Linux a Virus Target?
In an article on vnunet.com, two executives of anti-virus firms opined that
Linux would be the next virus target. Here are excerpts from the article:
"Of course we will see more and more attacks on Windows, but Linux
will be a target because its use is becoming more widespread," said
Raimond Genes, European president for antivirus at Trend Micro. "It is
a stable OS, but it's not a secure OS."
Jack Clarke, European product manager at McAfee, said: "In fact
it's probably easier to write a virus for Linux because it's open
source and the code is available. So we will be seeing more Linux
viruses as the OS becomes more common and popular."
I will be charitable and call these statements "myths" or
"misperceptions" rather than other nastier but perhaps more accurate
terms. Let's examine and debunk the myths.
Myth: Widespread use equals widespread abuse
This myth goes as follows: Product X (Windows, Outlook, whatever) has more
security problems because it is far more widely used than Product Y
(Linux, Mutt, whatever).
In fact, the Apache Web server is far more widely used than
Microsoft's IIS (Source: Netcraft), but has suffered
far fewer security problems (Source: defacement archives).
Update: I have had several comments saying that
reveals that Windows computers account for about 50% of Web
servers, but that Apache runs more web sites. Some people claim
that under this metric, therefore, IIS is more widely used than Apache.
Even if I accept these figures, the fact is that the defacement archives
show Windows defacements outnumbering non-Windows defacements 62 to 38.
From this, I still conclude that the number of vulnerabilities in a piece
of software does not necessarily correlate with its popularity.
Myth: Linux is not a secure OS
In fact, no commodity OS is "secure". Security is a process, not a
product, as dozens of security experts keep reminding us. Linux does,
however, have important security enhancements compared to consumer-level
Windows operating systems: File permissions and separate user accounts
can greatly mitigate the damage caused by malicious software. If all of
the security features built-into Linux are properly configured and enabled,
Linux is a highly secure system.
For those who need even more security, the U.S. National Security
Agency provides a Security
Enhanced Linux distribution which contains advanced security
features beyond anything found in Microsoft operating systems.
Myth: It is easier to write viruses if you have the OS source code
I would suggest just the opposite: If source code is widely-available, many
organizations with an interest in security (such as the NSA, for example)
can audit the code, correct security problems, and feed these corrections
back to the main code tree.
Why is it that tens of thousands of viruses exist for closed-source systems
like Windows (with several of them actively propagating around the Internet
as you read this), while only a handful of pathetic "proof-of-concept" viruses
have been written for Linux, and none has propagated to any extent?
Why is it that open-source Apache has a far better security record than
Why Linux viruses are unlikely
In order for an e-mail virus to propagate, it must be able to:
- Enter the target machine
- Execute on the target machine
- Propagate itself
Linux makes steps 2 and 3 very difficult.
Social Engineering to Enable Execution
Under Windows, a file is marked as "executable" based on its filename
extension (.exe, .com, .scr, etc.). Encoding metadata (like file type)
into the file name is a very bad idea and has horrendous security consequences.
Encoding metadata in this way allows for the simple-minded social-engineering
attacks we see on Windows: "Click here for a cool screensaver!!!"
Such an attack under Linux would go like this: "Save this file; open
up a shell; enable execute permissions on the file by typing 'chmod a+x filename', and then run it by typing './filename'."
Obviously, the Linux permissions system makes such a social-engineering
attack very difficult.
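The following script is an added illustration of the point above and is not part of the original article. It saves a constructed, harmless shell script under a Windows-style lure name, then shows that on Linux neither the name nor the Windows extension rule decides whether the file can run: only the mode bits do, and the file runs only after the extra chmod step the attacker would have to talk the user into. The `save_attachment` helper, the extension table and the sample attachment are assumptions made for the demonstration.

```python
import json
import os
import stat
import subprocess
import tempfile

# Constructed sample "attachment": a harmless shell script whose name mimics
# a Windows screensaver lure.  On Linux the name carries no meaning at all.
LURE_NAME = "cool_screensaver.scr"
LURE_BODY = "#!/bin/sh\necho 'attachment ran'\n"

# Illustrative subset of extensions Windows treats as executable (assumption).
WINDOWS_EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif"}


def executable_by_extension(filename: str) -> bool:
    """Windows-style rule: the file name alone decides executability."""
    _, ext = os.path.splitext(filename.lower())
    return ext in WINDOWS_EXEC_EXTENSIONS


def executable_by_mode(path: str) -> bool:
    """Linux rule: the mode bits (checked against the caller's identity) decide."""
    return os.access(path, os.X_OK)


def try_run(path: str) -> str:
    """Try to execute the file directly, as a double-click would on Windows."""
    try:
        out = subprocess.run([path], capture_output=True, text=True, check=True)
        return out.stdout.strip()
    except PermissionError:
        return "PermissionError: execute bit not set"


def save_attachment(directory: str, name: str, body: str) -> str:
    """Save an attachment the way a sane mail client does: data only, no x bit."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # mode 0600: read/write, never execute
    return path


def demonstrate() -> dict:
    """Return what each rule says about the lure before and after 'chmod a+x'."""
    with tempfile.TemporaryDirectory() as tmp:
        path = save_attachment(tmp, LURE_NAME, LURE_BODY)
        before = {
            "by_extension": executable_by_extension(LURE_NAME),  # Windows would say yes
            "by_mode": executable_by_mode(path),                 # Linux says no
            "run": try_run(path),
        }
        # The step the social-engineering attack must talk the user into:
        # chmod a+x filename, followed by ./filename.
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        after = {
            "by_mode": executable_by_mode(path),
            "run": try_run(path),
        }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demonstrate(), indent=2))
```

Run it on a Linux host: the "before" block shows the extension rule flagging the file as executable while the kernel refuses to run it, and only the explicit chmod in "after" changes the outcome. A mail client that saves attachments without the execute bit, as `save_attachment` does, keeps that extra manual step in the attacker's way.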
Software Flaws to Enable Execution
Another means by which viruses can execute is by exploiting bugs in
e-mail client software. Both Outlook and the various Linux mail
clients have had their share of bugs, and this is indeed a risk, even
on Linux. However, because of the overwhelming uniformity of Windows
desktops, a virus which exploits a software bug in Outlook is far more
likely to propagate than one which exploits a software bug on a Linux
e-mail client. This is simply because of the huge array of Linux
e-mail clients in use. At any given time, only a small portion of all
Linux users are vulnerable to e-mail client bugs.
To propagate itself, an e-mail virus must re-mail itself to others.
On Windows/Outlook, this is simple, because there is a uniform, well-known
interface for obtaining address lists and sending e-mail. On Linux,
this is harder. There is no uniform way for a virus to read your address
book, so a Linux virus would have to work harder to propagate itself.
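The two preceding paragraphs make a quantitative argument: a mail virus that exploits one client's bug spreads only if enough of the recipients it mails run that client. The script below is an added example, not code from the original article, that models this with a simple per-generation spread simulation. Each infected host mails every contact in its address book, and a contact is infected only if it runs the buggy client and opens the message. The client-share tables, contact counts and open rates are constructed, illustrative numbers, not survey data.

```python
import random

# Constructed client-population shares (illustrative assumptions, not survey data).
WINDOWS_DESKTOPS = {"outlook": 0.90, "other": 0.10}
LINUX_DESKTOPS = {"mutt": 0.20, "pine": 0.20, "kmail": 0.15, "evolution": 0.15,
                  "netscape": 0.15, "other": 0.15}


def vulnerable_fraction(shares: dict, buggy_client: str) -> float:
    """Fraction of the population running the client whose bug the virus exploits."""
    return shares.get(buggy_client, 0.0)


def reproduction_number(shares: dict, buggy_client: str,
                        contacts: int, open_rate: float) -> float:
    """Expected new infections per infected host (basic reproduction number R0):
    contacts mailed * P(contact runs the buggy client) * P(contact triggers the bug).
    The outbreak can only grow if this exceeds 1."""
    return contacts * vulnerable_fraction(shares, buggy_client) * open_rate


def simulate_outbreak(shares: dict, buggy_client: str, contacts: int,
                      open_rate: float, population: int, generations: int,
                      seed: int = 1) -> list:
    """Generation-by-generation spread through a fixed population.

    Returns the cumulative number of infected hosts after each generation,
    starting from a single patient zero (host 0).
    """
    rng = random.Random(seed)
    clients = list(shares)
    weights = [shares[c] for c in clients]
    # Assign each host a mail client at random, weighted by market share.
    host_client = rng.choices(clients, weights=weights, k=population)

    infected = {0}
    newly = {0}
    history = [len(infected)]
    for _ in range(generations):
        next_new = set()
        for _host in newly:
            # Each infected host re-mails itself to 'contacts' random addresses.
            for _ in range(contacts):
                target = rng.randrange(population)
                if target in infected or target in next_new:
                    continue
                if host_client[target] == buggy_client and rng.random() < open_rate:
                    next_new.add(target)
        infected |= next_new
        newly = next_new
        history.append(len(infected))
        if not newly:  # nobody new was infected: the outbreak has died out
            break
    return history


if __name__ == "__main__":
    for label, shares, bug in (("Windows/Outlook", WINDOWS_DESKTOPS, "outlook"),
                               ("Linux/kmail", LINUX_DESKTOPS, "kmail")):
        r0 = reproduction_number(shares, bug, contacts=20, open_rate=0.2)
        hist = simulate_outbreak(shares, bug, contacts=20, open_rate=0.2,
                                 population=2000, generations=10)
        print(f"{label}: R0={r0:.2f}, infected per generation={hist}")
```

With the same address-book size and open rate, the Outlook monoculture gives R0 well above 1 and the simulated outbreak grows until it has reached most of the vulnerable hosts, while a bug in one of several Linux clients gives R0 below 1 and the outbreak dies out after a few generations. The same code can be rerun with other share tables to see how much client diversity is needed to push R0 under 1.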
Linux in the Future
There is a trend under Linux to build complex, rich desktop environments
which allow rich interaction between programs. These environments could,
if not designed correctly, increase the chances for viruses to execute
and propagate. So far, however, the designers of these environments seem
to be following sensible design and security procedures. No-one, for
example, has built a Linux e-mail client which automatically executes
an attachment with just one mouse click.
Challenge to Anti-Virus Companies is Over
My anti-virus challenge, which had been running since 5 December 2001,
is now (7 May 2002) over. No-one managed to meet the challenge,
although one person came close.
There were five entries in the anti-virus challenge:
Permission is hereby granted for anyone to reproduce this article
- You include the text: "Copyright © 2001 David F. Skoll" at the bottom
of the article.
- You provide a link back to the original article at http://www.roaringpenguin.com/about/articles/anti-virus.php
- You may not make any changes to the article, other than to reformat
it or accurately translate it into another language.
David F. Skoll