Viruses under Linux

Co-authored by Atul Chitnis and Raj Mathur

Updated 29-Mar-2001 20:30:00 : You can read a postmortem of the Winux virus here

The media reports that there is a new virus loose in the wild. Dubbed W32.Winux (or just Winux) by the company that first identified it, the virus has a feature hitherto not found in any other: it infects both Windows and Linux files.

While this is certainly a new direction in the virus community (a platform-independent or at least multi-platform virus), it is difficult to see what impact the virus will have on systems running Linux and the Linux community apart from the novelty.

Linux (as all Unixen) has been quite impervious to large-scale virus and trojan infections due to its well-partitioned user/administrator-level permission architecture. In essence, a virus received or propagated by a Linux user cannot infect system files; nor can it affect files and programs belonging to another user.

That is not to say that Linux systems cannot be infected by virii at all. Poorly-configured or mismanaged Linux systems are at risk of being attacked by virii and worms too, just as a nice and stable Mercedes Benz car can overturn if driven by someone who doesn’t know what he is doing (or even has a license).

We have seen examples of this recently in the propagation of the Lion and Ramen worms, both of which propagate over the Internet and attack Linux systems running out-of-date software.

However, as stated earlier, the opportunities for subverting Linux are significantly fewer than for subverting Windows: in order to subvert Linux, the writer must be able to successfully attack executables which run with system privileges, which make up only a small subset of all Linux executables.

In fact, to be able to write to any file at all, the virus/trojan needs to have the requisite permissions to do so. Unlike in the Windows world, users by default have permission to write only to their own files and directories.

A simple example will help illustrate this:

On a standard Windows 9x system, the command "deltree c:\*.* /y" will delete the entire hard disk if the user/owner executes this command.

Try this under Linux (or any other Unix) by using the equivalent command "rm -rf /", and all that will happen is that the user’s own files will be deleted. No files belonging to other users, nor any system files, will be affected by this command.

Linux/Unix detractors will quickly jump to point out that if the same command is run as superuser (“root”) then the hard disk is toast.

But this is exactly where Linux/Unix differ from Windows.

By default, one logs into a Linux/Unix system as a normal user (with very few privileges), and only becomes superuser when the need arises for system management. In fact, normal users do not usually log in as a superuser for an entirely different reason – they don’t even have the superuser password.

This is completely opposed to how a Windows user operates. Users are used to having (what they call) “complete control” over their systems, by either being the only user (and hence the super user) on the system, or simply logging in as Administrator to avoid the hassles of having to deal with permissions.

Virus developers have made little (if any) headway in the Linux/Unix world, and definitely not for the lack of trying – there is far more to gain in breaking into a big Unix server than into a small Windows workstation!

Unlike the environment they are used to (Windows/DOS) where infecting the system is almost child’s play, it is near impossible to do anything to a Linux/Unix machine unless you have special privileges – which you almost certainly do not have. This is by design, and has protected Unix (and Unix-like) machines since 1970.

In fact, “computer viruses” themselves came into existence for a very simple reason – an environment in which they could flourish came into existence.

The latest offering – the “Winux” virus – can, in fact, do little (if any) damage. Even its mode of introduction into a system is hilarious – you have to make the Linux executable available under Windows first, execute the virus on that system, then copy the infected files back to Linux.

Granted – one could introduce a pre-infected file. But to what end? The infected file must be given execute permissions, then run in a directory that contains other executables which it needs to have write-access to (a rare occurance). If any files are damaged at all, it will be the user’s own files.

Does this mean that Winux is not a threat at all?

Not at all – it is a harbinger of future attempts to introduce virii into a Lnux/Unix system. We are very likely going to see many more attempts to violate Linux/UNix system security, now that Linux is mainstream and is seeing wholesale adoption across the world (and especially in countries like India where Linux makes a lot of sense).

The rate of success, however, depends on the way the syste, is set up and administered. By default, a newly installed Linux system is immune to such attacks. That it remains so is up to the administrator.

As a Linux user or system administrator, there are a number of things one can do to ensure that one stays on top of the crackers. Some of them:

  • Follow the golden rule – never work as root. New users who come from the Windows world will find this strange, but seasoned administrators and Unix users will know the value of this simple rule.
  • Know where you are getting your programs from. Do not introduce a program into a Linux environment without knowing for sure that it is safe.
  • Use security tools – that’s what they are there for. A simple tool like TripWire or AIDE would render any kind of virus or trojan harmless because it would be detected long before it could do any damage.
  • Subscribe to your distribution vendors’ security newsletter. Most Linux vendors send out security-related information on a regular basis. The newsletters are low-volume and worth their weight in gold.
  • Update your distribution on a regular basis. Again, most distributions have automated methods of doing that (apt-get in Debian, up2date in Redhat, etc.)
  • Subscribe to your local LUG mailing lists. In India, Linux India and your regional Linux User Group (such as Linux Delhi, Linux Bangalore, etc. – check the Linux India website) mailing lists carry security information related to Linux on a regular basis, often even before vendor fixes have been released.

There are various resources for the security-conscious Linux user, including distributions and programs which harden (i.e. make more secure) existing Linux installations, Security-HOWTO documents, security-enhanced kernels and distributions, etc.

None of these, however, are a substitute for awareness and proactive information-gathering. “Ownership” of a system brings with it responsibilities – understand them, or let someone else handle the system administration.

Security is not a goal, but a process. It is your job to stay abreast of things. Saying “I secured my system yesterday” is like saying “I looked left and right before I crossed the road yesterday, so I don’t have to do it today”.


Raj Mathur is a security specialist with Kandalaya, New Delhi, India.
Atul Chitnis is a technology consultant in Bangalore, India.

Comments are closed.