linux is no less susceptible to viruses than Windows, and that an epidemic is inevitable. " I'm sure most of us have read his books. What do you think of this commentary?

Just what we need is more clueless hysteria

It's funny. If you have an emerging platform, it is bound to draw viruses and bogus prophets. Why? It's big business.

Windows has viruses. DOS had viruses. OS/2 had viruses. Linux has viruses. However, notice the trend of decreasing number of viruses vs. the robustness and well-thinked approach to memory handling?

Antivirus software companies want you to believe in the horror of viruses. Else they would be out of business.

Unless you run a virus-infected program as root in Linux I doubt that it will do harm any more than an ordinary user would. All the more reasons to go for source code instead of binaries. Besides, if any John Doe can do rm -rf / & from their shell and succeed then you'd probably be better off with a straightjacket, not antivirus software.

Re:virus threats

Microsoft already created some type of registry implementation for *nix. I know because I watched a poor Sparc Classic work on building it for about 4 hours when I installed IE for solaris. It deleted alot faster.

Re:bridge over troubled water

Not unless Simson has found the Fountain of Youth.

Simson graduated MIT '87. Simon & Garfunkel were around in the '70s or '60s.

Although I never did see them both at the same time, now that I think about it.

Re:Viruses will come...Free Software isn't ready!

virii is not a word, stupid.

Simson Garfinkel

Hey weren't these the guys that wrote those hokey folk songs in the 70s and 80s?? Oh wait that was Simon and Garfunkal. My mistake

Wow. Are you a troll?

Nah, probably not. You didn't post this AC, and your userid is #2011. You're just an extraordinarily stupid poster.

The root account is not interesting enough

Now first people ought to less ignorant, as *nix was the platform of choice to get those slimy little buggers up and running to start with.

For the all to often re-iterated root argument. It is just the fact that the most interesting stuff use not to run or to be accessible only as root.

Not your customers database, not your exam results, not your design documents. Joe Sixpacks account is where it is going to hurt most and while you are busying yourself watching the front entrance I am sneaking through the backdoor, ready to kick your ass bigtime ... so to speak.

So stop being ignorant and at the same time let those jerks who have nothing better to do than causing trouble to other people know what you think of them, no matter what your todays favourite OS is.

Virus

Take 2 pills and call me in the morning

Re:Virus

Sounds like everyone has to big of an ego to admit that Linux is actually vulnerable. Harsh!

Re:Virus

I wonder if the source code
for viruses will be GPLed :-)

But seriously: a virus is a serious system program. You can learn something by studying them....

In the old days a lot of assembly programers
had their virus streak.

So lots of viruses means clever programers means
.... better LINUX.

Re:Virus

Thing is well 2 things one you canna get at Garfinkel , and the other one if it aint BSD it dont deserve to live according to Garfinkle . Mind you Carbunkel also springs to mind along with Oh Dear who's gotten hie undies on inside out (skids showing?) and upside down Phew . Cheers Pete

Re:Virus

Furthermore, it's not the conventional PC style virus that is the problem. Attempting to bolt norton antivirus onto the problem isn't going to yield a solution. Protocol level security filters (rather than file level onese) need to be developed to address the vulnerabilities.

...and wouldn't you know, the greatest need for such a filtering facility would infact be Windows and not Unix.

Although, Unix could use one to prevent abuse of email services and other protocols that seem to be epidemic once you start building apps and automation tools the Microsoft way. While such practices aren't in vogue now, a flood of novices coming to Unix could encourage them to be.

Things like Melissa are less likely on Unix because of culture and some awareness of security issues. 'de-volve' the userbase and that cultural 'check' will deteriorate.

Re:Virus

I'll just say it here: He's looking for a solution where there is no problem. The guy doesn't undersand how virus software publishers protect you from viruses. Somebody has to be infected. You have to know what you're protecting against so virus software on linux won't be needed until there are viruses on linux. It doesn't work the other way around. There are no "flu shots" in virus software.

Visit McAfee.com and read how they do it. People call them and describe their problem, McAfee analyzes the virus when they get a hold of it, and they fix it so other people that get infected will be okay. But you can't protect against programs that "might" exist. This guy needs to research his stories a bit more.

Re:Virus

[C.Lee]

>Sounds like everyone has to big of an ego to admit that Linux is
>actually vulnerable. Harsh!

Not really. It's that people and companies peddling anti-virus software is viewed with a great deal of suspicion.

Re:Virus

[um...+Lucas]

So long as many programs need to be installed as root, i'd think that many new users and even some veteran ones will get hosed in the process. Maybe not so much by virii but by trojans. The possibility is great enough that one should not just scoff at it.

Re:Virus

[AndrewShaw]

For that matter there are no flu shots without a preexisting infection in the real world, either.

If you're so smart......

Why would you fire someone from a technical position for a small error in their use of English (Or even worse - their use of Latin)? And would you fire people for frequent failure to capitalise at the start of a new sentence?

Re:Head in the sand?

No, this ISN'T 'clearly true' as Garfinkle seems to indicate.

Why? The simple truth is that what makes virii so common in the Windows world is NOT found in the UNIX world. The DOS/Windows EXE format allows all kinds of junk to be piggybacked on the EXE...this is how files get 'infected' so commonly in Windows. There's no need to replace an EXE with a trojan, you can just append anything to the EXE format.

UNIX doesn't have this brain damage, thankfully, making it a lot more difficult. The concept of the 'virus' vanishes, as you need to replace an entire executable with a hacked one, which is commonly called 'trojaning'. It's a different world, and Garfinkle is just spreading FUD (specifically against Linux, once again).

And lets not forget the total lack of security in the Windows world...the basic security in the UNIX world makes it a lot tougher...that's why to date we've only seen trojans and worms, and NOT virii.

As a final note, for all that Simpson Garfinkle is incorrectly revered, he is a gigantic BSD bigot. He HATES Linux, and this isn't the first time he's spread FUD against Linux. Why didn't Garfinkle include FreeBSD in his little plague prediction? Why just Linux? Because, Garfinkle has an axe to grind against Linux. Really, he's starting to sound as shrill as Metcalfe these days..

Re:Common sense VS Anti-virus software

goddamnit !!! virii is not a fucking word, you moronic bastard.

I do not read books

I've been running Linux for about 3 years and have been a frequent visitor of /. for about 2 years so and have never read a damned Linux book. It is not right for you to assume "I'm sure most of us have read his books". I highly believe that is not the case, sir.

Books are old school, the internet is the way to go.

bridge over troubled water

you know, the name Simson Garfinkel looks almost exactly like Simon & Garfunkel... coincidence... or massive nerd/pop singer conspiracy at work?

Re:bridge over troubled water

[Valur]

It does! I was thinking the exact same thing when I saw Simson Garfinkel. It must be a conspiracy...

Re:Linux Virii whole different ballgame

listen, you retarded excuse for a human being. There is no such word as virii, asswipe. Stop practicing your pseudo Latin for once in your retarded life, bitch.

Non-existent. Not "non-existant". Dolt. (nt)

(nt)

Re:Possible.

If I ever catch that guy Chen Ing-Hau, I'm gonna beat the crap out of him.

Re:Ham radio abuse

You can't prove that the Ham radio abuse was
done by No-code hams, so please don't spread
pro-Morse FUD!

A lot of repeater abuse is done by Coded hams with
an anti-repeater grudge, and by non-hams who
happen to have the right gear. FM handhelds are
amazingly cheap and easy to get hold of.

There no point trying to deny the pleasure of the
many just because of the actions of the few.

Morse testing must end - see last link on :
http://www.geocities.com/rf-man/howto/

+Bah!+

Re:Of course it is...

you're right. virii can't spread because that word doesn't fucking exist, bitch it's hard to spread a non-existant entity. Viruses, on the other hand, can spread. should've stayed in school, you dumb fuck. Perhaps you'd be here in Harvard with me.

Re:linux isn't as bad as windows

As per your points:

a) This is an MS Internet Explorer and Outlook Express problem. I use Netscape. Stuff doesn't get automatically executed, here.

b) This is a problem with users. I scan all .exe files I download, be it from Microsoft, the excellent Parsec project, the 3dfx site.
This after YEARS of running without a virus scanner, after which I found win32.cih on my system after accidentally running one file which I didn't scan (deleted itself, and didn't even show me a nude Britney Spears, damnit)

c) This is also a problem with users, though they *are* the problem of many other people, who work tech support (like me) or actually do the work.

It's fairly (sl)easy to change code on a page, then offer it as the original. That's why sites like Freshmeat and RPMfind.net are good. People trust that what they get there is the Real Deal, and not virus infested piece of garbage.

They are also the well-known sites, which means herding users into that direction will be that much easier. -- AC

Re:Funny...

You're a hero!!! You're the fucking MAC DADDY buddy and we all thank you!

Re:Well he has a point there

pssst. over here. yeah, me. you know what? there is no such word as virii. just thought you might want to know that before you further embarass yourself, you dumb fuck. go play with your macro viruses now, jackass.

Re:Viruses will come...Free Software isn't ready!

The one thing I love about english is that if people use a word that isn't in the dictionary enough times, it becomes a word in the dictionary.

I'm not worried.

Incredibly intelligent people have been meddling with UNIX for more than 30 years. UNIX has also had an extremely wide range of morons using it. Just because it's a command line doesn't mean that naive people can't sit down and use it and run stupid things.
If viruses were really possible, they would have been developed already. Viruses are not easily possible. Things that ARE possible are root exploits, buffer overflows, automatic rootkits, and so on. These are much more dangerous than brainless autonomous viruses in my opinion.
Anti-virus software makers look at the commercial market (the market that probably cares most about anti-virus) and sees "Oh shit, Linux at 25%?? Linux doesn't have any viruses! AIIEE" and are very interested in the concept of Linux viurses. I wouldn't be suprised if one or two employees were stuffed away in a backroom conducting "research" on Linux viruses.
It ain't gonna happen. Viruses are so dreadfully powerful on DOS/Windows9x because there's no security at ALL. Any program can do anything it wants. UNIX, and to some extents, NT, greatly diminish the strength and damage potential of viruses.
Chances are, if your UNIX system is insecure enough to be infected by a virus, you've got much bigger problems, buddy.

Re:Figthing Virus

But the linux community should be/are going to be more open in acknowledging security bugs and virus.

I agree fullheartedly with this argument, however as less savvy user add up to the Linux comunity, the entire comunity becomes suceptible. Computer virii are similar to the biological counterpart in many aspects, for example:

• Plague seldom affect small population. In agriculture if various crops are intermingled there is a smaller change of disease. But when you go to one crop, diseases spread like wildfire with devasting effects. Thus as more and more people use Linux bigger are the chances of a plague.
• Prevention can avoid epidemics, but requires knowledge. Africa has the biggest amount of HIV infected in the world because people did not or do not know how to avoid it. Ignorance is a allied of all Virii and Baterial epidemics.

Both of these conditions are bound to happen. And without proper control this could mean a terrible problem. I'll give an example. Experienced administrators would never set inproper permission on a file, however I have seen not so unsavvy administrador do chmod 777 on entire trees. No lest say Joe Doe is using Linux after year os Windows, he just wants to use, he has heard he should not run as root (lucky) and trys to run Office 2002 for Linux. Get a file permission problem. He check with his unssay friend and he discovers that someone say chmod 777 -R / will solve the problem. . . . presto one new victim.

Most of you savvy people will say, hes just a sucker. Not true. He doesn't know better, just like the first AIDS victims. An this will surely impact the whole Linux credibility.

The openness is a strong pillar for linux to rest on.

I'm not that sure this is really such a strong pillar. For the unsavvy this is no protection and even for the savvy this doesn't help much. How many of you go into the code of every single product you install?

I think that some concern should be given to the potential problem of unsavvy people joining the community. Something like SATAN could be in hand, something that check for possible exploits and harden the machine for user. With stuff like this virii will appear and reck havoc.

Re:I'd say linux is less virus-friendly...

"You mom doesn't read the source, hell, your mom would probably go for the binary distribution." it's yo' momma for geeks :D

It takes conscious effort to write secure code.

Oftentimes the programmer is inexperienced (and doesn't know about buffer overflows or how to prevent them), or they're in a hurry and don't have time to write proper code. A perfect example is the case of the overworked and underpaid sysadmin who writes a quicky hack to get the boss/clients/whoever off his back. Sometimes this individual knows about the possible security flaws and will promise himself "I'll fix this as soon as I get some free time", but this may very well not happen, and so the broken code lives on indefinitely. The code may also propagate to other systems if someone asks the sysadmin for a copy of his neat program, and it might eventually get posted on a web page or someplace like freshmeat.net...

Re:Viruses will come...Free Software isn't ready!

hehe. virri...
What a stupid person...

This person is probably an illiterate 13 year old script kiddy which downloads porn all day long and tries to get attention on /. by posting revolutionary crap. Such people should be moderated down.

Rob? Rob are you there?
What are we going to do about this situation?

Democoracy is good by at least we can have some quallity here.

of course linux is volnerable... but...

Viruses are incapable of doing anything until they are "executed." By "execution" I include macros and shell scripts... The advantage Linux has going for it is that Linux, unlike windows, has fairly decent file permissions. If your are not stupid and you don't run as root all the time (I was once stupid too) The design of the operating system helps to protect you from viruses as much as users. Of course their are vulerabilitys in programs which will be found and exploited to make a virus. Once a virus gets root access you are pretty much SOL, but you still have at least one more level of protection.

Re:pural for virus

...plural for virus.

Gee whiz, if we're going to get anal about the correct English spelling for the plural of virus, at least spell what we're talking about correctly.

Re:Ham radio abuse

I actually agree with you that morse code testing shouldn't be used. However I do attribute much of the VHF abuse to the no-code tech license. (Worse still are pirates...but...that's a seperate issue).

-nullity- (too lazy to login :)

Reminds me of Jesse Berst

This article reminds me of the older days when Jesse Berst would say things like Linux is going to get crushed by Windows, just to get hits on ZDNet. AFter all, there wasn't much content in the article, I just think he wants the Linux zealots to visit his website to increase ad revenue.

Re:Hmmm,did anyone notice....

Elmer Fudd? Where are the devilbunnies, then?

Wow Simon and Garfunkel use Linux!

Coolness

Re:How?

So we have learned here that Harvard (which is not most well known for its sciences) is full of Commies and Jews. Worse than that, it apparently fosters an attitude where correctness is unacceptable.

Re:Common sense VS Anti-virus software

Totally true. The OED lists it as "viruses". Hell, why can't everyone be born with an encylopaedic knowledge of the English language? And "Virii" would be the plural of "virius".

Oh yeah, one other thing.... Who cares!?

Re:OT: Virii vs. viruseses.

You're not very good at Latin, are you? The plural of virus would be viri, not virii. It doesn't really matter, though, since both are wrong in English.

There is a chance for anything...

there are ways to get around anything... nothing is absolutly safe. There is a chance for anything and with that chance this means that it is vulnerable no matter how you put it. It is no more safer in the long run. As more and more people use it, more and more will find ways to munipulate it.

Re:Head in the sand?

Flamebait. It's a different world, and Garfinkle is just spreading FUD (specifically against Linux, once again).

He probably says "Linux" so much in the article because it's it the IT equivalent of "sex" - it gets attention. Did you miss the part "Linux (and the other versions of Unix) desperately needs credible anti-virus software"? Did you miss that his examples are generic? E.g. NetBSD has EZ(tm) install packages too, which AFAIK have to be done as root (it's never worked when I've tried not being root, I probably need to polish system directory ownerships). It's scary how easy it'd be for something Nasty to be in one of them.

It was only a couple of weeks ago I saw a buffer-overflow bugfix for something... that's, what, ten years after the Internet Worm wrought its havoc, on Unix machines, mainly through a buffer-overflow attack. We seem to be damn slow to learn!

linux isn't as bad as windows

the problem with windows is:

a) that stuff gets automatically executed, sometimes without telling you (e.g. from a webpage, activex whatever)

b) all you have to do to run the damn virus is double click, or page through your e-mail, the defaults aren't set at a majorly high security level

c) most users don't have a clue

With open source, in theory you (or some less lazy git) can patch the code so that it doesn't do evil things like automatically execute. The way I would imagine virii could infest you like a pack of rabid worms would be if some h4x0r dude broke into your (always-on?) computer and left a nice surprise for you, trojans that override your neat code, etc., so that viruses would get automatically executed. Or he/she could leave a virus for you.

nothing i say has anything to do with my employer

What does that mean?

Babelfish doesn't seem to support Latin.

reason for lack of linux viruses

I think there are two main reasons why there are few linux viruses. 1. The majority of "dumb" PC users use Windows. A virus programmer can affect many more people by having a binary for windows. (The same reason why more commercial apps are written for windows.) 2. Let's face it, linux is probably the OS of choice for crackers and and other deviants. why write something that may ultimately affect your own machine? (although, presumably someone bright enough to program will know what precautions to take in order to not get a virus.) Just guessing folks.

Re:reason for lack of linux viruses

linux is just more secure, any virus that is executed only affects the user who executed it. Provided the malicious code was not executed as root of course! Speaking from a multiuser standpoint, anyone that stupid should have there home directory and processes destroyed anyway.

Re:reason for lack of linux viruses

[QuantumG]

good points.. but I dont think you need to be "dumb" to get a virus.. you do have to be "dumb" to pay for a product to get rid of a virus that will probably cause you no trouble if you just leave it the hell alone. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Head in the sand?

It depends on what you count as "the target". With a Windows virus, the virus brings down *the system*, which in turn affects the single user of that machine. With a putative Linux virus, the virus attacks the user's personal files, but the system is unaffected.

For a single-user Linux box, this is as serious as the Windows virus. Reinstalling the system isn't as big a problem as getting your files back. UNIX-like OSes have been considered "immune" because no matter what other users on the same box do, your files are safe.

ac.uk

Re:Head in the sand?

No, the guy you're replying to may of have been shouting at the top of his lungs but if you do a quick review of articles S. Garfinkle has written that mention Linux, and in particular those that mention Linux in any comaprison with BSD, you will see an obvious, baldly stated dislike of Linux, the whole Linux phenonmenon and the general idea of Free Software/ Open Source. Indeed he prefers BSDi to FreeBSD and will tell you that closed source is categorically more secure than Open Source. Sorry I'm not going to provide citations, just search for articles he's written that have come to attention here or maybe at Linuxtoday: it's not a subtle thing, it's open bigotry.

Re:Common sense VS Anti-virus software

The OED lists it as "viruses".

Wow, someone knows where to look! :) But what does the OED say about the apalling current usage of media, data, agenda, and bacteria (for instance) as singulars... or the idiot pluralisations of "mediums" and "agendas" I suffer on the evening news nearly every night? Dictionaries tend to, have to, follow usage, not "rightness"... so the OED may merely be behind the times.

Look up "hacker" in the OED, though ... they have both the definitions we care about, but compare the reputations of the sources! :)

boxen

hmm. i alway assumed "box -> boxen" was sorta a generalization of "vax -> vaxen". vaxen is clearly superior to vaxes as the plural of vax.

it also seems like a box is usually something that runs unix, or at least not vms (which sounds more right, "unix box" or "vax box"?). so in that light boxen is the unix equivalent of vaxen.

Re:boxen

[copito]

Since VAX is the hardware and not the OS, "VAX box" is redundant. "VMS box" would be the natural equivalent of Unix box. I tend to (incorrectly) call all VMS boxen "VAXen" although these days they are mostly Alphas.
--

Re:Of course it is...

Actually, this should be scored Seriously Redundant. It's the third time I've read this "most revealing research @ silvio" and I'm only 1/4 of the way down the page!

Re:Hard to imagine

In some respects I agree with you, viruses are less likely in a unix environment. But to do any real damage to the system and not just the user account, the virus would need root privileges. I am more concerned with an internet worm, with the power of the Morris worm. Consider if the Morris worm were released in a unix dominant network. Everything would shutdown and even the best sys admins would be scratching their heads (remember the worm changed its' pid and name to /bin/sh). While you think this is a little farfetched, it really only relied on a few security holes to enter the system and start taking up resources. Now consider how vulnerable a typical linux system is. Redhat ships with a bug in lpd that is easily exploitable to root (securityfocus.com even gives you the exploit code). Modify this exploit into a worm and every redhat box is going to choke.

Re:Common sense VS Anti-virus software

All that we know is that you don't know that you have a virus.

virii vs viruses

attack! attack! the viruses are on their way. no, the virii are making up some ground ... boom! destroyed!

well, i am someone different to that poster, but i thought that the word virii was correctly using the latin stem. but then, i stopped doing latin 8 years ago (thankfully). we had the same sorta discussion in a biology class once where someone wrote "boli" as the plural of "bolus" (as in, the bolus of food that you swallow) and the teacher marked it initially wrong and then gave in after some debate.

p.s. harvard went to my alma mater :-P p.p.s. there's no such word as "existant". you mean "existent". p.p.p.s. so what if i haven't used capital letters, neither did you ;-)

That can depend on the size and complexity

of the program. You can be a non-programmer and vet small amounts of simple code--to the extent that youcan tell it isn't absconding with /etc/passwd or installing a listening daemon.

If it's small and simple. Otherwise, Joe has to use binaries only from very trusted sources, utilise md5 checksums and if getting something that isn't from his distro's main ditribution, restrict himself to getting the source from the main ftp site.

All in all with just common sense, Joe can be pretty darn safe with Linux, and avoiding viruses is part of it. I mean we'll certainly see more attention in that arena, but as others have pointed out the ability of a virus to do its essential thing--replicate automatically, is more limited in Linux and the damage it can do is also more limited. It seems a diminished, relatively fruitless goal for a blackhat to pursue. Which would you rather put on the net fulltime, Linux or win98? I know which one I prefer. Which would you rather write viruses for? Yep && Why would that change?

Re:Head in the sand?

You say:
The REAL False sense of security is in thinking that it only happens to someone elses operating system.

I say:
However there are very good reasons to imagine that Linux is much less vunarable to viruses than Windows. There are two primary reasons:

1. Because Linux is designed from the ground up as a multi-user system. Consequently, assuming the virus can only get limited access permission it cannot compromise many system resources. (Unlike Windows where anyone can trash anything.)

2. Because it is an open-source system it is hard to include viruses in open-source software without quick and ready detection.

This latter point is, unfortunately, becoming less relevant as more and more programs are released as binary only (Corel, Applixware, Oracle.) Perhaps something we need to think about when we choose what sw to install.

Of course Linux is not immune to virus problems (I still remember the sendmail worm), however, it certainly is much, much less vunerable, especially if it is configured correctly.

Re:UNIX (and Linux) viruses - the real story

silvio is a crazy bugger that's gonna get himself killed if he keeps going on about the upper and lower classes! brainwashing is a coming man... you'll see..

Re:OT: Frames

In Netscape: right-click text, choose 'Open Frame in new Window', re-size as needed.

Re:Head in the sand?

I can comment authoratively on this, and say that although the ELF object file format common to many Unix such as Linux and FreeBSD, it is indeed possible to infect a binary using appendage techniques common to the MS-DOS world. Obviously, you cant just append data to the end of the file, but you can add new program data to the process image. Doing this isnt beyond the capabilities of a semi competent programmer, but it is harder than what most people with nasty intentions can do. OK.. I'll discuss some major flaws that everyone talks about regarding Unix virus. Root is not necessary for an effective virus. Infact, root can often be thought of as an effective goal of the virus. Its obvious, that a virus with root is going to do alot more damage, but root isnt everything. I better back this up now.. How many times have you telnetted to another box from your unix box? Do you change identify with the 'su' command. Do you use the same password on multiple machines? Does wtmp show any machines that you came from in the past with those same passwords? If the answer is yes, if a virus is present on the system as that particular user, then the virus can infect another user or system. Some people might call this a worm, and it might be, but viruses and worms are very similar when you try to write malicious programs that dont use exploits. The only real problem, is initial infection.. Certainly, most people dont run untrusted binaries but it does happen sometimes. However, if the virus author infects the binaries of a trusted distribution or package, then all hell can break loose. Another option is for hackers to infect accounts they break into. Maybe their goal is to obtain superuser status. On a single user box, having a user account almost garauntees you superuser access since 'su' is often used. For true multiuser boxes (with real multiple users, not just a single user on a multiuser os), having a user account can give you access to all accounts the user logs into originating from that account. I hope this presents the true image of unix viruses, that they are indeed dangerous. On the flip side, I've never seen a virus implement what I've just described. But its definately possible, just tricky for most people. It requires a fair bit of knoledge about object formats, dynamic linking, pseduo terminals, process formats and so forth.. I should end with saying what has been implemented in the virus world (but largely unheard of). * true image infection with the virus occupying real space in the process image * per process residency by intercepting dynamic function calls * inserting new code into a running process * wrappers for programs that log data transfers, including password entries This isnt a big leap to the virus I described earlier. Detection of infected binaries is quite easy for many types of viruses. I can detect all known try infection viruses with my techniques. Thats the advantage of having a complex object format such as ELF (compared to things like .COM etc). What happens when you have root though? How about a worm that steals pop/telnet/ssh/ftp passwords and then trys to log into machines that logged into the compromised box (this takes advantage of the fact that most people use the same passwords) Then when a user account is compromised, use the virus techniques above. There are many other techniques that can be used, and the scope of unix viruses and worms are almost endless. I am suprised by the fact, that very few people actually have written viruses. From my experience however, very few of the "hacker" types have enough knoledge to write an effective virus. Perhaps we will see a stream of viruses appearing once a few take off. Maybe.. I'm not going to predict if this is going to happen or not. I do however believe that Unix viruses are a serious threat. Silvio

Would a Macro type virus be possible?

Now that more applications are available for Linux would it be possible to create macro type virii?

Of course we're not talking about anything that would run as root, but if say an individual were to download a document for Star Office, or receive a document via e-mail, would it be possible to hide a command or macro which messed with that user's home directory?

Millionaire in a week?

I don't buy the excuse that anyone who can set up a website can become a millionaire in few weeks. That's not why viruses for Linux have not become common place.

Perhaps someone can post the recipie for for becoming a millionair in a few weeks just by having decent programming skills...I would like to know. Geezz...is this the only lame reason this guy has come up with why linux viruses aren't commonplace!?

Software will just "require" you be root 2 install

And if **every** major software package does this, and Linux spreads to the clueless mass desktop user who *just* *doesn't* *care* the way we do about security, our concerns will not matter. The bulk of the market will continue to buy and use these products, leaving the road wide open for Linux viruses.

Re:VIRUSES

Ah, a language purist. While we're on the subject, I think it's only fair to point out that you failed to properly punctuate the word "can't". You also neglected to capitalize the first word of your fourth sentence. You failed to place a comma after the word "Geez", a word no more proper than "virii". You forgot to capitalize "Linux". You failed to punctuate the end of your last sentence. You misspelled "pretentious". You misspelled "ridiculously". You forgot to punctuate the very first word of your entire post.

You'd do well to put some effort into mastering the basics of the English language before shooting your mouth off about improper words.

Re:Head in the sand?

UNIX doesn't have this brain damage, thankfully, making it a lot more difficult.

You might want to actually check your assumptions...

From this page:

"* VIT The VIT Virus is a Linux x86 parasitic virus that infects ELF executeables by using the padding of the text segment. For replication, direct infection via attemption infection of executeables in the current directory is employed. This virus is documented in the article UNIX ELF VIRUS AND PARASITES. The name of this virus by curiosity was given by the people at FProt who noticed the virus created a temp file using the letters VIT."

&sign($AC[0]);

viral hackers

I would hope virus builders would have enough respect for linux not to make viruses. It's like shooting yourself in the foot. Then again there are the evolvin cyber life viruses. If you don't know don't ask. You'll only become more paranoid.

I'm sorry. Did I run over your Dogma?

Re:viral hackers

[Graymalkin]

You're equating virus writers to Linux users? Real intelligent Jethro.

Re:Viruses will come...Free Software isn't ready!

You are a dumb little fucker. Needle-dick.

Antivirus product on the market

Apparently it's called tar.

Yes, I've noticed that

1) Law of supply and demand. This bloke has supply but no demand, so he needs to invent a demand.
2) Most linux users could care less about viruses, myself included. So, the bloke makes up a scare. There are linux viruses everywhere, just waiting to be made. You know your neighbor who just got laid off from the toothpaste factory? Well, he's angry, definitely going to release a linux virus.
3) Intelligent linux users dismiss this bloke as an imbicile, but he fools the morons who believe everything they read in the press. Meanwhile, this bloke laughs all the way to the bank.

As someone who works with Unix for a living, just remember these easy steps: only run as root when you absolutely have to, and be careful what you install. Can you remember those two easy steps class? Good.

Re:Of course it is...

Umm... is this QuantumG guy trying to karma-whore or just trying to generate the slashdot effect on his page??? This is like the FOURTH time I read this "most revealing linux virus research can be found at ...silvio/ ..." and it's marked Informative.

This should be marked Redundant...

I've had viruses before

Not true. I am not your average Windows user. I use Windows at work and Linux at home. Once, a friend of mine, who codes as well as almost anyone, sent me a virus via icq by accident. Bam, there goes Windows. In Linux, this wouldn't have happened because at the worst, it would have taken out my home directory. So for all you novice linux users out there, don't run as root, and you should be fine. Never mind the scare tactics by someone trying to sell you something.

Re:Hard to imagine

...most viruses are spread by running pirated or other dubious software. Since switching to Linux, I have only installed two such progs and I checked the source.

Cool, you had source for your pirated software? Where did you get it?

;-)

Usage == "Rightness"

Unless we want Language Police.

Re:Reasons enough

The most revealing research into why virii is not a word can be found at:

silvio@silvio.silvio

Re:Hard to imagine

The situation that worries me more is one in which a worm, using the same ideas as the Morris worm (using a couple of security holes to spread as far as possible) was actually coded *well*, and did not bring down every box it touched. It could sit there, spreading itself onwards at an acceptable rate, not drawing attention to itself via a large amount of processor usage, and so on. If this worm's primary function was not mere reproduction and spreading, but to act, say, as a DDOS trojan, then we would have a Problem(tm).

Sorry about the AC, but I couldn't be bothered to log in.

--
RegularFry

Reality is the original Rorschach.

He's right, of course.

UNIX is a system whose security model is fundamentally flawed. Its vulnerabilities stem from three major design mistakes:

1) the C language.
2) the SETUID bit.
3) the root account.

Securing a UNIX system against viruses requires a hardware solution, because there will always be one more remote-root exploit.

The solution, is to keep all the code that you can't stand to have changed, on a read-only disk. Set up your boot volume with your kernal image, /bin, /usr/bin, etc, and then PULL THE WRITE-PROTECT jumper.

The hardware solution is trivial. In UNIX, a software solution may well be impossible.

-jcr

Re:Viruses will come...Free Software isn't ready!

Quit moderating this person up! I am getting sick of hearing the same thing from this person over and over... Especially that "The most revealing linux viruses.." bit.. Now only if I had moderator points to score this person down...

Lynx

Lynx is still the best web browser. :)

Re:Linux Viruses

Stop and think for a moment. To produce a binary Linux virus (as opposed to a script virus), you have to have a virus capable of handling a.out and elf binaries. It has to support Linux 1.x.y and Linux 2.x.y kernels, It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m64k, ppc, S/360 and any other architecture Linux supports.

Why?

it's got to support ext2fs, ext3fs, reiserfs, xfs, jfs, ufs, umsdos, and any other filing system that Linux could be run off of.

Again, why?

I don't have hard statistics with me, but somehow I doubt that the number of 1.x.y kernels, with libc5.0 running on Sparcs with ext3fs[1] is anywhere near the number of stock Red Hat 5.2 or 6.0 installs. (Not to mention related distributions like Mandrake or the billions of copies of LinuxOne OS which have been sold already. I hear that Red Hat is just a rebranded clone of LinuxOne[2])

You've no way of knowing if bash 1, bash 2, csh, tcsh, ksh, zsh, perl, tcl/tk, python, or any other given shell is present, never mind used.

Really? Are you trying to tell me that you have gone to the effort of modifying your system to boot without the aid of /bin/sh? That's impressive. And a little scary. The presence of a POSIX compliant shell is one of the few things the rest of us count on to be present on every system.

If you want to exploit holes in Linux systems, the last thing you want to do is target a handful of IA64s and IBM mainframes with obscure kernel patches. Your audience is the people who buy the boxed edition of Red Hat to run on their cable-modem connected Intel boxes at home. Those things are about as diverse as toast.

-D
dcross@cryogen.com

[1] Yes, I do know that these things don't go together. But you know that if you were truly bored enough, you could make it happen.

[2] If you don't know what I'm referring to, count yourself lucky. If you think that I don't, then send flames to my alternate address, postmaster@localhost.

Re:UNIX (and Linux) viruses - the real story

silvio,
silvio silvio silvio silvio silvio, silvio silvio silvio silvio. On the other hand, silvio silvio silvio silvio silvio silvio silvio.

Of course, your silvio may vary.

silvio

Re:Head in the sand?

College campuses and enterpirse networks with a d...head sysadmin. Users install their own software in their home dirs. Guess what happens next.

What happens is when the virus trys to run:
rm -rf /, the virus will get a 'permission denied' message. The only thing that can happen is it can possibly infect other executable files. If ROOT doesn't run them, they are useless.

There are few notable examples when the above situation will drastically change. The most important one is:NO EXECUTABLE DOCUMENT FORMATS!!!". If MSWord will be ported or a similar abomination will become a predominant software product on Linux than there will be trouble. Because there will be "executable" user writable formats floating all over the place. Than the treshold for selfsustained infection will be exceeded.

This statement is a joke.

In Windows, double-clicking an ASSOCIATED FILE is no different that opening the application first, and then opening the file. Either the virus is in the file (macro) or in the doc viewer. "Executable document" doesn't make sense, for it's the OS that gives the illusion to you, who doesn't undestand what's really happening.

Re:How to get infected using Linux...

It is also possible to use X11 to grab the keystrokes (using something like XGrabKeyboard), and looking for a meaningful pattern. The virus can even continue doing it after the computer is rebooted, by adding itself to user's .xsession or Gnome/KDE session files. However looking for root password is not so important after all, since much harm can be done even without it, e.g. stealing information, allowing remote access to system (.rhosts, attaching /bin/sh to a certain port, bypassing firewall by creating inbound connection) etc.

Re:Ham radio abuse / CW

Why down with code. Its already a thing of the past with that pathetic 5wpm minimum. They are just going to let people in without doing any work. This will probably lead to more abuse of the bands as well as other problems.

Maybe 20 word testing will come back some day.

-- A 15 year old 20 word Extra in Wisconsin

Virus-Scanners shouldn't be depended on

Simson write that what Linux needs is anti-virus software like McAfee or Norton AV- but from a security engineering standpoint, scanning for known malicious code is a weak little hack.

The analogy is a bank. If the only thing the guards do to check on the customers coming in is look for them on a list of known bank robbers, then they've got serious security problems. Each criminal gets to rob at least one bank before his picture gets passed around. (In the scaleable world of computers its not quite as bad as this...)

Besides, no virus scanner can protect you against a remote-root exploit- because once the attacker has root, his first move can be "killall norton;killall mcafee". Then he can either delete your scanning software, or cripple it so that it never really checks on his code (for instance, redirect its automatic-update function to point to his own website of phony virus signatures)

Once root is compromised, no software can protect you.

The better approach is for the bank guards to just be more careful about who gets the combination to their big vault. That could entail more people running programs like SATAN (with automatic updates of new exploits), or adopting slightly different security models on their systems. (Make a new access level that's slightly weaker than root, for running httpd and nfs servers and things, which is not allowed to change the kernel. That way exploits to those servers won't open up the whole system).

(Of course, Unix is already better off than Windows98, because generic users aren't allowed to overwrite the kernel on their own. And the sys admins never have to ASK their users to install needed patches- they can do it themselves!)

Re:Simply not true

Well quit. I have already moderated you down twice already. WE GOT THE POINT. THE FIRST TIME!

VIRUSES

Lets all say it together now:

VIRUSES! VIRUSES! VIRUSES!

not the stupid, made-up, pretensious and ridicuously incorrect excuse for a word that is "virii"... which cant even be sucessfully derived. Geez you guys may know your programming and linux, but you cant handle language worth a damn :P

Re:Possible.

Call me when you catch him, I had to pay $5 to get my BIOS replaced after that.

its not the OS guys, its the user...

take a user that knows what hes doing and that understands a few basic things about security.

he dosent need a virus scanner, be it win9x, linux, or whatever...

take the same OS, and give it to some clueless user, and you have a very big virus problem on yourhands.

now measure up the general pool of linux users against those from windows... tada, you just found out why there are more virii for windows than linux!



i dont use a virus scanner on any of my computers, unless i suspect something is wrong. i dont run untrusted programs, and i dont have office, or any email macros defined.



baring virii that use exploits to gain access (which are corrected by correcting the exploit), when the linux community is comparable to the windows community in terms of ignorence, then you can fear linux virii.


someone that understands what they are doing has very little to fear....

Re:its not the OS guys, its the user...

[QuantumG]

I really dont think you have to be clueless to get a virus. The problem is that people do distribute binaries or users don't look at the source code they are compiling. Modern Linux viruses do not use exploits to spread. It's all about following the user. Going where they go, snarfing their authorization tokens and infecting every binary they have write permissions to (in the hope that someone else will run it). The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Possible.

I have gotten plenty of those email macro viruses in my inbox on mutt.

Re:I've heard this a milion times before.

>Anybody remember blimp ? The Virus MIT developed to test Unix vulnerabillity ? That managed to infect and destroy files only in the directory of the user who ran it ?

source code for blimp:

#!/bin/sh
rm -rf ~

Re:Possible.

Actually, I've had around 5-6 viruses in my Windows career, including CIH, Stealth-C, and Butterfly. There are more viruses for WIndows it seems, than grains of sand, but only people regurlarly doing file transfers (e.g. an academic LAN) are really in danger.

Re:Devoid of Clues

Right.
And so what everyone else is saying is wrong.
Read a little bit before you shoot your mouth
off. It _is_ possible to make linux virii. While
I am of the opinion that we WON'T see a huge
outbreak, I wouldn't mind a little protection
either. Always be prepared.

Re:Head in the sand?

How intuitive is it, when you need to press the RESET-Key-combination to start using the computer, and how intuitive is it, when you need to press "START" to end your session?

Enough with this stupid analogy, it's a hell of a lot more intuitive than *ANYTHING* in Linux. You've obviously figured it out so it can't be that difficult to understand.

Click START to start shutting down your computer...simple and easy to understand.

Look at the guy's hair

Are you sure his name is not Garfunkle?

Why Linux is immune to viruses

Because Linux users practice information hygiene, a belief in copying things strictly and taking great care with information, which as they understood, is potentially dangerous.

Virus? What Virus?

The medium is the message. Linux is the virus.

Re:Virus? What Virus?

[Glytch]

Tux meets Marshall McLuhan. Cool. :)

Re:Simply not true

Stop fucking posting this.

The nature of the virus writer

Hello, and good evening.

I've read the responses thus far on the subject of virus writers, and to be honest I'm a little disappointed with the quality of slashdot readers. A good virus is a good hack. Like the melissa virus, it's elegant, simple, and made to prove a point to one's self and to others. A good virus is rarely destructive, although strains have been made of good viruses that are destructive. They exist as the brain-children of intelligent people who often mean no harm.

Like the original worm, which was meant to live out on the internet forever, which could never be killed, but never really caused anyone harm (oh how the mighty fall, sometimes the authors get certian points wrong... denial of service was not such a well-understood phenomina in those days) a virus is like a work of art.

A virus is a living piece of software, it's software that exists and is distributed all over the world. That level of distribution of a hack so sublime was enough to make our mouths water when we were children in the new world. I suppose most, like me, never had the balls to put their code into distribution, and I suppose that most never intended to. It's the kind of thing that could keep you awake at nights, knowing that it's out there and out of control. The actual release of a virus requires a certain mind-set that I cannot fathom, however the authorship I can easily relate to.

Why could I never write a virus for linux? It's too inelegant, and it's too grotesque to deal with all the special cases.

Am I running as a typical user? Yes, ok, let's act like a worm and try to infect someone else. Am I someone who knows the root password? Yes, ok let's watch him until he opens up a way to access root. Am I root already? Yes, ok.. well... now... I just go around infecting things, I suppose.

There are too many variants, it's too slow, and too much complication. A virus is beautiful because it is simple. A virus is not a hacker's toolkit, it is only big enough to do a single thing and do it well. A virus that has to deal with so many modes of operation and intrusion could only be classed as an application. Very sucky.

Virii will be written for linux, but they won't be very effective because the author's hearts won't really be in them. It's so much more satisfying to write a good worm, or a windows virus that won't require all the pondering and the chewing of one's cud. Linux security is probably not good enough to beat a really effective hacker-style worm+virus combination, but it's good enough to make such a virus more complicated than it's worth, and more ugly than can be admired.

Benjamin.

Re:The nature of the virus writer

[QuantumG]

writing a linux virus is hard, but challenging.. there are a whole suite of new techniques to learn and explore. Check out http://www.big.net.au/~silvio/ for three linux viruses that do not run as root and do not infect the kernel. The golden rules of linux viruses are:

1. Follow the user
   
2. Dont use exploits, the virus will only last as long as the exploit!
   
3. snarf authorization tokens
   

Stupidity

I think Linux viruses will have a much different construction than the Windows variety. Because of the relative inexperience of most new linux users, a virus doesn't have to be sophisticated. Heck, it could just be a shell script which does an 'rm -rf * ; echo F00BaR V1Ru$ I R00l EWE'. Why write complicated code to carry out your nasty ideals when you can let the (l)user do it for you?

Re:Stupidity

[QuantumG]

viruses arnt about destruction.. you have been duped by the anti-virus corporate world.. "viruses are evil.. if you get a virus you will instantly loose your harddrive!!".. viruses are about research.

Economy?

I simply don't see why he's forecasting the economy will get worse. He's just scared of progress. Or does he believe that all the wealth that has been created will vanish and we'll end up living on the prairie without any houses?

Re:Viruses will come...Free Software isn't ready!

Lemme tell ya.

One can make a virus that will `do damage' like the virii we know, OR the same one can make a virus that will take your passwords, send your data to hackme.com on demand etc...
Now in order to create a virus a certain amount of IQ is required. Guess what people who create viruses will choose.

The destructive viruses existed before the globalization of the internet, and thus they were a `game' thing. Now virus==power. I BET - and I'm not a conspiracy maniac - that all CIA,KGB,and friends HAVE launched viruses to access the computers worldwide. Not officially of course.

The only ones who would want to create destrutive viruses is McAFee. In-freaking-deed.

Wanna catch the viruses? Thats what I expect serious people to do:
Take a computer, install stuff and then isolate that computer on a fake internet. Set the default gateway to log all IP packets. Count the number of packets (UDP mostly I guess) that were not due to normal user requests. "Viruses nowadays -if any- USE the net to contact some HQ and get commands"

Another effect of internet POLLUTION.
Some people call it trojan and others latex. But actually virus is a program that duplicates itself so viruses is the right word. All other references are pollution from people who want to FUD. Because remember people, in the society of information wars are done with : confusion, propaganda, information noise and friends. And there are lots of net battles.

Now if you'll excuse me coz i have to save the world.
--ZubaNeida

Re:virus threats

To port Office to Linux in less than 50 lifetimes will require that Microsoft implement some sort of registry, can you imagine trying to change all the office code that relies on it?

I don't believe it'd be that hard. I'd do it with a ~/.msoffice plain text file and knock up a thread to handle registry read/writes using that file on a per-user basis.

ac.uk

Write Some VB Code!

Go write some more VB code, and dream about sucking my virii

Re:Reasons enough

If I have to read "The most revealing linux virus research blah blah blah" I will shoot someone.
Ditto for "virii isn't a word! ......"

Glad to get that off my chest

Re:Common sense VS Anti-virus software

Since Lynx was? Newbie. Try gopher or ftpmail if you want to sound old ;^)

Why it won't be as bad as Wind-blows

[kinkie]

Because the Un*x programmers usually have security among their concerns, and in a pretty high position at that.
So you usually get apps that are security-conscious in the first place, and that get fixed ASAP when some exploit appears.

Re:Why it won't be as bad as Wind-blows

[kinkie]

Because they're also lazy (it's a good thing sometimes...)?

Buffer overflows have always existed, in all kinds of software. But you can go hunting them (see OpenBSD).

Re:Why it won't be as bad as Wind-blows

[doctorbob]

Just a random thought in passing ...

... but if security is such a concern of so many code writers in the *nix community, why are some still not taking heed and writing buffer-overflowable code?

My $0.02

Rob

Re:Hmmm...

[QuantumG]

absolutely right.. there is not "secure" way to stop a wayward program from modifying your kernel once it has root.. that's the point of root, if you have it you can do anything. There are things you can do to reduce it.. like getting rid of /dev/kmem and randomizing the position of the syscall table. Increasing apparent security of linux is something good that can come out of virus research. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Possible.

[QuantumG]

oh please.. excluding macro's, when was the last time you had a virus on your windows box? most people would say never.. even with the latest wizz bang virus protection software.. wake up.. it's a scam. Antivirus companies make false claims about how dangerous viruses are and how effective their product is.. most viruses do not spread.. they are written purely out of interest or to be a part of the "virus community". Linux is no exception (or any other platform for that matter.. take palm os, win ce, mobile phones).. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Simply not true

[QuantumG]

yes.. we can deal with viruses faster and better than anti-virus companies can (microsoft aint got nuffin to do with it.. they just make the crappy software that gets infected) but only if computer virus research is supported and not forced underground. There is a lot of linux virus research going on with the hope that we can develop a good immune system to linux. You can read about some techniques at http://www.big.net.au/~silvio/

Re:Linux Virii whole different ballgame

[QuantumG]

not true.. if you infect the programmer then you can infect the distribution, then you can infect the user and the user can infect the programmer. Follow the user, use the users authorization tokens, forget exploits, forget kernel. Check out modern linux virus technology: http://www.big.net.au/~silvio/

Possible.

[WinterKnight]

I'm just suprised that my system didnt cought
a virus for linux so far.

Re:Possible.

[Zagato-sama]

Actually, several of my friends from irc did manage to get the CIH virus. They did not scan their computers on the eve before Chernobyl's anniversery, and paid for that mistake with their motherboards.

As for viruses and Linux... there are no(few) viruses for Linux simply because nobody cares. Look at Linux's market share. If you plan to wreak some havoc by writing and distributing a virus, would you go after the 90% market or the 5% market? If linux gains more popularity, then virii will indeed start popping up.

little sense

[shitface]

This Garfinkel guys argues that the lack of *NIX and primarily Linux viruses are do to the booming economy. He then goes on to say that when the economy goes south that programmers will become unemployed and create viruses!!! This makes little sense if one was to think about it, just as a convincing of a arguement could be made that the free desktop are going to get better with a bad economy because it gives programmers more time to code on free projects. Even thought Garfinkel does not present a very good arguement, I can understand his concern. Sigh, anti-virus programs slow take up resources and slow down the system;(

Re:Hot Grits Virus

[luckykaa]

The Hot Grits virus wil only affect unsecured pants. Keep 'em done up and don't let other people into your pants, and you should be okay.

In 15 years, only commercial disks gave me viruses

I've been tinkering with computers for 16-17 years. When I got started, you couldn't go out and *buy* a virus for any personal computer if you wanted one. A few years after I got my start, Compute! magazine (I mourn the days of type-in listings for my Atari) published an article on the SCA virus for the Amiga. I can't speak for anyone else, but I thought it was a joke at first.

Naturally, people copied its techniques (it was a boot-sector infector, as I recall) and then began adding new attacks. Viruses began appearing on all the major 68k-based systems and the PC. The 8-bit computers largely avoided this. Companies began popping up to sell virus protection, and made good money at it.

Further down the road, I went through my 31337 H/P stage and had lots of dealings with virus writers.

Through all of this, despite all the BS of the virus authors and hype from antivirus companies, the only virus infections I ever got were from two commercial disks bound inside books (one was "The Black Art of 3D Game Programming").

The moral of the story is that we can expect someone to release one successful virus for Linux sooner or later, tons of people will imitate him, and it will also be more smoke than fire.

Re:Common sense VS Anti-virus software

You are correct sir!
There is very little chance of getting a virus is you are actually careful about what you do. However, you are an exception.
My experience has shown that someone who I would call a Typical user has absolutely no clue what a virus is, download anything from anywhere, and then ignores any messages that they receive on their computer about virii or macro virii (especially on MS Office products. Maybe I deal with a really clueless groups of Typical users..
I think it comes down to this. What you know about a computer and security improves your chances - if you have no knowledge, you have no protection. Probably about the same as unprotected sex - what you don't know, can hurt you.

Linux viruses are coming?

I guess this means that MS is going to port Office to Linux after all. I thought it was just going to be MS Vaporware (TM).

Re:Hard to imagine

Have a look at what Ken Thompson himself said about this a few years ago: http://x31.deja.com/getdoc.xp?AN=200800703

Digital Signatures.

[Joseph+Vigneau]

More widespread use of digitally signing binary or source packages (via PGP, X.509, whatever), that would be automatically verified by rpm, apt, or some standalone tool (for you .tar.gz folks out there) would help out quite a bit, as you would be able to verify the source of the packaging. Of course, you would have to trust the folks you are downloading from. This technique would work well for protecting against rogue kernel patches and the like, if you trust Linus' or Alan's signatures.

This does not, however, protect against signed code that can be compromised. Obviously, if you compromise anything running as root, you own the system. The problem with Linux (and probably most *nix) is that security is based solely on ?uid, and not a more rich security model, such as determining which resources are granted to which process based on uid, some external certificate, etc...

Re:Digital Signatures.

[QuantumG]

digitally signing something is something that is done by a user - the programmer who develops the binary. If the binary is infected then the programmer has just signed the virus. This is the point of modern linux viruses, follow the user.. go with them everywhere and get in on everything they do with binaries. If you are going to communicate with binaries (and that includes giving, selling and chatting) then you are going to spread viruses. A lot of interesting linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Diversity will reduce the problem

[DaveTerrell]

Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.

Haven't we already seen things like this? Remember the DDOS attacks on yahoo and friends? Those were mostly automated attacks, scanning for multiple vunlerabilities and attaching payloads.

They aren't quite as automated because it's hard to write a fully self-distributing worm, compared to a simple boot sector virus. But with buffer overflows in almost everything shipped on linux these days (Have you upgraded your FTPD lately? Did your distribution turn on IMAPd again?) it's real easy to hit machines remotely and pop in an egg of almost arbitrary size. And if you're smart, you can use them for anything from pingflooding yahoo to voting for your entry in a $500 price from x10.

Of course, you could run audited code...

Re:How?

[John+Allsup]

Those are POSIX 'capabilities' which are not the same thing as 'capabilities' as in EROS et al.

As reiterated by capability proponents, they are not the same thing

And in case you were wondering, the name clash was POSIX' fault. --- the idea of capabilities as in EROS/KEYKOS/SPEEDOS/etc. predates POSIX (I think), let alone POSIX 'capabilities'

John

Re:It will happen - but not as bad as windows

[C.Lee]

>While were talking about current developments:
>Trojans have recently been found in things like wuarchive ftp.

Recently? The article is dated April 6, 1994....

Re:Hmmm,did anyone notice....

[C.Lee]

>So if his arguments were said by someone outside the security field
>you'd take them?
>You cannot discount his arguments just on the basis that he is a
>security consultant. You can examine what he says in greater detail to
>make sure it makes sense, but outright saying "He is a security
>consultant therefore his arguments are invalid" is invalid in itself.

No it's not. If you know someone's in a position to line his pockets from what he's trying to sell you, you'ld had better question the motives of said person. When a security consultant starts promoting "THE VIRUS THREAT TO LINUX" in the fashion Garfinkel did, warning bells concering what he's saying should be going off...

Re:Head in the sand?

[C.Lee]

>Well... who said that using a computer requires no skills? When you
>want to drive a car, you need a license too.
>I remember when I got my Amiga, two weeks later, the machine started
>to behave really weird. The computer would suddenly freeze with a
>black screen and I had no clue what was wrong. I phoned up some
>friends and asked them, what this could be since it only happened when
>I booted the Workbench. One mentioned a virus called "Byte Bandit" and
>told me, how to remove it.

Who are you trying to bullshit here? You got "Byte Bandit" from your friend. Byte Bandit is/was a boot sector virus that mostly got spread around on Amiga floppy disks by the Amiga Warez Crowd.

Idiot, moron, retard

[kashani]

Jeez this is dense. What the author is taking about is running a program that does bad things, a trojan not a virus. If he had thought for a moment he would have taken his head out of his ass before writting this drivel.
Window's problem has always been that all users are basically root. All program that ran could overwrite any other file on hte system. NT's problem was the macro languages built into apps were also allowed to do whatever the hell they wanted.
THe real question is, if i'm root and I open a "infected file" in vi, is vi now infected? That would be virus behavior. If I put a floppy in the drive and read my data, will any viruses on the disk execute? Personally I don't think so, but if we're going to talk about virii let's split the matter from trojan which are COMPLETELY different.

Re:Idiot, moron, retard

[QuantumG]

1. There are lots of "userland" windows viruses.. in win32 virus talk these are called "ring-3 infectors", you don't need root and you dont need to attack the kernel. 2. There are a number of very good - and viable - linux viruses. They are simply not spread because they are research, they are an investigation of a problem with the hope of developing a solution. You can read about them at http://www.big.net.au/~silvio/

Re:Head in the sand? - clarification

[myo]

As to the use of the word "virus", I believe that Mr. Garfinkle was using the Windows world definitionm which from what I can tell is "any malicious piece of code that you accidently get on your computer somehow." Not a correct definition technically, but when writing it is a heck of a lot easier to refer to genreal "viruses" than to have to type out "viruses, trojans, worms, and other malicious code" everytime you want to make a general statement.

This is a pretty grave mistake (or omission) to make for a security consultant.

In regards to the virus idea in general, though... in windows, how many people will send you an attachment of a C file? Very few. They send binaries. It's almost the exact opposite in linux. Very few will send strictly binaries, because a very large portion of the linux community will not accept them, and many run different operating systems or architectures (which the same C program may compile and run on without a hitch). It seems actually _less_ likely for people to send each other binaries in linux than in, say, solaris or irix (due to closed source patches and licensing terms, along with the lack of a _good_ default-installed C compiler).

Unix (linux inclusive) software developers would not likely get away with installing macros into their word processors which can write to disk. The linux community would reject the program if it was commercial, and "correct" it if it was open source.

As for using the system as root... how many sun administrators do this? I've received countless e-mails from admins using dtmail as root. I'm almost tempted to insert a lecture about it into my signature. Linux is not alone in the user-stupidity area.

Many linux users will be susceptible to viruses, and many will not... but i think the reasons and the realities behind the situation need clarifying.

As a side note... how many experienced administrators will trust an anti-virus program to scan and clean files on their unix-based system?

Just a few thoughts

[Zorton]

I am sorry if some of these comments have been addressed, I do not have time to read every comment on this page.

My experence with viruses has been minimal. In a former life I helped run a Macintosh computer lab, the main problem with viruses was not system erasing/crashing/cracking types, but was instead with simple "I am a virus! fear me!" types. Same thing in the IBM world, I have yet to find one that did anything marginaly cool. I can almost hear my outburst! "Wow! cool, look what this thing did! my BIOS is toast! neet!". My question is: Does the typical virus harm anything? Or is it just simply wasted bytes of data?

As far as linux/free unix's are concerned I agree the community has been blessed by some unknown virus god thusfar. We have not seen much in the way of virus activity. I can remeber a scare a bit ago (about 1 year or so, can't remeber), a worm simply infected all executibles it could grab, problem was you could run the worm with a switch that would remove itself from all infected files. I think this worm was a warning, and I haven't heard from any of my peers about any horrible real time kernel rewritting virus. Are we naive? or is the result simply the result of all the points addressed by fellow slashdot readers? I would tend to agree that the very nature of linux and it's popular distrubution methods inhibit virus activity but do not eliminate it.

The solution in my eyes is simply knowning your system. Linux/Unix/FreeUnix's attract me due to the openness of the systems. If you want to know what a library does write a script to search the system for programs that depend on it, then check the man pages of those programs and see what they do. What about 20 pounds/megs of manuals sitting in a /usr/doc dir? do we really need those on a simple 24/7 firewall? nope, rm those suckers. I think all new linux/unix admins (note: I make a distinction between a linux user and admin, all users should be admins, IMHO) should spend 2 weeks getting to know their filesystem and running system processes. Kill the ones you don't need, lock down the others. As you can see this rant has boiled down to good security practices, don't be lazy people, clean your filesystems up, know what should be where. Then employ tripwire or something similar on as much as you can. Write a script to check the md5 sums of files on the system and report changes. Simply checking binaries works well, do it every night and have it send you a polite e-mail if a change is discovered. This was my primary reason for running a rpm based distrib, I love being able to burn a CD full of my systems rpm's and then verify my installed files vs those on the CD. Simple step in security and works well (note: is not the end all, as weather here in a Alaska advises, dress in layers). Just a bit of work and your system will be one step more secure than those base install types.

These are my thoughts....only a bit of data in the noise. :)

Linux Virii Scanners

[dkusters]

Virii scanners for Linux _do_ exist. I got my hands on a virus scanner from McAffee about a year ago. The main problem with it was the number of virii that it scanned for. So why haven't they been announced?

Imagine that you are the product manager for Virus Killer 2000. Your engineers tell you that they've ported the base application to Linux, but there are only two virii in their database that affect Linux. Would you announce the product? I surely wouldn't.

With the spread of Linux virii will come the virii scanners. It is a matter of market. Without the scare, no one will buy your product. You need a couple of good Linux virus stories before the managers will rush to buy your product.

If you build the virii, the scanners will come.

The reason why we won't see widespread epidemics

[/Wegge]

Is that contrary to the Windows situation, Linux is more than a handfull of different system layouts. Some things are of course more or less identical but, short of direct attaks to the kernel itself, any potential virus writer would have to handle many permutations. To mention a few, there are at least 2 different ways to load kernel modules, 3 different ways of runlevel handling (not to mention that each distribution uses it's own inittab) and 2 libc versions.

So, even though it is possible to create a linux virus, their spread will be slowed dramtically due to the reduced likelyhood of an infection vector from one system to another that looks enough like the first.

Simply not true

[Zemran]

Although I agree that there will be Linux virii arriving I do not see the potential threat as being the same as it is with Windoze. With Windoze nearly everyone that is using it, has Word loaded and Word auto executes macros by default. Therefore you attack Word (or Excel or Outlook). With Linux there are not the "standard" programmes to attack. Yes there are other options but if you look at the history of attacks by e-mail the vast majority are just basic macros. This principle does not equate to Linux.

There will be the occational virus arrive that will be of a different nature and we will deal with that quickly and more effieciently than Micro$oft has with the problems they have faced. I do not think that there is not a problem but lets not get into the sort of media hype that Windoze virii get.

Re:Simply not true

[QuantumG]

sorry for the repetition. It's just that a lot of people are posting the same thing with the same - incorrect - assumptions (you need to get root, you need to infect the kernel, you need to have write permissions on the file to get a process spawned from that file to infect other files) and the response is the same. I'm trying to inform.

Re:Head in the sand?

[Prothonotar]

A piece of software which does something useful but contains some malicious code is called a trojan; no doubt these exist for Linux.

A virus is a piece of code which can replicate itself and 'infect' previously clean executable data, while not otherwise affecting the functionality of the executable. I don't know the internals of the ELF binary format, but what the previous poser is saying is that it is less suceptible to being infected with a virus than the Windows EXE format. So even if a naive administrator installs a trojan, it will have a hard time replicating. Furthermore, most programs installed are executed with the user's level of access, so even a trojan installed by root and owned by root will only be able to have the permissions of the user running it. Most such trojans simply use the user account as a means to gain some level of access to the system, and then precede to attempt to gain root access through traditional password cracking mechanisms.

The RPM package format allows for md5 checksums, and I presume that other ones (such as DEB) do the same. So, one can verify that the package has been unaltered from the original source.

Most virii nowadays come from naive users running EXEs that were sent as attachments or "fun games" over the internet. Most such things for Linux are distributed as source code, and so can be examined for malicious content.

In the end, though, a box is only as secure as its administrator and users.
--
Aaron Gaudio
"The fool finds ignorance all around him.

I think what he meant..

[R.+Paul+McCarty]

What he meant was linux does not have alot of document formats that contain executable code such as macros in Word documents, that regular users might pass around on a daily basis.

Secondly, word viruses generally infect a system by changing the Normal template file, in a multi user system (like linux) global preference files like this would be owned by a different user (like root) which the user wouldn't be able to change. Of course if this were true NT should be similarly immune unless Word rewrites it's own files.

-P

Re:An EFFECTIVE Linux virus is very difficult

[Mawbid]

I always thought people who say "virii" belonged to the same category as those who use "whom" incorrectly: People who are trying to sound more sophisticated than they actually are.

I wonder if they might be more like those who say "boxen". Nobody thinks "boxen" is the proper plural of "box"; they just think it sounds cool.

So help me out here. Is my initial assessment correct, or does it simply betray my arrogance in assuming others must be stupid?
--

Re:OT: Virii vs. viruseses.

[Mawbid]

...and if we decline it appropriately, we do indeed get "virii"

No. See here.
--

It's a diferent world for viruses.

[yendor]

I've seen the viruses come and go so I usualy take all of these "the end is near".
A comparison is the Y2K hysteria and the fear of new deadly viruses.

Today people don't get many "real" viruses other than the hateful but mostly harmless Microsoft viruses that infect .doc .xls etc.
The old viruses just don't show like they used to do, and though I don't know why it's almost like the virus coders has turned security experts and crackers.

I know there will be a flood of "I have had viruses" but if we loose all of the email and MS ones and the bootsector viruses, what is left is a very small factor.

Be careful where you direct your attention for the problem is elseware.

Re:Safe practices prevent problems...

[Glytch]

>You want safe sex, try abstinence before marriage
>and monogamy after.

Assuming, of course, that one wants marriage at all. Which some of us don't.

Re:How?

[Mashiara]

>
That's part of the problem with the current crop of (Windows/Mac) virus detection programs - they only check for certain patterns that match known viruses, leaving them vulnerable to the latest versions.
>

*Bzzzt!* Wrong,(solely) pattern based virus detection became obsolete with the first polymorphic viruses and this was in the late 80s.

All modern scanning systems have multiple scan modes with different types of execution emulation along with pattern based detection system and on top of that a more or less sophisticated heuristic scanner that can detect previoysly unknown viruses by searching for virus like behaviour (often only simple ones, excemptions to this rule are coming up like F-Secure Orion that detects all known 32bit windows viruses purely on heuristics).

It's the audience not the technology

[gelfling]

There are viruses because most people don't know or care about them. With 1.4zillion winboxes out there you have fertile ground to plant viruses not because of the sheer numbers but because out of that 1.4 zillion, ~1.38zillion endpoints are used by people who don't know, don't care, aren't planning to learn anything about computers. They use office suites and internet access and chat clients and play games. So you have 95% of all users who spend 95% of their computer time doing just this.

Viruses don't spread because of obscure nefarious hard to solve technical problems. They spread because nothing appears on people's radar screens until a week solid of tv news reporting about something. And the result is you have a population that breaks into roughly 2 groups:

1 group who really doesn't have a clue and probably wouldn't be directly effected much by a virus anyway.

1 group who think they know everything and claim, usually out loud, very loud, that they've got it all under control and aren't interested in listening to you explain to them what's going on.

So if 60% of all desktops were Freenix (pick your own #) and that 60% were deployed into the general population then you would start to see Freenix viruses. One more thing to consider though is access. In rough terms, because of how the infrastructure works broadband access is at least technologically available to 2 demographics:

The wealthy or near-wealthy because this where the wires, CO's and cables go.

The lower middle class or working poor because this is exactly the old infrastructure that ADSL runs over (no fiber need apply, thank you)

So you're left with 2 groups of customers that fit the criteria of not caring about, or deluding themselves that they are immune from viruses and other security attacks. And broadband will give these populations the ability to wreak and to succumb to all sorts of havoc.

mh security flaw? lynx security flaw?

[Dr.Hair]

Well the grand daddies of mail handling and web browsing have had security bulletins issued and the ports flagged in FreeBSD.

A proper mime binary sent to a vulnerable user 'root' using nmh or exmh will be able to execute arbitrary code. path to virus. Hopefully you never have mail actually sent to the root account. Do you?

Lynx is also vulnerable to different but exploitable holes. I'm sure that root shouldn't be browsing the web, but you'll find a lot of 'seasoned' unix admins who don't have the su religion. Do you always log in to a system as yourself and then su to root?

I've known Simson a long time. And I was around MIT when the first big worm went through the system. Only fools get worms, trojans, and viruses, and it sounds like a lot of Slashdot newbies are overconfident and under vigilant.

I knew something was up....

[NoNsense]

Now we know why Microsoft has all those opening for Linux software developers. The new product will be called something like: gnuvirus. Just because they cant buy Linux from anyone and make it exinct .. they'll just try to infest the net with virii for Linux. You go, Billy G.

Re:An EFFECTIVE Linux virus is very difficult

[Signal+11]

Just a quickie - linux has had macro viruses. Check out emacs, which allows auto-interpreting of how many spaces a tab should be in .c files, or in vi where the first line could contain instructions for vi to execute on load.

Such stupidities are not limited to the windows world, nor are they any less rare. Windows simply has a unified interface. Imagine writing a virus that had to be capable of infecting the system in 62 different languages, and now you see why it isn't practical under linux. But it's possible, the means are there.

Funny...

[miker]

Funny how all the millions of Outlook Express
mail viruses (virii?) have yet to affect anyone
running any form or Unix/Unix-like system. We had one run around about a month ago, good old Pine
let me save it as a text file, which we could see
was a VBS file. So we warned everyone else, but,
Outlooks "open attachments automatically" really
"helped"

Oh how the winds change...

[skroz]

Stories such as this one have been posted before, and I've watched the reaction of slashdotters sway from "No way! There will never be a linux virus!" to "Yeah, this is definitely something we should worry about," in only a few short months. Why? There have been no new linux viruses in this time. The experts would have you believe that there is a problem because they bolster their fame and reputations by crying "wolf" every chance they get.

I'm not saying a virus is impossible, nor even unlikely, but the chances today are exactly the same as they were six months ago, and now average slashdotters have joined the panicking masses. Amusing.

Re:Hard to imagine

[Mongoose]

You need to join a software project and read the linux-devel list. It's very hard to release such code without someone noticing...

I remember a thread on linux kernel about trojan patches - they'd be eliminated by the streamlining of the code before they'd make it to the release.

--------------
QuakeForge http://quakeforge.net

Thanks for points

[korpiq]

so as a normal user I dont have the right to run a program[?]

Wrong. Only suid-exec would be restricted to read-only, single-mode -modifiable partitions.

1. You don't need root for a virus to spread

True indeed. However, you can limit the ports, devices and other resources that user-space programs can control, thus limiting the effectiveness (autospreadability) of programs such as the DDoS servers.

If your distributor gets a virus and compiles a binary release, you have a virus on lots of machines.

True. This is the original C-compiler trust problem, to which there is no cure. Total security is impossible, but assumed a distribution is secure, better security is much more achievable than is the case now with most distros.

It is an arms race.

You are right - and text above is my contribution to it :) These are ways to enhance security, cutting virii spreadage, not any final salvation :)

On the "research or not-research" part you contradict yourself, but I agree with what I read as your general idea. Security development must be open.

Base level security is a must, but not at the expense of usage.

Yes. A power user would most likely explicitly disable the security restrictions that bother him/her. My point is about distributions getting made secure by default because users are too lazy/dummy to handle it, so we'd be able to route around the weakest link in security - the uncaring user.

What the heck, my boxes are full of holes. Kind of proves the point. If the installed distributions were secure, the holes would be far and few.

Pre-, not post-protection! readonly systems

[korpiq]

I do sound like a Nazi here, but we might really avoid DDoS and disk-wipage if world ever were made like this.

1. DDoS has proved a few points:
   1. everyone who controls a computer is in effect a sysadmin of that computer
   2. ethical responsibility of a sysadmin is to ensure it cannot be compromised to be used as a weapon (ie. platform for further attacks/virii)
   3. everyone (1) is not able to be a good sysadmin (2)
   4. thus, distributions need to be secure by default (RedHat! major paradigm shift required!)
   5. there will always be buffer overflows or comparable ways to gain root on a running system
   6. thus, security must focus on disabling root from further compromising of a running system. (an on-site boot to single-user mode could still be used for unlimited maintenance.)
   7. Security updates must by default for dummy/lazy sysadmins be executed automatically from a trusted source.
   8. Systems must be made automatically proactive in tracking security compromises (even attempted) and reporting them efficiently.
2. Physically read-only disk drives
   1. All suid-exec capable disks should be impossible to write on (except in single-user mode)
   2. Specs how to cut your IDE cable to make an IDE drive physically read-only have to be spread (is this possible? Please show us how!)
   3. mount (and/or VFS?) should come as a version that allows only
   4. suidexec from physically read-only drives
   5. default (/etc/fstab specified) mounts except in runlevel 1 for maintenance.
3. init: runlevel 1 should only be accessible through local boot, not by dropping into it.
   1. to maintain remote systems, root can
   2. prepare a maintenance script
   3. call techsupport to reboot single, execute maintenance, that reboots back to production
4. /proc access denial
   1. access to resources such as kernel memory is a definite security risk
5. ipchains must be restrictive by default
   1. Reject all unnecessary traffic
   2. Track port scans and known attacks
   3. Be smart about DoS/spoofing and drop obvious attack traffic in routers/gateways/firewalls
6. *BSD should be preferred for servers
   1. Linux is great (power user) desktop system
   2. OpenBSD comes with OpenSSH, crypted fs, etc
   3. An uncompromised server can be used as an authoritative source for rebuilding compromised clients.

In short: Desktop-style virus inspection is inferior to a system built to be secure. System administrators/developers must be wise. No standard software can patch sloppy systems.

Above all: Distribution builders must take the responsibility of security of the systems installed from a distribution. End-users can not be trusted. They should work their way around security restriction if they need; not vice versa.

Share? Hate? Especially distribution builders, please respond!

Re:Pre-, not post-protection! readonly systems

[QuantumG]

so as a normal user I dont have the right to run a program.. what the hell is this? windows nt corporate workstation? 1. You don't need root for a virus to spread 2. You don't need to infect the kernel for a virus to spread. An ordinary user (not a dumb or stupid user but just your average joe linux user) can get a virus, compile some code and it is in that new binary as well. Give that binary to someone else and it will spread. Who copies binaries? Average users. If your distributor gets a virus and compiles a binary release, you have a virus on lots of machines.. that's lots of users spreading that virus. linux viruses exist and are quite well written. No-one spreads these things because it is research. It is an arms race. If this research is forced underground then we revert to the old model, of 3 or 4 companies carteling a product that does a half assed job. Base level security is a must, but not at the expense of usage.

Root not needed...

[hawkfish]

I am not a big Linux user, but there is an aspect of this topic that has been discussed on RISKS recently that no one seems to be addressing. A virus does not need root permission to cause havok, just access to a few system resources. For example, user's email address list and the ability to create sockets could bring a network to its knees.

There are some practical objections to this (the biodiversity argument comes to mind) but I am not really sure how valid they are. While it would be nice if there were zillions of flavors of Linux in the world, the fact is that most installations will standardize simply to keep administration costs down. Biodiversity is not a given - especially when large number of people are involved (just go to any city park) - and to say that it will prevent problems seems somewhat naive to me.

Discussion?

Re:Well he has a point there

[crovira]

Well, "J'en perd mon Latin!" Uh, before you criticise peoples vocabulary, make sure of you facts and just because you abbridged dick-tionary only carries four letter words doesn't mean that they're necessarily germaine to the subject at hand.

Re:Hard to imagine

[Romen]

However, there is an additional reason why this doesn't apply - this was by Ken Thompson, who was considered trustworthy by the people using his cc. If Linus decided to insert a virus into the kernel, or the egcs steering committee into gcc, we would be in trouble. But those people are in their positions for many reasons, one of which is that we trust them NOT to do this. While we don't put as much trust in the maintainers as ordinary consumers put in, say, Microsoft, it is important to be able to trust the makers of your most important software.
Sam TH

Re:How?

[BJH]

That's part of the problem with the current crop of (Windows/Mac) virus detection programs - they only check for certain patterns that match known viruses, leaving them vulnerable to the latest versions.

What you need is a program that would, for example, check on certain system calls (for example, those involved in module loading) and determine whether the call should be allowed to complete or not. Unfortunately, this isn't a drop-in solution - it needs proper integration with the kernel.

Re:How?

[BJH]

Yeah, there's been some work on including capabilities in Linux, but whenever the topic comes up, there's always a flame war about the "right" way to implement it, with the result that noone's really made a serious try at integrating the kernel and userspace support needed.

I love things like this!

[Lumpy]

I really love it when someone that knows nothing about an OS, speaks out on the up and coming Doom!! Let's see... yes this is possible if everyone logs in as root all the time (Like windows is set up to do all the time) and if Microsoft ports Outlook and word to linux. Right now Linux doesn't have an email program that automatically opens attachments and runs them, or has a scripting language that ALLOWS direct access to the systems resources for incoming email. granted, us linux users are in the dark ages by not having such features that Outlook has, and I feel really bad that I dont have outlook for my linux computer, I wish I was able to get more virii that way.

My decision on this? I tell these people that they need to watch for an email that says "FREE MONEY" dont open it it will cause your computer to explode and kill all the small birds around you.

Idiots, and morons.... and they get published as "experts". Gotta love our media.

I retract my last statement....

[Lumpy]

This garfunkel, is a complete moron! Hey, where the hell can I get myself published? I can make things up about something I know nothing about! Check this out...

Impending dangers of rectal exams.

You know when you go to the doctor, you get, as a male, a prostate exam. These exams tell the doctor nothing, and only server to get sick and twisted doctors enjoyment out of causing discomfort and pain. Prostate cancer is just a myth. Sure, doctors will tell you otherwise, but what do they know. I've had my prostate for years, and the guy at GNC said that grated goat spleen will keep me healthy. Dont trust what someone that knows your body about what they say. Just listen to me... hey, I'm published! I have to know more than them!!

The distribution model keeps us relatively safe

[Tyrell]

> If Linux picks up a lot of just-average users,
> malicious code could actually be written in
> source form, distributed with packages and
> compiled in.

I'd like to think that the package distribution model filters out virii at this level. That is, most novice users will be installing only rpm's or deb's from CD or from a centralized distribution site. These are places where each package has a (presumably trusted) maintainer responsible for - among other things - avoiding the scenario you describe.

Personally, I make a point of never downloading binaries except from one of the debian.org sites. The assumption being that _someone_ is bound to have spotted malicious source and notified the world of it. If we all look at 1% of the source we download then I figure it will happen.

So, in my mind, the big viral danger for linux won't start until download.com or someone begins indexing/carrying linux binaries with unkown provenance.

Dual Boot

[SkyWriter]

Why wouldn't a dualboot system present a security
risk? A program run under a DOS/Windows partition
can easily scribble on a linux partition.

Re:Dual Boot

[Tower]

Check this out for more discusion: http://slashdot.org/article.pl?sid=00/03/05/234123 2

Re:Hmmm,did anyone notice....

[Mr.+Flibble]

It is proper to question the motives of an individual. It is not however, proper to question the argument. The argument should be taken on its own merits regardless of the source.

Questioning the arguer instead of the argument is known as "Ad Hominim" Latin for "to the man". Ad Hominim attacks are slanderous and have no place in an argument.

Yes they do!
No they don't!
Yes they do!
This isn't an argument!
Yes it is!

But I digress....

Re:Head in the sand?

[um...+Lucas]

I personally believe that the vast majority of viruses on Win systems come from stupid people opening executables in the email attachments. I seriously believe that if EVERY EMAIL CLIENT simply disregarded (throw away) executable attachments, we'd see a HUGE decrease in virulent outbreaks. After all, we have FTP and the web for distributing programs. Using email for that purpose is a complete waste.

A lot of programs are distributed as .exe self extracting archives, and though it's not email's explicit purpose, it's generally much easier to email a small program to someone (I always use my mom as an example for this) than to try to locate it on a ftp server...

Also, I'm quite used to sending files to printers (real ones, think offset, not laser), and often times for some reason or another, they don't have all the same compression programs I use. So again, I'll package my files into a .sea and email them over to them. A lot of companies out there aren't high tech enough to have functional ftp sites...

And besides that, it seems these days most of the virii out there aren't even executable files. They're macro viruses stored inside of word documents. Blocking executables does nothing to stop that. Blocking macros would, but what if i wanted to email a fancy new excel macro to some guy in accounting?

Oh yeah... And >14 years and i've never gotten a virus either... I just read and pay attention to the alerts. With all the humdrum about Melissa the weekend before the outbreak, it was almost humorous to find that people got infected by it. It was announced on the news. They gave a perfect description of how it would appear in your inbox. Yet millions of people disregarded it and opened the files anyways....

Re:Head in the sand?

[warmi]

Of course, using computers requires skills. You know why ? because of inability of programmers to design extremely intuitive interface and , belive me, Linux ( or Unix) is not going to change that any time soon ( if anything Windows or Mac will be there first.)

Re:Head in the sand?

[warmi]

Sure, you type "startx" and then (if X shows up, that is) you open 4 xterms. Actually, that might be all you need but it is _not_ intuitive interface.

Re:Hard to imagine

[ethereal]

The point of the comment to which you were replying was that this would be unlikely in free software, because there would be many more people looking at the modified code. If Ken Thompson's backdoor had been distributed to thousands of kernel hackers around the world when he came up with it, someone would have noticed.

Re:Hard to imagine

[ethereal]

Doh! You're right; I entirely missed your original point. If at any point you use a binary of a new compiler version, rather than compiling the new compiler from trusted sources with your trusted old compiler, you are vulnerable to this attack. I was thinking more of the case where you have a sizeable number of free software programmers who always upgrade via source patches. In that situation, you would have to compare md5sum of the new binary of gcc with the md5sum of the "trusted source+trusted compiler" gcc to make sure that the new binary gcc distribution really came from the sources that everyone thinks it came from.

Re:Viruses will come...Free Software isn't ready!

[ArsonSmith]

No way, this aint true

Here's a paper I wrote about Liuux Viruses

[dmuth]

In the wake of another Slashdot article that quoted Eugene Kaspersky saying that "there will be Linux viruses any day now" (and this was about two months ago, mind you :-), and the Slashdot post I made regarding Linux viruses, I turned it into an article which I posted on my website. The article can be found here:

http://www.claws-and-paws.com/virus/articles/linux _viruses.shtml

Share and enjoy. Comments are welcome.

Re:We need secure-sites

[Helge+Hafting]

>a an example dedebian is updated so slowly that it will always be behind in the race.

Bad example, I think. New debian packages tend to arrive in a matter of days - if you use the unstable branch. I get many updates (security and others) before redhat users even though the rpm's becomes available a few days earlier. Why? Because I don't have to look for upgrades *anywhere*. I run
apt-get update; apt-getdist-upgrade
now and then. The same command every time, no searching for packages, no reading the latest security warnings.

Re:Head in the sand?

[Helge+Hafting]

>Remember, most of the new Linux users will spend their whole life running as their personal userid - and a virus will not need root access to gra their email, compromise their information and files and so on - it only needs to compromise their account.... a trivial task.

But it still can't compromise the operating system, which helps a lot. Cleanup will definitely be easier. Oh, and we know that there are exploitable buffer overflows, but they are extremely short-lived. A virus can't rely on a particular overflow, because that one will be killed in a few days. And you'll have a hard time writing a generic program for any kind of overflow -something exploiting a sendmail overflow may have to know quite a bit of that protocol before it gets to the weak point, the same goes for all other overflows.

Center for Disease Control....

[Kris+Warkentin]

Computer virii have much the same criteria for spreading as real diseases. Diseases like ebola don't spread very far because they kill their hosts too quickly. Diseases like aids don't spread very far because they are hard to transmit. Only diseases like the common cold and flu spread massively around the world because a) they're very contagious and b) they don't kill their hosts, giving them time to travel and spread the disease. It is fairly obvious how hosts in Linux are quite a bit different to win/dos hosts: it's a lot harder to propagate something that exploits security holes (which constantly get patched) on a system which actually has a security (immune system?) model of some sort. In short, it isn't that virii CANNOT be written for Linux, it's just that it is very hard for them to spread. That is why no one bothers to write virii for Linux...the rate of return is too poor.

Re:UNIX (and Linux) viruses - the real story

[Felinoid]

Just my opinion but we can theries all we want about how a virus might come into existence.
Unix has been around for over 30 years and viruses have not been an issue in all this time.
One of the reasons people think Linux has no viruses is becouse Linux is new...
However Unix isn't... and I doupt something that hasn't happend in 30 years will magicly happen in the next few months...

Ohh Linux will have viruses.. and virus patches..
If the one known virus is any indication..
A linux virus lifespan is on the range of a few months.. vs the avrage Windows virus life span of vertually immortal...

It's good to be prepaired..
But not paranoid :)

Virus scare on false assumptions

[Felinoid]

Assume: Viruses are unknown to Linux becouse Linux is new.
Wrong: Linux is based on Unix who has been around much longer than MsDos...
Linux would have picked up all those wonderful Unix viruses.
However like SunOs and BSD (who are much older than Linux) and most other *nix systems there are few if any viruses. (There is one Linux virus that I know of and it has been dead for years. This virus made use of the stupid behavure of running all software as root a big security no no).

But wait... theres annother reason this is offbase...
Viruses do not take that long to come into existence. There were allready a wide selection of Mac viruses by the time the Mac was as old as Linux is now.

On the other hand viruses for Unix are allmost unheard of.
It is due to the way Unix works.. For the same reason a program can not change system settings, erase data files or generally mess with the system... a virus infecting Linux would be a major effort.
Viruses infect Dos and Windows becouse any given program is trusted to do whats right. As such a virus can do anything it wants.
Unix is paranoid Dos is nieve and viruses only work on a nieve system.

Virus experts would like to believe it is posable to slip stuff into major protions of source code. However unless someone like Linux or RMS started writing viruses or willingly let others infect the code they maintain this isn't going to happen.

It is easy to forget that each peace of code has a respected "gate keepper" protecting his/her version of the code from bad code, back doors, trojens and viruses.

If ever such an event happend the person who let the bad code in would never be trusted with anything again and he'd never hear the end of it.
"There goes Jimmy Deot.. the guy who infected his code"
"Ohh you are 'That guy' keep away from me.. some of my friends run Linux and they'd kill me if they knew I was talking with you"
"You want to work here... we'll I don't know.. we don't want you anywhere near our computers becouse.. you know... I mean.." "You run Windows for christs sake.. don't worry I won't do anything evil"
You get the idea.... They guy who lets this happen won't live happly ever after... piriod...

Re:Virus scare on false assumptions

[QuantumG]

not true. linux viruses are not prevailent because the technical skill required to write them comes from people inside the linux community. These people feel a desire to gain knowledge, not vandalize and hassle other people. Kevin Kelly said "viruses are a critical part of all complex systems", the beleif that viruses can only thrive on naive systems is, well, naive. The human body is not exactly naive, nor is the whole web of life. You can check out modern linux virus research at http://www.big.net.au/~silvio/. Programmers who get infected with a linux virus and then pass it on would not be shunned by society, probably they would just be kindly informed that they were infected and then post an appology and a clean distribution.

Re:Virus scare on false assumptions

[--==Fengor==--]

I agree that in the situation such as now we don't have to fear viruses on linux. But it isn't entirely safe.

With the momentary hype of Linux more and more Windows-User will try to use linux cause it'S IN and i guess with them theyy'll bring their little joke program which are the common breeding place of trojans, worms and virii. Of course a wide spread plagze isn't likely to happen since the programs would probably only run on the users priviledges but even that may be a major loss of vital data to a firm if he works in a high office!

a simple fact to the end:
As long there are humans using computer ther will always be one dumb enough to catch a virus, not matter what OS used...

Loan me a moderator point...

[CodeShark]

Where's a point when you need one, darnit... I'd give you one if I had it, two if I could ;-)

More important, distributions like RedHat and ilk need to carefully consider what their default configurations look like, knowing that setting up maximum security as the base configuration is a wise thing to do.

If you hear some sound of faint clapping, it's probably me out here in unknown IP land applauding your pinpoint comment about the one thing that Linux Distributions absolutely should be doing if they want the community as a whole to escape the plethora of problems foisted on the world under the lead of WinXX.

Call me a network Nazi or simply a cautious SysAdmin, but when I install an OS on a box, I want it absolutely secure until (if and when) I am ready to communicate with the outside world, and I want absolute control over what can be communicated and how.

The simple analogy is, though we may be friends, I might not trust you enough to loan you the keys to my car, house, my cell phone, etc. Or more likely, I probably won't tell you how to access my bank account, use my credit card, etc. But if I leave my machines (or networks I SysAdmin) vulnerable, it's like doing all of the above.

The bigger danger where I work...

[CodeShark]

...is that there are other SysAdmins (NT side) who insist that they should be allowed free access to every box on the network, so that they can do remote configurations and diagnosis of problems on user workstations. Seems to be a good idea, and they actually got the PHB's upstairs in the IT department to sign off on it. At which time the more senior developers (myself included ) quietly installed locking software on our NT boxes which prevents them from gaining remote control access to our boxes, for one simple reason:

1. NT is more vulnerable than Linux to virus attacks.

What this means in practical terms is that even if I have a safe machine behind a firewall, I can get a virus or hole in my own security from another unsafe machine on the network.

I have seen entire network segments in big companies go down when a virus and/or security hole got replicated by remote configuration/distribution software (such as M$'s SMS). It didn't help that these companies tried to distribute from "clean room" distributions (tested and certified "virus free")-- all they did was pass the security hole around, leaving all of the updated "clean" workstations open to get nailed by the same exploit(s).

Re:Safe practices prevent problems...

[CodeShark]

True. Of course, "safe sex" will cut down your risk of getting AIDS, gonorrhea, chlymidia, HSV-II, etc.

Of course, it takes time and energy to prevent those things, and ya'know, when I feel the need and I gotta have it now, I might just maybe drop my guard just this once because, ya'know, I trust you and you don't have any of those diseases, right?

And your PC doesn't have any of those virus thingies, so I can safely drop my guard just this once cause I feel the need to see the uber-kewl screen saver you just sent me via email...

You want safe sex, try abstinence before marriage and monogamy after. You want safe systems, you start with a clean (virginal) computer, and don't let it sleep with strangers i.e., no-one gets access to the private (root) areas, processes, etc... until their own security has been well established.

Re: military strategy...

[CodeShark]

fairly simple theory was demonstrated that actually not hitting a target often pulls an enemy's resources to the areas where you are attacking (away from your next likely target). Then striking that target often is easier since the defenses are weaker and have not prepared for such an attack.

Ideally you don't even have to strike the target: think of Normandy (WWII) and Schwartzkopf's Gulf war strategy. In both situations, the enemy was led to believe that the bulk (and therefore the danger) of the invasion force was massing at point "A", when point "B" was the real target. So the defenses at Point A are useless.

Of course, there's a correlary theory which we all ought to consider here, which is that the best current defenses are often one war too late to prevent the invasion. [which is why France was used as a battleground in WWII after greatly beefing up their border defenses after WWI.]

Re:Hard to imagine

[akintayo]

Interesting I will read as soon as I finish my homework. But I don't think Linux is as susceptible to virus since most viruses are spread by running pirated or other dubious software. Since switching to Linux, I have only installed two such progs and I checked the source. Even if someone were to infect a popular ftp, the offending program would be removed quickly. I think the way in which the os is used rather than its capabilities, will protect it from viruses. Imagine what you would do if your box was wiped out by a virus tomorrow ?.

Of course it is...

[G-funk]

Of course it's just as vulnerable to attacks. The same users who run untrusted files as Administrator in windows2000 or NT are the same that give themselves root priveledges or run as root on their desktop linux boxes. After all, who needs security from themselves, right? ;-)

Virii (computer kind) can't spread without humans carrying it a little bit of the way.

-Gfunk

Re:Of course it is...

[SquierStrat]

No one cares if the word exists! No one cares if you are at Harvard! Ewwwwww! I got a scholarship to Harvard, yet my I.Q. is to low to know not to that swearing makes me sound like an idiot. Everyone makes mistakes in spelling, you even did mister I got a scholarship to Harvard that no one really cares about, but I can masturbate to the letter in my dorm room while my friends who also got scholarships to Harvard do the same! How many people get scholarships to Harvard or other Ivy-League schools? You answer: plenty. Unless there's only one and you got it, you're scholarship makes you no more important than anyone else, okay?

Re:Of course it is...

[QuantumG]

viruses can spread as non-root too! the most interesting linux virus trait is to gather authentication tokens to increase the yeild of program infection. Someone su'ing to root is a god send if a virus can simulate a getpass().. infect /bin/ls and you have the entire system. Then it's a matter of getting off that system and onto another.. this is where the line is blurred between virus and worm. Infection (and residency) is really about following the user.. go where they go and you will find others to infect. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

So where are they?

[LLatson]

I think the most significant argument against this guy is that Linux virii are just not common. The number of Linux users is growing at an exponential rate at the moment, and yet (besides the general lapses in security management) virii have not been a problem.

LL

Re:Viruses will come...Free Software isn't ready!

[wfberg]

Quidquid Latine dictum sit, altum viditur.

Whatever is said in latin, is regarded as being high-brow..

add to your .sig ;-)
--

Linux Intrusion Detection System [LIDS]

[stompro]

Checkout www.lids.org. This is a way to protect your system even if someone has root access, you need to know a different password that is compiled into the kernel to do things like: mount disks, put ethernet into promisc mode, write to specified dirs, .... many many things. protects against kernel modules a number of different ways.

The /. effect :-)

[tietokone-olmi]

One controversial (i.e. completely clueless) link, and we have about 400 comments. That's the real slashdot effect...

Worms are probably much more dangerous.

[Chuan-kai+Lin]

As many people have pointed out, viruses should not pose a big threat to Linux systems. Most Windows viruses propogate through SEX (Software EXchange) activities, where binaries carrying the virus are passed from one system to another by careless users. But for an open source environment like we are having under Linux, most people obtain binaries from trusted sources, thus making it much more difficult for viruses to transport this way. (The FreeBSD ports even do not transport binaries from remote hosts.)

However, that was for the stand alone systems of the past. Now since a great number of computers are wired to the Internet, especially Linux systems will likely be used to provide one sort of network service or another, worms (like the famous rtm worm) might turn out to be the greatest threat we will face in the future.

Implementing one may not be as hard as you might think. First, monitor bugtraq on a daily basis (well, securityfocus will also do), and you will likely to spot a new remote buffer overflow vulnerability within a month or two. You should be able to find the exploit (either verbal description or source code) with it, and that is where you will start. Write some code to activate the exploit against a remote host, and change the shell code to something that plants the worm into the target system. If you are in good spirits, you may even incorporate a root kit into your worm, but I can imagine infecting binaries should be good enough in most cases.

Ask yourself why script kiddies are called script kiddies: because what they do usually requires little intelligence. In other words, you can write a program to do exactly the same things. The can be automated. That is what makes it a genuine threat to us Linux folks.

Of course, I believe most /.ers can (and will) secure their own systems, but the problem is that there are many people who are not as capable as we are, or simply does not give a damn about security issues. They might be convinced that buying (or maybe even pirating) some "security software" will be enough to secure their system, just like back in the Windows days. Wrong. Bad management also contributes greatly to the problem. Just look how many systems are open to third-party mail relays... these systems are almost always important production network servers, something that people will *pay* others to administer. If they cannot even seal this trivial hole in their system, then how about real security problems? How about other "less important" systems that nobody looks after?

Re:How?

[SEWilco]

That's the reason there are so many problems on MS-DOS/Windows systems. MS-DOS (and Windows3/95/98) require certain hardware and software be available to programs, so it is easy to take over a machine. Altering this wide-open configuration breaks many legitimate programs.

The Unix security philosophy is that a user never gets direct access to hardware and system resources. They have to be given permission by the system to use resources, and generally merely request actions which are performed for them by device drivers. Any exploit is considered a problem which can be fixed without breaking legitimate programs.

No need

[Grimwiz]

In the same way the immune system doesn't produce antibodies until it has something to attack, the Linux distributions won't produce virus killers until we actually find a virus in the wild. If you know ahead of time how to identify and kill a virus then you've obviously got a better crystal ball than anyone else and should go and make a killing on the lottery. Either that or you're the chap who's just written one.

I haven't noticed a lot of "defragment" programs for Linux either, perhaps because the ext2 filesystem is inherantly less likely to become fragmented.

If necessary, market forces will bring required applications into being if there's a market for it. Hey, it even brings products into being even if they don't work but you can get suckers to buy it anyway.

--

Would it be possible to "listen" to the keyboard?

[GauteL]

Could a virus listen for a "su" command by
a user, and then catch the root-password?

Re:Viruses will come...Free Software isn't ready!

[Lotek]

Darn, Bablefish Still doesn't have that Latin--> English translator up!

Things sound cooler when said in latin.-Rough translation of my sig.

He's right--but timing is everything

[Otterley]

Mr. Garfinkel is correct in stating that Linux is susceptible to virii. Almost every operating system is.

A better treatment of the subject, however, would have been an analysis of the types of "risky behaviour" (to coin a phrase often used in the 1980s, and I do realise it's a cheesy term!) that could lead to the viral epidemic he envisions. As Linux increases in popularity, a greater number of people will engage in risky behaviour, solely out of ignorance, because they, like most computer users, are unaware of the ways that computer virii are contracted and spread.

Viral infections on UNIX platforms are generally less frequent than infections on other platforms because software for UNIX platforms has traditionally been available in source format. In the not-so-distant past, there was a One True Location where one could download the source code for a particular project, and one could assume with a reasonable degree of certainty that if one did a "ftp /get; configure && make && make install" that the software would be installed as described with few surprises.

But, the world is changing. The "download, examine, compile, install" days are disappearing fast. Mirror sites for source tarballs, often untrusted, appear more frequently these days, and binary RPMs are being built and distributed to servers around the globe by anonymous or obscure third parties.

We must consider the growing commercial appeal of Linux and the increasing number of binary-only software packages being shipped daily. It's far easier to contract a virus in a pirated binary copy of, say, Oracle 8.x (as an example) and installed as root (because the instructions said you should do so) than it would be if you installed the latest Sendmail build that you downloaded from Sendmail Inc. and compiled on your own box.

What all this means is that while Mr. Garfinkel is correct, and there is certainly an untapped market for anti-virus software, one should take care not to overhype the threat and to examine the ways that virii can be introduced, particularly through the proliferation of closed-source software and the implicit trust many people mistakenly give it.

Re:Herd effect

[Sq]

It was first mentioned in NCSA 1997 Computer Virus Prevalence Survey, IIRC. There are also other artuicles refering to it, I don't know URLs anymore, sorry.

Your favourite search engine should find some of them given 'herd computer viruses' (I would recommend Google)

(It looks one copy is NCSA ''97 report is here)

www.ncsa.com should have a link to original site but is unreachable right now(NCSA [National Computer Security Association] changed name to something else, like Ixxx)

Herd effect

[Sq]

I doubt it that Linux viruses will ever become popular. Here are few reasons for that:

- Herd effect. For viruses to be successful (as opposed to trojan horses for example) they must be good at spreading. Herd effect prevents that - if more than say 40% of population is resistant to that virus, it will fail to spred widely; if more than 60% of population is resistant, it will fail to hit more than few people before it stops spreading. (that is real work biology example working everywhere else, computer viruses included, or so am I told). Given that current population of linux users is mostly at least 'advanced user' or 'having knowledgable sysadmin' (think corporate use) herd effect alone should be able to stop viruses for becauming popular.

- The practice of exanging binaries thrtough E-mail is not popular in UN*X world. Here and there sysadmins and experienced users do send diff files or even smaller source via E-mail, but practically NEVER binaries. Novices don't send binaries at all, because they will miss libraries and stuff and would fail to run them in 90% of cases.

- Same thing with exchanging floppies with friends etc. In linux world, it is much more popular to just get URL and grab latest package from developer homepage, or your distribution maker. And there are not that many sources to get programs from even for advanced users (much less for novice users, who will rarely go further than their ftp.redhat.com or simular)

- even if virus catches on, it will need root access to give it effective chances to spread (if it only modifies current user documentes/mails/executables, it will die off _much_ more quickly), and for root it either needs to actively hunt for exploits (very hard and would need constant updates to keep up with kernel updates) or count or user dumbness to do everything as root (which is, thankfully, becoming much harder - every day more and more programs instalntly SUID to some other UID if run as ROOT, or simply refuse to run printing error message)

Re:Herd effect

[QuantumG]

The herd effect stuff is interesting.. anywhere online that I can read about it's effects on computer viruses? I think this is a hurdle and virus programmers will just get smarter and make it harder to detect that you are infected. Downloading binaries is pretty popular, even now, and will get more popular in future. Jumping from user to root is not a great problem, if the user su's.. using exploits is bad.. it sets off alarm bells and ties the life of the virus to the exploit. code that automatically searches for exploits is a damn hard idea (and possibly an example of the halting problem?). There is some great research going into computer viruses that will answer a lot of these questions and pose solutions.

Linux as a species

[philburt]

A species with a lot of genetic variation tends to be less susceptible to disease. One could argue that the proliferation of Linux variants should be encouraged to keep the species healthy. Shure, a virus goon could write a virus for Red Hat, but would it work on Slack?

Down with LSB!!!!

Re:How to get infected using Linux...

[Hardware_Bob]

no, that can't happen.
what it DID do, was creat a program called su in your path before the default su, trapped the password, immeadietly became root and screwed your system.

--------

Viruses are NOT a problem.

[Restil]

His points were valid. Stupid system administrators might possibly screw up their system(s) by doing things they shouldn't. Virii are really the least of their concerns in this regard. A computer platform is likely to remain virus free, be it windows, unix, linux, whatever, if the person using it has at least half a brain and follows some common sense techniques.

First of all, make sure your system is patched with all the up to date security patches, so the exploits which would even make such viruses possible won't even be available.

Second, don't run user applications as root... EVER unless it is absolutely necessary. Downloading source code from a respectable source and compiling it is not a significant security risk. Having the source available would make detection of any security problems easy and would be a serious loss of respect for whoever released the source in the first place. This is not a likely concern.

Of course, downloading binary rpms subjects yourself to the same set of circumstances. If you download a binary and run it as a normal user, the impact is minimal (assuming you never run it as root, and you shouldn't). If you plan to run something as root, download the source and compile it. Whats that you say? There is no source available? What operating system are you running again? If you feel a closed-source program that requires root to execute is THAT vital...well, thats just a risk you're going to have to take.

From the way he describes "viruses" the automated root kit installation is practically there. The only thing missing from it would be a feature to make it spread. Any bored programmer could probably add such a feature in an hour.

However, root kits can be detected with utilites like tripwire. Of course, such a "virus" could modify the actual kernel to return false information about infected programs, but that condition would be removed the first time the kernel was recompiled, and besides, it wouldn't affect a tripwire scan when the kernel and detection program was executed from a write protected boot disk.

Well, thats enough for this rant.

-Restil

Re:Viruses are NOT a problem.

[QuantumG]

you dont need root to spread, you dont need to modify the kernel and you probably shouldn't. Modern linux viruses are about following the user around.

Virus vs. Trojan

[Double+A]

/begin{rant}

It's important to keep in mind that a Trojan is not the same as a virus.

A virus is a self-replicating piece of machine code that usually attaches itself to the end of executables. It does not have to be malicious. It merely has to be able to replicate itself and spread. Just like a real virus.

A Trojan, on the other hand, is a program (not necessarily self-replicating) that piggybacks along with a familiar, trusted program. Malicious hackers and computer criminals have been using Trojans to propagate malicious code on other systems since computers and criminals met each other.

Viruses are often Trojan'd onto familiar programs as a method of introducing them into a system, but once there, they take care of spreading themselves.

/end{rant}

Re:Head in the sand?

[Bun]

' "Wer nicht hören will muss fühlen!"
(Who don't want's to listen must suffer)
Anyone have a better translation for this? '

"Who will not listen, will surely suffer."

Cheers,
Bun

Reality Check - Virises are executable

[acidrain]

Remember, most of the new Linux users will spend their whole life running as their personal userid - and a virus will not need root access to their email, compromise their information and files and so on

Sorry, but a virus needs to be executed! And the package management system and therefore the installed programs will not be running as root.

To be effective a Linux viris needs a root exploit.

Re:Reality Check - Virises are executable

[CmdrPinkTaco]

This is kind of a "what-if" situation

What about a virus that was similar to the Melissa virus in that it was able to propegate itself. Suppose that it was not able to go through your e-mail files, but instead it could ls /homes/ and then send itself to the users on the local system. After it sent itself it would rm the users files (or whatever said virus wanted to mangle). While it is true that it would not damage most of the root processes it would be a huge annoyance to the local users of the system, and could potentially bog down a system. If this was a university that had thousands of users, there would be a lot of pissed off students.

Maybe I am being naive, but is there anything that could prevent such a "virus" (if you want to call it that) from happening?
-------------------------------------- ------

Re:Reality Check - Virises are executable

[phantomcow]

I assume since you say it won't email itself, that it is supposed to copy itself to every users directory... infect their .login or suchlike Everyone's home directory would have to be world writable.

Don't make your home directory world writable. At my school you could lose your account for being that stupid. Just because you don't think anyone wants to take your silver (it's really only plasticware) is no reason to leave your door unlocked.

Re:Head in the sand?

[Ventilator]

How intuitive is it, when you need to press the RESET-Key-combination to start using the computer, and how intuitive is it, when you need to press "START" to end your session?

On my Linuxbox, I type "startx" to start the GUI, and I click on "exit" to exit the GUI.
That's what I call intuitive. And M$ is not gonna change that any time soon.

Re:Head in the sand?

[Ventilator]

Well... who said that using a computer requires no skills? When you want to drive a car, you need a license too.

I remember when I got my Amiga, two weeks later, the machine started to behave really weird. The computer would suddenly freeze with a black screen and I had no clue what was wrong. I phoned up some friends and asked them, what this could be since it only happened when I booted the Workbench. One mentioned a virus called "Byte Bandit" and told me, how to remove it.
So I cleared it off the disks and three days later I read in a Mag that there are virus-checkers that help you removing those viruses.

Note that I had to know what write-protection-tabs are for, I needed to know how to install new bootblocks and how a virus on an Amiga actually works.

Todays Newbies often show a great amount of arrogance to computers. "WTF do I need a manual? I want the computer to do what I tell it and I want it to understand what I tell it! I don't read any manuals, reading sucks! I want videoclips!"
I often tell them, that it'd be good invested time to just try out things, read a manual or a book. All I get to hear is: "I have no time for this learning stuff!" And then, they burn up hours and hours just to figure out, how to print the groceries-list with Excel...

Therefore, when there ever will be a linux-virus, I think it'll mostly harm those arrogant dumbsters running any program as root since they don't know better.
And IMHO, they deserve it!

"Wer nicht hören will muss fühlen!"
(Who don't want's to listen must suffer)

Anyone have a better translation for this?

Re:virus threats

[nhowie]

Interesting point, but you forget one thing: if programmers can use it, then it will have either a known structure, or an API (which I doubt). Either way, a free version can be written, negating the need for the M$ Office license. OTOH, if Linux programmers actually needed a M$-style registry, it would probably already have been written.
--

Re:It will happen - but not as bad as windows

[thogard]

While were talking about current developments:

Trojans have recently been found in things like wuarchive ftp.

Re:Head in the sand?

[m3000]

Most such things for Linux are distributed as source code, and so can be examined for malicious content.

Ah, but we have Joe "New to Linux" Doe who can't program to save his life. How is he supposed to know what a "good" program or "bad" program is? He can't, he's just as helpless on Windows as he is on Linux.

Re:Head in the sand?

[m3000]

when you need to press "START" to end your session?

I HATE that analogy. The very first time I had ever booted Linux, I had no fscking idea how to get it to reboot so my dad could use the computer (for Windows). A big foot is no more initive than a Start button. But at least to the very beginner, they see "Start", and think "oh, I must have to click this". Then hopefully they'll see a "Shut Down" option in that start menu. I'd say it's a lot more initutive to the vigin newbie than a big foot or big K.

Also, you run "exit" from the command prompt, not from X. So I don't see how that as any reverance to how easy Linux/Windows is to a newbie, as a newbie would stay in X.

not to nit-pick...

[paRcat]

Shouldn't that last line be

calvin:~# happy99

?

Re:Would it be possible to "listen" to the keyboar

[QuantumG]

not the keyboard, the psuedo-terminal. snarfing authentication tokens is a way to jump from user to user and yes, to root. The technique is follow the user and it is what modern linux viruses are about.

Re:Reasons enough

[QuantumG]

ignore me. I am trying to inform people that you dont need root to spread and you dont need to modify the kernel.

Re:I'd say linux is less virus-friendly...

[QuantumG]

hehe

Re:Don't run as root.

[QuantumG]

you dont have to be root to spread. Modern linux viruses dont run as root, they dont infect the kernel, they follow the user and snarf authentication passwords. So when you download that game and run it as user "safedude" and it says "this game must run as root" and su to root, it is sitting there snarfing your psuedoterminal for the root password. It then spawns it's own su, enters the root password and infects every running process. Even if you only su to "safedude2" it will follow you there too, and all the executables you run as safedude2 that are writable (or owned by safedude2 and can be chmod()'d) will be infected.

Re:I ain't no linux guru...

[QuantumG]

you most certainly are not

Re:Root isn't a barrier any more

[QuantumG]

even then, you don't need root.. if your average user is downloading binaries then one infected binary can infect all their binaries.. give one of those binaries to a friend and you have an active virus. I think viruses will really take off when binary distributions become common place and warezing starts happing.

Re:Maybe the software isn't ready but some users a

[QuantumG]

unless you get down with gdb then you don't know squat. redhat could get infected (especially seeing we all know linux viruses don't exist) and give a copy of it to everyone.

Re:By his logic, we already do have Unix Virii

[QuantumG]

there are linux virii and quite interesting ones.. is the world plaqued by them? no.. is it ever likely to be? maybe.. it really depends on how many young coders start joining the linux band wagon (it is usually beginner and inexperienced coders who find spreading viruses entertaining).. Will we have a defense? Only if we support virus authors and researchers.

Re:No Virus == No Anti-Virus software

[QuantumG]

there are linux viruses, they are just not spreading. Anti-virus research for linux must be supported now to ensure there will be a defense when linux viruses do start to spread.

Re:Remember the Worm!

[QuantumG]

ok.. the concept is to snarf the user's authorization tokens. You read the user's pseudo terminal when they are running 'su' to get root.. note that you don't need root to propogate.. if the user has writable binaries you can infect those and he can give them to another user. This is how traditional viruses spread. If you can follow a user through an su (that is over a suid binary) then you can infect every running process of that new user, and from there any file that new user opens that is writable. If the user su's to root then you can infect every running process on the system and from there every binary that is opened. Note that you could search for binaries or infect everything in /bin but that is almost breaking the number one rule: follow the user.

Getting off the box is a worm problem. You can snarf hostname+username+password when a user runs ssh and then just move like a worm (over a secure connection!) and the same with ftp, telnet (slightly harder, but not much), etc etc.

Re:How?

[QuantumG]

modern linux virus technology does not use exploits.. that's rule number one.. a virus that is based on an exploit will last as long as the exploit.. modern viruses follow the user and attempt to gather authorization tokens. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Remember the Worm!

[QuantumG]

virus != worm.. though when it comes to linux we will really start to blur that line.. the Internet worm mainly spread by the finger exploit.. but the strength was that exploits were commonly unfixed and there were a lot of them. Modern viruses do not rely on exploits to propogate.. in windoze virus terminology, most linux viruses are "ring-3" (commonly called userland), not "ring-0" (kernel). The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Reasons enough

[QuantumG]

kind of abusive arnt we? Writing viruses is no simple task (I exclude macro viruses.. there's a legal requirement that you shove your head up your own arse before you can write a macro virus). Now spreading a virus is simply stupid.. you gain nothing from it and make people's lives hard. Writing viruses is just as hard as uncovering a security flaw and writing an exploit.. if not harder.. do some research before you preach. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Figthing Virus

[QuantumG]

that's right.. an open community can do more to defend against viruses than an antivirus company ever could. The first step is to admit that it is possible and investigate the ways that it could be done. Many linux viruses have been written and most have a scanner written for them too. Every new virus provides information for a "generic scanner". The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Hard to imagine

[QuantumG]

thank you! thank you! No.. there arnt really any computer viruses.. they are written, they do not spread.. macro viruses spread and email worms spread.. but they are signs of poor understanding or apathy on behalf of users. most computer virus authors write viruses for the sake of understanding the technology. Spreading computer viruses is considered taboo in the computer virus community. linux is not exception. there is a lot to be learnt about linux viruses, and yes they are possible. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:Reasons enough

[QuantumG]

bah.. we think those guys are dickheads too. But I dont see a vcl for linux do you?

Re:Will it be too fast, too much?

[QuantumG]

viruses are a crucial part of all complicated systems.
- Kevin Kelly

Re:An EFFECTIVE Linux virus is very difficult

[QuantumG]

all good points.. but just things to get around. As linux becomes more popular binary distributions will become common. Download a binary that has a virus and run it as a normal user. Now you can infect every process that is currently running by that user, not the binary, the process. Everything that user touches that has executable and writable permissions will be infected. Lets say the user now compiles some code, that binary will be infected, the user puts the binary into a tar ball and shoves it onto their ftp site for distribution.. the virus spreads. This is just file infection. When you add to that gathering authorization tokens and other methods of "following the user", an effective virus can be written and has been. You can look at the source, and hopefully the idea will not scare you so much that people like Mr Garfunkel drive this research underground. check it out:

http://www.big.net.au/~silvio/

Re:I'd say linux is less virus-friendly...

[QuantumG]

bah.. I typed 'make' and it gave me a binary, obviously I ran it. Read the source!? try to think outside the square you live in. You mom doesn't read the source, hell, your mom would probably go for the binary distribution.

Re:Wasn't there a virus once before in Linux...

[QuantumG]

modern linux viruses do not run as root.. they do not use exploits and they do not infect the kernel. Modern linux viruses are about following the user. You can read about recent linux virus research at http://www.big.net.au/~silvio/.. this is the first step to making a viable defense system to viruses. One must understand viruses to defend against them. I dont think you have to be "stupid" to get a computer virus (though it doesnt hurt).

Re:Voodoo Virus?

[QuantumG]

viable linux viruses are more than possible, they are written. check out http://www.big.net.au/~silvio/ for three.. I happen to know for a fact that this isn't even the total of this individual's research. He is currently on a holy quest to stop "oppression" and hasn't posted his latest code. Windows is getting boring, people don't copy binaries anymore (unless they're setup.exe which gets a bit tiresome), so linux, with it's unfashionable but existing binary distributions is a new target.

Re:anti-virus software

[QuantumG]

modern linux viruses do not run as root. They run as the user and follow them around. As for the interactive password, it's an authorization token, the virus can snarf it and pretend to be the user.

Commercial usage of viruses

[QuantumG]

In trying to justify the creation of viruses for other than research and the resultant defence against them, I have come to a few possible uses for computer viruses. Perhaps none of them are useful but they all reek so much of science fiction that they are worth stating.

1. Spy Shit. Viruses are great things for getting into systems when you have no known exploitable entrypoints. Just infect an employee of your favourite company / government and wait until it has penetrated their network. Once there it can tunnel out and give you full access.
   
2. Marketing / Tracking. Yes.. it's worse than cookies. Viruses are really really good at following people around. So they could gather up info and sell it to the highest bidder. How often you use your computer, what times of day, what programs you have and whether you run them often.
   
3. Law Enforcement. Yep. Put this under spying. But consider that most viruses spread because of warez and you have a neat way of tracking who warezez with who and how. Oh, and don't forget about tracking those linux radicals out there :)
   

This all steams from the old debate of "are there good viruses?". The unanimous decision was that there is nothing you can do with a virus that you cant do with a normal program. This was back in the days when people thought about single computers. Why risk having a virus escape to another computer when you can just run a controlled program on the one computer. The net changes everything.

Re:Linux doesn't have enough popularity yet

[QuantumG]

have been created. They don't run around infecting people because of the popularity problem. They people with the skills to program linux viruses are not interested in releasing them into the wild. They want to understand the various ways that a linux virus can spread and develop tools to stop that spreading. One day there will be enough people coding on the linux platform to find those few who like to cause people greif. Hopefully the anti-virus software will be far enough ahead to thwart them.

Re:Linux Viruses

[QuantumG]

that's stupid.. the virus spreads because people copy the binaries from one machine to another.. why would you copy an x86 binary to a ppc box? You wouldn't! Thus you could write an x86 ELF infector and it would spread to every box that someone copied infected binaries to. Yes, it is not going to jump to a PPC box but who the hell said it would? Does it even make sense that it should? here is your virus and it is mainly C, you can recompile it for any linux box you want (oh.. and fuck a.out, who the hell needs it.. ELF is everywhere).

correction :)

[QuantumG]

linux viruses have been created. They don't run around infecting people because of the popularity problem. They people with the skills to program linux viruses are not interested in releasing them into the wild. They want to understand the various ways that a linux virus can spread and develop tools to stop that spreading. One day there will be enough people coding on the linux platform to find those few who like to cause people greif. Hopefully the anti-virus software will be far enough ahead to thwart them.

Re:This is a Hot Grits Topic!

[QuantumG]

check out http://www.big.net.au/~silvio/.. you can infect a user as non-root, follow that user around, snarf their authorization tokens and move on. As for damage, viruses arnt about damage.

How is this an "epidemic"?

[CentrX]

Even in the horribly vulnerable Windows systems of the world, the number of viruses has never reached the proportions of an "epidemic." If the spread of viruses never reached epidemic proportions with the insecurity of Windows, how is it going to cause so much more of a problem with a more secure system?

Even the most intelligent and informed Windows user is susceptible to viruses, simply by the way Windows is put together. Naive users are even more susceptible. However, in Linux, an intelligent and informed user is not susceptible to viruses. You have to be the naive user in order to be infected. Any person who gets infected with a virus in Linux has this happen to them because of ignorance or stupidity. In other words, while this may sound Draconian, it's their own fault.

Chris Hagar

Head in the sand?

[soulhuntre]

This is clearly true - as Linux becomes more and more common there will be more and more less sophisticated users... and a system that relies for it's security on the interlocking permission settings on thousands of files is inehrantly hard to evaluate in this regard for them.

Remember, most of the new Linux users will spend their whole life running as their personal userid - and a virus will not need root access to gra their email, compromise their information and files and so on - it only needs to compromise their account.... a trivial task.

If you think Linux is safe... your wrong.

Ken

Re:Head in the sand?

[plague3106]

True, unless a normal user has some kind of admin power, a little or a lot. But usualy people with that kind of access will know what to look for. So i guess the biggest threat would be a company, if say someone on the sales team somehow launched a virus, it could potentonally damage the sales group files. But for the most part i doubt even that. Anyone know of any unix virii that have run amuck (like moderate to serious damage)? If not, linux is probably say b/c if someone hasn't been comprimised by a unix virus before, i don't think its going to happen. its been around what, 20, 30 years now?

Re:Head in the sand?

[stephensamuel]

A Linux viri might be able to infect a USER easy enough, but infecting a SYSTEM would be MUCH harder. It would require two stages:
1) Infect the user
2) root exploit.

Part 2) is only easy if the virus is executed by a user running as root/administrator, or has access to files that are used system-wide. Under Win95, this is trivial. Under NT it's a bit harder, but -- as pointed out elsewhere, much software (esp. Microsoft software) requires write access to system-wide files. This is mostly a legacy of the dos->Win{3.1,9?}->win{NT,2000}.
With linux, getting a root execute often requires some serious social engineering. This impedes the spread of viri to something much slower than the spread of news about it.

In almost any case, he most drastic action needed to sanitize a Linux system is to scrub the system of every file writable by the infected user.
For Linux modularity, this is usually containable. With windows, this often requires the destruction of enough pieces that you might as well scrub and re-install the whole system.

I think the quick summary is that -- Yes, Linux is susceptible to viri, but:
Most unixen (inc. linux) comes with a package of condoms. (remember to read the cautions on the insert).
If you're lucky, your Windows box will come with a big box of neo-citrin, and a "Just Say NO" sticker.

Re:Head in the sand?

[DrgnDancer]

I think the article specifically targets Linux because it is the most vulnerable form of Unix to this problem. The problems forseen by Garfinkle rely on mass public acceptance of the OS, and Linux is closest to that goal. Users of other Unicies remain largely programers, adminstrators, and various other techo-ppl. Back when I was doing tech support, I had two occations where I had to indstruct a new Linux user on how to make a non-privilaged account so they would not access their machine as root ALL THE TIME (This was not a Linux company BTW, we were just a hardware vendor. I just happened to be the only tech with Linux experience, so I got tranfered all the calls that weren't Windows machines). They had no concept of a seperate admin account. Newer installers are helping (They allow you to make a non-privilaged account during install), but many newbies still have no understanding of Unix security (I know I didn't when I first started. I actually found Practical Unix and Internet Security a big help). He is not saying that the Linux software is inherently any less secure than other Unix's, but rather that Linux is starting to attract a less security conscious user, and that it's popularity is soon going to cause more of an effort to made toward creating "viruses" for it. If anything the article is complementry to the success of Linux, and a prediction of its continued growth.

As to the use of the word "virus", I believe that Mr. Garfinkle was using the Windows world definitionm which from what I can tell is "any malicious piece of code that you accidently get on your computer somehow." Not a correct definition technically, but when writing it is a heck of a lot easier to refer to genreal "viruses" than to have to type out "viruses, trojans, worms, and other malicious code" everytime you want to make a general statement.

Re:Head in the sand?

[pvcf]

I agree that Linux is not entirely safe. But, any attempt to stop the spread of viruses and the like must go hand in hand with packages that help secure the system in general.

Simply installing a virus protection program may lead to a false sense of security. Although I am sure I am preaching to the converted on this point. My point is simply that Mr. Garfinkel's article fails to mention this.

The original poster does ask, "What do you think of this commentary?". I feel the above was an important thing to leave out. Moreso because the article itself mentions that gaining "root" access can be integral to the virus attack.

Paul

Re:Head in the sand?

[sjwt]

>> True, unless a normal user has some kind of admin power, a little or a lot. But usualy people with that kind of access will know what to look for.

If i didnt make a mistack wasnt the point of this guys artical that with more and more ppl with next to no knolage of linux, the sorts of ppl who can read a source file and who would just use an installer package incressing and maybe even set to bomb that in a few years there coudl well be a signifactne percantage of linux systems with joe blow runing as root all the time, instlling this and that..

Re:Head in the sand?

[Suidae]

"Anyway, none of the computers that I ever owned ever had any kind of anti-virus software on them. Ever. Yet, I've never been infected."

Not having any anti-virus software, how can you be sure of that? Perhaps you just never noticed, or do you regularly examine all your EXE's and boot sectors?

Perhaps it would be better to say that you've never had a system failure that you could conclusivly track back to a virus.

"I personally believe that the vast majority of viruses on Win systems come from stupid people opening executables in the email attachments. I seriously believe that if EVERY EMAIL CLIENT simply disregarded (throw away) executable attachments, we'd see a HUGE decrease in virulent outbreaks. After all, we have FTP and the web for distributing programs. Using email for that purpose is a complete waste."

Unfortunately computers and the internet ought to be usable by the average joe as well as the technicly savvy. It is important that all users be able to share files easily, and safely.

The proper solution is to make it hard for the virus writters, not the users.

Re:Head in the sand?

[babykong]

The REAL False sense of security is in thinking that it only happens to someone elses operating system.

This like the argument that you should not wear your set belt lest you be lulled into reckless driving by a false sense of security.

Some Linux servers were turned into attack zombies in the spate of Ddos attacks recently. I am currently using Mcafee uvscan on my Linux boxes which will scan for Trinoo and the rest.

Then of course there are the people who will put there infected DOC files up on the linux server to be downloaded by others.

Doing this, I can assure you, has not made me warm and fuzzy enough to not bother downloading the saint beta 2.0 which will scan for vulnerabilities for same.

Virus checking should be a part of the security program for any network.

Re:Head in the sand?

[Eil]

Someone moderate this guy up!

I've been stating for years that as long as you are smart and careful about what you download, you will never catch a virus. I've been using using computers for (looks at watch) holy shit, 12 years to the day! :P) Anyway, none of the computers that I ever owned ever had any kind of anti-virus software on them. Ever. Yet, I've never been infected.

I personally believe that the vast majority of viruses on Win systems come from stupid people opening executables in the email attachments. I seriously believe that if EVERY EMAIL CLIENT simply disregarded (throw away) executable attachments, we'd see a HUGE decrease in virulent outbreaks. After all, we have FTP and the web for distributing programs. Using email for that purpose is a complete waste.

And I completely agree with statement against executable documents.

Re:Head in the sand?

[Jacques+Chester]

> The original poster does ask, "What do you
> think of this commentary?". I feel the above
> was an important thing to leave out. Moreso
> because the article itself mentions that
> gaining "root" access can be integral to the
>virus attack.

And - as others have pointed out - why bother with a virus when you can get root access? JC.

--

Re:Head in the sand?

[arivanov]

If you think Linux is safe... your wrong.

Your statement is overrated. Here is why:

In order for a virus to proliferate it needs to execute and infect executables. Even on "home" linux systems the executables are 99.999% not owned by the user. The user has no +w on them. So unless the virus attempts an exploit it will not be able to infect executables. There are few notable exemptions of course:

• College campuses and enterpirse networks with a d...head sysadmin. Users install their own software in their home dirs. Guess what happens next.
• Debian and Co and users in the group staff. /usr/local/bin is writable. Oh-oh...
• Developer users that write their won software in C. Yeah viruses here. On a linux system. Right... What have I been smoking anyway...

In order for computer viruses to proliferate you need to follow the same rules like in the life world. Namely you need the infection rate/death rate to exceed a certain threshold. All the cases above give you thresholds for good size local outbursts, but not for an epidemy. Which is not the case with Windows 9x, MacOS and their predecessors.

There are few notable examples when the above situation will drastically change. The most important one is:NO EXECUTABLE DOCUMENT FORMATS!!!". If MSWord will be ported or a similar abomination will become a predominant software product on Linux than there will be trouble. Because there will be "executable" user writable formats floating all over the place. Than the treshold for selfsustained infection will be exceeded.

Paranoia

[TheTomcat]

In my experience, and speaking generally, unix/linux/*bsd users are too paranoid to get a virus.

We often gruel over things like md5's and we encrypt our email with 1024bit encryption.

It's the same thing as any other OS. If you have stupid users (and by stupid, I mean ignorant and uneducated) with access to things they shouldn't have access to (the windows Registry, or a root acct.), Bad Things are bound to happen.

When were Word & Outlook for Linux Released?

[Cy+Guy]

Unless someone comes out with a virus that uses desktop applications as their means of spreading, I doubt their will be an epidemic on the scale of DOS/Win viruses. Most people new to Linux already practice safe computing and know not to share disks, or download from unsecure sites.

I know I only install from CD-ROM or from RPMs available directly from RedHat.

This is a Hot Grits Topic!

[tilleyrw]

I challenge anyone in the computing community to tell me how a virus can infect/damage your Linux system if the current user is not running as root.

EOF

Re:How to get infected using Linux...

[Dr.+Blue]

Think again! A process can access and modify the memory of any other process running by the same user (how do you think debuggers work?)! So yes, a process can go change environment variables or other things in the user's shell. Do this -- start a new shell running, and find the PID of that shell, say it's 3451. Now go into /proc/3451 and look at the file "mem" -- who is the owner and what are the permissions? That's the memory of that process! Open it and go to town!

Now you can't access other user's processes of course, so you can't "promote" yourself to root or anything like that, but you can still cause some havoc for that one user. And if they ever do an "su" then all bets are off!

Re:Remember the Worm!

[frobnoid]

finger and sendmail exploits, Morris gave us a two for one special.

By his logic, we already do have Unix Virii

[frobnoid]

By Garfinkel's logic, we already have linux virii. Under Windows, the general feeling is "oh crap, I've executed some rogue code or let my browser or mail reader (or whatever) execute it for me, and now I'm infected." While Linux people think "That foolish sysadmin ran that as root, thats what you get. Let this be a lesson to you all."
As someone else said, the general user population is much more sophisticated, but it's also worth noting that the general population is also much less forgiving.

Most people have the attitude "Unix is (relatively) secure, any virus is using an exploit and replicating itself (a worm) or it's user error."

Ha!

[karb]

lol

Even if there wasn't, half the point of being a geek is making up your own words.

Consider : "wordicize" both an idea and an embodiment of that idea. (hee hee)

Re:Deutsch

[matthead]

Wer nicht hören will muss fühlen!

• Wer is "who" in the nominative, and in this context can be taken to mean "He who..."
• Nicht is a negator, and in this case negates hoeren will (sorry, I don't know how to do umlauts from this computer, so I add the e, which indicates an umlaut when it occurs right after a vowel).
• Hoeren will means "wants to listen" in the third person singular. Wollen (will in the infinitive) actually has no real direct translation. It's partway between "want" and "need." My college German instructor put it best: Americans say "I want a hamburger" at McDonalds, but in Germany you're more polite: "ich moechte ein Hamburger." Moechte means "would like to have," and is basically common decency. Using "ich will" instead would pretty much be saying that you can't live without the hamburger. It's considered rude to use it, unless you really mean it.
• Muss comes from muessen, and means, well, "must."
• I've only seen fuehlen used to mean "feel," so I'm not sure here.

I'd say "He who refuses to listen must suffer!"

Actually, Linux is probably vunerable...

[NoWhere+Man]

I wouldn't be surprised, I remember a few attacks for 4.2 of Redhat, but those were DOS (Denial of Service) attacks.
I think the main reason that Linux has been around so long without a virus has more to do with being faithful to the OS. Because it is open source, people treat it like thier own child, watchin it grown and develop over time. Would anyone be happy if a virus came out that brought down Linux? Obviously not, in fact the virus' creator would most likely be hunted down by Linux users. But you see any Windows system go down cause of a virus (or just some random fault) and what do most people do? Laugh; laugh like hell.
The difference is all in how you feel about it. Windows is thiers, but Linux...that's ours.

Re:Hmmm,did anyone notice....

[MarkKomus]

So if his arguments were said by someone outside the security field you'd take them?

You cannot discount his arguments just on the basis that he is a security consultant. You can examine what he says in greater detail to make sure it makes sense, but outright saying "He is a security consultant therefore his arguments are invalid" is invalid in itself.

Trust

[RussRoss]

One source of potential problems is that people download binaries and/or source and install them without checking them out too closely. Sure, you feel more secure after downloading 200k of source code and compiling it yourself, but how often do you actually read through the code before using it? RPMs are often available (or .tar.gz files with install scripts) and we happily run all associated scripts as root, as well as installing any arbitrary code that happens to be in a package. So far, I think our main assurance has been that nothing too bad has happened (at least nothing malicious) in the past, and we count on communities like /. to warn us if there is anything we should watch out for.

As projects get bigger and the user community gets bigger, it will become easier and easier to download a trusted package, patch a nice trojan into the source code in some obscure place, package a few RPMs, and stick it in a public place. Even most people who download source packages don't examine the source too closely (until it crashes). Checksums? Sure, I can make a checksum if that will make you feel better. The point is, we don't always download from trusted sites, and even if we do it's doubtful that the packages we download have been scrutinized. Someone could slip a trojan into emacs and upload it to a public download site and thousands of people would probably download & use it without ever knowing until it's too late. If you were subtle, you might even get one into a widely used distribution. You think the RedHat folks have read through all the hundreds of megabytes of code on a source RPM CD? It seems unlikely to me.

So what's the point? Some kind of trusted authority system might be helpful. Verisign, etc., have their problems, but at least you have some idea of who you are trusting when you use a verification system. If there's a system already in place, I don't use it, and I suspect most others don't use it either. I usually ignore checksums and signatures that some sites provide with packages. We need a system that is more integrated. Every time I do rpm -ivh .rpm I'd love to see a message that says "package verified by Linuxone.com." Okay, maybe not that exact message, but something like that where the verification was a process I could trust. We run too many install scripts as root, so the Linux security model doesn't really offer as much protection as we'd like.

- Russ

Sigs only solve the problem of trojans.

[Tau+Zero]

As long as MD5, RSA, and PGP sigs remain impossible to counterfeit, then the smarter half of the whole Linux community (who verify packages before installation) should be safe from viruses and trojans.

Trojans, perhaps. Not from viruses or worms, and this is by far the greater threat just because of the enormously greater rate of spread. The Morris worm and the BubbleBoy virus didn't have anything to do with normal distribution channels; they relied on defects in the system software to take control of it.

The real source of Linux's protection against viruses isn't user vigilance per se, it is the architecture of the OS and its utilities. There are no ActiveX security craters on Linux because there is no ActiveX, and Linux developers have (so far) been smart enough not to write too many utility programs with scripting languages capable of hosting a virus. Even Java, the most conspicuous exception to this rule, has a security model which tries to ham-string malware. Ultimately, the difference between Windows "security" and Linux security is the driving force behind the features; Windows is pushed by marketeers who couldn't care less, Linux by geeks who have to live with their work.
--

Maybe the software isn't ready but some users are.

[Merlin.]

I have never had problem with Viruses on my Windows machine because I know what shit I'm loading into it.

When i started using linux it wasn't any different. I dont install anything on my system unless i know it's clean.

Then to top it... for a virus to "live" on a Linux/UNIX system i dont think that being a normal user would be enough.

I am not worried. Not worried at all.

He's right you know.

[Lion-O]

Offcourse, there will be virus plague within the Linux community. Not in the form of software as this clueless^H^H^Hwriter describes, thats impossible for decently setup systems, but just more stories like this.

Repeat this nonesense often enough and you will have newbies believe in it. After that it will take not that long before it is a commonly accepted fact.

Therefor I believe the writer is right about this prediction since he is one of the many who is trying to make it come true.

Re:Open World

[Sygnus]

Okay, I've been reading the comments, and I keep seeing your posts which say exactly the same thing. To make things worse, so far, every single one has been "(Score:3, Interesting)" or "(Score:3, Informative)".
Some moderator must be smoking crack, because your posts are becoming redundant - you don't need to beat us upside the head with your link.

flame-bait me, or whatever you will - Im just sick of these "linux virus research" replies.

--
Sygnus (who will be looking for these to show up in Meta-Moderation)

What does being rootless have to do w/ desktop LNX

[Rares+Marian]

As Linux becomes a "desktop operating system", the slim levels of protection against computer viruses vanishes.

??????????????

Newbies will learn. Or they can use windows.

Re:Hmmm,did anyone notice....

[flyneye]

It is proper to question the argument.(who knows
what this mans sources and qualifications let alone motivations are?)
What can we really prove about any of this?
By the nature of your own logic you set yourself up for a fall in the real world.
In other words"Brother let me put you in this
Oldsmobile today".
Get Slack man,loosen up that tie and quit working for the conspiracy.

Re:Hmmm,did anyone notice....

[flyneye]

No,i cant discount his arguments on that basis,but I can feel my intuitive crap detector
going off.
I also couldnt be bothered to spend the weeks
or more necessary to verify the (dis?)information
to find PROOF of anything.In the end I suppose one
would have to write or experience a virus in order to find out.
ALL ELSE IS JUST PISSING IN THE WIND.
I also dont take as gospel the conclusions of
Doctors,Lawyers,Preachers,Teachers and Blondes with
Busty Features.

A Virus for Linux

[Artie+FM]

I read this article and spent some time thinking about it. My reaction? The article is full of FUD.

He concludes that Linux needs software that stops virii in it's tracks, despite the facvt he says earlier there are no serious virii for Linux yet.
Kinda like saying we need to develop weapons which can defeat godzilla even tho we haven't ever really seen him yet. Right!!!

he says we are vulnerable because people download, compile and install things as root. But really hat percentage of people do this? How could it amount to a plague?

In reality there are two ways to get a linux plague. 1) another internet worm is created and 2) someone making a distribution puts one in there.

Instead of talking about software to protect against exploits which don't exist why not address these two very real threats.

--
Be insightful. If you can't be insightful, be informative.
If you can't be informative, use my name

No Virus == No Anti-Virus software

[nachoman]

Correct me if I'm wrong, but most Virus software finds programs that have known viruses attached to them and warns the user. If there are no known viruses that are extremely dangerous then of course there is no software to battle them. You can't make a program to fight something that doesn't exist yet (if you can then you can make millions).

If indeed we get a "plague" of virus attacks on Linux then the anti-virus software will start becoming more available then.

If it's not broke don't fix it.

Re:How to get infected using Linux...

[flawed]

Too bad the SAK does nothing else but killing off every process spawned under that virtual console,
so it is not a good idea if you use shell escapes or job control.

Re:Viruses will come...Free Software isn't ready!

[inburito]

I have known profesional programmers and hobbyists and in my view profesionals are MORE likely to write viruses than less likely.

UH! So you're saying that if we pick a professional programmer the chances that he will write a virus are greater than those that he won't? So over half of all the professional programmers are virus writers? That is a pretty harsh accusation and probably insults most of the people who make a living out of programming..

Openness protects against hidden things

[porttikivi]

Linux is simple and well understood. This goes for the kernel, this goes for the whole Linux culture. Open source and generally open communication ensures optrimization and simplicity, power, flexibility and finally, I predict, also ease of use.

Above all it gives insurance againts malicious, hidden, evil things. If there is a security problem in Linux, everybody will know it. If someone has a fix, it is ditributed to all, for free, fast.

Re:An EFFECTIVE Linux virus is very difficult

[tc]

Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.

Of course, experienced users don't just blindly run whatever executable attachments arrive in their email either. Newbies and the less computer literate, OTOH just think "Cool! VIRUS.EXE, wonder what that does...".

Right now, Linux hasn't suffered to anything like the same extent as Windows because a far higher proportion of Linux users are clueful enough to take reasonable care of their system. If Linux gains mainstream consumer acceptance, the average expertise of the userbase will go down, and viruses will find it easier to propagate.

Re:How to get infected using Linux...

[smash_phase]

Okay, but how about your program "exiting normally", trowing you in a virtual (striped down) bash shell, that allows you to su to root while logging keyboard input and next start a thread/child whatever.. with root rights to do it's thing?

The real problem starts, if these virii starts manipulating startup scripts or host.* etc.. and making your system act like, say, it's been BackOrificed..
Especially since *nux default remote control abilities are much more powerfull than other OS-es...

Just my 2 no 3 eurocents (devaluation, you know..)

He is a jackass

[Kamel]

Ive said it once and Ill say it again. The author is a jackass. He never seems to know exactly what he is talking about. While Linux is not invincible as most would believe, it is arguably *much* better than windows 95/98 with respect to virii. Although I agree with the author with his idea that everyday people, who run *everything* as root are prone to problems, if you are a competent *ix user, even an admin, you are far better protected from Virii than you would be on a win 95/98 (and I bet Milly too...) KAMEL

Re:He is a jackass

[phred]

Wow, another substantial comment. When you grow up, Kamel, and stop flinging the insults of a 10-year-old at things you have no knowledge of, perhaps you will have something of interest to say.

-------

Voodoo Virus?

[stickytar]

I'm not really up for some early morning troll fishing. I'm just mildly curious. Why would anyone with background in unix/linux enviroment worry about "viruses"? The resility of -unix- has been by large far greater than any Limpdows '98 against foreign bacteria. It's been said a thousand times. File permissions baby! I think their might be some confusion on the board about what we are talking about. A virus is not some dumb script that Mr. Joe Malicious user loaded with his login. A virus is a self-propigating infection which has slipped in amongst the heaps of data and has nestled itself into a cosy home with it's own personal PID #. Thanks to a few incidents that have happened in the past (blimp and the infamous worm) unix has evolved past it's infancy. Although not past susceptibility, open source is the key to destroying viruses right away. Some of you remember the days when a patch would take SCO three or four days to get out, but the same "cold" was remedied in hours by our friends on efnet. ( I'm almost done preaching here. hang on. ) Who is this anonymous coward that posted this story??? Billy is that YOU? Let's not be fooled by some corporates idea of a funny ha-ha. Neither can we be locked on to a dependency with a certain company by distribution or support. This is where are hands have been tied up in the past by relying on ABC, inc. to fix our problems. I don't know about you Mr. Garfunky but I'd rather have 10,000 esteemed colleages aiding our companies systems that some bureacratic suits who take to spreading "terror" on newsgroups. ( stepping down. going for the coffee.)

Re:OT: Virii vs. viruseses.

[benwb]

Virii is the correct latin declination, but the standard english plural of virus is viruses. I don't have an oed in front of me, but dictionary.com has a definition.

Authorisation of set-uid binaries

[~roman]

I thing a classic run-time anti-virus module in the kernel is nonsense as it has to check for special behaviour of the affected programs, so it would needed to be actualised with every new generation of viruses....
What about the PGP-like authorisation of set-uid programs? The kernel would apply public key(s) (one of your trusted distribution, your own one for complied programs + alternative trusted ones) on the binaries. The kernel itself can be authorised by the boot loader :). Of course it will have some performance "issues" as the programs have to be decoded on the fly (but only root set-uid's have to be encoded), anyway the performance critical programs should reside in the memory as stand-alone daemons or the kernel can manage a special "decoded" cache of programs.... The kernel can check also for "known security holes" in a small fast database (updated periodically by cron) and eventually force you to fix holes by updating the program.

Cheers,
Roman

"Mischief", Perhaps...But "Virus"?

[Coldraven]

Throughout high school & college, some friends & myself would have a little "fun" by kicking hosts off their own BBSes, or going to a physical location (acquaintance's house, retail cashier terminal) and screwing with the memory settings in DOS.

Like the song goes, "Merrily we trolled along..."

Despite a lot of FUD in the article, a valid point is made: unsecured linux structures, in spite of the grassroots cred & popularity, are just as vulnerable to getting hosed as any NT or Netware setup caught with its pants flapping in the breeze. Giving credit to basic nature, just about any OS (or NOS) is fodder waiting to be struck.

Had Garfinkel used the term exploits or some other, his piece would've served as a nice wake-up call. But "virus alerts" are the sort of crap that only succeeds in more day-trading stupidity (IPO, IPO, it's off to work they go) and a guranteed guest slot on MSNBC and Nightline.

Holy Shit, Batman!

[Coldraven]

I just reread what I posted, and it's practically a Katz article! I gotta stop drinking decaf...

Re:Hmmm...

[Shimbo]

I agree entirely with the first point. However, on the second, you've described fairly well what we should be doing. In general we probably don't but yes, we should be checking signatures of files we download, and using an intrusion system like Tripwire to protect our configuration.

I think this goes to prove the point - we know what to do to improve our security but we don't always do it. And so far, most of the time we get away with it.

Re:Common sense VS Anti-virus software

[jon_c]

I've been on the net since the best web browser was lynx, I've never run a virus protection and (guess what) I've never got a virus.

now like you I am moderately careful, i don't run anything called "runme.com", etc.. but then again I do run piece of shit VB apps from time to time :)

my friend works over at symantec. he says most of the viruses come from three guys. no-one is knows where they get their virus from.
and for all I know they write the things.

all I'm saying is that virii are not that big of a deal. now Trojan horses thats something to worry about. back in the 0ld sk00l da
ys when I was leaning C I used to run a BBS off WWIV, it was a pseudo-open-source deal where if you registered you could get the source (for about 80 bucks). anyway. the night before the grand 4.xx release me and my friend put in a backdoor to give us super user access. zipped up the puppy and uploaded it to all the major warez sites that carried the WWIV source.

most people didn't use it, but one site. a hak0r site called l0pht (no affiliation, I believe) DID. and I actually got in.

I don't know how easy it would be for someone to do something like this to say.. wuftp. but the possibility is obviously out there.

-Jon

Oi!

[ASM]

Ok so I'm not any sort of Linux god, but I eat X86 assembly for breakfast. Hence, I have spent countless hours reverse engineering viruses, as well as removing them from M$ boxes by hand, as well as writing them. I even collect them (don't even ask. If you want one, go catch it yourself!). So here's the deal. Viruses are at best very dificult on Linux, and certianly so complicated as to be too big to survive long as a virus.

But lets talk about the technical side. Viruses replicate by attaching itself to other files. In Linux, that cannot happen (at least, its difficult to do). First, Linux uses very nice file protection, so that J RAndom User cant modify /bin, and neither can any of his processes. Second, a virus, if it gets executed, will exist only inside on the process of the program it is attached to, meaning, first, that its difficult to modify other processes (ever wonder why when Linux programs crash, the system is unaffected). Second, that it is restricted to the same privledges as the process it is in (ie the privledges of the user at execution time), so it cannot write to any files the user does not have access to (sure, some idiot could get infected running as root, but that's no epidemic..). So viruses cant spread through the system.

That being said, it is possible that the virus could wait on the user to for example su to root, but given the permissions of the process it is in, I don't think it'd have much luck anyway, outside sniffing the passwd to root. Also, there is the possibility of exploits, but as it has been repeatitively said, those get closed FAST.

So can viruses get into a system? yes, can it get far? no. even it if infects everything in a user's permission domain, the system is still functional (yes, some idiots.. but I'm not worried about them, they'll likely break their system faster than the virus anyway).-Just delete the infected stuff from their permisson domain, slap them on the wrist, and go administrate on some other task.

If you don't get it yet, chew on this. I've considered experimenting with a Linux virus, just to see what one would look like, but I trashed the idea. Why? not that Linux viruses cant be written, that's easy. But because the barriers it would have to break in order to spread are too difficult to do in 5K of code (optimal size for a really nasty virus).

Once again, I know that there are stupid people out there running Linux, who haven't a clue how to keep it secure (I admit, I'm not so contientous myself), but that's not a matter of AV software, or anything so foolish, that's a matter of educating them about security. -And in any case, there's no worry for virus attacks on an epidemic scale.

note: All viruses I have worked on are EXPERIMENTAL ONLY. I worked on an isolated machine, so I could learn more about them. So don't go telling others I spread viruses.

Re:Oi!

[Ace905]

I'll admit, the best I've done to destroy a computer was editing dos 5's version of format.com to say it was installing a game. That was funny, but dos 6 came out the same day, I suck.
We all know Microsoft has warped our perception of legitimate application sizes. Every time the standard in HDD size increases by a gig, so does Microsofts O/S, Office, and even the documents you create.
Regardless, Open-Sourcing may be getting application sizes down to an acceptable level, but with the advent of periphereal devices, and the cross-platform applications which are to be ported to Linux under WINE, we are still going to see ever-increasing standards in Application size.
Linux itself, in all of its various forms still moves with the standard. When a new scripting language is released, which generates code slightly larger than the last, it will still be implemented.
What will happen when 500k bin's and 1 Meg MicroSoft executables are running under Linux? The size of a program which can overcome all obstacles will suddenly go unnoticed to everyday users.
People don't get smarter, complicated things just get simpler.

not that Linux viruses cant be written, that's easy. But because the barriers it would have to break in order to spread are too difficult to do in 5K of code (optimal size for a really nasty virus).

Viruses?

[linux_penguin]

errr, ok, sure

a) NEVER login as root for general use
b) limit the number of daemons running as root and stuff thats suid root... if you're running a home pc, who cares, if its a production system and you havent got the source, dont run it....simple
c) properly protect your box with firewalling etc to limit worms etc
d) install any 'untrusted' software (ie s/w not from a large company or well known open-source developer) as anything but root.

If you take normal unix precautionary measures, and the kernel developers/daemon/suid root programs keep auditing their stuff for security holes, I think you're pretty safe.

People quote windows as being more prone to viruses because they are single user systems (any program can alter anything) and usually the users arent as knowledgable and will run any .exe file anyone sends them. This is unix, if you dont know how to protect yourself, buy a book.

Can anyone think of any way a 'virus' could attack a secured machine from an unpriveledged user account? besides once-off security holes.

Re:Viruses will come...Free Software isn't ready!

[swdunlop]

Mmmm.. I always thought the reason that there were more trojans for unix than for dos was.. Dos doesn't have network connectivity out of the box? ;) Kinda hard to write Back Orifice for MS-DOS using sneakernet as the transmission medium.

Re:Figthing Virus

[batmans_byte]

This isn't "insightful", it's "conventional (slashdot) wisdom"!

The community

[tribbel]

I don't think the chance of becoming a millionare is a reason for not writing viruses. If that was true, there wouldn't be any windows-viruses out there as well.

I think that when somebody writes something in a UNIX-environment, he is more likely to write something useful, make it free software and donate it to the open source community. This way he has a chance of becoming respected and famous, which, imho, is much cooler than being "pheared".

OT: Mac's have few if any viruses now

[yuriwho]

Funny, when I first started using Macs, viruses were all over the place (this was in a University setting circa 1986). The only viruses I detect now are MS office related viruses sent to me by Windows folk. Most of these appear to do nothing to a Mac. Is it just that virus writers gave up on the mac platform due to loss in market share after windows came on the seen? Or is it because virus writers decided that they dislike windows more than macs. I feel like I wasted money on a antivirus product cause I havent found anything in the last 3 years.

Also, I had never even heard of a UNIX virus before this thread....guess there are none worth worrying about.

I guess we can thank Bill "the pied virus piper" Gates for our luck.

Are there any linux viruses today?

[joshua42]

It's not like linux is too small to be an attractive target for virus hackers. Think of Atari and Amiga, their use base were probably smaller than the Linux/FreeBSD community is today.

Why has not Linux/FreeBSD been plagued by viruses in the same way as Dos/Windows or Amiga/Atari? Actually it should be even worse as Linux computers are usually networked and, again, has a larger amount of users than the latter two OSs. Another thing that should make it easier for virus makes is the source being availble.

The only reson I can think of why viruses are not a major problem is that it is much more difficult to write a "useful" virus for a linux enviroment.

In unix we have hackers (in a system intrusion sense) and in Dos/Windows and other more primitive non-networking OSs they have viruses. I takes more to penetrate unix security, obviously, as a stupid virus program won't do - it takes a rather highly skilled hacker to do that.

Re:Are there any linux viruses today?

[shub]

I have two words for you -- Script Kiddies. The people writing rootkits and script-kiddie toolkits will surely migrate to writing full-blown viruses, and even virus toolkits (so that the script kiddies can "write" their own viruses).

It's just a matter of time. Meanwhile, you damn well better hope that your OS is secure.

If you're using Linux, you should check out Bastille Linux. If you're a BSD fan, I recommend you look at OpenBSD, although hopefully FreeBSD will catch up soon thanks to the FreeBSD Audit Project.
--
Brad Knowles

WHERE DID ALL MY PORN GO??? Hello, tech support?

[kaoshin]

This is a little different, but I remember when I was about 10 years old going into the computer store and typing 10 PRINT "I AM TOO EXPENSIVE!!!" 20 GOTO 10 RUN Of course this was hardly destructive, but the reason why I did it was because it was easy, much like hacking microsoft is today. I think a growing number of people are becoming constructive, but as long as software is written extremely crappily and there is a motive behind the hack (Microsoft? pick one) people will continue to write viruses. I grew up with a hella lot more obstacles than losing files that can easily be backed up. People whine too much because they are uneducated, lazy and other bad qualities. I think the real plagues are made by the government to keep us from spreading too much. Computers will hopefully at least harness and direct the better of our combined ignorance into something.

[OT] Re:Open World

[Gurlia]

Hmph, is this some new way of trolling slashdot? Find an interesting Linux link, relate it to the current article, reply to next to every thread in the article. As a bonus you even get lots of karma points and generate lots of hits. Wake up, moderators!!!!!!

How?

[cuvavu]

If there are almost no known linux viri then how can someone write a program to test them, unless there are known holes in the system, in which case wouldn't it be better to fix them?

Re:How?

[John+Allsup]

What you are describing is a capability system.

Take a look at EROS for a GPL'd example of this.

In particular, note the principal of least privaledge -- just because a program needs one small aspect of root's privaledges, doesn't mean it necessarily needs to be given all of them -- in practice, this gets rid of the root account per se., which is never bad where security is concerned.

John

Re:How?

[Windigo+The+Feral+(N]

Mashiara dun said:

*Bzzzt!* Wrong,(solely) pattern based virus detection became obsolete with the first polymorphic viruses and this was in the late 80s.

Well, yes, at least for binary viruses (the largest problem nowadays is actually Word macro viruses, and new binary viruses are fairly rare (with the exception of CIH and the occasional Word macro virus that has a dropper)...)

Then again, it's far more safe not to look for patterns so much as to look by heuristics for programs that can potentially do Very Bad Things. (This pretty much Works on binaries except for a very few programs that rely heavily on system hooks or do "naughty" behaviour legitimately (like disassemblers), and pretty much Works 100% on macro viruses which are the major problem nowadays.)

All modern scanning systems have multiple scan modes with different types of execution emulation along with pattern based detection system and on top of that a more or less sophisticated heuristic scanner that can detect previoysly unknown viruses by searching for virus like behaviour (often only simple ones, excemptions to this rule are coming up like F-Secure Orion that detects all known 32bit windows viruses purely on heuristics).

Well put.

As it is...yes, Linux viruses are a worry, but not a MAJOR worry. I've posted a more complete post here on what I think we do need to worry about (namely, not repeating the same basic design mistakes in Windoze that allow viruses to propogate like crazy on those boxes, and increasing security in general to eliminate ways to let viruses in period).

Re:How?

[phred]

So why did this, the first posting with ANYTHING substantive to say on the issue, get moderated as "redundant"?

C'mon, fess up, who did it?

--------

Re:How?

[phred]

Never mind. I saw this before seeing all the others.

The referenced papers are mildly interesting, but whether the approach is a potent line of attack is conjectural at this point.

-------

Re:How?

[Goonie]

A cursory browse at the example virii there (I didn't read all the papers, I admit), doesn't explain how a virus could gain root privileges (which it requires to propagate effectively), without being executed by root. Could you give me a pointer to a specific paper?

Virii? Not on _my_ system...

[Sundiata]

Of course the current Linux community is relatively safe from viruses. Most Linux users know damn well what they're doing, understand the importance of password complexity, know how to properly set up and maintain their machine, check regularly for updates, the whole nine yards. Virii (and other hostile programs) will become a problem, though, once Linux becomes the system of choice for John Q. User. The vast, vast majority of computer users in this world are marginally comfortable with using Win95/MacOS; if something goes wrong, they either freak out and call their geek friend or push the big, shiny button and hope a reboot fixes it. The average desktop user is one of the single greatest liabilities in the battle against viruses and invasive programs; practically any OS today can be made safe from virii assuming that the person running the machine knows their stuff and has a fundamental understanding of how things work. The reason Win users get hosed by virii so often isn't necessarily a symptom of the fact that Win systems aren't as securable as Linux systems; rather, the vast, vast majority of virii, worms, trojans, and other hostile programs survive through the oversight and sheer stupidity of the average user. Maude P. Dingbat gets a file from her sister. Is her sister a trusted source? "Of course! She's my sister!" Don't think for a second that if Maude were running linux that she wouldn't go and do the exact same thing. Also, don't assume that Maude would have a properly configured Linux box. Also, don't assume that Maude would have downloaded the latest upgrade from Red Hat 6.0 to protect herself from things such as the glaring wu-ftp bug. Also, don't assume that Maude would have the sense not to run under a root-enabled account (it can be so pesky getting those darn access denied messages all the time!) Average users are stupid. They'll find a way around/ignore security precautions, because security precautions are generally more trouble than they're worth to the average user.

Even smart users are very often stupid. A password audit of my college's Math/CS network several years ago revealed that roughly 7% of the users (including 4 professors) were either using {username}, {usernameusername}, or {} as their passwords. These are people who know damn well the importance of computer security. Sure, you can put password auditing software in place, but the fact remains that people will always look for the path of least resistance when dealing with computers, and as security increases, convenience decreases.

Way back when, the Morris Internet Worm attacked systems that should have been secure; systems populated largely by at least semi-intelligent, semi-computer literate users. Though it was programmed with several bug exploits, the most successful attack it used by far was a simple dictionary password cracking routine. Knock knock, good to see ya, whoop--here's a load average of 50. Yes, systems security has progressed in leaps and bounds since this day, but system complexity has done the same. It's perfectly conceivable that another Worm-style program could come along and cripple the Internet--without even having to gain root access.

The point?

1. As more and more users flock to Linux as their desktop platform of choice, the mean intelligence/saavy of Linux users will drop, perhaps even as far as that of the mean intelligence of Windows users today.
2. The stupider the Linux community gets as a whole, the more people will do stupid things, like not resetting root passwords, or disabling security checks because they're a nuisance, or failing to update bugs and exploits as they're discovered and fixed.
3. The easier it will become to write a malicious program that relies less on technological prowess and more on the idiocy of the average user.

Remember, computers are wonderful tools, but they're just that. Tools. They're only as smart as the person using them. Bad, bad things can happen when tools start using tools.

Not as Stupid as Win-users

[ClubStew]

One thing /. readers might keep in mind, though, that most people who use Linux aren't dumb enough to open and run an executable attachment in email from someone we don't know. And thanks to /., readers can know very quickly if a new virus is out (how 'bout it, /.? Think a section or side-box is worthy of posting new viruses when they hit mainstream?) At least we'll be seeing more creativity in viruses on Linux than these d#$m macro-viruses that takes no brains to write!

Re:Head in the sand?.....maybe.....

[knowfear]

I think they haven't had their success because of the need for them to run as root. This will stop most viruses.
Sure, some viruses may go around in the Linux world, but as for a virus to spread, it needs to be able to jump from one infected machine to another. This is easy in the windows world because of the large number of windows users, and the popularity of programs such as outlook express, IE, and MS office. Also, in the windows world there's no need to be a special account to do real damage(even NT).
Put these reasons together and you'll have the answer to why Linux viruses haven't spread much. If Linux does get a lot more popular in the newbie desktop arena, and programs become more standardized across the board, a virus threat is a difinite possibility.
I think we're pretty safe. For now.

I think the users accounts are in the real danger

[mpost4]

I think that yes the security of the Linux box will keep 75%+ of the Linux box safe (the other 25%+ are the people who do everything for root, this might be a exaduation) but the real danger is to the users accounts, not all of them only one at a time. because if you do get a virus all it can do is delete files that belong to the user and that the user have sufficiant rights to, other wise you will get a error, this will also help to id the virus and so that the "victim"/discover of the virus can let other people know about it.

Just my stupid rambilings

Is this his real name?

[thatdelphiguy]

Is Simson Garkinkel his real name?

Did he write "The Bixer" and "Brodge Iver Tribled Warters"?

I think we need to know

Re:Open World

[weisserw]

I agree...look at his user info...49 comments on this article? We need some sort of posting limit.

-W.W.

Re:How to get infected using Linux...

[rcw-home]

Yes, your hypothetical virus could drop you into a fake bash that looks just like real bash, then also present you a fake su, capture your password, then run the command you wished under the real su transparently as well as do whatever it was gonna do as root.

Luckily the kernel sysrq feature has a secure attention key (for the console anyway), all you have to do is get in the habit of using it.

Have fun getting your new toy to spread :P

Hello linux my old friend..

[gatekeep]

What do Simon and Garfunkel know about virii? Hello Linux, my old friend, I've come to hax0r you again.

I've heard this a milion times before.

[datadictator]

Guys, there has been Unix virusses for a long time, the one that you need to worry about still doesn't exist.
Anybody remember blimp ? The Virus MIT developed to test Unix vulnerabillity ? That managed to infect and destroy files only in the directory of the user who ran it ? Keep in mind that Unix has decent file premision settings, a program is only as the user who runs it. Sure you could build code into a virus to make it hack for root, but a virus needs to be small, and that is by nature big code. The only major risk we face is that a lot of newer users still do everything as root.
The root users path should include exactly one directory:
/sbin Nothing else, no porgrams not installed there should ever be run by root. If you run other stuff as root, virusses are the least of your worries, your gonna rm something important at some point.
For a lot of good information on Linux and virusses check out Rick Moens opinion page at LinuxMafia.com I based most of this post on what I learned there.

Re:I've heard this a milion times before.

[datadictator]

source code for blimp: #!/bin/sh rm -rf ~ This must be the best flame I have ever recieved in my life!

Oh yeah, it's the ONLY flame I have ever recieved in my life.

Re:virus threats

[datadictator]

This is so true, however you left something very important out:
To port office to Linux in less than 50 lifetimes will require that minicrap implement some sort of registry, can you imagine trying to change all the office code that relies on it ?
Now what happens, 50,60 percent of the newbies install MS-Office for Linux, get stacked with linux.reg (hopefully in /etc at least)
Programmers begin to use it.
We have a flooding of of programs requiring it.
We thus have a milion nice apps requiring you to have installed ms-office at some point.

You end up with a Linux box that cost you an ms-office license, and has a 400 meg text file, impossible to keep uncorrupted, non-user-editable, and able to make the entire system crash.
You cannot killall -9 linux.reg
And you can't get any tech support because all the reall hackers have moved on to freebsd or beOS or hurd or sumfin

Show me any other virus that could fsck a linux system like that.
And of course it requires root, and it doesn't look like a trojan right-away.

We need secure-sites

[gnalle]

I study physics and I have used a lot of packages that I have got from people around the globe. These packages have been send to me via e-mail, so I know who I should blame if something goes wrong but if one of these programs contained a virus I wouldn't be able to tell.

If viruses start to come around, I don't think that anti-virus-programs is the only right solution. Aa an example dedebian is updated so slowly that it will always be behind in the race.

Instead of developing we should develop a kind of secure sites, where people can post there personal programs and have them virustested automaticly.

Unix virii already exist.

[Rei]

A friend of mine, and a few of his friends, working together wrote a virus that works on all unixes a while back. Its rather interesting. Basicly, its a shell script that attaches itself to the beginning of a binary. When the "binary" is run, the shell script copies itself, then executes the binary thats attached to its end. He keeps the thing under lock and key; he's paranoid about it getting out.

However, I think bsd and especially linux are less succeptable than other unices, and *especially* than windows/macintosh. Why? Simple: Free software. Free software is typically downloaded from centralized servers that mirror each other; commercial software is typically downloaded by most people as warez from who knows what site, or passed between friends. Near all the software I use in linux is free, and was, as stated, downloaded from a centralized server (I use rpmfind.net for 95% of my software). Near all I used to use when I used windows was commercial, and cracked.

Just neglecting the inherent OS security issues that make virii harder in unix, I think this is the greatest issue that limits their spread. To infect, say, metalab.unc.edu or rpmfind.net, would *not* be an easy task (and like noone would notice every tar.gz on metalab being unpacked, the source code modified to include the virus, being repacked... like noone would notice that the site is infected... etc.)

- Rei

Re:Remember the Worm!

[IO+ERROR]

Modern viruses do not rely on exploits to propogate.

There's nothing obvious on the site you posted that says anything about how a virus might propagate, that is, get off one system and onto another system (whether those two systems be networked or not).

I have the following questions:

• How does a "modern virus" propagate from one system to another?
• How does a "modern virus" obtain root access?

Come on, EARN your "Informative" moderation.
---
Microsoft spel chekar vor sail, worgs grate !!

Celebrate Diversity

[fawlty]

I've been saying for years that CPUs, OSs, systems and networks ought to be diverse in order for everyones systems to be more secure overall. A monopoly in any area (mail program, java interpreter, word editor, whatever) just puts the same weak links everywhere. Spreading viruses effectively requires a sort of critical mass/density.

Unfortunately, I don't think we'll ever dilute the masses enough to get rid of hoax viruses.

Re:Celebrate Diversity

[luckykaa]

I agree about diversity. Diversity is normally a good thing. Nature proves this. This is why penguins are so different from Hippos.

Although as far as claims to fame goes, I would have thought that the first ever Linux virus would be a big enough claim to fame. Look at the fame of the Mellisa virus as the first email virus.

Re:Celebrate Diversity

[HiQ]

Totally agree.

Given the fact that:
a) Unix/Linux is still a diverse, not quite compatible market, and
b) You can easily write a virus that attack DOS, Win95, Win98, NT (and Win2K)
it is obvious that by writing a virus for b) you cover a larger area, and so gives the writer a bigger 'claim to fame' (at least that's what the little weasels are after).

So diversity is not (always) a bad thing

Just show me a few Linux virii/viruses

[revengance]

I don't understand about all the stuff that is going on here. Why don't someone just show me a few linux virii/viruses? Otherwise, what epidemic?

Re:I'd say linux is less virus-friendly...

[icqqm]

The problem is that the expert linux user world is changing, and as more newbies get involved in linux, more mistakes will be made. Since in most cases they own root privileges on their computer, it's just a simple matter of getting them to install something as root. As the intelligence of the average linux user goes down (as did that of the Windows user long ago), the easier it will be to get them to do what you want -- something stupid. It's almost impossible to secure something from the guy in front of the keyboard.

Re:Hot Grits Virus

[kwsNI]

Wolf! Wolf! Wolf! Wolf!!!!

Sorry, I almost think this thread is funny. For the time being, it's about as likely as any other Linux virus.

Right now, there are no Linux viruses and no one has really been able to back up a claim that they have made a virus for Linux. For the time being, I don't really know what they think we should do to "prepare" for the coming wave of viruses (besides removing all modems, NICs, FDDs, TBUs, and CD-ROM drives, punched tape readers and the power cord from my machine). I have to say that until I see one, I'm not going to be too concerned about it.

kwsNI

The thing about Linux

[Dungeon+Dweller]

Well, first, Linux users tend to be a little bit more intelligent as computer users go. I think that the migration to linux will probably cause a greater awareness in the general community of end users, which will cause people to be less stupid about performing actions that will cause them to get viruses.

Also, the security in linux is far better than the paper cutout security in that other more popular OS. When your system has actual access permissions set up, rather than just a little game that sits on top of the OS and plays dungeon master, and you truly have well defined user restrictions in place, there is little that a virus could do, even if you are infected.

Linux doesn't have enough popularity yet

[krogoth]

I think there hasn't been a linux virus because it isn't popular yet. Windows has thousands of viruses because nearly everyone uses it, but linux isn't affected by them and no one has bothered to make a linux virus. Or maybe all the potential linux virus makers went and made a better kernel or something usefull :)

Re:virii vs viruses. LAST WORD (I doubt)

[luckykaa]

According to this site the correct plural is "viruses". The full reasoning behind it is also there.

Although I really don't see why the previous poster has such a problem with it. I mean, correcting someone once is all well and good, but shouting about it again and again with no references or reasons is just pathetic. Its like he learned it once and is just desperate to show us all how clever he is.

Re:Common sense VS Anti-virus software

[luckykaa]

As far as I understand it (According to this site), in Latin it was a only mass noun. You couldn't have A single virus in much the same way that you can't have a water, so there wasn't a plural.

Admittedly, all my knowledge here is second hand, because I never did latin.

Well he has a point there

[Buz+Humbar]

At one time, I thought the notion of a macro virus in Word was silly. After all, you can just delete the macro, right? Which I've actually done with some of the macro virii. However, a lot of Word users are not aware of the macro system at all, and for them, the macro virus would run unnoticed.

If Linux picks up a lot of just-average users, malicious code could actually be written in source form, distributed with packages and compiled in. Frankly, I don't think I've looked at as much as .01% of the source on my Linux box, there's just so much of it.

Heh, come to think of it, some software vendors might think of all Linux as malicious code! Bwuhahahahahaha...

Many eyes make for better code

[Buz+Humbar]

After a little more thought, I've realized that this is the greatest advantage of open source, and does not require me to personally review every line of source. The Debian site has a ready list of security alerts, and whenever someone finds so much as a _weakness_ in the system, a patch is usually ready within a few days.

Actually, if Mr. Garfinkel is so worried about virions, howcome he doesn't 'show us the source'?

That being said, I do think that Linux is destined to be used by a lot more naive users, and stupid things like malicious scripts will make their way around. Whether you think of a macro virus (read 'script') as a virus or minor annoyance is mostly a matter of your skill level, and the unwashed masses are going to use the term 'virus'.

As will hucksters like Garfinkel.

virus threats

[kilf]

I think that the goodwill shown towards Linux by non-professional programmers will protect it from "conventionally developed" virii. Potential virus writers are unlikely to disrupt the Linux OS, which is closer to the haxx0r "ethic" than Windows and the like.

Linux's biggest threat from malicious software would be if MS ported Office or Explorer. Spreads like wildfire, ties up system resources, fills disks with huge files....

Re:Hard to imagine

[BMazurek]

The point of the comment to which you were replying was that this would be unlikely in free software, because there would be many more people looking at the modified code. If Ken Thompson's backdoor had been distributed to thousands of kernel hackers around the world when he came up with it, someone would have noticed.

But, according to this scenario, the suspect code never appears in any source code. It only exists in binary form inside the compiler (and login). The beauty of this is that it will self propagate itself, and it won't matter how many eyes look at the code (free or not), because the code isn't present.

Granted, you need an "infected" compiler to start with...but thereafter all subsequent compilers that are compiled are also infected. Binary distributions and/or cross-compilers to bootstrap particular architectures would also become infected.

Re:Common sense VS Anti-virus software

[keli]

Hmmm...
The pural for virus in Latin is vira, not viruses.

Yeah great

[bcilfone]

And communism is going to take over the world right after Russia nukes the United States, and the world will run out of oil just as the last remaining bits of the ozone layer and tropical rainforests are destroyed, until finally aliens with their laser beams and force fields enslave mankind.

Seriously though, Windows users are used to getting binaries only. Linux users are used to getting source code. If someone gave me a binary with no source for Linux, I would immediately become suspicious. This combined with the fact that pine doesn't run arbitrary executables (Outlook not so good) should at least raise the bar for the skill of virii writers.

Re:As long as MD5, RSA, and PGP sigs remain...

[roundand]

Think of Melissa - the other strength that Linux has v. Windows is that you don't have Microsoft designing weaknesses into the system, trying to bring forward the day when the "join the crew" hoax becomes a reality.

OT: Virii vs. viruseses.

[Quintus]

People who (originally) say "virii", are, in fact, of the blessed of this world, for they have studied Latin! Now, I'm an 11th. grade student, and take Latin. The average student's reaction to Latin is one of wretching, but seriously, it makes nearly every other language a walk in the park, and isn't bad in and of itself. It's great for learning languages. I really reccomend it.

"Virus" is in fact a latinate and latin-derived word, and if we decline it appropriately, we do indeed get "virii". So these people are not like those who say "boxen", as "virii" has some real foundation.

As for sounding more sophisticated than they really are, well, using "virii", truth be told, probably is at some level intellectual chest-beating. (But it is correct!) However, it is justified because a) it's easy to remember (unlike, say, practicum -> practica) b) the alternative is FAR worse. Viruses? Viruseses? I rest my case. ;-)

______________________

Re:An EFFECTIVE Linux virus is very difficult

[Zetschka]

To sum up:
1st lots of clueless users
2nd clueless software companies with a lot of sales
3rd viruses

Doesn't anyone *read* the story

[foofc7ca]

(yes, this is flamebait -- but it's TRUE!)

According to the article, there are about 6 known Linux viruses. At least one of these used root-exploits to run as a user. Currently, the level of expertise in these viruses isn't that high.

Secondly, the author doesn't mention FreeBSD because some things about those trees make it a lot harder -- the security levels making system files unchangeable (ie, you have to boot into single-user mode to change your kernel, and forget about loading any modules!), and furthermore, FreeBSD doesn't have a snowball's chance in hell of being a desktop operating system.

As Linux becomes a "desktop operating system", the slim levels of protection against computer viruses vanishes. There is no longer a seperate God-like admin who greps the source for system(), and doesn't install binaries. Instead, there's a harried user who has to put on the 'root' hat. For the history buff's, what operating system did Fred Cohen write the first computer virus on, and demonstrate their success? Just a hint -- it was before Windows and it wasn't VMS ...

Further, because Linux now has a number of binary package-managers, with commercial software released binary only, it's relatively easy for both viruses and worms to spread. Even when you have to build your programs from source on each architecture, you can have viruses and worms (think Morris Worm, for example).

I disagree with the author on why this hasn't happened yet -- right now, Linux is "counter-culture" - people who have the skills to write viruses for it are having fun playing with the kernel. When Linux has a significant share of the public market, it will no longer be a hobbyists toy, but the product of the Redhat-Caldera-Suse (or some other combination) corporation. At that point, it will become a target instead of a toy.

Further, the solution is NOT anti-virus software in the Windows sense -- the solution is likely to be more technical, including access right lists (what do you mean, my 'ls' is trying to exec() something? Or my binary mozilla package is trying to write to some other program file? ) The operating system can and SHOULD enforce sensible limits.

What this means is that 'root' isn't going to be 'root' anymore. And that's a good thing.. I want a installation process to install certain binary files, not send my video card information (quake3) or my credit card information to some server, or add blank entries to /etc/passwd, or otherwise wreck havoc. If you've read this far, thank you for listening to me rant.

Re:Doesn't anyone *read* the story

[otis+wildflower]

Hi,
I agree that Linux needs stronger security (how about a free Tripwire + active systems security agent?) but a few things first:

o when enough people in the Linux community need more security, it'll happen.
o if you can't wait that long, look into openbsd.
o encrypt your personal data files and anything that you don't want the world to know about.
o run tripwire or a free variant.
o whatever the solution, keep it opensource, and GPL if possible. Don't buy into a proprietary product that could possibly be doing naughty things in the background.

CHeers,
Your Working Boy,

Making Linux More Secure?

[Jacques+Chester]

My question is this: would it be reasonable to assert that the kernel might act as a general-purpose virus checker? If anything it gets loaded before everything else.

I note peripherally however - and others have pointed this out before - that programs like Tripwire can already do "delta checks" for you. Simson points out that the techniques used to gain root access are the same ones a cracker would use. Presumably, the answer is then the same: practice good security.

be well;

JC.

--

I ain't no linux guru...

[logistix]

But couldn't you just bypass linux altogeather and in-line assembly to do nasty stuff. Of course that'd only work on the linux machines running. Are the BIOS chips still active?

Seriously, there's the old addage, "be careful what you wish for, you might get it." If Linux ever does get to be on everyone's desktop, users will make today's newbies look like sysadmins. And that's what will drive people to write virii for Linux. As the old pros become disillusioned, some of them will start to write virii.

The reason most virii are on windows is because the people writing them think people who use windows are stupid. The day will come when people get sick of "all these stupid Linux newbies, using Corel" and decide they're going to teach them a lesson

Open World

[CGU_Grey]

Whoa, I think many of us (here, no offense) would be Virus gurus here if there would not be Open Source Community avable to "waste" our scources. When it comes to Virus coding, its done to harm others (ok ok, sometimes to learn too). It seems to be against ethics of open source to harm those wo help you.

Re:Open World

[QuantumG]

bah.. willfully infecting people is bad (m'kay) but what I program on my own computer is my business. Viruses are damn interesting and writing viruses is the first step to defeating them. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Reasons enough

[HiQ]

I think there are a couple of reasons why there are no (or few?) Linux-viruses around:

The graffiti principle
I think that a lot of the losers that write viruses just want to see what effect their 'work' has in the world; same reason as the nobrainers that spray their names on every wall they see.

Smaller target
No matter how much much you want to see that changed, the Linux/Unix market is smaller than te Wincrap market.

Effort
Due to all the differences in the Unix world, even between Linux distributions, it is harder to write a virus for these platforms. By writing virusses these guys already showed to be having no brain; so it's probably a bit more difficult for them to understand Unix.

Re:Reasons enough

[HiQ]

Sure, how many of those guys really dit write a new virus, without use of a 'viruslab' or simply copying the work of others?

Wasn't there a virus once before in Linux...

[mallie_mcg]

Was there not a virus embeded into one of the early distros of linux, or one of the games (one of the tetris like clones) ages and ages ago (pre 1996)
Was this not a non event

I can understand that a virus can affect files that it has permission to affect, and that if it can break system secucurity it can do what it likes, but a virus to get root, is it not going to be huge?
Current (antivirus) security for me (when done) is:
Only download from trusted sites and mirrors, check the checksum on D/L file before running/compiling.
Always use a non admin acccount (i dont usually do, as my systems are never on the HDD long enogh) boring -- long story
Backup all work -- REGULARLY DONE to CD


A virus that can alster kernel code, so how long will that last as a viable virus?
A patch to the source tree so that how/where the virus entered does not exist, reinstall from clean CD, upgrade kernel *POOF* problem gone. (for a while)
Big deal, IMNSHO the unix file security is secure enough as long as the kernel, and SUID progs are secure enough, that the WHOLE system should not really have problems.

Who really cares if a few ^Lusers lose/corrupt a few files through stupidity?

Linux Virus "Epidemic"

[a+poor+scribbler]

Confucius, he say:
Inoculate your system
With fearsome penguin.

Re:Hmmm...

[CaptainAlbert]

Hmmm indeed. I reckon there's not much of a way round the virus cycle (i.e. someone writes and releases something malicious, someone else notices, works out how to detect/cure/remove it etc. etc), and it doesn't matter what the underlying system is. What I *do* believe is that Linux will be less prone to virus attacks than certain existing desktop OSes, because its security model is fundamentally much more sound.

(OK, UNIX security was an afterthought. But Windows Security.... is there any??)

Re:Software will just "require" you be root 2 inst

[Suidae]

"Linux spreads to the clueless mass desktop user who *just* *doesn't* *care* the way we do about security, our concerns will not matter." Which is why the operating system must be designed to take care of this transparently. The vast majority of home users should not have access to their system files, but should still be able to install new software. Perhaps some kind of encrypted, signed installation packages that the system can verify as valid, then install into the system for the user, without letting the braindead user get to the system (without knowing what they are doing) would be a workable solution for home users.

Less sophisticated users == more virus problems

[imagineer_bob]

It's been my experience that the less sophisticated the user, the more likely he is to be affected by a virus. I've _still_ yet to be affected by one, even when half the office gets it. I just don't click on .EXEs that come in the mail, and I don't download and run software I don't have the source to, unless it comes from a known vendor. As the Unix community dumnbs down, I suppose they'll start getting viruses, too.

--- Speaking only for myself,

Source Virii

[Nuitari]

I remember a while back when the unix-virus list was active that someone actually made a "proof of concept" of a virus that will infect the source code in /usr/include when a program is run as root (witch can be frequent).

If this happen and actually gets out of hand, every program compiled on a machine could be infected by a virus.

Re:How to get infected using Linux...

[Erich]

Bzzt. Sorry.

calvin:~$ ./pointlessgadget

Okay. This can set several things. But there are lots of things it can't do:

1. Change env vars in the current running shell
2. Change the binary of your shell, unless you own it.
3. Change the memory of your shell process (or any running process). That's what virtual memory spaces are for.

I guess it could do something like spawn a new shell. That might be trickier to notice.

'Course, if you ask me, it's your own damn fault for running games as root. :-)

Knowlegeable users and admins...

[Codifex+Maximus]

are the ones who rarely get hit by viruses. The saying, "Prevention is worth a pound of cure" has never been more true.

If you are a Windows user, having Anti-Virus Scanners and Shields are a must. As is, utilizing safe practices like not running any code that is attached to mail or other documents without being real sure of it's being safe. Running cute little programs distributed by email is a good way to be infected with viruses!

Many of the same common sense ideas about viruses in Windows also holds true for any system including Linux. If you get code or programs from untrusted sources, you run the risk of getting hacked. With Linux, though, the source is open and under the scrutiny of many eyes - this tends to eliminate such vulnerabilities.

Bottom line: Safe practices will prevent the lion's share of problems.

Re:Hard to imagine

[C.Lee]

>patches. This is not Windows world, where you get the programs from
>your friends or some obscure web pages: usually, programs are
>distributed much more professionaly than in the case of Windows
>programs.

Exactly. Most people don't get software for linux from the Shareware-type sites that cater to the Windows crowd. We tend to get it from the author's homepage or a mirror site of Redhat,SuSE,Slackware ect. The Linux/Unix software distrubtion model is diffrent from that of Windows, which is something else the idoits who keep writing these ads,err "articles" for the Anti-virus software companies don't understand and tend to overlook.

Re:Linux Viruses

[jd]

Let's say that 10% of all installations out there are Slackware.

Let's assume that another 10% of all installations are Corel Linux.

Let's assume that a further 30% of all installations are Red Hat, with 75% of these being recent versions of Red Hat.

Then, let's assume that an additional 20% of all installations are Debian.

Now, let's assume that 20% of all installations are Mandrake.

To finish things off, let's say that 5% of all Linux installations use any other Linux distribution, and that 5% use =ANY= legacy Linux distribution.

To complicate matters, let's assume that 25% of all distributions are modified significantly from their original form. (eg: Upgrading the kernel, upgrading key libraries, replacing or upgrading key packages, installing software that affects the system operation)

Now, let's assume a virus is built to run under an original Red Hat 6.1. Then, you've 75% of 75% of 30% of the distributions, or just under 17% of what's out there.

A virus that will only infect 17% of its target audience isn't much of a threat to anyone. It'll die out from a lack of computers to infect. And that's from targetting the most common distribution out there.

The filing systems are important if you're going to write something more sophisticated, such as a virus that hides itself by marking some of itself as bad blocks. (The virus merely has to ignore the bad block markers to load itself in.)

However, SuSE is going to use ReiserFS by default and other distributions may follow suit. With no means of telling what the underlying FS is, in advance, the virus would need to be coded for them all. Otherwise, you lose out on the distributions.

Let's say you wrote a virus targetted at ext2fs systems with Glibc. Now, many distributions use that. Let's give it a generous 90%. But Slackware only recently moved over to Glibc, so that goes down to 70%.

Any person can switch over to ReiserFS, or some other non-ext2 system. Let's say that of the 25% of people who have significantly altered their system, 15% have migrated to another filing system. You're down to 55%. Let's make things easy and say that 5% use UMSDOS. Now down to 50%.

We're dealing with low-level operations, so RAID is going to seriously screw things up. Because Linux =is= used more for servers than the desktop, it's not unreasonable to put this at another 10%, bringing the total to 40%. Because something this low-level would require root privs, you're talking about a user who admins regularly with root privs. More than half of all sys admins know better, so we're talking a very optimistic 50% of users would be open to this. The total is now 20%.

Now, 20% is not much better, but it =is= an improvement. It means that 1 in every 5 computers targetted will be capable of running the virus, AND where the computer is regularly exposed enough for the virus to be able to infect it.

On every machine it cannot run on, it can't propogate. Thus, if there are entire regions in which NO machine can run the virus, NO copies of the virus can be spread by them.

This will =HEAVILY= retard the spread of any ext2 virus, to the point that you'll be up to antidote version 7.5.5 =LONG= before the virus has reached anyone you know.

Re:Linux Viruses

[jd]

When was the last time you saw anyone in the Linux community copy binaries by disk from one machine to another? If they have binaries, the chances are they either d/led them or they have the (usually free) CD. Either way, copying by floppy is DEAD.

(Well, almost. I admit I've been known to cart 100+ 3.5" floppies around, when there's no CD burner handy.)

Nor do any of the three viruses on that page obviate a single point. They're not going to work on different C libraries, and the distributions are (gratifyingly!) ultra-diverse there. Nor are any of these guaranteed to be kernel-independent.

The second one explodes, if you use "strip" on it, which makes it somewhat less than fearsome, and all three will set off Tripwire. They won't do terribly well agianst any restrictions on the number of threads allowed, either.

The "Linux Virus Plague" is more myth than reality, and more hype (to sell books & software) than substance. All the viruses documented have common, widely-available tools for detection and elimination, as well as being ultra-specific to a very narrow range of computers.

Now, if you want to claim that a virus threat exists, within that subset of Linux boxes that are identical to the virus writer's machine and have no Intruder Detection software, no binary verification, no restrictions on use, no ACL software, where the user always logs in as root, where a group of such people are geographically close and where only one person out of that group has a fast Internet connection, I'd have to agree.

On the other hand, I don't really think there are terribly many such groups, do you?

P.S. If you think a.out is dead, re-read the docs for the 2.3 kernel, specifically the /proc stuff.

Just sbin? You're mad

[Improv]

Only /sbin in the root path? Nothing else
should be run by root? That's crazy. You
mention that if you run other stuff as root,
you're going to rm something important at some
point. Really? Well, I guess your solution of
having root never even run rm *EVER* is certainly
a way around hat... Come on. While you don't want
'.' in your root path, at least the following
should be in there:
/bin /sbin /usr/bin /usr/sbin
and possibly /usr/local/bin and /usr/local/sbin

Devoid of Clues

[Dagmar+d'Surreal]

The author of the article was clearly writing outside of his field of expertise. Linux is not as vulnerable to virii because it actually has a security model. For a virus to infect a Linux machine, it would have to compromise the security model. For a virus to infect a Windows machine, it merely has to make a few function calls to start copying itself around.

Actually, I'm so irritated at this kind of irresponsible fear-mongering nonsense, I'm not going to comment further, because there's not a single nice thing I can think of to say about the guy at the moment, aside from possibly he might one day stop a bullet from killing someone with a clue.

Re:Devoid of Clues

[phred]

Yes indeed, the author, Simson Garfinkel, who co-wrote Practical Unix & Internet Security and Web Security and Commerce with Gene Spafford for O'Reilly is not qualified to talk about this issue. Yes indeed.

OK, now let's talk about "Devoid of Clues,' shall we.

-------

Linux viruses are possible, but harder. :)

[Windigo+The+Feral+(N]

Yes, it's possible to write viruses for Linux. folks. The first viruses period were for Unix and VMS boxen (back when the entire concept of viruses was still "proof of concept") though for the most part they never spread widely...

Right now, about five or so viruses exist for Linux, all of which are for the most part "proof of concept" viruses. They've not spread widely, in part (methinks) because nobody yet wants to spoil a Good Thing...there eventually do come Bad Folks who do want to break things just out of meanness, though (look at the history of Usenet going into the shitter for a class example), so we can't rely on the good graces of most Linux users for long.

That said...I can state that writing viruses for Linux would be considerably harder. Basically, the virus would have to propogate as root to spread much of anywhere; the fact that most Linux programs are still distributed as source code also helps much in preventing infections. (This is not to say it's impossible, just much harder.)

About the easiest ways I could actually see viruses spreading under Linux the way they do under certain Microsoft OS's That Shall Not Be Mentioned are under the following conditions:

Binaries which must be installed from RPMs and as root become a lot more common. (As others have noted, there are early signs of this occuring, and to be honest I'm as nervous of this as other folks. All the more reason for teaching folks to "Use the Source, Luke" ;)

If a virus comes out that can also take advantage of system insecurity to get root. (If memory serves, at least one of the "proof of concept" viruses for Linux already does this. This is not impossible.)

If (Cthulhu forbid) a virus were to come out that specifically targeted GCC and/or other compilers. (Again, "proof of concept" exists in a roundabout way for this--specifically, the infamous "backdoor" in early versions of GCC...an original copy was made with backdoor code, and whenever it sensed it was compiling code for the login portion of the OS it inserted the code for the backdoor even if it did not exist beforehand. Even worse, if it sensed it was compiling another copy of itself, it inserted the backdoor code even if it did not exist in the source...a very nasty and clever hack, and one which could cause viruses under Linux to spread like wildfire were it to be repeated to spread viral code (say, as an RPM of GCC binaries--frighteningly enough, these actually exist in most flavours of Linux that install from packages of any sort) and it would be almost next to impossible to avoid (you'd have to recompile from a known, clean version)...)

If (Cthulhu forbid!) Microsoft Word or some similar word-processing program that has macro languages that commit Serious Misbehaviour were to become widely used. (Don't laugh this one off, either, folks. Word macro viruses are the SINGLE worst virus problem nowadays--more Word macro viruses exist than binary viruses, and more than one Word macro virus has been found with "droppers" for binary viruses or trojans...even worse, Word macro viruses with droppers for Mac andWin32 viruses are known. If Microsoft gets split up and Linux becomes much more popular, it is conceivably possible Office might get ported to Linux...even if it doesn't, it's also possible someone will write an office suite with hooks into the OS (which is the source of most probs with Word macro viruses--Office's macro languages have hooks into Visual Basic, and VB has a crapload of hooks into Win32 itself to the point some folks actually write entire Win32 applications in VB) which would cause similar misbehaviour, because a lot of folks from the Windoze world REALLY like their damned macros...which, incidentially, is why offices seem to get continually infected with Word macro viruses if they don't take "precautions".)

IMHO, all except the last two are fairly unlikely (and the second to last is unlikely unless you were to get a rogue person in place at one of the distro sites)...the things Linux has to worry about more (in fact, the things that are becoming an increasing worry even in the Windoze world) are trojans and worms.

Worms, after nearly having died off a few years back, are now back with a vengeance. First it was mIRC macro-worms (mIRC, a common IRC client in the Windoze world, has a rather powerful scripting language that can unfortunately be abused to create worms that propogate largely through DCC chat requests), now the big problem seems to be both trojans (like PrettyPark.exe) and an increasing number of Word macro worms which propogate through taking advantage of security holes in almost every program that exists for Internet apps in Windows (Agent, Eudora, Outlook Express are just a short list of programs in which worms have propogated in).

Trojans and worms have existed before with *nixes (Washington University FTP has frequently been trojaned with backdoor code, among others; I think we all know about the infamous Morris Worm). If we let security practices get lax in writing Linux apps (especially the "user-friendly" sort of apps) and especially if we do Bad Security Practices with stuff like scripting languages, etc. for apps, we could probably end up in the same boat as far as worms and trojans go. Hell, as someone noted, DDoS apps like Trin00 have been found on Linux boxen that have been compromised; I'd be really shocked if someone doesn't figure out some way to distribute a DDoS client as a worm...

So, no, we can't be lax. But part of the battle is knowing what exactly to worry about. Win32 in general, and especially Win9X, has a lot of basic security flaws that enable stuff like viruses and worms and trojans to propogate. Linux has a more secure setup if used properly--we don't want to turn it into a Windoze clone (lest we end up with the same problems) but in making Linux easier to use we want to learn from the mistakes made by a certain company in Redmond (and also by a company started by the Brothers Steve, for that matter) so that we don't repeat those mistakes. :)

Re:Hard to imagine

[Cardinal+Biggles]

But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out?

I'm a bit skeptical about this backdoor possibility in official versions of the kernel (or gcc or some other important piece of free s/w). People have been suggesting it for years, but it's never actually happened.

How hard would it be to do this without any of the other developers noticing, and (important for virus authors) remaining anonymous? Too hard, I guess.

I think that backdoors in proprietary software are a much bigger danger. It's much harder to tell whether there is one, and if so, where it comes from.

Poor commentary

[sparks]

The argument that potential virus writers are holding back because they're too busy making money off the web is just silly. It's a very superficial level of analysis. What's more, it's based on ignorance.

After all, if every potential Linux virus writer were only holding back because they're too busy making money off the web, wouldn't the same be true of Windows virus writers? So we'd expect a tailing off in the number of new viruses? In fact, there are more new viruses around now than there have ever been.

Furthermore, historically the worst (greatest?) virus writers have been from the deprived, poverty-stricken communist states of Eastern Europe. That was back in the bad old days of course - things have changed. Now, they're deprived, poverty-stricken capitalist states. But they still write really clever viruses. And Linux is incredibly popular there.

One notable thing about a 15-year-old computer geek from Romania with an inclination towards malicious coding; his opportunity to get rich from a .com IPO is very slim indeed.

So the talent is there; the circumstances are there; but the viruses are strangely absent. Why? Two reasons, I think:

• Virus writers don't hate Linux they way many of them hate Windows. Maybe that will change, but I don't think it will.
• Linux is more secure than Windows (certainly in its 9X incarnations). It *is* a challenge to get malicious code run as root - if only through age-old security practices such as not having the current directory in root's path, which every Linux distribution enforces as default. A lot of code *is* compiled from source on the box it is run from. We by and large *don't* share fourth- and fith-generation copies of pirated games (complete with "extra functionaity" picket up at some stage) on Linux.

As if the "web commerce" theory wasn't silly enough, Garfinkel then suggests Linux needs anti-virus software before it can be taken seriously by business.

Excuse me?

Even although there are no Linux viruses, he thinks there is a business need for software to remove them?

How can it possibly be better to have viruses and anti virus software than to have no viruses in the first place? Which makes better business sense?

It's a symptom of the Microsoft-inspired brain softening that so many journalists seem to suffer from. Anti-virus software is not a good thing for an environment to need. Not needing it, and therefore not having it, is a good thing.

The poor design of certain Microsoft products allows malicious code to spread easily. That's a fault. Software exists which, at great expense, time and effort can keep your systems pretty much free of it. That's a kludge, albeit a necessary one. This is not a model we in the Linux community should seek to emulate!

So will there never be a real Linux virus? Well, I think there probably will be. Probably a good few. But will be as dangerous as windows ones? I don't think so. Will they spread as easily? Certainly not. Simply employing good security practice on your Linux box should be enough to keep it clean forever.

Minor correction (sorry)

[Goonie]

Add "binary" to the first "virii" in the last paragraph.

Hmmm...

[BJH]

A couple of points (I'm paraphrasing here):

o "There will be a flood of Linux viruses after the economy goes south": Why? Because all those programmers who would otherwise have been able to make millions via IPOs will to turn to virus writing instead? What kind of argument is that? Most virus writers don't have the business acumen or social skills of a dung beetle.

o "We need programs that will prevent viruses from mdifying the kernel": And how, exactly, are they supposed to do that? The most common way of cracking a system through kernel changes is use of modules. How is this hypothetical virus detection program supposed to distinguish between genuine modules and viral modules? You'd have to have a list of approved modules with MD5 checksums for each of them, and that'd still leave you open to subversion of either the applicable areas of the kernel or the virus detection program itself.

Re:Viruses will come...Free Software isn't ready!

[Cycon]

There is some Linux antivirus software outthere. They don't do anything useful sence theres no viruses to stop. But some hobbyists are sereous tweeks.
That's not true. We happen to run linux antivirus software at the elementary school where I work. Why do we do it? Because we user linux for our mail/web server, and it's pretty damn convenient to have your mail server check incoming mail for macro and other viruses, instead of just relying on the individual machine's protection.

If we used a linux box running samba as our main file server, I imagine such software would also be helpful.

Besides, it's easier to update an individual system on a regular basis than to have rely on the assumption that the automatic software worked on each and every machine on the network.

--Cycon

Re:An EFFECTIVE Linux virus is very difficult

[Bad+Mojo]

The boxen thing is actually not typically someone trying to sounds really important or complex. In my experience, most people use boxen exclusivly to refer to computer boxes. Never as boxen of doughnuts or similar. The reason seems to be that a computer box is an animal. And the plural of box (as an animal) is boxen, in order to denote some difference from boxes (non animal/computer).

Get yourself in a room with 10 Sun Enterprise 250's and 10 Sun Enterprise 250's shipping boxes and tell someone to throw the sun boxen out. See which `asset' you lose first. ;)


Bad Mojo

Real, as in significant damage on the aggregate.

[FallLine]

Well true, I'm not forgetting that by any means. I regard a "real" threat though, as being something more than just the ability to erase a few files on a few isolated individuals. For me, to be a "real" threat, it must be sufficiently viable to travel across the country for a couple generations, and must have the ability to set back a great number of users who employ reasonable generic countermeasures. For your information, I don't regard Norton antivirus, or what have you, as being particularly "reasonable" because it requires an extensive database and direct knowledge of each paticular virus.

If your primary concern is the destruction of documents, it would be a trivial matter to make a "secure backup" by simpling crontabbing a cp to copy all the users critical files to inaccessible parts of the file system (without any additional hardware. In fact, it might be kind of intriguing to create a "delta" filesystem, where the user can recover/mirror any changes made to defined parts of his filesystem (maybe virtual fs) in, say, 10 minute intervals. So if I were to erase or corrupt all documents, i could just step back 10 minutes or up to, say, 20 days, and recover trivially...maybe my next project). Additionally, most of these dos viruses even don't go straight for the documents, they go after crucial system binaries, the MBR, you name it...which have the same effect, with only a few lines of code. Furthermore, in order for the virus hurt Joe Schmoe Linux user with any real likelyhood, it needs the ability to propogate itself; the file system and the general design of Unix makes this task require something more than just basic skills with ASM, VBA, or what have you. In other words, unlike windows systems, the hax0r needs to be somewhat innovative (assuming the vendors/distros start paying real attention to security issues) at the very least to create a viable virus, and particularly to sustain that threat.

Re:Real, as in significant damage on the aggregate

[FallLine]

Well any sensible user is apt to have the applications installed (owned by) as root, or some other user. Thus, since you can't modify the application binaries (baring some kind of exploit), you couldn't have the application corrupt or encrypt the documents. The hax0r could, of course, write a program that just goes straight for the documents (though that would likely be quite ugly and detectable).

While I guess it is possible encrypt the documents, it doesn't make a great deal of advantages over erasing. I, a half intelligent user, could write a trivial crontab script (or for that matter just about any other backup scheme) that just backs up /home/fall/documents/ to /backup/documents/$date/ (root owned of course). In other words, whether the files are erased, corrupted, or encrypted is essentially irrelevant.

In regards to my "delta" backup scheme (though most likely overkill), it is essentially foolproof within the confines of its design (e.g., unless root is attained and the HD itself is accessed). My initial mention, simply takes snap shots of all files in the defined filesystem (or rather virtual filesystem, as opposed to having to check part of an ext2 partition every other minute) on a given interval (though I could do it continously (e.g., on every write and erase)), and, with the intent to conserve space, only the DIFFERENCE [hence the word 'delta'] between the previous snapshot and the current snapshot would be physically saved. Most users' documents in a given year(or code, or what have you) are typically relatively small, and, I believe, that with my delta scheme even all the changes to the files over the course of, say, 90 days could be stored without a great deal more physical storage required. Thus, no matter what happens at the user level, the user always has the options of returning to the state of his filesystem up to 90 days before. In other words, if I have preexisting 'snapshots' of unmolested files, and the user (virus) encrypted/corrupted his files, the only thing that would happen is that he'd waste that many bytes of physical data...

It might have other uses as well. Though for people who're heavily into graphics/multimedia or what have you, the space requirements might make it infeasible for such applications.

UNIX (and Linux) viruses - the real story

[seifried]

I've written an article on this topic:

UNIX (and Linux especially) viruses - the real story

Re:UNIX (and Linux) viruses - the real story

[QuantumG]

hey silvio :)

Re:UNIX (and Linux) viruses - the real story

[QuantumG]

you make some good points in your article. But most of the things you say stop viruses are just hurdles, things to get around. There is research into getting around these hurdles and then battling those techniques. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Mean scripting

[Graymalkin]

Virii need not be the all powerful super destructo weapons that bring systems to their knees. They can just be annoyances that don't actually do "damage". Here's an example of one I've seen. Someone writes a little ditty and names it ls, they upload it (you figure out a way to do it and it'll get done). Then when someone lists the files in the directory it runs instead and does something cute like change the user's password. The user logs in the next day only to find he/she cannot log into their account so they have to email the admin to get their password changfed back. It doesn't really harm anything except a user's productivity. This is where Unix finds itself susceptible to unauthorized programs. Linux isn't anymore invincible to virii attacks than Windows is, it merely makes the attackers me a little more clever. Users who aren't familiar with proper security run as root a good deal of the time, they also like to download little goodies since they are free afterall. Joe Newbie downloads what is supposed to be a desktop toy for KDE and it turns out to nuke his home directory or change his password or some such thing. It's no different than getting a malicious Windows virus.

Disappointment

[phred]

This is one of the most disappointing story blocks I've seen on Slashdot in a good long while. The self-absorption and lack of even basic rhetorical skill is pretty disheartening. Not to mention the shallow understanding of the issues. It makes the few comments that really get into the technical considerations stand out that much more.

The number of "write-mostly" humanoid bots on Slashdot these days is the most dismaying thing, though.

For those still not clear on who Simson Garfinkel is yet, here is your FREE CLUE!.
--------

Re:Linux Viruses

[Sloppy]

It has to support Linux 1.x.y and Linux 2.x.y kernels, It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m64k, ppc, S/360 and any other architecture Linux supports.

Support 2.2 kernel, glibc 2.1, i386, and your virus will do fine. In that regard, the virus writer's challenge isn't any worse than a close-source commercial developer. If Loki can get Myth2 to run on your box, so can a virus writer.

And because you can't know what the virus will run on ahead of time, it would have to run on EVERYTHING to survive.

That's quite a leap of logic. It doesn't have to "run on EVERYTHING to survive." Windows viruses don't run on everything -- they only run on Windows. Amiga viruses don't run on everything -- they just run on Amigas. But the viruses survive. Sure, they will fail to infect some systems. But it just has to succeed sometimes -- and that will be good enough.

Any claim that someone could =write= a Linux virus which is not so specific as to be useless is plain stupid. Such an animal does not and CAN NOT exist. Linux is far too diverse, now.

I hope that someday, you prove to be correct. But for the time being, Linux is still fairly homogenious. Use the default Red Hat 6.1 installation options on a x86 box, and you will have a "typical" Linux configuration that will serve as a pretty good development target for your virus.

---

Common sense VS Anti-virus software

[J�r�me+Zago]

I must say I don't understand all this fuss on computer viruses... I have run a Windows box without any virus protection for many months, it was on the Internet most of the day, and I never had any problems with viruses. I do believe it's mostly a matter of only downloading software from trustable locations, and not running any executable sent by email or DCC GET from someone you don't know or don't trust to be careful enough.

Of course, these principles also apply for any operating systems, including AmigaOS (where I actually got viruses from pirated floppies) and Linux.

Re:Contagion

[Kaa]

if someone actually wrote a mail reader for Linux that was so helpful that it says, "hey -- here's some new mail for you! Let me immediately display it in this window for you!

Well, besides the obvious note that in order to look at an email you *have* to display it, AFAIK at least some mail readers in EMACS would helpfully execute any emacs-lisp code they found in the mail message. Of course that probably was in the olden days and these readers got patched many moons ago...

Kaa

Re:Hard to imagine

[PhoboS]

But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out?

This would be really difficult to accomplish. If the driver is for a popular hardware there will be more coders looking at the driver and thus a bigger chance to spot the backdoor and remove it. And if the driver if for a more unusual hardware, so that nobody will notice the backdoor, then very few users will be affected.

Re:It will happen - but not as bad as windows

[powerlord]

But what about the effort to incorporate a scripting language into KDE as well as the interoperability of the the KOffice and Konqueror. I'm not sure that there is a mail client included (which might limit the distribution mechanism), but it does seem like the desktop may soon get quite a few of the 'pieces' needed for a mellisa-alike.

This isn't ment as a flame against KDE. I keep switching off between KDE and GNOME and like a lot of the aspects of both (although it seems like KDE will have more 'killer apps' sooner, I like the 'feel' of Gnome better). Please, someone explain what about the nature of the apps will keep something like this from happening?

Re: Debian

[coyote-san]

Debian *releases* tend to come out at a glacial pace (but still at a faster pace than most other OSes - 1 year vs. 3 for MS (95, 98, 01)), but Debian *security patches* appear within hours of the problem being reported on Bugtraq, CERT, etc.

Re:Hard to imagine

[dlc]

Well... not so hard to imagine. Remeber Ken Thompson's CC hack? (slashdot rated it 3rd in the Top 10 Hacks Of All Time thread).

Cthulhu for President!

Re:How to get infected using Linux...

[QuantumG]

can happen, has happened, check silvio's source in the next few days for code to make it happen.

Root isn't a barrier any more

[Junks+Jerzey]

Lots of people are saying "but a virus needs root access" and so on. In the olden days of yore, only a few sysadmins had root access. Mere users had to install software in their home directories, or they had to ask a sysadmin to put it in a global location. Things are much different now, with almost every Linux user being his or her own sysadmin. Every time someone grabs a new kernel, a new version of GNOME or KDE, a new version of gcc, a new video card driver, or just about any software, that person becomes root to do the installation. It would be relatively easy to upload a trojan horse claiming to be so-and-so and thousands of people would download it, switch to root, and run it. Then something could be installed in the .bashrc file for any user--or in the crontab--for example, and only the very hardcore are going to realize it. And that's just a simple case.

It's not the OS or the uses; It's the culture.

[AdrianG]

When M$-Word is released with an appallingly unsecure macro language, and when the virus writers demonstrate this, it never occurs to the M$ developers or their user community that the answer is to remove those capabilities in the macro language that make it unsecure. Their answer is to live with the unsecure language and construct an elaborate system of virus signature scanners, virus cleaners, and a virus signature distribution system.

When sendmail or pine is discovered to have a flaw that can be exploited to gain unauthorized access to a system, we, as a community, see this as a problem, and the problem gets fixed. It would never occur to Eric A. to leave an exploitable flaw in sendmail, because he knows that we won't accept it.

As long as we, as a community, are determined to see security flaws as unacceptable aberations, we will never see a proliferation of Unix/Linux viruses that we see in the M$ world.

Linux Virii whole different ballgame

[karb]

The hardest part about making linux virii is making the infection available in the first place.

The only effective ways I'm aware of involve tainting the source of a major distribution, or the patch to a program.

Since these are very closely monitored, a virus writer would actually have to crack a server, and place a virus/trojan in the code (which did happen to win.tue.nl a year or so back).

Because of this, really strict control by distributors would fix virii problems (excluding worms). And you know what? Having 7 distributions really helps. Having a virus in your distribution code could quite possibly be fatal for your business.

No-Code didn't hurt Ham Radio

[wowbagger]

The No-code license didn't hurt Amateur Radio, the lack of enforcement from the FCC did. Just listen to 75 Meters, which a no-coder like me is prohibited from operating on. It's the biggest cesspool imaginable. While some of the operating practices on 2 meters (where most no-coders operate) have dropped a little, the major problem is a lack of substantive enforcement.

Same thing for Linux: We must enforce rules to prevent the spread of viruses and trojans. Minimize suid programs, discourage binary-only distributions, encourage distro vendors to close known security holes by default, and last but not least, nuke the living hell out of anybody who creates a virus! Find the person responsible, and make sure they only get to see striped sunlight for a long time.

anti-virus software

[KGBear]

Instead of anti-virus software, why not software that helps people plug security holes? Software that could advise on proper use of the root account, sensible measures when installing rpms or kernel modules, and require an interactive password before writing to +x files?

Economic ties and crime

[Duxup]

"But if the economy goes south, we're likely to see a suddenly bloom of viruses from out-of-work overachievers."

I've seen many studies where traditional crime levels do indeed react with the prosperity of a nation or state, or even city's economy. It would be interesting to see if viruses react the same way (as adjusted for it's normal growth rate). I can't see why not.

That's not to say that if the majority of programmers out there lost their job that they would turn to producing a virus or two (heck, maybe we'd see a jump in independent contributions to OSS programming). However with an economy as such I've found myself working extra hours (hey they're paying for it!) and less time spend on personal computer interests . . . for all I know during that time I may just have turned those idle hands to something less "productive." For myself I'm sure it would be something more horrible like Pokemon . . . but for others maybe viruses.

Will it be too fast, too much?

[Duxup]

The only thing that worries me about this is that for such a long time Linux has been relatively (sure a few here and there) virus free. Those producing anti-virus protection MS world (not to say that they're the panacea of virus protection) had viruses from the early days when they traveled from floppies to floppies slowly but surely. Early viruses were quite crude and most very early ones didn't actually damage squat. Some outbreaks were damaging but relatively slow and the anti-virus packages evolved with the viruses and do pretty well (IMHO).

Linux however now finds its self growing in popularity at an astonishing rate, connected to a great virus spreading medium, humans on the inet. If viruses did start to break out and they were fairly mature, could it be too fast for people to avoid some severe damage.

I'm reminded of a military strategy taught in a collage course I took once where a fairly simple theory was demonstrated that actually not hitting a target often pulls an enemy's resources to the areas where you are attacking (away from your next likely target). Then striking that target often is easier since the defenses are weaker and have not prepared for such an attack.

Real damage?

[jesser]

The hax0r, to do real damage, must find some way to get his code executed as root.

It's been said before by other people, but...

You can do a whole lot more damage on a single-user computer by wiping out his/her documents than by messing up the operating system. The operating system (and programs) can be reinstalled in a few hours. Personal work can't.

--

Re:Real, as in significant damage on the aggregate

[jesser]

Ok, I think it's safe to limit this discussion to machines with one or two users who don't normally log in as root.

[Disclaimer: I'm not a linux user.]

It's possible for a virus to modify the programs that each user has installed so that the file formats are changed, perhaps to include encryption with a unique key for each instance of the virus. That makes any normal form of backup bad. Your "delta" idea would work a lot better, although any changes made after the virus started encrypting data would still be lost unless a method could be devised to get the virus to give up its encryption key. (And this would be worse than having your data wiped out at first, because you could recover everything in that case using the diffs.)

--

Intrusion Detection Software offers protection

[G27+Radio]

The fact that root priviledges are required offers a great deal of protection in Linux (and other *nix's.) Of course a lot of software needs to be installed as root so we aren't completely protected. I think people are more likely to write trojans than viruses for Linux due to the fact that Linux boxes are useful to remote users as well as local users. That's neither here nor there though...

If you are running Linux you should absolutely be using some sort of IDS (Intrusion Detection Software.) I use aide. It's a 'tripwire' type program that detects changes in files (using an MD5 hash.) I have it configured on my home PC and my server. It runs via cron once a night, then e-mails me the results. That way if someone (or something) changes the kernel or an executable, library, script, etc, I'll know and be able to replace the altered (or infected) files. Software like this should be part of Linux distributions IMHO.

I realize that Virus Detection is not the same thing as active Virus Prevention. Of course, the root login requirement goes a long way as far as prevention.

numb

I'd say linux is less virus-friendly...

[D.+Mann]

...not because Linux has superior virus detection, but because the average Linux user won't execute a file named "HAPPYFUN.EXE" that's emailed from someone he doesn't know. Please excuse the generalization, but the average Linux-user is much more computer saavy than the average Win95/98 user. Plus, the open source spirit does a lot to cut down on a virus. It's very difficult to hide a virus in source code. "Hmm, what's this stretch of uncommented assembly language?"

Re:Viruses will come...Free Software isn't ready!

[jw3]

Disce, puer, Latinae.

Salve,

Ianuarius

Apples, Oranges

[swdunlop]

Thompson's hack was not part of a large open source project, with many, many people eyeballing it. We are talking about a very, very pure and special case. Here's why his hack would fail, today:

He's not the only game in town.

The cc/login backdoor was so damned clever, because that was the only C compiler available. You needed a C compiler to compile and generate newer versions of C, therefore the hack was propagated.

Nowadays, there are many C compilers, and they have become the de facto standard for building software. (Not a preferred standard. Python/Perl/Eiffel/Fortran fans please direct your flames to /dev/null or root@microsoft.com)

The point we are trying to make is, if a product is distributed as source, these kinds of blatant backdoors are going to be discovered. If not by someone auditing the code, then by someone who wanted to 'patch' some broken functionality. The /real/ danger are the little buffer overruns, race conditions and other common bugs.

Why viruses don't happen on Linux

[Tetsujin]

OK, so it's not, strictly-speaking, impossible for a virus to attack a system that's not 100% securely managed - but there are a few reasons why Linux viri are still -impractical-

1: In order to gain any substantial power on the system, the virus needs to use an exploit of some kind - the available exploits tend to change as software evolves, security information spreads, etc. So even if there are plenty of openings, they may not be the ones that were there when the virus was written.
2: The opportunities to spread are very limited. Unless there's a known remote exploit the virus can use to spread to other systems, it isn't likely to be able to do so. This means it'll really just wind up being a trojan horse program. And once the virus is found, and its source determined, the alert will be out and no one will get that "virus" anymore. Since remote exploits are taken very seriously these days, it's quite unlikely that any given exploit will exist long enough for a virus to take advantage of it.
3: Prepackaged Linux. Sure, so a lot of users aren't that security-minded - that's why low-maintenance prepackaged distros make it simpler. By not including unneeded service daemons, the potential for exploits is cut back. By providing most of the needed software on the distro site itself, most of the potential for introduction of malicious programs is removed. And while a lot of these systems will be running a lot of games, remember as well that SVGAlib is on the decline - systems like X DRI and framebuffers are on the way in - when game makers can rely on these technologies, there won't be need for any more SUID root games.
4: They're just not tolerated on Linux - it's really that simple. In the DOS/Windows world, viri are considered almost a fact of life - and if you get one, well it sucks to be you. In the Linux world, the existance of a virus indicates that there's some sort of flaw in the system design, and developers will work to disseminate information on the flaw, and fix it.

Who is Simson L. Garfinkel?

[cburley]

Articles in the Christian Science Monitor:

1989-09-12 Page 8
Software Makers Row Over Patents

1989-07-12 Page 9
Developing Software Is No Picnic

Sometime around 1988
A large article I can't lay my hands on, in which he describes Project GNU. This was one of the articles that inspired me to contribute to GNU by 1989, which led to the development of GNU Fortran (g77). At least, I'm pretty sure it was authored by SLG!

Article in Technology Review:

1991-02/03 Pages 53
Programs to the People "Computer whiz Richard Stallman is determined to make software free -- even if he has to transform the industry singlehandedly."

SLG may be wrong in his predictions, but he's not writing as a newcomer to Linux, Unix, GNU, or free software in general.

Figthing Virus

[AmoebafromSweden]

But the linux community should be/are going to be more open in acknowledging security bugs and virus.
Therefore fighting Virus and other security bugs or whatever that may arise would go faster and be more efficient. There is no big company that can issue a propagandistic pressrelease to cover up the truth.

Therefore Linux should evolve faster and in the end be strongest in a security perspective.

The openness is a strong pillar for linux to rest on.

Diversity will reduce the problem

[Megane]

Let me start by asking: why haven't there been many Macintosh viruses? Sure, it's not that popular a platform to begin with, but it had its share of viruses at first.

Then something happened. The first "stealth" virus, the WDEF virus, came out. Instead of using the OS calls like a good little virus, it tried to bypass them and jump right into the ROM, to avoid detection. This was about the time the Mac IIci came out, with a completely recompiled ROM. Instead of spreading, it crashed the machine. There have been a few recompiled ROM versions since then, but then Apple switched over to the PowerPC, increasing the diversity level. If a virus is incompatible with a good number of its target machines, it doesn't spread well. It's much harder to write a virus for a diverse platform.

And have you noticed how all the virus threats lately have been involving e-mail viruses and worms? This is because MicroSloth came up with a pitifully easy virus transmission method, by allowing live code in what was formerly only data. Worms and viruses spread best when they have a convienent way to propagate.

And how many Windows NT viruses are out there anyhow? I'm not talking about macro viruses here, I'm talking about real native code viruses infecting NT. Not too many of those, huh? Because, like Linux, there are more internal barriers for a virus to overcome. Plus, some of the macro viruses don't work under NT, even when the user logs in as Administrator all the time, because NT stores some of its files in different places than 95/98.

Now back to Linux. The creators of various distributions are having a hard enough time agreeing where to put various kinds of files, that a virus can't depend on their location. Diversity again.

About the only thing that is consistent is services on various ports, but you can't even rely on a consistent set of vulnerabilities, because the more clued admins will be able to upgrade from a source tarball.

In what form does Linux lack diversity? First of all, in a common binary format. This means that a virus can know where to patch, and a worm will run on many machines. There can be some problems in library availability, but a worm could just statically link itself. It could also spread by source code, but it can't rely on a given Linux box having a C compiler (or Perl interpreter for Perl worms!) installed.

And diversity is reduced by popular distributions like Red Hat and Mandrake which tend to be preferred by the "naive" (in a Unix admin context) users. I recently got DSL, and at least one port probe I received came from a system on a cable modem running (surprise!) Red Hat 5.2. And finger said nobody was logged in. I am quite sure the port scan was NOT initiated by the owner of the machine.

Now a big question: why a virus over other forms of attack? Personally, I think a "worm" (a program which spreads intact copies of itself, rather than inserting itself in other executables) is better suited to the Unix and Internet environment. All it has to do is carry around enough "skr1pt k1dd33" code and it can spread through less-protected systems.

However, as awareness over stack overflow bugs increases and other vulnerabilities, such holes will decrease over time. The slow animals in the herd (Red Hat 5.2 "default" installs) will be more easily taken down than others.

Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.

As to viruses in source tarballs, those are rather unlikely. Certainly it is difficult to generically add virus code to source code, but many source releases include some sort of validity check like an MD5 signature. And these days, the source is usually taken from THE official archive.

In summary, I think Linux is diverse enough that viruses will be too much effort to write. Worms are much more likely to become a problem in the near future.

Linux Viruses

[jd]

Yes, I believe Linux Viruses will take over the world!

What carp!

Stop and think for a moment. To produce a binary Linux virus (as opposed to a script virus), you have to have a virus capable of handling a.out and elf binaries. It has to support Linux 1.x.y and Linux 2.x.y kernels, It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m64k, ppc, S/360 and any other architecture Linux supports.

Why? Because if it can't run, it won't spread. And because you can't know what the virus will run on ahead of time, it would have to run on EVERYTHING to survive.

Then, of course, if it's doing low-level appends, it's got to support ext2fs, ext3fs, reiserfs, xfs, jfs, ufs, umsdos, and any other filing system that Linux could be run off of.

Script viruses don't have it any easier. You've no way of knowing if bash 1, bash 2, csh, tcsh, ksh, zsh, perl, tcl/tk, python, or any other given shell is present, never mind used. Nor can you rely on a given version being present. Perl and Tcl are extremely version-sensitive, making viruses in these languages either dependent on there being specific versions installed, or having support for many many versions.

Then, there's always the problems produced by the International Kernel Patch (which can encrypt partitions for you), Tripwire and its many clones, the various Linux Kernel hardening projects, etc. If a virus can survive all of that, it almost deserves to conquer the world.

Windows viruses have proliferated because there is a high degree of uniformity at the low-levels. This just doesn't exist in Linux (thank God!) and probably never could, at this point.

Any claim that someone could =write= a Linux virus which is not so specific as to be useless is plain stupid. Such an animal does not and CAN NOT exist. Linux is far too diverse, now.

Some people may have heard of the concept of "biodiversity", whereby living organisms protect themselves from real diseases or attacks by being as different and diverse as possible. Linux has gained that same protection, now, and is immune to all-encompassing attacks. Only specific attacks are of any use, and the more diverse Linux is, the more specific those attacks need to be. It could reach the point where they can only run on one machine. OOOOH! SCARY!

MISSING THE POINT

[Bilbo]

You're missing the whole point of the article. What the author is trying to point out is, the reason we don't see Linux viruses is not because Linux is "immune", but because (a) current users are mostly techie types who understand basic security, and more important, (b) the pool of targets is smaller.

Think about it... I'm some bored script kiddie who wants my 15 minutes of fame. Am I going to try to write a virus to infect hundreds of systems, or hundreds of thousands?

The point the author was trying to make is that the landscape is changing. As we are celebrating all the new people who are starting to use Linux, and all the easy-to-install distributions, the "average user" is changing. You no longer need a degree in CS to simply use a Liux system. Just as there are plenty of unsophisticated Windows users, there will be unsophisticated Linux users. Add to this the hordes of home users signing up every day for always-on fat pipe Internet connections. There are ways to worm your way into a Linux system, especially if the "administrator" is clueless about security. (Read: buffer over-run bugs, SMTP vulnerabilities, etc...)

I'm not about to plunk down $50 for a questionable Linux "security" product, but I do try to keep an eye on what's happening to my system. More important, distributions like RedHat and ilk need to carefully consider what their default configurations look like, knowing that setting up maximum security as the base configuration is a wise thing to do. If users need more flexibility, then let them learn about what the tradeoffs are, so they can open up only the doors they need. Support organizations need to make security a top priority, making sure that everyone -- even the clueless newby -- can keep their systems up to date with the latest security patches.

Security -- no matter what your OS is -- doesn't come for free.

It will happen - but not as bad as windows

[szyzyg]

Viruses in various forms will propagate - there's loads of programmes which are vulnerable. But I don't see the huge problems with macro viruses occurring, there won't be any 'melissa'.

Trojans are already turning up here and there.

The trick is not to assume that something is more secure than windows, if you end up being copmplacent about security threats then you get what you deserve. You don't need to be paranoid either, and being paranoid doesn't mean spending money to support the anti-virus software industry. It just means making sure your code doesn't increase the risk to the whole.

So - if you spot a problem - then talk to the people who should deal with it.

Re:It will happen - but not as bad as windows

[QuantumG]

really the key here is to keep linux viruses open source and support linux virus developers.. it's really quite comparable to the biological warfare debate.. if your own people arnt making them then how will you know how to combat what the enemy is doing? The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Re:An EFFECTIVE Linux virus is very difficult

[Goonie]

As linux becomes more popular binary distributions will become common.

Agreed - in fact, they already are

Download a binary that has a virus and run it as a normal user. OK - where from? ftp.debian.org? If I check the signature on the package I can be sure that it's as the package author sent it out, and I trust that package author not to have virii on his/her machine. I (as a programmer), wouldn't download binaries from an untrusted source (as I might get a trojan, which could do far more vicious things than a virus), but a newbie might and would get infected.

Lets say the user now compiles some code, that binary will be infected, the user puts the binary into a tar ball and shoves it onto their ftp site for distribution.. the virus spreads.

The type of people who download untrusted binaries don't tend to upload binaries either.

I still remain unconvinced about the abilities of virii to do real damage in the Linux environment (heck, binary virii haven't really caused problems in the Windows environment for years). However, you make some good points. Now that these vulnerabilities in the ELF file format and the Linux kernel have been pointed out, is there any work being done to close them?

Possible, but far far more difficult.

[FallLine]

The file system, while not perfect, does complicate things significantly. The hax0r, to do real damage, must find some way to get his code executed as root. This means he must:

a) Convince the user to run his stuff as root.
- This of course will not work against most intelligent people
- If, and when, such viruses start emerging, the current Linux using populous can be educated about this.

b) Have the user unknowingly run an exploit (to get root privs) plus virus code.
- The problem with this, though clearly possible, is that, in order to gain huge distribution, it needs a relative stable set of exploits. Most known exploits do get patched relatively quickly, just many current users are sufficiently dilligent to apply them. Here again, a linux virus/hacking epidemic would get most users act in order. Things such as automated patch retrievals/installation (or, at the very least, email) could also be implimented. Furthermore, this revolves more around the stupidity of the vendors (read: distributions) than it does the actual design flaw. I might be alone, but I think the vast majority of these exploits could have been prevented if they really put any effort into security. The bottom line is: Instead of trying to 'detect' and 'fight' each viruses individually, you attack their points of entry directly (knocking out hundreds of would-be viruses for each buggy program you shutdown)

c) Have the user run non-root code, which actually trojans password entering programs, and wraps the IO to the real program, while trapping the input. For example, create own su program in ~bin/, change PATH precedence such that ~bin/ proceeds the real su's path (e.g., /sbin, /usr/sbin, etc) Wait till user runs 'su -'

- Possible, and much harder to prevent. But this depends on the user acting in a certain way.

Furthermore, the very nature of the Linux community poses a real obstacle to any viruses success. Whether or not people admit it, Microsoft plays a large contributing role in the success of its many viruses. Where Microsoft is unresponsive to most security problems, the linux community is very responsive. A published virus is likely to result, in a detailed plan of action against future attacks -- Microsoft simply isn't interested in this unless it can be proven that it'd hurt or help their bottom line significantly. Right now, to the best of my knowledge, most common windows exploits either come in shareware type programs (downloaded from some random site on the internet, or from a friend) or they're macroviruses (totally not an issue for linux yet). Linux, of course, is all about sharing software over the internet, as a result programs and code tend to recieve a considerable amount of scrutiny, even if only from 1% of the users (especially if primarly distributed as source). These users, can, and do, in turn, make a stink if something looks foul, making it unlikely to get archived on official sites and what not.

In conclusion, I don't have the time to analyze each and every difference between Linux and Windows; however, the differences between them will make Linux a relatively virus free platform. That being said, I do believe a few linux viruses will emerge pretty soon. Perhaps one or two will really take off, but the rest will fail. After that, the community and vendors at large will mend their ways, and stem the "reproduction" of viruses down to negligible levels.

Contagion

[The+Famous+Brett+Wat]

Boot Viruses are virtually extinct in their pure form. They relied on people booting of floppy disks. Several different floppy disks. The only boot viruses left are file viruses that get their dirty hooks into the boot sector as a means of making sure they are installed. We can ignore this category -- it's dead.

File Viruses are still out there, of course, but not nearly as much as they used to be. A "pure" file virus is one that inserts itself into some other executable (or executables in general). These are less of a problem than they used to be because software is generally obtained off a CD-ROM or remote download site, and viruses can't touch these files (unless the software company or FTP hoster does something really dumb). Not much actual copying of executables off one machine onto another is done anymore, which is how these things spread. Anyone old enough to remember when we used to copy executables as a matter of course? Come on, 'fess up! Gee -- I can remember those quaint old programs which you didn't "install" as such because they consisted of one executable.

Macro Viruses are still big, though. And Microsoft's feature-driven focus will assure that this problem only gets worse. The big problem is that their software is so ubiquitous, making them a big easy target. And they keep doing really dumb stuff. Everything keeps getting more and more "active". They love that word, don't they? "Active" means "I'm a big gaping security hole just waiting to be exploited!" Linux won't have this problem until either Microsoft starts porting their stuff, or we get virus-compatible equivalents, or somehow the marketroids take over Linux software development and we throw all common sense out the window. I mean seriously, if someone actually wrote a mail reader for Linux that was so helpful that it says, "hey -- here's some new mail for you! Let me immediately display it in this window for you! And run this javascript thing in it for you!" -- would anyone use it? Any takers? Maybe if you run it under jail, right?

Trojans on the other hand, have come into their own. I still see the damn Happy '99 trojan wandering around now and then. The trojan that emails itself to everyone in your address book is one of the more popular forms. The great thing about trojans is that they rely on the human to be the weak link, not some software hole that would get closed up the moment it was discovered (or at least would if the software in question was open source). Human stupidity is here to stay! It's going to decrease, but only because people are now growing up with email and learn the tricks at a young age. It is, however, entirely feasible to write a trojan email attachment for Linux. It's not likely to be worth anyone's while, though, because of the small target market and high likelyhood that the user has at least half a clue with regards to this sort of thing. In any case, the user isn't likely to be running an email reader which makes activating the attachment a "double click" operation, and which address book are you going to read?

In summary, I don't see a big target market for viruses here. I think that worms are more likely to be the issue. That, and security holes that get exploited manually. These all come under the banner of cracking, rather than viruses (although worms are a sort of overlap point). Another possibility, as others have suggested, is back-door code being placed in a kernel module or something which explicitly creates an exploitable weakness. We'll see if the "bug-finding is parallelable" principle of Linux development also maps to the finding of deliberate security holes. I think accidental ones are likely to be the real problem, however.

-- The Famous Brett Watson

Re:Head in the sand?.....maybe.....

[Sun+Tzu]

Color me wrong, but why haven't the "half-dozen or so known Linux viruses" been detectable on the virometer yet? Sure, the boom is "coming", but why haven't the viruses that are already here had any success?

Re:An EFFECTIVE Linux virus is very difficult

[QuantumG]

sure.. the same guy who wrote these viruses has written scanners for each of them and is working on a "generic scanner" which detects such things as "entrypoint in the data segment", which he then defeats by overwriting the start of the original entrypoint with a jump to the data segment, etc. It's an arms race of sorts and the first step is to identify the possible techniques.

As for programmers not downloading binaries. There are times when you need a binary because there is no source. If you are downloading the binary from redhat.com, you may think that it is safe but without getting down with the instructions and checking out what it does you can't be certain. Good reverse engineering tools are still lacking and are desperately needed for security purposes. If it is possible for an ordinary user to get infected then it is not a giant leap to see a programmer getting infected and from there it is not difficult to see a distribution getting infected and a whole lot of users getting infected and thus a whole lot of programmers getting infected - especially with most of the linux community being programmers (of one sort or another).

More like...

[DerMarlboro]

rpm -ivh stoned.rpm
Missing dependencies:
glibc6
imlib
virus.so.4

But seriously, we scoff at this because most of us have never had a virus on a linux box. I know I never have, and I don't know anybody who has. But don't let this lull you into a false sense of security. Murphy's law has been proven true over and over and over again.

Linux is a very large and complex system. And as we all know, in any sufficiently complex system, there are bugs. If we get arrogant, those bugs will be exploited.

On a lighter note, the throroughly open nature of linux means that any virus written will be rendered useless in the next patch. But I don't think it's a problem we should ignore until systems are going down left and right.

Diversity is good - don't live in a monoculture ..

[taniwha]

Biologyn teaches us a lot

Bad things to do around visuses:

• Never change
• always use the same software
• encourage monopolies
• don't build up an immune system (security, anti-viral programs)

Good things:

• change often, adapt
• everyone use different software (diversity of distributions, kernels, desktop environments is a VERY good thing)
• security
• actively hunt down stuff in your system that changes unexpectedly
• stay away from those who seem to get infected a lot

You get the idea - M$'s world lives in a monoculture - just like a genetically engineered crop where everything is the same they are prey to that one viral mutation that can wipe out everyone

Hmmm,did anyone notice....

[flyneye]

Using basic powers of observation we can see:
1.This guy is a security consultant,one who makes money off computer users misery.
2.In order to market many products and/or
services a demand must be created if in fact it does not exist.
3.Software is created by people who hold
an interest in creating it,such as an out of work
security clown creating a virus,were it possible.
4.If you take off his diguise of glasses
and that ridiculous wig,you could see we are dealing with Elmer FUD.

Re:Hard to imagine

[BMazurek]

I'm a bit skeptical about this backdoor possibility in official versions of the kernel (or gcc or some other important piece of free s/w). People have been suggesting it for years, but it's never actually happened.

Never actually happened, eh? Taken from the Jargon Dictionary entry for Back Door:

Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler -- so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry -- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

Re:Viruses will come...Free Software isn't ready!

[Felinoid]

I have known profesional programmers and hobbyists and in my view profesionals are MORE likely to write viruses than less likely.

Add to the mix that back doors in software are writen almost exclusivly by profesional programmers working on high end systems.

This is just my point of view but it seems to me that viruses are writen to attack an operating system and/or platform a person dislikes.
A profesional is more likely to have access to a system he dislikes than a hobbyist who would presumably only have the system he likes the most.

Unix admin have long had to use systems they disliked. In some cases a Unix admin prefers one *nix platform but gets stuck with a diffrent *nix platform. He wouldn't write viruses on the companys own system becouse that would get him fired but he would unleash it "into the wild" if posable.
In over 30 years.. with every motivation... and a lot of Unix hobbyists (In casse you prefer to belive viruses only come from hobbyists) a Unix virus is vertually unheard of.

To back up my clame that over the years Unix people are every bit as likely to make viruses as anyone else.. even more so... look at the shear number of trojen hourses writen for Unix. Far outnumbering those for Dos.
There are sevral reasons for that.. One is that Unix people are not worryed about trojens comming back to haunt them sence they run something diffrent at home. If they use computers at home at all.
(Think 30 years ago... the standard admin 1970 used CP/M at home if he had a computer at all.. the standard admin 2000 almost certenly has a server class system at home)

Note shortly after the first Linux virus was uncovered one of the big antivirus companys made a virus scanner for Linux. Then the virus was distoryed rendering the product useless.

There is some Linux antivirus software outthere. They don't do anything useful sence theres no viruses to stop. But some hobbyists are sereous tweeks.
Check out freshmeat and take a look at the antivirus software selection

Hard to imagine

[jw3]

OK, so I'm just a lame biologist, still -- I can't quite imagine how this would happen. I mean, of course you can write viruses for Linux, but to spread them would be very hard. I can only judge from my own case: places where I get software for Linux I can count on the fingers of one hand -- in 95% of the cases, it's a SuSE mirror. Yes, I can imagine some evil-minded soul who tricked SuSE into getting an infected package. But even though I could have been infected then, SuSE would be able to quickly track the virus and submit sufficient patches. This is not Windows world, where you get the programs from your friends or some obscure web pages: usually, programs are distributed much more professionaly than in the case of Windows programs.

Of course, I can imagine worms which trick the users in, for example, executing a shell script which then mails messages using sendmail and ~/Mail, ~/.tinrc, /etc/passwd, etc. However, Unix provides nice means to control the in- and outgoing e-mail, and the root account would be in that case untouchable - I think.

But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out? Say, 2.4.0. Then all the people who download this kernel are vulnerable: the hacker waits till the 2.4 becomes popular, and then spreads the worm for the designed wormhole. Anyway, in that case he would be probably finished...

Well, I don't know. I'm not much of a hacker. But I think that getting a virus is in the case of Linux much less likely then in the case of Windows. And besides -- I haven't seen a virus for Windows ever since 1996 or something, so is there really a thing to worry about?

Regards,

January

As long as MD5, RSA, and PGP sigs remain...

[Netsnipe]

...impossible to counterfeit, then the smarter half of the whole Linux community (who verify packages before installation) should be safe from viruses and trojans. Let's cross our fingers and hope the heavily used mirrors don't let their security down. Perhaps a review board of mirror site security should be establish. Even the most parnoid should be be able to sleep at night knowing that someone checked their mirror before they downloaded that last package.
On the issue of trojans, no one has seemed to have brought up the issue of trojans that could possibly make unannounced changes to source code as it is being compiled. Wouldn't that be harder to detect than a trojan as signatures can't protect uncompressed source? Imagine if your copy of Tripware, Necruss, GnuGP or perhaps even the kernel being comprised at compiliation time, meaning that your security could be comprimised without being able to realise it or detect it until it is too late? Now that's scary.
For the really paranoid, I recommend that you check out Kurt Seifried's extremely comprehensive Linux Administator's Security Guide (aka. LASG) at https://www.seifried.org/lasg/
If followed, it can put anyone's mind at ease.

An EFFECTIVE Linux virus is very difficult

[Goonie]

After all, it's not too terribly hard to write a virus for any computer operating system

That may be the case, but it's pretty damned tough to write an effective virus that will propagate with any efficiency on a Linux box.

I'll first discuss binary viruses, then macro virii, as they are seperate issues. All system-installed programs are owned by root (modulo some daemons and the like owned by administrative account), so to infect "ls" or "emacs" the virus would either have to use some exploit to gain root priviliges, or get itself installed suid root. Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.

What could a virus then do to propagate itself without root priviliges? It could infect any program it had write permissions to - that is, any executable owned by the user, or set group or world writable. Newbies don't tend to have executables that they own, group-writable executables are rare (and not a great idea), and world-writable executables are extremely bad practice. Not much room for propagating there.

Even worse for the virus, binaries don't tend to get shared around much in the Linux community. Binaries tend to get distributed using CD-ROM's, distribution ftp sites, and possibly project ftp sites - none of the rampant floppy-swapping that made the viruses of the 80's and early 90's so prevalent. Nor do Linux email programs allow the blithe execution of binaries as many Windows mailers do.

Therefore, I consider it extremely unlikely that Linux binary virii will be able to propagate effectively.

Macro virii are a different proposition. File permissions are not such a defence here. However, these beasties rely on macro languages which were enabled by default, which allow arbitrary macro code to be executed on loading a document. If auto-executable macros are disabled by default (or banned outright), and macro languages restricted in their power to prevent them altering documents other than the one they are embedded in, the macro virus cannot propagate itself. Why can Linux applications do this readily, while Windows is more restricted? Simple - because the foreknowledge of what has happened in the Windows world is allowing Linux applications to be designed with macro-virus proofing in mind.

In summary, Linux is a damned hard target for virus writers. Next time Mr Garfinkel tries to drum up some business for himself, he might consider doing a little more research.

Re:How to get infected using Linux...

[QuantumG]

hehe.. more like:

calvin:~$ wget http://somesite/pointlessgadget.tgz
calvin:~$ tar -xzvf pointlessgadget.tgz
calvin:~$ cd pointlessgadget
calvin:~$ ./configure
calvin:~$ make
calvin:~$ ./pointlessgadget

"that was boring.. I'm gunna go shoot stuff"

calvin:~$ su
calvin:~$ /usr/leet/leetgame

pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peaked at your psuedoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.

Fiction? You can do it using ptrace. You can read about it here.

Re:Viruses will come...Free Software isn't ready!

[QuantumG]

sticking your head in the sand is no way to defend against "a plague of viruses". Writing viruses is the only way to actively discover how it is possible to defend against them. A lot of linux viruses have already been written by very smart people and most have a scanner written for them too. Every virus developed introduces new information that can be added to a "generic scanner". Open and intelligent discussion of virus techniques is the solution to computer viruses.. on all platforms.. but the corporate antivirus companies dont want you to know that. They want you to subscribe to virus bulletin (a $5000/year subscription) and join the international computer antivirus standards body Caro (to join Caro you must be unaminously voted into Caro by current members. All current members are antivirus companies (or their founders) and have an interest in not voting you in - less competition). Dont let the anti-virus scam continue onto the linux platform. Do some research, address the problems. The most revealing linux virus research can be found at:

http://www.big.net.au/~silvio/

Don't run as root.

[ronfar]

Rick Moen's Comments on this subject and also read this one http://linuxmafia.com/~rick/faq/#virus Basically, the best security against evil binaries (which of course run into the sub-goblins of viruses, worms, Trojan Horses, and the like) is to not run as root.

Of course, the biggest problem is that sometimes you are going to want to run as root, and you are probably going to want to install something while su'd to root. (It is wishful thinking to expect this not to happen. Someday there is going to be a really cool game for download in binary form that has a pop-up Window which says "enter root password" which may then turn out to be a trojan.)

My experience with virus checkers is that they don't work. I had a trojan eat an old Win95 machine of mine once, and the fact that it was running Norton's Anti-virus didn't help. However, Linux has more built in security against malicious actions than Win* systems, so I'm not expecting to see "a plague of Linux viruses."

How to get infected using Linux...

[ralmeida]

calvin:~$ wget http://somesite/happy99.tar.gz
calvin:~$ tar zxf happy9.tar.gz
calvin:~$ cd happy99
calvin:~$ ./configure
calvin:~$ make
calvin:~$ su
calvin:~$ make install
calvin:~$ exit
calvin:~$ happy99
You must be root to run this program
calvin:~$ su
calvin:~$ happy99
(ops!)

Re:How to get infected using Linux...

[rcw-home]

You can't ptrace setuid processes, and if you ptrace the parent bash process, you don't get the keystrokes from the su process.

Viruses will come...Free Software isn't ready!

[nullity]

Most Linux users have no traditional Unix sysadmin, or user experience behind them. Traditionally the difficulty alone of installing Linux served as a sort of filter against immoral users engineering viruses. If you've ever administered a real system, or know of people who do, you're very unlikely to write a virus (unless you really have issues!).

I suspect that a rash of Linux viruses will come not from an economic depression (though that could certainley cause it too...think Russia), but from the midst of the masses migrating to Linux. While virtually everyone installing Linux, from "script kiddies" to Windows NT converts are scrupulous...you are bound to get a higher percentage of people who would be willing to write a virus.

Now granted, more of these people are incapable of programming such an entity compared with old Unix hands...but where there's a will there's a way. Somebody is bound to kludge together (or even finely tune, you never know) a series of downloaded hacks (hey! free source code!), and write a little code of their own...voila! Microwave virus. And it only takes one good virus to cause serious issues. Particularly because these things almost always encourage copy-cat crime. Odds are we'll see a rash of viruses any time now - whether the economy is strong or not.

Want to believe that even without a high "activiation energy" (ie the work and knowledge to install Linux) the pool of users will remain "clean"? One only has to look at Amateur Radio for a counter-example. For a long time proficieny with Morse Code was required to obtain a license. Now this may not seem like much of a barrier...but it was. When the "No-Code" license was introduced a wave of new radio operators began coming on the air. Now I don't dispute the overall effects of the new license, I think most agree they were good overall. No sense keeping a good thing to an "elite" group of people. But there was one strong negative effect - the introduction of a few, er, less than choice individuals.

Did such individuals exist in the "old world"? Well, yes. But they were a much lower percentage. Now radio had to deal with irritating interuptions and people refusing to follow protocol. A small loss, but many repeaters (stations that retransmit a weak signal) were unprepared and were abused as a result. Protection mechanisms were instituted, but it often took some months during which time a repeater was far less useful.

The long and short is that a company like Symantec (Norton) might find it worthwhile to have a Linux offering prepared. No use deploying it (well, not with scruples at least - I'm sure some morons will bite) until viruses exist. But when they do come, and I bet they will, that company will have a big lead. Other companies would probably take several months to a year to produce. By that time one could really corner the market. Linux users win, some lucky company wins (hopefuly whoever wrote the #*$&#*$&* virus shrivels up and dies). Yay!

I think few of us familiar with the sort of hacks we deploy on our systems, the sort of tricks a *nix system can perform...would deny the feasibility of writing a virus. To do so would be...naive. Now that I think of it, though I realize acting before the fact isn't the strength of the free software community, it would probably be good to begin working on a feasible free program soon. Hope we never would have to use it...but... It would be bad, bad, BAD for Linux systems to be crippled for 5 months, admins cowering in fear, because of a rash of viruses. That would take major PR recovery...and Linux really isn't that strong. Remember, the media likes biting those it adored mere months ago. Makes for good news.

-nullity-

I am nothing.