
Re: Does Linux have viruses?



Hi,

On Sat, 04 Dec 2004, Ralf Gesel|ensetter wrote:

> Second thought: There is yet too few Linux boxes (as for Desktops) to 
> make it spread. Now, how about Linux reaching a share of more than 20% 
> at desktop pcs? 

Personally, I think this oft quoted argument is bogus.  There have been
several worms which have spread across vulnerable linux systems.  These
include Ramen and Lion.  There were plenty of linux machines then for
worms/viruses to spread and there are many more now.

One could argue that virus writers don't target linux because they want to
get the credit for the greatest number of compromises which only Windows
could provide.  However, as someone else mentioned, the credit for writing
the first truly successful linux virus/worm would be enormous.

For what it's worth, here's how I would explain it.  You might get
something useful from it. Unfortunately, there is no black and white answer
and the issue is an inherently technical one.  Herman's mention of the
difference between "open" and "run" is an absolutely central point.  

=================================
A computer is a machine which blindly follows instructions.  A computer
virus is really just a set of malicious instructions which include methods
to propagate themselves on to other computers.  For this reason, any
connected computers are (in theory) vulnerable to viruses of some form but
one can make things difficult for virus writers with good safety procedures.

First, a distinction must be made between computer instructions (executable
programs) and simple data (images, audio files, text) which must be opened
by a supporting program[1].  

One way for a virus to infect a computer is simply to send the malicious
instructions (in the form of say a small executable program) to many users
and trick them into running them (eg with the promise of pictures of Anna
Kournikova).  This is called `social engineering' and effectively involves
users voluntarily running the virus.

Unix & linux systems discourage this in several ways.  Firstly, it is a
very uncommon practice to send programs like this around.  By contrast it
is very common in Windows (self-extracting zip files, animated greetings,
etc).  Second, you cannot just double click a program and have it run, you
must explicitly grant the program permission to execute (run).  This is
much like a safety catch on a gun, it stops you from doing anything by
accident.  Should the need ever arise, it is even possible for a paranoid
system administrator to revoke this capability from users[2].

Ideally, users should understand that any time they run a program, they
cede total control of their files and account to that program which might
do anything.  For this reason they must have good reason to trust the
program.  If the program has just arrived in an unexpected email, that's
not trustworthy.  

A second, more difficult infection method is to create carefully crafted
ordinary files (images, office documents, ...) which exploit a bug or
weakness in a system program and thus manage to covertly run some malicious
instructions.  An ordinary user might innocently go to a webpage, open an
email or play an mp3 which contained the virus.  If the computer is running
network services (eg file sharing), they can be remotely exploited in a
similar way by feeding bad data to the installed program.  This, it must be
emphasised, is the fault of the buggy program, not of the user.

The best defense against this "bad data" attack is to install only what you
need (both user programs and services), avoiding ones with poor security
records (Internet Explorer, Outlook, IIS, sendmail) and keep them
up-to-date with security patches.  The addition of a firewall is only of
real benefit to protect running services.  Linux desktop systems tend to
run few if any network services by default.  

Whether the linux or windows environment has the better security record is
a somewhat controversial question.  However, those who favour the latter
are invariably not neutral parties.

[1] There is some ambiguity in this distinction (eg Word Document macros,
vb or perl scripts) but it is not really a helpful discussion for ordinary
users.

[2] In an extreme situation, one could mount /tmp and the home directories
of ordinary users "noexec".  The system will then refuse to run anything
stored there.  It should be said that this doesn't stop someone from
running interpreted instructions, eg a perl script by 'perl myvirus.pl' but
that would be an act of extraordinary idiocy.
=================================
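As an added example (not from the mail above), a small POSIX shell audit of the mitigation in footnote [2]: it reads /proc/mounts-style lines and reports which of the chosen mount points lack the "noexec" option. SAMPLE_MOUNTS, mount_options, has_option and audit_noexec are all names and data constructed here for illustration.

```shell
#!/bin/sh
# Added example: check whether the mount points a cautious administrator would
# protect (/tmp, home directories, ...) are mounted "noexec".
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass.
# SAMPLE_MOUNTS is constructed sample data, not taken from a real system.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_options MOUNTS MOUNTPOINT -> prints the option string for MOUNTPOINT,
# or nothing if that path is not a separate mount.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_option OPTIONS NAME -> 0 if NAME is a whole entry in the comma-separated
# list, 1 otherwise (so "noexec" is not confused with "exec").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_noexec MOUNTS MOUNTPOINT... -> prints one line per mount point and
# returns the number of mount points that still allow execution.
audit_noexec() {
    mounts=$1; shift
    bad=0
    for mp in "$@"; do
        opts=$(mount_options "$mounts" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp: not a separate mount (inherits the parent's options)"
            bad=$((bad + 1))
        elif has_option "$opts" noexec; then
            echo "$mp: noexec"
        else
            echo "$mp: EXEC allowed ($opts)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run against the constructed sample; on a live system substitute
# "$(cat /proc/mounts)" for "$SAMPLE_MOUNTS".
audit_noexec "$SAMPLE_MOUNTS" /tmp /home /dev/shm /var/tmp \
    || echo "$? mount point(s) allow execution"
```

As the footnote notes, noexec only stops the kernel from executing files stored there; it does not stop an interpreter from reading a script from that location, so this check covers one layer only.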