virus in unix
25/Jan/2009 @ 14:19 Software

This article was written by Paulo Laureano Santos, whom I thank for allowing me to publish it on my blog.
Please also read the note that follows the article.

A recurrent question that many, many people – namely non-UNIX users – pose is why there are no viruses for Linux.

This small article intends to shed some light on the subject and show that no, Linux/UNIX systems are not necessarily immune to viruses.

User space: most viruses wouldn’t be able to hide from the eye of a conscious administrator (whether at the filesystem level or among running processes), but they could replicate themselves using services to which the user has access (shared disks, remote areas accessible through FTP, NFS, SSH, etc.). There is no technical reason preventing such a virus from being written. No, you don’t need a “proof of concept” to know this, so don’t bother.

Assuming a properly configured computer, with no known local vulnerabilities that would allow privilege escalation (which in UNIX means user/group 0), it is hard for a virus to invade the kernel space, where it could do greater damage and stay hidden from the administrator for a longer period of time. Unfortunately, I don’t know a single UNIX system that doesn’t have local vulnerabilities in its default install. Even OpenBSD is not immune from that kind of hazard, even though it has stood for the past five years without any known remote vulnerabilities in the default out-of-the-box installation. And this by itself means nothing, since local administrators will have to change the default setup in order for the server to do anything remotely useful.

Assuming (once more) that a common security problem is present in a significant group of systems (whether through a common daemon or a distribution), this would allow a virus to escalate its privileges to root level, and then nothing prevents its longevity and replication capabilities from being similar to those found in Windows viruses. UNIX is less vulnerable than Windows (in particular because it uses an “all or nothing” security approach), but it’s not immune.

Long before Code Red, we had worms using remote vulnerabilities in BIND or Sendmail, both typically running with root privileges.

Assuming (again) that a UNIX worm or virus escalates to root, it potentially has a greater stealth capability in UNIX than in Windows: the potential to become a kernel module or to insert itself into the kernel source code (which inevitably will be compiled on actively maintained systems, if nothing else to apply security patches). These areas are off limits for Windows viruses.

The greatest UNIX defense is the differences amongst them. The difficulty resides in creating replication methods that target the UNIX universe (a universal buffer overflow is exploitable in different ways on different systems, when it’s exploitable at all, even assuming the universality of its existence), and in finding vulnerable systems with identical configurations (i.e., a vulnerable “named” can run in various setups: chrooted, as root, or with user privileges and suid-root just to bind to port 53).

In short: the potential for the existence of UNIX viruses is real. The complexity and plurality of its flavors doesn’t help virus writers, though. The versatility of the systems will play in favor of the virus creator once privileges have been escalated. Someone who gains access to the CVS/source of a big project that runs with root privileges when executed (almost all daemons), or to the kernel source tree, may surprise everybody by inserting the virus code at that level, before release to the world. If it is not detected before release time and the distribution comes out, both the signature and the CRC will be correct.

Paulo Laureano Santos.


[Note]: This article is based on and adapted from an original comment posted on a Portuguese web forum by the same author (Paulo Laureano Santos) and translated by myself (Mário Gamito). He kindly agreed to this, back in 2002, both at my request and under his own terms.
The translation process can affect the original text and/or the author’s meaning, although I’ve done my best to prevent this from happening, while at the same time trying to stay as close as I possibly could to the original, meaning the author’s writing style.

The views and opinions expressed herein are those of the author and do not necessarily reflect mine.
I’m publishing them here and now just for the sake of the debate (for whoever may be interested).

-MG
5 comments
  1. 25/Jan/2009 | 14:46

    About the svn intrusion, it has happened in the past and it was detected; it wasn’t proven badware, but then again it was not proven it was not, and it was removed… we normally trust the “many eyes at the code” thing for that…
    And I can assure you that there are many eyes looking at it. Just yesterday I had an email from the Debian people about a single file that had a remote reference to a CC licence there; it was so obscure I didn’t even remember that I committed such a thing…


  2. 25/Jan/2009 | 15:37

    My opinion is that if Linux on the desktop starts having the success that, for example, the Mac is now having, viruses will start to appear.
    The Mac is already suffering from this; just now the iWork 09 download on torrent sites can come with a trojan attached.
    I think the big advantage of Linux is that the software one installs generally comes from safe sources; there is no need to go to torrent sites, etc.
    In a situation where Adobe, etc. made their software available for Linux, paid of course, since they surely won’t give it away, deb packages, etc. would start appearing on piracy sites. If that comes to pass, I don’t see much difficulty in placing, in the middle of that installation, for which we have to elevate the user to root, a trojan, malicious commands, etc.


  3. 25/Jan/2009 | 18:57

    Although it is indeed possible to create viruses for Linux (some exist in the lab), the article mentions what I consider the best method of preventing the spread of such critters: the diversity that exists in Linux. Each distro and each version of it brings (or frequently brings) different configurations and programs, with different versions from case to case. In fact, I dare say there must not be two Linux systems (of private users; I’m not talking about corporate networks) configured in exactly the same way…


  4. 25/Jan/2009 | 19:52

    Pedro,

    And what prevents an application from adapting? Checking configurations? Etc.?

    I don’t agree with what you said, because the base is always the same in all of them!

    Hugz,
    Luís


  5. 25/Jan/2009 | 22:21

    Luis,

    Of course it’s possible; it just makes things much harder… that is, it shouldn’t be easy to implement the “virus engines” that turn any kid with too much free time into a virus author… just that.

