I have a mate who works as a programmer/researcher for symantec nz, I had occasion to ask about windows/linux cross contamination recently... the reply was good enough I figured it was worth sharing.
Note: this should not be treated as official symantec opinion - just an off-the-top-of-my-head from someone immersed in the feild. There are probably many others on this forum in a similar position, perhaps they'd like to comment?
SB: What sort of potential is there for linux/windows cross contamination?
Hybrid viruses have been created:
http://vil.nai.com/vil/content/v_99060.htm is one example. Although the
Windows and Linux file formats are different, they aren't *that*
different, at least if they are running on the same machine architecture
(x86 or x64).
The rising capability of Win32 platform emulators like Wine has meant
that they can also host Windows viruses and other malware on Linux,
although it generally won't spread out beyond the emulated subsystem.
Those emulators are quite incredibly faithful recreations of the Win32
API programming environment.
The Wine case is the one that does introduce real risks of
cross-transmission; it means that a hybrid attack like the one above
could enter via a PE file but modify native ELF binaries and thus
"escape" the platform emulation.
SB: But wouldn't the user need to have formally activated it by some action (opening an attachment, running a script)?
Normally, yes, although people do seem to do that kind of thing :-P
Another thing to consider is the use of things like Samba file sharing;
some Windows viruses go looking for network shares to infect; although
secure file sharing is possible, it's simply so easy and convenient to
create an open share, especially in a home networking environment.
Plus of course there are always worms that attack via buffer overflows
and the like. Usually those are sensitive to stack and memory layout and
so not cross-platform, but they can strike really any system. The one
most worthy of study is the Witty worm, which is an amazing piece of
malware
http://www.icsi.berkeley.edu/~nweaver/login_witty.txt - it's a
sobering paper.
SB:Many linux users are smug about the lack of threat to and by their system... is this justified?
Well, to be fair they have some good reason to. The single most
important thing about Linux in the past is that just about everyone
recompiled everything from source. That's less true nowadays, and with
current Linux their greatest real defense is that out of the box people
are installed without administrative privileges (this is also true of
MacOS X, by the way). Vista will be introducing exactly this for
Windows, and it'll be a big help (although it'll be a long transition
process, and painful for ISVs).
The fact that so many users are now installing binary Debian packages
rather than compiling from source - particularly true of distributions
like Ubuntu - mean that they are worth keeping an eye on. Although they
do have pretty good quality procedures, if a piece of hybrid malware was
able to *launch* via tainted submissions to one of those binary package
repositories it could get pretty far, pretty fast. People doing those
package installations routinely grant elevated privileges to the package
installers.
Although I wouldn't expect that to come from the major distribution
repositories, it shows that the Linux community is extending into the
kind of point-and-click mass-market environment where people can be
socially engineered into doing things to themselves.
