8.8 Viruses and Linux

(Danger level: 3)

A computer virus, like a biological virus, is a short piece of code that tricks its host into carrying out the virus's instructions instead of the host's own. A computer virus is made of machine code rather than DNA, but that is an implementation detail. Viruses run rampant in the Windows world, and there are several reasons for this. One is simply that Windows is the dominant operating system: a virus writer gets the most "bang for his buck" there, just as an application writer does.

Another reason is that there is no "genetic diversity" in, say, Windows 95: every instance of the software, and of the hardware it runs on, is essentially identical. As every farmer knows, if all of one's animals or crops are genetically very similar, a single virus can devastate them. Linux, by contrast, exists in many versions of the kernel and of the various utilities that might serve as an entry point, and there are many ways for a SysAdmin to customize her system that happen to block an attack, whether or not that was her goal.

Certainly, many "stack smashing" exploits are specific to a single hardware platform, because the injected machine code must match the processor it runs on; they will be foiled by Linux on SPARC, PowerPC, StrongARM, Alpha, and even the odd mainframe. Many Windows viruses rely on Windows software trusting externally generated data. The classic case is an e-mail attachment that consists of an executable file, or of a Word document carrying evil macros.

On the Internet, this trust is just plain wrong. One of the foundations of security is that you do not trust a message from someone unless you trust him, both his integrity and his judgment, and an e-mail message does not even prove who sent it. Windows was designed for corporate networks completely isolated from the Internet.


In fairness to Microsoft, most of the companies in Microsoft's target market in the mid 1990s did not connect their PC networks to the Internet. Linux, by contrast, was developed by thousands of programmers coordinating with one another over the Internet, so Internet security was a major design criterion from the start. Many firewall companies are getting rich filtering these viruses out at their clients' interface to the Internet. For the same reasons that Windows is so vulnerable to viruses, Linux is much more resistant to them: most Linux programs are carefully designed to be secure, the mail readers and forwarders especially so. Much of this is owed to UNIX's trial-by-fire in the world's universities.

I believe that the most likely avenues for viruses to infect Linux are the following:

  • Certain data types processed by Netscape. Netscape is capable of processing shell scripts (by executing them) and of extracting tar files, either of which could scribble on important files such as .rhosts and .profile. It can also process other dangerous types, such as Perl and Tcl scripts. Check your users' Netscape preferences; this is discussed in "Important Netscape Preferences" on page 262.

  • Multimedia attachments processed by various mail viewing programs. This risk is not limited to Netscape: any viewer that consults /etc/mailcap will hand an attachment to whatever program that file names for the attachment's type. Study your /etc/mailcap file and see "/etc/mailcap" on page 136 for guidance.

  • Windows-oriented viruses reaching Linux through programs that run Windows software or process Windows document formats, such as StarOffice, VMware, DOSemu, and wine. Such programs will probably reproduce the Windows security model, and the weaknesses that go with it, along with the rest of Windows's behavior.

  • Viruses that take advantage of security bugs in Linux programs, such as the stack-smashing exploits mentioned above.

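The two items above about Netscape's handling of script and archive attachments and about /etc/mailcap come down to one question: which programs will a mail or web client hand an untrusted attachment to? The following is an added example, not code from the book. It parses mailcap-format text (type; command; flags, with %s standing for the attachment's file name) and flags entries whose handler is an interpreter or unpacker, whose type is itself a script or archive, or whose %s is left unquoted. SAMPLE_MAILCAP is constructed for the example, and RISKY_PROGRAMS, RISKY_TYPES and WRAPPERS are an assumed site policy rather than a definitive list. Netscape's own preferences are stored in a different format and are not covered here.

```python
"""Audit mailcap entries for handlers that would run attachment content.

Added example, not code from the book: a small parser for the mailcap
format (RFC 1524: type; command; flag; flag=value ...) plus a policy check.
SAMPLE_MAILCAP is constructed; the RISKY_* lists are an assumed policy.
"""
import re
import shlex
import sys

# Interpreters and unpackers that execute or write out whatever the message
# supplies.  Assumed policy list; extend it for your site.
RISKY_PROGRAMS = {"sh", "bash", "ksh", "csh", "tcsh", "perl", "python",
                  "tclsh", "wish", "tar", "cpio", "unzip"}

# MIME types whose content is itself a program or an archive.  Assumed list.
RISKY_TYPES = {"application/x-sh", "application/x-shellscript",
               "application/x-csh", "application/x-perl", "application/x-tcl",
               "application/x-tar", "application/x-gtar", "application/zip"}

# Programs that run whatever follows their -c (one string) or -e (argv) flag.
WRAPPERS = {"sh", "bash", "ksh", "xterm", "rxvt"}

# Constructed sample, not taken from any real system.
SAMPLE_MAILCAP = r"""
# viewers for the local site
text/plain; less '%s'; needsterminal
image/gif; xv '%s'; test=test -n "$DISPLAY"
application/x-sh; sh %s; needsterminal
application/x-tar; tar xvf '%s'; \
    needsterminal; copiousoutput
application/x-perl; perl '%s'
application/postscript; gv '%s'; test=test -n "$DISPLAY"
text/html; lynx -force_html '%s'; needsterminal
application/pdf; xpdf %s
"""


def _logical_lines(text):
    """Join backslash-continued lines into one logical line each."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_mailcap(text):
    """Return [(mime_type, command, flags), ...]; skip comments and blanks.

    Fields are split on unescaped ';' and an escaped '\\;' is unescaped.
    """
    entries = []
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.replace("\\;", ";").strip()
                  for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2:
            continue
        flags = {}
        for field in fields[2:]:
            if field:
                key, _, value = field.partition("=")
                flags[key.strip().lower()] = value.strip()
        entries.append((fields[0].lower(), fields[1], flags))
    return entries


def programs_run(command):
    """Names of the programs a mailcap command line actually runs."""
    names = set()
    for segment in re.split(r"\|\||&&|[|;]", command):
        try:
            words = shlex.split(segment)
        except ValueError:
            words = segment.split()
        if not words:
            continue
        prog = words[0].rsplit("/", 1)[-1]
        if prog in WRAPPERS and len(words) >= 3 and words[1] in ("-c", "-e"):
            # `sh -c 'less %s'` runs less, not the attachment: look inside.
            inner = words[2] if words[1] == "-c" else shlex.join(words[2:])
            names |= programs_run(inner)
        else:
            names.add(prog)
    return names


def audit_mailcap(text):
    """Return [(mime_type, command, [reason, ...]), ...] for risky entries."""
    findings = []
    for mime, command, _flags in parse_mailcap(text):
        reasons = []
        if mime in RISKY_TYPES:
            reasons.append("type is executable or archive content")
        hits = sorted(programs_run(command) & RISKY_PROGRAMS)
        if hits:
            reasons.append("handler runs " + ", ".join(hits))
        # The command goes to /bin/sh with %s replaced by the file name; unless
        # the mail reader escapes that name itself, an unquoted %s lets a
        # crafted attachment name inject shell commands.
        if re.search(r"""(?<!['"])%s(?!['"])""", command):
            reasons.append("unquoted %s")
        if reasons:
            findings.append((mime, command, reasons))
    return findings


if __name__ == "__main__":
    # Audit the file named on the command line, else the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILCAP
    for mime, command, reasons in audit_mailcap(text):
        print(f"{mime}: {command!r}: {'; '.join(reasons)}")
```

Run it with the path of a real /etc/mailcap or a user's ~/.mailcap to audit it, or with no argument to see the findings for the sample. The unquoted-%s check is conservative: some mail readers escape the file name before substituting it, in which case that finding alone is harmless; an entry such as the sample's `sh %s`, which hands the attachment straight to a shell, should be removed regardless.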

Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.