[conspire] linux antivirus?

Rick Moen rick at linuxmafia.com
Wed Sep 10 21:06:31 PDT 2003


Quoting Tom Macke (macke at scripps.edu):

> Our head IT guy just asked me if I knew of any linux "antivirus" package
> that we could get.  I think I saw that there was recently a linux virus,
> but just figured that that solution was keep the patches current.  Any
> suggestions?

OK, I also promised to address case #2, which was:

2.  Quarantining and scrubbing of other files on Linux to protect
against Linux malware.

I also said:

   I'll probably get to case #2 later, because that's where discussion
   tends to become endless and branch out in lots and lots of
   directions.  Why?  Because the short form of the answer is "There'd
   be no point.  Linux malware may be easy to create but it's in
   practice impossible to propagate, because of cautionary mechanisms
   that are enforced by Linux architecture and culture.  Any attempt
   at an 'antiviral' package would be a huge system threat in itself,
   and would tend to give wielders of root-user access a false sense
   of security, since that privilege is already a much bigger threat
   to the system than malware (viruses, etc.) is."

I have four consecutive essays on the "Linux virus" topic, readable
starting at:

http://linuxmafia.com/~rick/faq/#virus

They address:

o  Should I get anti-virus software for my Linux box? 
o  But didn't security expert Simson L. Garfinkel say that all Linux
   systems need to run virus checkers?
o  Don't the rise of Linux worms like Ramen, 1i0n, Red Worm, Adore,
   Cheese, lpdw0rm, and Slapper show that Linux now has a virus problem? 
o  Isn't Microsoft Corporation's market dominance, making Linux an
   insignificant target, the only reason it doesn't have a virus problem? 

The essays are... sort of badly organised, and aren't the way I'd
approach the matter today, but they weren't written as a whole, but
rather started from one or two observations and then grew additional
material and sub-points the way a dog gets fleas.

Nonetheless, somewhere in that lengthy mess are my answers to pretty
much all of the debate points about Linux viruses (and mainly the
native-Linux variety contemplated in case #2, as opposed to other-OS
viruses transiting through Linux in Samba shares, NFS shares,
mailspools, etc.)


Note:  I'm certainly not saying that software vulnerabilities don't
create threats.  I don't deny that you can easily create a Linux virus.
In fact, to save the trouble, here's one you can download:
http://math-www.uni-paderborn.de/~axel/bliss/bliss.txt
Do "uudecode" and then gunzip to unpack it.  Name it "bliss".  Last,
don't forget to chmod u+x the thing, to make it executable.

Isn't it cute?  It's a gen-u-ine Linux virus, coded as an i386 ELF
binary.  No fooling.  But are you frightened?  I mean, there's a real,
Linux virus, right there on your Linux computer's hard drive.  It's even
executable!  It's going to run and then spread everywhere, right?

Well, no.  It's just sitting there -- which is what _even_ a mean, nasty
piece of malware does if you've somehow contrived to put it on a Linux
box, unless and until you make it executable and run it.  And what
happens if you run it?  It can do stuff -- potentially, whatever the
user it runs as can do.  If you run it with your user authority, it can
do any damage that you yourself could do.  But why would you run it?

A point:  By and large, processes don't run themselves.

That key observation tends to get lost on MS-Windows users, because,
from their perspective, it (often) seems that things just happen without
anyone being in charge.  The notion of malware not being able to do
anything because you _don't run it_ doesn't occur to them.

In fact, MS-Windows can be (pretty much) safe from viruses in about the
same way, like this:

1.  Don't run untrustworthy software.
2.  Don't run software that autoruns untrustworthy software on your behalf.
3.  Have recovery plans for when sundry mishaps happen. 

For many years when I ran MS-Windows, that was my _sole_ antivirus
protection, and it worked.  Rule #2 meant no MS-Internet Explorer,
MS-Outlook Express, or MS-Outlook, since those have a dismal history of
autorunning "active content" from random locations on the Internet
against all common sense.  

It also meant that MS-Word and MS-Excel were liabilities on account of
the AutoOpen macro feature, which was/is the key design error in them
that made possible the entire category of VBA macro viruses.  Prior to
Word/Excel 97 or so, you quasi-fixed this design error by downloading
scanprot.dot for Word and xlscan.xls (I think) for Excel, which
installed _protective_ macros in (respectively) the normal.dot and
personal.xls global-defaults files, so that Word and Excel no longer 
auto-ran document macros (let alone without telling you) just because
you've opened the document.  _Only_ after installing those protections
did I consider Word/Excel safe to use.

You're probably seeing a running theme, here:  programs auto-running
stuff that nobody in his right mind would trust, without even consulting
the user.  Unacceptable.  And yet, this is what _most_ MS-Windows users 
accept daily, without a second thought.

(MS-Windows software references above date to the Win95/Office95 days,
but the same principles still apply.)

And doesn't this also happen on Linux, you might ask?  Not really.  It
could, but the large and active technically aware portion of the
community would apply a cluestick to the programmer until he fixed it.
For example, you cannot find among the 115-odd e-mail clients for Linux
even _one_ that automatically executes "attachments" received in the
mail.

Software is designed to not require excessive system authority to
operate.  Generally, on account of how the system is designed, it's
difficult to get in trouble from malware even if you're dumb enough to
over-use the root-user account -- or, at least, malware is the least of
such users' worries, as they themselves are far more likely to cause
system damage.

The areas where problems or potential problems occasionally crop up
include /etc/mailcap and mime.types entries, which sometimes prove to be
insufficiently paranoid about what is allowed to handle received files
and with what runtime options.  But the point is that such matters are
heavily scrutinised and tweaked, usually far in advance of even
theoretical exploits.

I'm deliberately _not_ replicating what's in my four rambling virus
essays, so I'd appreciate it if people would slog through those before
begging to differ with the above.  (Sorry about their length.)

-- 
Cheers,                              "Azathoth need not be present to win."
Rick Moen                                       -- Charles O. Baucum, Jr.
rick at linuxmafia.com
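
As an added illustration of the /etc/mailcap point made above (this is not part of Rick's post, nor any distribution's own tooling): a small audit script that parses a mailcap file and flags handler entries that run the received file directly, hand it to an interpreter, apply to every MIME type, or leave %s unquoted. The mailcap fragment is constructed for the demo, and the checks are review heuristics, not a complete policy.

```python
import re
import shlex

# Constructed /etc/mailcap fragment for the demo (not from any real system).
SAMPLE_MAILCAP = """\
# viewer entries; backslash-newline continues a logical line
text/plain; less '%s'; needsterminal
image/png; display '%s'; test=test -n "$DISPLAY"
application/pdf; xpdf %s; description="PDF viewer"
application/x-sh; sh %s; needsterminal
application/x-executable; %s
*/*; xdg-open '%s' \\
  ; copiousoutput
"""

INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3", "ruby"}

def parse_mailcap(text):
    """Split RFC 1524 mailcap text into entries: type, command, options.
    Simplification: a literal ';' inside a command is not un-escaped."""
    text = re.sub(r"\\\n", "", text)  # join continuation lines
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = [p.strip() for p in line.split(";")]
        if len(parts) >= 2:
            entries.append({"type": parts[0].lower(), "command": parts[1],
                            "options": [p for p in parts[2:] if p]})
    return entries

def audit_entry(entry):
    """Heuristic review of one handler; returns a list of finding strings."""
    findings = []
    words = shlex.split(entry["command"])
    head = words[0].rsplit("/", 1)[-1] if words else ""
    if head == "%s":                  # the attachment itself is the program
        findings.append("runs attachment directly")
    elif head in INTERPRETERS and "%s" in words:
        findings.append("runs attachment via interpreter")   # e.g. "sh %s"
    if entry["type"] == "*/*":        # every unrecognised type gets a handler
        findings.append("catch-all type")
    if re.search(r"""(?<!['"])%s(?!['"])""", entry["command"]):
        findings.append("unquoted %s")   # check how the client substitutes it
    return findings

def audit_mailcap(text):
    """Map each MIME type that has findings to its findings."""
    return {e["type"]: f for e in parse_mailcap(text) if (f := audit_entry(e))}
```

Run it against a real /etc/mailcap or ~/.mailcap by reading the file into audit_mailcap(); entries with no findings are omitted from the result.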
