Linux viruses -- everything you need to know!

    Linux expert Rick Moen upgraded his authoritative piece on viruses and Trojans in Linux two days ago.

    IT SHOULD BE A MUST READ FOR ALL LINUX USERS ... ESPECIALLY NEWBIES...

    One-sentence summary: You aren't in Windows any more, Toto...

    V. In Summary:

    There are real threats to Linux security. If you spend time looking for "Linux viruses" — which, by and large, can come at your system only if you get behind them and push — you might miss the real threats and not do something useful like studying your security profile and other measures.

    And yes, some "virus" author could in principle, some day, in the very worst-case scenario — if he/she were able to find a remotely exploitable Linux kernel network-code flaw unknown to everyone else — unleash a devastating and rapid, automated, surprise attack that clobbers (compromises) within one hour a large percentage of, say, worldwide Internet-connected i386 Linux servers' TCP/IP stacks, and thus gains root control.

    This would force all afflicted systems to be offline for a day to await the necessary patch and be rebuilt. That would be very annoying — but would hardly be unrecoverable. Moreover, I'll give very long odds against this or less-central failures happening, too — and lower ones for the same threat against practically every other OS.

    Why? Some of the reasons were articulated nicely in (separate) analyses by Nick Petreley, Eric Raymond, and Karsten M. Self:
    o System was designed for multiuser and networked operation from the ground up.
    o System was designed to distrust and not rely (in the general case) on remote procedure calls (RPCs), especially not between hosts.
    o System is profoundly modular, with the simplest, most generic possible interactions (often via pipes or textual interchange — even if then layered over sockets, etc.) between components (which can thus be individually changed, patched, upgraded, removed, or disabled as desired — without, in general, large interdependency consequences or cascade failures). Within that modular framework, functional substitutes exist and can be swapped in for almost all common security-relevant codebases. (E.g., if OpenSSH is having security problems, I can easily sidestep to LSH or any of several other SSH daemons. Ditto Web servers, ftp daemons, mail servers, etc. If need be, I can even change kernels.)
    o System doesn't give software excessive privilege or easy paths to escalation. Components run with high privilege are kept as small and carefully checked as possible. Interacting components seldom even run as the same effective user ID, and thus are in a poor position to subvert one another's resources.
    o As a result of the above, system state is highly transparent, lending itself to effective scrutiny and management via simple, well-understood tools (including ps, netstat, lsof, lslk, fuser, etc.).

    For details, please see Petreley, Raymond, and Self's more-comprehensive write-ups.

    Last modified: 2010-03-02
    rick@linuxmafia.com

    Copyright (C) 1995-2010 by Rick Moen. Verbatim copying, distribution, and display of this entire article (page) are permitted in any medium, provided this notice is preserved.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.

    #2
    Re: Linux viruses -- everything you need to know!

    I don't run any form of antivirus while in Linux, but I will say, it is not hard to write code that will act very 'virus-like' for Gnome/KDE. And it DOESN'T require root access to do some pretty hefty damage to an average user. Users just need to be aware that just because they are in a Linux environment doesn't mean they can open any attachment that comes along.

    mm0

    Dell Inspiron 1720 Laptop
    Intel T9300 Core2Duo Processor @ 2.5Ghz
    4 GB Ram | 1920 X 1200 Resolution
    2 X 160 GB SATA HD Internal
    Nvidia GeForce 8600M Graphics Adapter
    Using Kubuntu 9.10

      #3
      Re: Linux viruses -- everything you need to know!

      It says all i386 systems running a Linux kernel could be affected. So does that mean anyone running i686 and 64-bit kernels would be safe? I think with advancement of processors, the threat of viruses decrease as well as increase in some cases. I don't run anti-virus as well, but a user would be quite idiotic to open any attachment (and enter admin password) that he/she gets.
      AMD 64 Turon X-2, 4GB RAM, Kubuntu 12.04 LTS 64bit

        #4
        Re: Linux viruses -- everything you need to know!

        I agree with Rick:
        Should I get anti-virus software for my Linux box?

        The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Javascripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear.

        And yet it is.

        Here's the short version of the answer: No.
        If you simply never run untrusted executables while logged in as the root user (or equivalent), all the "virus checkers" in the world will be at best superfluous; at worst, downright harmful. "Hostile" executables (including viruses) are almost unfindable in the Linux world — and no real threat to it — because they lack root-user authority, and because Linux admins are seldom stupid enough to run untrusted executables as root, and because Linux users' sources for privileged executables enjoy paranoid-grade scrutiny (such that any unauthorised changes would be detected and remedied).

        Here's the long version: Still no. Any program on a Linux box, viruses included, can only do what the user who ran it can do. Real users aren't allowed to hurt the system (only the root user can), so neither can programs they run.

          #5
          Re: Linux viruses -- everything you need to know!

          Originally posted by thriller
          It says all i386 systems running a Linux kernel could be affected. So does that mean anyone running i686 and 64-bit kernels would be safe? I think with advancement of processors, the threat of viruses decrease as well as increase in some cases. I don't run anti-virus as well, but a user would be quite idiotic to open any attachment (and enter admin password) that he/she gets.
          Please read the ENTIRE article!

          Security has nothing to do with hardware. An i386 system, an i686 system, or a 64-bit Linux system are equally, and VERY, safe. The reason is well explained in Rick's article.

          Don't run as root, don't download unknown apps, or from unknown sources, don't give execute permissions to alien binaries. IOW, don't be stupid. Besides, an AV application can be just as susceptible to being infected as any other application, and it is usually given root permission.

          I don't run AV software. I used to run it for the benefit of my Windows-using friends so that any email I forwarded on to them wouldn't infect their computers, but almost all of my friends now run Linux. The rest will just have to take their chances -- which is 100% that they WILL get infected. THEN they'll ask me to "fix" their system. They KNOW what my fix is -- replace Windows with Kubuntu. 8)

            #6
            Re: Linux viruses -- everything you need to know!

            Who says it needs you to enter your password to do damage? It only needs a password to infect the root file system. Think of all the damage that can be done to a home directory, including autostart, emailing, etc. Also, all you have to do is get someone to open a .desktop file to get a bash script to run.

              #7
              Re: Linux viruses -- everything you need to know!

              The worst thing that ever infected my Kubuntu system was strigi ...

                #8
                Re: Linux viruses -- everything you need to know!

                hahahahaha! no kidding.

                  #9
                  Re: Linux viruses -- everything you need to know!

                  Originally posted by dibl
                  The worst thing that ever infected my Kubuntu system was strigi ...
                  Yeah, I haven't used the thing since it never worked on Hardy 8.04. I think KFind is still on the system, but why bother. The find, locate, and grep commands work better than any GUI file finder I've ever used.

                  Makes me wonder though, is Strigi still useless junk on Lucid 10.04?
                  Welcome newbies!
                  Verify the ISO
                  Kubuntu's documentation

                    #10
                    Re: Linux viruses -- everything you need to know!

                    Originally posted by muzicman0
                    Who says it needs you to enter your password to do damage? It only needs a password to infect the root file system. Think of all the damage that can be done to a home directory, including autostart, emailing, etc. Also, all you have to do is get someone to open a .desktop file to get a bash script to run.
                    "a password"? What password would allow doing damage to the root file system EXCEPT the root password? None. If you choose an adequate root password chances of privilege escalation are next to none. IF it were otherwise, you'd be reading about bot farms made of millions of Linux computers, but you don't.

                    However, you are right about damage to the home account. IF you download an infected binary (shame on you for visiting that malware site anyway or installing alien software!) and run it as you, it can ONLY do what you can do -- the worst being to delete your own home account. Big deal. You do make regular backups of your home account, don't you? Then just delete yourself as a user, delete what the malware didn't delete of your home account, recreate your home account, and reboot. Restore from your backup.

                    As far as the *.desktop email attachment is concerned, that attack vector was valid only on a few distros when it was first demonstrated and I doubt that it is valid on any now. For it to work now you would have to detach it and save it in your desktop directory, save the binary that it is supposed to "exec", then click on it. Three actions that, if you were to do it, would demonstrate that you are not being very smart about your admin duties.

                    BTW, in eleven years of using Linux I have yet to encounter ANY Linux virus, Trojan or other malware, let alone be infected. I used to play with Windows viruses using WINE just to see what they'd do. After they did their damage I'd investigate the "C:" directory and explore what was left and do an analysis of the code and/or script the virus left behind. Then, I'd delete WINE and reinstall it. Got boring after a while because there are only about 8 or so attack vectors for Windows, and the millions of viruses out there are just variations of those eight. Download a virus source, change the name of a variable slightly, recompile, and PRESTO! You have a "new" Windows virus which completely fools the signature datafile of all the AV products for several weeks or more.

                      #11
                      Re: Linux viruses -- everything you need to know!

                      Running Windows Viruses With Wine

                        #12
                        Re: Linux viruses -- everything you need to know!

                        I've been using Linux for 6 years, and in all these years I haven't heard of any credible report of actively spreading Linux viruses. I can't say that about Windows; last time I checked there were about 250,000 pieces of malware (and that might tell you that I looked up that info a couple of years back).

                        No, Linux is not secure (no computer program that is longer than 10 lines is free of bugs), but yes, there's a big difference.

                        all you have to do is get someone to open a .desktop file to get a bash script to run.
                        That's why in KDE4 new .desktop files have an attention mark and you are asked if you are sure you want to run them. If you say "yes" you are on your own.
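                        The .desktop vector discussed in the two posts above (an Exec line that launches a script dropped in the home directory, and KDE4's check of the executable bit before running such a file) can be audited from the defender's side. The Python script below is an added example, not code from this thread or from KDE: it parses the [Desktop Entry] group of each autostart file and applies three heuristics assumed here (Exec referencing a user-writable path, Exec wrapping an inline sh -c command, and a missing executable bit); the sample files are constructed in a temporary directory.

```python
from pathlib import Path
import re, stat, tempfile

def parse_desktop(text):
    """Return the [Desktop Entry] group of a .desktop file as a dict."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # group header switches context
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def audit_entry(path, home):
    """Return findings for one autostart .desktop file (empty list = clean)."""
    cmd = parse_desktop(path.read_text()).get("Exec", "")
    tokens = [t.strip("\"'") for t in cmd.split()]
    # Heuristic (this example's own): launchers under $HOME or tmp dirs are suspect.
    risky = (str(home).rstrip("/") + "/", "/tmp/", "/var/tmp/", "/dev/shm/")
    findings = []
    if any(t.startswith(risky) for t in tokens):
        findings.append("Exec references a user-writable path: " + cmd)
    if re.search(r"\b(sh|bash)\s+-c\b", cmd):
        findings.append("Exec wraps an inline shell command: " + cmd)
    if not path.stat().st_mode & stat.S_IXUSR:
        findings.append("file lacks the executable bit KDE4 checks before launching it")
    return findings

def audit_autostart(home):
    """Map each ~/.config/autostart/*.desktop name to its list of findings."""
    autostart = Path(home) / ".config" / "autostart"
    return {p.name: audit_entry(p, home) for p in sorted(autostart.glob("*.desktop"))}

def demo():
    """Constructed sample home: one benign launcher, one dropper-style entry."""
    home = Path(tempfile.mkdtemp())
    autostart = home / ".config" / "autostart"
    autostart.mkdir(parents=True)
    samples = {"kmix.desktop": ("Exec=/usr/bin/kmix\n", 0o755),   # system binary, executable
               "updater.desktop": (f"Exec=sh -c '{home}/.cache/.x/update.sh'\n", 0o644)}
    for name, (exec_line, mode) in samples.items():
        path = autostart / name
        path.write_text("[Desktop Entry]\nType=Application\nName=x\n" + exec_line)
        path.chmod(mode)                  # 0o644 leaves the dropper non-executable
    return audit_autostart(home)
```

Point audit_autostart() at a real home directory to list which autostart entries trip the heuristics; the constructed dropper entry trips all three, the KMix launcher none.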

                          #13
                          Re: Linux viruses -- everything you need to know!

                          The only virus that has ever infected my Linux machine is me. I start playing around and changing things and break my machine. But how else will I learn?

                            #14
                            Re: Linux viruses -- everything you need to know!

                            Originally posted by Detonate
                            I start playing around and changing things and break my machine.
                            That kind of experimenting is why we have virtual machines. Install Kubuntu in a VM and make a snapshot. Then do your experimenting, and if you hose something you can just restore the snapshot. After each system update or software installation, update the snapshot.

                              #15
                              Re: Linux viruses -- everything you need to know!

                              I know I'm going to get flamed for this, but I think it still needs to be said:

                              If you are running Linux, even just on a laptop that is used only by yourself, you aren't just a user anymore. You are now a system administrator, and that means that the security and reliability of your system is in your hands, and not someone else's. You still have to act responsibly, making sure all security updates are installed, thinking twice (or more) about what you download and where you download it from, checking package integrity before installing it, and learning what the software does and how it does it. And while viruses are rare, rootkits are still possible, and you should (in my opinion) know how to use, and be running, a firewall, rkhunter, and maybe debsecan if you are really paranoid or cautious. Right, this isn't Windows any more, and you can't expect somebody else to watch over your system for you -- it's your job.
                              We only have to look at ourselves to see how intelligent life might develop into something we wouldn't want to meet. -- Stephen Hawking
