I’ve been meaning to write something about Linux viruses for some time, prompted by a note from Ade on how the virus threat on Linux has the potential to be a big one. I’ve finally written up my thoughts on the Linux virus threat for the Wolves LUG mailing list. It’s more of a primer on the subject, designed to be shown to people who say “Linux is invulnerable to viruses, because users don’t have root privileges!”, rather than a set of suggested solutions, but I can think of one solution (as said in the primer): I’d like to see the Linux distributions include AV software as standard (even if, right now, it has nothing to scan for).
This would require some work. For a start, it should be scanning, even if it has nothing to compare the scans against but the EICAR test file, and freshclam should be running to make sure that virus definitions are always up to date. Secondly, ClamAV needs to be able to scan stuff as it’s written to disc, rather than only doing on-demand scanning as it does now. Nevertheless, having it on and scanning inbound emails all the time and the filesystem regularly would leave us in a very strong position if (and when) the Linux viruses come to town.
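What “on and scanning all the time” might look like in practice, as an added example rather than anything from the original post or the ClamAV project: a cron job that refreshes signatures with freshclam, proves the scanner still detects the EICAR test file (so a run that finds nothing means “clean” rather than “broken”), and then scans every home directory, using clamscan’s documented exit codes (0 clean, 1 infected, 2 error). The log path and the `/home/*` layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a cron-driven ClamAV job that
# refreshes signatures, checks the scanner against the EICAR test file, and
# then scans every home directory.  Assumes ClamAV's clamscan and freshclam;
# the log path is an assumption.
set -u

SCANNER="${SCANNER:-clamscan}"
UPDATER="${UPDATER:-freshclam}"
LOG="${LOG:-/var/log/clamav-homes.log}"

# clamscan's documented exit codes: 0 clean, 1 virus found, 2 error.
verdict_for_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan a path recursively, print a one-word verdict, succeed only when clean.
# The if/else keeps the scanner's non-zero status from tripping 'set -e'.
scan_path() {
    if "$SCANNER" --recursive --infected "$1" >> "${2:-/dev/null}" 2>&1; then
        status=0
    else
        status=$?
    fi
    verdict_for_status "$status"
    [ "$status" -eq 0 ]
}

# Write the harmless EICAR test string and check that it is flagged.  A "clean"
# verdict here means the scanner or its signatures are broken, not that the
# machine is clean, so the caller should treat it as a failure.
selftest() {
    tmp=$(mktemp)
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$tmp"
    verdict=$(scan_path "$tmp") || true
    rm -f "$tmp"
    [ "$verdict" = infected ]
}

# The cron entry point: update, self-test, scan.  Only lines that need a human
# are printed, so cron's mail of non-empty output becomes the alert.
run() {
    "$UPDATER" --quiet || echo "warning: signature update failed" >&2
    selftest || { echo "selftest failed: scanner does not detect EICAR" >&2; return 2; }
    rc=0
    for home in /home/*; do
        [ -d "$home" ] || continue
        v=$(scan_path "$home" "$LOG") || rc=1
        [ "$v" = clean ] || echo "$(date '+%F %T') $home: $v (details in $LOG)"
    done
    return "$rc"
}

if [ "${1:-}" = run ]; then
    run
fi
```

Install it as, say, `/usr/local/sbin/clamav-homes` and add a crontab line such as `0 3 * * * root /usr/local/sbin/clamav-homes run`; because the script only prints when something needs attention, cron’s usual “mail the output” behaviour gives you the alert. The self-test is the part worth keeping even if you change everything else: an AV job that silently stops detecting anything looks identical to one that finds nothing.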
When? I don’t buy it. We don’t have Outlook Express on Linux. We don’t have programs that execute anything from incoming emails.
Maybe there could be a couple. Say, a buffer overflow bug in OOo, so that people could get infected if they open a seemingly innocuous document. There’s a few other instances. But why update the virus definition when you could just update the application? On Linux the applications are being updated as soon as holes are found, long before there’s any exploits to search for. Once there’s an exploit to search for it’s too late, it means someone has been infected.
Sure, not everyone updates their applications. Let’s work on that instead.
Posted by Ian Bicking on December 6th, 2004.
I think that the initial problem is unlikely to be viruses, but rather exploits and open services. We need to ensure that new Linux users are either forced to or learn to ensure that unnecessary services are shut down, and that software is regularly updated.
However, I’m glad to see ClamAV getting some press, as I do think it is vital to be able to say to people “No, there aren’t any Linux viruses, but Yes, we can provide you with free virus protection”
Posted by mrben on December 7th, 2004.
Ian: not so. We don’t have programs that intentionally execute viruses from incoming emails, but then neither has Microsoft for quite a while. They do have buffer overflows in the MIME parser for mails, and buffer overflows in the JPEG displayer, and formatstring errors in the MIME parser, and so on: Linux is not invulnerable to these errors.
Updating the application is not the best solution, especially for something as big and complex as OOo. If they come up with a patch, it goes into CVS, but there’s no immediate release: the Debian security team, say, will backport that patch to their current version of OOo, but in a large environment you’ll have to download that patched version and test it to make sure that the patch hasn’t broken any of your other applications or things that rely on OOo…and all the time you’re doing that, your users might be downloading viral documents. I’m generally in agreement that people need to update their applications more, but a virus checker can be set to download and test for new viral definitions automatically—applications cannot. Well, they can, but who do you know who runs apt-get update out of a cron job? Not many people, I bet.
Posted by sil on December 7th, 2004.
Even though there is no OE on linux there is still the potential for emails to socially engineer the user to open malicious attachments, correct?
The lack of a virus checker is a real problem to me – sure users don’t run as root, but it still doesn’t stop a virus from taking out the home directory – which contains items far more valuable to me than the underlying OS.
Posted by Adrian on December 7th, 2004.
Adrian: I entirely agree. Generally, Linux mail clients don’t allow stuff to be run directly from an email, but then neither do Windows ones any more. I also agree on the home directory thing: the essay I linked to from the post goes into this in a bit more detail.
Posted by sil on December 7th, 2004.
New article over at Newsforge on this very topic – see http://www.newsforge.com/article.pl?sid=04/12/01/2329229
Oh, and I do run apt-get update in a cronjob via cron-apt; I also apt-get upgrade on a daily basis (cron-apt downloads the packages, and then I install manually later in the day)
Posted by mrben on December 8th, 2004.
mrben: you are, if anything, proving my point about apt. Why don’t you upgrade in the same cron job, rather than doing it manually later? Because you don’t trust it to not run amok one day and automatedly destroy your system, right? That’s why we can’t have automated upgrades for applications, as discussed above.
Posted by sil on December 8th, 2004.
Actually, it’s because I’m not sure what would happen when apt-get starts asking questions…….
If I can work out how to get it to install the stuff which doesn’t ask questions, and then ask me the questions later, then I might.
Generally, I’ve only had problems with a couple of packages in Debian, and these have always resolved themselves within a couple of days.
Posted by mrben on December 9th, 2004.
mrben: You are supposed to be able to do this by setting your debconf questions level to “critical”: you will only be asked questions that are above your setting, so you won’t be asked questions. The problem with doing this is that some packages (not many, but some) still don’t use debconf for configuration. I also don’t know how the “this file has been changed; do you want to keep your version or install the package maintainer’s version” question works in a non-interactive install. Take a look at the FAI guys; they’ve thought about stuff like this.
Posted by sil on December 9th, 2004.
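One way to get the unattended behaviour the last few comments are circling around, as an added example that is not part of the original thread or of cron-apt: a script for cron that answers both kinds of prompt up front (debconf questions via `DEBIAN_FRONTEND=noninteractive`, the modified-conffile question via dpkg’s `--force-confdef`/`--force-confold`) and then reports the packages apt “kept back”, which are the ones a plain `upgrade` will not touch because they need a new dependency or a removal. It assumes Debian’s apt-get and dpkg; the log path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original thread: an unattended apt-get
# upgrade for cron that pre-answers debconf prompts and the "keep your version
# or the maintainer's?" conffile question, then reports packages that plain
# 'upgrade' refused to touch.  Assumes Debian's apt-get and dpkg.
set -u

LOG="${LOG:-/var/log/unattended-upgrade.log}"   # assumed path

# The dpkg options that settle the conffile prompt without a terminal:
#   --force-confdef  take the package's default answer when it has one
#   --force-confold  otherwise keep the locally edited file; the maintainer's
#                    copy is left beside it as <file>.dpkg-dist for later review
dpkg_conffile_opts() {
    echo "-o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold"
}

# apt-get with every prompt pre-answered.  DEBIAN_FRONTEND=noninteractive makes
# debconf take the default for every question, whatever priority it was given.
apt_noninteractive() {
    # shellcheck disable=SC2046  (the options are meant to be word-split)
    env DEBIAN_FRONTEND=noninteractive apt-get -y -q $(dpkg_conffile_opts) "$@"
}

# Pull the package names listed under apt's "kept back" banner from apt-get
# output on stdin; prints one name per line.  Those are the upgrades that need
# a dependency change, so they are the ones to look at by hand.
kept_back_from_log() {
    awk '/^The following packages have been kept back:/ { grab = 1; next }
         grab && /^ / { for (i = 1; i <= NF; i++) print $i; next }
         { grab = 0 }'
}

# Update, upgrade, log everything, print only what needs a human.  Cron mails
# non-empty output, so a silent run means nothing was held back.
run_upgrade() {
    mode="${1:-upgrade}"          # 'upgrade' never removes or adds packages
    out=$(mktemp)
    if ! apt_noninteractive update > "$out" 2>&1 ||
       ! apt_noninteractive "$mode" >> "$out" 2>&1; then
        cat "$out" >> "$LOG"
        echo "apt-get failed; see $LOG" >&2
        rm -f "$out"
        return 1
    fi
    cat "$out" >> "$LOG"
    kept=$(kept_back_from_log < "$out")
    rm -f "$out"
    if [ -n "$kept" ]; then
        printf 'kept back (needs a manual dist-upgrade): %s\n' "$kept" | tr '\n' ' '
        echo
    fi
}

if [ "${1:-}" = run ]; then
    run_upgrade "${2:-upgrade}"
fi
```

A crontab line such as `30 6 * * * root /usr/local/sbin/unattended-upgrade run` runs the safe `upgrade` mode daily; leaving `dist-upgrade` out of the automated path keeps the removals and new installs for a person to look at, which is exactly the set of packages the script lists for you. This settles the “apt-get starts asking questions” problem only; whether you trust an unattended upgrade not to break something is a separate judgement, and the log is there so you can check after the fact.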
Nice to see that we are at least thinking about this now. It really worries me that we might end up with egg on our faces.
I agree with the post about email clients being more secure now, and as Aq says, they are in windows now but –
“there’s no patch for stupid users”
It’s a bit of a harsh quote but not too far from the point.
Built in AV would be cool (even if there is little to look for at the moment). As more people start using Linux desktops, so the number of “less technical” users increases – and therefore so does the risk.
Also it would be nice to see something along the lines of Microsoft’s SUS, that can centrally manage patches – and yes I do realise you can do this with a script but I mean something with a nice GUI
Posted by Ade on December 9th, 2004.
Centrally managing patches would be pretty easily done, it’s just that it hasn’t really been done yet, as you mention. Something that pretty much anyone with some coding skill could hack together, I’d have thought, that, and it’d be a really useful contribution…
Posted by sil on December 10th, 2004.
I think there is another problem we may not have considered.
As seasoned Debian users ( ;) ) we’re used to the concept of ‘stable’, ‘testing’ and ‘unstable’ – we understand that bleeding-edge software is often unstable, and we know that if we want a solid box, we run it on Stable. But this mindset is something that needs to be taught to new users, along with a number of other concepts that will be alien to them, as Windows users.
I suspect that a number of us only ever install software that is available in apt, and wait for newer software to hit unstable before we try it. We might (might) add some extra sources to the list, but probably not many.
The main problem is never likely to be Linux itself, or the software it has, but rather the attitude of the users. We are only now approaching a point where there are an increasing number of non-technical users – the biggest test of Linux is not whether or not it will remain secure, but whether or not we can educate users sufficiently to take advantage of the software.
Ooops – I’m rambling……
Posted by mrben on December 10th, 2004.
FYI
Now available from a Debian repository near you is the Aegis virus scanner.
http://jodrell.net/projects/aegis
(On Debian it’s in as aegis-virus-scanner)
Posted by mrben on December 13th, 2004.