Slashdot Mirror
The Short Life And Hard Times Of A Linux Virus
Sun Tzu writes, "There are several reasons for the non-issue of the Linux virus. Most of those reasons a Linux user would already be familiar with, but there is one, all important, reason that a student of evolution or zoology would also appreciate ... The article is at sitereview.org. "
I'm not saying that some programs you want to run don't work, I'm just saying that sometimes I get tired of having to install forty-eleven new packages just to get a damned ICQ client to run.
Maybe this is part of the reason why viruses find Linux such an inhospitable environment. Most Windows boxes have a common set of code running on them. On a Linux box, a virus can't assume anything--there are many kernel versions, many different shells, mail clients, etc. Libraries vary from machine to machine, if a virus needs a certain lib to work, that lib may not even be installed, or it may be the wrong version.
For what it's worth, if you can't get a package (RPM, whatever) to install because of dependencies, you can always download the source and build the program yourself. Package managers expect to find specific library versions, but the build system included with most GNU and other OSS does a little bit more work to find the libraries the code calls for. Often, when you run the configure script, if you don't have a required library, or if you have the library but it's too old to work, you'll get a nice message explaining that the lib needs to be a certain rev or later, and maybe even a URL for the latest version.
I rarely use RPMs anymore, simply because it's much easier to build the programs I need myself. Try it, you might like it.
slashdot broke my sig
That only works if /usr/bin comes after $HOME/bin in your path, which it should not. Any paths that are user writable should be at the END of your $PATH, including ./
I read the internet for the articles.
(Though obviously this would be pretty easy to spot if you were paying attention. But would you notice something called "vi" in your home directory?)
On a properly configured system, it's not a problem. The search path should NEVER include current directory, and if you have a ~user/bin, it should be last. In that case with your scenario, the real vi will be executed, and the fake one will just gather dust until you notice it's existance and rm it.
Then they will learn. Not a nice lesson.
That reminds me of a newbie howto I once read. It went step by step through installing Slackware. It was written for someone with no Unix experiance.
Step ten: Your Linux system is now installed. Still running as root, type cd /; rm -rf.
Step 11: Now you know why you should never just type what someone tells you to when you are root unless you KNOW what it will do. Go back to step 1.
One of the points mentioned is that under Linux, most people download and compile source code rather than fetching binaries. Is this still the case? I suspect that many people these days would download RPMs and install them (as root, nonetheless!) instead. Theoretically, sneaking an infected RPM for something cool/sexy (a first-person xbill variant or a Star Wars screensaver should do) onto a contrib site could infect a lot of systems as root.
.tar.gz) sent. Or one could take a leaf out of Ken Thompson/Dennis Ritche's book and modify the C compiler (or linker) to insert extra code.
Of course, most RPMs are downloaded from a central server, not traded or swapped on BBS-like local sites, which makes it harder. Such a RPMed exploit could possibly do other things, such as dynamically patch files sent by ftpd/httpd and infect any executables (standalone or in
Or one could just be unimaginative and modify tcpd to contain a remotely-activated 'sleeper' denial-of-service client or backdoor root shell.
And yet methinks perhaps the article should have been moderated "Reduntant". This is all things we have heard before. In fact most of it sounds word for word exactly like other "linux virus" posts we've seen here. We all know it's harder to infect Linux/Unix, but they are open to other, more isidious ailments. The "Great Internet Worm" didn't infect windows machines, hell there were NO windows machines when it came out, and it brought the net to it's knees. Every environment has it's weakness, viruses just happen to NOT be one of Linux's.
eh...that was rambleing...note to self, don't take support calls and post to slashdot at the same time...
Sgt Pepper
You say that Mutt makes you immune from a Melissa-style virus. All the Melissa approach needs to succeed is to trick enough users into running an executable so that it spreads faster than it dies. So all I have to do is to compose a message that will trick, say, 1/10 of the Linux users into running it, if on average each execution will send out more than 10 copies. The program would search for your aliases, as stored by mutt, elm, Netscape's mailer, or whatever, and send them all a message.
If a message that appeared to come from your best friend (and, in fact, it would be from your best friend, if he were suckered) told you to run a program, would you run it? If so, the Melissa approach would get you, whether or not you use Mutt.
>My. arent WE superior? Let's just classify
>EVERYONE who writes code for ALL flavors of M$ OS's as ignorant savages.
My, did I hit a nerve here? Are you a Windows programmer?
>After all, it's self evident that if you don't design single user apps for single user machines
>as if they were meant for multiple users on servers you MUST be a moron.
Not my point. There are some nice single-tasking OSes out there -- Palm OS is one that comes to mind. Straightforward, doesn't leak memory. Nice work -- especially when you consider the OS was written by a handful of people while Microsoft was throwing dozens of people at their WinCE project.
But the Palm OS is designed to run for months without a reset or reboot. So you can't have memory leaks.
I'm talking about Windows NT/2K -- last I heard, MS said it was a server OS. Servers run multiple processes for multiple users, so I'd assume that this environment is multi-user & multi-tasking. But then, I think I'm superior -- according to you, & MS software shouldn't be expected to do so much.
Why MS can't write a reliable OS -- or applications for one -- with all of these qualities baffles me. They had access to the technology -- they wrote Xenix, & Dave Cutler was the project Manager for VMS before he led the NT group. They have the money to hire good programmers with experience in this kind of environment. I would think they could make NT just as reliable.
And what ought to stick in the craw of any Windows programmer is while the coders at Redmond are being paid to do it right, a bunch of amateurs without access to the technology figured out how to do it in their spare time. Based on these facts, I'd say that writing a reliable multi-tasking, multi-user OS is not rocket science any more. So why CAN'T Microsoft write better software?
>All I can say to that is: You flunked engineering economics, didn't you?
And your point is?
Here's a clue: a person makes better sense if they write sober & straight. Try it next time.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Not meant as flamebait here, but it's hard enough getting the programs you WANT to run sometimes, I can't imagine that many viruses would be able to get themselves up and running without copious amounts of user stupidity.
I'm not saying that some programs you want to run don't work, I'm just saying that sometimes I get tired of having to install forty-eleven new packages just to get a damned ICQ client to run.
---
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
It's still not likely to be a successful attack for many people.
The public considers a virus any program that would wreak havoc on a large number of people.
Okay, let's say I uploaded something to freshmeat that contained a makefile with the instruction
rm -rf *
somewhere inside. It would impact the first few people who downloaded it, sure. But in no time at all, the file would be pulled from freshmeat and a report posted on Slashdot and other news sites.
I'd say the maximum potential for that one is a few hundred people being affected, peanuts compared to any Microsoft Word-based virus.
D
----
Dude, chill.
Caldera (eDesktop) is aimed at the common desktop user with little or no Linux knowledge (I think). If that is a fact, it increases the odds for that distro to be a mis-managed Linux box. It's not personal. If anything it puts a burdon on Caldera's shoulders to do a good job and prevent this type of thing from happening.
If you do know some clueless RedHat people, let RedHat know, I hear they are hiring. Hehehe. Can't help it!
Bad Mojo
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
I agree and disagree with much of what you said, however there is one thing that I'd like to point out. Linux can be configured with security setup in such a way that viruses can't do damage, and perhaps most importantly, the (l)users can't do great damage. In other words, it is possible to setup a relatively secure linux workstation, such that the users or viruses actions are essentially irrelevant (granted, the user or "virus" might destroy that particular user's files, but there's always trivial backup onto non-user fs, and...that's another story). These workstations (assuming decent "office" applications ever emerge for Linux--and no, I don't believe Macros need to be turned on, or even exist, for the vast majority of users) could be setup in schools, offices, and other such organizations. I believe many viruses propogate within and from these places, by knocking that angle out of existence (atleast for the trivial virus), viruses will find it much harder to reproduce. Furthermore, Linux distributions (though most have shown utter carelessness thus far where security is concerned)could be configured in such a way that they're quite secure by default. If anything Mom and Pop may be less at risk, than the psuedo-educated computer user, who thinks he knows what he is doing, but in fact, opens up his system in a variety of ways by doing things manually (beyond the scope of the distributions' install).
I do think a proper multiuser OS, such as Linux, could substancially reduce costs both in IT, and most importantly, in employee downtime (e.g., less stupid rebooting, fewer user fuckups, etc.). As these applications get more and more complicated, the more necessary it will be to safeguard the user from himself (or other users from each other). Since MS doesn't seem to appreciate this, this a significant Linux advantage in a workstation setting (what is needed of course, as already mentioned, is decent applications. Not to mention possibly an improved UI, improved X, etc.).
People in these discussions don't seem to distinguish between malcicious code, and a virus.
A virus, is a program that spreads, often doing malicious things as it spreads.
It doesn't matter if the install portion of a makefile did an rm -rf, or something.. that won't spread! That's simply a case of malicious code.
And, considering that most people who don't know better, end up using distribution-packaged binaries, that won't ever be a problem in the near future.
Why should N hundred lines of source be safe, if users don't validate the source?
What if the latest version of Emacs, or GNOME, or Apache got infected with a very small, innocuous alteration? Say, along with the above programs, the source compiled a slightly different version of man or ps, or even ftp?
What if these small programs are themselves fairly innocent, except that they start to modify other makefiles or source files, to continue to subvert the system? Changing a shell, for example, to do key logging? Piggybacking on top of FTP or telnet to actually transmit information back and forth, hidden among actual legitimate transfers? Activating only when the user runs 'find' or something, to hide among the already expected disk activity? Editing 'ls' and 'chmod' to misrepresent user access?
Little things that take a while to propogate(and to catch) that, as a whole, seriously weaken the system?
-AS
-AS
*Pikachu*
Why can't a virus spread via source?
IE, in the source is a small hidden changed 'ls' or 'gzip' or 'tar'.
When it's compiled and installed, you get 'for free' a modified gzip. And this gzip, when used, will start inserting patches into source files, when it finds Makefiles.
And these patches, for example, will start to modify 'ftp', and piggyback info spread onto normal FTP usage. Modify a shell program, to get more access to the system. Modify 'find' to get more information for viral programs to use. Modify 'httpd' programs to start collecting more info and stats. Modify 'ls' to misrepresent info to the user. Modify 'chmod' to change permissions on key files.
Dunno about being destructive. Virii don't need to be destructive, and are less likely to be caught if they aren't, I think.
-AS
-AS
*Pikachu*
Firstly, it should try to insert itself into makefiles; some small, innocuous program the gets compiled and created and installed whenever make/gmake/gnumake gets called.
Perhaps it will replace a local utility, small, like ps or something.
Act just like PS, but have a sister program that starts to modify the other binaries. Say, like the way you can socksify certain programs. Or it will modify scripts. This program will edit/modify scripts in minor ways to call another program, like man, which to the user looks and acts like man, but when called in a certain way, will do something else.
How will it spread? Perhaps it should also infect the FTP or telnet programs.
But when it gets to the other side, it prolly won't have root privledges. Perhaps it will actually insert itself into any binary program the FTP file touches? Or into any scripts(perl, shell, or whatnot)?
And then it starts all over again.
The destructive part isn't as interesting, to me ^^
Does this work or sound plausible?
-AS
-AS
*Pikachu*
gzip, ftp, ps, man, etc, don't change enough, and aren't sexy enough, I don't think, for people to check up on it.
Apache, emacs, whatever, will compile cleanly and safely, then. Nothing will be different. Perhaps by searching the source, they may find the discrepancy... but not by looking at the binaries. So the source would compile and provide the new 'hacked' ps, ls, man, whatever. And those programs, when used, would start to weaken the system.
What you're arguing is not the safety or security of the OS/system. I don't know that the system is safe against a distributed viral infection.
-AS
-AS
*Pikachu*
Seriously though, I know very almost nothing about writing virus programs, only a moderate amount about writing and compiling binary programs for Linux, but I still could have written this whole article just by reading and re-packaging parts of the better posts from a previous Slashdot discussion on this exact subject.
Which is why I continue to read and post to /. myself -- in spite of all the trolls, off-topic posts, flames, and other crap, this is still one of the best discussion resources on the web. As long as I continue to read and learn from y'all, I'll keep coming back, and hopefully occasionally have something to add to the commentary.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
There was one, of a sort. Once upon a time, vi read a
Emacs and XEmacs still have the potential for macro-type viruses as they can be configured to run arbitrary lisp code in files being edited. It isn't the default to do this any more, but it used to be.
No. A makefile containing that is not a virus. It's a trojan, at best. How exactly, does it spread?
I believe you see a contradiction where there is none.
The way Word, for example, handles macros is the problem. Mainly, it masks the presence of the macro. Unless you go specifically looking for that macro, you won't notice it.
This won't happen with our C source these days. Certainly, you could have a virus that scanned for source, programmed itslef in, and waited to be compiled, but this would still present a rather hostile environment. IT still requires manual intervention in order to propagate.
Now, perhaps if we all used a high-level IDE for our programming and builds, that was automated with numerous build-macros and such, a virus would have a chance.. but we don't.
The key, I think, is automated process. IF a process can be automated, it is a good environment for a virus. If it's manual, it's not.
I agree with your comments on Linux being a diverse environment, but actually, Windows is just as bad or even worse. There are many versions of Windows and many versions of all of the system libraries.
That's why Windows programs need installers - just to update all the system DLL's to a known level and make sure the missing pieces get installed. And even then it doesn't always work.
And it's not easy to write code that doesn't depend on up-to-date DLL's - especially for virus writers at the "script kiddie" level.
Torrey Hoffman (Azog)
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
There's only one problem, many applications require root permissions for installation. So during installation of software, the virus can do it's thing.
.exe file to someone under windows).
But even without root permission a rm -rf on the user's home directory can be pretty annoying.
As the article noted however, replication is the real obstacle for a linux virus. Most linux users either install from CD or download from a well known ftp site. It is quite uncommon to mail somebody a rpm with a cool application (which would be the equivalent of sending an
Jilles
That's not a problem. What is "a user" doing being able to write into a directory in root's PATH ? If you allow that kind of thing, you get your just desserts ;]
You've also got the solution: PAY ATTENTION. If you're only running your own box at home, sure you can get away with anything you like. Try scaling that up to a small work-group in e.g. in a university, and you're effectively being paid to be awake...
~Tim
--
Rushing on down to the circle of the turn
> The more experienced user understands that root
> is reserved for administrative tasks
Yes. But...
As with the HIV virus: The more careless people are getting HIV, the more the careful vulnable needs luck. Think bleeders here.
Even if clever crafted virii exists, they still have a hard time spreading. If we get more careless people in the community, we will see more infected system that are not careless maintained.
(If you don't know what I am talking about, let me ask you this: How did you check your source tar.gz last time you installed something? Oh, you saw the date stamps.)
:-) = I am happy
:^) = I am happy with my big nose
C:\> = I am happy with my OS
yes, yes.. another non-virus writer standing up and declaring that viruses are "impossible" based on no real evidence. The fact that this author cant name any existing linux viruses shows that he has done no research. Microsoft did this too. When win95 came out they sited many things that made viruses impossible (the lack of interrupts to hook) on win95. This fueled the fire and encouraged people to write viruses. People who understood the nature of computer viruses and computer virus writers laughed at Microsoft and declared that win95 viruses would be written and may even be more popular than dos viruses. They were right. Are we now going to hear the same old thing from linux advocates?
How we know is more important than what we know.
... that the obstacle to Linux viruses, that the security model prevents them from infecting most programs, is also present in Windows 2000. I notice that on my Win2K machine, by default, pretty darn near everything but documents is tagged read-only to users.
Of course, I never noticed this before, because I run with administrator priveleges all the time... The biggest problem with Windows these days, IMHO, is that installing new software is too invasive. Anyone who has enough access to install software has enough access to spread a virus. (Whereas in UNIX, any user can just stick an executable in his own directory, without affecting anyone else.)
MSK
Perhaps it's because this is non-information. A Linux virus is possible if built-in protection mechanisms are ignored. When reading these virus descriptions, you'll find that the method of infection is just like the method of infection for Windows binaries: the executable must be modified. If you set all your executables with read-only attributes and the owner and group to something other than a user account, then the executable cannot be infected by a non-privileged rogue program.
Of course any executable file format can be abused to make viruses possible if you allow unrestrained write access to the executables. On Linux, the likelihood of viruses is a configuration issue. The built-in protection mechanisms are there, but they have to be used.
User downloads a binary. User runs it. Code in the binary attempts to write a program called 'ls' or 'rm' or 'make' something similar in any obvious place it has rights to.
Some time later, user su's to do maintenance. User types 'ls' or 'rm' or 'make'. System files are now infected.
Now obviously that is not as simple as getting into Windows system files, but it isn't "nigh-on impossible", either.
(Though obviously this would be pretty easy to spot if you were paying attention. But would you notice something called "vi" in your home directory?)
su /etc/inetd.conf
vi
The cake is a pie
Just edit /etc/passwd and /etc/shadow. Add another user, give the new user UID 0, change UID for root to something else, and you are done. root, by default has UID 0. Don't need to change the source for this :). Just dont forget the password for the renamed root :).
I can throw myself at the ground, and miss.
Q1. How can I rename root? (I want to install a 'fake' root on my system. I do this with NT :) It won't stop the determined hacker, but its enough of a smoke screen.
Q2. Does root always have user id zero? What part of the source can I change to remove this hard-coded number? (Yes I'm aware that many things would break.)
For a great site on securing your Linux system check out the TrinityOS FAQ
http://www.ecst.csuchic o.edu/~dranch/LINUX/index-linux.html
Cheers
The famous 'Internet worm' created by Robert Morris Jr. in 1988 exploited a bug in the standard SENDMAIL program available on practically all *NIX machines. Granted, that was 12 years ago, and the points in the article are well taken, but the case of the Morris Worm should remind us that open source is not completely immune from very strong virus strains.
The only virus I ever heard of infecting a *nix system is an incompetent sysadmin...we all know there's enough of them
I know for a fact that you are wrong in that regard. At least a year or 2 ago I heard that something called the bliss virus infected several linux systems. Apparently it did some form of infection mechanism on non protected binaries. You could also (with a command line option) disinfect the files that were infected. The author said that he/she would release the source at some future date but I never saw it. In general most people who run linux are not the type that just run some random binaries.
Slashdot social engineering at it's finest
One of the major reasons for there being a distinct lack of linux viruses is that by and large, it will most likely only be executed by a local user as themselves, therefore spreading to system binaries is nigh-on
impossible.
Wish I could do that. I am truely running out of disk space and have to routinely have to use the 10% space margin that is on the filesystem and is "reserved" for root just to get things done.
Slashdot social engineering at it's finest
Most of the newbies running as root will admit that they've read the UNIX sysadmin guides that say never run as root. They generally utter some inanity like "... but I like having full control over my system." This usually lasts until their feet collect one or two large bullets and then they stop running as root. I liken this phase to the prepubescent one where you collect all the pirated programs you can get your hands on. Most people grow out of it.
As for infecting user space, anything a virus does in your home directories is going to be a lot more noticable. Its means of propigation are greatly limited compared to a similar DOS machine (I've seen DOS virusses that try to infect your boot sector when you put an infected floppy in the drive.) If it goes on a rampage and starts deleting things immediately, the user's likely to notice. As this article says, Linux is inhospitable to virusses. That's not to say we might not see a successful one, but it'd take quite a feat -- if I were working on a strategy for one, I'd go for infecting the GCC compilers of some major distribution.
That's not to say Linux doesn't have its problems -- you're much more likely to be taken over by script kiddies than you are to get a virus. Most distributions pay no attention to security at all, making this far to easy. We should really focus on the big problems here today rather than the ones that may be there tomorrow.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Ok so looking at viruses in Biological terms...
:)
If it can't propagate faster than death rate...
it wont survive. Then I guess one might say that
Linux and orther Unix systems have healthy
immune systems...
which would mean... Windows has no immune system
whatsoever (unless you purchase one sepratly).
Or even better... you could look at the Virus
scanners as Antibiotics....constantly feeding
the windows machine antibiotics (I know not a
perfect analogy since antibiotics are more
apropriate for bacterial infections) which cause
the pathogens to die off...all except the
strongest ones which then have free reign to
propagate until a better antibiotic is made.
Oh yes...I like this set of anaolgies alot
"I opened my eyes, and everything went dark again"
This nightmare scenario doesn't need to carry around native viruses for every platform. All we need is an inherently cross-platform scripting language and that's already there (in vague theory) -- VBA. The only thing keeping us from cross platform doom is Micorosft bugginess -- fortunately that's one of the world's more reliable bits of unreliability.
Reduced to its essentials, the problem with Windows is the non context-sensitivity of the command shell associations.
I can't do much if the shell doesn't execute executables, and I'd really like it to automatically execute Perl scripts. OTOH, my email or news client really shouldn't need to do either of these things (or very infrequently). A big and glaring hole on a typical Windows box is that is has poor facilities to tell the difference between these instances.
How far would Happy99 get if every email client had the sense to say, "This is an executable. I know what I could do with one of those, but trust me, you really don't want to be doing that." ?
The worst case of this is Remote Scripting, and the idea that letting VBScript out of the browser's sandbox and onto an unlimited command shell could ever have been a good thing.
I have this mental image of the woodwork shop at Redmond, "Hey Dude, what's that ?"
"Yo, it's a chainsaw. I hear they're made for doing stuff with trees, but I think it would be really cool to try juggling them"
"Cool! Let's do it".
I really don't know if Microsoft ever think before they build some of these idiot holes. Wasn't it obvious how broken some of them were ?
That's not correct at all. Evolution doesn't use viruses to limit large populations -- that implies that, on at least some level, evolution has some degree of planning to it. Evolution, in reality, doesn't plan at all. You're born, and if you've got the "right stuff", you get to survive long enough to reproduce, otherwise you're dead. That's how evolution works.
However, viruses might be more more prevalent in a large population because there are more hosts to infect (thus it's easier to survive). Also, with the increased number of hosts, it's easier to spread from one host to another, thus making survival easier yet again.
Thus you can use evolution to explain the larger number of viruses in a larger population, but not in the way you originally did.
Actually, there was (and still is) something similar to what you're talking about, but not on a distribuited basis. It's called "core wars". People would write programs in assembler and try to have one program kill the other one. Even though I'm not a coder, it sounds like fun.
For a little more info, check out the entry for "core wars" in the Jargon File.
The big Linux vulnerability is that too much stuff runs as root. One buffer overflow vulnerability in a set-UID program and the attacker is in. Then they install a Linux root kit, and it takes a huge effort to clean up the system. Since Linux normally has a telnet daemon, it's remote controllable out of the box. You don't even need something like Back Orifice.
UNIX is not a secure operating system. Linux is not a secure operating system. Nothing Microsoft makes is a secure operating system.
Somebody mentioned EROS. It's not really finished, and even if it was, you'd need applications for it. What's really needed, I think, is something with capabilities like EROS, a high-performance, secure CORBA-like model of interprocess communication, and support for high-volume transaction processing in the CICS sense. Then you'd need to tear apart things like BIND and Apache into a number of mutually mistrustful components. User-initiated transactions would run as separate processes, like CGI programs, but would launch faster using a CICS transaction model.
Oh, and you need a decent security model. For example, in a real secure system, there's no "root". If you're doing administration functions, you can only run a few trusted administration programs.
There are no effective Linux Virus in the wild is because everyone who is capable of writing one, is too busy writing virus for Windows.
---------------------------------------------
Jesus died for somebodies sins, but not mine
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
However there is no guarantee this will always be the case. As a programmer I appreciate the apps I use having the ability to be scripted, and this is the first step down a dangerous path. My text and graphics editors, vim and gimp, both have built-in scripting languages, which is the same feature that has made MSWindows office apps so vulnerable to viri.
I think the important distinction is that none of the apps I use under Linux look for script code in their documents. This means I can't send you a gimp image with a little plug-in to help you make your own similar image. I can't send you a text file with special scripted abilities for vim as I can with MS Word. If I want to give you these scripted capabilities, I must send a seperate file that you must treat differently than a normal document file. This is the key point, and we should keep this in mind when adding features to any applications that we work on.
The danger is not as distant as you might think. The power and ease-of-use provided by this sort of feature makes it difficult to resist. For example, vim allows a special line to be embedded in a text file that gives it direction on how to display the text (tab settings and such). As long the vim group is very, very careful to make sure that there is no way to drop into the full-featured scripting language through this feature, we are still safe, but this is a tricky line to walk.
--Chouser
--Chouser
"To stay young requires unceasing cultivation of the ability to unlearn old falsehoods." -LL
For example, my favorite email client, mutt, has absolutely no chance of propogating a Melissa-style virus.
/etc/mailcap. I think mutt had a workaround until mailcap was fixed, but I don't know whether that workaround was just preemptive caution or whether mutt was vulnerable too.
Are you sure? Even pine was exploitable once via a bug in
Although, technically, this isn't a "Melissa-style virus". Melissa required you to open a word file. The mailcap exploit would have just required you to read your mail.
The first damaging Linux virus won't be spread by infected warez or email trojans run by clueless users. It'll be a simple root exploit that propagates itself.
If you're running a promiscuous system of network daemons (and too many people are: I'd wager the ratio of people running imapd to people who need to be running imapd is 100+) then you're probably susceptable to a new root exploit every year or so. If you don't update your system regularly (and that probably includes every newbie Linux user) then you stay susceptable for a long time. If you fit both those categories, then you're a target; and since most newbies installed a distribution whose default configuration has everything turned on, there are a big pool of targets out there.
There was a worm that used the imapd exploit, something like a year after the exploit was discovered and fixed, and it still managed to do some damage. What happens when an aspiring young virus writer prebuilds the framework for a worm, then starts plugging in the exploit of the month and sending it out each time a new vulnerability comes out? If you're subscribed to a security list, using MandrakeUpdate or up2date, or otherwise keeping current, you're probably fine. If not... well, such a worm would find a lot of food.
And now that Linux is becoming a more tempting target (lots of cocky "Linux viruses are impossible" users out there, lots more cluebies to offend the l33t virus writers with their presence, lots more users on fat, useful cable modems or university connections, and just lots more users total), such a scenario becomes more and more likely.
It's going to happen. Somebody is going to write a badass virus for linux that's going to cause som e damage. The amount of damage is what's variable in my mind, not whether or not it will occur.
:) With that, like I said, it's pure ignorance, (or just blind platform advocating idiocy) to say that linux won't ever have a problem with virii.
:)
I think it would be incredibly ignorant of people here to think that a virus couldn't happen on linux, even if the system is well-defended against virii. Personally, i think one of the biggest things linux has going for it in the anti-virus arena is that it's so non-homogenous. Everybody talks about how wonderful windows is because it's consistent from machine to machine, but that's the same type of "feature" that makes it easy to write virii that spread quickly. The virus automatically "knows" what kind of machine it's on, and it can always assume a base level of functionality. Not so on linux, where you have everything from diskless workstations to development boxes that don't have daemons on them, to "production" servers that have daemons, but are missing some normal development tools. There isn't a baseline functionality the virus can assume.
Pretty much everybody on slashdot should know that anything is possible when it comes to a coder with too much time on his hands.
I forget the exact wording, but a quote on the l0pht's site comes to mind: "Making the 'theoretical' practical since 1995". Doesn't that say it all? Linux is a great system, and I love it as much as the next guy, but it's blind arrogance to say that it will never be susceptible to virii. I agree with this poster. Articles like this seem to want to poke the moster and yell "Haha - you can't crack my box!!!". As far as security is concerned, it's best to keep a low profile.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
. . . while under MS Windows, the programmer has apparent no interest in the user's welfare.
I'm not sure why this is, but the records points to several possible reasons:
1) Laziness. Does anyone here remember the history of the format command in DOS? Originally, it would format the current working disk by default -- in other words, if you typed ``format" at a C:\> prompt, it the C:\ drive & everything on it was history. This was a Known Problem for several revisions of DOS (I think it was fixed in 4.0, but it could have been as late as 5.0 before that was fixed), that forced the clued to do all sorts of interesting things (e.g., rename the command, delete the command, substitute another binary for this one) to keep the newbies from toasting their data.
2) Marketing Reasons. About the time Melissa first wreaked havoc, someone asked the folks at Microsoft why Active X was turned on by default. ``We consider that an important feature," was the reply. In other words, the questionable usefulness of embeding fonts & animations in a given email outweighed the clear risk of malicious code. Newbies want 3l373 + k3wl stuff, & will pay for the new revision; sysadmins are expected to wade thru the poor documentation to support these purchases.
3) Lack of skill. Microsoft got its start in the world of microcomputers, which barely had the horsepower to run one application at a time. (Yes, there were TSR applications, but they were a bug that creative non-Microsoftie hackers turned into a feature. And were the door that allowed computer viruses to get into the OS.) Programmers at MS wrote their OS & flagship applications before they had learn how to write software that shared computer resources with other applications or users. And as we saw in #1, unless absolutely forced to, MS programmers never went back & rewrote old code, so their flagship applications like Word, Excell & so forth still don't play nice in a multi-tasking, multi-user environment.
Actually, to say they ``don't play nice" is a misnomer: they don't know how to play at all with anything else in that environment. Not only do they fail to share resources, they don't know when these resources are unavailable -- or what to do if the same have been tainted by malicious code. And since the programmers who developed & maintained these older products never learned how to do this, the new programmers -- & the new products in multi-tasking, multi-user environments -- also fail to properly interact with other software in this operating space.
4. All of the Above. Accepting the validity of any one reason above does not exclude the others, AFAIK.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Yes, that was pretty funny.
But we should give RMS and JWZ et al their due: I have not lost even one byte of data using emacs or xemacs(*). I don't even remember the last time emacs crashed during an editing session. It's easily the most stable large program I've ever used.
Compare that to Microsoft Word, which I use about 1% of the time I use emacs or xemacs, and you'll cry.
D
(*) Okay, a slight exaggeration - I've probably lost 1k or so due to power outages that caused my machine to abruptly stop while I was editing. I can't blame that on emacs!
----
I recently installed Mandrake 7.0. OK I selected "paranoid", but I hope the following holds for all security levels: You are not allowed to log in as root. At all. Not even locally. The only way to gain root privilegies is to su. This is The Right Way. Hope that the other distros will follow...
I know of peoples who runs as root all the time...Perheaps I'l write them a viri just to prove them they are stupid... No, I won't they may spread it...
--The knowledge that you are an idiot, is what distinguishes you from one.
--The knowledge that you are an idiot, is what distinguishes you from one.
Of these, I'm skeptical of 1 and 3.
Is 1 still the case, as more and more people are learning Linux at home, with no experience of an actual mulituser UNIX system? Might'nt there be enough people routinely running as root these days to invalidate the barriers of Linux's design?
2 is perfectly reasonable, though--as others have already pointed out--there's nothing to keep that from changing in the future.
As for 3, isn't there a potential (I don't know if it's already been tried yet) for deceptive "open source" software with the binary not actually derived from the provided source? Folks who download and compile the source would be safe, but folks who download the executable get a nasty surprise.
Linux is not a good environment for viruses, but it's not impervious either. Even a half-assed capabilties system would greatly improve Linux virus security.
For example, how often do you use "su; make install"? That hands over full authority to do anything. It would not be all that hard to hide, say, literal strings of Perl bytecode in a deeply recursive make, that search all *.tar.gz|*.tgz files for just such a deeply recursive make and hide itself in the ones it finds (cryptic nonsense marked with cute yet unhelpful comments is nothing new to free software; if it was obfuscated to look like a cute piece of ASCII art, it might not even need to justify its existence as part of the project). Combine this with infecting key utilities, like gcc and make, and you've got yourself an annoyingly persistent and sneaky virus.
Even though it would be more useful to have a full capabilties system, like in EROS, a good "execute with permissions + limited capabilities" utility could prevent root-mode installation infections.
For example:capsdo -cu -wnf /usr/local/bin -cwd /usr/local/lib -c "make install" /usr/local/bin and create new directories to which it has full write access (-cwd) in /usr/local/lib (of course, it would require your root password to run). Not that this would be easy to write. It would have to sit between the app and the kernel, filtering actions.
meaning, run "make install" like current user (-cu), except that you can write new files (-wnf) to
Another way safety might be improved (at the admin level) is to create an "installer" group that has access to the "/usr/local" tree, and a new user in the group for each new installation; none of which gives write access for its files to any other user. A root utility could create and manage these psuedousers without bothering the admin. However, this would do nothing for holes like running SVGALIB games.
... and ports Office to Linux. Unlikely I know, but as the article hinted, one of the reasons viruses are a non-issue on Linux is because of the feature set of the typical application. Windows NT and 2000 have user-level security too, but they're still somewhat vulnerable because of things like Craptive, er I mean Active X, and the always entertaining Word and Excel macros.
I was wondering; Lotus 1-2-3 and WordPerfect have macros too, why didn't anyone ever write viruses for those?
Gamingmuseum.com: Give your 3D accelerator a rest.
These factors lead me to believe that we will see virus attacks. They can potentially be nasty, but they will be squashed rather quickly as well. I also have some theories about possible targets for the attacks that I don't want to publically discuss.
The net will not be what we demand, but what we make it. Build it well.
- Bad things happen more often to the clueless
- Linux users are supposedly less clueless than MS/Mac users
- Ergo: Less bad things happen to Linux users
Security is almost always a trade-off: Some people sacrifice some (or most) of it for every day convenience. (Yes it IS convenient to use the same system as the majority. It IS convenient to run as root. It IS convenient to simply run a binary) More security aware people don't.If more "average users" would turn to Linux, we would see more security holes provided for comfort, more binary-only programs, more handy macro script options and inevitably more viruses.
All opinions are my own - until criticized
For a single-user desktop environment, the less experienced user is the same which goes root to install new exciting packages just downloaded from a not-too-safe site. It would hep, if he could install 'not-safe' binary packages in 'user space'(e..g. a sub-directory of his home directory) and then, once he thrusts them, re-install in 'root space'.
Even if the virus successfully infects a program owned by the user, its task of propagation is made much more difficult by the limited privileges of the user account.
Even if it cannot (easily) spread using programs owned by root, it can damage user's files!
My 40 lire ( hopefully soon 0.2 Euro ) : Virus trives in computer user's ignorance. To fight the viruses, educate the computer users.
Ciao
----
FB
I read this earlier and it seemed pretty good. Sort of a rehash to most Linux savy people. But reading it over again is never a bad idea.
... one large issue that will cause problems for Linux as a client machine is that most people will be running as root. This sucks. I believe education is the best method to fix this but I'm fearful it will be bad education, not good. By that I mean that 100s of clueless caldera users or something will get some horid virus before someone says `Why were you running as root?' Then they will learn. Not a nice lesson. There may be better solutions out there (such as linuxconf style system configuration?), but as long as an end user views root as the easiest way to avoid permission issues, they will use it.
Anyhow
Don't expect to ever see serious server side Linux virus outbreakes, but end user Linux is a trojan horse waiting to happen, IMHO.
Bad Mojo
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
One of the major reasons for there being a distinct lack of linux viruses is that by and large, it will most likely only be executed by a local user as themselves, therefore spreading to system binaries is nigh-on impossible.
There are two threats to that, of course: (a) people start running every silly thing as root (which will rise the more of a "desktop OS" "linux" becomes) and (b) folks who hack cracking become virus writers and use exploits to propogate stuff around.
~Tim
--
Rushing on down to the circle of the turn
The people and pizza hut have been pissin' me off lately. Anyone know of a virus that will access a users modem and call pizza hut and order a bunch of pizza to people that don't exist?
The Pizza Virus effect could be great for alot of people. 1) More wasted food means better prices for farmers. 2) More wasted food means more work for sanitation workers. 3) Somebody might be thinking "hey, I want a pizza" and suddenly, the pizza virus will unexpectedly deliever a pizza to their door. I guess the people at pizza hut wouldn't like it much, but they are bastards anyway, so screw them.
I thought I had a virus working in a popular text editing program. It bulked the application up to ludicrous amounts of memory space, made the whole thing unstable and made it impossible to get anything doe without typing in cramped and confusing strings of characters. Then a helpful friend reminded me that I was using emacs.
This is a pretty bad article IMHO. It is clearly meant as a rebuttal against what Garfinkle wrote. But it is pretty bad.
For a Linux binary virus to infect executables, those executables must be writable by the user activating the virus. That is not likely to be the case. Chances are, the programs are owned by root and the user is running from a non-privileged account. Further, the less experienced the user, the lower the likelihood that he actually owns any executable programs. Therefore, the users who are the least savvy about such hazards are also the ones with the least fertile home directories for viruses.
This describes the typical Unix situation, which is not the typical Linux situation. There, more people have installed their own system and have root priviliges. And the less savvy the user, the bigger the chance that the root user is the only account on the system.
Linux networking programs are conservatively constructed, without the high-level macro facilities....
Very true, but seconds later
Linux applications and system software is almost all open source. Because so much of the Linux market is accustomed to the availability of source code, binary-only products are rare and have a harder time achieving a substantial market presence. This has two effects on the virus. First, open source code is a tough place for a virus to hide.
Yeah right, so first it says that high level scripts may be a source of viruses, but then when you have source code (in e.g. Makefiles, highlevel), viruses are all of a sudden less likely. I am still afraid that I come into a Makefile someday that holds the line:
install: rm -rf /
Is this not a virus? If not, why is it a virus if a similar line is contained in some malicious Word macro?
No reason to worry about Linux viruses yet, but mostly because the platform is not popular enough to have a widespread effect (and this is the real lesson of zoology, viruses in nature are mostly used by evolution to limit large populations. This is why there are mostly Windows viruses; evolution wants to limit its growth).
There's little in Linux to keep application level viruses, like those enabled by Microsoft Innovations and intra-application macro languages, to pummel their users work.
;)
Open source kills bugs DEAD! But folks who insist on distributing compiled versions of their code apparently do not want the advantage of infinitelly shallow bugs, and virus protection to boot.
The article points out that access protection keeps a virus confined within the user(s) that initially bring it onto the system. As Linux becomes more and more popular, new users running as root will multiply, making the installed Linux base more prone to virus infection from compiled wizz-bang apps that newbies will download.
New users may run as root because they don't know any better. They don't have to learn about access protection, chmod, or other UNIX complexity.
rm -rf works and there's no doubt, when you run as root.
Slightly less than new users run as root for the illusion of competency. This is where the danger lies. Arrogance is harmful until you have the experience to ack it up. Then it becomes confidence, and pride no longer requires running as root always, just to tweak a config file sometimes.
For the record, Linux DOES suffer from one virus. GPL.
-- What you do today will cost you a day of your life.
There was a linux virus list at (might be down now)
http://virus.beergrave.net
it's owner has several interesting (low-level, assembler/C, ELF) documents with linux virusses and descriptions. Find them here:
http://www.big.net.au/~silvio
Also, there's a linux virus at
http://www.mixter.org
For more low-level linux stuff go to
http://hculinux.cjb.net
*borkborkbork*
Articles such as this are only fuel to the virus writing fire. The more people keep daring crackers and virus writers that this is not possible, the closer you get to a virus epidemic. If that happens, it will be a huge disservice to the growing popularity of the amazing OS that is Linux.
of course I'm all for writing about virus warnings, technical consideratiosn and the sort, but, IMHO, we must keep our tone down and speak with humility. Not even suggest for a minute that a successful linux virus is not possible. The ability of humans to do the impossible is a big part of the reason why linux exists, and to be honest, i started using linux BECAUSE most people (used to) think it would fail.
i personally think the open source movement, and the whole linux fenomena, is a serious and professional one, and unless treated that way will probably fall for the same reasons other venues are falling today (that is if you, like me, think that windows won't last that long). If more serious consideration would have been given to viruses when they first showed up (not mainstream), windows would probably be much more protected against them than it is (but then again, maybe not. thanks bill).
anyway, that's just my $0.02
There are two kinds of people in the world: Those with good memory.