Home > Bugs & Viruses > The Virus Threat to LinuxThe Virus Threat to Linux Submitted by Jill 2003-03-28 Bugs & Viruses 44 CommentsDesktopLinux.com talks with CEO Kevin Peer of top Linux antivirus vendor Central Command to discover where vulnerabilities exist, the cost to companies, and the growing interest in Linux from virus writers. About The Author Eugenia LoliEx-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.Follow me on Twitter @EugeniaLoli 44 Comments 2003-03-28 12:16 am viruses for linux? i thought linux existed so people could get away from viruses. guess your perfect os isn’t so perfect after all is it.after decades of using windows, i’ve never had one virus. i’d be interested to hear if any linux users have had experiences with catching a virus 2003-03-28 12:47 am viruses for linux? i thought linux existed so people could get away from viruses. guess your perfect os isn’t so perfect after all is it.Who said there’s no virus on [your OS here]? Again, who said [your OS here] was perfect?Linux is less prone to virus as the system is basically built to be secure (permission rights), source code is heavily reviewed, patches are available soon after a security hole is discovered, etc. That given, it doesn’t mean Linux can be more secure or virus-free than another system. If badly administered, Linux can be even more dangerous than a Windows box.There’s very few virus on Linux, but also much less users than on the Windows side (as far as the comparaison is about). There’ll definitely be more virus and ‘nasty’ scripts as Linux will get more popular. It’s more about ‘educating’ people to update their system with security patches (windows update, urpmi, apt-get, etc.) and not open the first file receive from the internet.A good old sh script with rm -rf / as its function would be more powerful than any virus if launch as root.after decades of using windows, i’ve never had one virus. i’d be interested to hear if any linux users have had experiences with catching a virusI’ve not seen any so far, neither been attacked by any Linux worm. Though, I daily got nimda and code red virus in my apache log for months (dynamic ip). 2003-03-28 12:48 am Linux (indeed, any Unix) isn’t invulnerable. It is, however, less vulnerable – I was talking just this evening with someone who’d lost 100MB of important documents in Windows because of a virus.The difference is that a Windows virus has the additional capacity to destroy vital system files, alter settings, delete other users’ documents, or alter the registry. It could have been worse – the virus could have deleted his documents and rendered Windows unbootable. This couldn’t happen in Linux – the worst-case scenario is lost documents and preferences.The two aspects mentioned in the article are (a) loss of documents isn’t a good thing and (b) passing on macro viruses/attachments can be harmful.I know that a Linux box is often used as a mail intermediary, part of which is blocking incoming viruses before they reach vulnerable Windows machines.The loss of documents is serious, but Linux is currently in a better position than Windows – slightly more secure by default, much less critically vulnerable, and a smaller target for virus writers. I don’t know of anyone who’s ever been bitten by a Linux virus.Addendum: of course, a Linux virus has the problem of targeting different versions of glibc, for instance – Windows viruses are easier 2003-03-28 1:25 am a ‘linux virus’ that obtains user privs can do anything a user can. But since it would have to obtain root via a local or remote root exploit, it is indeed quite limited in what it can do… That is, unless you run lindows where everything runs as root. Lindows is the only dist I know of where they nag you to install anti-virus software. They even have a little applet that runs by default just to nag you about buying anti-virus software. 2003-03-28 1:25 am “This couldn’t happen in Linux – the worst-case scenario is lost documents and preferences.”Sure? Why do you think it impossible for a “virus” to get root rights? Do you believe there are no bugs in the kernel or it’s modules? 2003-03-28 1:35 am that prolly should have read “But since it would have to obtain root to do anything interesting”a user-level virus can still delete all that user’s data, fill up disks if there is no quota set, set up servers on high number ports…. Things easily noticed and dealt with, except the deletion of data. Someone could use you as an mp3/warez server if you have bandwidth and somehow dont notice it going on (in which case i have no pity for you).if a virus writer manages to get one binary to work on all linux boxes without conflicting libs without compiling their virus as a massive 10 meg plus static binary that person is indeed amazing. 2003-03-28 1:45 am It’s very hard to get root rights in Linux. Of all the bugs and stuff posted, a remote root exploit is exceedingly rare. It’s much more common on Windows, for 3 reasons:1) The user runs as root all the time. This is the kicker.2) The Windows security model is very complex and the code is very big. Big code means more bugs. There is a whole lot of stuff that runs in kernel mode, and there is a whole lot of code that has special privleges. Even though a typical Linux installation (Mozilla + KDE + GNOME + XFree86 + kernel + utilities) might be almost as large as the 30+ million lines of Windows code, a much smaller percentage of the Linux code is in a position to do any significant harm.3) Windows wasn’t designed with security as a main focus. Even Microsoft itself admitted that over the last year or two. Meanwhile, UNIX developed right along side the internet, and its security model has been developed and refined over a couple of decades. 2003-03-28 1:55 am I wonder how difficult it would be for a linux-based virus to stay in the memory (with user rights) and monitor keystrokes (in the same way as any program using hotkeys) until the user types an ‘su’ to then gain root access. 2003-03-28 2:07 am Maybe I’m just out of the loop, but I rarely hear of viruses per se on Windows, but mainly worms and trojans that depend on buffer overflows or design flaws like VB scripting without security. 2003-03-28 2:12 am after decades of using windows, i’ve never had one virus. i’d be interested to hear if any linux users have had experiences with catching a virusDecades? Decades? That’s stretching it a bit, isn’t it? I think Windows itself as an OS proper is less than a decade old?I’ve had viruses running windows, and everyone I know who runs Windows has had a virus. I don’t know anyone (personally) who has caught a Linux virus, and to date I don’t know of any that could exploit root.Viruses aren’t a big problem with Linux because most Linux distros are pretty responsible; the default installation is quite safe. As the saying goes, Thou shalt not take the name of root in vain. This is one of Microsoft’s big problems: their installations used to (and maybe still do, for all I know) set insecure options as the default, and they have resisted making them secure (“the users want those features”).As Linux grows, ill-formed users and perfidious distros who take the name of root in vain risk bringing judgement upon themselves. 2003-03-28 2:30 am … is that most users run with administrative privileges. There is no choice about this on Win9x, BUT on WinNT (incl 2K, XP), all users who actively use the system SHOULD ONLY BE MEMBERS OF THE USERS GROUP, and NOT part of the administrators group. THIS IS HOW LINUX DOES IT, and this is why Linux is more secure than Windows. Even MS say to do this in there security guidelines.If Windows users would do this, then most viruses would become annoyances more than serious threats that could wipe clean their systems. But then agian it’s all about knowledge…Chewy509…PS. About 95% of the viruses I see, are worms/trojans, the rest are VBS/Macro type viruses… 2003-03-28 2:30 am You hear this crap about the Linux virus threat all the time but it is not true. because there is no reliable transmission vector.Name a Linux virus, then describe how it infects a Linux computer.Without a vector viruses cannot take root, they cannot damage anything they are just the daydream of Antivitus software companies.Windows has a vector, Microsoft Outlook and Visual Basic.There is a huge difference between saying something is a virus and it actually being a real threat. 2003-03-28 2:42 am Richard if you actually read the article it make a LOT OF SENSE! I have been sys admin for to many years and I think the arguments are valid and verifiable. Linux can store Windows viruses (verifiable). The only real way to stop viruses from being stored on a Linux/Samba server to have active virus scanner running on the Linux server.OpenOffice and StarOffice CAN VIEW Office documents and these files can have viruses. Sure they don’t infect Linux but the person can send them to a MS Office user and potentially transmit a virus unknowingly.About Linux viruses. Do you examine the source of each application for malware before you compile and install it? I’ll be you don’t! Heck, in the very recent past Sendmail had trojanized code for download didn’t they and didn’t they do a big alert! How many people download and trusted the source code and compiled it and didn’t even know that it was bad.You arguments don’t hold water, mate. I think Linux antivirus will become needed. 2003-03-28 2:51 am Antivirus for stored windows files is not what I was talking about. AS for things like sendmail that is a trojan not a virus. There is no way for the viruses to spread, there is no mechanism. 2003-03-28 3:00 am I think you are looking the problem in a classic sense. A worm can also drop, install, or compile a virus and execute it. Think of the Morris worm, one the very first “viruses.” It trojanized the box and replicated itself. A trojan that replicated across the Internet thus became a known as a worm in later years. 2003-03-28 4:09 am .. is that most users run with administrative privileges. There is no choice about this on Win9x, BUT on WinNT (incl 2K, XP), all users who actively use the system SHOULD ONLY BE MEMBERS OF THE USERS GROUP, and NOT part of the administrators group. THIS IS HOW LINUX DOES IT, and this is why Linux is more secure than Windows.I think the way OS X does it is the best. There’s a centralized API for obtaining administrator privileges when necessary, and any application that needs root privileges calls it. When root privileges are necessary, the user is presented a popup asking for the login/password of a root user. This makes the installation of software (or running programs like KisMAC) much easier than on Linux, and handles the issue of allowing users to easily install software without having to be logged in as a system administrator all the time (such as in Windows) 2003-03-28 5:14 am I don’t know of anyone who’s gotten a virus from using *nix, but I know of several who have been ‘rooted.’Hell, if you go back and look at all the hacking tutorials that were made circa 1995 or so (before hacking Windows became a professional sport), all of them were for hacking Unix. Why do you suppose that is? 2003-03-28 5:33 am Perhaps because prior to 1995 (Isnt that when NT4 Came out?) cracking a DOS/windows box was so laughably easy, that there was little to no challenge, and therefore no temptaion to crack.Besides, in 1995, there were a lot less people on the ‘net, and a lot fewer targets, and most Windows boxes that I can remember weren’t even on the ‘net. 2003-03-28 6:12 am Basically a carrier. However if you remember all the talk about Linux being hard this and hard that, etc, etc, etc (you know the rest). Then with the average Linux user being a bit more savy than usual. Another layer of protection is added, in addition to all the rest. 2003-03-28 6:26 am When root privileges are necessary, the user is presented a popup asking for the login/password of a root user. This makes the installation of software (or running programs like KisMAC) much easier than on Linux, and handles the issue of allowing users to easily install software without having to be logged in as a system administrator all the time (such as in Windows)You can do the exact same thing in GNU/Linux. There is no need to log into root at all. KDE and GNOME ask for a root password whenever root privileges are required for a function. You can also open a console and use su or sudo to get root permissions. 2003-03-28 6:38 am You can do the exact same thing in GNU/Linux.However, as I noted, there’s a uniform API in OS X for doing so in a graphical manner. Can you say the same for every installed Linux system? I can for every OS X system, and that’s the beauty of it…The point being, of course, that diversity breeds an intercompatibility nightmare… 2003-03-28 8:26 am As a follower of the whole exploit scene, I still find local root exploits facinating and frightning. Just the other day I downloaded a new one for my RedHat 8 box and, sure enough, it obtained root access.If I wasn’t paying attention enough, I would never have known it had existed. A virus could have exploited that easily.As for Mac OS X’s was of doing things, I really believe that people just type in that password as soon as the dialog box came up. 2003-03-28 8:51 am The difference is that a Windows virus has the additional capacity to destroy vital system files, alter settings, delete other users’ documents, or alter the registry. It could have been worse – the virus could have deleted his documents and rendered Windows unbootable. This couldn’t happen in Linux – the worst-case scenario is lost documents and preferences.[i]As far as I know, you can add an attribute [i]+i to a file (immutable) so it can not be deleted by anyone. Not ever by the root himself. Linux rules! 2003-03-28 8:57 am As far as I know, you can add an attribute +i to a file (immutable) so it can not be deleted by anyone. Not ever by the root himself. Linux rules! I didn’t know that, but I bet root can change the attribute to -i. Then delete it. 2003-03-28 9:53 am Some of the reasons viruses on linux today are not a problem is because:1. Noones written them.2. There are very few (relative to Windows) linux installation, thus harder chance of spreading.3. Linux users generally know their computer and OS much better than the average Window/Mac user.All of the above can easily change.Linux becomes more adopted -> you get more “ignorant” users -> more users/installation, people start writing viruses. 2003-03-28 10:14 am Well, …A long time ago, when I used Windows, I had lots of problems such as BSODs, viruses, my computer was hacked several times, etc.I have Red Hat Linux and Slackware Linux installed and on my computer, using them daily, and never got a problem -neva eva-.n0dez 2003-03-28 12:29 pm …”i thought linux existed so people could get away from viruses. guess YOUR perfect os isn’t so perfect after all is it. ” Get over it, I’m not even going to touch this one. 2003-03-28 1:13 pm if a virus writer manages to get one binary to work on all linux boxes without conflicting libs without compiling their virus as a massive 10 meg plus static binary that person is indeed amazing.With the advances in the Mono .NET project for Linux/Unix and average users’ tendency to want files to automatically open with a designated application (I’m thinking .exe -> mono here), then soon we might have very small executable files that will run on Windows or Linux (just wait till Ximian make Mono an integral part of Gnome) and could destroy all your personal data. I bet over the next few years someone writes a .NET virus if it’s not already been done. 2003-03-28 2:44 pm //A long time ago, when I used Windows, I had lots of problems such as BSODs, viruses, my computer was hacked several times, etc. //That’s because you didn’t secure it properly. We’ve got a Win NT 4 server here thats five years old, with Internet access, and it has *NEVER* been hacked.Funny, if you know what you’re doing, ANY OS is a secure as ANY OTHER OS. 2003-03-28 3:23 pm W32.DonutDiscovered on: January 09, 2002http://securityresponse.symantec.com/avcenter/venc/data/w32.donut.h… 2003-03-28 3:56 pm Last Linux World Expo in NY, I saw lots of people hovering around antivirus software demoed at the booth near me.It’s really great idea – if you really want to put Linux as a main file server in your company, you better protect the files. How many peoples on this forum cannot lift their head above their desktop ! Simple statements like ” I never got a virus on my computer” just show how amateurish you are. Even when you half way to be a pro you will start using plurals.And why I’m wasting my breath in this preschool… 2003-03-28 4:22 pm First of all everybody should know that it is the antivirus companies that are creating the bulk of the viruses, this is how they keep themselves in business. The fact that this company is paying attention to linux means that they will have to create some viruses. I wouldn’t be suprised to see an increase in viruses for linux now. 2003-03-28 4:46 pm >>The point being, of course, that diversity breeds an >>intercompatibility nightmare…Yeah. Diversity is bad. Being locked into one vendor is good. Funny that this perspective is from an Apple user and not a Microsoft user. 2003-03-28 5:21 pm How about running anti-virus software on your Linux machine to stop it from spreading virii to Windows machines?Don’t forget, many Linux machines are file servers for Windows machines and store the virus, which doesn’t disrupt Linux function, but will infect the next Windows machine to execute the file. 2003-03-28 6:19 pm if it is needed will be given away for free under the GPL like all other things Linux. No commercial company could ever hope to write antivirus software for Linux and make a profit. 2003-03-28 6:26 pm How about we don’t and just say we did. If someone really wants their Linux systems to take over the desktop and replace the buggy virus infected proprietary Windows network what incentive do they have to clean up all those harmless little viruses? 2003-03-28 9:11 pm http://www.pcadvisor.co.uk/index.cfm?go=news.view&news=3192Warnings about Linux virus risks rebuffedby Simon EastermanSpecialists say Windows is the real security riskFriday, 28 March 2003US security firm Central Command got short shrift from UK security and Linux specialists this week after it released a statement stressing the need for virus protection on Linux systems.The statement warned that as Linux becomes more popular as a desktop operating system, inexperienced users will fall victim to the increased attention it will receive from virus writers.Steven Sundermeier, product manager at Central Command, said, “There is a huge purpose out there for virus protection for Linux systems.”However, Eddie Bleasdale, director of consultancy netproject, yesterday roundly dismissed Central Command’s advice, saying it was as good as impossible to conduct a virus attack on a Linux system or desktop. Indeed, he said he would pay £10,000 to anyone who could infect a well-configured Linux system with a virus.…….. 2003-03-28 9:16 pm Most viruses/worms are transferred over the internet nowadays, so which OS the end-user is using isn’t the main point anymore. Especially since, as others have pointed out *Nix machines pass on Windows viruses/worms. Sysadmins and ISP’s are the obvious “front lines” for stopping these things. My ISP just recently started using RAV Antivirus. They scan my e-mail as they receive it and clean or delete infected e-mails before I even download them. Of course, I’m using BeOS at home, mostly, but I wouldn’t want to forward worms to my friends and family. Or my Win2K machine at work. 2003-03-28 9:47 pm We have Vexira from Central Command on our linux file servers and linux+postfix mail server and both have stopped viruses from getting us. The linux file server is serving some 290 Windows workstations and every once in a while a virus tries to put on copy a virus to the linux file server and vexira on “linux” nabs it everytime.The mail server with Vexira is stopping about 300-500 email viruses a day. We don’t use vexira on our windows workstations yet since our license with CA is not over for another 6 months.I would absolutely say antivirus on linux is important! How else would I stop the windows viruses from being copied to the linux file server? Antivirus on linux is need and mandatory today folks!!! Vexira R_O_C_K_S on linux BTW. 2003-03-28 10:00 pm What makes you think most linux users would even install Mono?I know I sure as hell am not going to touch that thing. 2003-03-28 11:29 pm Yeah. Diversity is bad. Being locked into one vendor is good. Funny that this perspective is from an Apple user and not a Microsoft user.Well, for the record, I’m a Microsoft user as well…There’s much to be argued for UI consistency, and not much to be argued against it except “consistency is the hobgoblin of little minds…”Lack of a single vendor is why there is no centralized system for installing software on any Linux platform, and furthermore no centralized means of obtaining authorization to do so…On OS X, there is a consistent program model for obtaining authorization to carry out administrative tasks, and so the user model can quickly adjust. On Linux, there is not, and there is a large variety of means of obtaining administrator access, many of which employ very dissimilar program models. This makes the ordinarly simple task of installing software an insurmountable challenge to most anyone but technical users…And so, I once again argue that having a uniform API which provides uniform access to a single program model for obtaining administrator access is an inherently better approach to the scatterbrained methods currently employed by various programs under Linux. 2003-03-29 3:14 am Once again I am suprised at the shallow depth of understanding availble from the couch potatoes here.“i thought linux existed so people could get away from viruses.”No. Linux exists as a hobby for software artisians. The capacity of a virus depends on the sopohistication of the users.Since Linux exists as code, and if you had to you could roll your own linux from sourse, you could very well write acerfiable virus free enrionment.With windows, its not possible. Any claim that windows is virus free is not based upon first hand experence with the source code.Of course we should start this discussion of what exactly a virus is:A virus is a program that performs an unintentional copy. ( and or an unitentional deletion )Automatic software updates fall into this catageory.If you went to google, and looked for “Linux Vius Kit” I could not find *any* source code.If you went to google, and looked for “Windows Virus Kit”, and found at least 100 web pages with source code.Which OS do you feel safer with?How to prevent viruses: stop inentional copies. Use and install tripwire. ( source avaible ).ok… with those things out of the way…“Again, who said [your OS here] was perfect?”My Microwave oven does not have a virus. It never has, and never will. Its Perfect?( Actually, if your reading this thread, look very closely at CEDs comment #2. Its well thought out, and well written. )“It’s very hard to get root rights in Linux.”Ever heard of the linux worm L1on? it does it automatically^tm ( property of disney corp )“I rarely hear of viruses per se on Windows”Head in a sandbox.“Windows itself as an OS proper is less than a decade old?”Windows 1.0.3 which I ran in 1986, is 17 years old. Did you read the OS News article about the age of vindows?Windows proper is an oxymoron.“If Windows users would do this, then most viruses would become annoyances more than serious threats that could wipe clean their systems. But then agian it’s all about knowledge… ”Headlines: “According to an article published in the Register, vindows XP and 2000 users need to install a patch but NT 4.0 users are simply out of luck. According to the article:The vulnerability involves the Micro$oft’s implementation of Remote Procedure Call protocol, blah blah blah”Headlines: “Failure to Patch NT Flaw Causes Concern Users question Microsoft’s promise to support the aging version of vindows.”Get this, and take it to the bank: vindows Security is a full time job, even for vindows 2000 Server. ( vindows 2000 Server SP 2 )Also: The L1on worm, was a minor annoyance. ( Linux )Richard James wrote:“You hear this crap about the Linux virus threat all the time but it is not true. because there is no reliable transmission vector.”SIR: Australia is in posession of one virus expert.“Linux can store vindows viruses (verifiable).”That is not a linux problem. You can easily set up a system, that would continously scan samba volumes and isolate infected files.It would follow, that AppleShare IP, that can share vindows files also has this problem.“I think the way OS X does it is the best. … When root privileges are necessary, the user is presented a popup asking for the login/password of a root user.”Both KDE, and Gnome both do the same thing. ( popup the root password ), But Both do not have the overhead ofnon-dyanimc linked libraries, needing ungodly amounts of ram. secure backround tasks…etc..etc..You fail to see the significance of the Apple solition. its invisible to the user, creates a rosy cute picture, but is _total_ crap behind the scenes.“However, as I noted, there’s a uniform API in OS X for doing so in a graphical manner. Can you say the same for every installed Linux system? ”Your really Steven Jobs right? Users dont care about uniform APIs and that is not significant. and what about Mac OS 9?What about all the other Macintosh viruses that propigate by nothing more than putting a disk in a machine ( and every disk has a desktop file executable as a virus vector ).Bottom line:Average OSN poster. D+.Average OSN poster from Austraila. A+Average OSM poster Mac User. FIs there a filter that I can only read comments from Austraila? 2003-03-29 4:23 am Both KDE, and Gnome both do the same thing. ( popup the root password )So I’ll take your non-reply to the issue of software installation on Linux being in a deplorable state as a tacit concession of point. Thanks.Users dont care about uniform APIs and that is not significant.The issue comes from the programmer standpoint. I’m writing my own graphical Linux application, and it needs root privileges to do something. What am I supposed to do? Make it KDE specific? GNOME specific? Write my own code completely from scratch to do it? Or just expect the user to su and set their DISPLAY variable and xhost accordingly?This becomes especially a pesky problem with graphical installers. Perhaps the user should just log out and log back in as root every time they need to install software?Does the word “elegance’ mean anything to you? You fail to see the significance of the Apple solition. its invisible to the user, creates a rosy cute picture, but is _total_ crap behind the scenes.Do you care to substantiate that comment in *any* way?But Both do not have the overhead of non-dyanimc linked librariesUhh, what the hell are you talking about here? Static linking? OS X makes extensive use of prebinding… perhaps that’s what you’re referring to? All that does is decrease symbol resolution times so application startup occurs much facter.needing ungodly amounts of ram.256MB is all it really needs, and that’s pretty standard nowadays. It’s what’s required for the Quartz 2D renderer, which is a much more elegant solution than X.secure backround tasks…etc..etc..Such as… Netinfo? I’m not sure to what you’re referring. And how is whatever you’re referring to a bad thing?Bottom line:…Average OSM poster Mac User. FAn ad hominem argument. Classy. If you care to substantiate any of your comments I will gladly field your response. However at this point your arguments don’t seem to be at any higher a level than the people you’re insulting. 2003-03-29 2:08 pm “Linux can store vindows viruses (verifiable).”“That is not a linux problem. You can easily set up a system, that would continously scan samba volumes and isolate infected files.It would follow, that AppleShare IP, that can share vindows files also has this problem.”This is not a “linux” problem agreed but it is a practical problem for linux administrators like me who are using linux file servers. I have to have active virus defence on the linux server to keep macro and windows viruses off of our linux file server. I also get the added benefit to being able to detect any linux viruses or scripts that the av detects that built for linux.