New Approach To Malware Modifies Linux Kernel
Hugh Pickens writes "Professor Avishai Wool has unveiled a program to watch for malware on servers with a modification to the Linux kernel. 'We modified the kernel in the system's operating system so that it monitors and tracks the behavior of the programs installed on it,' says Wool. Essentially, Wool says, his software team has built a model that predicts how software running on a server should work (pdf). If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. 'When we see a deviation, we know for sure there's something bad going on,' Wool explains. Wool cites problems with costly anti-virus protection. 'Our methods are much more efficient and don't chew up the computer's resources.'"
It's stopped me from running Vista in a VM...
Is this not the very premise that caused the Amazon cloud shutdown? A failure to communicate back proper activity illogically deduced that there was an improper activity?
Great, sounds exactly like what people have been doing with selinux and capabilities. But selinux acknowledges we don't always do the same things with our computers as the next guy... Will this approach be as flexible?
I don't want to boohoo his research, it's probably fine, but the article summary just gets my goat. Malware is a lot more complicated than most anti-malware software authors make it sound, and false positives are the biggest/most complicated problem they have to deal with, especially in automated systems that block like this...
I could be wrong but this sounds like the heuristic scanning features that have been in Norton Antivirus and other A/V utilities for almost a decade now, where it searches for out of the norm items and reports or blocks them, such as a program deciding to write to the MBR, or a program using raw disk I/O to write to the hard disk.
They recently unveiled a unique new program called the "Korset" to stop malware on Linux...and once it reaches its full potential it could put anti-virus software companies out of business.
Doesn't our economy have enough problems? Do we really need to put Linux anti-virus vendors out of business? Next we'll probably drive the ice vendors in Alaska to bankruptcy!
I'm a big tall mofo.
From the paper: "The resulting model is an automaton that represents the legitimate order of system calls that an application may issue. This automaton is then enforced by Korset's monitoring agent, which is built into the Linux kernel, by simulating every emitted system call."
This is not likely to work for scriptable applications (Apache, Java-based servers, etc.) The order of calls is determined by the script, not the underlying executable.
If I stop surfing pr0n will it detect that anomaly and halt my browser?
Will that crash my gnome desktop too?
Oh NO!
....I thought that was the philosophy behind AppArmor (http://en.opensuse.org/Apparmor).
It's been deployed in SuSE products for years.
Regards;
But this looks a lot like SElinux or AppArmor, except that the application profiles are constructed by static analysis of program code, rather than by hand, or by observing the app during a "training" period. The linked paper indicates that it is still in a rather rough state; but it looks quite promising.
I really don't think Linux has problems with malware. I think there is another operating system having more trouble.
As far as I know virus scanners are used on servers mostly to check data that goes through it (example: email server); this data will however not be executed on the server.
It's called TRON. It's a security program itself, actually... It monitors all connections between our system and other systems. If it sees anything going on that's not scheduled, it shuts it down.
SELinux controls what resources are used and where. This sounds like it monitors HOW processes behave. SELinux is overhyped. This sounds like a nightmare to configure and control the heuristics. You tweak it and tweak it to avoid false positives and then, inexplicably, it fails to stop something, and what good was it?
So they are comparing the program behavior and matching it with a stripped version of the source code or the object file. Great! But what are they protecting themselves against exactly? If some virus tampered with the content of a binary or a shared object, wouldn't it be more effective to implement a (trivial) checksum-based integrity mechanism? And if a black hat managed to feed a shell code through a buffer overflow, how will this tool distinguish between a legitimate fwrite in the software logfile against an fwrite to some other part of the disk?
Also, their fwrite example already yields a highly complex graph. I would like to see what snprintf gives, not to speak about any real-life software (say, a Java Application Server). You can't automatically predict what path a program will follow by just looking at the code (otherwise you would solve the halting problem), so I guess a non-trivial program would give something like "any system call will occur anytime".
OK, what this is doing is watching for code injection attacks (buffer overflows, stack smashing, etcetera) by building a model of how each specific application is going to operate, and blocking system calls that the model of the application would never make. It seems like an interesting approach, though it may not be as useful on Windows where there's not such a formal distinction between system calls and other kinds of calls.
It won't do anything about interpreter code injection (eg, SQL injection or shell code injection) or script privilege escalation attacks (eg, ActiveX and other "cross zone" attacks in Internet Explorer), or attacks that involve complete executable code drops.
Still, this is useful and not nearly as dodgy as the article made it sound.
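The automaton quoted from the paper a few comments up (a model of the legitimate order of system calls, simulated in the kernel against every emitted call) and the point made just above that such a monitor blocks calls the model of the application would never make, as an added example that is not part of the original thread and not Korset's code: a small Python simulation of a system-call automaton run over traces of syscall names. The automaton, the "logging daemon" model, the state numbers and the traces are all constructed for illustration; in the real system the enforcement point is inside the kernel and sees the real calls.

```python
"""Toy simulation of a Korset-style system-call automaton (constructed example).

States are integers; an edge (src, name, dst) means "from state src the
program may legitimately issue system call `name` and end up in state dst".
Several edges with the same name from one state make the model
non-deterministic, which is what static analysis of real code yields when a
branch cannot be resolved ahead of time, so the monitor tracks a *set* of
possible states rather than a single one.
"""
from collections import defaultdict


class SyscallAutomaton:
    def __init__(self, start=0):
        self.start = start
        # state -> syscall name -> set of successor states
        self.edges = defaultdict(lambda: defaultdict(set))

    def add(self, src, name, dst):
        self.edges[src][name].add(dst)
        return self

    def step(self, states, name):
        """All states reachable from `states` by issuing `name`."""
        nxt = set()
        for s in states:
            nxt |= self.edges[s].get(name, set())
        return nxt

    def check(self, trace):
        """Simulate `trace` (a list of syscall names in emission order).

        Returns None if every call is explained by the model, otherwise the
        index of the first call the model can never make at that point; a
        kernel-side enforcer would refuse that call instead of returning.
        """
        states = {self.start}
        for i, name in enumerate(trace):
            states = self.step(states, name)
            if not states:
                return i
        return None


def build_logger_model():
    """Constructed model of a tiny daemon: open its log, then loop reading a
    request and appending one line (or, on one branch, two lines) to the
    log, and finally close the log and exit."""
    return (SyscallAutomaton()
            .add(0, "openat", 1)
            .add(1, "read", 2).add(2, "write", 1)                      # normal request
            .add(1, "read", 5).add(5, "write", 6).add(6, "write", 1)   # two-line branch
            .add(1, "close", 3).add(3, "exit_group", 4))


def permissive_model(names):
    """The degenerate 'any call at any time' model that a failed static
    analysis of a large program collapses into: one state with a self-loop
    per call, so it can never reject anything."""
    m = SyscallAutomaton()
    for n in names:
        m.add(0, n, 0)
    return m


# Constructed traces (syscall names only, which is all the model sees).
LEGIT_TRACE = ["openat", "read", "write", "read", "write", "close", "exit_group"]
DOUBLE_WRITE_TRACE = ["openat", "read", "write", "write", "read", "write", "close", "exit_group"]
# A request that hijacks control flow and spawns a process: execve never
# appears in the daemon's model, so the call at index 4 is refused.
INJECTED_TRACE = ["openat", "read", "write", "read", "execve", "write"]

if __name__ == "__main__":
    model = build_logger_model()
    for label, trace in [("legit", LEGIT_TRACE), ("double write", DOUBLE_WRITE_TRACE),
                         ("injected", INJECTED_TRACE)]:
        print(f"{label}: first rejected call index = {model.check(trace)}")
```

Two things the simulation makes visible that the summary does not: the monitor only sees call names and states, so the "fwrite to the log versus fwrite elsewhere" question raised earlier is real (both are a `write` and both are accepted), and the non-deterministic branch is handled by carrying a set of states, which is also why a model that static analysis cannot resolve degrades into `permissive_model`, the "any system call will occur anytime" case.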
Not meaning to be 'dork' about this, per my subject line, but... pointing out some facts:
New MacOS and Linux virus found in the wild:
Per my subject-line? Linux does INDEED, have viruses (no immunity, sorry to blow your 'illusion'):
http://it.toolbox.com/blogs/locutus/new-macos-and-linux-virus-found-in-the-wild-15440
From 2007... but, point IS there (for both Linux AND the MacOS X too)
APK
P.S. => Also, from the "POV" of say, a botmaster or otherwise misguided person - THINK about this, for a second:
Say, YOU were out to 'make monies' suckering others via botnets etc. OR, just out to "blow their machines" & do other mischief... wouldn't YOU attack the largest block of users out there, & those possibly/potentially less "technical" than a std. *NIX head might be??
(After all, isn't *NIX & its variants GENERALLY the province of more "geeky types" (excepting MacOS X that is, it's built to be "usable by gramma" etc. et al), that most likely could not ONLY shut the damn thing down & spread it to others quickly in the *NIX community how to do so, but also, attack back...? You'd most likely avoid them...
Thus, Windows IS going to have more of this happening, because it's more used. Plus, javascript + iframes (biggest attack vectors there is via webbrowsers &/or email programs no less the past 3-5 yrs. now)... do they run on LINUX &/or *NIX in general? Yes, they do. You're, in theory, JUST as vulnerable... just not as oft targeted... apk
This was about 10+ years ago.
The guy was from the IBM Zurich Lab, and was pushing to get it implemented in the AIX kernel.
It's probably patented, but IBM does allow a bunch of patents to be used for Linux. Or maybe he lost his funding and his project died.
If I'm bored tonight, I'll try to google it out.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I've suffered through at least one motherboard whose BIOS attempted to detect and stop viruses. What a phenomenal pita that was. I can't see kernel based virus prevention being a lot better.
The link you sent us to is just double speak and presents no evidence of any virus found in the wild, except for one person's wild claim and even more bizarre explanation of how this "virus" is supposed to work. Sadly he is describing the action of a worm, not a virus, so even that is wrong.
This is drivel - it assumes that a static binary analysis can be used to predict the dynamic behavior of a non-trivial application, with zero false positives. Unless of course, "benign intent" equates to "trivial". As a concrete counter-example, witness the (rather old) Solaris telnet bug wherein a specific input string coupled with a particular environment variable could result in the skipping of requiring a password. A simple model based upon the CFG would indicate that this is a legitimate possibility. My qualifications in this area: multiple product-grade binary translators and binary optimizers; former developer (Okena/Cisco) of a HIPS (Host Intrusion Prevention) system where we actually had to worry about this kind of problem.
It creates (at compile time) an automaton representing the system call activity of the program
At compile time of the program? So in addition to a modified kernel you need a modified gcc and to compile everything from source or have a specialised distro? It doesn't surprise me that the summary should be lacking such details, but it would be nice if for once it gave a decent overview.
CylantSecure has been doing this for about 8 years. They put hooks in the kernel and run a model to detect deviance in the kernel processes from the model. The model can be generated from usage and modified to fit changes in usage. So, is this new korset open source? If it's not, it's not news.
So that means Office 2003/7 running on wine will be seen as malware. Well, I guess that isn't such a bad thing.
Cheers.
Not sure how this is better than what grsec and selinux does... They might be better suited to writing selinux modules than trying to reinvent the wheel here with what basically sounds like role based access control (RBAC) found in selinux
"We modified the kernel in the system's operating system so that it monitors and tracks the behavior of the programs installed on it"
If they modified the Linux kernel, then they modified the Linux operating system and not just the kernel, because Linux is a monolithic kernel and not a microkernel...
I'll try to run the famous :(){ :|:& };: shell example
When & if Linus Torvalds (or whoever the benevolent dictator of the kernel is nowadays) includes it into the main kernel source tree...
Sounds like a good idea to me, I just want to see what the Linux kernel pros think of it...
Politics is Treachery, Religion is Brainwashing
Sounds from the summary at least (hey, it's slashdot, I haven't read the article) that it's similar in some ways to the service profiling in Vista. The service profiling means that the dev looked at what the service needed to do to be able to run and gave it only those permissions, restricting the damage it could do if it were compromised. This seems to extend that to give the kernel the intelligence to baseline the services itself, and then restrict activity when the baseline activity changes.
Check the date of the entry.
Untrue, see here:
http://www.securityfocus.com/columnists/188
SALIENT QUOTE:
"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux"
There you go, & so much for your "refutation"...
APK
Hmm, am I missing something here.
What he is describing is something that best AV packages have done on Windows for past couple years.
You link to some random asshat (probably yourself) who links to a dead link. Nice try.
Sorry to blow your illusion, but that's just pathetic.
Sorry, but how fucking retarded are you?
Let's ignore the fact that this was posted on 1st April. No, let's look at the article in question..
Did you even read this or are you so desperate to prove your point that you googled and pasted in any article you could find to prove your point?
1. Linux has no viruses. Why would we need something like this?
Because Linux has vulnerabilities which can be (and have been in the past) used to take control of a system, and this is an attempt to fight that. All viruses are malware but not all malware are viruses.
2. If they're going to make a list of the behaviour of _every_ program, then that list would be HUGE, and take petabytes. A blacklist is a lot easier to make and keep up.
Unless I'm mistaken, this only needs a whitelist for the software installed on the system, so it won't be that big and a whitelist is safer from a security point of view (uptime may be problematic, though, depending on the number of false positives).
3. This still wouldn't protect the weakest link: the user. If a virus asks the user :" Add IAmATrojan.exe to the whitelist ", a lot of people would do it. Heck, if you even need a normal anti-virus, you're too stupid to work with computers.
Because this is primarily aimed at servers, and if someone with access to your server's whitelist is clueless enough to fall for that, you have *MUCH* bigger problems than a piece of malware, believe me.
No problem is insoluble in all conceivable circumstances.
"Malware" is an unfortunate choice of words here.
While desktop Linux doesn't have the same malware problems as Windows, we still have problems with random server programs being compromised. This approach is actually, I think, more effective on the server than the desktop.
Firefox, say, has a much larger variety of behavior than bind. Firefox can do anything; bind does the same thing over and over and over.
Since Firefox does more varied stuff, this system call profiling approach would see more of its behavior as "normal". But because bind does the same thing over and over, almost every behavior is outside that norm, and would be caught.
While it is true that there are viruses for Linux and it is a smaller target, they are not JUST as vulnerable; the entire UNIX base (small programs that do little and user privilege restrictions) makes UNIX systems much more secure from the start. It's also pretty much impossible to infect a well secured system (SELINUX + PAX + hardened toolchain) and this seems like an extra layer to provide automated selinux-like functionality.
IranAir Flight 655 never forget!
So what can you say about programs using glibc? What if innocent functions like fopen(3) call setuid(2)? What if they do it only after an update of glibc?
Post tenebras lux. Post fenestras tux.
I did, and noted it was from 2007, on my first posting, & 2003 in my second one from SECUNIA... showing there are, indeed, virus/worms etc. et al for Linux also (UNIX and MacOS X as well).
That utterly refutes the initial poster's stating "THERE ARE NO VIRUSES FOR LINUX"... putting it bluntly? That's horsecrap.
The second post of mine also merely aids in refuting what the replier stated, showing evidences/the presence of 40 KNOWN viruses for Linux, AS FAR BACK AS 2003 in fact (& they did not just "go away" & probably indicate that there are actually more, NOW).
AND, my citing is from a very reputable site in the area of security, in SECUNIA.COM...
Again, which, indeed states that there are viruses for Linux, period!
(So thus, the 'puny old trick of that is stale information' on your part? Doesn't change a thing, period!)
Better luck next time Linux penguins, in spreading around yet more "F.U.D." like usual.
APK
P.S.=> What "blows me away", is that so many of you Linux 'zealots' can't accept reality... especially that the very reason your OS does not take the "top spot", especially on the end-user desktop, is imo, because you don't have the wealth of wares for the sheer variety of purposes that users want, productivity apps to games, that Windows enjoys... as well as the sheer abundance of device driver & hardware support Windows has as well! apk
WTF?
Why doesn't the gene pool have a life guard?
This actually isn't new. Systrace has been doing this for years. And it runs on more than just Linux.
Please correct me if I got my facts wrong.
you could always do something crazy like read the article.
Just stay by your computer and the men in white coats will be with you shortly.
Somehow, this technique reminds me of the (obviously rather simplistic) description of the functionality of the Tron program from the movie of the same name. From the script:
DILLINGER
[...]
What's the thing you're working on?
ALAN
It's called Tron. It's a security
program itself, actually. Monitors
all the contacts between our system
and other systems... If it finds
anything going on that's not scheduled,
it shuts it down. I sent you a memo
on it.
DILLINGER
Mmm. Part of the Master Control Program?
ALAN
No, it'll run independently.
It can watchdog the MCP as well.
This sounds just like Cylant Secure which was released in 2002. I believe that the company is defunct now, though. They had a profiling system built into the kernel that you trained with normal behaviors and then put in secure mode. If anything deviated from that profile various actions could be taken like halting a process or adding the offender to a blacklist/firewall rule. In particular it profiled the network stack and system calls.
I should mention that I was the college student who wrote the prototype system that was spun off into the commercial venture that became Cylant Inc.
This isn't anything specifically to do with malware.
As far as I can see, this verifies that the binary currently running is the same binary that was compiled from a (trusted) source.
When you compile it, it knows (from the source) what the program will and won't do. If the program deviates from that, it dies (as it's been replaced by malware, presumably).
If I'm wrong, please correct me...
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
All the gibberish about "viruses for linux" and such self-same security matters...
Excuse me, I don't quite get it. A Linux system is as secure as the admin wanted or cared to fasten it. Period.
If/once bad guys have managed to meddle with it in whatever way, there is no use killing this or that seemingly misbehaving app; there is only one way to rectify matters, and that is, pull the power cord and call the admin in and have him inspect the matter. A particular, named human is in charge here, not a "vendor" nor a contracted third party.
At this point I wonder, if the very subject matter of the article and the research at large it underlies, is just a marketing push of AV companies to plant a foot where there's no foothold for them? They all belong and flourish in "Windows ecosystem", where they enjoy the same rights as malware proper. Why introduce them both in Linux?
"While it is true that there are viruses for Linux and it is a smaller target, they are not JUST as vulnerable; the entire UNIX base (small programs that do little and user privilege restrictions) makes UNIX systems much more secure from the start. It's also pretty much impossible to infect a well secured system (SELINUX + PAX + hardened toolchain) and this seems like an extra layer to provide automated selinux-like functionality." - by RiotingPacifist (1228016) on Sunday September 28, @04:45PM (#25186999)
Agreed on there being viruses for Linux, just not as many because it is not as targeted (for the reasons I stated in my first post most likely)...
AND?
On SeLinux & hardening?? You're correct... &, additionally, I hear you about SeLinux (or other tools like AppArmor in other Linux distros as well), but...
I.E., as far as SeLinux? Well - It appears that generally YOU yourself, have to USE IT, manually, & set it up (much like SCW for Windows Server 2003)... &, just like security-hardening Windows it seems, there is some manual labor involved!
See the 1st page of that URL below in fact, for some proof thereof:
---
Evidenced by a posting I have done for Windows users in fact, late last year, as to "security hardening" Windows (&, even an SeLinux bearing distro, SuSe Enterprise):
HOW TO SECURE Windows 2000/XP/Server 2003, & EVEN VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (&, more):
http://www.tcmagazine.com/forums/index.php?s=00c84096252cd4648befe541d41ecf9d&showtopic=2662
(Currently, iirc, since Dec. 2007, this one has gained over 200,000++ views worldwide, & additionally got me paid via winning PCPitStop's monthly tech posting contest, for January 2008... it works!)
I say this, because, it has been tested via numerous others using it & months later stating they AND THEIR CLIENTS' systems, even that of kids & teens, no less, which have not been infected/infested, since this guide's points were applied!
Screenshots ARE there, from one of your members here in fact no less, as regards an SeLinux bearing distro, in SuSE Enterprise edition iirc!
On SeLinux bearing distros even?? Once more - Apparently, to gain its FULL functionality, & harden Linux via SeLinux usage, for yourself... it's some work!
(In fact/again - Evidence of that from one of your own here (Bert64) is there, using SuSe Linux (an SELinux bearing distro) showing by default? Linux doesn't score any better than Windows does (46/100 scores) by default... HOWEVER - "security-hardened" though? BOTH Windows & Linux can gain 90++/100 range type scores!)
Yes, sure - Comparing "Apples to Oranges", in diff. OS' yes, but the point IS there... That they BOTH are relatively "open/unsecured" out-of-the-box, oem-stock, is the MAIN thrust/point of my statements here in my reply to you!
---
It is a guide I have been building steadily onto since 1997 in fact, for Windows users... an outgrowth of my first article online in "Article #1" over @ NTCompatible.com, & this is its CURRENT 'evolution'...
It deals mainly in how to SECURE (&, even speed up) Windows, & it has been quantified via CIS Tool!
(I have been improving each year I discover more & new ways to do so in fact, & tested via the multiplatform CIS Tool (which runs on variants of *NIX as well, inclusive of Solaris, BSD-variants (no MacOS X version yet though, sorry), PLUS Linux distros))
---
The exact SAME can be done for Windows, as SeLinux can do (via SCW for instance, or Microsoft Baseline Security Analyzer + other tools native to the OS, such as Registry &/or FileSystem ACL's & more)... and, Linux (even SeLinux &/or AppArmor bearing distros) is NOT as well secured out of the box, oem-stock, as you may think - proof of this is below
if you even need a normal anti-virus, you're too stupid to work with computers.
What if you want to download a freeware program to perform a task, but want to know if it's infected? What if your system has a zero day exploit and has been infected without you knowing? Anti-virus scanners are unfortunately a necessity when it comes to using pre-compiled binaries.
If you are never going to connect to the net or removable storage, and only use software that you have written yourself, then yes - anti-virus is unnecessary
which is totally what she said
I reviewed a product that was designed to do exactly this back in the summer of 2002. Couldn't get it to work properly. The review (which I can't find a link to at the moment) appeared on linux.com in the summer or fall of 2002. I think the company which made it was based out of Florida.
Strange seeing this came back up again after six years.
Maybe this sounds stupid, but in a weird way this reminds me of this little project here, and I think it is the wrong approach, no matter the subject. It might work better on a computer system because a lot can be predicted, complexity is simpler, but I can see the same kind of false positives occurring with this system as well.
The consequences of course have a different quality of impact, this isn't dealing with human lives, but there still might be a lot at stake.
Power corrupts the few, while weakness corrupts the many.
http://linux.slashdot.org/comments.pl?sid=978861&cid=25186999
Others who are Linux fans agreed there are LINUX viruses also, see the URL above... &, if that is not proof enough...?
It's ENTIRELY possible your DNS server hasn't fully cached or resolved the URL I posted above, which is why you cannot see it, or you are using some form of blocking locally on that URL, such as a HOSTS file entry!
(However, as the URL above notes? Others apparently saw it though, & even admitted the existence of viruses on Linux also)
Take your pick, but... either, you are just so "loathe to admit it" that there are viruses on Linux, you are just playing games.
Either way? It seems you are outnumbered, outgunned, & have to eat your words (that there are NO LINUX viruses, & sorry... there are! Less than on Windows, but... they are there (which makes sense - Linux users are less targeted for many reasons, I listed some possibles in my init. post in fact))
APK
"Sorry, but how fucking retarded are you?" - by Anonymous Coward on Sunday September 28, @04:20PM (#25186783)
Ok, evidently? Not as "retarded" as yourself (it's either THAT on your end, or, you are just "loathe to admit it") so...
HERE IS A FAIRLY RESPECTED WEBSITE IN REGARDS TO LINUX VIRUSES, in SECURITYFOCUS.COM, & their statements on this issue:
http://www.securityfocus.com/columnists/188
SALIENT QUOTE:
"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux"
I guess because I can find something you do not like, & make you look quite asinine in the doing of it, I must be 'retarded', eh? I wonder who really is, now, @ this point??
APK
Run it under a dummy user account.
Anti-virus doesn't protect you from zero-days either. If you want to check for infections, your best bet is to use some kind of tripwire software (with signed hashes stored and checked offline).
Then don't use pre-compiled binaries. Or like I mentioned above, use dummy accounts. Or try out the different tools for limiting system access (selinux, etc).
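The "trivial checksum-based integrity mechanism" suggested earlier in the thread and the "tripwire software with signed hashes stored and checked offline" recommended in the reply above, as an added example that is not part of the original thread and not any tripwire product's code: a Python manifest of SHA-256 file digests, authenticated with an HMAC under a key kept off the monitored host, and a verifier that reports modified, missing and unexpected files. The key, paths and file contents are constructed; files are passed as an in-memory mapping so the example runs without touching the disk, whereas a deployment would hash the real files and keep the manifest and key on read-only or offline storage.

```python
"""Tripwire-style integrity check with a keyed manifest (constructed example).

A manifest maps each protected path to the SHA-256 of its contents and is
tagged with an HMAC under a key that stays offline. Verification first
checks the tag (so an attacker who patches a binary cannot simply update
its hash in the manifest) and only then compares current file digests with
the recorded ones.
"""
import hashlib
import hmac
import json


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_tag(entries: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the path -> digest table."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    entries = {path: file_digest(data) for path, data in files.items()}
    return {"entries": entries, "tag": manifest_tag(entries, key)}


def verify(files: dict, manifest: dict, key: bytes):
    """Return (manifest_authentic, findings).

    findings maps a path to 'modified', 'missing' or 'unexpected'. If the
    manifest tag does not verify, findings is empty: a manifest that cannot
    be trusted gives no useful per-file verdicts.
    """
    entries = manifest["entries"]
    if not hmac.compare_digest(manifest_tag(entries, key), manifest["tag"]):
        return False, {}
    findings = {}
    for path, expected in entries.items():
        if path not in files:
            findings[path] = "missing"
        elif not hmac.compare_digest(file_digest(files[path]), expected):
            findings[path] = "modified"
    for path in files:
        if path not in entries:
            findings[path] = "unexpected"
    return True, findings


# Constructed baseline: pretend contents of a few protected files.
KEY = b"constructed-offline-key-not-for-real-use"
BASELINE = {
    "/usr/sbin/named": b"ELF...named binary (constructed)",
    "/lib/libc.so.6": b"ELF...libc (constructed)",
    "/etc/named.conf": b'options { directory "/var/named"; };',
}
MANIFEST = build_manifest(BASELINE, KEY)

# Constructed post-compromise state: named was replaced, an extra file appeared.
TAMPERED = dict(BASELINE)
TAMPERED["/usr/sbin/named"] = b"ELF...replaced named (constructed)"
TAMPERED["/tmp/.dropped"] = b"constructed unexpected file"


def forged_manifest():
    """A manifest rewritten to match the tampered files but without the key:
    the hash table is consistent, the tag is not, so verify() rejects it."""
    return {"entries": {p: file_digest(d) for p, d in TAMPERED.items()},
            "tag": MANIFEST["tag"]}


if __name__ == "__main__":
    print("clean:   ", verify(BASELINE, MANIFEST, KEY))
    print("tampered:", verify(TAMPERED, MANIFEST, KEY))
    print("forged:  ", verify(TAMPERED, forged_manifest(), KEY))
```

The point of the tag is the "signed" part of the advice above: a plain checksum list stored on the host protects only against tampering that forgets to update the list, while a keyed or signed manifest with the key held offline turns every unauthorised edit of the list itself into a detected event. Note that a whole-manifest tag does not by itself catch a malicious *update* of glibc (the question asked elsewhere in the thread); that is a question of who is allowed to rebuild the manifest, not of the check.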
How does this thing deal with plug-in/add-on based systems like Firefox or Eclipse, where new capabilities get added to the executable through dlls (or java classes, I guess, in the case of Eclipse? - Although, with regards to Java, I wonder if this system would work at all, since I think the kernel never exactly 'sees' Java programs or classes as executables, but only the JRE, which already has all the system calls built into it?)
It seems to me this is really close to what SysTrace has done on BSD systems for years. It is quite surprising that Linux did not have such a defense already.
the article continues to say that those 40 have never been seen in the wild because they were research projects. it then links to a webpage called WildList, claiming that some viruses for Linux (sic) are mentioned there. the article is from 2003. i've been browsing WildList for the last 15 minutes, working my way back through 2008 and 2007 and have yet to find a virus for Linux (sic).
face it, there aren't any gnu/linux viruses in the wild, despite the fact that gnu/linux has a majority share of webservers---exactly those computers you would most like to infect.
It will just start answering your viagra spam.
The 2007 link is 4/1/2007, you moron.
The user who trains the model has to be knowledgeable. That is the same requirement as selinux. It should be possible to make SELinux trainable too (maybe there is software that already does that, I never checked), but you still need expert users who understand what an application does at the OS level.
This kernel plugin is a kind of tripwire on steroids.
"The 2007 link is 4/1/2007, you moron." - by Anonymous Coward on Monday September 29, @03:37AM (#25191433)
A RESPECTED WEBSITE (AS REGARDS LINUX VIRUSES), in SECURITYFOCUS.COM, & their statements on this issue:
http://www.securityfocus.com/columnists/188
SALIENT QUOTE:
"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux"
I am correct, you are not, & are ranting like a frustrated spoiled child now on your part... hilarious!
APK
P.S.=> Reduced to "name calling" on your part I see, lol: That is about all you have, which is nothing... apk
That is the second time I see someone complaining that it won't work on scripts, and the parent is a very well constructed answer to that.
Rethinking email
Red Hat, Fedora Servers Compromised:
http://linux.slashdot.org/article.pl?sid=08/08/22/1341247
"gnu/linux has a majority share of webservers" - by howlingmadhowie (943150) on Monday September 29, @02:49AM (#25191245)
LOL, at this point, judging by your spinmaster tactics so far? I suppose you're going to try to tell us all now that "LINUX SERVERS ARE INVULNERABLE", right? It seems even the "horses' mouths" in their distro makers can't make it so...
PLUS - The ONLY reason THAT Linux servers are more used, is because it is cheap...& businesses don't like to spend.
Linux zealot: Additionally, You can try to put ANY KIND of "spin" on it, but others know there are viruses for Linux, such as SECURITYFOCUS.COM noting it, & even evidenced that for me... so much for your "spinmaster tactics"!
QUESTION: Does javascript run on Linux? Do WebBrowsers & Email Programs run on Linux?? Are WebBrowsers & Email Programs subject to using javascript to foist exploits on the machines they run on???
ANSWER: YES to all of the above.
(Thus, Linux can be "hit" by the same type of things you see happening to Windows, period, as well!)
Nobody attacks Linux because there aren't enough users to make it worthwhile mainly.
E.G.-> If you're a botnet master you go after the LARGEST BLOCK OF POSSIBLE USERS so you have a large body of zombie machines you can control (so you can, say, DDOS other systems via those controlled machines, & the largest block of users out there use Windows because it has more softwares for any conceivable purpose, and more hardware/driver support for more hardware, period!)
APK
P.S.=> You guys are hilarious... you really are. You CAN'T STAND your OS of choice is in "last place" (not that it's horrible, it's not, but... apparently, it's "2nd rate" in the view of those in the world out there using softwares daily on the job on their workstation desktop, or, at home (where it matters most on the latter 2, & why is that, I wonder?))... apk
"While it is true that there are viruses for Linux and it is a smaller target, they are not JUST as vulnerable" - by RiotingPacifist (1228016) on Sunday September 28, @04:45PM (#25186999)
QUESTION(s): Does javascript run on Linux? Do WebBrowsers & Email Programs run on Linux?? Are WebBrowsers & Email Programs subject to using javascript to foist exploits on the machines they run on???
ANSWER: YES to all of the above.
(Thus, Linux can be "hit" by the same type of things you see happening to Windows, period, as well!)
The "DOM" (document object model) used IS the weakness here, really!
( & iirc, it's not any diff. regarding javascript (the largest used 'attack vector' there is, & you can verify this by the root cause of MOST of the attacks out here for the past 1-4 yrs. now, even in bad adbanners having this happen, @ a spot like SECUNIA.COM in fact) on Linux than it is on Windows).
"the entire UNIX base (small programs that do little and user privilege restrictions) makes UNIX systems much more secure from the start. It's also pretty much impossible to infect a well secured system (SELINUX + PAX + hardened toolchain) and this seems like an extra layer to provide automated selinux-like functionality." - by RiotingPacifist (1228016) on Sunday September 28, @04:45PM (#25186999)
IF you read the URL article I put up in my first reply to you, then, you'd see the same type of tools exist for Windows, such as automators like SCW (security configuration wizard on Windows Server 2003 for example) &/or MBSA (Microsoft Baseline Security Analyzer), as well as built-in tools for fine-grained permissions to files/folders etc. called ACL control.
(in fact, it's said that on Windows? Even BETTER ones exist, & especially @ the "ACL" level than exist on *NIX's in general by default... Especially by default (distros w/out AppArmor OR SeLinux), especially in regards to 'fine grained permissions' for file/folder/object accesses (analog on LINUX is MAC (mandatory access control), iirc)
APK
That makes sense. Thanks to Microsoft, most if not all linux zealots are already paranoid thinking someone is out to get them. Read any MS story and you see the zealots shit their collective pants trying to come up with new spin for the newly indoctrinated to lap up and hate MS. But theres a silver lining, You wont see them run any random executable or open some random email with a nice payload. Which is good because it keeps the community safe and also when explaining any shortcomings of linux you can just blame evil MS. Its a win/win. A bit cultish for my taste, but hey whatever floats your boat.
http://en.wikipedia.org/wiki/Usage_share_of_desktop_operating_systems
The 40 viruses are expected given the miserable market share. Note that this is not the 'good' kind of low market share, like lamborghinis.
Microsoft isn't "evil", they're in business, to MAKE MONEY... a nice side effect is that they DO improve their product line, because of OS' like Linux improving, imo @ least (as well as Ms' own impetus to do so).
I agreed on the "share of market", in regards to how often an OS gets attacked, in my initial posting in fact, do refer to it, if need be on your end.
&, it makes sense!
I.E.-> Why on earth would a botmaster, for instance, want to seize the LEAST used OS there is, which would yield up the least possible # of 'zombiable' rigs... & which generally has "savvy users" (more techie types) who can most likely easily ID it, if not kill it, & possibly even attack the one doing the controlling?
They WOULDN'T, & would avoid it, like a plague, for all of the reasons noted.
(CONVERSELY, most folks that use Windows do so, because it is easier (less tty terminals work etc., more wizardy control interfaces, vs. playing around in arcane config files in etc or usr/home et al), & they're less "techie" most of the time, so, it gets attacked the most - as well as there being more Windows users out there period, thus, more possible "zombied rigs" attackable, easily, w/out retaliation as well))
APK
P.S.=> Now, were Linux the #1 most used OS there is? You can BET YOUR BOTTOM DOLLAR, it'd be under the type of level of attacks that Windows is... it just makes sense! Mainly, imo @ least? Because the javascript DOM is in place on Linux, in its email programs &/or webbrowsers too... & THAT? That is the #1 most used attack vector present today, thus, it'd be JUST AS DOABLE, TODAY, ON LINUX, as it is on Windows, today... apk