DesktopLinux
Linux a Virus Target?
A guest column by David F. Skoll (Dec. 4, 2001)

David F. Skoll of Roaring Penguin Software has written a response to recent claims by some virus software company executives that Linux is going to increasingly become susceptible to viruses due to its growing popularity and the openness of its source code. Skoll attempts to "debunk the myths" and point out some of the fundamental reasons why Linux is less prone to viruses than Windows, and how it can be kept that way. Skoll also puts his money where his mouth is, and offers a $2000 Canadian reward to the first person that can successfully infect his machine with an e-mail borne virus.



Linux a Virus Target?

In an article on vnunet.com, two executives of anti-virus firms opined that Linux would be the next virus target. Here are excerpts from the article:
"Of course we will see more and more attacks on Windows, but Linux will be a target because its use is becoming more widespread," said Raimond Genes, European president for antivirus at Trend Micro. "It is a stable OS, but it's not a secure OS."

Jack Clarke, European product manager at McAfee, said: "In fact it's probably easier to write a virus for Linux because it's open source and the code is available. So we will be seeing more Linux viruses as the OS becomes more common and popular."
I will be charitable and call these statements "myths" or "misperceptions" rather than other nastier but perhaps more accurate terms. Let's examine and debunk the myths.

Myth: Widespread use equals widespread abuse

This myth goes as follows: Product X (Windows, Outlook, whatever) has more security problems because it is far more widely used than Product Y (Linux, Mutt, whatever).

In fact, the Apache Web server is far more widely used than Microsoft's IIS (Source: Netcraft), but has suffered far fewer security problems (Source: defacement archives).

Myth: Linux is not a secure OS

In fact, no commodity OS is "secure". Security is a process, not a product, as dozens of security experts keep reminding us. Linux does, however, have important security enhancements compared to consumer-level Windows operating systems: File permissions and separate user accounts can greatly mitigate the damage caused by malicious software. If all of the security features built into Linux are properly configured and enabled, Linux is a highly secure system.

For those who need even more security, the U.S. National Security Agency provides a Security Enhanced Linux distribution which contains advanced security features beyond anything found in Microsoft operating systems.

Myth: It is easier to write viruses if you have the OS source code

I would suggest just the opposite: If source code is widely available, many organizations with an interest in security (such as the NSA, for example) can audit the code, correct security problems, and feed these problems back to the main code tree.

Why is it that tens of thousands of viruses exist for closed-source systems like Windows (with several of them actively propagating around the Internet as you read this), while only a handful of pathetic "proof-of-concept" viruses have been written for Linux, and none has propagated to any extent?

Why is it that open-source Apache has a far better security record than closed-source IIS?

Why Linux viruses are unlikely

In order for an e-mail virus to propagate, it must be able to:
  1. Enter the target machine
  2. Execute on the target machine
  3. Propagate itself
Linux makes steps 2 and 3 very difficult.

Social Engineering to Enable Execution

Under Windows, a file is marked as "executable" based on its filename extension (.exe, .com, .scr, etc.). Encoding metadata (like file type) into the file name is a very bad idea and has horrendous security consequences. Encoding metadata in this way allows for the simple-minded social-engineering attacks we see on Windows: "Click here for a cool screensaver!!!"

Such an attack under Linux would go like this: "Save this file; open up a shell; enable execute permissions on the file by typing 'chmod a+x filename', and then run it by typing './filename'."

Obviously, the Linux permissions system makes such a social-engineering attack very difficult.

Software Flaws to Enable Execution

Another means by which viruses can execute is by exploiting bugs in e-mail client software. Both Outlook and the various Linux mail clients have had their share of bugs, and this is indeed a risk, even on Linux. However, because of the overwhelming uniformity of Windows desktops, a virus which exploits a software bug in Outlook is far more likely to propagate than one which exploits a software bug on a Linux e-mail client. This is simply because of the huge array of Linux e-mail clients in use. At any given time, only a small portion of all Linux users are vulnerable to e-mail client bugs.

Virus Propagation

To propagate itself, an e-mail virus must re-mail itself to others. On Windows/Outlook, this is simple, because there is a uniform, well-known interface for obtaining address lists and sending e-mail. On Linux, this is harder. There is no uniform way for a virus to read your address book, so a Linux virus would have to work harder to propagate itself.

Linux in the Future

There is a trend under Linux to build complex, rich desktop environments which allow rich interaction between programs. These environments could, if not designed correctly, increase the chances for viruses to execute and propagate. So far, however, the designers of these environments seem to be following sensible design and security procedures. No one, for example, has built a Linux e-mail client which automatically executes an attachment with just one mouse click.

Challenge to Anti-Virus Companies

I firmly believe that it is in the anti-virus companies' interest for people to continue using insecure software. After all, obtaining millions of dollars of anti-virus revenue depends on keeping people in a constant state of anxiety and unease.

Secure desktop software could eliminate the entire anti-virus industry. Even simple (and free) products like MIMEDefang can eliminate large classes of e-mail viruses without the need to constantly update signature files.

I therefore issue the following challenges to anti-virus companies:
  1. If you have the courage and decency to do so, release products which block executable e-mail attachments, similar to the example filter supplied with MIMEDefang. Several MIMEDefang installations blocked the "goner" virus even though it came out after the MIMEDefang software was installed. Do not force your customers to scramble for signature updates each time a new virus appears. Of course, this will hurt your revenue stream, but you should be more interested in the security of your clients, rather than the size of their wallets . . . right?

  2. I challenge any anti-virus company to infect my desktop Linux machine with an e-mail borne virus. I will offer a prize of $2000 Canadian to the first person to successfully infect my machine with an e-mail borne virus. Successful infection means:
    1. The virus must enter my machine via e-mail.
    2. It must create a file called "/etc/VIRUS-WAS-HERE" on my machine.
    3. It must e-mail a message from my desktop machine (shishi.roaringpenguin.com) with the subject "I GET THE PRIZE" to the e-mail address "dfs@roaringpenguin.com", with a copy to "postmaster@roaringpenguin.com".

  3. Until someone manages to win the prize, I expect Raimond Genes and Jack Clarke to retract their statements.
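
The signature-free filtering described in the first challenge, as an added example (not code from this column or from MIMEDefang): a mail gateway check that rejects any attachment whose filename ends in an extension Windows treats as executable. It is written in Python rather than as a MIMEDefang filter; the function names and the extensions beyond .exe, .com and .scr are assumptions.

```python
import email
from email.utils import collapse_rfc2231_value

# .exe/.com/.scr are the extensions named in the column; the rest are an
# illustrative, assumed extension of that list, not MIMEDefang's own.
BLOCKED_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}

def part_names(part):
    """Every filename a mail client might use for this MIME part."""
    pairs = (("filename", "content-disposition"), ("name", "content-type"))
    values = (part.get_param(p, header=h) for p, h in pairs)
    return [collapse_rfc2231_value(v) for v in values if v is not None]

def blocked_extension(filename):
    """Return the offending extension, or None if the name is acceptable."""
    # Windows ignores trailing dots and spaces, so "x.exe." still runs as .exe.
    cleaned = filename.strip().rstrip(". ").lower()
    _, dot, ext = cleaned.rpartition(".")
    return ext if dot and ext in BLOCKED_EXTS else None

def scan_message(raw):
    """Return [(filename, extension)] for each part the policy rejects."""
    parts = email.message_from_string(raw).walk()  # walk() includes nested parts
    names = [n for part in parts for n in part_names(part)]
    return [(n, blocked_extension(n)) for n in names if blocked_extension(n)]

# Constructed sample message; the attachment bodies are placeholders.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.jpg.SCR"

placeholder
--XX
Content-Type: application/octet-stream; name="update.exe."

placeholder
--XX
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

plain notes
--XX--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Because the decision depends only on the declared filename, the check needs no signature updates; it covers the double-extension and trailing-dot spellings as well as names carried only in the Content-Type header.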


Copyright © 2001 by Roaring Penguin Software Inc. Reproduced here with permission.


