Debunking the Linux virus myth
Rating: 4.0/5 (101 votes cast)

Written by Cypress
Wednesday, 16 July 2008

Linux and UNIX-like operating systems in general are regarded as being more secure for the common user, in contrast with operating systems that have "Windows" as part of their name. Why is that? When entering a dispute on the subject with a Windows user, the most common argument he tries to feed me is that Windows is more widespread, and therefore, more vulnerable. Apart from amusing myths like "Linux is only for servers" or "does it have a word processor?", the issue of Linux desktop security is still seriously misunderstood.

There are numerous reasons why a Linux PC is more secure from malicious software than a Windows PC. The most obvious is the way a user interacts with his operating system. Virus and worm writers make heavy use of social engineering to trick users into opening a file. One day you receive an attachment disguised as an image that promises you a heaven of naked movie stars, and without thinking twice, you click and open. No image there, but your antivirus may or may not go berserk in flashes of red. Linux users teach themselves to be more careful, and we know better than to log in as root for simple daily tasks.

A Linux virus is doomed from early conception, and there's a rough jungle awaiting. For an ELF binary file to get infected by a virus, the malicious program has to first get write access to other binaries. Prior to that, it must somehow disguise itself. Binary-only applications are so rare in the Linux world that any software not designed by a major development firm is subject to inquiry. After a day in the wild, someone will figure out that the binary file hides something else, and the element of surprise will be gone. We're used to having the source code at our disposal. Try hiding malicious code in plain text...

The diversity of distributions and packages is also a factor that drastically slows down the spreading of a virus. Unlike Windows operating systems, Linux distributions run on a great variety of architectures and that also tends to slow the virus spreading rate.

Windows users are accustomed to constantly running applications with administrative rights. The first account you create on a Windows XP machine is in most cases the only one you'll ever use, and that one has administrator privileges. It's fairly easy for a virus or worm to spread with all those doors open, while in Linux, after a user installs a fresh system and all the applications he needs, he seldom uses the root account. In most cases, even if an infected file is launched, it cannot propagate itself beyond the user's home directory, leaving the rest of the system intact.
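The two preceding points (a file infector needs write access to other ELF binaries, and an unprivileged account is confined to what it owns) can be checked on a real system. The following audit script is an added example, not part of the original article: it applies the standard POSIX owner/group/other permission check to every ELF file under the given directories and reports which ones a chosen account could overwrite. The sample tree, the uid 4242 and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the four ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def writable_by(st, uid, gids):
    """Classic POSIX DAC check: may the account (uid, gids) write to a file with stat st?"""
    if uid == 0:
        return True  # root bypasses the discretionary permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_elf_files(dirs, uid, gids):
    """Sorted paths of regular ELF files under dirs that the given account could overwrite."""
    hits = []
    for d in dirs:
        for p in Path(d).rglob("*"):
            if p.is_symlink() or not p.is_file():
                continue
            if is_elf(p) and writable_by(p.stat(), uid, gids):
                hits.append(str(p))
    return sorted(hits)


def run_demo():
    """Build a constructed sample tree and audit it from three accounts' points of view."""
    bindir = Path(tempfile.mkdtemp(prefix="elf_audit_")) / "bin"
    bindir.mkdir()
    # Constructed stand-ins for binaries: only the magic bytes matter to the check.
    (bindir / "normal").write_bytes(ELF_MAGIC + b"\x02\x01\x01")
    (bindir / "normal").chmod(0o755)          # typical root-installed binary
    (bindir / "world_writable").write_bytes(ELF_MAGIC + b"\x02\x01\x01")
    (bindir / "world_writable").chmod(0o777)  # misconfigured: anyone can overwrite it
    (bindir / "script.sh").write_text("#!/bin/sh\necho hi\n")
    (bindir / "script.sh").chmod(0o777)       # writable but not ELF, so not reported

    def names(uid, gids):
        return [Path(p).name for p in writable_elf_files([bindir], uid, gids)]

    return {
        "other_user": names(4242, {4242}),             # unrelated unprivileged account (constructed uid)
        "owner": names(os.getuid(), {os.getgid()}),    # the account that created the files
        "root": names(0, {0}),                         # root can rewrite everything
    }


if __name__ == "__main__":
    print(run_demo())
```

Run against real directories such as /bin and /usr/bin with your own uid and group set; a non-empty result for an ordinary user is exactly the "open door" the article says a Linux file infector normally lacks.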

Some Linux systems make use of chroot environments, making it even harder for a virus to multiply. And - again - a virus that cannot replicate itself, won't go very far.

Linux however is not completely immune. With enough help from the user and access to an administrator's password, viruses can do damage to your system. Let's take for example Bliss, a concept virus developed for POSIX-compatible systems. It was first sighted at the beginning of 1997 and lacks the stealth characteristics we see in modern viruses. It tries to infect and attach itself to binary files that are writable and copy itself on other machines through rsh. Being a concept virus, it even keeps a log of all infected files in /tmp/.bliss. Running the virus as root results in an attempt to patch the kernel source, if present. The fun part is that Bliss can be removed from the system by simply using the --bliss-uninfect-files-please option.

1996 was the year that the Staog virus was found in the wild. It exploited two buffer overflow vulnerabilities and a suidperl bug, remained resident and once it gained root access, infected every program a user launched.

Winux was called the first true cross-platform virus. It was capable of infecting both Windows PE executables and Linux ELF files. It used Linux as a means of propagation, and - being a good concept virus - it only changed the filenames of the infected Windows files to uppercase. The Linux.Ramen worm was built on the same principle as the now-famous Morris worm. It affected unpatched versions of Red Hat Linux 6.2 and 7.0 and manifested itself by replacing the webserver's main page with one that read "RameN Crew - Hackers looooooooooooove noodles". That is, if Apache was installed.

Another interesting piece of malware is OSF.8759. Files infected by this virus gain an extra 8759 bytes in size, while a backdoor part of the code tries to replicate and infect everything executable in the current directory and in /bin. The clever part is that OSF.8759 doesn't touch the /dev and /proc folders and starts listening on port 3049, providing a way for an outside attacker to execute certain commands on the target system. However, the virus doesn't infect more than 201 files at a time and can be quickly removed with this tool.

The Devnull virus tries to exploit a now-patched OpenSSL vulnerability. To do that, it first has to execute a shell script from a webserver, download and extract a gzip file, create a folder called /.socket2 in your /home directory, download another file, use GCC to compile a binary called sslx and execute another file to start scanning for vulnerable hosts. You don't need an antivirus for this one. If all these actions don't catch your eye, the newly-created files and directories will. Removal is as easy as deleting the devnull and sslx binaries.

As you can see, Linux is a rough environment for replicating malware. There are maybe 70 known viruses for Linux, including variants. In comparison with the hundreds of thousands of Windows viruses, that's a drop in the ocean. Some may ask what the need for Linux antivirus software is if the danger can almost be ignored. Antivirus software on Linux can be extremely useful to keep those Samba shares clean. Mail servers can also be scanned for infected attachments, so that Windows networks can remain safe. ClamAV is an excellent Linux antivirus program that can accomplish these tasks. Other notable names in the market would be Avast!, Kaspersky, Vexira or AVG.

However, if you're in a Linux-only environment, the only thing you should ask yourself is... what to do with the money you would have otherwise spent on antivirus products.

More on the subject of Linux viruses

  • http://www.geocities.com/sunnylug/linviruses.html
  • http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
  • http://www.securityfocus.com/columnists/188
  • http://vx.netlux.org/lib/vsc01.html
Comments

Cypress   | Super Administrator | 2008-07-19 02:00:45
Wohooo... 5661 reads since yesterday and 91 diggs so far...
http://digg.com/linux_unix/ Debunking_the_Linux_virus_myth_2

A.Faith   | Author | 2008-07-19 06:00:20
page not found :huh:
and I only see 5 diggs at the URL I dugg last night :dry:

Cypress   | Super Administrator | 2008-07-19 06:10:29
The page is there, it's just that there is a space between "/" and "Debu..."

A.Faith   | Author | 2008-07-19 06:47:48
do I smell a frontpage :D ?

Cypress   | Super Administrator | 2008-07-19 06:58:55
Let's hope so. And if it gets there, let's hope the server doesn't go down :D

adrian   | Registered | 2008-07-21 10:12:23
:woohoo: You made it to the front page on osnews.com. Congratulations!
http://osnews.com/story/20087/ Debunking_the_Linux_Virus_Myth
