Linux Virus Alert
marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned."
Russell makes an excellent point there. All you have to do is distribute a file that "lets you own M$ boxen!" and there will still be a large number of script kiddies that will download the file and run it as root. Sure, it's not going to be auto-executed, but it's just like virii back in the DOS days.
Why is it there are more viruses for MS platforms than Linux platforms?
The main reasons are thus:
1) Microsoft attempts to grab marketshare by adding any 'feature' that appeals to the masses, rather than adding security that appeals to a few smart people.
2) Microsoft's security model has had only a few years of evolution; the UNIX/Linux/BSD model has had almost twenty years of network-connected time to get it right.
3) Microsoft is greedy. Rather than give you a patch to fix the security problems of your old Microsoft software, they would rather force you to pay for their newer version.
4) Microsoft programmers are inept. Microsoft attracts greedy and underqualified programmers with the lure of stock options. Good programmers either work for themselves or for a company that puts pride in their work. Good programmers seldom do it for the money - witness the wonderful security of the shoestring-budget OpenBSD versus the 1.2 billion USD Windows XP that had to be patched within a month of its consumer release.
In short - Microsoft's bad security is actually good for their bottom line, it forces you to pay money for their 'upgrades.'
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Has anyone actually seen this virus in the wild? I can't imagine it'd actually propagate...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's not impossible for the trojan to have infected a trusted binary, unless you're sure that root only runs programs that have always been writable only by root, and that have always lived in directories writable only by root.
It doesn't need to be as extreme as making /bin/ls world writable. For example, who has the right to change things in /usr/local/bin? Some distros make /usr/local/bin writable by a group called "staff", and on any system it's possible that you allow trusted users to put things in /usr/local/bin, or at least to compile programs which you then put into /usr/local/bin. And then that directory is often in root's path.
That would mean that a sufficiently trusted user who ran an infected binary could then allow the infection to spread to root. (People are often rather less careful with non-root accounts.)
GROGGS: alive and well and living in
I can write a binary that when run by root will erase your entire system. And I can probably do so in under a minute. Somehow, I doubt it will ever hurt anyone. Anyone smart anyhow.
Programs that exploit security holes are far and wide. Yet, they are typically released as source code, usually attached to messages in security mailing lists. We can take a quick glance over this source before compiling it and running it. And besides, if it IS your typical exploit code, nobody needs to run it as root. To do so would defeat the purpose of having an exploit in the first place.
I do like the statement, however, that linux users are less likely to open unknown attachments. Says quite a lot about our community right there.
-Restil
Play with my webcams and lights here
This is a trust issue and the entrusting of power into people that may or may not be up to or care for the task. RPMs are as easy to install as a setup.exe for people as long as there is not a slew of dependencies (which has been lessened with the advent of "smart" installers). It is that ease of use which is dangerous without precaution as we have seen with microsoft products. Implementing safety measures beyond those that we as accomplished users have grown accustomed to is a rising concern and still needs to be addressed.
An Education is the Font of All Liberty
"the type of person who installs Linux generally knows better..."
Exactly, it's not Linux that is more secure/insecure, it's the person who administers the box that makes it secure.
Good point, and there should be a focus on the potential of Linux virii out there (though most of the focus has been on fixing probable remote exploits, which in itself can do some contaminations since some servers NEED root permissions to run). Again, distros SHOULD turn off servers by default, don't let X run its listener, etc, etc, to prevent remote exploits, but also there needs to be a focus to scan for virii, especially if you have a heterogeneous network to work with, in case there's multiple platforms that could be targeted. Though the article is correct; the reason why we Linux users don't get targeted is because we know better. This will change if Linux starts to gain market share to a point of at least 15%-25%. Either this 15%-25% will be bright, or they will be gullible to virii, I can't say.
Karma whorin' since 1999
Part of it's because of the relative lack of security on a Windows box; only NT and XP had/have an administrator level where regular users aren't allowed to do things.
95/98 let anyone run just about anything as default. And XP actually does this too... Default accounts are set up as administrator without passwords.
Let me add some items to your list...
- Linux installers are usually very good at teaching newbies the dangers of the root account. They will also make it real easy and natural to setup secured user accounts.
- The community is very good at reminding each other not to run as root, be it in weblogs, readmes, changelog, etc. In fact, they even go on running jokes about it. At the end of the day, it makes a wonderful job at passing the word to new users.
- Since there is already a critical mass of careful users on linux, programs that use more permissions than they need to can expect to receive floods of angry emails. Under w2k/xp, where most home users run as administrator, those that do not are less likely to complain. The end result is, windows software too often crashes and bugs up unless run as root.
- Under Linux, it is real easy to become root for the time of a single action (su, sudo, fakeroot), then relinquish the extra permissions. Under w2k, you have to create a shortcut to the executable, right click, check 'run as a different user', click ok, double click, click on the password field, enter the root password. A real pain in the ass. And again, a lot of programs that would otherwise run correctly as administrator won't work with this method. In which case you have to save all your work, log out, log in as admin, run that program, log out, log back in, restart all the programs you were using. Blah! Easily a ten-minute process.
- Under windows, it is always trivially easy to run programs. So much so, that I'm extra careful whenever I'm reading mail under windows, and slow down my perusal to be sure not to stumble and accidentally run a virus. Under linux, running an untrusted program is a two step process: first give it the permission to run (chmod +x virus.exe), then run it (./virus.exe).
- Finally, viruses need to pull their infection/clean-up ratio over the 1.0 bar in order to survive and outbreak. Linux, with its smaller installed base and its biodiversity of distributions, makes it hard for a virus to find its next vulnerable target. With that in mind, we can expect somewhat more Linux viruses the day it takes over from Windows as everyone's operating system.
This post was compiled with `% gec -O`. email me if you need the sources
Personally, I consider anti-virus software viruses themselves. They often cause more problems and interfere with your system much more than any 'virus'. Just look at what they do... constantly run, constantly run every file access against a big-assed hash table, possibly causing problems with legitimate software. No thanks.
Who do email attachments target in windows? Windows newbies. Who run things as root without checking to make sure they're safe or thinking about what they're doing? Linux newbies and lazy people.
This virus would probably get me.. though I usually only get executables in packages made by my distro manufacturer (it's just easier and almost guaranteed to work), I find it annoying to su constantly, so I often just play around on my own box as root. I wouldn't administer a server that way (should someone ever be stupid enough to give me the responsibilities of doing so), but I don't think that's who the virus is targeting.
And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later, despite the fact that we all know that it doesn't check for buffer overflow and that a buffer overflow _can_ be used (read: _has_ been used in the past) to make a program execute code of the worm writer's choice and bring a significant part of the internet grinding to a halt.
Hasn't anyone here noticed that MOST if not ALL software written for Linux (GPL), either in source form or in binary form, comes with _ample_ information for contacting the author? Tell me how many Windows programs can boast the fact that if you have a problem, you can email the guy who wrote it and give props or scream a bit about a bug or something else? I don't know about the rest of you, but when I am seriously looking at a piece of software, I usually make sure I know who to go to if something goes hay-wire. If there was some trojan put into a source tree, then I'm sure the author would hear about it REAL quick. And fix it. REAL QUICK. I'm not even going to get into how you might be having snowball fights in hell before Microsoft fixes some random bug when it's reported.
You'd read all of the source that KDE or Gnome requires for compilation and installation?
Not likely.
It doesn't matter if it requires root privs to run. Most programs have to be installed as root, and that's all that is needed. The make install step can do something nasty without telling you (how many people fully read & understand the Makefiles in the above scenario?), or it can install a trojan version of ls or any other program.
In a real emergency, we would have all fled in terror, and you would not have been notified.
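A cheaper check than reading every Makefile in the tree is to ask make what the install target would actually do: `make -n install` prints each command without running any of them. The following POSIX sh function is an added example, not code from this thread or from any project; it filters that output for commands that write outside the chosen prefix, change ownership or set setuid/setgid bits, or fetch and run code during installation. The patterns are my own heuristics meant to shorten a human review, not to replace it.

```shell
#!/bin/sh
# Added example, not from the original thread: "make -n install" prints the
# commands an install target would run without executing any of them. This
# filter reads that output and flags commands that write outside the intended
# prefix, change ownership or setuid/setgid bits, or fetch and evaluate code
# during installation. The patterns are my own heuristics for a human to
# review, not any project's tooling, and a clean result does not prove the
# package honest (a trojan built into the binary itself will not show here).

# flag_install_cmds PREFIX  < output-of-make-n-install
# Prints "FLAG (reason): command" for each suspicious line; returns 0 if
# nothing was flagged, 1 otherwise.
flag_install_cmds() {
    prefix=${1%/}          # normalise "/usr/local/" to "/usr/local"
    flagged=0
    set -f                 # no globbing while we split command lines into words
    while IFS= read -r line; do
        reason=
        case $line in
            *chown*|*chmod*+s*|*chmod*[2467][0-7][0-7][0-7]*)
                reason="changes ownership or setuid/setgid bits" ;;
            *curl*|*wget*|*"sh -c"*|*"| sh"*)
                reason="fetches or evaluates code at install time" ;;
            *)
                # Any absolute path other than the command itself that is
                # not under PREFIX is a destination we did not ask for.
                first=1
                for word in $line; do
                    if [ -n "$first" ]; then first=; continue; fi
                    case $word in
                        "$prefix"|"$prefix"/*|/dev/null|/tmp/*) ;;
                        /*) reason="touches $word outside $prefix" ;;
                    esac
                done ;;
        esac
        if [ -n "$reason" ]; then
            printf 'FLAG (%s): %s\n' "$reason" "$line"
            flagged=1
        fi
    done
    set +f
    [ "$flagged" -eq 0 ]
}

# Typical use, before running the real "make install" as root:
#   make -n install | flag_install_cmds /usr/local
```

Anything flagged deserves a look at the Makefile rule that produced it; anything not flagged still ran with root's privileges, so the filter narrows the reading, it does not remove it.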
I like that.
I expect to examine a package when I plan on installing it on a system I use for many 'important' tasks.
Take two extra minutes and use a bit of caution when accepting a gift horse. A lot of programs come with source code, making it even easier to verify integrity.
Would the computer community in general not be better off learning how to be pro-active about computer security? Is this too much to ask of people in general? To follow a few instructions to make sure they are not installing some root kit?
I hope not. Then again, people are SO busy, and should not have to take time for such things as LOOKING OUT FOR THEMSELVES>:]
I guess thats just my opinion.
Cheers!
rsklnkv@houseofthedead.org
_____ "If liberty means anything at all, it means the right to tell people what they do not want to hear." -- Orwell
Yes, this is true. If the average secretary or receptionist ran Linux, a mail client with a feature set similar to Outlook would be demanded. It would then, most probably, be found to be more vulnerable than Outlook on Windows, owing to the history of attacks against Outlook and Windows, which have led to improvements in its security, but without sacrificing usability.
Remember that on a single-user system, the core objective of security is not to protect the system from the user (as on a multi-user one), but rather to protect the user from himself.
No. It's a virus - it attaches itself to an executable, and spreads to others by being run. A trojan horse is a program that is designed to look like some (legitimate) program, and may do what it advertises, but has some "extra" features that involve subverting security, damage and destruction (or some combination of those).
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
when was the last time you actually checked the code of something you've compiled?
This is a common strawman in discussions of viruses/trojans under Linux. Obviously no one has time to scan all the code they download for use on their systems. Fortunately, there are sites that you can trust offering the vast majority of software we use.
Receipt of an executable attachment is in no way similar to downloading files from gnu.org, [insert your favorite linux distribution here].com, idsoftware.com, etc. If you don't trust well-known packages from well-known sites (or mirrors linked from those sites) then you may as well hang it up right now.
True, but...
The issue is, the same people are vulnerable to this on linux, as are vulnerable on Windows -- the people who really don't know better.
It will be difficult to believe the linux community is serious about building an OS 'that grandma can use' until we accept that grandma really might 'fall for' the idea of a virus that needs to trick the victim into running as root.
So long as experts (or at least, knowledgeable users) who are serious about security are the only ones running a given OS, of course their machines will be safe from viruses.
Mahnamahna!
you clearly don't get it. if you had fully read his post, you would see that he's not as concerned with that type of attack.
imagine you're logged in as root, and instead of 'ls', you accidentally type 'sl'. unbeknownst to you, a trusted user had placed a binary named 'sl' in /usr/local/bin, which gets executed. game over.
the point is, you're taking a big risk when you have untrusted directories ANYWHERE in your $PATH.
The average Joe User doesn't know what an operating system is. Seriously. But at least they know what Microsoft Windows is.
I think that, apart from high system security, one of the main reasons that Linux virus infections are so rare is that they simply get caught quickly.
Imagine the following scenario: a person with an evil mind writes a piece of malicious software and posts it on the net. Two things can happen before the malicious part gets noticed:
1. A person reviewing the code finds it.
2. Someone experiences the consequences.
In either case, the word will be out fairly quickly, causing high alert and/or elimination of the software.
Spreading is just too hard...
Worms are of course another story, as we all know. Network security is harder to detect. But even worms have to exploit something, and these vulnerabilities (most of the time) also get fixed within a very short time after they have been discovered.
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallible. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Internet standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread among Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate countermeasures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infallible. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have begun to show off its experience, versatility, and resilience. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts, who are burned either more often or more severely by such a threat.
I'm often asked - `won't viruses for Linux start to appear once Linux gains more desktop users?'. And I always explain what it is about Linux and Unix-like operating systems in general that make this very unlikely (the strict separation between root and users in particular). However, at present we have a situation in which there is a very strong sense of mutual trust: if you see some code being offered for download in the usual places you know that it's very unlikely that it will harm your system if you build it / install it as root.
It is worth thinking about the possible dangers of these particular waters getting muddied - as Linux gains more users, there will be more people around with less sophistication about these matters and there could be more people deliberately offering dangerous code for download.
So there are some reasons for concern but they are based on faults in the potential users, not in the OS.
Roger Whittaker
SuSE Linux Ltd London
Yeah, that's fine for people who have some experience with Unix, but for Joe Random User who's just bought this new Red Hat thing 'cos his friend said it was quite good and he doesn't want to spend more money on Windows it doesn't really help. I mean, he's not going to instinctively sit down and start ntsysv and appreciate what 'nfslockd' and 'portmap' do and whether he does or doesn't need them; he's probably not even going to understand the concept of services for a while. It's basically the old argument about Linux on the desktop again: everything has to work properly out-of-the-box, not work well if you just tweak this configuration file and patch and recompile your X server or people simply won't bother and will run away screaming because of all the scary things they're now being exposed to whereas with Windows it 'just worked'. Now, personally I'd hate it if all the distributions became like Windows and had irritating wizards all over the place and friendly quickstarts and so on, but making the default settings for things like security right is not hard and wouldn't have any negative effects at all as far as I can see. I think Red Hat's firewall set up is a good compromise; of course, the way Debian does it (not enabling this by default, and so on) is far better, but whatever its advocates might say Debian is not really as user-friendly for newbies as Red Hat (or particularly Mandrake) and isn't really designed to be. That said, I started with it...
Not trying to sound like a troll, but this post is an example of what is holding linux back from being a major contender in the desktop OS market. Time and time again I see people saying that no self-respecting linux user would run a program without first examining the makefile and looking over the source. The VAST majority of home computer users would have no idea how to do that, and that is even assuming they had any knowledge of coding. How likely is it that a new user would download the source if a binary is available? Convenience and simplicity is what MS is targeting, and by all accounts it is working. Hate MS all you want, but the fact of the matter is that windows is run by virtually all home computers and is far more familiar and user-friendly for most simple tasks. It may not be as powerful, as secure, or as elegant as *nix, and though some may say it dumbs down the computing experience so that any moron can use a computer, that is precisely why MS owns the home computing market. The average person would not WANT to check the code for every program he or she installs, even if that person knew enough about linux and programming to make a difference. Sure, maybe all of those people that post on /. are smart enough not to get hit by this or any other virus, but /. readers do not make up the majority of computer users, as much as everyone wishes they were. Elitist attitudes about the linux 'community' are what keeps linux away from the general home computer community. As shown in this post, Linux users are just as bad at trying to downplay the possibility of being hit with a virus. Go count how many of the posts go on about how there is hardly any risk at all of viruses in Linux.
I use and love linux, but instead of finding the type of constructive development I was hoping to find on how viruses were playing a part in linux, I found a bunch of people pounding their chests as to how THEY are so damn good that there is no threat to them, and how if you actually are hit by this virus, there must be something wrong with your head.
Linux, and the Unix world in general, is so hard to write virii for *because* of the sheer heterogeny of it all. Sure, we've developed tools over the years to deal with such things (autoconf), but the fact remains that you're never really sure just what you're going to get when faced with a given machine that has "#" for its administrator prompt... in point of fact, we already *have* diversified.
And then there's the fact that most of the folks that own those hash prompts are, in fact, paranoid bastards who won't, in fact, install a random package from a random source without at least some recommendation, much less save out an ELF file, go "su", and run the darn thing.... or if he does happen to be Joe Sixpack, he's at least been shown by his guru buddy how to run whatever updater thingy the distro comes with, so he's at least got a good chance of having all the latest patches... unlike That Other OS, wherein the fix came in months before Code Red hit, and there were still a couple of million machines unpatched...
Of course, a large number of those machines were left unpatched because the "sysadm" didn't want to reboot the machine just to patch the darn thing... it still chaps my hide that patching a *service* (Universal Plug'n'Play comes to mind) requires a fscking *reboot*....
So, no, heterogeny (and good software update practices) are, in fact, already alive and well in the world of Tux and Chuck... and so are a few million pairs of eyeballs keeping watch over their systems by night just to see what they throw at us next.