LinuxQuestions.org

Thread: Linux - Security > Trojans, viruses, worms | How vulnerable is Linux (http://www.linuxquestions.org/questions/linux-security-4/trojans-viruses-worms-%7C-how-vulnerable-is-linux-534427/)

the_gripmaster 03-04-2007 05:25 AM

Trojans, viruses, worms | How vulnerable is Linux
 
The popularity of Linux has mounted, and is still mounting, through the participation of thousands of individuals and groups writing software according to their needs. Much of this software is available on sites owned by individuals. Since many Linux users are not comfortable with installing programs in Linux, they tend to follow the directions on such sites blindly (often using the root account for installations). So, it is possible to fool Linux users into installing trojans, viruses, etc. In this context, how vulnerable is a Linux box to malicious code?

Jaqui 03-04-2007 06:40 AM

Currently, the only malware that any Unix like operating system is vulnerable to is a rootkit.

any software not installed as root is only available to the particular user that installed it, so installing software for multiuser systems has to be done as root.
is this a serious security risk? not really.
the only software that runs with complete system access is the shell and kernel. everything else is run with a limited permissions account.

the modularity of the system and the granularity of the permissions both contribute to making any unix or unix like os extremely difficult to exploit with viral type code.
an exploit has to affect the majority of systems and be embedded to the point of extreme difficulty in patching it completely without breaking the system in order for malware to be effective, because the base system is the only guaranteed code for most systems, that code is under the highest level of scrutiny for exploitable bugs, making it more secure as time passes.

a rootkit is software the user is tricked into installing that essentially steals the root password then sends it to someone. It's generally recommended to install chrootkit when installing the os, so that all software installed afterwards is checked for rootkit coding, and all active processes are checked for rootkit activity.

true malware isn't possible with the multiuser operating systems because the permissions and the system design are made to inhibit that type of risk.

yes, end users can be fooled into installing some malicious software, but that's usually how malware starts getting onto even windows systems.
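On the point that users get fooled into running "just untar this as root" instructions: the following is an added example, not code from this thread, of a check a practitioner can run on any downloaded archive before extracting it with root privileges. It lists the archive with GNU tar and flags members with absolute paths, `..` components (either of which would write outside the directory you think you are extracting into) and setuid/setgid bits. The function name `audit_tarball` is my own; the code assumes GNU tar's `-tv` listing layout and member names without spaces.

```sh
#!/bin/sh
# Added example (not from the thread): inspect an archive before extracting it
# as root. Flags members with absolute paths, ".." components and setuid/setgid
# bits; any of these in a "just untar this" download deserves a closer look.
# Assumes GNU tar (-tvP listing layout) and member names without spaces.
set -u

# audit_tarball ARCHIVE
#   Prints one "<TAG><TAB><member>" line per suspicious entry.
#   Returns 0 if the archive looks clean, 1 if anything was flagged,
#   2 if the archive cannot be read.
audit_tarball() {
    archive=$1
    # -P makes tar list names exactly as stored instead of stripping leading "/".
    listing=$(tar -tvPf "$archive") || { echo "cannot read $archive" >&2; return 2; }
    # -tv fields: mode owner/group size date time name [-> target]
    findings=$(printf '%s\n' "$listing" | awk '
        {
            mode = $1; name = $6
            if (name ~ /^\//)                   print "ABSOLUTE_PATH\t" name
            else if (name ~ /(^|\/)\.\.(\/|$)/) print "PARENT_TRAVERSAL\t" name
            if (substr(mode, 4, 1) ~ /[sS]/)    print "SETUID\t" name
            if (substr(mode, 7, 1) ~ /[sS]/)    print "SETGID\t" name
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use: audit_tarball foo-1.0.tar.gz && sudo tar -C /opt -xzf foo-1.0.tar.gz
```

A clean listing does not make the contents trustworthy (a plain binary can still be a backdoor), but it rules out the cheapest tricks, and extracting with `-C` into a directory you chose keeps the archive from deciding where its files land.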

Capt_Caveman 03-04-2007 08:05 AM

Quote:

a rootkit is software the user is tricked into installing that essentially steals the root password then sends it to someone.
I believe you're thinking of a trojan here. A rootkit is basically a toolkit installed by an attacker who has already compromised a system (gained root) and wishes to hide their presence from the system admin and other users. They exist in a wide variety of forms such as fake (trojan) binaries, malicious kernel modules, code for patching kernel memory. Trojans (like their name suggests) are malware that poses as a legitimate piece of software but has malicious code installed (e.g. an sshd binary with a backdoor installed).

There are viruses for linux. They are in the wild. However, they are exceedingly rare and Jaqui's description of how Unix permissions contribute to their rarity is accurate. Though to be fair much of the success of Windows viruses is due to users running as admin.

@the_gripmaster: To address your original question, only install software from sites that you trust. You *are* taking a risk every time that you install programs from someone's site. Not only that they haven't put backdoors in the program but also that they've secured their site so that someone hasn't cracked their system and replaced the software with malicious versions. This last part is why things like MD5 sums and GPG signatures should be validated before installing. Ideally learn C and thoroughly review every line of source code before compiling ;)
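The "validate the MD5 sums and GPG signatures" step above, as an added example that is not code from the thread: `verify_sum` looks a downloaded file up in the checksum list published with it and compares digests, and `verify_sig` checks a detached OpenPGP signature with the system `gpg`. Both function names are my own; the code assumes GNU coreutils (`sha256sum`, `md5sum`) and the usual `<hex>  <filename>` checksum-file layout. One caveat the post does not spell out: MD5 is fine for spotting a corrupted download but collisions are practical today, so prefer SHA-256 sums where the site publishes them.

```sh
#!/bin/sh
# Added example, not from the thread: verify a downloaded file against the
# checksum list published with it before installing. Assumes GNU coreutils
# (sha256sum/md5sum) and the usual "<hex>  <filename>" checksum-file layout.
set -u

# verify_sum FILE SUMFILE [ALGO]
#   Looks FILE up (by basename) in SUMFILE and compares digests.
#   Returns 0 on match, 1 on mismatch, 2 if FILE has no entry.
verify_sum() {
    file=$1; sumfile=$2; algo=${3:-sha256}
    name=$(basename "$file")
    # Accept both "hash  name" and the binary-mode "hash *name" forms.
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print tolower($1); exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "verify_sum: no entry for $name in $sumfile" >&2
        return 2
    fi
    actual=$("${algo}sum" "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_sum: $name DIGEST MISMATCH (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# verify_sig SIGFILE FILE
#   Checks a detached OpenPGP signature with gpg. Returns gpg's status
#   (0 = good signature from a key in your keyring), or 3 if gpg is missing.
#   The signing key must have been imported and its fingerprint checked out
#   of band; a good signature from an unknown key proves nothing about who
#   built the file.
verify_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    gpg --verify "$1" "$2"
}

# Typical use:
#   verify_sum foo-1.0.tar.gz SHA256SUMS && verify_sig foo-1.0.tar.gz.asc foo-1.0.tar.gz
```

Keep the two checks in mind as answering different questions. A checksum served from the same host as the tarball only tells you the download was not corrupted; if the site was cracked, the attacker rewrote the sums too. The signature is what ties the file to the developer, and only if you got the key's fingerprint from somewhere other than that same site.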

Emerson 03-04-2007 08:43 AM

Quote:

Originally Posted by Capt_Caveman
Ideally learn C and thoroughly review every line of source code before compiling ;)

I could never install x264 then. :(

:p

the_gripmaster 03-04-2007 11:31 AM

Quote:

Originally Posted by Capt_Caveman
@the_gripmaster: To address your original question, only install software from sites that you trust. You *are* taking a risk every time that you install programs from someone's site. Not only that they haven't put backdoors in the program but also that they've secured their site so that someone hasn't cracked their system and replaced the software with malicious versions. This last part is why things like MD5 sums and GPG signatures should be validated before installing. Ideally learn C and thoroughly review every line of source code before compiling ;)

That is the fact I was stressing. It is kind of a myth that Linux viruses do not exist. This myth and the increasing popularity of Linux will likely encourage malicious code writers to compromise the security of Linux users.

However, even if someone is a C/C++ expert, reading through the thousands of lines of code :scratch:, say x264, doesn't always seem feasible.

2damncommon 03-04-2007 11:46 AM

Quote:

So, it is possible to fool Linux users into installing trojans, viruses, etc. In this context, how vulnerable is a Linux box to malicious code?
I am surprised you continue to ask once you have identified the weakest link as people but want to blame the software.
Companies often put signs on the road to draw your business. How vulnerable is your car to this?

Capt_Caveman 03-04-2007 12:00 PM

Quote:

Originally Posted by the_gripmaster
That is the fact I was stressing. It is kind of a myth that Linux viruses do not exist. This myth and the increasing popularity of Linux will likely encourage malicious code writers to compromise the security of Linux users.

I think this myth is really perpetuated because they really are that rare, so in most circumstances a linux user will never be infected with one ever. The one exception is that they do tend to be more common in cracking tools, so you need to be careful when testing anything of questionable origin.

Quote:

However, even if someone is a C/C++ expert, reading through the thousands of line of code :scratch:, say x264, doesn't always seem feasible.
That was meant as a more tongue-in-cheek answer, but to some extent it is true. People have identified malicious code that way. That is one of the benefits of Open Source software. If say you don't trust Redhat, you could theoretically sit down and analyze every single line of code, with Windows that isn't an option.

You're right though, that really isn't a realistic option for anyone who has a busy schedule. Plus intentionally obfuscating malicious code would make it hard to detect, even by experienced programmers. Which is why it's a good idea to take some proactive measure that *could* detect malicious activity on your system. Things like SELinux, integrity checking software like Tripwire/AIDE, and rootkit scanners like Rkhunter/chkrootkit will give you an advantage in detecting something like that. For viruses, there are now a bunch of AV packages for linux, like ClamAV, Panda, Kaspersky, etc. As a general rule of thumb though, I would recommend only installing software from sites/repositories that you trust and always verify the MD5 sums and signatures.
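The integrity-checking idea behind Tripwire and AIDE, as an added example that is not code from either project or from the thread: take a baseline of digest, mode and owner for every regular file under a directory, and later report what was changed, added or removed. The function names `snapshot` and `compare` are my own; the code assumes GNU coreutils (`sha256sum`, `stat -c`) and does not handle paths containing tabs or newlines.

```sh
#!/bin/sh
# Added example, not AIDE or Tripwire code: a minimal file-integrity baseline
# in the same spirit. Records the sha256, mode and owner of every regular file
# under a directory, then reports what changed since the baseline was taken.
# Assumes GNU coreutils (sha256sum, stat -c); BSD stat takes different flags.
# Paths containing tabs or newlines are not handled.
set -u

# snapshot DIR -> one line per regular file: path<TAB>sha256<TAB>mode owner
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | awk '{ print $1 }')
        meta=$(stat -c '%a %U' "$f")
        printf '%s\t%s\t%s\n' "$f" "$sum" "$meta"
    done
}

# compare BASELINE DIR
#   Takes a fresh snapshot of DIR and diffs it against BASELINE.
#   Prints CHANGED/ADDED/REMOVED lines; returns 0 if nothing differs, 1 otherwise.
compare() {
    base=$1; dir=$2
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    findings=$(awk -F '\t' '
        FILENAME == ARGV[1] { seen[$1] = $2 "\t" $3; next }   # load baseline
        {
            if (!($1 in seen))               print "ADDED\t" $1
            else if (seen[$1] != $2 "\t" $3) print "CHANGED\t" $1
            delete seen[$1]
        }
        END { for (p in seen) print "REMOVED\t" p }           # left over = gone
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use:
#   snapshot /usr/bin > baseline.txt        # once, right after a clean install
#   compare baseline.txt /usr/bin           # later, from cron or by hand
```

The baseline is only worth something if the box cannot quietly rewrite it: keep it on read-only media or on another host, and run the comparison from a binary you trust, since a rootkit that has replaced `sha256sum` or `find` will happily report that nothing changed. That is also why the real tools pair this with a kernel-level check or a boot from known-clean media.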

the_gripmaster 03-05-2007 12:31 PM

Thanks for your input people, especially Capt_Caveman

jiml8 03-07-2007 10:23 AM

There is one other point pertaining to Linux malware that no one has brought up.

Aside from the fact that Microsoft encourages people to run Windows as Administrator, the dominant microsoft environment consists of Windows/IE/Outlook Express. This leads to a monoculture, where everyone is running the same thing and therefore has the same vulnerabilities. Thus, the job of the virus writer is greatly simplified; if MY box is vulnerable, the odds are that YOUR box is vulnerable the same way. Thus, the spread of a virus is greatly simplified; finding other machines to infect is trivial.

*nix isn't a monoculture. It is quite heterogeneous. This means that MY box may be vulnerable to a specific attack, but YOUR box probably isn't. Given the wide variety of Linux distros, and the wide number of choices for everything on Linux (consider the number of email clients, for instance) then the likelihood that a virus which has infected MY box can find another box to infect - one on which it actually works - is vastly reduced compared to Windows.

This enormously complicates the job of the virus writer, and is a major factor (aside from the permissions issue) that will probably prevent Linux/Unix malware from EVER being anything like the epidemic that it is in Windows.

the_gripmaster 03-07-2007 10:41 AM

Quote:

Originally Posted by jiml8
*nix isn't a monoculture. It is quite heterogeneous.

Yes, good point.

unSpawn 03-08-2007 05:45 AM

Quote:

Originally Posted by jiml8
*nix isn't a monoculture. It is quite heterogeneous. This means that MY box may be vulnerable to a specific attack, but YOUR box probably isn't. Given the wide variety of Linux distros, and the wide number of choices for everything on Linux (consider the number of email clients, for instance) then the likelihood that a virus which has infected MY box can find another box to infect - one on which it actually works - is vastly reduced compared to Windows.

First of all I think most people are misguided when comparing virus and malware vulnerability because they stick to the Richmond definitions of those. While *NIX doesn't show the "Richmond approved ;-p" type of malware, in essence we are not free of malware in the wider sense of the word. Using the same argument of monoculture you only have to look at the grave and recurring flaws in PHP-based applications year after year to see that avenue remains wide open.

Jaqui 03-08-2007 08:11 AM

Quote:

Originally Posted by unSpawn
First of all I think most people are misguided when comparing virus and malware vulnerability because they stick to the Richmond definitions of those. While *NIX don't show the "Richmond approved ;-p" type of malware, in essence we are not free of malware in the wider sense of the word. Using the same argument of monoculture you only have to look at the grave and recurring flaws in PHP-based applications year after year to see that avenue remains wide open.

Richmond? nope, MS head office is in Redmond. ;)
[ Richmond is 15 minutes from me, Redmond is 4 hours ]

Don't blame the os itself for both badly crafted websites and badly written scripting language exploits. PHP vulnerabilities are not os vulnerabilities, most often they are site exploitable vulnerabilities. [ cross site scripting and sql injection being the two most common issues with php, both of which are bad site scripting, not the language itself. ]

PHP's biggest issue is the ease of use for throwing together websites, people forget to check that the functions they are using don't have flaws.
[ I take a bit longer and code my own functions, disable sql parsing of variable content supplied by site visitors. ( treat all user supplied content as plain text, with no code execution ) but even then, I can't guarantee I didn't make a mistake. ]

rocket357 03-08-2007 08:49 AM

Quote:

Originally Posted by Jaqui
PHP's biggest issue is the ease of use for throwing together websites, people forget to check that the functions they are using don't have flaws.

Indeed.

I work for a company whose main product is a PHP based web app aimed at government and special interest groups working against homelessness. PHP, when used properly, can be as secure as any other language or program out there. (Think about it...PHP has a long list of string functions that allow the coder to ensure that special characters are escaped properly for various databases, and even generic functions that perform similar tasks in case the database backend isn't supported directly). Most novice coders aren't aware that sql injection attacks exist, and therefore don't know to make use of these functions. And to top it off, sql injection attacks aren't the only form of attack that the coder needs to be aware of when working with (for instance) PHP. If you're writing the code yourself, BE INFORMED of the dangers, and stay on top of it. If you aren't writing the code yourself, test it and audit, audit, audit.

jiml8 03-08-2007 10:43 AM

That there are security issues with PHP scripts doesn't reflect on PHP or on the platforms that host it; it merely reflects the popularity of PHP and the fact that many of the people programming PHP scripts are amateurs.

Similar security issues can occur with any language that puts up websites, including C or C++ CGIs, perl, asp, and whatever else.

The basic rule is that you have to validate everything that the user submits to make sure it is appropriate. The amateur programmer violates this rule at his peril. This rule for websites is similar to the programming rule that microsoft historically didn't obey that says you have to check all your buffers to make sure the boundaries are honored. That boundaries are not checked or are not checked correctly is not a deficiency of the programming language, it is a deficiency of the programmer.

unSpawn 03-08-2007 03:24 PM

Quote:

Originally Posted by Jaqui
Richmond? nope, MS head office is in Redmond.

Thanks for the correction. Shows the amount of mindshare they are granted in my world.

Quote:

Originally Posted by Jaqui
Don't blame the os itself for both badly crafted websites and badly written scripting language exploits.

While my choice of PHP may be an unlucky one (as the myriad of WAMP servers around proves) that's not what I'm saying and that doesn't address the point I'm trying to make. The point I'm trying to make is that people should not keep using a Mockerysoft-centric view of all things malicious when comparing the Redmond POS with *NIX. *NIX has its own share of trouble ranging from lack of knowledge, remotely exploitable kernel flaws, rootkits and trojans to worms, autorooters, bots and piggybacking spam servers. (And IIRC only two of the ten GNU/Linux viruses can be found ITW, the rest are PoCs, and the fact an AV scanner labels something a "virus" doesn't mean it's a true "Linux-targeting virus". It's more likely they just don't care to label it better (money). )

