Firewall and/or anti-virus

GreyGeek GreyGeek at earthlink.net
Mon Apr 6 17:21:10 UTC 2009


Antonio Augusto (Mancha) wrote:
> ....
>
> But I think some things need to be made clearer: for starters, it's not
> IMPOSSIBLE for one to write a virus that attacks Linux, it just isn't as
> widespread as Windows viruses are,


True, it is not impossible to write a virus that attacks Linux, but it 
is MUCH harder.

The hacker's problem is that the security protocol for Linux is superior 
to that of Windows.  A Windows executable is determined by the 
extension of the file (exe, com, bat), not a bit setting on its HD 
image AND the file type, like Linux does.  Linux does not implement an 
"ActiveX" type component which automatically executes an email 
attachment like Windows does.  Linux executes SAVED FILES that are 
either a special shell script or an ELF binary, both of which have to 
have their execute permissions set in order to be run.  To run a viral 
attachment the *USER* has to first save it as a file, then set 
the execution bit, then run it.  Three manual operations requiring the 
cooperation of the user.  Buffer overflows are another matter.

THAT is why, in the last 15 years there have been fewer than a dozen 
Linux viruses or Trojans found in the wild, and the most recent, 5 years 
ago, infected only a handful of computers in Eastern Europe because they 
were running copies of a commercial Linux distro which sets the user up 
to run as root in order to make it "behave" more like Windows.

> simply because Linux is not as
> popular as Windows.
>
> When Linux becomes a mainstream OS with everyone using it you bet crackers
> will start trying to find ways to write viruses for it.
>
I've heard that argument repeated many times but I don't believe it. 

Contrary to "reports" by a firm whose business model is marketing 
rebrandable Windows executables, the Linux desktop market share is 
around 8 to 10%, not 0.8 to 1.0%.  In 2004 CNET, ZDNet, Gartner and 
IDF had reports putting the Linux desktop market share at 4%, with 
predictions that it would be 8% by 2008.  IF, instead, it HAD decreased 
to 0.8% I doubt that Dell and PC OEMs would have wasted their time 
offering Linux preinstalled on some of their offerings.  The Netbook 
OEMs wouldn't have bothered preinstalling Linux on their stuff either.

If it were a matter of simple 'popularity' then viruses would appear in 
proportion to that ratio of popularity, not some arbitrary threshold, 
but they don't.  Linux is approaching 30% in some market segments and in 
some countries 100% has been mandated, but despite that Linux viruses 
are rare.  Most Linux servers are compromised because of *manual* 
attacks by hackers, one on one.  They can't build a Linux bot farm one 
at a time, and automatically executing Linux email viruses do not 
exist.  By many measures the Apple Mac has risen in popularity to 
between 10-12% of the desktop market share.  Its vulnerabilities have 
increased slightly, probably more a result of their proprietary model 
than their market share, but the percentage of Mac viruses found in the 
wild is nowhere near their market share percentage.  As Linus Torvalds 
said, "To a thousand eyes, all bugs are shallow".

Most Linux virus counts are forged by AV houses trying to sell Linux AV 
products.  They take supposedly "cross platform" malware like the jpeg 
stuff and rename them to include "linux" in their name, but they are 
still just Windows infectants.

> Virus, worms and all that stuff are based on bugs found on the OS,
> that is: by errors of human beings. And guess what, the same way a
> person writes a program with bugs in Windows, some one can write a
> program with bugs in Linux. And it has been done before and A LOT.
>   

> What do you think are all those updates that Kubuntu keeps telling you
> to install? Bugs being fixed, and if you don't install these updates,
> usually, you are as vulnerable as any Windows user.
>   
A program defect is *NOT* necessarily a remotely exploitable defect, 
so an update to fix a gui button which doesn't work to design specs 
isn't the same as fixing a switch parameter of a utility, or a gui 
textbox, which allows a buffer overflow.  Defects and bugs do *not* 
equate on either platform.  I would wager that the *VAST majority* of 
updates on Jaunty are to fix performance issues not security holes 
("bugs").

So, NO, a Linux user is NOT "as vulnerable as any Windows user".  

Microsoft's money distorts the news.  You should read page 53 of the 
PX03096.pdf from the Comes vs Microsoft lawsuit, section 8 entitled "The 
Slog".  I've posted it in another msg on this list.  Microsoft's market 
share is eroding steadily, more so recently because  of the economic 
climate, but Linux viruses are not on the rise.  In fact, they haven't 
been seen in 5 years.   IF there HAD been a Linux virus outbreak you can 
rest assured that Microsoft would make sure it hit ALL the front pages 
and remain there for months.
> Also, even in the case of a Linux virus it wouldn't spread as long as
> their Windows counterpart, and the reason is simple: on Windows, you
> usually run as Administrator but on Linux, you usually run as a
> normal user, which has even fewer permissions than a regular user on
> Windows :) So yeah, in this side you are a lot safer than you would be on Windows.

That assumes what you are trying to prove: that Linux is as easily 
infected by a virus as Windows is.

> BUUT... as said, in the event of a virus your personal files (that, in
> the end, as a personal user, is what matters) would be at danger. So
> yeah, if you get a Linux virus you are as screwed as on Windows.
>
Actually, since most hackers are not script kiddies, but professional 
thieves (and this may seem strange at first) you could be *better* 
protected by being hijacked by a hacker!  Why?  Because while hackers 
can spam a single viral email and gather in several *thousand* Windows 
PCs as zombies into their bot farm, they prefer to use Linux as the bot 
farm controller *because* it is secure from normal viral routes of 
infection and from less skilled manual hackers.  But, they have to 
manually hack into the Linux box to compromise it and that is not easy 
and it is very dangerous - i.e. it is easier to get caught.  Once in, 
they will block the routes they took to get in and other routes that 
might be exposed, thus making the Linux box *more* secure than it was 
before.  Now, from the relative safety of their IRC channel, they send a 
quick *single* msg to their Linux controller with a command that tells 
the Linux box to relay the contained targeting information to the 
thousands of IP addresses of the Windows zombies.   In the stream of IRC 
channel chatter one would hardly notice that one line.  The Linux user 
might notice a flurry of Internet activity on their Internet connection, 
and things may slow down for a few minutes as 50,000 Windows boxes are 
contacted and attack information is relayed to them, but it will return 
to "normal" until the next command from the hacker.  After the hacker is 
finished using the box he may plunder it for personal or CC 
information.  That is what you mean when you say the Linux user is as 
screwed as the Windows users, and if that happens you are correct.  But, 
relative to its market share, *very few* Linux boxes are being hijacked 
because very few are needed.

> ...
>
> Hope this helps you a bit. At the end it does not hurt to be careful
> with what you do around the net :)
>
Exactly!  Being careful includes *not* installing foreign applications, 
i.e., ones *not* in the repository. 

The best way to get infected running Linux is to install a foreign 
binary app *or* one you compiled from a tar file downloaded from an 
unvetted source.  Those two routes are the *sure* way to get infected.

GG
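[Editor's added example, not part of GreyGeek's message or of Kubuntu.] The three manual steps the message describes (save the attachment, set the execute bit, run it) walked through in POSIX shell on a constructed "attachment", plus a small check that classifies a file the way execve() sees it: an ELF binary (bytes 7f 45 4c 46) or a #! script, and only with an execute bit set. The last function shows the caveat a practitioner should keep in mind: the execute bit is consulted only when a file is executed directly; handing the same file to an interpreter ("sh ./file") reads it as input and runs it regardless of its mode. The script contents and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example by the editor, not code from the original post or from
# Kubuntu. It walks through the three manual steps the message describes
# (save, chmod +x, run) using a constructed "attachment", classifies a
# file the way execve() would see it, and then shows the interpreter
# caveat. All function names are this example's own.
set -eu

# classify_file PATH -> prints "elf" (starts with 7f 45 4c 46), "script"
# (starts with "#!", i.e. 23 21) or "data". The first two are the file
# kinds the kernel will execute directly; anything else execve() refuses.
classify_file() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46*) echo elf ;;
        2321*)     echo script ;;
        *)         echo data ;;
    esac
}

# can_exec PATH -> exit 0 only if the file carries an execute bit AND is
# an ELF binary or a #! script, i.e. running it directly would work.
can_exec() {
    [ -x "$1" ] || return 1
    case "$(classify_file "$1")" in
        elf|script) return 0 ;;
        *)          return 1 ;;
    esac
}

# demo_attachment DIR -> writes the constructed attachment into DIR and
# prints the number of manual steps the user had to take before it ran.
demo_attachment() {
    att="$1/invoice.sh"
    umask 022
    # Step 1: the user saves the attachment. It lands on disk as 0644,
    # a plain file with no execute bit, whatever the mail client named it.
    printf '#!/bin/sh\necho "payload ran as $(id -un)"\n' > "$att"
    steps=1
    # Running it directly is refused (exit 126): execve() wants the x bit.
    if "$att" >/dev/null 2>&1; then
        echo "unexpected: ran without an execute bit" >&2
        return 1
    fi
    # Step 2: the user sets the execute bit by hand.
    chmod u+x "$att"
    steps=2
    # Step 3: the user runs it; it is now a #! script with the x bit, so
    # the kernel hands it to /bin/sh from the first line.
    "$att" >/dev/null
    steps=3
    echo "$steps"
}

# interpreter_bypass PATH -> the caveat: strip the execute bit again and
# hand the file to an interpreter. The x bit is only checked by execve();
# "sh file" just reads the file as input, so it runs anyway. Exits with
# the script's own status.
interpreter_bypass() {
    chmod a-x "$1"
    sh "$1"
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
echo "manual steps before direct execution: $(demo_attachment "$work")"
echo "file type: $(classify_file "$work/invoice.sh")"
can_exec "$work/invoice.sh" && echo "direct execution now permitted"
interpreter_bypass "$work/invoice.sh" && echo "...but an interpreter never needed the bit"
rm -rf "$work"
```

Run it as an ordinary user; every step happens inside a temporary directory it removes afterwards. Note that a file saved from a mail client or browser normally arrives with the mode shown in step 1 because of the process umask, not because the file type was inspected; the classification in classify_file is what execve() does afterwards, and the bypass function is why "do not run untrusted scripts through sh" is a rule in its own right.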

More information about the kubuntu-users mailing list