[wellylug] Viruses and Linux

Michael Dittmer michael.dittmer at paradise.net.nz
Mon Aug 16 22:58:34 NZST 2004


Thanks all for your ideas / links and help.

I will write up the report for my client using the data you all provided.

I guess if they like my report I will be able to add one more nail to the MS
coffin with another Linux server in a small / medium business.

Kind Regards

Michael

-----Original Message-----
From: wellylug-admin at lists.naos.co.nz
[mailto:wellylug-admin at lists.naos.co.nz] On Behalf Of Richard
Sent: Monday, August 16, 2004 10:46 PM
To: wellylug at lists.naos.co.nz
Subject: Re: [wellylug] Viruses and Linux

> >Hi All...
> >
> >I have a client that is looking at Linux on a server and is worried about
> >viruses (comes from using Windows).
> >
> >Can anyone point me to a website that explains it in everyday (newbie)
> >language why linux doesn't have / get viruses. I have explained it to my
> >client myself, but they want to see it in writing (not just the opinion of
> >a consultant).
> >
> >Thanks
> >
> >Michael
> >
> >
> > 
> >
> Check out
> 
> http://linuxmafia.com/~rick/faq/index.php?page=virus
> 
> Not sure who Rick is but he makes a good case IMHO on why Linux is not 
> plagued by viruses. He does so in an easy to understand way and (here's 
> the best bit) from the perspective of a windoze non-believer.

Note that I don't at all disagree with the above link, however there is an
important caveat that we as a community are cheerfully ignoring, for a
variety of pretty harmless reasons.

The key issue relates to the common desktop environment, and the place of
the non-root user account within it.

For most desktop machines, there are only two accounts, root, and the user
who runs on it. Rightly enough, educated users do very little with the root
account other than apt-get install <whatever> (*smirk*), and rightly enough
the above link states that, under such a situation, the potential for a
virus to infiltrate the machine is so severely limited as to be pointless.

But what does it mean to infiltrate a machine? Let us take some typical
virus tasks:

1. infect something, providing a hook to go resident at startup
2. infect a file that will be transferred to another system, to provide a
   vector for infecting another machine
3. infect a file on a remotely mounted filesystem in order to infect other
   systems using the same filesystem.

Can anyone spot any there that you can't do as a regular user? If I want to
access the media share for the flat, I mount it as my user, not as root. If
I'm sending a file to a friend, I send it from my user account, and almost
every time I start this box up, I log in as me, and my .bashrc, .xinitrc etc
all run and execute whatever is in it. Might as well call them autoexec.bat
and be done with it.

So what are the differences that make Linux more resistant to viruses?

1. Despite claims to the contrary, the simple fact is that we are NOT the #1
desktop operating system in the world. In a server sense, all the benefits
claimed of a reliable root account really do come into play.

2. The executable bit. Windows suffers from an overload of the double-click
operation: it means both "to open a data file" and "to execute an
application". Linux in its current incarnation does not have this issue. Even
in heavily GUI environments, we do not double-click on icons to execute
software; we generally select from menus or type "foo" in the shell. To view
data in a shell we execute something first.

It is difficult therefore for stuff that is actually an application to
masquerade as data.

3. Building on that, data types are determined by the first few bytes of the
file, rather than the filename extension. Nautilus would provide me with an
"executable" icon even if the file ended in .jpg. Windows is also moving
that way now, with things like real-time thumbnailing in directory
listings. *

4. Lack of homogeneous environment. A virus infection on one machine is not a
virus infection. Computer viruses require a sizable pool of systems upon
which they can run, and a reasonable locality of those systems in order to
spread effectively. The current linux environment is actively virus-hostile
if only because even where you do find a few linux desktops that actually
talk to each other in a meaningful way (aside from email), their user
environments are often quite different. Imagine yourself a virus writer,
trying to work out where to hide his virus file on a large number of
systems, as a user. Do I have a single directory in my /home dir which
everyone here is guaranteed to have? I doubt it.

The other effect of the lack of homogeneous environment is in the system
libraries etc. We (the linux community) simply don't email executables
around. It's just not done because it's plain unreliable, even when it
doesn't twinge our security-paranoia. If I pick a random exec off my system
and post it to the list, A) I'd have to tell you guys to x-bit it when it
arrived at your end, and B) it probably wouldn't run anyway, because I run
debian-unstable updated some random number of days ago and half of my
libraries are wacked out versions that others of you just don't have.

Scripting tools such as perl provide a more reliable platform to write
against, at the cost of flexibility (marginally harder to "infect" an
executable with a perl script).


In the end, Linux is just so much harder to write viruses for that nobody is
likely to make the effort, and even if they did the chances of it managing
to infect a noticeable number of machines is limited. We're a much better
target for security-exploiting worms than we are for file-infecting viruses.

One day, this may change, but the focus of the community on continually
advancing security tools, and our willingness to learn from Microsoft's
mistakes (you don't see many people jumping up and down asking for
thunderbird to execute scripts in email automatically..) will keep us ahead
for quite some time to come.

As always, diversity remains a much greater strength for us than the
mass-production benefits of homogeneity. Sure, we lose out on some vendor
support, but trust in your computing platform should not be sold lightly.



* This only works in concert with the other aspects. It would be trivial
  enough to create an application that had an icon that made it appear to be
  a picture...but only under the right theme, and only under Nautilus *or*
  kdesktop, etc etc. Diversity works for us again.

-- 
Richard Clark,
Analysis and Design,
Red Spider Ltd.
(+64) 021 478 219
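Two of Richard's points above turn into a concrete check that an administrator can run on a user's home directory: whether a file's content (its first few bytes) agrees with what its name and executable bit claim, and whether the per-user startup hooks (.bashrc, .xinitrc and friends) that run at every login are writable by anyone other than their owner. The script below is an added example written for this archive page, not code from the thread or from any of the tools it names; the signature table is a deliberately small constructed subset of what file(1) knows, and the sample files it builds in a temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed subset of file signatures ("magic bytes"). A real detector such
# as file(1) knows far more; the point is that type comes from content, not name.
MAGIC = {
    b"\x7fELF": "elf-executable",
    b"#!": "script",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
}

# Extensions that a user reasonably expects to be passive data.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".txt"}

# Per-user startup hooks named in the post. They run as the user at login,
# so nobody but that user should be able to write them.
STARTUP_FILES = (".bashrc", ".profile", ".xinitrc")


def sniff_type(head: bytes) -> str:
    """Return a type name from the first bytes of a file, or 'unknown'."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def classify(path: str) -> dict:
    """Compare a file's content type with its extension and executable bit."""
    with open(path, "rb") as f:
        head = f.read(16)
    kind = sniff_type(head)
    ext = os.path.splitext(path)[1].lower()
    mode = os.stat(path).st_mode
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    findings = []
    if ext in DATA_EXTENSIONS and kind in ("elf-executable", "script"):
        findings.append(f"content is {kind} but name suggests data")
    if ext in DATA_EXTENSIONS and executable:
        findings.append("executable bit set on a file named as data")
    return {"name": os.path.basename(path), "type": kind,
            "executable": executable, "findings": findings}


def check_startup_files(home: str) -> dict:
    """Return startup hooks under `home` that group or others can write."""
    issues = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.exists(path):
            continue
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues[name] = oct(stat.S_IMODE(mode))
    return issues


def demo_scan() -> dict:
    """Build constructed sample files in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as home:
        samples = {
            "holiday.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),  # genuine JPEG header
            "cute.jpg": (b"\x7fELF\x02\x01\x01" + b"\x00" * 9, 0o755),   # ELF named as a picture
            "notes.txt": (b"#!/bin/sh\necho hi\n", 0o644),               # script, x-bit not set
            "tool": (b"\x7fELF\x02\x01\x01" + b"\x00" * 9, 0o755),       # ordinary executable
        }
        results = {}
        for name, (content, mode) in samples.items():
            path = os.path.join(home, name)
            with open(path, "wb") as f:
                f.write(content)
            os.chmod(path, mode)
            results[name] = classify(path)

        # Startup hooks: one with sane permissions, one left writable by all.
        for name, mode in ((".bashrc", 0o644), (".profile", 0o666)):
            path = os.path.join(home, name)
            with open(path, "w") as f:
                f.write("# constructed sample\n")
            os.chmod(path, mode)
        startup = check_startup_files(home)
    return {"files": results, "startup_issues": startup}


if __name__ == "__main__":
    report = demo_scan()
    for name, info in report["files"].items():
        status = "; ".join(info["findings"]) or "ok"
        print(f"{name:12} {info['type']:15} x={info['executable']!s:5} {status}")
    print("startup hooks writable by others:", report["startup_issues"])
```

Run as-is it scans only its own constructed samples; pointing `classify` at real files under a home directory and `check_startup_files` at that directory gives the practical check. Note that the x-bit test is independent of the content test: a genuine JPEG with mode 0755 is flagged too, since on a Unix desktop there is no good reason for a picture to be executable.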



