Slashdot Mirror
The Short Life And Hard Times Of A Linux Virus
Sun Tzu writes, "There are several reasons for the non-issue of the Linux virus. Most of those reasons a Linux user would already be familiar with, but there is one, all important, reason that a student of evolution or zoology would also appreciate ... The article is at sitereview.org. "
root is always expected to be UID 0. None of the code I've looked at ever does a check for this (with getpwnam() or whatever) but just assumes this is a fact. So there's quite a bit of hardcoded stuff as far as that's concerned (grep for 'setuid (0);' and see how often that comes up...).
Anyway, a virus doesn't need root access to propagate, it just needs to propagate *somewhere*, whether that's your files, or some other user's files, or even over the network.
A lot of people here seem to believe that Unix file permissons will greatly hamper a potential virus, but this is dubious in the case of the typical Linux installation (ie, a user's desktop machine). Quite a bit of Linux users actually administer their own machine, and thus tend to switch around between UID's (with 'su'). If a virus is written with the capability of watching for and acquiring passwords (as the user types them), then file permissions are no longer a barrier.
--Chouser
--Chouser
"To stay young requires unceasing cultivation of the ability to unlearn old falsehoods." -LL
But this wasn't my main point. I will concede that 1) mutt has more holes that I'm aware of, and 2) my system is suseptible to much more than just strict "Melissa-style" viri. My main point, however, was how tempting it is to build holes into higher-level apps. I suspect that security is a significant concern in most open-source network and operating system projects. But I'm afraid that high-level application projects, such as Office clones, tend to not worry about security much. It's for this reason that I bothered posting at all -- we need to make sure that newbie-targetted "productivity" apps don't come with huge holes built in.
--Chouser
--Chouser
"To stay young requires unceasing cultivation of the ability to unlearn old falsehoods." -LL
Being root most of the time while using a unix system is a Bad Thing. Having a unix system with only a root user (and no 'normal' users) is a Very Bad Thing.
I have installed both RedHat 6.1 and RedHat 6.2 beta a couple of times each in the last few months. Therefore I'm quite aware of how the installation procedure goes. As I said in my last post, RedHat makes it unhappy for a newbie user to do the Bad Things named in the above paragraph.
This means that I am happy about what RedHat has done with their installation procedure -- I think it is a Good Thing.
--Chouser
--Chouser
"To stay young requires unceasing cultivation of the ability to unlearn old falsehoods." -LL
>RedHat's installation procedure makes it difficult to get started
>without creating a normal user account, and makes it uncomfortable to
>use a root account for normal work. I don't have any proof that Linux
>installations are as often or more often set up correctly than most
>Unices, but I don't have much reason to believe the contrary.
This changed with RedHat 6.1. You create a user account along with the root account during the install process. If you're going to slam Redhat for something at least bother finding out something about it first.
Or are you suggesting that one do this on the RPMS directory on the CD? What if one does not want to install all of the packages on the CD? What if one does not even have a CD?
Furthermore, why would you use "--force --nodeps" to begin with? The only legitimate use I can think of for that (in the absence of broken packages) is if the dependencies were met in a way that rpm does not know about, such as installing RPMs on a Debian system, or software that was compiled from source.
How are either of these methods simpler than just typing "apt-get install <list-of-packages-you-want>"?
--
Try Debian and apt-get.
--
No, on my distro (Debian 2.1) the su command alters PATH even when not run with the '-'. (I checked it out before I wrote the post above.)
--
An esoteric scratched itch:
Homeworld Map Maker Tool
because a virus run as non-root can probably only write somewhere within the home directory tree of the user (~ or ~/bin, etc.). The su (and similar) commands alter the PATH environment variable to point to only known good (secure) system executable directories, and to specifically exclude '.' from the path. (That's why you have to say ./cmd to run cmd in your current dir while you are su'ing). It guarentees that the version of 'ls' that you invoke is /bin/ls and not the possibly viral /home/luser/ls.
--
An esoteric scratched itch:
Homeworld Map Maker Tool
The article keeps the assumption that a Linux virus must (like on Windows) infect binaries. This isnt true, it could as well copy itself into some place of the user's home directory (for example, somewhere deep in the ~/.netscape directory) and then start itself from a file like .profile, .bashrc or .xsession, assuming that the naive user will never look at them.
Affecting a binary doesnt make sense on Linux, as users almost never distribute them directly - if they distribute software, they send source-tarballs, RPMs or DEBs. And the RPMs are the real weakness: a virus could infect the RPM to spread itself. The solution for this problem would be the use of digital signatures.
The only reason the install process should need root access would be to write to /usr/local/bin and /usr/local/lib, or whatever.
These directories could (should, IMO) belong to some other UID, like apps. In this case the install would only need the permissions of that UID.
This would limit the damage that a virus could do to wiping out the applications you have installed, but not being able to touch the base install.
The distributions should be putting more focus on setting up stuff like this. There should be intermediate security levels instead of just user and root.
Your mak example is a jake. It is nothing like a viruses. it is not a infected file is just a bad program. Ferthere not only would it quickly be ditected it would only effect the retivitly small (and becoming smaller) number of users who aculy compile there programs instead of just using a package. (packeages have check sums and could, and should, be signed to prevent infection on them; as well as the fact that most people get packages of CD's)
> install: rm -rf /
> Is this not a virus?
I would call it a Trojan. One of the purposes of a virus is to spread itself. This would have been detected the first time someone did a make install. If it instead infected all Makefiles on your system with itself I would call it a virus.
Well, when I run make -n on software, I'm actually not looking for boldfaced 'rm -rf /' commands anyway...I'm looking at things like what libraries the thing is building, directories that it proposes to install in, and stuff like that. If I were searching for a deeply nested 'rm -rf /' in a suspicious makefile, I would not resort to 'make -n' to find it. I would put a wrapper around 'rm' and trap the call.
But, there you go. 'Suspicious makefile?' Since when? As another poster pointed out, if somebody tried to slip a mickey like that through the distribution system, it would get pulled from freshmeat immediately. It only has to crash a couple of victims, and the word is out.
Paranoia is useful, and in my business, it's a job qualification. But, as you mentioned, we can't manually verify everything. So if paranoia is not to become paralysis, what do we do?
"We can check if we really want to" is actually a mighty shield, one which is really only available to open source users. There may be an ambiguity lurking in your statement of this principle. "We" do check everything...I don't personally do it, but it is done all the same, by the community.
Do you remember the tcpwrapper flap? Somebody posted a patch to the code at a primary source site (U. of Eindhoven, was it?) which snagged security info and mailed it to a Hotmail account. That was discovered in short order, and the news was everywhere. The crocked tcpwrapper was pulled, the Hotmail account was canned, and everybody was agog for maybe 2 weeks. "How could something like that happen in Open Source!" But, you know, that whole affair provided a demonstration of the hostile environment that open source software provides to malicious code, whether it be a virus, a bomb, or a trojan.
No, you don't want to blithely trust everything, but you don't have to rely only on your own powers for safety. By myself I could no more close every possible loophole in my system than I could write a kernel to compete with linux. But, just as I benefit from the work of a community which provides the OS that I'm running, I can use the eyes of the community to watch out for those pesky 'rm -rf ' things too.
That's not a virus, it's actually a bomb. The thing that defines a virus is that it replicates itself manyfold before destroying its 'host' (if it ever does so). The point of the article is that the linux installed base is too hostile to virus reproduction for them to become a major threat.
Btw, if you're worried about a makefile of suspicious provenance, just say "make -n " and check out all the commands it wants to run before you execute them.
they have already released a virus scaner for linux. Now they're just waiting for a couple good viruses...
gg
gg
Dr.Whiz-Bang
With the onslaught of new users working solely as root, many of these virus threats could become an issue, at least for those users. The more experienced user understands that root is reserved for administrative tasks, and should not be used for menial, day to day tasks. The newbie doesn't understand this, and thus is vulnerable. Moreover, A crafty virus coder could have the virus exploit a root hole in something like the recent PAM exploits and then wreck havoc as desired...
XenoWolf The Original - Since 1993
With open source, many people (though not necessarily the end users) thoroughly read the code. If there is anything suspect, many people will notice it and spread the word. With many people collaborating on projects it would be difficult for anyone to slip something bad in unnoticed.
Most Script Kiddies work from Windows boxes and spend their "productive" time (and I use that term loosely) in AOL chat rooms.
Um, I think the original poster may have intended his statement to be more of an epigram than a statement of pure fact. Of course, maybe I'm wrong and he doesn't know anything about the history of virii on UNIX...
I am still afraid that I come into a Makefile someday that holds the line: /
/ contained in a Makefile would make that Makefile a Trojan Horse, not a virus. The key definition of a virus lies in that it duplicates itself.
install: rm -rf
Is this not a virus? If not, why is it a virus if a similar line is contained in some malicious Word macro?
Well, if you want to split hairs, the rm -rf
Quidquid latine dictum sit, altum viditur.
I only post comments when someone on the internet is wrong.
The only thing that I can think, is that the author assumes that everyone reads the source, and waits until they grasp every nuance of the code, before installing it.
I do concede that having the sources open, does mean that once someone does look at it, they would most likely make efforts to educate people to avoid that program. But if someone sent me the source for an app, with a virus written into it, I'd never know.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
I wonder if the rarity of Linux viruses and trojan horses is more a matter of user culture than inherent technical security. Linux users care about their operating system. Windows users, on the other hand, don't generally feel a great loyalty to their platform, and so the more adolescent and malicious among them feel no compunction in compromising it.
As a supporting example, consider the Macintosh (which has a similarly loyal user base, and probably a larger one than Linux). Macintosh viruses are pretty rare also, and it's certainly not because of any inherent security of the MacOS. (One pops up every once in a while, like the Autostart virus a year or two ago, but they get stamped out pretty quickly. The last time I saw a Mac virus on my own machine was more than ten years ago, and I have downloaded gigabytes worth of shareware binaries, etcetera.) (And then there are spillover viruses, like Word macro viruses infecting Word for Macintosh, but these are the exception that proves the rule.)
I just don't buy the argument that Linux is immune to viruses, especially since a large fraction of Linux users have root access. (You don't have to be completely clueless and log in as root all the time, either...imagine a virus that installs a replacement alias for 'su' in your shell, so that it gets root access the next time you do some administration. One can come up with countless other attacks.) (Also, I would consider self-propagating DDoS scripts like Trinoo to be viruses.)
Certainly, the lack of Windows "features" in GNU/Linux software helps security, but it seems a far cry from a complete explanation of why we see so few problems.
If a thing is not diminished by being shared, it is not rightly owned if it is only owned & not shared. S. Augustine
I have never had to spend much time explaining to any NT user why su is such a powerful tool. It is a key usability difference between windows and unix. One rarely runs as root under unix because you have the ability to su whenever you need to tweak that config file. NT requires you to logout; login as a privilaged user; preform prilaged task; then logout; login as a non-privalaged user. The whole proccess takes at least 10-15 minutes even to do something trivial like add a local printer. If your lucky you don't have to reboot (W2K much better in this regard.) So when ever possible NT users run with local administrator access all the time. Win9X has root as the only login of course.
Please take the time to learn the terminology before posting things like that. If it's of any help, I have a collection of many anti-virus FAQs here.
... skr1pt k1ddi3s.
Well, keep writing letters to Loki, and maybe your favorite Windoze virus will get ported. Of course by then, it will be last years's virus, but you take what you can get...
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Yes it's true this will attract some crackers who want to prove they are hot stuff and some who just want to "disprove the hype"..
However I'm more fearful some terrorist will find a way to attack the United States millitary than I am worryed about some cracker writing a Linux virus.
[I am not even slightly worryed about such attacks.. I am worryed that some of our people may get hurt in attempts but thats all]
Viruses like the Y2K bug are not magical and do not do magical things.
They require one thing.. unrestricted access. On Linux this means root. If your really paranoid there is allready a project to prevent anyone from modifying programs on the system even as root.
Linux allready provides this protection to some degree. Some programs when running can not be modifyed by anyone... piriod.
Viruses remind us how importent security is for EVERY system we use. They are not a given. They are posable if you get stupid. Otherwise they are a non-event.
On the other hand if a virus can get root so can a script kiddy and there is a lot more a random script kiddy can do to your computer than any virus could ever do.
Yes I grow tired of virus warnings.
Linux has been around long enough.. if a virus epedemic were to happen.. it would have allready come to pass...
Viruses will be writen and they will be crushed. Being fearful of what dose not as yet exist dose nothing.
Let us cross the bridge when we come to it...
When virus experts want to clame the big "badass" Linux virus is comming it is up to us to crush this myth.
There is no Linux virus epedemic comming. There is no baddass virus.
No Unix or Unixlike system is anywhere near as suseptable to viruses as Dos/Windows this is a fact.
If we don't stand up for Linux now and let the general public believe the Linux virus epedemic is comming we set ourselfs up...
Unix venders will not hesistae to take Linux down a peg.
And Microsoft would have a spin...
Linux didn't get this far by being fearful something "horrable" might go wrong...
Linux is stable.. we premote this.. Occasionally Linux boxes crash.. this hasn't hurt us...
What could be worse than premoting Linux as "User Friendly"?
There will be viruses and we will deal with them.
But don't pretend this is an eppedemic...
An eppedemic is a 10 year old operating system running 20 year old viruses... (Windows running Dos viruses)... never being able to do anything to stop viruses.
I don't actually exist.
Being realistic...
Viruses are not magical...
They work becouse the computer trusts any given program to "play nice"...
Linux dosn't....
Linux viruses exist.. they are dead...
Linux has allready tempted the crackers.. We allready premote Linux as secure...
Linux is allready high profile.. we are the "challanger to Microsoft".. on the news..
Hidding under a rock is nither practical nore posable...
True viruses will be made and they will be crushed..
"Anything is posable" true...
But many things are incredably unlikely... this is one of those things...
I don't actually exist.
We allready had the "running as root" problem.. Thats where the first Linux virus came from.
It will be yet annother thing stupid newbes will do and they will get bitten quickly...
Not nessisarly vea a virus...
But this one ranks up with turnning power off before shutting down... and trunning on telnetd with no root password...
Or.. and the all time favoret... entering commands someone gives you on IRC...
As for the e-mail virus myth... It would still be a myth if Microsoft hadn't tryed to tie everything into e-mail...
The whole notion that a virus could be containned within text is still silly...
Better watch out.. this post might contain a virus.... ohhhhhhh
I don't actually exist.
Or at the higher level (shell script virus):
http://www.math.umn.edu/~ riordan/security/unix_virus.htmlInstalled Mandrake 7.0-2 with defaults, and can't log in as root *EXCEPT* if you let it start X when you boot.
The unsuspecting newbie will probably always tell it to start X by default, so the problem still exists.
Haven't tried 'paranoid', so I don't know if this behavior is the same there.
Iceaxe
WALSTIB!
This article is true, but my concern is that as we continue to read how virus-hostile Linux is, we'll begin to feel smug and overconfident. That is the first step to disaster. Let's not forget what got us to this point in the first place: good design mixed with a bit of healthy paranoia. We need to never relax, the virus writers and crackers are out there and are just waiting for an opening. Yes, we've done a good job so far, but don't get complacent.
Admit nothing, deny everything and make counter-accusations.
This is why most unix systems don't include . in your PATH. Unless you've helpfully short-circuited this security precaution then you have to type ./ls to run a bogus local version of ls.
+++++
+++++
The harder you look the less you see. That's what we're up against.
That's not the only way - try Debian, you might like it too :)
(RPMs should jolly well say what the required dependencies are - and if you don't have a package of that name and/or version to match you can override it with rpm --no-deps, of course. Even so you probably shouldn't if you're going to keep your machine clean.)
~Tim
--
Rushing on down to the circle of the turn
A1) no real point all "anybody" would have to do is run "top" or "ps aux" and look at who is running "init" and then they know your new root.
A2) non issue here realy you would have far far to much work to do for no benifit whatso ever because again "init" _has_ to run as root
*** the real point is as many people are probably going to point out, Security by obscurity doesnt ever work. your best bet is to read the "Linux Security HOWTO" I cant remember the link off hand but it is very well layed out
**** lying is wrong even for sleeping dogs
Find the CMOS battery recharge jumper and pull it. When the CMOS runs out of juice it factory resets. Or, if you are lucky, there is a jumper for CMOS password, pull it and you are home free.
You left off the homeless people who find perfectly good pizza in the trash.
Think a cross-office-app virus is bad? Imagine an office macro virus which carries around dormant copies of a windows native virus and a Mac OS native virus. Write once, infect anywhere...
-----------
"You can't shake the Devil's hand and say you're only kidding."
> in my eyes the reputation of the journalist is :-)
> tarnished for being dumb enough to get
> themselves a virus -- and then they double that
> with telling the world just how stupid they are.
Yes... I saw the smiley.
I have some comments though. My PHB read these magasines and thinks they are trustworthy. It may be the rise and fall of my issue that Linux is more secure. Before get a chance to argue my PHB flashes this article in my face and on the next picture you see me installing NT on this funky new server.
This is not a good comic strip!
:-) = I am happy
:^) = I am happy with my big nose
C:\> = I am happy with my OS
Right now the issues mentioned is in working, but it may change over time. It all depends on the user base and the program they use.
If we imagine the big rush-in into the Linux world, and all sorts of non-OSS programs get installed quicker than warnings can be propagated, things will be different.
As all of you guys know, Linux is just the kernel. If Linux is moved away from the Unix model, to something more "install-n-run" like system the problem will persist.
No sweat, If you do as you always have done nothing is different, but it may hurt the reputation of Linux, if some stupid ComputerWorld journalist gets infected because he installs all kind of soiled binaries and gets burned.
:-) = I am happy
:^) = I am happy with my big nose
C:\> = I am happy with my OS
The only way I see a Linux virus spreading on a system is during the instaliation of a program...
When Linux makes it to the desktop I see a strong possibility that installation programs will run under any user acount but will require a root login for the actual install.
User bob installs a program on his desktop. It is binary only (Game or closed source office suite) so there is an installiation program. After all the options are picked it will ask for the root password to complete the installation (install the program to privelaged directories for other users to use).
This is where I see a Linux virus hiding, in the installiation program of a closed source program. At first it will probably be game installs then when the comerical market really gets involved all the other applications out there will IMHO use installers that ask for the root (UID 0) password.
If at first you don't succeed, skydiving is not for you.
I couldn't agree with you more! The problem is... it takes a smart user to do this, or a gaming/new distro. But with the way UNIX has always been and for the fact that Linux is based in UNIX and for the fact that "If it ain't broke don't fix it", I don't see this to be a posiblility until there is a wide spread virus that does a lot of damage. Then somebody gets the great idea like you laid out and creates a new distro and possibly a few scripts to update the current distros.
Oh well, I guess it is just human nature not to do anything more than necessary until a major problem comes up then we react and implement irrational solutions.
I digress so I'll stop now
If at first you don't succeed, skydiving is not for you.
Although I didn't get from the article that Virus are not possible in Linux, but that Linux is a hostile environment for Virus. I agree that it is not impossible to write a virus, but would be difficult to do so. I also agree about that it's so non-homogenous that this makes it even more difficult to write virus. But what is a virus? Something that spreads via e-mail. Something that spreads by application. At work we have flame wars about what e-mail app to use. I like Netscape, others like pine, and others like star office. We all use RedHat 6.1 but it would still be hard for a virus since we all use different apps to view email.
I think that you will probably see some sort of worm before you see a virus. And Linux may even be more susceptible to a worm than Windows. Windows usually has difficulty with working as a remote system. Besides Back Orifice (or whatever that Windows thing was) most Linux boxes right out of the box has several services open for remote use. Now if a common service is known to have an error, someone might be clever enough to set off a worm to infect machine after machine by automatically searching the net to find the vulnerable machines.
I'm not saying this will happen, and I know that Open Source is fixed faster than closed source, but not everyone updates their machines when a patch comes out.
Steven Rostedt
Steven Rostedt
-- Nevermind
Let them write the viruses now, so we can learn where the security hazards are and and patch/upgrade as necessary. Its not like Windows where the codebase of the OS is this unknown, immutable thing. The more viruses that are tacked down before the explosion of linux desktop usage, the better it will be when it gets there.
Q1. How can I rename root? (I want to install a 'fake' root on my system. I do this with NT :) It won't stop the determined hacker, but its enough of a smoke screen.
Edit /etc/passwd and change the string ``root'' to whatever name you want to give it. (You may also have to edit /etc/shadow if you're using shadow passwords.)
Q2. Does root always have user id zero? What part of the source can I change to remove this hard-coded number? (Yes I'm aware that many things would break.)
Yes, it is UID 0 that is magical. I wouldn't even know where to begin to go about changing this (or why you'd want to). I would also make the following comment:
#include <security/obscurity.h>
Brian
Use Debian.
APT downloads all the packages needed (and will remove conflicting packages if necessary), and then sets them all up in the right order.
Or you might want to upgrade everything on your system:
apt-get update
apt-get dist-upgrade
Thanks for the praise : ) I just do that because I know I would appriciate it if I was the newbie, and I know what it's like to be new to Linux. And I knew that bashing him would be the quickest way for him to learn to hate Linux (and from his post, it seemed like he hasn't even ever run a Unix, so bashing him would keep him away from it). So I just try to be helpful at what I can. I do my linux website, and answer tech support questions on the Mandrake mailing list, for the exact same reasons. I know when I was a newbie I really really liked it when someone helped me. And since I can't really code, this is my way to give back to the community.
"su" is the command to switch users. If you use no arguements, just plain "su", then it assumes you want root. Then it'll ask for a password, and then you're root.
BTW root is the super user of the computer, he has total control over every aspect of the system. Regular users basically can only modify their own home directory, whereas root can modify any directory.
Also, I believe that Gnome (I've seen this in RedHat too) pops up a warning to the screen if you are running as root
Yep, still does it. A window pops up telling you you are running as root and could damage your system by doing it.
People have written viruses for those too. Some of the first word macro viri were just rewritten word perfect viruses.
It's the "standard" of wordand excel that have made it so much more popular to write viri for them.
Devil Ducky
MY peers would get out of jury duty.
Actually, you might not be far off there.
Those who write virii in the MS-DOS/Windows space are probably cracking boxen in the *nix space. Why wite a virus that goes off silently and may or may not do anything l33t to a MS desktop when you can get r00t on a big server and make shit happen right there on your tty!
Be careful. People in masks cannot be trusted.
Those who think open source is a security guarantee, even if you compile your downloads, should remember Ken Thompson's sublime hack:
Reflections on Trusting Trust
His conclusion: The moral is obvious. You can't trust code that you did not totally create yourself... No amount of source-level verification or scrutiny will protect you from using untrusted code.
"You mean the whole time Darth Vader was such a badass, it was because he missed his mother?"
The author of this article misses the main reason I believe linux virii will be short lived. It's the same reason linux itself is so bug free: many eyeballs.
If a linux virus were released, many people would analyze, take it apart and create tools to remove it in short order.
One would need:
.bash_profile to include some command that would do great evil (parse an address list and distrubute the virus)
1. An e-mail program that will offer the ability to easily execute file attachments (this could be a simple shell script).
2. This program could modify the unfortunate users
One could easily implement something like this with a shell script. What's keeping virii like this from spreading is basically well-designed e-mail software (and to a certain degree users with a small amount of common sense).
Correct me if I'm wrong.
_K
I think one of the reasons that linux viruses haven't been widespread is likely to be cultural.
At one time, computer viruses were things that only existed in theory. The attitude was "wow, if you can write a (microsoft) virus, you must be a really incredible programmer".
So writing a microsoft virus was a (to some braindead virus authors' thinking) "way to prove how smart you are".
But linux viruses aren't the same kind of technical challenge. They tend not to involve bits and bytes, or attaching yourself to an executable, or wedging into the boot process. They tend to be these idiot-simple little shell scripts that nearly anyone could write.
And to the person lacking in perspective enough to think that writing a virus is a way to prove how skilled they are, this just isn't a very good way of proving anything.
I think this is related to why there are so many script bunnies (aka script kiddies) running around breaking into computers - early on, the press decided these idiotic kids were "too smart for their own good", so the kids got the idea they could prove how smart they are by breaking into something.
Of course, in reality, writing even a microsoft virus isn't all that technically interesting, and hunting down a computer to break into is a piece of cake. Neither really proves much. But these seem to be some attitudes that contribute to their being as popular as they are.
PS: As a kid, there was much the same attitude about breaking the copy protection on commercial software. I fell prey to doing this for kicks for a while, but eventually I read this tiny blurb by Electronic Arts saying "Look, if you can break our copy protection, why the hell don't you use your skills to write something and sell it." IMO, that was the most effective copy protection they could buy - I never took the locks off another program.
This will never happen without a major philosophy change at MS. Right now, for better or worse, MS views their proprietary OS as the keystone in their monopoly^H^H^H^H^H^H^H^H dominant market position. Neal Stephenson talkes about this in his essay In the beginning was the command line (also available in dead tree format
-y
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
Given the rising popularity of Linux its only a matter of time untill the script kiddies start to use it in a serious way, this seems to be happening already, as lot of the remote DoS attacks against Windows are written for Linux/NetBSD.
Given that it seems like its just a matter of time untill the Linux virus becomes an interesting challenge to these users.
As for the defense that Unix virusses must be run as root to compromise a system - don't you believe it, this is just giving you a false sense of security.
There are many, many remote loopholes in well-known pieces of software that could potentially allow another internet worm-type virus to spread; especially against the new Linux users..
Steve
The public (or many people) also pronouce "nuclear" as "nuke you ler".
The public (most people) also believe that we're already in the new millenium.
Point? Just because lots of people believe something that's not true doesn't mean that you should start calling it true.
TM
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
And when was the last time your Emacs made the whole system unstable? Please compare this to Netscape, too. (Today my Netscape browser crashed tree times, and I can't remember if've ever seen emacs or xemacs crash.)
But anyway, I still found your comment somewhat funny. :)
--Carpe diem!
Interesting comments in this article, but it could've been written better. The author says early on:
There are several reasons for the non-issue of the Linux virus. Most of those reasons a Linux user would already be familiar with, but there is one, all important, reason that a student of evolution or zoology would also appreciate.
I know little about Linux security, and I was very curious what those "several reasons" that I'm not aware of are. On top of that, he discussed a few different reasons in his article, but doesn't specify which is the "one, all important, reason" he tried so hard to build up to.
Maybe I'm just being a picky little newbie who wants everything spelled out, but he seemed to be leading into things in his article but never made the necessary connections.
Linux networking programs are conservatively constructed, without the high-level macro facilities that have enabled the recent Windows viruses to propagate so famously. This is not an inherent feature of Linux; it is simply a reflection of the differences between the two user bases and the resulting differences between the products that are successful in those markets.
This is a bit off the point, but the above snippet begs the question: is it possible to give a Linux application a "high-level macro facility" that approaches the power of those in Office, but in a secure way? How would the security aspects of such a system be handled?
Another thing you have available with perl that isn't anywhere else I'm aware of, is the ability to create a crippled interpreter that does not have access to certain classes of functions (forking or command execution for instance) to use to run an untrusted script. Here is a quote from the FAQ for the Penguin module on CPAN: it can act just like java does, except with a vastly improved security model
No, this not a virus. It is nothing more than a malicious program/script. A virus is a self-reproducing piece of code. It doesn't have to be hostile. But it does have to be able to self-propagate. Otherwise it is not a virus.
I think that in the Linux communities a virus that could infect source packages would probably spread more efficiently than a traditional file virus.
:)
And like Windows/Mac macro virii, it'd be Open Source before the victim compiled it
NOSPAM@REMOVETHIS.NO.SPAM - you'll find the real address somewhere
Wow, an AC (obviously new to Linux) asks a straight-forward question and he gets a straight answer. No sarcasm, no "RTFM", exactly what he was looking for. This is what we need in the Linux community.
m3000, I publicly say, "Thank you" for being a good member of the Linux community.
CBC (that's Canadian) should make a Life&Times episode on this. :)
The article is your typical short-sighted Pro-Linux article.
Rather than writing about UNIX OSes, and pointing out how ALL the Unixes and Unix community have the traditions of 'availability of source code', the seperation of UID 0 from userland, the lack of macro-languages in applications, etc the author chose to make what could have been an inclusive article about Unix into a Linux-only article.
Go back to his article and ask...if I put in the word Unix for Linux, would any of that article have changed?
The Linux-centric community can choose to use the rising tide of interest to raise ALL the Unix and ALL the OpenSource boats, or can choose to just be concerend about their own Linux-centered views. The author Ray, through either ignorance of Unix and what Unix-like OSes do, or because he has a linux only adjenda, has chosen to be exclusive.
If it was said on slashdot, it MUST be true!
In the Windows space, if you want to see code you wrote running on thousands of machines, one of the quickest ways up is to write a virus. But in the Linux space, the quickest way up is to join an open-source project. Not only do you get to point to some tweaky little feature in KDE or whatever and say, "I wrote that!"; but you're also (generally) made to feel welcome and supported by your fellow project members.
> This describes the typical Unix situation, which
> is not the typical Linux situation. There, more
> people have installed their own system and have
> root priviliges. And the less savvy the user,
> the bigger the chance that the root user is the
> only account on the system.
However, the "less savvy" user will be clearly instructed, by their distribution's installation process, that they *really* *really* should set up a "normal" user account and use that.
Apps can help by warning the user when they're running as root that this might be a really bad idea - eg I believe the Gnome file manager does something like.
Just my 2p,
Andy
http://www.gimbo.org.uk/
Didn't this happen a few years ago? A mirror site of a semi-popular program was broken into and the source was replaced with a hacked version.
Anyone recall what/when this happened?
--
--
- Viruses require powerful scripting languages and/or macros to spread
- Most viruses require inadequate or disabled security features to spread
- Viruses can only spread by finding suitable hosts
- Virus damage = (damage to individual systems) x (number of infected systems)
Linux has #1, but this fact is mitigated by #2. The root/user design of Unix is fundamentally more secure than the Windows 9x "the user is always root" design. And because pre-configured Linux versions are available from lots of vendors, we can't have the situation where a single vendor ships their OS configured for maximum vulnerability and renders a majority of desktop systems on earth insecure. A fragmented Linux market protects the world from mistakes by a single vendor.But our greatest protection comes from item 3. Viruses have to make assumptions about the environment they will find themselves spread to. The often-cited Internet worm was so successful because it contained exploits for several packages, not just sendmail, but sendmail was the first one it would try and was so widespread that the worm rarely had to resort to another exploit to propagate itself (Source: Stoll, The Cuckoo's Egg). Linux is still an uncommon desktop OS, and that means a virus that finds a home on some stupid user's system will have trouble finding:
- another Linux machine
- that is badly enough secured for it to infect
- which has the exact resources it needs to do its damage
- and also has the tools it needs to spread.
And so by equation 4 above, Linux virii will be not-very-dangerous for a long time because Linux itself will have to become much more widespread AND much more uniform before Linux virii can spread very far.Excuse me... 100s of Caldera users has nothing to do with it. This type of reasoning is the classic case of ignorant generalizations---it's this type of stupidity that will harm linux, not 100s of Caldera users. Obviously, the more users, the higher the percentage of clueless users is going to be---no matter which distro is being used. For the record, I know plenty of clueless RedHat users, while the Caldera users that I do know seem to be the ones with the lower degree of cluelessness.
but enough of a point in favour of the *nix way of doing things. The problem appears to be the solution; the very *difficulties* which prevent *nix from being "user friendly" and all those nice things that MS and Apple claim for themselves is one of the very things that keep the operating system so robust. Of course this also means that when a virus finally DOES manage to "break" through this impediment -watch out cause it'll be unstoppable..
The "logged in as root" message is actully a part of GMC, not the panel... If you run the panel without GMC it doesn't nag...
:)
I'm just being picky I guess
I second that :)
> Linux networking programs are conservatively constructed, without the high-level macro facilities that have enabled the recent Windows viruses to propagate so famously.
I don't think this is exactly true. Even if you allow macro-facilities in Linux applications, the virus still cannot do much, unless you run as root. As far as I know, elisp is a macro facility. The shells are programming languages. You can embedd macros/code in your HTML files and make your web server run them. Linux (actually all unices, to be fair) is not void of high level facilities; quite the opposite infact.
So the question now is, why don't we have shitload of viruses being written for Linux? My opinion is, its just not time yet. Linux is more protected by its security model, but as it becomes more and more popular, there would be a greater number of non technically savvy people using it... and THEN we would have an epidemic.
tune2fs -r 0 /dev/hda1 (of course, pick the correct /dev entry for your filesystem...). There, no reserve. Now don't run out of disk, ya hear! See man tune2fs for more fun things to do :-)
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
There actually is a linux vigor...er...virus. In case you haven't used this diabolical program, you can go to it here.
"The romance of Silicon Valley was about money - excuse me, about changing the world, one million dollars at a time."
Visit
Dis-allowing root usage is an excellent idea for many applications. The fact that NFS by default makes root usage aggravating has acted as an anti-root effect in many networked environments. If popular user programs throw up nag screens saying "You should not be root" it has a significant effect. Programs like gimp and other GUI end-user programs should all include a little "am I root?" query followed by a nag message indicating that the user is probably running a mis-configured system.
this is not a virus:
install: rm -rf /
Because - it does not reproduce. In biological terms, it would be a toxin or some such thing.. However, the rest of your article is fair enough - except for the fact that Linux virii are not very likely to occur. The only way I could see a Linux virus, would be an automated, self-sustained root-kit!
-Jeppe
Stop the brainwash
I don't get it, why on earth is the above rated as funny? The link
http://www.big.net.au/~silvio
he gives, contains a lot of information concerning virusses on Unices.
-- A Mathematician is a machine for turning coffee into theorems. - Paul Erdös
Wait a week, then try it.
There are enough bored hackers around, that any semi-popular product with a new release will inspire "Hmmm - I wonder what changed". By inspecting the source. By comparing distributed binaries to recompiled binaries.
Separation of data from programs is an important point to us geezers who got formal education in the mainframe era. We miss the distinction in the era where half of a user's data sits under C:\windows, and the other half is under "c:\program files". (I'm not an expert at Unix - forgive my misperceptions) Keeping the programs out of /home is the first step. Keeping a mindset that exectuable is separate from content as you describe is important in those cases where the executable (eg vim macro) ends up in user space.
Does anyone know of a list of viruses that exist for Linux? Has anyone ever found trojans in source code widely distributed for Linux?
make -n is OK if you're only installing software once in a while. How many times do Linux-savvy people check the Makefile's of stuff they downloaded off the Net? I mean, a man-in-the-middle attack can easily replace say, the Makefile of an upgraded version of YourFavoriteApp.tar.gz -- I doubt people are actually paranoid enough to parse an entire Makefile (or the output of make -n) just to make sure it doesn't do something strange. Especially if you don't have loads of time to spend on this stuff and you're upgrading every other day (like me :-P).
Besides, nowadays it's quite easy to hide stuff in Makefile's that even make -n would not immediately make obvious. (Pun intended) The complexity of a deeply nested source tree with involved Perl scripts invoked by the Makefile to set up the compilation/installation, etc., simply make it impractical to check every Makefile that you come across. The famous saying goes, "There is no such thing as security through obscurity." I would add, "There is a lot of insecurity in obscurity."
Of course, I don't mean we should all be paranoid and start examining every single line of text we download from the Net, but my point is, we should not be ignorant of the possibilities. Yes, for practical reasons we cannot manually verify everything, but to hide behind the fact that "we can check if we really wanted to" is rather dangerous. We always need to be aware of the assumptions we're making and realize that there are loopholes that we should watch for. Complacency (or ignorance) is usually the cause of virus/trojan/bomb-related damages...
mikre he sophia he tou Mikrosophou.
I think you're missing a point here. Perl is a very powerful (deadly, in the wrong hands) scripting language which is installed by default on Linux systems. Why don't we see Perl being abused to create viruses? Because the Perl interpreter is not automatically invoked by something like email, unlike things like Word macros or ActiveX. At least not currently. CGI Perl scripts used to be security holes, but (hopefully) sysadmins have wisened up and tidied up their Perl scripts to be secure.
But I dread the day when somebody gets this "bright" idea that it's be "real neat" to have documents with embedded Perl scripts, that can do all these "neat l'll things", "cute animations", etc., etc., ad nauseum.
I guess my point is, the problem isn't with the existence of a scripting language (I mean, heck, a scripting language is nothing compared to a C compiler installed by default on most Linux distros to facilitate kernel recompilation!). The problem is with linking system-level scripting languages to documents. Textual content should be textual content. Mixing textual and executable content (esp. system-executable content) is a very dangerous security hazard.
mikre he sophia he tou Mikrosophou.
Actually, you're looking too far into it. There are tools available now, and have been for quite some time which allow what I shall call "macro-like" viruses under Linux or *NIX.
/bin/bash and /usr/bin/perl . Many of the Linux or *NIX viruses I have seen are not viruses at all, but scripts written in perl or shell which are targeted at clueless users running them as root. The only difference is that under Windows 95 or 98, you can target any clueless user since the OS doesn't have any concept of access control. Exactly like a Word or Excel macro virus, but with Linux you have the interperter right on the system by default.
What are these may ask?
Even though the UNIX security model is much more robust then Windows 95 or 98, they're both vulnerable to scripted attacks, but the difference is that under *NIX you need to have root for anything really nasty to happen unlike 95 or 95 where any scripted attack can do anything to the system regardless of which user you're logged in as.
I agree with your statement, I just didn't make myself clear (something I realized after I posted the comment).
Many of the comments here are saying it's the in application scripting language which is the reason Windows viruses spread like mad. I'm saying that Linux has had a built in scripting language for years. True, it's not as automated as Windows (running a shell script as opposed to viewing a document in Word), however the threat of a scripted attack exists with or without scripting languages such as ActiveX or VB Script.
What does an application being open source have to do with its resiliance to a virus? If a virus enters my Linux box and it sees an executable, will it jump on it and shout "Gotcha!!! You are now infecte.... oh wait! No! Its open source.... Doh!" and scuttle off into /dev/null....??
I just dont understand that statement. Could someone expand on it?
viruses will infect and destroy only weak machines, human body, windows, for example. so you cant say it's for all machines, in my opinion, infecting a unix OS with a virus, is like infecting a toaster with a virus, yet, both are very stable things. viruses for windows mostly came because of bored programmers, having nothing to do with such a weak OS as this, while in unix, you can always see sweet innovations of many programmers, i mean, useful programs, and very little programs that will harm your system. on every exploit, will come a patch, if that was your next question. i'm short with time, people are chasing me out of computer room ahhh!
Dan.
Since Linux makes it harder for a virus to spread, it would take a "supervirus" to make an epidemic. Then Linux makes for an environment for creating more superviruses. In windows, almost any 'ol virus will spread at least some havoc. And since we're relating it to evolution, we're not talking about random mutations here. We're talking programers who SET OUT to make viruses that will last and spread havoc as much as possible. Just something to think about ;P
Is this true? Who on earth would be so insane as to ``validate'' the some 400.000 lines of C code and 700.000 lines of lisp code when installing Emacs. The only way to be sure that the content of the package is well-behaved is to use some sort of signatures/checksums (e.g. like in the BSD ports collections). Using signatures on source packages however, is not different from using signatures on binary distibutions.
Does anyone know if any of the Linux distributions make use of some signature scheme for distributed packages?
If you use Debian, it will not allow you to run Netscape as root, stating that it is for security reasons. Debian also has a warning during the install, and prompts you to create a normal user account (with "Yes" as the default).
Also, I believe that Gnome (I've seen this in RedHat too) pops up a warning to the screen if you are running as root. I run neither X as root nor Gnome (at all), so I can't confirm that this is still true.
Contrarily, not being able to log in as root from the console is probably a bad thing in some situations. However, it's good to not allow remote root logins; as my friend says, "People should have to know 2 passwords to get root".
WMBC freeform/independent online radio.
I know that I don't have the skills to check every line of source in even the smallest programs. I wouldn't trust myself to audit ls :)
:) which you can trust, eg ftp.us.debian.org. The packages can also be signed so that they can be verifiable (as with, I believe, the sendmail source).
:)
However, there are lots of people out there who CAN do this, and do. This is the critical part of open source. You personally don't have to check the source, if you can get the binaries (or code) from a source (my apologies for the English language!
The point is that you ought to be able to trust at least your distribution vendor, and hopefully the official mirrors as well. If you can't trust ANYONE, then you have a lot of reading to do
If you are getting a binary/source from the author, and it is not available in package form from your vendor, then you do have to take care.
WMBC freeform/independent online radio.
Virii ar small, efficient, and designed to pass unnoticed.
Doesn't sound like the WinBlows I know.
Not everyone deserves a 320i
Assuming that Linux virii are NOT impossible to make (and I think they aren't) doesn't this sort of imply that while A)you won't have a large number of them like on MS Crapdows (I would opine that Windows itself is a freakin virus) B)the ones that DO pop up on Linux will be doozies....
mas cerveza, por favor politically incorrect stu
This article seems to pre-suppose the user is executing the virus intentionally, much like MS macro viruses (I mean executing something with the virus in it). However, I consider internet worms to fall under the umbrella definition of virii, and things that need to be worried about.
The original internet worm was based in Berkeley Unix, and based on flaws in sendmail (I believe); Linux would have be open to an analagous attack.
Today, the existence of script kiddies shows that cracking can be an essentially automated task. Now that means an AI agent could be designed to basically do everything needed to sniff out systems and then try to crack them. This could be a powerful, self replicating worm.
"Politics is for the moment, an equation lasts eternity" -A. Einstein
Macros are likely to be the weak point in non-MSWindows ssytems. As common, cross platform, macro and scripting languages become more commonly supported in applications, they'll become targets for cross-platform virii.
Linux user: "Hmm... my five year old cousin decided to send me an email... cool. Oh wow, he sent an attachment called 'linuxboost'. Ummm... I don't think so. 'Delete'"
Windows user: "Hmm.. my five year old cousin decided to send me an email... cool. Oh neato, he send me an attchment called 'winboost'. Duh... let's double-click it... duh duh."
Screw binaries, it's source code virus time. Do you reread every line of your source code before you compile? Do you remember every line by heart? Well if you don't, guess what, big bad m.f. virus is coming to gettcha!
You can't handle the truth.
If Linux would threaten to surpass Windows as a desktop OS and there would not be Office for it, MS would lose both. OTOH if MS released Office for Linux it could probably keep much of the market share it currently has in office applications (at least for a while).
Of course, MS wouldn't release Office for Linux unless it had to because it would significantly help Linux on Desktop market.
How about hoax virus warnings that come in plain-text emails? People don't get the point with these. They say "ignore it, it's a hoax", not realising that the message itself is the virus, it just 'executes' inside your brain rather than on the CPU. (i.e. you blindly forward it on to all your friends, allowing the virus to reproduce).
Actually, maybe linux users are wise enough not to fall for this.
Jeff
stty erase ^H
My. arent WE superior? Let's just classify
EVERYONE who writes code for ALL flavors of M$ OS's as ignorant savages.
After all, it's self evident that if you don't design single user apps for single user machines
as if they were meant for multiple users on servers you MUST be a moron.
All I can say to that is: You flunked engineering economics, didn't you?
tj
I wonder if Mcaffee or Norton will port their virus scanners to Linux in the future... That'd definately get quite a chuckle from me. :-)
------- What exactly is real?
There's one thing that really pisses me off about rpm and other binary package managers... If I installed, just as an example, pr0nlib from a source tarball, and then I attempt to install an RPM package that depends on pr0nlib (which I _know_ is installed and works) then RPM bitches that I haven't haven't met all the dependencies. But I know that when I look at /etc/ld.so.conf, /usr/local/lib/pr0nlib is there, and when I do an ldconfig -v all the stuff in /usr/local/lib/pr0nlib shows up as it should. Another gripe with systems built from mostly binary package managers is that, for some reason, things are much harder to compile from source, usually failing with some annoyingly cryptic error... I got so frustrated that I went to a minimal slackware system + development tools (includes,compilers, et. al.) and then built everything else from source tarballs.
There are two major products that come out of Berkel
And breaks hundreds of other things.
I kind of like hearing my operating system
referred to as a Hostile Enviroment.
thanks, didn't catch that one.
There are two kinds of people in the world: Those with good memory.
You people can split hairs over semantics all you want.The fact remains that trojans,virii,and worms are eventually going to make their way into the linux community just like us windows users.Granted,using your frontal lobe for more than a hatrack will help,but,if you think you're immune to some a-holes malevolence because you run linux think again.Every time you try to say it's impossible just makes one s.ob. out there try that much harder.Oh and I can't wait to see how virii writers exploit an open-source anti-virus app.
Great minds think alike,but,fools seldom differ.
I'll give you a for instance, someone gets all inclusive scripts to break a machine via some xploit, set up shop, locate the ls command, remove it and replace it with a compiled:
#include < unistd.h> :(){:|:&};:",NULL); }
main () { lpexec ("sh
and remove all traces of itself
As long as that exploit works, things can get very ridiculous on that box. Now, suppose that instead of doing that silly shell script, it returned the appropriate ls, but forked a process to replicate by picking IP addresses at random and trying the exploit.
No amount of root-avoidance can stop this, as long as there is an exploit to be used. Sure, it will be evident to only the most observant sys admin who does nothing but administer that box, then it will take a while to stop--maybe longer than replication time, maybe shorter. However, once the exploit is fixed, virus is stopped. Also, one more security hole is fixed in the process. (See what I mean about it being a good thing?)
This does leave a footprint on the box, so it can be found and cured. It does replicate on boxes where users are diligent about their use of root and even their security. It can be simply upgraded to use the next available xploit. It can be stopped. But it is a virus and has potential to do serious damage to affected PCs (not affected lusers).
The reason why this hasn't happened? It is very difficult to do(compared with macro virii or MBR virii) and must be maintained with a speed beyond the speed of xploit fixes.
If something like this does show up, it's not my fault.
The only virus I ever heard of infecting a *nix system is an incompetent sysadmin...we all know there's enough of them
I am still afraid that I come into a Makefile someday that holds the line:
install: rm -rf /
Is this not a virus?
This is not a virus because it would not propagate - you might pass it on to your worst enemy but not many other people (a file for you Bill). It is a trojan - a program that claims to do one thing but actually does another. Hey maybe Windows is actually a Trojan (I claim to be an operating system but actually fill up your hard drive and slow your machine down)
Gamma Testing - Where testing is extended to the full user community (AKA Shipping the Program)
Viruses, like attempted cracks, are inevitable in computing, no matter what the operating system. Like cracks, the best protection against viruses in Linux is knowledge of your system and the software you put on it. I myself paid little attention to security and log files on a very small Linux server until it was cracked, and now I know far more about Linux security than I did before. The same applies to viruses, we will be most vulnerable if we aren't looking for them, especially new Linux users who enjoy doing everything as root. To say that there won't be Linux viruses is foolish, because crackers will do whatever they percieve as challenging or worthwhile. Because it can be done, it will be done, it's inevitable.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
Hey, you should work for Mozilla, I've heard they've got a couple bugs they need to work out still. Open Source just makes KILLING bugs easier, it doesn't mean there are less bugs, it means bug-killing is a faster and more efficient process....Many eyes...etc
"Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
Back in the seventies, Dennis Ritchie (father of "C") created a Trojan Horse that he slipped into one of the early UNIX releases at Bell Labs. It involved the C compiler recognizing that it was compiling login.c (the kernel routine for user logon) and added code to it to allow a back-door entry. But this was just a bootstrap. The real cleverness was to create a binary of the compiler that recogognized it was building the compiler, in which it inserted code to recognize login.c (and, of course, to insert itself in the new binary). Now despite a source distribution, the Trojan Horse was able to be distributed in a "source" distribution.
I'm not saying that some programs you want to run don't work, I'm just saying that sometimes I get tired of having to install forty-eleven new packages just to get a damned ICQ client to run.
Maybe this is part of the reason why viruses find Linux such an inhospitable environment. Most Windows boxes have a common set of code running on them. On a Linux box, a virus can't assume anything--there are many kernel versions, many different shells, mail clients, etc. Libraries vary from machine to machine, if a virus needs a certain lib to work, that lib may not even be installed, or it may be the wrong version.
For what it's worth, if you can't get a package (RPM, whatever) to install because of dependencies, you can always download the source and build the program yourself. Package managers expect to find specific library versions, but the build system included with most GNU and other OSS does a little bit more work to find the libraries the code calls for. Often, when you run the configure script, if you don't have a required library, or if you have the library but it's too old to work, you'll get a nice message explaining that the lib needs to be a certain rev or later, and maybe even a URL for the latest version.
I rarely use RPMs anymore, simply because it's much easier to build the programs I need myself. Try it, you might like it.
slashdot broke my sig
That only works if /usr/bin comes after $HOME/bin in your path, which it should not. Any paths that are user writable should be at the END of your $PATH, including ./
I read the internet for the articles.
(Though obviously this would be pretty easy to spot if you were paying attention. But would you notice something called "vi" in your home directory?)
On a properly configured system, it's not a problem. The search path should NEVER include current directory, and if you have a ~user/bin, it should be last. In that case with your scenario, the real vi will be executed, and the fake one will just gather dust until you notice it's existance and rm it.
Then they will learn. Not a nice lesson.
That reminds me of a newbie howto I once read. It went step by step through installing Slackware. It was written for someone with no Unix experiance.
Step ten: Your Linux system is now installed. Still running as root, type cd /; rm -rf.
Step 11: Now you know why you should never just type what someone tells you to when you are root unless you KNOW what it will do. Go back to step 1.
One of the points mentioned is that under Linux, most people download and compile source code rather than fetching binaries. Is this still the case? I suspect that many people these days would download RPMs and install them (as root, nonetheless!) instead. Theoretically, sneaking an infected RPM for something cool/sexy (a first-person xbill variant or a Star Wars screensaver should do) onto a contrib site could infect a lot of systems as root.
.tar.gz) sent. Or one could take a leaf out of Ken Thompson/Dennis Ritche's book and modify the C compiler (or linker) to insert extra code.
Of course, most RPMs are downloaded from a central server, not traded or swapped on BBS-like local sites, which makes it harder. Such a RPMed exploit could possibly do other things, such as dynamically patch files sent by ftpd/httpd and infect any executables (standalone or in
Or one could just be unimaginative and modify tcpd to contain a remotely-activated 'sleeper' denial-of-service client or backdoor root shell.
And yet methinks perhaps the article should have been moderated "Reduntant". This is all things we have heard before. In fact most of it sounds word for word exactly like other "linux virus" posts we've seen here. We all know it's harder to infect Linux/Unix, but they are open to other, more isidious ailments. The "Great Internet Worm" didn't infect windows machines, hell there were NO windows machines when it came out, and it brought the net to it's knees. Every environment has it's weakness, viruses just happen to NOT be one of Linux's.
eh...that was rambleing...note to self, don't take support calls and post to slashdot at the same time...
Sgt Pepper
You say that Mutt makes you immune from a Melissa-style virus. All the Melissa approach needs to succeed is to trick enough users into running an executable so that it spreads faster than it dies. So all I have to do is to compose a message that will trick, say, 1/10 of the Linux users into running it, if on average each execution will send out more than 10 copies. The program would search for your aliases, as stored by mutt, elm, Netscape's mailer, or whatever, and send them all a message.
If a message that appeared to come from your best friend (and, in fact, it would be from your best friend, if he were suckered) told you to run a program, would you run it? If so, the Melissa approach would get you, whether or not you use Mutt.
>My. arent WE superior? Let's just classify
>EVERYONE who writes code for ALL flavors of M$ OS's as ignorant savages.
My, did I hit a nerve here? Are you a Windows programmer?
>After all, it's self evident that if you don't design single user apps for single user machines
>as if they were meant for multiple users on servers you MUST be a moron.
Not my point. There are some nice single-tasking OSes out there -- Palm OS is one that comes to mind. Straightforward, doesn't leak memory. Nice work -- especially when you consider the OS was written by a handful of people while Microsoft was throwing dozens of people at their WinCE project.
But the Palm OS is designed to run for months without a reset or reboot. So you can't have memory leaks.
I'm talking about Windows NT/2K -- last I heard, MS said it was a server OS. Servers run multiple processes for multiple users, so I'd assume that this environment is multi-user & multi-tasking. But then, I think I'm superior -- according to you, & MS software shouldn't be expected to do so much.
Why MS can't write a reliable OS -- or applications for one -- with all of these qualities baffles me. They had access to the technology -- they wrote Xenix, & Dave Cutler was the project Manager for VMS before he led the NT group. They have the money to hire good programmers with experience in this kind of environment. I would think they could make NT just as reliable.
And what ought to stick in the craw of any Windows programmer is while the coders at Redmond are being paid to do it right, a bunch of amateurs without access to the technology figured out how to do it in their spare time. Based on these facts, I'd say that writing a reliable multi-tasking, multi-user OS is not rocket science any more. So why CAN'T Microsoft write better software?
>All I can say to that is: You flunked engineering economics, didn't you?
And your point is?
Here's a clue: a person makes better sense if they write sober & straight. Try it next time.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Not meant as flamebait here, but it's hard enough getting the programs you WANT to run sometimes, I can't imagine that many viruses would be able to get themselves up and running without copious amounts of user stupidity.
I'm not saying that some programs you want to run don't work, I'm just saying that sometimes I get tired of having to install forty-eleven new packages just to get a damned ICQ client to run.
---
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
It's still not likely to be a successful attack for many people.
The public considers a virus any program that would wreak havoc on a large number of people.
Okay, let's say I uploaded something to freshmeat that contained a makefile with the instruction
rm -rf *
somewhere inside. It would impact the first few people who downloaded it, sure. But in no time at all, the file would be pulled from freshmeat and a report posted on Slashdot and other news sites.
I'd say the maximum potential for that one is a few hundred people being affected, peanuts compared to any Microsoft Word-based virus.
D
----
Dude, chill.
Caldera (eDesktop) is aimed at the common desktop user with little or no Linux knowledge (I think). If that is a fact, it increases the odds for that distro to be a mis-managed Linux box. It's not personal. If anything it puts a burdon on Caldera's shoulders to do a good job and prevent this type of thing from happening.
If you do know some clueless RedHat people, let RedHat know, I hear they are hiring. Hehehe. Can't help it!
Bad Mojo
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
I agree and disagree with much of what you said, however there is one thing that I'd like to point out. Linux can be configured with security setup in such a way that viruses can't do damage, and perhaps most importantly, the (l)users can't do great damage. In other words, it is possible to setup a relatively secure linux workstation, such that the users or viruses actions are essentially irrelevant (granted, the user or "virus" might destroy that particular user's files, but there's always trivial backup onto non-user fs, and...that's another story). These workstations (assuming decent "office" applications ever emerge for Linux--and no, I don't believe Macros need to be turned on, or even exist, for the vast majority of users) could be setup in schools, offices, and other such organizations. I believe many viruses propogate within and from these places, by knocking that angle out of existence (atleast for the trivial virus), viruses will find it much harder to reproduce. Furthermore, Linux distributions (though most have shown utter carelessness thus far where security is concerned)could be configured in such a way that they're quite secure by default. If anything Mom and Pop may be less at risk, than the psuedo-educated computer user, who thinks he knows what he is doing, but in fact, opens up his system in a variety of ways by doing things manually (beyond the scope of the distributions' install).
I do think a proper multiuser OS, such as Linux, could substancially reduce costs both in IT, and most importantly, in employee downtime (e.g., less stupid rebooting, fewer user fuckups, etc.). As these applications get more and more complicated, the more necessary it will be to safeguard the user from himself (or other users from each other). Since MS doesn't seem to appreciate this, this a significant Linux advantage in a workstation setting (what is needed of course, as already mentioned, is decent applications. Not to mention possibly an improved UI, improved X, etc.).
People in these discussions don't seem to distinguish between malcicious code, and a virus.
A virus, is a program that spreads, often doing malicious things as it spreads.
It doesn't matter if the install portion of a makefile did an rm -rf, or something.. that won't spread! That's simply a case of malicious code.
And, considering that most people who don't know better, end up using distribution-packaged binaries, that won't ever be a problem in the near future.
Why should N hundred lines of source be safe, if users don't validate the source?
What if the latest version of Emacs, or GNOME, or Apache got infected with a very small, innocuous alteration? Say, along with the above programs, the source compiled a slightly different version of man or ps, or even ftp?
What if these small programs are themselves fairly innocent, except that they start to modify other makefiles or source files, to continue to subvert the system? Changing a shell, for example, to do key logging? Piggybacking on top of FTP or telnet to actually transmit information back and forth, hidden among actual legitimate transfers? Activating only when the user runs 'find' or something, to hide among the already expected disk activity? Editing 'ls' and 'chmod' to misrepresent user access?
Little things that take a while to propogate(and to catch) that, as a whole, seriously weaken the system?
-AS
-AS
*Pikachu*
Why can't a virus spread via source?
IE, in the source is a small hidden changed 'ls' or 'gzip' or 'tar'.
When it's compiled and installed, you get 'for free' a modified gzip. And this gzip, when used, will start inserting patches into source files, when it finds Makefiles.
And these patches, for example, will start to modify 'ftp', and piggyback info spread onto normal FTP usage. Modify a shell program, to get more access to the system. Modify 'find' to get more information for viral programs to use. Modify 'httpd' programs to start collecting more info and stats. Modify 'ls' to misrepresent info to the user. Modify 'chmod' to change permissions on key files.
Dunno about being destructive. Virii don't need to be destructive, and are less likely to be caught if they aren't, I think.
-AS
-AS
*Pikachu*
Firstly, it should try to insert itself into makefiles; some small, innocuous program the gets compiled and created and installed whenever make/gmake/gnumake gets called.
Perhaps it will replace a local utility, small, like ps or something.
Act just like PS, but have a sister program that starts to modify the other binaries. Say, like the way you can socksify certain programs. Or it will modify scripts. This program will edit/modify scripts in minor ways to call another program, like man, which to the user looks and acts like man, but when called in a certain way, will do something else.
How will it spread? Perhaps it should also infect the FTP or telnet programs.
But when it gets to the other side, it prolly won't have root privledges. Perhaps it will actually insert itself into any binary program the FTP file touches? Or into any scripts(perl, shell, or whatnot)?
And then it starts all over again.
The destructive part isn't as interesting, to me ^^
Does this work or sound plausible?
-AS
-AS
*Pikachu*
gzip, ftp, ps, man, etc, don't change enough, and aren't sexy enough, I don't think, for people to check up on it.
Apache, emacs, whatever, will compile cleanly and safely, then. Nothing will be different. Perhaps by searching the source, they may find the discrepancy... but not by looking at the binaries. So the source would compile and provide the new 'hacked' ps, ls, man, whatever. And those programs, when used, would start to weaken the system.
What you're arguing is not the safety or security of the OS/system. I don't know that the system is safe against a distributed viral infection.
-AS
-AS
*Pikachu*
Seriously though, I know very almost nothing about writing virus programs, only a moderate amount about writing and compiling binary programs for Linux, but I still could have written this whole article just by reading and re-packaging parts of the better posts from a previous Slashdot discussion on this exact subject.
Which is why I continue to read and post to /. myself -- in spite of all the trolls, off-topic posts, flames, and other crap, this is still one of the best discussion resources on the web. As long as I continue to read and learn from y'all, I'll keep coming back, and hopefully occasionally have something to add to the commentary.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
There was one, of a sort. Once upon a time, vi read a
Emacs and XEmacs still have the potential for macro-type viruses as they can be configured to run arbitrary lisp code in files being edited. It isn't the default to do this any more, but it used to be.
No. A makefile containing that is not a virus. It's a trojan, at best. How exactly, does it spread?
I believe you see a contradiction where there is none.
The way Word, for example, handles macros is the problem. Mainly, it masks the presence of the macro. Unless you go specifically looking for that macro, you won't notice it.
This won't happen with our C source these days. Certainly, you could have a virus that scanned for source, programmed itslef in, and waited to be compiled, but this would still present a rather hostile environment. IT still requires manual intervention in order to propagate.
Now, perhaps if we all used a high-level IDE for our programming and builds, that was automated with numerous build-macros and such, a virus would have a chance.. but we don't.
The key, I think, is automated process. IF a process can be automated, it is a good environment for a virus. If it's manual, it's not.
I agree with your comments on Linux being a diverse environment, but actually, Windows is just as bad or even worse. There are many versions of Windows and many versions of all of the system libraries.
That's why Windows programs need installers - just to update all the system DLL's to a known level and make sure the missing pieces get installed. And even then it doesn't always work.
And it's not easy to write code that doesn't depend on up-to-date DLL's - especially for virus writers at the "script kiddie" level.
Torrey Hoffman (Azog)
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
There's only one problem, many applications require root permissions for installation. So during installation of software, the virus can do it's thing.
.exe file to someone under windows).
But even without root permission a rm -rf on the user's home directory can be pretty annoying.
As the article noted however, replication is the real obstacle for a linux virus. Most linux users either install from CD or download from a well known ftp site. It is quite uncommon to mail somebody a rpm with a cool application (which would be the equivalent of sending an
Jilles
That's not a problem. What is "a user" doing being able to write into a directory in root's PATH ? If you allow that kind of thing, you get your just desserts ;]
You've also got the solution: PAY ATTENTION. If you're only running your own box at home, sure you can get away with anything you like. Try scaling that up to a small work-group in e.g. in a university, and you're effectively being paid to be awake...
~Tim
--
Rushing on down to the circle of the turn
yes, yes.. another non-virus writer standing up and declaring that viruses are "impossible" based on no real evidence. The fact that this author cant name any existing linux viruses shows that he has done no research. Microsoft did this too. When win95 came out they sited many things that made viruses impossible (the lack of interrupts to hook) on win95. This fueled the fire and encouraged people to write viruses. People who understood the nature of computer viruses and computer virus writers laughed at Microsoft and declared that win95 viruses would be written and may even be more popular than dos viruses. They were right. Are we now going to hear the same old thing from linux advocates?
How we know is more important than what we know.
... that the obstacle to Linux viruses, that the security model prevents them from infecting most programs, is also present in Windows 2000. I notice that on my Win2K machine, by default, pretty darn near everything but documents is tagged read-only to users.
Of course, I never noticed this before, because I run with administrator priveleges all the time... The biggest problem with Windows these days, IMHO, is that installing new software is too invasive. Anyone who has enough access to install software has enough access to spread a virus. (Whereas in UNIX, any user can just stick an executable in his own directory, without affecting anyone else.)
MSK
Perhaps it's because this is non-information. A Linux virus is possible if built-in protection mechanisms are ignored. When reading these virus descriptions, you'll find that the method of infection is just like the method of infection for Windows binaries: the executable must be modified. If you set all your executables with read-only attributes and the owner and group to something other than a user account, then the executable cannot be infected by a non-privileged rogue program.
Of course any executable file format can be abused to make viruses possible if you allow unrestrained write access to the executables. On Linux, the likelihood of viruses is a configuration issue. The built-in protection mechanisms are there, but they have to be used.
User downloads a binary. User runs it. Code in the binary attempts to write a program called 'ls' or 'rm' or 'make' something similar in any obvious place it has rights to.
Some time later, user su's to do maintenance. User types 'ls' or 'rm' or 'make'. System files are now infected.
Now obviously that is not as simple as getting into Windows system files, but it isn't "nigh-on impossible", either.
(Though obviously this would be pretty easy to spot if you were paying attention. But would you notice something called "vi" in your home directory?)
su /etc/inetd.conf
vi
The cake is a pie
Just edit /etc/passwd and /etc/shadow. Add another user, give the new user UID 0, change UID for root to something else, and you are done. root, by default has UID 0. Don't need to change the source for this :). Just dont forget the password for the renamed root :).
I can throw myself at the ground, and miss.
Q1. How can I rename root? (I want to install a 'fake' root on my system. I do this with NT :) It won't stop the determined hacker, but its enough of a smoke screen.
Q2. Does root always have user id zero? What part of the source can I change to remove this hard-coded number? (Yes I'm aware that many things would break.)
For a great site on securing your Linux system check out the TrinityOS FAQ
http://www.ecst.csuchic o.edu/~dranch/LINUX/index-linux.html
Cheers
The famous 'Internet worm' created by Robert Morris Jr. in 1988 exploited a bug in the standard SENDMAIL program available on practically all *NIX machines. Granted, that was 12 years ago, and the points in the article are well taken, but the case of the Morris Worm should remind us that open source is not completely immune from very strong virus strains.
The only virus I ever heard of infecting a *nix system is an incompetent sysadmin...we all know there's enough of them
I know for a fact that you are wrong in that regard. At least a year or 2 ago I heard that something called the bliss virus infected several linux systems. Apparently it did some form of infection mechanism on non protected binaries. You could also (with a command line option) disinfect the files that were infected. The author said that he/she would release the source at some future date but I never saw it. In general most people who run linux are not the type that just run some random binaries.
Slashdot social engineering at it's finest
One of the major reasons for there being a distinct lack of linux viruses is that by and large, it will most likely only be executed by a local user as themselves, therefore spreading to system binaries is nigh-on
impossible.
Wish I could do that. I am truely running out of disk space and have to routinely have to use the 10% space margin that is on the filesystem and is "reserved" for root just to get things done.
Slashdot social engineering at it's finest
Most of the newbies running as root will admit that they've read the UNIX sysadmin guides that say never run as root. They generally utter some inanity like "... but I like having full control over my system." This usually lasts until their feet collect one or two large bullets and then they stop running as root. I liken this phase to the prepubescent one where you collect all the pirated programs you can get your hands on. Most people grow out of it.
As for infecting user space, anything a virus does in your home directories is going to be a lot more noticable. Its means of propigation are greatly limited compared to a similar DOS machine (I've seen DOS virusses that try to infect your boot sector when you put an infected floppy in the drive.) If it goes on a rampage and starts deleting things immediately, the user's likely to notice. As this article says, Linux is inhospitable to virusses. That's not to say we might not see a successful one, but it'd take quite a feat -- if I were working on a strategy for one, I'd go for infecting the GCC compilers of some major distribution.
That's not to say Linux doesn't have its problems -- you're much more likely to be taken over by script kiddies than you are to get a virus. Most distributions pay no attention to security at all, making this far to easy. We should really focus on the big problems here today rather than the ones that may be there tomorrow.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Ok so looking at viruses in Biological terms...
:)
If it can't propagate faster than death rate...
it wont survive. Then I guess one might say that
Linux and orther Unix systems have healthy
immune systems...
which would mean... Windows has no immune system
whatsoever (unless you purchase one sepratly).
Or even better... you could look at the Virus
scanners as Antibiotics....constantly feeding
the windows machine antibiotics (I know not a
perfect analogy since antibiotics are more
apropriate for bacterial infections) which cause
the pathogens to die off...all except the
strongest ones which then have free reign to
propagate until a better antibiotic is made.
Oh yes...I like this set of anaolgies alot
"I opened my eyes, and everything went dark again"
This nightmare scenario doesn't need to carry around native viruses for every platform. All we need is an inherently cross-platform scripting language and that's already there (in vague theory) -- VBA. The only thing keeping us from cross platform doom is Micorosft bugginess -- fortunately that's one of the world's more reliable bits of unreliability.
Reduced to its essentials, the problem with Windows is the non context-sensitivity of the command shell associations.
I can't do much if the shell doesn't execute executables, and I'd really like it to automatically execute Perl scripts. OTOH, my email or news client really shouldn't need to do either of these things (or very infrequently). A big and glaring hole on a typical Windows box is that is has poor facilities to tell the difference between these instances.
How far would Happy99 get if every email client had the sense to say, "This is an executable. I know what I could do with one of those, but trust me, you really don't want to be doing that." ?
The worst case of this is Remote Scripting, and the idea that letting VBScript out of the browser's sandbox and onto an unlimited command shell could ever have been a good thing.
I have this mental image of the woodwork shop at Redmond, "Hey Dude, what's that ?"
"Yo, it's a chainsaw. I hear they're made for doing stuff with trees, but I think it would be really cool to try juggling them"
"Cool! Let's do it".
I really don't know if Microsoft ever think before they build some of these idiot holes. Wasn't it obvious how broken some of them were ?
That's not correct at all. Evolution doesn't use viruses to limit large populations -- that implies that, on at least some level, evolution has some degree of planning to it. Evolution, in reality, doesn't plan at all. You're born, and if you've got the "right stuff", you get to survive long enough to reproduce, otherwise you're dead. That's how evolution works.
However, viruses might be more more prevalent in a large population because there are more hosts to infect (thus it's easier to survive). Also, with the increased number of hosts, it's easier to spread from one host to another, thus making survival easier yet again.
Thus you can use evolution to explain the larger number of viruses in a larger population, but not in the way you originally did.
Actually, there was (and still is) something similar to what you're talking about, but not on a distribuited basis. It's called "core wars". People would write programs in assembler and try to have one program kill the other one. Even though I'm not a coder, it sounds like fun.
For a little more info, check out the entry for "core wars" in the Jargon File.
The big Linux vulnerability is that too much stuff runs as root. One buffer overflow vulnerability in a set-UID program and the attacker is in. Then they install a Linux root kit, and it takes a huge effort to clean up the system. Since Linux normally has a telnet daemon, it's remote controllable out of the box. You don't even need something like Back Orifice.
UNIX is not a secure operating system. Linux is not a secure operating system. Nothing Microsoft makes is a secure operating system.
Somebody mentioned EROS. It's not really finished, and even if it was, you'd need applications for it. What's really needed, I think, is something with capabilities like EROS, a high-performance, secure CORBA-like model of interprocess communication, and support for high-volume transaction processing in the CICS sense. Then you'd need to tear apart things like BIND and Apache into a number of mutually mistrustful components. User-initiated transactions would run as separate processes, like CGI programs, but would launch faster using a CICS transaction model.
Oh, and you need a decent security model. For example, in a real secure system, there's no "root". If you're doing administration functions, you can only run a few trusted administration programs.
There are no effective Linux Virus in the wild is because everyone who is capable of writing one, is too busy writing virus for Windows.
---------------------------------------------
Jesus died for somebodies sins, but not mine
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
However there is no guarantee this will always be the case. As a programmer I appreciate the apps I use having the ability to be scripted, and this is the first step down a dangerous path. My text and graphics editors, vim and gimp, both have built-in scripting languages, which is the same feature that has made MSWindows office apps so vulnerable to viri.
I think the important distinction is that none of the apps I use under Linux look for script code in their documents. This means I can't send you a gimp image with a little plug-in to help you make your own similar image. I can't send you a text file with special scripted abilities for vim as I can with MS Word. If I want to give you these scripted capabilities, I must send a seperate file that you must treat differently than a normal document file. This is the key point, and we should keep this in mind when adding features to any applications that we work on.
The danger is not as distant as you might think. The power and ease-of-use provided by this sort of feature makes it difficult to resist. For example, vim allows a special line to be embedded in a text file that gives it direction on how to display the text (tab settings and such). As long the vim group is very, very careful to make sure that there is no way to drop into the full-featured scripting language through this feature, we are still safe, but this is a tricky line to walk.
--Chouser
--Chouser
"To stay young requires unceasing cultivation of the ability to unlearn old falsehoods." -LL
For example, my favorite email client, mutt, has absolutely no chance of propogating a Melissa-style virus.
/etc/mailcap. I think mutt had a workaround until mailcap was fixed, but I don't know whether that workaround was just preemptive caution or whether mutt was vulnerable too.
Are you sure? Even pine was exploitable once via a bug in
Although, technically, this isn't a "Melissa-style virus". Melissa required you to open a word file. The mailcap exploit would have just required you to read your mail.
The first damaging Linux virus won't be spread by infected warez or email trojans run by clueless users. It'll be a simple root exploit that propagates itself.
If you're running a promiscuous system of network daemons (and too many people are: I'd wager the ratio of people running imapd to people who need to be running imapd is 100+) then you're probably susceptable to a new root exploit every year or so. If you don't update your system regularly (and that probably includes every newbie Linux user) then you stay susceptable for a long time. If you fit both those categories, then you're a target; and since most newbies installed a distribution whose default configuration has everything turned on, there are a big pool of targets out there.
There was a worm that used the imapd exploit, something like a year after the exploit was discovered and fixed, and it still managed to do some damage. What happens when an aspiring young virus writer prebuilds the framework for a worm, then starts plugging in the exploit of the month and sending it out each time a new vulnerability comes out? If you're subscribed to a security list, using MandrakeUpdate or up2date, or otherwise keeping current, you're probably fine. If not... well, such a worm would find a lot of food.
And now that Linux is becoming a more tempting target (lots of cocky "Linux viruses are impossible" users out there, lots more cluebies to offend the l33t virus writers with their presence, lots more users on fat, useful cable modems or university connections, and just lots more users total), such a scenario becomes more and more likely.
It's going to happen. Somebody is going to write a badass virus for linux that's going to cause som e damage. The amount of damage is what's variable in my mind, not whether or not it will occur.
:) With that, like I said, it's pure ignorance, (or just blind platform advocating idiocy) to say that linux won't ever have a problem with virii.
:)
I think it would be incredibly ignorant of people here to think that a virus couldn't happen on linux, even if the system is well-defended against virii. Personally, i think one of the biggest things linux has going for it in the anti-virus arena is that it's so non-homogenous. Everybody talks about how wonderful windows is because it's consistent from machine to machine, but that's the same type of "feature" that makes it easy to write virii that spread quickly. The virus automatically "knows" what kind of machine it's on, and it can always assume a base level of functionality. Not so on linux, where you have everything from diskless workstations to development boxes that don't have daemons on them, to "production" servers that have daemons, but are missing some normal development tools. There isn't a baseline functionality the virus can assume.
Pretty much everybody on slashdot should know that anything is possible when it comes to a coder with too much time on his hands.
I forget the exact wording, but a quote on the l0pht's site comes to mind: "Making the 'theoretical' practical since 1995". Doesn't that say it all? Linux is a great system, and I love it as much as the next guy, but it's blind arrogance to say that it will never be susceptible to virii. I agree with this poster. Articles like this seem to want to poke the moster and yell "Haha - you can't crack my box!!!". As far as security is concerned, it's best to keep a low profile.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
. . . while under MS Windows, the programmer has apparent no interest in the user's welfare.
I'm not sure why this is, but the records points to several possible reasons:
1) Laziness. Does anyone here remember the history of the format command in DOS? Originally, it would format the current working disk by default -- in other words, if you typed ``format" at a C:\> prompt, it the C:\ drive & everything on it was history. This was a Known Problem for several revisions of DOS (I think it was fixed in 4.0, but it could have been as late as 5.0 before that was fixed), that forced the clued to do all sorts of interesting things (e.g., rename the command, delete the command, substitute another binary for this one) to keep the newbies from toasting their data.
2) Marketing Reasons. About the time Melissa first wreaked havoc, someone asked the folks at Microsoft why Active X was turned on by default. ``We consider that an important feature," was the reply. In other words, the questionable usefulness of embeding fonts & animations in a given email outweighed the clear risk of malicious code. Newbies want 3l373 + k3wl stuff, & will pay for the new revision; sysadmins are expected to wade thru the poor documentation to support these purchases.
3) Lack of skill. Microsoft got its start in the world of microcomputers, which barely had the horsepower to run one application at a time. (Yes, there were TSR applications, but they were a bug that creative non-Microsoftie hackers turned into a feature. And were the door that allowed computer viruses to get into the OS.) Programmers at MS wrote their OS & flagship applications before they had learn how to write software that shared computer resources with other applications or users. And as we saw in #1, unless absolutely forced to, MS programmers never went back & rewrote old code, so their flagship applications like Word, Excell & so forth still don't play nice in a multi-tasking, multi-user environment.
Actually, to say they ``don't play nice" is a misnomer: they don't know how to play at all with anything else in that environment. Not only do they fail to share resources, they don't know when these resources are unavailable -- or what to do if the same have been tainted by malicious code. And since the programmers who developed & maintained these older products never learned how to do this, the new programmers -- & the new products in multi-tasking, multi-user environments -- also fail to properly interact with other software in this operating space.
4. All of the Above. Accepting the validity of any one reason above does not exclude the others, AFAIK.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Yes, that was pretty funny.
But we should give RMS and JWZ et al their due: I have not lost even one byte of data using emacs or xemacs(*). I don't even remember the last time emacs crashed during an editing session. It's easily the most stable large program I've ever used.
Compare that to Microsoft Word, which I use about 1% of the time I use emacs or xemacs, and you'll cry.
D
(*) Okay, a slight exaggeration - I've probably lost 1k or so due to power outages that caused my machine to abruptly stop while I was editing. I can't blame that on emacs!
----
I recently installed Mandrake 7.0. OK I selected "paranoid", but I hope the following holds for all security levels: You are not allowed to log in as root. At all. Not even locally. The only way to gain root privilegies is to su. This is The Right Way. Hope that the other distros will follow...
I know of peoples who runs as root all the time...Perheaps I'l write them a viri just to prove them they are stupid... No, I won't they may spread it...
--The knowledge that you are an idiot, is what distinguishes you from one.
--The knowledge that you are an idiot, is what distinguishes you from one.
Of these, I'm skeptical of 1 and 3.
Is 1 still the case, as more and more people are learning Linux at home, with no experience of an actual mulituser UNIX system? Might'nt there be enough people routinely running as root these days to invalidate the barriers of Linux's design?
2 is perfectly reasonable, though--as others have already pointed out--there's nothing to keep that from changing in the future.
As for 3, isn't there a potential (I don't know if it's already been tried yet) for deceptive "open source" software with the binary not actually derived from the provided source? Folks who download and compile the source would be safe, but folks who download the executable get a nasty surprise.
Linux is not a good environment for viruses, but it's not impervious either. Even a half-assed capabilties system would greatly improve Linux virus security.
For example, how often do you use "su; make install"? That hands over full authority to do anything. It would not be all that hard to hide, say, literal strings of Perl bytecode in a deeply recursive make, that search all *.tar.gz|*.tgz files for just such a deeply recursive make and hide itself in the ones it finds (cryptic nonsense marked with cute yet unhelpful comments is nothing new to free software; if it was obfuscated to look like a cute piece of ASCII art, it might not even need to justify its existence as part of the project). Combine this with infecting key utilities, like gcc and make, and you've got yourself an annoyingly persistent and sneaky virus.
Even though it would be more useful to have a full capabilties system, like in EROS, a good "execute with permissions + limited capabilities" utility could prevent root-mode installation infections.
For example:capsdo -cu -wnf /usr/local/bin -cwd /usr/local/lib -c "make install" /usr/local/bin and create new directories to which it has full write access (-cwd) in /usr/local/lib (of course, it would require your root password to run). Not that this would be easy to write. It would have to sit between the app and the kernel, filtering actions.
meaning, run "make install" like current user (-cu), except that you can write new files (-wnf) to
Another way safety might be improved (at the admin level) is to create an "installer" group that has access to the "/usr/local" tree, and a new user in the group for each new installation; none of which gives write access for its files to any other user. A root utility could create and manage these psuedousers without bothering the admin. However, this would do nothing for holes like running SVGALIB games.
... and ports Office to Linux. Unlikely I know, but as the article hinted, one of the reasons viruses are a non-issue on Linux is because of the feature set of the typical application. Windows NT and 2000 have user-level security too, but they're still somewhat vulnerable because of things like Craptive, er I mean Active X, and the always entertaining Word and Excel macros.
I was wondering; Lotus 1-2-3 and WordPerfect have macros too, why didn't anyone ever write viruses for those?
Gamingmuseum.com: Give your 3D accelerator a rest.
These factors lead me to believe that we will see virus attacks. They can potentially be nasty, but they will be squashed rather quickly as well. I also have some theories about possible targets for the attacks that I don't want to publically discuss.
The net will not be what we demand, but what we make it. Build it well.
- Bad things happen more often to the clueless
- Linux users are supposedly less clueless than MS/Mac users
- Ergo: Less bad things happen to Linux users
Security is almost always a trade-off: Some people sacrifice some (or most) of it for every day convenience. (Yes it IS convenient to use the same system as the majority. It IS convenient to run as root. It IS convenient to simply run a binary) More security aware people don't.If more "average users" would turn to Linux, we would see more security holes provided for comfort, more binary-only programs, more handy macro script options and inevitably more viruses.
All opinions are my own - until criticized
For a single-user desktop environment, the less experienced user is the same which goes root to install new exciting packages just downloaded from a not-too-safe site. It would hep, if he could install 'not-safe' binary packages in 'user space'(e..g. a sub-directory of his home directory) and then, once he thrusts them, re-install in 'root space'.
Even if the virus successfully infects a program owned by the user, its task of propagation is made much more difficult by the limited privileges of the user account.
Even if it cannot (easily) spread using programs owned by root, it can damage user's files!
My 40 lire ( hopefully soon 0.2 Euro ) : Virus trives in computer user's ignorance. To fight the viruses, educate the computer users.
Ciao
----
FB
I read this earlier and it seemed pretty good. Sort of a rehash to most Linux savy people. But reading it over again is never a bad idea.
... one large issue that will cause problems for Linux as a client machine is that most people will be running as root. This sucks. I believe education is the best method to fix this but I'm fearful it will be bad education, not good. By that I mean that 100s of clueless caldera users or something will get some horid virus before someone says `Why were you running as root?' Then they will learn. Not a nice lesson. There may be better solutions out there (such as linuxconf style system configuration?), but as long as an end user views root as the easiest way to avoid permission issues, they will use it.
Anyhow
Don't expect to ever see serious server side Linux virus outbreakes, but end user Linux is a trojan horse waiting to happen, IMHO.
Bad Mojo
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
One of the major reasons for there being a distinct lack of linux viruses is that by and large, it will most likely only be executed by a local user as themselves, therefore spreading to system binaries is nigh-on impossible.
There are two threats to that, of course: (a) people start running every silly thing as root (which will rise the more of a "desktop OS" "linux" becomes) and (b) folks who hack cracking become virus writers and use exploits to propogate stuff around.
~Tim
--
Rushing on down to the circle of the turn
I thought I had a virus working in a popular text editing program. It bulked the application up to ludicrous amounts of memory space, made the whole thing unstable and made it impossible to get anything doe without typing in cramped and confusing strings of characters. Then a helpful friend reminded me that I was using emacs.
This is a pretty bad article IMHO. It is clearly meant as a rebuttal against what Garfinkle wrote. But it is pretty bad.
For a Linux binary virus to infect executables, those executables must be writable by the user activating the virus. That is not likely to be the case. Chances are, the programs are owned by root and the user is running from a non-privileged account. Further, the less experienced the user, the lower the likelihood that he actually owns any executable programs. Therefore, the users who are the least savvy about such hazards are also the ones with the least fertile home directories for viruses.
This describes the typical Unix situation, which is not the typical Linux situation. There, more people have installed their own system and have root priviliges. And the less savvy the user, the bigger the chance that the root user is the only account on the system.
Linux networking programs are conservatively constructed, without the high-level macro facilities....
Very true, but seconds later
Linux applications and system software is almost all open source. Because so much of the Linux market is accustomed to the availability of source code, binary-only products are rare and have a harder time achieving a substantial market presence. This has two effects on the virus. First, open source code is a tough place for a virus to hide.
Yeah right, so first it says that high level scripts may be a source of viruses, but then when you have source code (in e.g. Makefiles, highlevel), viruses are all of a sudden less likely. I am still afraid that I come into a Makefile someday that holds the line:
install: rm -rf /
Is this not a virus? If not, why is it a virus if a similar line is contained in some malicious Word macro?
No reason to worry about Linux viruses yet, but mostly because the platform is not popular enough to have a widespread effect (and this is the real lesson of zoology, viruses in nature are mostly used by evolution to limit large populations. This is why there are mostly Windows viruses; evolution wants to limit its growth).
There's little in Linux to keep application level viruses, like those enabled by Microsoft Innovations and intra-application macro languages, to pummel their users work.
;)
Open source kills bugs DEAD! But folks who insist on distributing compiled versions of their code apparently do not want the advantage of infinitelly shallow bugs, and virus protection to boot.
The article points out that access protection keeps a virus confined within the user(s) that initially bring it onto the system. As Linux becomes more and more popular, new users running as root will multiply, making the installed Linux base more prone to virus infection from compiled wizz-bang apps that newbies will download.
New users may run as root because they don't know any better. They don't have to learn about access protection, chmod, or other UNIX complexity.
rm -rf works and there's no doubt, when you run as root.
Slightly less than new users run as root for the illusion of competency. This is where the danger lies. Arrogance is harmful until you have the experience to ack it up. Then it becomes confidence, and pride no longer requires running as root always, just to tweak a config file sometimes.
For the record, Linux DOES suffer from one virus. GPL.
-- What you do today will cost you a day of your life.
There was a linux virus list at (might be down now)
http://virus.beergrave.net
it's owner has several interesting (low-level, assembler/C, ELF) documents with linux virusses and descriptions. Find them here:
http://www.big.net.au/~silvio
Also, there's a linux virus at
http://www.mixter.org
For more low-level linux stuff go to
http://hculinux.cjb.net
*borkborkbork*
Articles such as this are only fuel to the virus writing fire. The more people keep daring crackers and virus writers that this is not possible, the closer you get to a virus epidemic. If that happens, it will be a huge disservice to the growing popularity of the amazing OS that is Linux.
of course I'm all for writing about virus warnings, technical consideratiosn and the sort, but, IMHO, we must keep our tone down and speak with humility. Not even suggest for a minute that a successful linux virus is not possible. The ability of humans to do the impossible is a big part of the reason why linux exists, and to be honest, i started using linux BECAUSE most people (used to) think it would fail.
i personally think the open source movement, and the whole linux fenomena, is a serious and professional one, and unless treated that way will probably fall for the same reasons other venues are falling today (that is if you, like me, think that windows won't last that long). If more serious consideration would have been given to viruses when they first showed up (not mainstream), windows would probably be much more protected against them than it is (but then again, maybe not. thanks bill).
anyway, that's just my $0.02
There are two kinds of people in the world: Those with good memory.