Trojans, viruses, worms | How vulnerable is Linux
The popularity of Linux has been mounting and continues to mount through the participation of thousands of individuals and groups writing software according to their needs. Much of this software is available on sites owned by individuals. Since many Linux users are not comfortable with installing programs in Linux, they tend to follow the directions on such sites blindly (often using the root account for installations). So, it is possible to fool Linux users into installing trojans, viruses, etc. In this context, how vulnerable is a Linux box to malicious code?
Currently, the only malware that any Unix like operating system is vulnerable to is a rootkit.
Any software not installed as root is only available to the particular user that installed it, so installing software for multiuser systems has to be done as root. Is this a serious security risk? Not really. The only software that runs with complete system access is the shell and kernel. Everything else is run with a limited permissions account. The modularity of the system and the granularity of the permissions both contribute to making any Unix or Unix-like OS extremely difficult to exploit with viral type code. An exploit has to affect the majority of systems and be embedded to the point of extreme difficulty in patching it completely without breaking the system in order for malware to be effective. Because the base system is the only guaranteed code for most systems, that code is under the highest level of scrutiny for exploitable bugs, making it more secure as time passes.

A rootkit is software the user is tricked into installing that essentially steals the root password, then sends it to someone. It's generally recommended to install chkrootkit when installing the OS, so that all software installed afterwards is checked for rootkit coding, and all active processes are checked for rootkit activity.

True malware isn't possible with the multiuser operating systems because of the permissions, and the system design is designed to inhibit that type of risk. Yes, end users can be fooled into installing some malicious software, but that's usually how malware starts getting onto even Windows systems.
There are viruses for Linux. They are in the wild. However, they are exceedingly rare, and Jaqui's description of how Unix permissions contribute to their rarity is accurate. Though, to be fair, much of the success of Windows viruses is due to users running as admin. @the_gripmaster: To address your original question, only install software from sites that you trust. You *are* taking a risk every time that you install programs from someone's site. Not only that they haven't put backdoors in the program, but also that they've secured their site so that someone hasn't cracked their system and replaced the software with malicious versions. This last part is why things like MD5 sums and GPG signatures should be validated before installing. Ideally, learn C and thoroughly review every line of source code before compiling ;)
:p
However, even if someone is a C/C++ expert, reading through the thousands of lines of code of, say, x264 doesn't always seem feasible.
Companies often put signs on the road to draw your business. How vulnerable is your car to this?
You're right, though, that really isn't a realistic option for anyone who has a busy schedule. Plus, intentionally obfuscating malicious code would make it hard to detect, even by experienced programmers. Which is why it's a good idea to take some proactive measures that *could* detect malicious activity on your system. Things like SELinux, integrity checking software like Tripwire/AIDE, and rootkit scanners like Rkhunter/chkrootkit will give you an advantage in detecting something like that. For viruses, there are now a bunch of AV packages for Linux, like ClamAV, Panda, Kaspersky, etc. As a general rule of thumb, though, I would recommend only installing software from sites/repositories that you trust and always verify the MD5 sums and signatures.
Thanks for your input, people, especially Capt_Caveman.
There is one other point pertaining to Linux malware that no one has brought up.
Aside from the fact that Microsoft encourages people to run Windows as Administrator, the dominant Microsoft environment consists of Windows/IE/Outlook Express. This leads to a monoculture, where everyone is running the same thing and therefore has the same vulnerabilities. Thus, the job of the virus writer is greatly simplified; if MY box is vulnerable, the odds are that YOUR box is vulnerable the same way. Thus, the spread of a virus is greatly simplified; finding other machines to infect is trivial. *nix isn't a monoculture. It is quite heterogeneous. This means that MY box may be vulnerable to a specific attack, but YOUR box probably isn't. Given the wide variety of Linux distros, and the wide number of choices for everything on Linux (consider the number of email clients, for instance), the likelihood that a virus which has infected MY box can find another box to infect - one on which it actually works - is vastly reduced compared to Windows. This enormously complicates the job of the virus writer, and is a major factor (aside from the permissions issue) that will probably prevent Linux/Unix malware from EVER being anything like the epidemic that it is in Windows.
Quote:
*nix isn't a monoculture. It is quite heterogeneous. This means that MY box may be vulnerable to a specific attack, but YOUR box probably isn't. Given the wide variety of Linux distros, and the wide number of choices for everything on Linux (consider the number of email clients, for instance), the likelihood that a virus which has infected MY box can find another box to infect - one on which it actually works - is vastly reduced compared to Windows.
First of all, I think most people are misguided when comparing virus and malware vulnerability because they stick to the Richmond definitions of those. While *NIX doesn't show the "Richmond approved ;-p" type of malware, in essence we are not free of malware in the wider sense of the word. Using the same argument of monoculture, you only have to look at the grave and recurring flaws in PHP-based applications year after year to see that avenue remains wide open.
[ Richmond is 15 minutes from me, Redmond is 4 hours ] Don't blame the OS itself for both badly crafted websites and badly written scripting language exploits. PHP vulnerabilities are not OS vulnerabilities; most often they are site exploitable vulnerabilities. [ Cross site scripting and SQL injection are the two most common issues with PHP, both of which are bad site scripting, not the language itself. ] PHP's biggest issue is the ease of use for throwing together websites; people forget to check that the functions they are using don't have flaws. [ I take a bit longer and code my own functions, and disable SQL parsing of variable content supplied by site visitors. ( Treat all user supplied content as plain text, with no code execution. ) But even then, I can't guarantee I didn't make a mistake. ]
I work for a company whose main product is a PHP based web app aimed at government and special interest groups working against homelessness. PHP, when used properly, can be as secure as any other language or program out there. (Think about it... PHP has a long list of string functions that allow the coder to ensure that special characters are escaped properly for various databases, and even generic functions that perform similar tasks in case the database backend isn't supported directly.) Most novice coders aren't aware that SQL injection attacks exist, and therefore don't know to make use of these functions. And to top it off, SQL injection attacks aren't the only form of attack that the coder needs to be aware of when working with (for instance) PHP. If you're writing the code yourself, BE INFORMED of the dangers, and stay on top of it. If you aren't writing the code yourself, test it and audit, audit, audit.
That there are security issues with PHP scripts doesn't reflect on PHP or on the platforms that host it; it merely reflects the popularity of PHP and the fact that many of the people programming PHP scripts are amateurs.
Similar security issues can occur with any language that puts up websites, including C or C++ CGIs, Perl, ASP, and whatever else. The basic rule is that you have to validate everything that the user submits to make sure it is appropriate. The amateur programmer violates this rule at his peril. This rule for websites is similar to the programming rule that Microsoft historically didn't obey, which says you have to check all your buffers to make sure the boundaries are honored. That boundaries are not checked, or are not checked correctly, is not a deficiency of the programming language; it is a deficiency of the programmer.
Richmond? nope, MS head office is in Redmond.
Thanks for the correction. Shows the amount of mindshare they are granted in my world. "Don't blame the OS itself for both badly crafted websites and badly written scripting language exploits." While my choice of PHP may be an unlucky one (as the myriad of WAMP servers around proves), that's not what I'm saying, and that doesn't address the point I'm trying to make. The point I'm trying to make is that people should not keep using a Mockerysoft-centric view of all things malicious when comparing the Redmond POS with *NIX. *NIX has its own share of trouble, ranging from lack of knowledge, remotely exploitable kernel flaws, rootkits and trojans to worms, autorooters, bots and piggybacking spam servers. (And IIRC only two of the ten GNU/Linux viruses can be found ITW; the rest are PoCs, and the fact an AV scanner labels something a "virus" doesn't mean it's a true "Linux targeting virus". It's more likely they just don't care to label it better (money).)