LinuxQuestions.org
#1 - 03-04-2007, 05:25 AM
the_gripmaster (Member; Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu)
Trojans, viruses, worms | How vulnerable is Linux


The popularity of Linux has been built, and is still being built, by the participation of thousands of individuals and groups writing software according to their needs. Much of this software is available on sites owned by individuals. Since many Linux users are not comfortable with installing programs in Linux, they tend to follow the directions on such sites blindly (often using the root account for installations). So it is possible to fool Linux users into installing trojans, viruses, etc. In this context, how vulnerable is a Linux box to malicious code?
 
#2 - 03-04-2007, 06:40 AM
Jaqui (Member; Distribution: LFS, SLak, Gentoo, Debian)
Currently, the only malware that any Unix-like operating system is vulnerable to is a rootkit.

Any software not installed as root is only available to the particular user that installed it, so installing software for multiuser systems has to be done as root.
Is this a serious security risk? Not really.
The only software that runs with complete system access is the shell and kernel. Everything else is run with a limited-permissions account.

The modularity of the system and the granularity of the permissions both contribute to making any Unix or Unix-like OS extremely difficult to exploit with viral-type code.
An exploit has to affect the majority of systems and be embedded to the point of extreme difficulty in patching it completely without breaking the system in order for malware to be effective. Because the base system is the only guaranteed code for most systems, that code is under the highest level of scrutiny for exploitable bugs, making it more secure as time passes.

A rootkit is software the user is tricked into installing that essentially steals the root password, then sends it to someone. It's generally recommended to install chkrootkit when installing the OS, so that all software installed afterwards is checked for rootkit coding, and all active processes are checked for rootkit activity.

True malware isn't possible with multiuser operating systems, because the permissions and system design are designed to inhibit that type of risk.

Yes, end users can be fooled into installing some malicious software, but that's usually how malware starts getting onto even Windows systems.
 
#3 - 03-04-2007, 08:05 AM
Capt_Caveman (Senior Member; Distribution: Fedora)
Quote:
a rootkit is software the user is tricked into installing that essentially steals the root password then sends it to someone.
I believe you're thinking of a trojan here. A rootkit is basically a toolkit installed by an attacker who has already compromised a system (gained root) and wishes to hide their presence from the system admin and other users. They exist in a wide variety of forms, such as fake (trojan) binaries, malicious kernel modules, and code for patching kernel memory. Trojans (as their name suggests) are malware that poses as a legitimate piece of software but has malicious code installed (e.g. an sshd binary with a backdoor installed).

There are viruses for Linux. They are in the wild. However, they are exceedingly rare, and Jaqui's description of how Unix permissions contribute to their rarity is accurate. Though to be fair, much of the success of Windows viruses is due to users running as admin.

@the_gripmaster: To address your original question, only install software from sites that you trust. You *are* taking a risk every time that you install programs from someone's site. Not only that they haven't put backdoors in the program, but also that they've secured their site so that someone hasn't cracked their system and replaced the software with malicious versions. This last part is why things like MD5 sums and GPG signatures should be validated before installing. Ideally, learn C and thoroughly review every line of source code before compiling.
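An added, worked version of the "validate the MD5 sums and signatures" advice in the post above. This is example code written for this page, not something posted in the thread or taken from any project. The file name `x264-snapshot.tar.bz2` and the `MD5SUMS` layout are assumed for the demo; the checksum-list format is the one `md5sum`/`sha256sum` emit, and the signature check just wraps the real `gpg --verify`. The point the post makes is built in: a checksum fetched from the same cracked site proves nothing, so the signing key for the GPG step has to come from somewhere else.

```python
"""Verify a downloaded file against a published checksum list, then
against a detached GPG signature. Added example; not from the thread."""
import hashlib
import hmac
import os
import subprocess
import tempfile


def file_digest(path, algo="md5"):
    """Hash a file in chunks; algo is any name hashlib knows (md5, sha256)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse md5sum/sha256sum output ('<hex>  <name>' or '<hex> *<name>')
    into {name: hex}. Blank lines and '#' comments are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_checksum(path, sums_text, algo="md5"):
    """True only if the file's digest matches the entry for its basename.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)


def verify_gpg_signature(path, sig_path, keyring=None):
    """Run 'gpg --verify' on a detached signature; True only if gpg exits 0.
    The signer's public key must already be in the keyring, obtained out of
    band. A key served next to the tarball proves nothing if the site itself
    was cracked, which is exactly the case a checksum alone cannot catch."""
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += [sig_path, path]
    try:
        return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
    except FileNotFoundError:  # gpg not installed
        return False


def demo():
    """Constructed scenario: a stand-in tarball, the MD5SUMS line its author
    published, a tampered copy, an unlisted file, and a missing signature.
    Returns (clean_ok, tampered_ok, unlisted_ok, sig_ok)."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "x264-snapshot.tar.bz2")  # hypothetical name
        with open(tarball, "wb") as f:
            f.write(b"pretend this is the real x264 source tarball\n")
        sums = "%s  *x264-snapshot.tar.bz2\n" % file_digest(tarball)
        clean_ok = verify_checksum(tarball, sums)

        # Attacker replaces the tarball; a checksum published elsewhere
        # (mailing list, mirror, signed announcement) no longer matches.
        with open(tarball, "ab") as f:
            f.write(b"\n# backdoor appended here\n")
        tampered_ok = verify_checksum(tarball, sums)

        other = os.path.join(d, "not-listed.tar.gz")
        open(other, "wb").close()
        unlisted_ok = verify_checksum(other, sums)

        # No .asc file exists, so this is False whether or not gpg is present.
        sig_ok = verify_gpg_signature(tarball, tarball + ".asc")
    return clean_ok, tampered_ok, unlisted_ok, sig_ok


if __name__ == "__main__":
    print(demo())
```

MD5 is kept here because that is what the post names; for anything current, use the sha256 list the project publishes (`algo="sha256"`), and treat the signature check as the one that actually decides whether to install.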
 
#4 - 03-04-2007, 08:43 AM
Emerson (Senior Member; Distribution: Gentoo ~)
Quote:
Originally Posted by Capt_Caveman
Ideally learn C and thoroughly review every line of source code before compiling
I could never install x264 then.

 
#5 - 03-04-2007, 11:31 AM
the_gripmaster (Original Poster; Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu)
Quote:
Originally Posted by Capt_Caveman
@the_gripmaster: To address your original question, only install software from sites that you trust. You *are* taking a risk every time that you install programs from someone's site. Not only that they haven't put backdoors in the program but also that they've secured their site so that someone hasn't cracked their system and replaced the software with malicious versions. This last part is why things like MD5 sums and GPG signatures should be validated before installing. Ideally learn C and thoroughly review every line of source code before compiling
That is the fact I was stressing. It is kind of a myth that Linux viruses do not exist. This myth and the increasing popularity of Linux will likely encourage malicious code writers to compromise the security of Linux users.

However, even if someone is a C/C++ expert, reading through the thousands of lines of code of, say, x264 doesn't always seem feasible.
 
#6 - 03-04-2007, 11:46 AM
2damncommon (Senior Member; Distribution: Debian Wheezy)
Quote:
So, it is possible to fool Linux users into installing trojans, viruses, etc. In this context, how vulnerable is a Linux box to malicious code?
I am surprised you continue to ask once you have identified the weakest link as people but want to blame the software.
Companies often put signs on the road to draw your business. How vulnerable is your car to this?
 
#7 - 03-04-2007, 12:00 PM
Capt_Caveman (Senior Member; Distribution: Fedora)
Quote:
Originally Posted by the_gripmaster
That is the fact I was stressing. It is kind of a myth that Linux viruses do not exist. This myth and the increasing popularity of Linux will likely encourage malicious code writers to compromise the security of Linux users.
I think this myth is really perpetuated because they really are that rare, so in most circumstances a Linux user will never be infected with one, ever. The one exception is that they do tend to be more common in cracking tools, so you need to be careful when testing anything of questionable origin.

Quote:
However, even if someone is a C/C++ expert, reading through the thousands of line of code , say x264, doesn't always seem feasible.
That was meant as a more tongue-in-cheek answer, but to some extent it is true. People have identified malicious code that way. That is one of the benefits of Open Source software. If, say, you don't trust Red Hat, you could theoretically sit down and analyze every single line of code; with Windows that isn't an option.

You're right, though, that really isn't a realistic option for anyone who has a busy schedule. Plus, intentionally obfuscating malicious code would make it hard to detect, even by experienced programmers. Which is why it's a good idea to take some proactive measures that *could* detect malicious activity on your system. Things like SELinux, integrity checking software like Tripwire/AIDE, and rootkit scanners like Rkhunter/chkrootkit will give you an advantage in detecting something like that. For viruses, there are now a bunch of AV packages for Linux, like ClamAV, Panda, Kaspersky, etc. As a general rule of thumb, though, I would recommend only installing software from sites/repositories that you trust and always verifying the MD5 sums and signatures.
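The post above recommends integrity checkers like Tripwire/AIDE for catching a trojaned binary after the fact. The block below is an added illustration of what such a tool does at its core, written for this page (it is not AIDE's or Tripwire's code, and the `/usr/sbin/sshd`, `/usr/bin/su` and `sshd_config` paths in the demo are a constructed scenario inside a temp directory). It records a hash, the permission bits and the size of every regular file under a root, then reports what was added, removed or changed. A permission-only change is deliberately counted as a modification, because a setuid bit appearing on an otherwise unchanged binary is exactly the sort of thing a rootkit leaves behind.

```python
"""AIDE/Tripwire-style integrity check: snapshot a tree, compare later.
Added example; not part of the thread or of AIDE/Tripwire."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, permission bits and size of every regular file under
    root, keyed by path relative to root. Symlinks and devices are skipped
    here; a real tool records their targets and major/minor numbers too."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = {
                "sha256": digest,
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid bits
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Classify every path seen in either snapshot. A mode change alone
    (say, a new setuid bit) counts as modified even if the bytes match."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def _write(root, rel, data, mode=0o755):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)
    return full


def demo():
    """Constructed scenario in a temp dir standing in for '/': take a
    baseline, then simulate a trojaned sshd, a setuid bit on su, a dropped
    library and a deleted config, and return what compare() reports."""
    with tempfile.TemporaryDirectory() as root:
        sshd = _write(root, "usr/sbin/sshd", b"ELF sshd")
        su = _write(root, "usr/bin/su", b"ELF su")
        cfg = _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n", 0o644)
        baseline = snapshot(root)  # keep this off-host or on read-only media

        with open(sshd, "wb") as f:          # trojan binary, same name and mode
            f.write(b"ELF sshd + backdoor")
        os.chmod(su, 0o4755)                 # bytes untouched, setuid added
        _write(root, "usr/lib/.hidden.so", b"ELF dropper", 0o644)
        os.remove(cfg)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats a practitioner would add: the baseline is only as good as its storage (an attacker with root can rewrite a baseline kept on the same disk), and once a kernel-level rootkit of the kind described earlier in the thread is loaded, anything running on that kernel, this checker included, can be lied to. Run the comparison from known-good boot media when the result matters.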
 
#8 - 03-05-2007, 12:31 PM
the_gripmaster (Original Poster; Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu)
Thanks for your input people, especially Capt_Caveman
 
#9 - 03-07-2007, 10:23 AM
jiml8 (Senior Member)
There is one other point pertaining to Linux malware that no one has brought up.

Aside from the fact that Microsoft encourages people to run Windows as Administrator, the dominant microsoft environment consists of Windows/IE/Outlook Express. This leads to a monoculture, where everyone is running the same thing and therefore has the same vulnerabilities. Thus, the job of the virus writer is greatly simplified; if MY box is vulnerable, the odds are that YOUR box is vulnerable the same way. Thus, the spread of a virus is greatly simplified; finding other machines to infect is trivial.

*nix isn't a monoculture. It is quite heterogeneous. This means that MY box may be vulnerable to a specific attack, but YOUR box probably isn't. Given the wide variety of Linux distros, and the wide number of choices for everything on Linux (consider the number of email clients, for instance), the likelihood that a virus which has infected MY box can find another box to infect - one on which it actually works - is vastly reduced compared to Windows.

This enormously complicates the job of the virus writer, and is a major factor (aside from the permissions issue) that will probably prevent Linux/Unix malware from EVER being anything like the epidemic that it is in Windows.
 
#10 - 03-07-2007, 10:41 AM
the_gripmaster (Original Poster; Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu)
Quote:
Originally Posted by jiml8
*nix isn't a monoculture. It is quite heterogeneous.
Yes, good point.
 
#11 - 03-08-2007, 05:45 AM
unSpawn (Moderator)
Quote:
Originally Posted by jiml8
*nix isn't a monoculture. It is quite heterogeneous. This means that MY box may be vulnerable to a specific attack, but YOUR box probably isn't. Given the wide variety of Linux distros, and the wide number of choices for everything on Linux (consider the number of email clients, for instance), the likelihood that a virus which has infected MY box can find another box to infect - one on which it actually works - is vastly reduced compared to Windows.

First of all, I think most people are misguided when comparing virus and malware vulnerability because they stick to the Richmond definitions of those. While *NIX doesn't show the "Richmond approved ;-p" type of malware, in essence we are not free of malware in the wider sense of the word. Using the same argument of monoculture, you only have to look at the grave and recurring flaws in PHP-based applications year after year to see that avenue remains wide open.
 
#12 - 03-08-2007, 08:11 AM
Jaqui (Member; Distribution: LFS, SLak, Gentoo, Debian)
Quote:
Originally Posted by unSpawn
First of all I think most people are misguided when comparing virus and malware vulnerability because they stick to the Richmond definitions of those. While *NIX don't show the "Richmond approved ;-p" type of malware, in essence we are not free of malware in the wider sense of the word. Using the same argument of monoculture you only have to look at the grave and recurring flaws in PHP-based applications year after year to see that avenue remains wide open.
Richmond? nope, MS head office is in Redmond.
[ Richmond is 15 minutes from me, Redmond is 4 hours ]

Don't blame the OS itself for both badly crafted websites and badly written scripting-language exploits. PHP vulnerabilities are not OS vulnerabilities; most often they are site-exploitable vulnerabilities. [Cross-site scripting and SQL injection are the two most common issues with PHP, both of which are bad site scripting, not the language itself.]

PHP's biggest issue is the ease of use for throwing together websites; people forget to check that the functions they are using don't have flaws.
[I take a bit longer and code my own functions, and disable SQL parsing of variable content supplied by site visitors (treat all user-supplied content as plain text, with no code execution), but even then, I can't guarantee I didn't make a mistake.]
 
#13 - 03-08-2007, 08:49 AM
rocket357 (Member; Distribution: OpenBSD-CURRENT)
Quote:
Originally Posted by Jaqui
PHP's biggest issue is the ease of use for throwing together websites, people forget to check that the functions they are using don't have flaws.
Indeed.

I work for a company whose main product is a PHP-based web app aimed at government and special interest groups working against homelessness. PHP, when used properly, can be as secure as any other language or program out there. (Think about it... PHP has a long list of string functions that allow the coder to ensure that special characters are escaped properly for various databases, and even generic functions that perform similar tasks in case the database backend isn't supported directly.) Most novice coders aren't aware that SQL injection attacks exist, and therefore don't know to make use of these functions. And to top it off, SQL injection attacks aren't the only form of attack that the coder needs to be aware of when working with (for instance) PHP. If you're writing the code yourself, BE INFORMED of the dangers, and stay on top of it. If you aren't writing the code yourself, test it and audit, audit, audit.
 
#14 - 03-08-2007, 10:43 AM
jiml8 (Senior Member)
That there are security issues with PHP scripts doesn't reflect on PHP or on the platforms that host it; it merely reflects the popularity of PHP and the fact that many of the people programming PHP scripts are amateurs.

Similar security issues can occur with any language that puts up websites, including C or C++ CGIs, perl, asp, and whatever else.

The basic rule is that you have to validate everything that the user submits to make sure it is appropriate. The amateur programmer violates this rule at his peril. This rule for websites is similar to the programming rule that Microsoft historically didn't obey, which says you have to check all your buffers to make sure the boundaries are honored. That boundaries are not checked, or are not checked correctly, is not a deficiency of the programming language; it is a deficiency of the programmer.
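The two posts above make the same point from different angles: rocket357 notes that the escaping functions exist and novices don't use them, and jiml8 says everything the user submits must be validated. The block below is an added example written for this page, not code from either poster, showing the bug and both defences side by side. It uses Python's `sqlite3` as a stand-in for the PHP/MySQL stack the thread is about; the `users` table, the `alice`/`bob` rows and the `alice' -- ` payload are constructed for the demo. The parameterized query is the modern form of what the escaping functions were for: the driver ships the values separately from the SQL text, so no quoting trick can change the query's structure. The allowlist check is the separate "validate everything" layer.

```python
"""SQL injection: a string-built login query beside a parameterized one,
plus an allowlist check on the username. Added example; not from the thread."""
import hashlib
import re
import sqlite3

# Allowlist for usernames: anything that is not a plain login name is rejected
# before it gets near the database (input validation, independent of escaping).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_username(name):
    return bool(USERNAME_RE.match(name))


def pw_hash(password):
    # Stand-in for this example only. Real code stores passwords with a slow,
    # salted hash (scrypt/bcrypt), never bare sha256.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """In-memory database with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", pw_hash("correct horse")), ("bob", pw_hash("hunter2"))])
    return db


def login_vulnerable(db, name, password):
    """The amateur version: user input is pasted into the SQL text, so a
    quote in the name ends the string literal and the rest of the input is
    parsed as SQL. Returns the authenticated user name or None."""
    q = "SELECT name FROM users WHERE name = '%s' AND pwhash = '%s'" % (
        name, pw_hash(password))
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    """Parameterized query: values travel separately from the SQL text, so
    they can only ever be compared against, never executed."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND pwhash = ?",
                     (name, pw_hash(password))).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and the injection payload through both
    versions, and show the allowlist rejecting the payload outright."""
    db = setup_db()
    # Closes the quote after alice, then '--' comments out the password check:
    #   ... WHERE name = 'alice' -- ' AND pwhash = '...'
    payload = "alice' -- "
    return {
        "legit_vulnerable": login_vulnerable(db, "alice", "correct horse"),
        "inject_vulnerable": login_vulnerable(db, payload, "wrong password"),
        "legit_safe": login_safe(db, "alice", "correct horse"),
        "inject_safe": login_safe(db, payload, "wrong password"),
        "payload_passes_allowlist": valid_username(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-25s %r" % (key, value))
```

Note that the safe version needs no knowledge of which characters the particular database treats specially, which is the advantage over hand-rolled escaping; the allowlist is still worth keeping, because it also stops the input reaching any later code path (log lines, shell commands, HTML output) where a different kind of injection would apply.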
 
#15 - 03-08-2007, 03:24 PM
unSpawn (Moderator)
Quote:
Originally Posted by Jaqui
Richmond? nope, MS head office is in Redmond.
Thanks for the correction. Shows the amount of mindshare they are granted in my world.

Quote:
Originally Posted by Jaqui
Don't blame the os itself for both badly crafted websites and badly written scripting language exploits.
While my choice of PHP may be an unlucky one (as the myriad of WAMP servers around proves), that's not what I'm saying, and that doesn't address the point I'm trying to make. The point I'm trying to make is that people should not keep using a Mockerysoft-centric view of everything malicious when comparing the Redmond POS with *NIX. *NIX has its own share of trouble, ranging from lack of knowledge, remotely exploitable kernel flaws, rootkits and trojans to worms, autorooters, bots and piggybacking spam servers. (And IIRC only two of the ten GNU/Linux viruses can be found ITW; the rest are PoCs, and the fact an AV scanner labels something a "virus" doesn't mean it's a true "Linux-targeting virus". It's more likely they just don't care to label it better (money).)
 
  

