Slashdot Mirror


Garfinkel Warns Of Linux Virus "Epidemic"

An anonymous coward says: "Simson Garfinkel has an opinion piece at SecurityFocus called "The Coming Linux Plague." He argues that Linux is no less susceptible to viruses than Windows, and that an epidemic is inevitable." I'm sure most of us have read his books. What do you think of this commentary?

7 of 432 comments

  1. An EFFECTIVE Linux virus is very difficult by Goonie · · Score: 5
    After all, it's not too terribly hard to write a virus for any computer operating system

    That may be the case, but it's pretty damned tough to write an effective virus that will propagate with any efficiency on a Linux box.

    I'll first discuss binary viruses, then macro virii, as they are separate issues. All system-installed programs are owned by root (modulo some daemons and the like owned by administrative accounts), so to infect "ls" or "emacs" the virus would either have to use some exploit to gain root privileges, or get itself installed suid root. Root exploits tend to get closed, pronto. Whilst newbies wouldn't check to see if a program installed itself suid root, experienced users would, and would let the world know if a paint program from www.reallycoolsoftware.com was installing itself suid root for no good reason. So propagation by infecting system software would be pretty damn difficult.

    What could a virus then do to propagate itself without root privileges? It could infect any program it had write permissions to - that is, any executable owned by the user, or set group or world writable. Newbies don't tend to have executables that they own, group-writable executables are rare (and not a great idea), and world-writable executables are extremely bad practice. Not much room for propagating there.

    Even worse for the virus, binaries don't tend to get shared around much in the Linux community. Binaries tend to get distributed using CD-ROMs, distribution ftp sites, and possibly project ftp sites - none of the rampant floppy-swapping that made the viruses of the 80's and early 90's so prevalent. Nor do Linux email programs allow the blithe execution of binaries as many Windows mailers do.

    Therefore, I consider it extremely unlikely that Linux binary virii will be able to propagate effectively.

    Macro virii are a different proposition. File permissions are not such a defence here. However, these beasties rely on macro languages which were enabled by default, which allow arbitrary macro code to be executed on loading a document. If auto-executable macros are disabled by default (or banned outright), and macro languages restricted in their power to prevent them altering documents other than the one they are embedded in, the macro virus cannot propagate itself. Why can Linux applications do this readily, while Windows is more restricted? Simple - because the foreknowledge of what has happened in the Windows world is allowing Linux applications to be designed with macro-virus proofing in mind.

    In summary, Linux is a damned hard target for virus writers. Next time Mr Garfinkel tries to drum up some business for himself, he might consider doing a little more research.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
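The audit Goonie describes (looking for executables a non-root virus could overwrite, and for programs that installed themselves set-uid) as an added shell example; it is not part of the Slashdot thread. Directory name, tags and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory tree for the two
# things a careful user checks after installing new software.
#   WRITABLE  executable that group or others may overwrite (a virus running
#             without root could replace it with an infected copy)
#   SUID      file with the set-uid bit; dangerous when owned by root
# Usage: audit_execs DIR   -> one finding per line: "TAG path"
audit_execs() {
    dir="$1"
    # Executable by someone, and writable by group or by others.
    find "$dir" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        \( -perm -0020 -o -perm -0002 \) \
        -exec sh -c 'printf "WRITABLE %s\n" "$1"' _ {} \;
    # Set-uid bit present; the owner is printed so root-owned ones stand out.
    find "$dir" -type f -perm -4000 \
        -exec sh -c 'printf "SUID %s owner=%s\n" "$1" "$(ls -ld "$1" | awk "{print \$3}")"' _ {} \;
}

# Constructed sample tree so the audit can be exercised offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\necho safe\n'   > "$d/bin/safe"
    chmod 755 "$d/bin/safe"          # normal: only the owner may write it
    printf '#!/bin/sh\necho gadget\n' > "$d/bin/gadget"
    chmod 777 "$d/bin/gadget"        # world-writable executable: bad practice
    printf '#!/bin/sh\necho tool\n'   > "$d/bin/tool"
    chmod 775 "$d/bin/tool"          # group-writable executable: rare, not ideal
    printf '#!/bin/sh\necho setuid\n' > "$d/bin/helper"
    chmod 4755 "$d/bin/helper"       # installed itself set-uid: worth a look
    echo "$d"
}

# Number of findings carrying a given tag (WRITABLE or SUID).
count_findings() {
    audit_execs "$1" | grep -c "^$2 " || true
}
```

On a real system the same function can be pointed at /usr/local/bin or a freshly unpacked package directory; anything tagged WRITABLE or SUID that the package has no good reason for is the signal Goonie says experienced users act on.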
  2. Re:How to get infected using Linux... by QuantumG · · Score: 5

    hehe.. more like:

    calvin:~$ wget http://somesite/pointlessgadget.tgz
    calvin:~$ tar -xzvf pointlessgadget.tgz
    calvin:~$ cd pointlessgadget
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ ./pointlessgadget

    "that was boring.. I'm gunna go shoot stuff"

    calvin:~$ su
    calvin:~$ /usr/leet/leetgame

    pointlessgadget was infected with a virus.. when you ran the virus it infected every one of your running processes, including your shell. You su'd to root and it peeked at your pseudoterminal to snarf the root password. It then su'd to root and infected every running process on the machine. You then ran leetgame and the virus infected it. Next you'll probably run 'ls' and then it's all over.

    Fiction? You can do it using ptrace. You can read about it here.

    --
    How we know is more important than what we know.
  3. Re:Viruses will come...Free Software isn't ready! by QuantumG · · Score: 5

    sticking your head in the sand is no way to defend against "a plague of viruses". Writing viruses is the only way to actively discover how it is possible to defend against them. A lot of linux viruses have already been written by very smart people and most have a scanner written for them too. Every virus developed introduces new information that can be added to a "generic scanner". Open and intelligent discussion of virus techniques is the solution to computer viruses.. on all platforms.. but the corporate antivirus companies don't want you to know that. They want you to subscribe to virus bulletin (a $5000/year subscription) and join the international computer antivirus standards body Caro (to join Caro you must be unanimously voted into Caro by current members. All current members are antivirus companies (or their founders) and have an interest in not voting you in - less competition). Don't let the anti-virus scam continue onto the linux platform. Do some research, address the problems. The most revealing linux virus research can be found at:

    http://www.big.net.au/~silvio/

    --
    How we know is more important than what we know.
  4. Don't run as root. by ronfar · · Score: 5
    Rick Moen's Comments on this subject and also read this one http://linuxmafia.com/~rick/faq/#virus Basically, the best security against evil binaries (which of course run into the sub-goblins of viruses, worms, Trojan Horses, and the like) is to not run as root.

    Of course, the biggest problem is that sometimes you are going to want to run as root, and you are probably going to want to install something while su'd to root. (It is wishful thinking to expect this not to happen. Someday there is going to be a really cool game for download in binary form that has a pop-up Window which says "enter root password" which may then turn out to be a trojan.)

    My experience with virus checkers is that they don't work. I had a trojan eat an old Win95 machine of mine once, and the fact that it was running Norton's Anti-virus didn't help. However, Linux has more built in security against malicious actions than Win* systems, so I'm not expecting to see "a plague of Linux viruses."

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
  5. How to get infected using Linux... by ralmeida · · Score: 5

    calvin:~$ wget http://somesite/happy99.tar.gz
    calvin:~$ tar zxf happy99.tar.gz
    calvin:~$ cd happy99
    calvin:~$ ./configure
    calvin:~$ make
    calvin:~$ su
    calvin:~$ make install
    calvin:~$ exit
    calvin:~$ happy99
    You must be root to run this program
    calvin:~$ su
    calvin:~$ happy99
    (ops!)

    --
    This space left intentionally blank.
    1. Re:How to get infected using Linux... by rcw-home · · Score: 5

      You can't ptrace setuid processes, and if you ptrace the parent bash process, you don't get the keystrokes from the su process.

  6. Viruses will come...Free Software isn't ready! by nullity · · Score: 5

    Most Linux users have no traditional Unix sysadmin, or user experience behind them. Traditionally the difficulty alone of installing Linux served as a sort of filter against immoral users engineering viruses. If you've ever administered a real system, or know of people who do, you're very unlikely to write a virus (unless you really have issues!).

    I suspect that a rash of Linux viruses will come not from an economic depression (though that could certainly cause it too...think Russia), but from the midst of the masses migrating to Linux. While virtually everyone installing Linux, from "script kiddies" to Windows NT converts, is scrupulous...you are bound to get a higher percentage of people who would be willing to write a virus.

    Now granted, more of these people are incapable of programming such an entity compared with old Unix hands...but where there's a will there's a way. Somebody is bound to kludge together (or even finely tune, you never know) a series of downloaded hacks (hey! free source code!), and write a little code of their own...voila! Microwave virus. And it only takes one good virus to cause serious issues. Particularly because these things almost always encourage copy-cat crime. Odds are we'll see a rash of viruses any time now - whether the economy is strong or not.

    Want to believe that even without a high "activation energy" (i.e. the work and knowledge to install Linux) the pool of users will remain "clean"? One only has to look at Amateur Radio for a counter-example. For a long time proficiency with Morse Code was required to obtain a license. Now this may not seem like much of a barrier...but it was. When the "No-Code" license was introduced a wave of new radio operators began coming on the air. Now I don't dispute the overall effects of the new license, I think most agree they were good overall. No sense keeping a good thing to an "elite" group of people. But there was one strong negative effect - the introduction of a few, er, less than choice individuals.

    Did such individuals exist in the "old world"? Well, yes. But they were a much lower percentage. Now radio had to deal with irritating interruptions and people refusing to follow protocol. A small loss, but many repeaters (stations that retransmit a weak signal) were unprepared and were abused as a result. Protection mechanisms were instituted, but it often took some months during which time a repeater was far less useful.

    The long and short is that a company like Symantec (Norton) might find it worthwhile to have a Linux offering prepared. No use deploying it (well, not with scruples at least - I'm sure some morons will bite) until viruses exist. But when they do come, and I bet they will, that company will have a big lead. Other companies would probably take several months to a year to produce. By that time one could really corner the market. Linux users win, some lucky company wins (hopefully whoever wrote the #*$&#*$&* virus shrivels up and dies). Yay!

    I think few of us familiar with the sort of hacks we deploy on our systems, the sort of tricks a *nix system can perform...would deny the feasibility of writing a virus. To do so would be...naive. Now that I think of it, though I realize acting before the fact isn't the strength of the free software community, it would probably be good to begin working on a feasible free program soon. Hope we never would have to use it...but... It would be bad, bad, BAD for Linux systems to be crippled for 5 months, admins cowering in fear, because of a rash of viruses. That would take major PR recovery...and Linux really isn't that strong. Remember, the media likes biting those it adored mere months ago. Makes for good news.

    -nullity-

    I am nothing.