 The Answer Guy
 Virus Protection for Linux: A Non-Issue ... But....
From muzician on Thu, 23 Sep 1999
Subject: Re: virus protection

I can't find any references to that. I am installing 6.0 for the first time, and need to know what to do.
Basically viruses are a non-issue for Linux and other forms of UNIX. While it is technically possible to create them, the multi-user design of UNIX-like systems coupled with the widespread practices that separate "normal use" (access to applications, and user data) from "administration" (use by 'root' user) make the OS very hostile to virus propagation.
You can write a virus, but it won't spread.
This is one of the benefits to the convention of logging in as a "normal user" for most of your Linux work and reserving the "root" account for upgrading and installing software. Another benefit is that it limits the damage you'll do with a careless user command.
This is not to say that Linux and UNIX are immune to viruses, trojan horses and other forms of hostile code. Far from it. There are many programs that run with "root" privileges on a typical installation. Any of these might be "tricked" into acting on an attacker's behalf. They can be subverted, which leads to the compromise of the whole system's security.
Any program that can be "tricked" (subverted) into running foreign code, or otherwise compromise the user's and system administrator's intentions has a bug. When we find these bugs we fix them.
Finding the ways in which such programs can be commandeered by hostile users, and by anonymous attackers over networking connections, is an ongoing effort by thousands of programmers throughout the open source community. There is nothing Linux specific about these efforts. OpenBSD (http://www.openbsd.org) is most renowned for its accomplishment of a comprehensive audit of its own code. Some of that code is being re-ported to Linux (for example the BSDish FTP daemon that's included with some distributions).
Linux and UNIX code auditors tend to focus on programs that are run "SUID" (with the effective permissions of the program's owner, rather than those of the owner of the executing process) and with "daemons" (programs that act as "servers" for network protocols and provide other local services). These are the most obvious cases where programs are an interface between "security contexts."
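As an added illustration, not part of the original column, here is a small POSIX shell script that inventories the two classes of programs just named on your own box: the set-user-ID binaries under a directory (with a comparison against a saved baseline, so privileged code that appears after an upgrade stands out) and the TCP services currently listening. The function names, the baseline-file format and the `list`/`new`/`ports` subcommands are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the column): inventory the set-user-ID programs under
# a directory and the TCP services that are listening, the two classes of
# programs that auditors look at first. Function names and the baseline file
# format are this example's own conventions.

# list_suid [DIR]: print every regular file under DIR with the set-user-ID bit.
# -perm -4000 = setuid bit set; -xdev keeps find on one filesystem.
list_suid() {
    dir="${1:-/usr/bin}"
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | sort
}

# count_suid [DIR]: how many such files exist, for a quick before/after check.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# new_suid_since BASELINE DIR: print SUID files under DIR that are absent from
# BASELINE (one path per line, as saved earlier with "list_suid DIR > BASELINE").
# A new entry means new privileged code appeared, from an upgrade or otherwise.
new_suid_since() {
    baseline="$1"; dir="$2"
    list_suid "$dir" | while IFS= read -r path; do
        grep -qxF -- "$path" "$baseline" || printf '%s\n' "$path"
    done
}

# listening_tcp: sockets in LISTEN state, the "open ports" the column warns
# about. ss is the current tool; netstat is its predecessor on older systems.
listening_tcp() {
    if command -v ss >/dev/null 2>&1; then ss -ltn; else netstat -ltn; fi
}

# Run directly:
#   suid_audit.sh list [DIR]             inventory now
#   suid_audit.sh new BASELINE [DIR]     what appeared since the baseline
#   suid_audit.sh ports                  listening TCP sockets
case "${1:-}" in
    list)  list_suid "$2" ;;
    new)   new_suid_since "$2" "${3:-/usr/bin}" ;;
    ports) listening_tcp ;;
esac
```

Save the `list` output once after installation, then run `new` against it after each package upgrade; anything it prints is a program that now runs with its owner's privileges and deserves the same scrutiny as the daemons in the `ports` listing.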
For a cracker (any anonymous attacker of your systems) the "mother lode" is a network process that runs as 'root' and has a remotely exploitable bug (often a buffer overflow, a particular sort of bug where an expected input is filled with an excessively long response which contains some hostile code). Finding one of these allows a cracker to remotely assume control of a whole system.
These sorts of bugs are not specific to Linux, or UNIX. They're possible under NT and most other operating systems as well. They are commonly detected on UNIX systems and quickly fixed (and occasionally re-introduced in future versions and new programs). It is believed that there are about as many exploitable bugs in NT and MacOS servers as there have been in Linux and UNIX. They usually show up as "hangs" or "abends" (abnormal ends) in the services on those systems, rather than complete, interactive exploitation.
(The reasons for this have to do with the rather poor remote administration features and somewhat more complicated programming models of these other systems.) So on the surface NT and MacOS seem to "failsafe" (die without giving the attacker access) --- although this is probably an illusion, waiting to be dispelled by the next generation of crackers.
Again, these are NOT viruses. However, they have similar results: someone runs code on your system that you didn't approve and don't want.
So these vulnerabilities (especially buffer overflows in network daemons like popd, imapd, mountd, ftpd, etc) are the greatest risk to the security of your system. That's why companies put up firewalls. That's why sysadmins tell you not to leave "ports open" (these services available) on your systems, or to use TCP Wrappers (pre-installed on every major Linux distribution) to limit the networks and systems that can access those services that you REALLY need.
I mentioned that security auditors focus on SUID programs and networking daemons. This is a matter of priorities, as those are the most "attractive" points for an attacker to probe. However, we have to be aware that security auditing and robust code is necessary ANY TIME A PROGRAM ACTS AS AN INTERFACE BETWEEN/AMONG DIFFERENT SECURITY CONTEXTS.
We must be concerned about bugs IN ANY CODE THAT PROCESSES UNTRUSTED DATA.
(I'm shouting about this since it is a point that is often overlooked, even by some of the most respected programmers that I know).
For example, consider the e-mail you sent me. Your mail comes from one security context (the outside world, from a complete stranger). My mail user agent (MUA) acts as an interface between your data and me. If there's a bug in my mailer (or the editor that my mailer invokes when I want to respond) then you might be able to craft a piece of e-mail that will crash my program, and possibly even subvert it.
Such a "black widow" would be very hard to write for any UNIX mailer (though the addition of MIME handling features did introduce some such bugs in some mailers). It would also be limited in its effect. It probably could only affect one mailer under one operating system. It might not propagate through POP servers and/or through certain POP clients (like 'fetchmail').
There are dozens of common MUAs (mailers) used by UNIX and Linux people. So any such bug is likely to only hurt a few of them (and not propagate from them to others). Likewise for many other classes of programs.
The worst security risks are incurred by "monocultures" (a term borrowed from agriculture). If we all grow the same strains of the same crops, one blight and we all starve. If a few of us grow one strain, others grow a different crop, etc. --- then the damage is limited and the blight doesn't spread as far or as fast (since the various fields of any one crop/strain are separated by buffer zones).
When you think about the effects of Melissa, and WinExplorere.zip and the many other MS Windows macro viruses you see the inherent risks in monoculture. (You also see that Microsoft added features to their office suite and mail client which make it easy to write trojans and worms).
Computer systems and networks exhibit similar characteristics in the face of hostile programmers.
(In other words diversity is good. Some of us should run FreeBSD, Solaris, and some completely non-UNIX operating systems that aren't even C derived. Some of us should run Linux on x86, while others use Alphas, PowerPCs, etc. Uniformity has some short-term cost and training benefits --- but that way lies great danger!).
How bad is this danger?
Well, I've been running an experiment. I administer a system (a web server for a small literary organization, a non-profit) which is exposed to the Internet and gets very little administrative attention. I tend not to upgrade it until I have to. It's been cracked twice in three years. It probably hasn't been cracked on other occasions since I actually do have a sneaky trick up my sleeve that allows me to detect and recover from the garden variety "script kiddie" attacks fairly quickly (and remotely). I do say "probably" since anyone that asserts that he or she has "never" been cracked or that he or she is "sure" that they are secure is really a bit foolish. You can have a very high degree of confidence --- but certainty in this case is a sin.
That is on a box which is effectively "wide open." With a modicum of configuration (not running inetd, limiting access to any services you must run, updating your packages as bug fixes are announced, etc) you can limit your chances of being compromised to very low values. Read the Linux Security HOWTO and with about five percent of the effort described there you'll eliminate well over ninety percent of the risk.
Note: Symantec is apparently shipping an anti-virus for Linux. I've heard that Trend is also testing one. I guess these are designed to catch the two strains of viruses that have been heard of for Linux. I also gather that they will scan your system for MS-DOS and Windows macro viruses (well over 10,000 of those). This is to protect the clients that might be using your Linux system as an FTP, Samba, or NFS server, and to save you from the infection on your "other OS" on those multi-boot systems.
Personally I suggested to Symantec (back when I worked there) that the best Linux product they could release would be a simple terminal to the PCAnywhere package. Let me use a window on my Linux system to remotely manage any MS Windows PCs that I have to deal with.
They didn't listen, and now we don't need it. VNC (*) seems to do the job well enough, and we may stomp out most of MS Windows before Symantec could code up a new PC Anywhere client.
(*) Apparently ORL got acquired, so VNC is now at: http://www.uk.research.att.com/vnc

There are also a couple of packages for UNIX (some with Linux ports) that will scan your mail for embedded PC/MS-DOS viruses as it's relayed through your mail server. This can help catch many macro viruses (though the things are so easy to write that the anti-virus software companies will always be a reactive coping mechanism rather than a true solution).
Remember, a virus is just a bit of programming code. It does things that most recipients don't want --- but nothing short of a brilliant AI (artificial intelligence) can be relied upon to distinguish a virus from any other (benign) program. "Heuristic" virus scanners have been written --- they haven't fared significantly better than the traditional reactive signature scanners.
(I used to work for Symantec, and for McAfee. I've read, heard, and dealt with far more about PC and Mac viruses than I can possibly type here).
Summary: Don't worry about viruses on your Linux box. They aren't a problem. As for the security concerns, just lock down those stray networking services and don't give accounts out on your system to people you don't trust. If all you do is add the following to your /etc/hosts.deny:
ALL:ALL
... you've done plenty to secure your home system from the occasional portscan attack through your dial-up ISP connection.
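To make that rule concrete, here is an added example, not part of the Answer Guy's column, that models the decision TCP Wrappers (tcpd, documented in hosts_access(5)) makes for a given daemon and client: /etc/hosts.allow is consulted first and grants access, /etc/hosts.deny is consulted next and refuses it, and a pair matching neither file is allowed. It handles the ALL wildcard, exact names, trailing-dot address prefixes and leading-dot host-name suffixes; the EXCEPT operator, the LOCAL/KNOWN/UNKNOWN keywords and the optional shell-command field are not modelled. The sample rule files it writes are constructed for the demonstration and are not from any real host.

```shell
#!/bin/sh
# Added example (not from the column): a small model of how TCP Wrappers
# (tcpd, hosts_access(5)) decides whether a client may reach a service.
# Supported patterns: ALL, exact names, "192.168.1." address prefixes and
# ".corp.example" name suffixes. EXCEPT, LOCAL and shell commands are not
# modelled; the optional third field of a rule is ignored.

# match_token PATTERN VALUE -> exit 0 if PATTERN matches VALUE
match_token() {
    pat="$1"; val="$2"
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$val" in *"$pat") return 0 ;; esac ;;   # host-name suffix
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # address prefix
        *)   [ "$pat" = "$val" ] && return 0 ;;            # exact match
    esac
    return 1
}

# list_matches LIST VALUE -> exit 0 if any comma/space separated token matches
list_matches() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    for tok in $list; do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

# rule_matches FILE DAEMON CLIENT -> exit 0 if some rule line in FILE matches.
# Rule lines look like "daemon_list : client_list [: shell_command]";
# comments and blank lines are skipped; a missing file matches nothing.
rule_matches() {
    file="$1"; daemon="$2"; client="$3"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while IFS=: read -r dlist clist _rest; do
        if list_matches "$dlist" "$daemon" && list_matches "$clist" "$client"; then
            echo match
        fi
    done | grep -q match
}

# hosts_access DAEMON CLIENT [ALLOW_FILE] [DENY_FILE]
# tcpd's order: hosts.allow grants, then hosts.deny refuses, else grant.
# Prints "allow" or "deny" and exits 0 or 1 accordingly.
hosts_access() {
    daemon="$1"; client="$2"
    allow="${3:-/etc/hosts.allow}"; deny="${4:-/etc/hosts.deny}"
    if rule_matches "$allow" "$daemon" "$client"; then echo allow; return 0; fi
    if rule_matches "$deny" "$daemon" "$client"; then echo deny; return 1; fi
    echo allow; return 0
}

# write_sample_rules DIR: constructed sample rule set (not from a real host):
# refuse everything by default, then re-open sshd to one LAN and one domain
# and the FTP daemon to the internal domain only.
write_sample_rules() {
    dir="$1"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    cat > "$dir/hosts.allow" <<'EOF'
# comments and blank lines are ignored

sshd : 192.168.1. , .corp.example
in.ftpd : .corp.example
EOF
}

# Run directly: wrap_check.sh DAEMON CLIENT [hosts.allow] [hosts.deny]
if [ $# -ge 2 ]; then hosts_access "$@"; fi
```

With `ALL: ALL` in hosts.deny and nothing in hosts.allow, every wrapped service answers "deny" to every client, which is the home-system setting above; services you really need are then re-opened one at a time in hosts.allow, restricted to the networks that should reach them. Real tcpd also applies its rules to the daemon name as invoked by inetd, so the name in the rule must match the server's argv[0].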
If you read the Security HOWTO (*) by Kevin Fenzi and Dave Wreski and follow most of their suggestions then you'll probably never have a problem. Under Linux you can keep your system as wide-open or just about as locked down as you like.