The Short Life And Hard Times Of A Linux Virus
Sun Tzu writes, "There are several reasons for the non-issue of the Linux virus. Most of those reasons a Linux user would already be familiar with, but there is one, all important, reason that a student of evolution or zoology would also appreciate ... The article is at sitereview.org. "
However there is no guarantee this will always be the case. As a programmer I appreciate the apps I use having the ability to be scripted, and this is the first step down a dangerous path. My text and graphics editors, vim and gimp, both have built-in scripting languages, which is the same feature that has made MSWindows office apps so vulnerable to viri.
I think the important distinction is that none of the apps I use under Linux look for script code in their documents. This means I can't send you a gimp image with a little plug-in to help you make your own similar image. I can't send you a text file with special scripted abilities for vim as I can with MS Word. If I want to give you these scripted capabilities, I must send a separate file that you must treat differently than a normal document file. This is the key point, and we should keep this in mind when adding features to any applications that we work on.
The danger is not as distant as you might think. The power and ease-of-use provided by this sort of feature makes it difficult to resist. For example, vim allows a special line to be embedded in a text file that gives it direction on how to display the text (tab settings and such). As long as the vim group is very, very careful to make sure that there is no way to drop into the full-featured scripting language through this feature, we are still safe, but this is a tricky line to walk.
--Chouser
"To stay young requires unceasing cultivation of the ability to unlearn old falsehoods." -LL
For example, my favorite email client, mutt, has absolutely no chance of propagating a Melissa-style virus.
Are you sure? Even pine was exploitable once via a bug in /etc/mailcap. I think mutt had a workaround until mailcap was fixed, but I don't know whether that workaround was just preemptive caution or whether mutt was vulnerable too.
Although, technically, this isn't a "Melissa-style virus". Melissa required you to open a word file. The mailcap exploit would have just required you to read your mail.
The first damaging Linux virus won't be spread by infected warez or email trojans run by clueless users. It'll be a simple root exploit that propagates itself.
If you're running a promiscuous system of network daemons (and too many people are: I'd wager the ratio of people running imapd to people who need to be running imapd is 100+) then you're probably susceptible to a new root exploit every year or so. If you don't update your system regularly (and that probably includes every newbie Linux user) then you stay susceptible for a long time. If you fit both those categories, then you're a target; and since most newbies installed a distribution whose default configuration has everything turned on, there is a big pool of targets out there.
There was a worm that used the imapd exploit, something like a year after the exploit was discovered and fixed, and it still managed to do some damage. What happens when an aspiring young virus writer prebuilds the framework for a worm, then starts plugging in the exploit of the month and sending it out each time a new vulnerability comes out? If you're subscribed to a security list, using MandrakeUpdate or up2date, or otherwise keeping current, you're probably fine. If not... well, such a worm would find a lot of food.
And now that Linux is becoming a more tempting target (lots of cocky "Linux viruses are impossible" users out there, lots more cluebies to offend the l33t virus writers with their presence, lots more users on fat, useful cable modems or university connections, and just lots more users total), such a scenario becomes more and more likely.
It's going to happen. Somebody is going to write a badass virus for linux that's going to cause some damage. The amount of damage is what's variable in my mind, not whether or not it will occur.
:) With that, like I said, it's pure ignorance, (or just blind platform advocating idiocy) to say that linux won't ever have a problem with virii.
:)
I think it would be incredibly ignorant of people here to think that a virus couldn't happen on linux, even if the system is well-defended against virii. Personally, I think one of the biggest things linux has going for it in the anti-virus arena is that it's so non-homogenous. Everybody talks about how wonderful windows is because it's consistent from machine to machine, but that's the same type of "feature" that makes it easy to write virii that spread quickly. The virus automatically "knows" what kind of machine it's on, and it can always assume a base level of functionality. Not so on linux, where you have everything from diskless workstations to development boxes that don't have daemons on them, to "production" servers that have daemons, but are missing some normal development tools. There isn't a baseline functionality the virus can assume.
Pretty much everybody on slashdot should know that anything is possible when it comes to a coder with too much time on his hands.
I forget the exact wording, but a quote on the l0pht's site comes to mind: "Making the 'theoretical' practical since 1995". Doesn't that say it all? Linux is a great system, and I love it as much as the next guy, but it's blind arrogance to say that it will never be susceptible to virii. I agree with this poster. Articles like this seem to want to poke the monster and yell "Haha - you can't crack my box!!!". As far as security is concerned, it's best to keep a low profile.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
. . . while under MS Windows, the programmer has apparently no interest in the user's welfare.
I'm not sure why this is, but the record points to several possible reasons:
1) Laziness. Does anyone here remember the history of the format command in DOS? Originally, it would format the current working disk by default -- in other words, if you typed ``format" at a C:\> prompt, the C:\ drive & everything on it was history. This was a Known Problem for several revisions of DOS (I think it was fixed in 4.0, but it could have been as late as 5.0 before that was fixed), that forced the clued to do all sorts of interesting things (e.g., rename the command, delete the command, substitute another binary for this one) to keep the newbies from toasting their data.
2) Marketing Reasons. About the time Melissa first wreaked havoc, someone asked the folks at Microsoft why Active X was turned on by default. ``We consider that an important feature," was the reply. In other words, the questionable usefulness of embedding fonts & animations in a given email outweighed the clear risk of malicious code. Newbies want 3l373 + k3wl stuff, & will pay for the new revision; sysadmins are expected to wade thru the poor documentation to support these purchases.
3) Lack of skill. Microsoft got its start in the world of microcomputers, which barely had the horsepower to run one application at a time. (Yes, there were TSR applications, but they were a bug that creative non-Microsoftie hackers turned into a feature. And were the door that allowed computer viruses to get into the OS.) Programmers at MS wrote their OS & flagship applications before they had learned how to write software that shared computer resources with other applications or users. And as we saw in #1, unless absolutely forced to, MS programmers never went back & rewrote old code, so their flagship applications like Word, Excel & so forth still don't play nice in a multi-tasking, multi-user environment.
Actually, to say they ``don't play nice" is a misnomer: they don't know how to play at all with anything else in that environment. Not only do they fail to share resources, they don't know when these resources are unavailable -- or what to do if the same have been tainted by malicious code. And since the programmers who developed & maintained these older products never learned how to do this, the new programmers -- & the new products in multi-tasking, multi-user environments -- also fail to properly interact with other software in this operating space.
4) All of the Above. Accepting the validity of any one reason above does not exclude the others, AFAIK.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Yes, that was pretty funny.
But we should give RMS and JWZ et al their due: I have not lost even one byte of data using emacs or xemacs(*). I don't even remember the last time emacs crashed during an editing session. It's easily the most stable large program I've ever used.
Compare that to Microsoft Word, which I use about 1% of the time I use emacs or xemacs, and you'll cry.
D
(*) Okay, a slight exaggeration - I've probably lost 1k or so due to power outages that caused my machine to abruptly stop while I was editing. I can't blame that on emacs!
----
I recently installed Mandrake 7.0. OK I selected "paranoid", but I hope the following holds for all security levels: You are not allowed to log in as root. At all. Not even locally. The only way to gain root privileges is to su. This is The Right Way. Hope that the other distros will follow...
I know of people who run as root all the time... Perhaps I'll write them a viri just to prove to them they are stupid... No, I won't, they may spread it...
--The knowledge that you are an idiot, is what distinguishes you from one.
Of these, I'm skeptical of 1 and 3.
Is 1 still the case, as more and more people are learning Linux at home, with no experience of an actual multiuser UNIX system? Mightn't there be enough people routinely running as root these days to invalidate the barriers of Linux's design?
2 is perfectly reasonable, though--as others have already pointed out--there's nothing to keep that from changing in the future.
As for 3, isn't there a potential (I don't know if it's already been tried yet) for deceptive "open source" software with the binary not actually derived from the provided source? Folks who download and compile the source would be safe, but folks who download the executable get a nasty surprise.
Linux is not a good environment for viruses, but it's not impervious either. Even a half-assed capabilities system would greatly improve Linux virus security.
For example, how often do you use "su; make install"? That hands over full authority to do anything. It would not be all that hard to hide, say, literal strings of Perl bytecode in a deeply recursive make, that search all *.tar.gz|*.tgz files for just such a deeply recursive make and hide itself in the ones it finds (cryptic nonsense marked with cute yet unhelpful comments is nothing new to free software; if it was obfuscated to look like a cute piece of ASCII art, it might not even need to justify its existence as part of the project). Combine this with infecting key utilities, like gcc and make, and you've got yourself an annoyingly persistent and sneaky virus.
Even though it would be more useful to have a full capabilities system, like in EROS, a good "execute with permissions + limited capabilities" utility could prevent root-mode installation infections.
For example: capsdo -cu -wnf /usr/local/bin -cwd /usr/local/lib -c "make install", meaning, run "make install" like current user (-cu), except that you can write new files (-wnf) to /usr/local/bin and create new directories to which it has full write access (-cwd) in /usr/local/lib (of course, it would require your root password to run). Not that this would be easy to write. It would have to sit between the app and the kernel, filtering actions.
Another way safety might be improved (at the admin level) is to create an "installer" group that has access to the "/usr/local" tree, and a new user in the group for each new installation; none of which gives write access for its files to any other user. A root utility could create and manage these pseudousers without bothering the admin. However, this would do nothing for holes like running SVGALIB games.
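A lighter-weight version of the "don't hand make install full authority" idea from this post, and of the later suggestion in the thread to install untrusted packages in user space first, can be had with nothing more than the DESTDIR convention most Makefiles already honour: run the install target as an ordinary user into a scratch tree, then audit what it would have written before any of it is copied in as root. The script below is an added example, not code from the thread or from any of the projects mentioned; the function names stage_install and audit_stage are chosen here, and it assumes the package's Makefile respects DESTDIR.

```shell
#!/bin/sh
# Added example (not from the thread): stage "make install" as an
# unprivileged user, then audit the staged tree before anything is
# copied to the live system as root. "stage_install" and "audit_stage"
# are names chosen for this example.

# audit_stage STAGE PREFIX...
# Prints every regular file under STAGE whose path, relative to STAGE,
# does not fall under one of the allowed PREFIX directories.
# Returns 1 if any such file was found, 0 otherwise.
audit_stage() {
    stage=$1; shift
    list=$(mktemp)
    find "$stage" -type f > "$list"
    bad=0
    while IFS= read -r f; do
        rel=${f#"$stage"}          # path as it would appear on the live system
        ok=0
        for p in "$@"; do
            case "$rel" in "$p"/*) ok=1 ;; esac
        done
        if [ "$ok" -eq 0 ]; then
            echo "outside allowed prefixes: $rel"
            bad=1
        fi
    done < "$list"
    rm -f "$list"
    return $bad
}

# stage_install SRCDIR STAGE
# Runs the package's install target as the current (non-root) user with
# DESTDIR pointed at STAGE. Because this runs unprivileged, a Makefile
# that ignores DESTDIR and writes straight to root-owned locations fails
# loudly instead of silently touching the system.
stage_install() {
    srcdir=$1; stage=$2
    mkdir -p "$stage"
    ( cd "$srcdir" && make install DESTDIR="$stage" )
}

# Typical use, as the unprivileged user:
#   stage_install ./somepkg-1.0 /tmp/stage.$$ \
#     && audit_stage /tmp/stage.$$ /usr/local \
#     && echo "staged tree looks sane; review it, then copy as root"
```

audit_stage only knows about files that landed inside the stage, so it answers "what would this install put where?" rather than "is this install safe?"; the unprivileged run is what stops writes to root-owned paths, and the audit is what makes a stray file under /etc or /usr/bin visible before a root copy would have blessed it.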
... and ports Office to Linux. Unlikely I know, but as the article hinted, one of the reasons viruses are a non-issue on Linux is because of the feature set of the typical application. Windows NT and 2000 have user-level security too, but they're still somewhat vulnerable because of things like Craptive, er I mean Active X, and the always entertaining Word and Excel macros.
I was wondering; Lotus 1-2-3 and WordPerfect have macros too, why didn't anyone ever write viruses for those?
Gamingmuseum.com: Give your 3D accelerator a rest.
These factors lead me to believe that we will see virus attacks. They can potentially be nasty, but they will be squashed rather quickly as well. I also have some theories about possible targets for the attacks that I don't want to publicly discuss.
The net will not be what we demand, but what we make it. Build it well.
- Bad things happen more often to the clueless
- Linux users are supposedly less clueless than MS/Mac users
- Ergo: Less bad things happen to Linux users
Security is almost always a trade-off: Some people sacrifice some (or most) of it for every day convenience. (Yes it IS convenient to use the same system as the majority. It IS convenient to run as root. It IS convenient to simply run a binary) More security aware people don't. If more "average users" would turn to Linux, we would see more security holes provided for comfort, more binary-only programs, more handy macro script options and inevitably more viruses.
All opinions are my own - until criticized
For a single-user desktop environment, the less experienced user is the same who goes root to install new exciting packages just downloaded from a not-too-safe site. It would help if he could install 'not-safe' binary packages in 'user space' (e.g. a sub-directory of his home directory) and then, once he trusts them, re-install in 'root space'.
Even if the virus successfully infects a program owned by the user, its task of propagation is made much more difficult by the limited privileges of the user account.
Even if it cannot (easily) spread using programs owned by root, it can damage user's files!
My 40 lire (hopefully soon 0.2 Euro): Viruses thrive in computer users' ignorance. To fight the viruses, educate the computer users.
Ciao
----
FB
I read this earlier and it seemed pretty good. Sort of a rehash to most Linux savvy people. But reading it over again is never a bad idea.
... one large issue that will cause problems for Linux as a client machine is that most people will be running as root. This sucks. I believe education is the best method to fix this but I'm fearful it will be bad education, not good. By that I mean that 100s of clueless caldera users or something will get some horrid virus before someone says `Why were you running as root?' Then they will learn. Not a nice lesson. There may be better solutions out there (such as linuxconf style system configuration?), but as long as an end user views root as the easiest way to avoid permission issues, they will use it.
Anyhow
Don't expect to ever see serious server side Linux virus outbreaks, but end user Linux is a trojan horse waiting to happen, IMHO.
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
One of the major reasons for there being a distinct lack of linux viruses is that by and large, it will most likely only be executed by a local user as themselves, therefore spreading to system binaries is nigh-on impossible.
There are two threats to that, of course: (a) people start running every silly thing as root (which will rise the more of a "desktop OS" "linux" becomes) and (b) folks who hack cracking become virus writers and use exploits to propagate stuff around.
~Tim
--
Rushing on down to the circle of the turn
The people and pizza hut have been pissin' me off lately. Anyone know of a virus that will access a user's modem and call pizza hut and order a bunch of pizza to people that don't exist?
The Pizza Virus effect could be great for a lot of people. 1) More wasted food means better prices for farmers. 2) More wasted food means more work for sanitation workers. 3) Somebody might be thinking "hey, I want a pizza" and suddenly, the pizza virus will unexpectedly deliver a pizza to their door. I guess the people at pizza hut wouldn't like it much, but they are bastards anyway, so screw them.
I thought I had a virus working in a popular text editing program. It bulked the application up to ludicrous amounts of memory space, made the whole thing unstable and made it impossible to get anything done without typing in cramped and confusing strings of characters. Then a helpful friend reminded me that I was using emacs.
This is a pretty bad article IMHO. It is clearly meant as a rebuttal against what Garfinkle wrote. But it is pretty bad.
For a Linux binary virus to infect executables, those executables must be writable by the user activating the virus. That is not likely to be the case. Chances are, the programs are owned by root and the user is running from a non-privileged account. Further, the less experienced the user, the lower the likelihood that he actually owns any executable programs. Therefore, the users who are the least savvy about such hazards are also the ones with the least fertile home directories for viruses.
This describes the typical Unix situation, which is not the typical Linux situation. There, more people have installed their own system and have root privileges. And the less savvy the user, the bigger the chance that the root user is the only account on the system.
Linux networking programs are conservatively constructed, without the high-level macro facilities....
Very true, but seconds later
Linux applications and system software are almost all open source. Because so much of the Linux market is accustomed to the availability of source code, binary-only products are rare and have a harder time achieving a substantial market presence. This has two effects on the virus. First, open source code is a tough place for a virus to hide.
Yeah right, so first it says that high level scripts may be a source of viruses, but then when you have source code (in e.g. Makefiles, highlevel), viruses are all of a sudden less likely. I am still afraid that I come into a Makefile someday that holds the line:
install: rm -rf /
Is this not a virus? If not, why is it a virus if a similar line is contained in some malicious Word macro?
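The quoted article's precondition for a binary virus (executables writable by the user who runs the infected program) is easy to check for yourself, and the check doubles as a test of this post's objection: run it as root and every executable on the system comes back writable. The script below is an added example, not code from the thread or the article; the function names writable_execs and writable_in_path are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): list the executables the current
# user could overwrite, i.e. the files a binary virus run from this
# account could infect. "writable_execs" and "writable_in_path" are
# names chosen for this example.

# writable_execs DIR
# Prints regular files under DIR that are both executable and writable
# by the user running the check. Returns 0 if none, 1 if any were found.
writable_execs() {
    dir=$1
    found=0
    list=$(mktemp)
    find "$dir" -type f > "$list"
    while IFS= read -r f; do
        # test -w and -x use the effective uid, so as root nearly
        # everything with an execute bit is reported: that is the point.
        if [ -x "$f" ] && [ -w "$f" ]; then
            echo "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return $found
}

# writable_in_path
# Runs the same check over every directory in $PATH, skipping entries
# that do not exist. Returns 1 if any writable executable was found.
writable_in_path() {
    any=0
    oldifs=$IFS; IFS=:
    for d in $PATH; do
        [ -d "$d" ] || continue
        writable_execs "$d" || any=1
    done
    IFS=$oldifs
    return $any
}

# Typical use:
#   writable_in_path && echo "nothing in PATH is writable by $(id -un)"
#   writable_execs "$HOME/bin"
```

Run as an ordinary user on a conventionally installed system, writable_in_path should print nothing beyond whatever lives in your own ~/bin; a long list from /usr/bin means either the permissions have been loosened or you are root, which is the single-account situation the post describes.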
No reason to worry about Linux viruses yet, but mostly because the platform is not popular enough to have a widespread effect (and this is the real lesson of zoology, viruses in nature are mostly used by evolution to limit large populations. This is why there are mostly Windows viruses; evolution wants to limit its growth).
There's little in Linux to keep application level viruses, like those enabled by Microsoft Innovations and intra-application macro languages, from pummeling their users' work.
;)
Open source kills bugs DEAD! But folks who insist on distributing compiled versions of their code apparently do not want the advantage of infinitely shallow bugs, and virus protection to boot.
The article points out that access protection keeps a virus confined within the user(s) that initially bring it onto the system. As Linux becomes more and more popular, new users running as root will multiply, making the installed Linux base more prone to virus infection from compiled wizz-bang apps that newbies will download.
New users may run as root because they don't know any better. They don't have to learn about access protection, chmod, or other UNIX complexity.
rm -rf works and there's no doubt, when you run as root.
Slightly less than new users run as root for the illusion of competency. This is where the danger lies. Arrogance is harmful until you have the experience to back it up. Then it becomes confidence, and pride no longer requires running as root always, just to tweak a config file sometimes.
For the record, Linux DOES suffer from one virus. GPL.
-- What you do today will cost you a day of your life.
There was a linux virus list at (might be down now)
http://virus.beergrave.net
its owner has several interesting (low-level, assembler/C, ELF) documents with linux viruses and descriptions. Find them here:
http://www.big.net.au/~silvio
Also, there's a linux virus at
http://www.mixter.org
For more low-level linux stuff go to
http://hculinux.cjb.net
*borkborkbork*
Articles such as this are only fuel to the virus writing fire. The more people keep daring crackers and virus writers that this is not possible, the closer you get to a virus epidemic. If that happens, it will be a huge disservice to the growing popularity of the amazing OS that is Linux.
Of course I'm all for writing about virus warnings, technical considerations and the sort, but, IMHO, we must keep our tone down and speak with humility. Not even suggest for a minute that a successful linux virus is not possible. The ability of humans to do the impossible is a big part of the reason why linux exists, and to be honest, I started using linux BECAUSE most people (used to) think it would fail.
I personally think the open source movement, and the whole linux phenomenon, is a serious and professional one, and unless treated that way will probably fall for the same reasons other venues are falling today (that is if you, like me, think that windows won't last that long). If more serious consideration would have been given to viruses when they first showed up (not mainstream), windows would probably be much more protected against them than it is (but then again, maybe not. thanks bill).
anyway, that's just my $0.02
There are two kinds of people in the world: Those with good memory.