More FUD about potential linux viruses

Story: The truth about viruses
Total Replies: 24
phsolide

Mar 21, 2008
6:21 AM EDT
This article is a complete farce.

First, file-infector viruses were first studied scientifically (mathematically?) under Unix, by Fred Cohen, in 1984: http://vx.netlux.org/lib/afc01.html

So, the initial paragraph of this article is trivially true. And, I have to note, like just about everything else in the Windows world, Unix had viruses first.

The last paragraph of this article is just the "market share argument": if Linux had the market share of windows, it would be a virus magnet, too.

In 1988, the first huge PC virus came around, "Brain". Surely Linux now runs on more computers than MS-DOS did in 1988, so can't we put this one to sleep?

The true reasons for Windows attracting a virtual cloud of malware lie in its beyond-Byzantine complexity, and its willingness to execute any "document" (a.k.a. "file"). This gets us into the Land of Insanity, where changing a file's name makes it executable, but nobody ever bothered to write down the exact list of file suffixes that cause Windows to execute a file, but that's where I stop.

This article is just plain wrong.
dinotrac

Mar 21, 2008
6:34 AM EDT
In terms of intent to excuse Microsoft, yup. Absolutely.

That's the problem with the article...it seems designed to excuse Microsoft by saying Linux would be a lot worse than it is if it were more popular.

There is a major hole in that argument, by the way. Linux is indeed a small percentage of the desktops out in the world. However, the most desirable machines to hack are servers, not desktops. Not only does Linux run on a sizeable number of servers, it powers the majority of Web servers -- the machines most exposed to attack.

That said, yes!!! We do need to be vigilant in Linuxland and we do need to keep track of where we get our software.
Sander_Marechal

Mar 21, 2008
8:20 AM EDT
Actually, the article is pretty good. But what you guys read isn't the article. It's one of the comments on the article. Read the original article at http://blogs.techrepublic.com.com/security/?p=286
dinotrac

Mar 21, 2008
8:54 AM EDT
Sander -

Thanks for the link. Yes, the article is pretty good.
phsolide

Mar 21, 2008
11:06 AM EDT
And I'm going to second: the original article is OK, but the comment, which I mistook for the article, stinks.

The original article does make the mistake that all (or at least the very great majority) of viruses propagate due to "bugs". They don't: Cohen's original research (linked to above) demonstrates that. The file read/write/modify/execute privileges of almost all OSes allow virus propagation.

But like real viruses, the *transmissibility* of OS file-infectors varies widely. The per-user discretionary access controls in Linux/BSD/etc seem to give those systems some level of resistance. The file-name-makes-it-executable design of Windows seems to decrease its resistance.

But really, the only "viruses" that were widespread, even under MS-DOS were either MBR infectors like BRAIN, Jerusalem or Stoned, or MS-Word macro viruses. Regular file infectors never got much of a foothold even under DOS. And there we can see where the Anti-Virus industry got it wrong. A program, TSR or not, cannot prevent against a power cycle to "fix" some nominally hung program. And MBR infectors need lots of reboots to propagate. "Word" auto-runs certain macros, as I understand it, and "Word" documents get widely circulated.

Virus epidemics have everything to do with culture, and very little to do with software, not unlike real-world epidemics of STDs.
Sander_Marechal

Mar 21, 2008
12:21 PM EDT
Quoting: That's the problem with the article...it seems designed to excuse Microsoft by saying Linux would be a lot worse than it is if it were more popular.

I've been having an interesting discussion about that with a co-worker of mine. He trolled out the argument that Windows has more viruses because it's more popular and I came with the Linux/Apache defense. We then ended up discussing the differences between desktop and server OSes. End users are a lot easier to trick than sysadmins. My counter argument was that there are also a lot more viruses targeting Windows servers specifically (IIS, SQL Server) than Linux servers.

Our discussion then shifted to the technical differences between Linux and Windows. How Linux has all these permissions and security stuff built in. And that breaking into one Linux machine doesn't mean you get into all of them. After all, they're all different. Different distros. Different software. Different configuration. Different security mechanisms (SELinux, AppArmor, etcetera). He then made a very good point that I haven't been able to counter (yet): It's about market share after all. Write a virus for Windows and you can grab potentially up to 25% of the servers. Write a Linux virus and you'll capture at most 1%-2% of the Linux servers. (1) because they're all different and (2) because the exploit gets patched so fast it stops your virus in its tracks.

So, his point is that it's not the market share of the OS that counts, but the (potential) market share of the virus. For Windows servers that is much higher, even though the market share of the OS is lower.

Comments?
tuxchick

Mar 21, 2008
12:47 PM EDT
Sander, he is correct, but it sounds like he is ignoring the fact that Windows is trivially easy to exploit. Also, Linux code is wide-open and Windows code is closed, so common sense might assume that open code would present an easier target. But the richest software company on the planet can't implement security worth a darn, while all those unwashed FOSS hippies are very good at it.

I believe, if I remember correctly, that the biggest holes in FOSS-land these days are dynamic web sites. They're complex, and there is an awful lot of bad scripting, plus known vulnerabilities that don't get patched even when fixes are available. But that's all the goo on top of Apache and Linux, which are very strong. Which is the opposite of Windows, which is an integral part of a giant vertical stack that's porous no matter where you poke at it. And there is nothing in Windows-land analogous to SELinux or AppArmor, which are able to mitigate even bad scripting and unknown security holes.

I'll agree that greater popularity = presenting a more attractive target. But if Windows and Linux/Unix were magically equal overnight, Windows would still be the undisputed malware king by a factor of thousands, simply because it is so weak.
tracyanne

Mar 21, 2008
12:50 PM EDT
Quoting: So, his point is that it's not the market share of the OS that counts, but the (potential) market share of the virus. For Windows servers that is much higher, even though the market share of the OS is lower.

I'd say he's effectively argued that Linux is less susceptible to malware.
Scott_Ruecker

Mar 21, 2008
1:46 PM EDT
Quoting: I'll agree that greater popularity = presenting a more attractive target. But if Windows and Linux/Unix were magically equal overnight, Windows would still be the undisputed malware king by a factor of thousands, simply because it is so weak.

EXACTLY!!

The popularity premise is a severely flawed one, but easy for the "unwashed masses" to fit in their heads. It is one of those arguments that "sounds" like it makes sense, until you really think about it. Which is why it's believed so easily.

As Carla points out, how can a bunch of "unwashed FOSS hippies" do security better than the multi-billion dollar Microsoft Corporation can? It's because MS is not concerned about computer security, they're concerned about corporate security.

Nudge nudge, wink wink, know what I mean?

bigg

Mar 21, 2008
4:39 PM EDT
> Comments?

Sure. Who cares?

There are a lot of Windows viruses. There are no widespread Linux viruses. End of discussion.

Let's imagine you are having a different discussion with a potential Linux user. Potential user: "I'd really like to switch to Linux, but there's no native iTunes for Linux." You: "That's because iTunes is closed and Apple won't port to Linux." Potential user: "Oh, wonderful, now that you've explained why there's no iTunes, I will switch to Linux." This won't happen, because the why doesn't matter. It doesn't change the fact that there's no iTunes.

You can have philosophical discussions about why Windows has so many security problems. It would be just that - philosophy. If you are making a choice about which OS to use, you look at the things that are important to you. If you need iTunes, don't use Linux. If you want to avoid viruses, don't use Windows. It doesn't matter why Windows has more, it just does. There are more today and there will be more five years from now. Paris Hilton will not be interested in me even if I explain why I have a large belly, and I will not be interested in Windows even if someone can explain why it is so insecure.
dinotrac

Mar 21, 2008
7:03 PM EDT
Of course, we don't want to mention root kits...
jdixon

Mar 21, 2008
8:06 PM EDT
> Of course, we don't want to mention root kits...

The most widespread root kit I know of was the one distributed by Sony on their CDs. It was Windows specific. I believe the recent Linux root kit used to distribute JavaScript attacks pales in comparison.
dinotrac

Mar 22, 2008
5:56 AM EDT
> The most widespread root kit I

So?
jdixon

Mar 22, 2008
7:01 AM EDT
> So?

Your comment made it sound like you thought Windows would compare favorably with Linux wrt root kits.
dinotrac

Mar 22, 2008
7:42 AM EDT
No, but even you should see that the Sony CDs were a special case.
tuxchick

Mar 22, 2008
9:29 AM EDT
Sony wasn't all that special a case, there have been several incidents of big companies installing sneaky rootkits in the name of protecting their ohsospecial eye pee. They just got the most attention.

Another significant advantage in the Linux/Unix world is SELinux and AppArmor, which are effective protections against rootkits. Rootkits are over-emphasized anyway; plenty of damage can be done from unprivileged users' accounts: data theft, spam spewing, proud member of the worldwide botnet, hosting warez, and so forth. You don't need root to do significant damage.
jdixon

Mar 22, 2008
6:13 PM EDT
> No, but even you should see that the Sony CDs were a special case.

Only moderately so. There were more CDs released with the root kit than any other equivalent infection I know of, but media/hardware being released with malware already installed is a common story now. Even FOSS isn't immune.
moopst

Mar 22, 2008
9:25 PM EDT
Two things haven't happened yet. The promised virus problem for Linux hasn't materialized - and - a secure version of Windows hasn't been released.

I'm not holding my breath for either to happen anytime soon.
jdixon

Mar 23, 2008
3:26 PM EDT
> The promised virus problem for Linux hasn't materialized...

There is a current active root kit problem with Linux servers, which has been discussed here in the recent past. The means of compromise is still unknown at this time, though it may be the recently patched overflow hole in the kernel.
Sander_Marechal

Mar 24, 2008
3:41 AM EDT
Quoting: The means of compromise is still unknown at this time

I thought that the consensus on that was that the attacker had social-engineered his way to a list of root passwords. That meshes well with the observation that virtually all the compromised machines with that rootkit were from the same hosting company.
ColonelPanik

Mar 24, 2008
6:40 AM EDT
Root Kits

Can someone put up a link on root kit detection?
jdixon

Mar 24, 2008
6:47 AM EDT
> I thought that the consensus on that was that the attacker had social-engineered his way to a list of root passwords.

Possible, but I haven't heard anything definitive. If you do, please pass it on. I'm sure others besides me would be interested.
jdixon

Mar 24, 2008
7:08 AM EDT
> Can someone put up a link on root kit detection?

Joe Barr had a recent review of three alternatives on linux.com which was linked to by LXer. It's pretty good:

http://www.linux.com/feature/128450
Sander_Marechal

Mar 24, 2008
7:26 AM EDT
@jdixon: What I read wasn't definitive either, but it's the gist of the various threads I read over at webhostingtalk.

@ColonelPanik: I use Rootkit Hunter and DenyHosts (with central synchronisation) on all my (server) machines:

http://rootkit.nl/projects/rootkit_hunter.html
http://denyhosts.sourceforge.net/
ColonelPanik

Mar 24, 2008
4:41 PM EDT
A salute for those links! /°_°
