Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: [News] Why Linux is Resistant to Viruses

In comp.os.linux.advocacy, Roy Schestowitz
<newsgroups@xxxxxxxxxxxxxxx>
 wrote
on Thu, 10 Aug 2006 16:04:37 +0100
<37272486.RsqZ0CMyUL@xxxxxxxxxxxxxxx>:
> The short life and hard times of a Linux virus
>
> ,----[ Quote ]
> | For a Linux binary virus to infect executables, those executables must
> | be writable by the user activating the virus. That is not likely to be
> | the case. Chances are, the programs are owned by root and the user is
> | running from a non-privileged account. Further, the less experienced
> | the user, the lower the likelihood that he actually owns any
> | executable programs. Therefore, the users who are the least savvy about
> | such hazards are also the ones with the least fertile home directories
> | for viruses.
> | 
> | [...]
> `----
>
>                                         http://librenix.com/?inode=21

I will note here that none of this is all that original;
UNIX(tm), for all of the trollish complaints about it being
"old technology", had and has similar defenses against
malware.  In a way, that's a good thing.  Linux isn't doing
anything really new here; we know it will work because
it's been working in most commercial Unixes for decades.

I should chastise the author, however, for not mentioning Li0n.
However, it didn't get all that far, if it got out at all.
One might make a case that that was an Apache virus, though,
not a Linux one.  So OK, maybe a few floggings with a wet noodle...

The above article links to

http://freshmeat.net/news/2000/06/10/960695940.html

which is subtitled "Why Linux is Not Immune to
ILOVEYOU-style Worms".  And it's true; Linux wouldn't
even *notice* ILOVEYOU-style worms, for to Linux, such
a worm is a series of data, passing through an opened
file descriptor.  ILOVEYOU-style worms propagate through
a different vector: the emailer.

In this case, however, there's some resistance, as all
of the Linux emailers I know about -- Evolution, mailx,
balsa, pine -- do not allow the user to doubleclick and
run a script directly from the emailer (mailx doesn't
even know what doubleclick *is*; I don't think pine
does, either).  Instead, one has to download the script,
explicitly set a bit executable (or run a script using
the right interpreter, e.g. 'bash scriptfile'), and then
watch the malware try to propagate.

Inconvenient, to be sure -- especially for the worm. :-)

And even then, the malware might have a difficult time of
it, as there's no standard place for the worm to find its
next set of victims.  A sophisticated worm might look in
multiple places, of course.

I'm not sure regarding the "document" model.  At this point
I think a far more sensible method would be a type-app
association; the type would be deduced by libmagic,
which virtually eliminates issues such as
"AnnaK.jpg                 .exe"-type extension hiding.
Any vulnerabilities exploited by worms would be those of
the app (e.g., one might contemplate trying to exploit
a buffer-overflow in a PDF viewer) and quickly fixable
once found.

-- 
#191, ewill3@xxxxxxxxxxxxx
Windows Vista.  Because it's time to refresh your hardware.  Trust us.

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index