A Computer Virus on Linux (informed discussions only please)

Fire Boar
Carrying on from an interesting side-discussion on this topic, I thought it would be a good idea to bring this into its own thread so it can be discussed properly. This is largely in response to reply #12 in that topic by moofang.

Here is what I know about vira, and their prospects on the Linux operating system.

Certainly, a virus could in THEORY be written for Linux. However, it would have a MUCH tougher job doing what it wants to do. That, in essence, is what makes Linux secure. Not its lack of use on home PCs.

Think for a moment. Viruses are big business. Which, therefore, is a better target for a virus? Is it some random person's home desktop running Windows, or is it the big banks with valuable financial information stored securely on Linux servers? The banks, clearly. Yet there still exist virtually no vira for Linux. Why would that be?

The reason is that finding a flaw in Linux that allows the virus to get in is so difficult. With thousands of kernel developers, all having full access to the source, any security problems are exposed almost immediately! Of course, occasionally one is discovered, and a Linux virus becomes feasible... until the next kernel release in which the hole is fixed, a few weeks later, and everyone updates.

Here are some more reasons, aside from the kernel, that Linux is a very hostile environment for a virus, and that vira for Linux users are nothing more than interesting conversation and something that happens to other people.

First of all, let's take a look at how vira infect your system. They run a program that infects (generally by wrapping around the file) one or more executables. These are either targeted system files, or just anything it can get its hands on. A clever Linux virus might look for a script with "sudo", "gksu", "gksudo", "kdesu" or "kdesudo" in it somewhere, and insert a line underneath it that performs another sudo command, forked off into another process. Because of the 5 minute ticket that sudo provides, this would cause the script to behave normally and additionally, in the background, access your system files.

This seems to be the most likely way that a virus can work. But there is a problem. See, the sudo commands can only be done via a script. If a script is tampered with, the virus code is in broad daylight. One need only look at the script for warning signs to go off. Besides, all scripts that aren't written by the user are generally owned by root in the first place. Which brings us to the next point.

To infect a file, the virus needs write access. In a typical Windows setup, every user can by default write to almost all files on the system. Not so in a Linux system - unless the user is deliberately flamboyant about accounts, they will be running as an unprivileged user, who can only access certain things and needs to elevate each time they need to do administrative things. This means that applications only ever require root execution if absolutely necessary, in other words, they are designed with security in mind. If the virus cannot gain the root access it needs, there is very little it can do.

Viruses survive by being stealthy, but they also have to be executed. You might download a file, and try to open it. Say it was a jpeg file which wanted to be executed (yes, such things can exist). The thing is, files by default on Linux are set to 644 access, that is, "Owner can read and write, everyone else can only read. Nobody can execute.". This can be changed manually by the user, but for an image? Why would anyone need to execute an image? On Windows, if an executable file is clicked, it will be run, no questions asked.

Therefore, say you download a Linux virus in an email. Being stupid, you click "open" instead of "save". Suddenly you find that it throws an error, because it can't be opened, because you don't have permission to execute the newly received file until you tell the operating system you want that permission. When installing a program, permissions are changed automatically, but just downloading a binary executable requires you to change its permissions before being able to execute it.
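The two mechanisms this post leans on, the 0644 default that stops a downloaded file from being executed and the need for write access before any file can be infected, can both be checked from a shell. The script below is an added example and is not part of the thread: it creates a constructed one-line script, shows that the kernel refuses to run it at mode 0644 but runs it at 0755, and then lists world-writable files under a directory, which are the only files outside the home directory an unprivileged process could overwrite. The scratch directory name and the `demo` argument are choices made for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): exercises the permission model the
# post describes. A freshly created file carries mode 0644, so the kernel
# refuses to execute it until the user deliberately adds an execute bit; the
# second function lists files an unprivileged process could overwrite.

# Write a constructed one-line script into a scratch directory under the
# current directory, give it the requested mode, and try to run it.
# Returns 0 if it ran, 1 if execution was refused (the 0644 case).
try_run_with_mode() {
    mode="$1"
    dir=$(mktemp -d "${PWD}/permdemo.XXXXXX") || return 1
    script="$dir/downloaded.sh"
    printf '#!/bin/sh\necho ran\n' > "$script"
    chmod "$mode" "$script"
    if "$script" >/dev/null 2>&1; then
        rc=0
    else
        rc=1          # the shell reports "Permission denied", exit status 126
    fi
    rm -rf "$dir"
    return $rc
}

# Print every regular file under the given directories that is world-writable
# (permission bit o+w, octal 002). A virus running as an ordinary user can
# only infect files it can write, so for system directories such as /usr/bin
# and /etc this list should normally be empty.
find_world_writable() {
    find "$@" -xdev -type f -perm -002 2>/dev/null
}

# Stand-alone demonstration: run as `sh permdemo.sh demo`.
if [ "${1:-}" = "demo" ]; then
    if try_run_with_mode 644; then
        echo "mode 0644: executed (unexpected)"
    else
        echo "mode 0644: execution refused, as the post describes"
    fi
    if try_run_with_mode 755; then
        echo "mode 0755: executed after the user added the execute bit"
    fi
    echo "world-writable files under /etc and /usr/bin:"
    find_world_writable /etc /usr/bin
fi
```

The 5-minute sudo ticket the post mentions is configurable: `sudo -k` drops the cached ticket immediately, and `Defaults timestamp_timeout=0` in sudoers makes every sudo invocation prompt for a password, which removes the window in which a background process could ride on an earlier authentication.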
moofang
You are accurate in your description of Linux's robust security framework, of course. All I was trying to say is that not even Linux can be 100% safe from malware (I did not limit it to viruses either). As you have described, it's a tough and thankless job to write a virus for Linux, but it's not an impossible task, and it has been done before. And when we talk of malware in general, it's really not that hard to create software that would wreak mischief even in Linux, as long as you can entice users into actually downloading it.

Anyway, I think you made good arguments in general, but here are a few things I'm not so in agreement with.

Fire Boar wrote:
Think for a moment. Viruses are big business. Which, therefore, is a better target for a virus? Is it some random person's home desktop running Windows, or is it the big banks with valuable financial information stored securely on Linux servers? The banks, clearly. Yet there still exist virtually no vira for Linux. Why would that be?


Well, there is a lot of critical and valuable information stored on Windows servers too. How come they have not been torn down? Because critical servers are very very closely protected and watched. So it is clearly (grossly!) unfair to compare a home computer running Windows with a critical Linux server. Even if we consider the vice versa, and compare a critical Windows server with a home Linux box, I'm pretty sure the Linux box is the easier prey, although admittedly still a hoot tougher than a home Windows system.

Fire Boar wrote:
But there is a problem. See, the sudo commands can only be done via a script. If a script is tampered with, the virus code is in broad daylight.


Disagree. Apart from the obvious fact that sudo can be run manually, even if your sudo is in-script, scripts almost always invoke binary programs, and can thereby potentially confer to them sudo powers in turn. So a virus can nonetheless attain root powers stealthily by infecting the right binaries.

The 5 minute limit on sudo is a hurdle of course, but if a virus can EVER get sudo powers at all, 5 minutes is all the time in the world it ever needs to infect everything it wants. After that, any sudo command you make will potentially wake a dormant virus copy.

Finally,
Fire Boar wrote:
If the virus cannot gain the root access it needs, there is very little it can do.


While this is true, if we speak of malware in general, you CAN create quite a bit of mischief even without root permission, like inserting an annoying popup into your list of session startup programs.

To sum it up, I think Linux's security does not stem entirely from its software features, but also from its community. One of the reasons I think that Windows computers are so vulnerable is that Microsoft only provides so much, and so Windows users tend to get their peripheral software from a plethora of third parties - a good proportion of them with not-so-good intent. In contrast, virtually everything you ever need on Linux is open source and developed by a healthy community - because when users find something they like, they not only download and use and forget, they get involved too, in both developing and testing and suggesting. The result is that you almost never need to hunt around potentially shady sites with closed source third party applications. As frequently touted in the previous thread, Linux is about openness and freedom.
Fire Boar
You make great counter-points!

Counter-point 1: This is perfectly true, and there are a lot of things you can do with both Windows and Linux servers to make them more robust. My point was that on the whole, Linux is a lot more trusted by those who really need top high security. You see more high-security Linux servers than high-security Windows servers around, especially now Linux has become as mature as it is. On the contrary, to name just one example, to get Windows Server 2008 up to the security that Debian Etch boasts out of the box takes a fair bit of effort.

Counter-point 2: True enough. But why run sudo manually on a dodgy program? I suppose there could be a mechanism for seeing if sudo has been run recently and if so, use sudo to gain root powers, infect your system as much as it pleases... yeah. That would work. Actually, it gets all the time it wants, because the 5 minutes is reset each time you use sudo.

Counter-point 3: Perfectly true, of course. But this stuff can be easily tracked down: it's limited only to your home directory.

My biggest argument for security is that if you use the repositories (which you should be doing - much easier than tarballs and slightly easier than debs) you're only ever installing software approved by the Ubuntu community, that is, found to be completely free of harmful or deceitful code. You always know what's going on in your machine with Linux because you put it there in the first place. Unless you're using something like... ah... "Ultimate Edition". *shudder*
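Both posters agree that user-level mischief such as an added session startup entry is confined to the home directory and can be tracked down there. The script below is an added example, not code from either poster: it lists what the desktop session will launch from the XDG autostart directory (`~/.config/autostart/*.desktop`, skipping entries marked `Hidden=true`) and flags any entry whose command lives inside the home directory, since that is the one place an unprivileged process can normally write. The directory and home path are parameters so the functions can be pointed at a constructed directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit the per-user autostart directory,
# where an unprivileged process can register something to run at every login.

# Print "<file>: <Exec command>" for each autostart entry the session would
# honour. Entries with Hidden=true are ignored by the desktop, so skip them.
list_autostart() {
    dir="${1:-$HOME/.config/autostart}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        if grep -q '^Hidden=true' "$f"; then
            continue
        fi
        exec_line=$(grep '^Exec=' "$f" | head -n 1 | sed 's/^Exec=//')
        printf '%s: %s\n' "$f" "$exec_line"
    done
}

# Print the .desktop files whose program lives under the home directory.
# System-installed helpers normally live in /usr, so a command under $HOME
# is worth a look: it was put there by something running as the user.
flag_home_commands() {
    dir="${1:-$HOME/.config/autostart}"
    home="${2:-$HOME}"
    list_autostart "$dir" | while IFS= read -r line; do
        file=${line%%: *}
        cmd=${line#*: }
        prog=${cmd%% *}            # first word of the command line
        case "$prog" in
            "~"*) prog="$home${prog#\~}" ;;   # expand a leading ~
        esac
        case "$prog" in
            "$home"/*) printf '%s\n' "$file" ;;
        esac
    done
}

# Stand-alone run: audit the current user's autostart directory.
if [ "${1:-}" = "audit" ]; then
    echo "autostart entries:"
    list_autostart
    echo "entries whose program lives under $HOME:"
    flag_home_commands
fi
```

A flagged entry is not proof of anything; plenty of legitimate user tools install themselves this way. The point is that it shows up in one place, without root, which is what makes this class of mischief easy to find and remove.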
© 2005-2011 Frihost, forums powered by phpBB.