[conspire] linux antivirus?

Blue Boar BlueBoar at thievco.com
Thu Sep 11 18:29:26 PDT 2003


Rick Moen wrote:
>Greetings, O Blue Boar, and welcome to CABAL.

Thank you.  Apologies for introducing myself by disagreeing with you. 
Sometimes it's things like that that prompt one to delurk. :)

>>Why don't you discuss RST.A, RST.B, and OSF?  Those are the most 
>>"successful" Linux viruses I've seen in the wild.
> There's the verbosity problem, for starters.  
> 
> The only places in those four essays where I've discussed specific
> pieces of Linux malware were (1) bliss (to make the point that Linux
> viruses are nothing new) and the seven worms in
> http://linuxmafia.com/~rick/faq/#virus3 (to make the point that those
> are not themselves problems, but rather an aftereffect of a larger
> problem).

I mean "why don't you discuss them, since they are the examples of
'successful' linux viruses in the wild" not "your linux virus list is 
incomplete."

> Refreshing my memory of the ones you mention:

Yes, they are just plain binary infectors, your classic virus (with
backdoors too, but that's not particularly relevant here.)

> Additionally to the above, I suspect that "successful" basically means
> that a friend-of-a-friend once claimed that someone, somewhere, got
> tricked in some very contrived set of circumstances, into running a
> copy.  There is a long history of claims propagated by the antivirus
> industry of "Linux viruses in the wild" that turn out, upon examination,
> to have been cooked-up scenarios in the "wild" corner of some antiviral 
> company's research lab.

No, it means that I personally was in contact with a number of people who
were infected in the wild, and at one point had access to the central
control mechanism which gave me an idea of how many infected hosts there
were.  I also happened to have disassembled each so I have some idea how
they work, and I got to help name OSF.  I obtained copies of all three from
people who fell for it, and got themselves infected.

If you're curious, the bait was that they were attached to (in some cases
apparent) 0-day exploits that required root to run.  They would still
infect your files if you didn't run them as root.  So, at least some people
who have at least a passing familiarity with security concepts got
themselves infected by doing something risky.

> 
> I mean who the _fsck_ would run such stuff, and do so as root?  Maybe
> some real moron gamer who hangs out on irc while running as root, gets
> DCC'd some R4D K00L filez from another net.random, and like a blithering
> idiot _runs them_?

Yes, that's about right.

> This is not exactly an accurate characterisation:  What they do is run a
> canned remote exploit against some notoriously vulnerable, obsolete
> version of a (usually overfeatured) network daemon -- usually BIND8,
> wu-ftpd, rpc.statd, or lpd.

So what about that makes them not worms that spread between hosts?

> They do _not_ first come into the system
> and then grind away at escalating authority via the equivalent of
> running the "crack" utility, or searching the system from inside for
> vulnerable privileged libs, or such.

So?  Generally speaking, worms don't do that.  (Off the top of my head, the
Morris worm is the only one I know that acts like that.)

> 
> Please note that I address that matter comprehensively in
> http://linuxmafia.com/~rick/faq/#virus3 .

If I thought you had explained it there to my satisfaction, I wouldn't have
asked. :)

Seriously, you make the claim that worms don't spread between Linux hosts,
then you define worm, and use examples of worms that spread between Linux
hosts.  Are we having a terminology problem?

> 1i0n ("lion") would have been around early 2001, and was an exploit
> against the security basket-case BIND8 codebase.  BIND8 was well known
> to be obsolete and untenable for future development, and so was being
> limped along with patches as needed, until it could be abandoned.  
> The from-scratch rewrite, BIND9, was released around October 2000, so 
> I can understand admins still shying away from BIND9 versions in early
> 2001, until it had a track record.  _However_, what I cannot understand
> is admining BIND8 at that extremely late date in its notoriously bad 
> product history and not be aware of the need to be on some relevant
> security-alert mailing list and act accordingly.
> 
> What I'm saying is that those thousands of Linux machines' sysadmins
> were asleep at the wheel.  They therefore had much bigger problems than
> "worms" -- like ineptitude.

The vulns those worms used were all between 6 and 12 months old at the time
the worm was launched.  Yes, the boxes were running unmanned... that's the
point.  As you have more Linux boxes that are not admined properly, the
more successful Linux malicious code will be.

That's what enables Windows malicious code to spread, too.  Bad
administration.  What's the difference?  (I will grant you that there are
_more_ options to run the bad program on Windows, but they are not
non-existent on Linux, and many worms don't need that to begin with.)

> 
> Aside:  Unmaintained Red Hat boxes, right?  Thought so.

The majority of them, a few SuSE, too.

> At the risk of reiterating the point in
> http://linuxmafia.com/~rick/faq/#virus4, where's that 1% Linux "virus"
> traffic?  It's not there.  Not even 1%.  Not .01%.  Not .001%.  Absent.
> On the other hand, SoBig.F _tripled_ the volume of incoming SMTP on my
> quite busy mail server.  It hasn't gone down yet.

I used to work at SecurityFocus, on the DeepSite (nee ARIS) project, which
tracked network attacks world-wide.  At peak, some Linux worms would
account for 15% of the attack traffic for the day.  Where do you think the
LPR probes come from?

4, 2003-07-13 10:30:24, 2003022, TCP_Probe_Lpr, 211.5.211.26, dns1.jpframe.co.jp, 64.167.139.58, , port=515&reason=RSTsent, 1, B, 1425, 515, 0x148006
4, 2003-07-17 02:35:15, 2003022, TCP_Probe_Lpr, 211.22.200.245, DNS, 64.167.139.58, , port=515&reason=RSTsent, 2, B, 4786, 515, 0x148006
4, 2003-07-30 21:05:12, 2003022, TCP_Probe_Lpr, 218.104.22.142, , 64.167.139.58, , port=515&reason=RSTsent, 1, B, 1195, 515, 0x148006
4, 2003-08-07 23:16:26, 2003022, TCP_Probe_Lpr, 65.215.79.20, , 64.167.139.58, , port=515&reason=RSTsent, 1, B, 1718, 515, 0x148006
4, 2003-08-23 19:39:17, 2003022, TCP_Probe_Lpr, 64.167.139.59, holly, 64.167.139.58, , port=515&reason=RSTsent, 2, B, 63471, 515, 0x148006
4, 2003-08-23 19:52:52, 2003022, TCP_Probe_Lpr, 64.167.139.59, holly, 64.167.139.58, , port=515&reason=RSTsent, 1, B, 37242, 515, 0x148006
4, 2003-08-23 23:30:19, 2003022, TCP_Probe_Lpr, 64.167.139.59, holly, 64.167.139.58, , port=515&reason=RSTsent, 1, B, 47198, 515, 0x148006

I still get 'em, it's around 1% of my attack traffic.  Not all of those 
probes will be worms, but about half probably are.

> No, it's not.  If market dominance were even a minor factor, then there
> would be _some_ ongoing blitz of Internet virus traffic specific to Linux
> servers and Linux scientific workstations.  But it's not there at all.

You say there's not a "blitz".... do you mean to say there's not enough 
(implying perhaps that the Linux worm traffic is too low for the number of 
Linux hosts?) or do you mean to say that there is none at all.  There 
certainly is some... if you've never seen it, you're not measuring right.

>>Most of the people I know who use Linux as a desktop OS run as root....
> 
> I hope you warn them at all possible opportunities that they need to
> shed the habit.

I warn people when it's appropriate.  Again, the point is that people do 
it, and more people will do it as there are more Linux users.  In most 
situations, it's not a good idea, but it's not the people who have a clue 
that are infecting themselves anyway.

> Whoops.  I'm sorry, but that's being Darwin's client.  It's something
> people do who haven't yet figured out chmod, chgrp, the sgid bit, adding
> yourself to necessary groups (but not those _not_ necessary), and
> judicious use of sudo and "su -" (or "ssh -X root at localhost").

I have them figured out just fine, and for my desktop usage, they are not 
useful.  I could go into the reasons why, but it's not particularly 
relevant.  The point is, I do... and so do tons of other people.  In my 
case, I won't be infecting myself by accident, since I allow for no 
opportunity for malicious code to run unsupervised.  (I will occasionally 
run some on a virtual machine in controlled conditions.)

> Never mind being "infected", 

I thought we were talking about malicious code?

> what about buggy software going haywire
> with root or administrator authority?  What about mistakenly moving some
> entire directory of crucial files with a careless swip of your mouse?
> Wielding maximum permissions all the time is foolish.

In the ten years or so that I've been dealing with OSes that have 
permissions, I think I've shot myself in the foot twice... and I might have 
needed to be root for what I was trying to do at the time, can't remember. 
It may or may not have saved me some trouble.  Compared to the vast 
majority of the time that I need to have privs for what I'm doing, it's 
just not worth the time to switch back and forth.

This is for my personal boxes, mind you.  On actual multiuser boxes with 
multiple users, everyone is using a regular account and su.

Before the OSes with privs, I ran OSes without, so it didn't come up. :)

> Not really.  Consider the MUA matter.  We have 115 of them now 
> (http://linuxmafia.com/~rick/linux-info/muas.html), including a
> number that successfully cater to the traditional "desktop" crowd
> (Evolution, KMail, Balsa, Sylpheed).  On every single one of the 115,
> what happens if you mail them executable attachments?  Do they autorun
> them on your behalf?  Nope.  

Depends what you mean by "autorun".  None of the Windows MUAs run 
attachments without your help, or without taking advantage of a bug.  Or, 
if you count bugs, every MUA has them, some of them are good for running 
code on the client.  Or, if you want to consider rendering HTML, doing 
something with PGP, etc... then yes, some Linux MUAs do "autorun".

Are there no Linux MUAs that allow users to launch attachments if they 
choose?  Do you think the bad users will not require such feature when they 
switch to Linux?  You think MS is just creating these features for the 
extra risk, and no one actually wants or uses them?

> The point is that the security model is deeply ingrained in both the
> software architecture and the culture.  It can be sabotaged, but hardly
> anyone can do so completely unconsciously.

So... you think that users get smarter when they switch to Linux?  (To be 
fair, the current set are probably much better informed about computer 
stuff, but you know that's not the set I'm talking about.  The ones we have 
now are largely self-selected, and had to install it themselves.)  You 
think that the open-source developers are going to refuse to write the 
stupid features that the bad users want?

> (Can you tell me with a straight face that you had not the least notion
> that it's considered reckless to do everything as root, and that you
> aren't ignoring such advice quite deliberately?  A few people might be
> able to honestly do so -- _if_ they've completely ignored all
> documentation and glued their eyes and ears shut.)

I mention it to illustrate two points: Some people (with clue) don't need 
any help keeping themselves free from infection, no matter what privs they 
run with.  No, they don't need any anti-virus software (I couldn't use it 
if I wanted, it starts trying to eat my collection!); some people run with 
all the privs, whether it's a good idea or not.  If the person doing so 
also has no clue, then they will be shooting themselves in the foot much 
more often.

> 1.  NT4/W2K/XP/W2Kw/SP3 do _not_ entirely have them:  The NT (and
> successor) security model is notoriously porous, with excessive
> privilege available far too easily to processes.  Making separation of
> privilege actually _usable_ was primitive for a long time.  (The 
> "Run As" context menu option is new.)  Full system privilege is needed 
> way more extensively than it should be.

What does that have to do with anything in the context of regular users and 
malicious code?  It's not like a user in just the everyone group is going 
to accidentally find themselves with admin rights moments before they click 
on hotsex.exe.  If your claim is true (and I don't necessarily care to 
refute it) then that means it's easier to use an exploit to get privs, is 
all.  Sure, a virus can do that, could do so on Linux too.  Lots of local 
exploits to be had there.

Again, the point is that the feature is there, bad users don't use it.  If 
they were to run Linux, they would do the same.

Oh, and don't forget that malicious code doesn't necessarily need to be 
root.  A worm running as "nobody" will spread just the same.

> 2.  As illustrated in the MUA example, the culture and architecture
> _on Unix_ effectively give naive users a default barrier against
> shooting themselves in the foot that they _can_ override, but only
> through willful disabling that _should_ put people of modest
> intelligence on notice of doing something reckless.

On Win2K, who gave all the corporate users admin privs on their own box? 
The IT department.  Why?  They needed admin to do some small portion of 
their job.  So, rather than educate the users, or make them live with it, 
etc... they all get admin.  Have the IT department roll out desktop Linux. 
What do you think will happen?

> 3.  There's no reason why truly naive users (at least, in a company or
> institutional context) need to have root access on their machines in the
> first place.  That's what sysadmins are for.

So Joe salesguy takes his Linux laptop to a client site, and plugs into 
their network.  Doesn't work, he needs to change the network config.  So, 
he just calls his sysadmin to log in remotely... umm... he calls him and 
asks for the root password...  He has the client IT guy boot from CD, and 
change the root password to something the salesguy now knows?  Or maybe 
he's at a conference, and he needs to use his laptop to run a spiffypointix 
presentation... which isn't installed.  That's OK, we can download it.. oh, 
it runs in frame buffer mode, need root...

Or every mom on her home machine needs to run up2date to grab the latest 
kernel because it's got a remote hole and there's a worm out...  (If you 
can tell me how to upgrade my kernel without full privs, I'll be impressed.)

You see my point?  When/if Linux is the default home desktop, everyone is 
their own sysadmin.  Whether they are qualified or not.

> Heh.  Some of the above is in those Web essays.  Generally speaking, I
> write those things to _avoid_ having to revisit the same points any
> more.

I've read them.  If I thought the points I asked about were little more 
than "it is because I say it is", I wouldn't have challenged those 
particular ones.

However, now that you've taken the time to elaborate on some of your 
points, I think I have a better understanding of your position.

-You think that none of the Linux viruses have survived/spread in the wild.
-You think that Linux users run with privs A Whole Lot Less Often.
-You think that Linux MUAs make it harder to run attachments.
-You think that few Linux network services run as root.
-You think that for malicious code to be effective on Linux, it must get root.
-You think that Linux worms have not been effective/compromised many hosts.
-You think that malicious code authors do not (primarily) target platforms 
based on popularity.
-You think that the general diversity of Linux will help with the malicious 
code problem.
-Finally, you think all of the above would still hold true even if Linux 
had 100 times as many users, and filled all the roles that Windows does 
now.  You think all the malicious code authors will give up because Linux 
is too hard.

Please take those as questions, not me trying to put words in your mouth. 
Please point out where I've misinterpreted your stance (and try to ignore 
any sarcasm I've slipped in.)

So, back to the original question (does Linux need AV?) that was asked, and 
my opinion on the subject:

No, right now, Linux does not need AV to protect itself.  By all means use 
a Linux AV package that is designed to help the Windows files going by. 
Linux does not need it now because: 1) there is not enough Linux malicious 
code yet to warrant it, 2) the current user base (for the most part) ain't 
falling for no banana in the tailpipe.

This may change in the future.  If Linux ever becomes popular enough that 
the majority of the Vx authors write Linux code AND you've moved all your 
non-technical users onto Linux desktops, then you'll probably want some 
Linux AV to protect them from themselves.  This presumes, of course, that 
you think AV software is useful at all for those same users running Windows 
right now.

Assertions that I use to support my position:

-Malicious code authors primarily target the most popular platform.
-Linux viruses & worms have already been spreading to a degree.
-Holes exist on various bits of Linux software that will help enable 
malicious code to spread
-In general, Linux users/admins are nearly as bad as Windows users about 
not patching.
-Features exist or will exist in MUAs to allow Users Who Want To Do Bad 
Things to do Bad Things.
-Clueless Linux users run with Too High Privs.
-Clueless Linux users will run mystery binaries just as much as clueless 
Windows users.
-Linux viruses and worms don't necessarily need root to do their thing.
-Clueful Windows users don't need AV either, they're not the problem.  It's 
clueless users, platform independent, that help malicious code spread.

So, any arguments based around "but the user would have to be stupid to..." 
don't help your position in my mind.

					BB
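The probe records quoted in the message above are comma-separated sensor output with the probed port and the target's response packed into one field. The following is an added example, not code from the post or from SecurityFocus/DeepSite: it parses records in that layout, computes what share of the logged events (weighted by the count column) are TCP/515 lpr probes, and ranks the probing sources. The column names are my assumptions read off the quoted lines, and the sample records are constructed with documentation address space.

```python
"""Summarise lpr (TCP/515) probe records in the comma-separated layout
quoted in the post.  Added example, not DeepSite/ARIS code; the column
meanings below are assumptions read off the quoted lines."""
from collections import Counter

# Assumed column order (14 fields), inferred from the quoted records.
FIELDS = ("severity", "time", "sig_id", "sig_name", "src_ip", "src_host",
          "dst_ip", "dst_host", "detail", "count", "direction",
          "src_port", "dst_port", "flags")

# Constructed sample log (documentation address space); the last record
# is a non-lpr probe so that the share calculation has something to divide by.
SAMPLE_LOG = """\
4, 2003-07-13 10:30:24, 2003022, TCP_Probe_Lpr, 192.0.2.10, , 198.51.100.5, , port=515&reason=RSTsent, 1, B, 1425, 515, 0x148006
4, 2003-07-17 02:35:15, 2003022, TCP_Probe_Lpr, 192.0.2.20, DNS, 198.51.100.5, , port=515&reason=RSTsent, 2, B, 4786, 515, 0x148006
4, 2003-08-23 19:39:17, 2003022, TCP_Probe_Lpr, 192.0.2.30, holly, 198.51.100.5, , port=515&reason=RSTsent, 2, B, 63471, 515, 0x148006
4, 2003-08-23 19:52:52, 2003022, TCP_Probe_Lpr, 192.0.2.30, holly, 198.51.100.5, , port=515&reason=RSTsent, 1, B, 37242, 515, 0x148006
3, 2003-08-23 20:01:07, 2001001, TCP_Probe_HTTP, 192.0.2.40, , 198.51.100.5, , port=80&reason=RSTsent, 10, B, 51000, 80, 0x148006
"""


def parse_records(text):
    """Return one dict per well-formed line; lines with the wrong field
    count (wrapped or truncated) are skipped.  The 'detail' field is
    split into its key=value pairs (port, reason)."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, fields))
        rec["count"] = int(rec["count"])
        rec["detail"] = dict(kv.split("=", 1) for kv in rec["detail"].split("&"))
        records.append(rec)
    return records


def summarize(records, sig_name="TCP_Probe_Lpr"):
    """Share of all events attributed to sig_name (weighted by the count
    column) and the probing sources, busiest first."""
    total = sum(r["count"] for r in records)
    lpr = [r for r in records if r["sig_name"] == sig_name]
    by_src = Counter()
    for r in lpr:
        by_src[r["src_ip"]] += r["count"]
    return {
        "lpr_share": sum(r["count"] for r in lpr) / total if total else 0.0,
        # reason=RSTsent: the probed host answered with a TCP reset, i.e.
        # port 515 was closed, so these records are scans seen, not compromises.
        "rst_only": all(r["detail"].get("reason") == "RSTsent" for r in lpr),
        "lpr_sources": by_src.most_common(),
    }


if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LOG)))
```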
