[conspire] linux antivirus?

Rick Moen rick at linuxmafia.com
Thu Sep 11 00:16:44 PDT 2003

Greetings, O Blue Boar, and welcome to CABAL.

Quoting Blue Boar (BlueBoar at thievco.com):

> Why don't you discuss RST.A, RST.B, and OSF?  Those are the most 
> "successful" Linux viruses I've seen in the wild.

There's the verbosity problem, for starters.  

The only places in those four essays where I've discussed specific
pieces of Linux malware were (1) bliss (to make the point that Linux
viruses are nothing new) and (2) the seven worms in
http://linuxmafia.com/~rick/faq/#virus3 (to make the point that those
are not themselves problems, but rather an aftereffect of a larger

Refreshing my memory of the ones you mention:

RST.A:  ELF infector.  Propagates by... well, it doesn't propagate.  You
have to be dumb enough to manually run an unknown binary from an
untrustworthy source.  Doing so would of course have no effect on system 
binaries except those in ~/bin, because you would never in a million
years -- even if you were stupid enough to run an unknown binary from an
untrustworthy source -- be so mindblowingly stupid as to do so as a
privileged (e.g., root) user.

Er, correct?  (Clouds are starting to gather over the discussion, at
this point.)

I mean anyone who commits those consecutively and additively stupid
steps is doing the equivalent of aiming a .45 at his foot and firing
repeatedly.  (The process also creates a backdoor on a high-numbered UDP
port, but that's not very relevant.)

RST.B:  ELF infector.  See remarks about RST.A.

OSF (aka OSF.8759):  ELF infector.  See remarks about RST.A.

Additionally to the above, I suspect that "successful" basically means
that a friend-of-a-friend once claimed that someone, somewhere, got
tricked in some very contrived set of circumstances, into running a
copy.  There is a long history of claims propagated by the antivirus
industry of "Linux viruses in the wild" that turn out, upon examination,
to have been cooked-up scenarios in the "wild" corner of some antiviral 
company's research lab.

I mean who the _fsck_ would run such stuff, and do so as root?  Maybe
some real moron gamer who hangs out on irc while running as root, gets
DCC'd some R4D K00L filez from another net.random, and like a blithering
idiot _runs them_?

We'll return to the matter of unbelievably stupid use of the root
account, below.  (You know it's coming, right?)

> >o  Don't the rise of Linux worms like Ramen, 1i0n, Red Worm, Adore,
> >    Cheese, lpdw0rm, and Slapper show that Linux now has a virus problem?
> You state at one point "cannot take over (infect) the local machine (or any 
> other): It lacks permission to do so. Nor can the other Linux/Unix viruses 
> / worms / trojan horses thus far known."
> The worms most certainly do so, that's the definition of a worm.

This is not exactly an accurate characterisation:  What they do is run a
canned remote exploit against some notoriously vulnerable, obsolete
version of a (usually overfeatured) network daemon -- usually BIND8,
wu-ftpd, rpc.statd, or lpd.  They do _not_ first come into the system
and then grind away at escalating authority via the equivalent of
running the "crack" utility, or searching the system from inside for
vulnerable privileged libs, or such.

Please note that I address that matter comprehensively in
http://linuxmafia.com/~rick/faq/#virus3 .

> I've personally tracked (at peak) thousands of infected linux machines
> for the three variants of lion and lpdw0rm.  Most of them get root by
> popping a root service, too.

1i0n ("lion") would have been around early 2001, and was an exploit
against the security basket-case BIND8 codebase.  BIND8 was well known
to be obsolete and untenable for future development, and so was being
limped along with patches as needed, until it could be abandoned.  
The from-scratch rewrite, BIND9, was released around October 2000, so 
I can understand admins still shying away from BIND9 versions in early
2001, until it had a track record.  _However_, what I cannot understand
is admining BIND8 at that extremely late date in its notoriously bad 
product history and not being aware of the need to be on some relevant
security-alert mailing list and act accordingly.

What I'm saying is that those thousands of Linux machines' sysadmins
were asleep at the wheel.  They therefore had much bigger problems than
"worms" -- like ineptitude.

Aside:  Unmaintained Red Hat boxes, right?  Thought so.

> I'm of the opinion that the market dominance thing is a valid argument, but 
> that's just my opinion.

At the risk of reiterating the point in
http://linuxmafia.com/~rick/faq/#virus4, where's that 1% Linux "virus"
traffic?  It's not there.  Not even 1%.  Not .01%.  Not .001%.  Absent.
On the other hand, SoBig.F _tripled_ the volume of incoming SMTP on my
quite busy mail server.  It hasn't gone down yet.

> It's only anyone's opinion until Linux is running on 90%+ of the
> desktops.  

No, it's not.  If market dominance were even a minor factor, then there
would be _some_ ongoing blitz of Internet virus traffic specific to Linux
servers and Linux scientific workstations.  But it's not there at all.

> Most of the people I know who use Linux as a desktop OS run as root....

I hope you warn them at all possible opportunities that they need to
shed the habit.

> I do. 

Whoops.  I'm sorry, but that's being Darwin's client.  It's something
people do who haven't yet figured out chmod, chgrp, the sgid bit, adding
yourself to necessary groups (but not those _not_ necessary), and
judicious use of sudo and "su -" (or "ssh -X root@localhost").

I mean, the very thought of running Web browsers and window managers,
let alone GNOME or KDE, with root authority is utterly ghastly.  I mean,
I barely trust myself with "mv" and "chown" at a root _shell prompt_,
and that's without help from buggy graphical cruft.

>  I also run my windows boxes as administrator.  

I'll be blunt:  That's equally stupid.  (You _did_ know I was going to
say that, I hope?)

> I don't get infected because I know what I'm doing, I know what
> malicious code looks like, and I know what risky behaviour is.  

Never mind being "infected", what about buggy software going haywire
with root or administrator authority?  What about mistakenly moving some
entire directory of crucial files with a careless swipe of your mouse?
Wielding maximum permissions all the time is foolish.

> The problem is ignorant users.  When all the ignorant users move to
> Linux, they will bring the malicious code problems with them.

Not really.  Consider the MUA matter.  We have 115 of them now 
(http://linuxmafia.com/~rick/linux-info/muas.html), including a
number that successfully cater to the traditional "desktop" crowd
(Evolution, KMail, Balsa, Sylpheed).  On every single one of the 115,
what happens if you mail them executable attachments?  Do they autorun
them on your behalf?  Nope.  

How _do_ you run them?  Well, first you save them to /tmp.  Then you can
run them.  No, wait!  That's not true:  The file gets saved with 644
permissions.  So, first you have to turn on the executable bit, _then_
you can run them.

Here's another for-instance:  Hey, everybody knows that Lindows OS is a
security disaster because you always are running with root authority,
right?  They got flamed enough for that.  Well, that actually wasn't
exactly the case:  In Lindows OS 1.0 only, the installation default
included a kdm option to autologin as a particular user, and it was
made easy to select that option and make the user be root.  Contrary to 
rumour, the security model and separation of privileged from
non-privileged EUIDs had _not_ been erased:  Regular Linux security was 
still in place and users were perfectly able to use non-root privilege,
by default or at will.

However, even _that_ created so much controversy that version 1.1 made
configuring the box during setup to autologin as root nearly impossible,
just to placate the critics.

The point is that the security model is deeply ingrained in both the
software architecture and the culture.  It can be sabotaged, but hardly
anyone can do so completely unconsciously.

(Can you tell me with a straight face that you had not the least notion
that it's considered reckless to do everything as root, and that you
aren't ignoring such advice quite deliberately?  A few people might be
able to honestly do so -- _if_ they've completely ignored all
documentation and glued their eyes and ears shut.)

> You can have all the security measures you like (NT4/2K/XP/2K3 
> have them) but ignorant users don't use them.

1.  NT4/W2K/XP/W2Kw/SP3 do _not_ entirely have them:  The NT (and
successor) security model is notoriously porous, with excessive
privilege available far too easily to processes.  Making separation of
privilege actually _usable_ was primitive for a long time.  (The 
"Run As" context menu option is new.)  Full system privilege is needed 
way more extensively than it should be.

In light of which, it's no wonder that people develop bad habits and
need to be weaned from them.

2.  As illustrated in the MUA example, the culture and architecture
_on Unix_ effectively give naive users a default barrier against
shooting themselves in the foot that they _can_ override, but only
through willful disabling that _should_ put people of modest
intelligence on notice of doing something reckless.

3.  There's no reason why truly naive users (at least, in a company or
institutional context) need to have root access on their machines in the
first place.  That's what sysadmins are for.

Heh.  Some of the above is in those Web essays.  Generally speaking, I
write those things to _avoid_ having to revisit the same points any

May those that love us love us; and those that don't love us, may
God turn their hearts; and if he doesn't turn their hearts, may
he turn their ankles so we'll know them by their limping.
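Added example, not part of Rick's message or of any of the linked essays:
a small POSIX shell script that checks the two barriers described above
(an attachment saved to disk with mode 644 cannot be executed until
someone deliberately sets the execute bit, and a program run with an
unprivileged user's authority can only overwrite files that user may
write, i.e. ~/bin rather than /usr/bin).  The temporary directory layout,
the file names and the fake "attachment" payload are constructed for the
demonstration; the "sysbin" directory stands in for a system directory
so the script never touches the real /usr/bin.

```shell
#!/bin/sh
# Added demonstration (not code from the original post).  Two checks:
#  1. A file written the way a mail client saves an attachment (umask 022,
#     no execute bit) cannot be run until chmod adds the execute bit; the
#     shell reports exit status 126 ("permission denied") for the attempt.
#  2. A file-infecting program inherits the privileges of whoever runs it,
#     so the only binaries it can overwrite are the ones that user may write.
# Directory and file names below are constructed for this demo.

set -u

# Write a file the way an MUA would: plain bytes, umask 022, mode 0644.
save_attachment() {
    (umask 022; printf '#!/bin/sh\necho payload ran\n' > "$1")
}

# Report whether the kernel would let us execute the file ("yes"/"no").
is_executable() {
    if [ -x "$1" ]; then echo yes; else echo no; fi
}

# Attempt to execute a file by absolute path; print the exit status.
# 126 means the shell found it but the kernel refused to run it.
try_exec() {
    rc=0
    ( "$1" ) >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Count regular files in a directory that the current user could overwrite:
# the set of binaries an infector running as this user could actually reach.
# (root bypasses the mode bits, so run this as an ordinary user.)
count_writable() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -w "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

demo() {
    work=$(mktemp -d)
    att="$work/attachment.sh"

    save_attachment "$att"
    echo "executable after save?      $(is_executable "$att")"   # no
    echo "exec status before chmod:   $(try_exec "$att")"        # 126
    chmod u+x "$att"   # the deliberate step the post describes
    echo "exec status after chmod +x: $(try_exec "$att")"        # 0

    # A ~/bin-like directory owned by us, and a /usr/bin-like one that is not
    # writable by us (mode 0555 stands in for root-owned system binaries).
    mkdir "$work/homebin" "$work/sysbin"
    printf 'x' > "$work/homebin/tool"
    printf 'x' > "$work/sysbin/ls"
    chmod 0555 "$work/sysbin/ls"
    echo "reachable in homebin: $(count_writable "$work/homebin")"   # 1
    echo "reachable in sysbin:  $(count_writable "$work/sysbin")"    # 0 unless root

    rm -rf "$work"
}

demo
```

Run it as an ordinary user; if you run it as root the last line will report 1
rather than 0, which is exactly the point Rick is making about wielding
root authority for everyday work.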
