Slashdot Mirror


Garfinkel Warns Of Linux Virus "Epidemic"

An anonymous coward says: "Simson Garfinkel has an opinion piece at SecurityFocus called "The Coming Linux Plague." He argues that Linux is no less susceptible to viruses than Windows, and that an epidemic is inevitable." I'm sure most of us have read his books. What do you think of this commentary?

10 of 432 comments

  1. Re:Viruses will come...Free Software isn't ready! by Felinoid · · Score: 4

    I have known professional programmers and hobbyists and in my view professionals are MORE likely to write viruses than less likely.

    Add to the mix that back doors in software are written almost exclusively by professional programmers working on high end systems.

    This is just my point of view but it seems to me that viruses are written to attack an operating system and/or platform a person dislikes.
    A professional is more likely to have access to a system he dislikes than a hobbyist who would presumably only have the system he likes the most.

    Unix admins have long had to use systems they disliked. In some cases a Unix admin prefers one *nix platform but gets stuck with a different *nix platform. He wouldn't write viruses on the company's own system because that would get him fired but he would unleash it "into the wild" if possible.
    In over 30 years.. with every motivation... and a lot of Unix hobbyists (In case you prefer to believe viruses only come from hobbyists) a Unix virus is virtually unheard of.

    To back up my claim that over the years Unix people are every bit as likely to make viruses as anyone else.. even more so... look at the sheer number of trojan horses written for Unix. Far outnumbering those for DOS.
    There are several reasons for that.. One is that Unix people are not worried about trojans coming back to haunt them since they run something different at home. If they use computers at home at all.
    (Think 30 years ago... the standard admin in 1970 used CP/M at home if he had a computer at all.. the standard admin in 2000 almost certainly has a server class system at home)

    Note shortly after the first Linux virus was uncovered one of the big antivirus companies made a virus scanner for Linux. Then the virus was destroyed, rendering the product useless.

    There is some Linux antivirus software out there. They don't do anything useful since there's no viruses to stop. But some hobbyists are serious tweakers.
    Check out freshmeat and take a look at the antivirus software selection.

    --
    I don't actually exist.
  2. Hard to imagine by jw3 · · Score: 4
    OK, so I'm just a lame biologist, still -- I can't quite imagine how this would happen. I mean, of course you can write viruses for Linux, but to spread them would be very hard. I can only judge from my own case: places where I get software for Linux I can count on the fingers of one hand -- in 95% of the cases, it's a SuSE mirror. Yes, I can imagine some evil-minded soul who tricked SuSE into getting an infected package. But even though I could have been infected then, SuSE would be able to quickly track the virus and submit sufficient patches. This is not the Windows world, where you get the programs from your friends or some obscure web pages: usually, programs are distributed much more professionally than in the case of Windows programs.

    Of course, I can imagine worms which trick the users in, for example, executing a shell script which then mails messages using sendmail and ~/Mail, ~/.tinrc, /etc/passwd, etc. However, Unix provides nice means to control the in- and outgoing e-mail, and the root account would be in that case untouchable - I think.

    But how about some evil-minded hacker (yes, you read it right: hacker, not cracker), who contributes for example to the kernel effort, and installs somewhere in an obscure driver a nice backdoor, and waits till a new major stable version of Linux comes out? Say, 2.4.0. Then all the people who download this kernel are vulnerable: the hacker waits till the 2.4 becomes popular, and then spreads the worm for the designed wormhole. Anyway, in that case he would be probably finished...

    Well, I don't know. I'm not much of a hacker. But I think that getting a virus is in the case of Linux much less likely than in the case of Windows. And besides -- I haven't seen a virus for Windows ever since 1996 or something, so is there really a thing to worry about?

    Regards,

    January

  3. As long as MD5, RSA, and PGP sigs remain... by Netsnipe · · Score: 4

    ...impossible to counterfeit, then the smarter half of the whole Linux community (who verify packages before installation) should be safe from viruses and trojans. Let's cross our fingers and hope the heavily used mirrors don't let their security down. Perhaps a review board of mirror site security should be established. Even the most paranoid should be able to sleep at night knowing that someone checked their mirror before they downloaded that last package.
    On the issue of trojans, no one seems to have brought up the issue of trojans that could possibly make unannounced changes to source code as it is being compiled. Wouldn't that be harder to detect than a trojan, as signatures can't protect uncompressed source? Imagine your copy of Tripwire, Nessus, GnuPG or perhaps even the kernel being compromised at compilation time, meaning that your security could be compromised without being able to realise it or detect it until it is too late? Now that's scary.
    For the really paranoid, I recommend that you check out Kurt Seifried's extremely comprehensive Linux Administrator's Security Guide (aka. LASG) at https://www.seifried.org/lasg/
    If followed, it can put anyone's mind at ease.

    --
    -- "I can't tell the future, I just work there." -- The Doctor
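    The "verify packages before installation" step Netsnipe relies on, applied to the wget/tar/configure/make sequence quoted elsewhere in this thread, as an added example that is not from the thread or any of its posters: a shell function that checks a downloaded tarball against its published checksum and then reads the archive listing for setuid/setgid entries or paths that escape the unpack directory before anything is extracted. It assumes GNU coreutils and GNU tar, uses SHA-256 rather than the MD5 the comment names (MD5 is no longer collision-resistant), and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Refuse to unpack a downloaded
# tarball unless (1) its checksum matches the published value and (2) the
# archive listing shows no setuid/setgid files and no absolute or ".."
# paths. Assumes GNU coreutils (sha256sum) and GNU tar.
#
# Usage: verify_tarball ARCHIVE CHECKSUM_FILE
#   CHECKSUM_FILE is in sha256sum format ("<hex>  <filename>"), as
#   published next to a release. Run it from the download directory,
#   because sha256sum resolves the name in the checksum file relative
#   to the current directory. Returns 0 only if the archive passed.
verify_tarball() {
    archive=$1
    sums=$2

    # 1. Published checksum must match; --status keeps it silent and
    #    reports only through the exit code.
    if ! sha256sum --check --status "$sums"; then
        echo "checksum mismatch for $archive: refusing to unpack" >&2
        return 1
    fi

    # 2. Inspect the listing without extracting. Column 1 is the mode
    #    string (an 's' or 'S' there means setuid/setgid); the last
    #    column is the member path.
    listing=$(tar -tzvf "$archive") || return 1
    if printf '%s\n' "$listing" | awk '{print $1}' | grep -q '[sS]'; then
        echo "$archive contains setuid/setgid entries: refusing to unpack" >&2
        return 1
    fi
    if printf '%s\n' "$listing" | awk '{print $NF}' \
            | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "$archive has absolute or parent-directory paths: refusing" >&2
        return 1
    fi
    return 0
}
```

A clean archive with a matching checksum passes; a tampered archive fails at step 1 even if it is otherwise harmless, and an archive that would drop a setuid file fails at step 2 even when its checksum is correct.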
  4. An EFFECTIVE Linux virus is very difficult by Goonie · · Score: 5
    After all, it's not too terribly hard to write a virus for any computer operating system

    That may be the case, but it's pretty damned tough to write an effective virus that will propagate with any efficiency on a Linux box.

    I'll first discuss binary viruses, then macro virii, as they are separate issues. All system-installed programs are owned by root (modulo some daemons and the like owned by administrative accounts), so to infect "ls" or "emacs" the virus would either have to use some exploit to gain root privileges, or get itself installed suid root. Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.

    What could a virus then do to propagate itself without root privileges? It could infect any program it had write permissions to - that is, any executable owned by the user, or set group or world writable. Newbies don't tend to have executables that they own, group-writable executables are rare (and not a great idea), and world-writable executables are extremely bad practice. Not much room for propagating there.

    Even worse for the virus, binaries don't tend to get shared around much in the Linux community. Binaries tend to get distributed using CD-ROM's, distribution ftp sites, and possibly project ftp sites - none of the rampant floppy-swapping that made the viruses of the 80's and early 90's so prevalent. Nor do Linux email programs allow the blithe execution of binaries as many Windows mailers do.

    Therefore, I consider it extremely unlikely that Linux binary virii will be able to propagate effectively.

    Macro virii are a different proposition. File permissions are not such a defence here. However, these beasties rely on macro languages which were enabled by default, which allow arbitrary macro code to be executed on loading a document. If auto-executable macros are disabled by default (or banned outright), and macro languages restricted in their power to prevent them altering documents other than the one they are embedded in, the macro virus cannot propagate itself. Why can Linux applications do this readily, while Windows is more restricted? Simple - because the foreknowledge of what has happened in the Windows world is allowing Linux applications to be designed with macro-virus proofing in mind.

    In summary, Linux is a damned hard target for virus writers. Next time Mr Garfinkel tries to drum up some business for himself, he might consider doing a little more research.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
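    Goonie's argument rests on two conditions: a virus without root can only infect executables the user can write to, and its route to more is getting something installed suid root. As an added example that is not part of the thread, here is a small audit that lists exactly those two things in a directory tree so an admin can confirm neither shows up where it shouldn't. It assumes GNU find (for `-perm /mode`); the tree path is whatever the caller passes.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit a tree for the two
# conditions in Goonie's argument: executables that group or others can
# write to (what a non-root virus could infect) and setuid/setgid files
# (what would hand it more privilege). Assumes GNU find.

# Regular files with any execute bit AND any group/other write bit.
# One path per line, sorted for stable diffs against a previous run.
writable_executables() {
    find "$1" -type f -perm /0111 -perm /0022 -print | sort
}

# Regular files carrying the setuid (4000) or setgid (2000) bit.
setuid_files() {
    find "$1" -type f -perm /6000 -print | sort
}

# Run both checks and print what was found. Returns 1 when anything
# turned up, so it can drive a cron job or a login-time warning.
audit_tree() {
    found=0
    w=$(writable_executables "$1")
    s=$(setuid_files "$1")
    if [ -n "$w" ]; then
        echo "group/world-writable executables under $1:"
        echo "$w"
        found=1
    fi
    if [ -n "$s" ]; then
        echo "setuid/setgid files under $1:"
        echo "$s"
        found=1
    fi
    return $found
}
```

Comparing the setuid list with what the distribution's packages are expected to ship is the check Goonie describes experienced users doing by hand when a new program turns up suid root.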
  5. Re:How to get infected using Linux... by QuantumG · · Score: 5

    hehe.. more like:

    calvin:~$ wget http://somesite/pointlessgadget.tgz
    calvin:~$ tar -xzvf pointlessgadget.tgz
    calvin:~$ cd pointlessgadget
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ ./pointlessgadget

    "that was boring.. I'm gunna go shoot stuff"

    calvin:~$ su
    calvin:~$ /usr/leet/leetgame

    pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peeked at your pseudoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.

    Fiction? You can do it using ptrace. You can read about it here.

    --
    How we know is more important than what we know.
  6. Re:Viruses will come...Free Software isn't ready! by QuantumG · · Score: 5

    Sticking your head in the sand is no way to defend against "a plague of viruses". Writing viruses is the only way to actively discover how it is possible to defend against them. A lot of Linux viruses have already been written by very smart people and most have a scanner written for them too. Every virus developed introduces new information that can be added to a "generic scanner". Open and intelligent discussion of virus techniques is the solution to computer viruses.. on all platforms.. but the corporate antivirus companies don't want you to know that. They want you to subscribe to Virus Bulletin (a $5000/year subscription) and join the international computer antivirus standards body Caro (to join Caro you must be unanimously voted into Caro by current members. All current members are antivirus companies (or their founders) and have an interest in not voting you in - less competition). Don't let the anti-virus scam continue onto the Linux platform. Do some research, address the problems. The most revealing Linux virus research can be found at:

    http://www.big.net.au/~silvio/

    --
    How we know is more important than what we know.
  7. Don't run as root. by ronfar · · Score: 5
    Read Rick Moen's comments on this subject, and also read this one: http://linuxmafia.com/~rick/faq/#virus Basically, the best security against evil binaries (which of course run into the sub-goblins of viruses, worms, Trojan Horses, and the like) is to not run as root.

    Of course, the biggest problem is that sometimes you are going to want to run as root, and you are probably going to want to install something while su'd to root. (It is wishful thinking to expect this not to happen. Someday there is going to be a really cool game for download in binary form that has a pop-up Window which says "enter root password" which may then turn out to be a trojan.)

    My experience with virus checkers is that they don't work. I had a trojan eat an old Win95 machine of mine once, and the fact that it was running Norton's Anti-virus didn't help. However, Linux has more built-in security against malicious actions than Win* systems, so I'm not expecting to see "a plague of Linux viruses."

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
  8. How to get infected using Linux... by ralmeida · · Score: 5

    calvin:~$ wget http://somesite/happy99.tar.gz
    calvin:~$ tar zxf happy99.tar.gz
    calvin:~$ cd happy99
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ su
    calvin:~$ make install
    calvin:~$ exit
    calvin:~$ happy99
    You must be root to run this program
    calvin:~$ su
    calvin:~$ happy99
    (ops!)

    --
    This space left intentionally blank.
    1. Re:How to get infected using Linux... by rcw-home · · Score: 5

      You can't ptrace setuid processes, and if you ptrace the parent bash process, you don't get the keystrokes from the su process.

  9. Viruses will come...Free Software isn't ready! by nullity · · Score: 5

    Most Linux users have no traditional Unix sysadmin, or user experience behind them. Traditionally the difficulty alone of installing Linux served as a sort of filter against immoral users engineering viruses. If you've ever administered a real system, or know of people who do, you're very unlikely to write a virus (unless you really have issues!).

    I suspect that a rash of Linux viruses will come not from an economic depression (though that could certainly cause it too...think Russia), but from the midst of the masses migrating to Linux. While virtually everyone installing Linux, from "script kiddies" to Windows NT converts, is scrupulous...you are bound to get a higher percentage of people who would be willing to write a virus.

    Now granted, more of these people are incapable of programming such an entity compared with old Unix hands...but where there's a will there's a way. Somebody is bound to kludge together (or even finely tune, you never know) a series of downloaded hacks (hey! free source code!), and write a little code of their own...voila! Microwave virus. And it only takes one good virus to cause serious issues. Particularly because these things almost always encourage copy-cat crime. Odds are we'll see a rash of viruses any time now - whether the economy is strong or not.

    Want to believe that even without a high "activation energy" (ie the work and knowledge to install Linux) the pool of users will remain "clean"? One only has to look at Amateur Radio for a counter-example. For a long time proficiency with Morse Code was required to obtain a license. Now this may not seem like much of a barrier...but it was. When the "No-Code" license was introduced a wave of new radio operators began coming on the air. Now I don't dispute the overall effects of the new license, I think most agree they were good overall. No sense keeping a good thing to an "elite" group of people. But there was one strong negative effect - the introduction of a few, er, less than choice individuals.

    Did such individuals exist in the "old world"? Well, yes. But they were a much lower percentage. Now radio had to deal with irritating interruptions and people refusing to follow protocol. A small loss, but many repeaters (stations that retransmit a weak signal) were unprepared and were abused as a result. Protection mechanisms were instituted, but it often took some months, during which time a repeater was far less useful.

    The long and short is that a company like Symantec (Norton) might find it worthwhile to have a Linux offering prepared. No use deploying it (well, not with scruples at least - I'm sure some morons will bite) until viruses exist. But when they do come, and I bet they will, that company will have a big lead. Other companies would probably take several months to a year to produce one. By that time one could really corner the market. Linux users win, some lucky company wins (hopefully whoever wrote the #*$&#*$&* virus shrivels up and dies). Yay!

    I think few of us familiar with the sort of hacks we deploy on our systems, the sort of tricks a *nix system can perform...would deny the feasibility of writing a virus. To do so would be...naive. Now that I think of it, though I realize acting before the fact isn't the strength of the free software community, it would probably be good to begin working on a feasible free program soon. Hope we never would have to use it...but... It would be bad, bad, BAD for Linux systems to be crippled for 5 months, admins cowering in fear, because of a rash of viruses. That would take major PR recovery...and Linux really isn't that strong. Remember, the media likes biting those it adored mere months ago. Makes for good news.

    -nullity-

    I am nothing.