Chapter 17: Local Viruses in the UNIX World

Overview

It is generally assumed that viruses do not survive in UNIX systems. This is partially true; however, you shouldn't confuse the principal impossibility of creating viruses with the absence of viruses. UNIX viruses exist, and, by the beginning of 2004, there were several dozen of them. Is this a small number? Do not draw hasty conclusions. The relative "shortage" of UNIX viruses has a subjective nature. This situation exists simply because UNIX-like systems are less widespread in the contemporary community of computer users. Because of the UNIX ideology, there are practically no idiots and practically no vandals in this world. This situation has nothing to do with the protection level of the operating system. It is naive to hope that UNIX will overcome viruses on its own, so, to avoid sharing the fate of Titanic, have all security and protection tools close at hand, carefully checking each executable file for infection. This chapter is dedicated to the topic of protecting UNIX systems.

The first virus that produced a sensation was the Morris worm. Robert Morris uploaded his worm to the Internet on November 2, 1988. The worm infected computers running under system 4 BSD UNIX. Long before this happened , in November 1983, Frederick Cohen proved the possibility of self-reproducing programs in protected operating systems by demonstrating some practical implementations for VAX computers running UNIX operating systems. It is also generally considered that he was the first to use the term "virus."

In reality, these two events didn't have anything in common. The Morris worm propagated through holes in standard software (which, by the way, remained un-patched for a long time). Cohen, on the other hand, considered the problem of self-reproducing programs in an idealized operating system, which didn't have any flaws in its security system. The presence of security holes simply increased the scale of the epidemic and made the propagation of the worm uncontrolled.

Consider the situation that exists nowadays. The popularity of UNIX-like systems grows, and they begin to attract the attention of virus writers. On the other hand, the qualifications of users and system administrators steadily become lower. All these circumstances create a favorable and friendly environment for viruses and worms. There is the risk of UNIX virus development becoming explosive at any moment. For this to occur, it is enough to make appropriate technologies available to the masses. Is the UNIX community prepared to face this danger? No! The general public opinion, found in teleconferences, and the general mood of UNIX administrators indicate that the UNIX family is considered safe and reliable; the threat presented by worms and viruses is received skeptically.

The first viruses that infected ELF files (the main format of executable files under UNIX) were registered in late 1990s, and now their population has exceeded 50 (see the virus collection at http://vx.netlux.org ). The AVP antivirus encyclopedia by Eugene Kaspersky (see http://www.avp-de.com/Encyclopedia/ ) only covers about 14 of them, which induces serious doubts in the quality of AVP.

In most cases, the system has an exceptionally democratic access level, which favors propagation of viruses. This happens sometimes because of ignorance and/or negligence and sometimes because of a necessity of the production environment. If the large number of various software products is updated on the machine (including custom software developed for the company's production needs), then privileges for the modification of executable files are vitally important; otherwise , the process of interacting with the computer will turn from joy into torture. By default, UNIX doesn't allow administrators to modify executable files, and successful propagation of viruses is possible only at the root level, which is either assigned to the infected file by an administrator, or captured by the virus on its own, by exploiting security holes in the system kernel. A qualified administrator can reduce the threat of infection to a minimum by establishing restricted access rights and installing patches in a timely manner. Furthermore, the times of total software exchange have long gone. Currently, no one copies executable files; they download them directly from the Internet. Even if a virus infects the central server, it won't propagate further and secondary cases of infection will rarely occur.

There are no longer actual file viruses, and the lack of large-scale epidemics clearly illustrates this. Nevertheless, the accumulated infection technologies didn't lose their urgency ” without them, the life of Trojans and remote administration systems would be short. Capturing control over the target computer and obtaining root privileges is the same as trying to sow seeds on hot asphalt. The virus writer must try to ensure that his creation is deeply implanted and strikes roots in the captured system, trying to infect all the executable files that it encounters there. And even in this case, he or she cannot be sure of success, because restoring the system from the backup copy allows recovery of the infected system, destroying the virus no matter how deeply it has sunk its roots.

It is generally considered that viruses infecting the source code have more chances of survival; however, in reality this is not so. Users that actually require source code are few, and developers actively use version control systems, which trace the integrity of the software code and allow multilevel rollback. Several attempts at infecting source code of the Linux operating system and Apache server were detected ; however, all of them failed miserably.

The same thing is true for viruses that dwell in interpreted scripts, such as SH, Perl, and PHP. In UNIX, scripts are omnipresent and their modification is allowed by default, which, theoretically, creates a friendly environment for spawning viruses. If users were exchanging scripts, the entire UNIX world would return to the era of early MS-DOS, when new viruses were released practically every day. Under the present conditions, however, viruses remain bound to the infected computer and cannot break loose and leave it.

However, no matter what UNIX fans might say, viruses spawn even on this platform (Fig. 17.1). Ignoring this problem means taking the position of an ostrich, which hides its head and believes that the threat doesn't exist because it doesn't see it. Do you want to be an ostrich? I hope that no one does.

Figure 17.1: Viruses spawn even on the UNIX platform

In the nearest future, avalanche-like growth of the number of new ELF viruses is expected, because every condition that favors it has been observed . Linux gains popularity, and this spike of interest didn't do any favors for this operating system. As the result of this chase after improvements, it has turned into a system with more holes than a sieve. It has been supplied with an "intuitive" and " user -friendly" graphical interface, but no one has undertaken the job of warning users that to work with the system efficiently , they must read thousands of pages of technical documentation and at least a couple of good manuals. If they don't, they won't have to wait long for infection. The more users migrate to Linux, the more virus writers will release worms intended for this platform. The same things will occur in the UNIX world as happened once to MS-DOS. By the way, no one is able to predict whether or not these viruses will be harmless, because this depends on the consciousness of their developers.