Viruses are, by definition, malicious pieces of code that replicate themselves. They can do this through a variety of methods, including “infecting” other executable files or spreading macros and other forms of executable content (e.g. JPEGs). Viruses are most commonly spread by users sharing files, which is especially easy with email, and with such a wide variety of content being available on Web and FTP servers.
Most viruses do not really gain the author anything – they simply damage data and computer systems. Very few do anything, like stealing passwords or implementing backdoors (although this is changing, especially with distributed denial of service tools becoming very popular). Currently, the most common viruses are mostly macro viruses for Microsoft Office products like Word, Excel, and Access, for a number of reasons:
-
Poor security controls on macros (you can turn them off, but many macro viruses re-enable macro support when run).
-
File types such as DOC and XLS are commonly emailed around between people, so it isn’t too suspicious to receive them via email.
-
Almost all Windows computers have MS Office installed.
-
It is remarkably easy to write these macro viruses, and even easier to modify them.
Currently, there are no universal office suites for Linux, although Star Office is starting to gain ground (especially now that it is open source and free, as in free beer). StarOffice supports Java and JavaScript, which as we all know are ripe targets for attackers. The default is to install Java and JavaScript support for StarOffice. However, most Linux machines have no StarOffice-accessible Java installed (i.e. Netscape doesn’t count). But, you can insert JavaScript code into documents, so there is definitely the potential for macro-like viruses for StarOffice.
There are other infection vectors for Linux. As with Windows, many users download third-party applications and install them (usually as root). It is trivial to create what looks like a legitimate program (“DVD ripper and VCD encoder for Linux version 2.34”). Many users will install it, and when it fails to work as expected, they may uninstall it or forget about it. Meanwhile, the virus payload has been delivered. Even legitimate programs can be subverted, and even though the most popular packaging format (RPM) supports digital signatures, very few users bother to check them. Software on popular sites has been Trojaned in past, and even though the PGP signature attached was completely bogus, it’s usually downloaded by more than a few people before anyone actually checks it and alerts the site.
There is some good news (not a whole lot though). If a user runs a program as a normal user account, chances are it cannot write to system binaries. This significantly decreases the effectiveness of viruses delivered via email or other data sources, since they can only modify a user’s files and not infect the system. The reason this is so effective in Windows is that default file permissions in NT are “everybody – full control” (and many sites do not tighten this), and of course Windows 9x has no file permissions. The flip side of this is that most Linux machines have at least one (or many) local root exploits. Examples include Perl, mail, Sendmail, the Linux kernel itself, and much more. Unless an administrator keeps the machines up-to-date, a sophisticated virus could exploit a weakness and modify system files, or install Trojans and backdoors. Unfortunately, most machines are not kept up-to-date very well, and even if they are, there is a window of opportunity between vulnerabilities being reported and vendor upgrades being issued (although Linux has some of the lowest averages, in some cases ,<24 hours). This makes writing an effective virus for Linux harder than – but not much harder than – writing any old virus for Linux.
The best defenses against Linux viruses are as follows:
Do not run software or other executable content from untrusted sources. This includes Java and JavaScript in Web pages and documents, rpm’s and dpkg’s from unknown sites, and compiling and installing untrusted source code.
If possible, check the GnuPG or PGP signature on the RPM file, or the detached signature for tarballs and dpkg. You must get the GnuPG/PGP securely. Using a public keyserver is not terribly secure. Copying them off of a vendor’s CD-ROM (such as SuSE) is an example of how to do it securely. Use “
rpm |
Download software from official sites or official mirror sites. While it’s nice that people mirror software and make it available, there is an issue of trust. And since most people do not check package signatures, it is too easy for attackers to set up a site and merrily let people download software.
Make regular backups, preferably several copies, and store them on write-protected media.
Acquire an antivirus scanner and use it properly (more on this in the next article).
Essentially, it boils down to normal “best practices” – keeping software up-to-date, not running untrusted code, and so forth. As time goes on and Linux starts to make more well-paved inroads to the desktop platform market, it will become a more and more popular target for viruses. Currently there are design decisions that will affect the long-term effects of viruses on Linux. Already network clients such as Xchat (an IRC client) have been found to improperly handle URLs that users click. While not a virus problem per se, this weakness is indicative of forthcoming problems (and new vectors for infection). As with Windows, the tight integration of WWW content into other programs will lead to problems as Java and Javascript vulnerabilities (among others) come into play.
SecurityPortal is the world’s foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
http://www.SecurityPortal.com
The Focal Point for Security on the Net ™