COMMENTARY    

The Coming Linux Plague

A pox on the penguin? Ready or not, Linux viruses are coming, and no one is inoculated.
By

On the first day of this month, I got an e-mail from my network administrator imploring me to install the new virus DAT files that she had downloaded from the McAfee website. Viruses are the scourge of the PC world. My Linux box, on the other hand, is virus free. Many Linux boosters believe that the lack of worms and viruses is inherent in the design of the UNIX operating system. I disagree. The correct question to ask when pondering the lack of viruses on the Linux platform is not "why aren't there any?" but instead "what's taking them so long?"

After all, it's not too terribly hard to write a virus for any computer operating system. A Linux virus could spread by patching itself into the system kernel, by modifying a commonly used program like "ls" or "emacs," or simply by installing itself as a program in a standard program directory and then modifying each user's startup files so that that the virus will automatically execute when a person logs in. Hackers have used these techniques for nearly two decades to break into Unix-based systems; it's unreasonable to think that they couldn't be automated by even a mediocre virus programmer.

Of course, to modify the kernel or an application program, the virus needs to be running as system administrator "root" account. Unfortunately, that's not as hard as it sounds.Most system administrators are incredibly promiscuous with the root account: they will download software from the Internet, compile it, and install it --- all as as root. And these days, with more and more Linux programs being distributed as binary RPMs, many system administrators don't even have the source-code for the programs that they are installing.
Linux desperately needs credible anti-virus software to stave off the coming epidemic

Since many Linux computers reside on the Internet, there's another exciting way that a virus could propagated: by exploiting security holes in network servers and obtaining root remotely. This so-called "remote-to-root" transition is actually how the Morris Worm propagated throughout the Internet back in November 1988. Ten years later, ZDNet reported that a similar worm was attacking Redhat 5.0 systems through a well-publicized vulnerability in the IMAP server.

A Linux Flu-Shot

No, what's stopped the spread of viruses on the Linux platform isn't technology, but the lack of interest from the virus writers. Why write a Linux virus when the same skills will let you bring up a new web-site and become a millionaire in just a few weeks? But if the economy goes south, we're likely to see a suddenly bloom of viruses from out-of-work overachievers.

Linux (and the other versions of Unix) desperately needs credible anti-virus software to stave off the coming epidemic before it happens. Think of it as a flu-shot.

Already, there are several companies that are selling anti-virus products for the Linux operating system. F-Secure, for instance, sells an anti-virus system that will scan for the half-dozen or so known Linux viruses as well as Word Macro viruses, windows viruses, and DOS viruses --- just the thing for a dual-boot system. Sophos sells a scanner as well. But , alas, these products are simply scanners ---they will tell you if you are infected, but they don't do much to stop an infection that's underway.

What's needed instead is an anti-virus package that will intercept and stop viruses dead in their tracks. Such an anti-virus package would detect and stop attempts to modify the kernel, to modify programs, or to make hostile connections to remote systems. Let's just hope that this kind of anti-virus software becomes common in the Linux world before flu season comes.



Simson L. Garfinkel is a freelance writer and the author of six books, mostly about computer security. Garfinkel writes a weekly column called "Simson Says" that appears in The Boston Globe (both print and online). The column specializes in information that's useful to ordinary computer users. Garfinkel is a frequent contributor to Wired magazine. His articles have appeared in more than 50 publications including ComputerWorld, Forbes, The New York Times, and Technology Review. Garfinkel lives in Cambridge and on Martha's Vineyard, where he is the founder and part-owner of Vineyard.NET, the Vineyard's premiere Internet Service Provider.



Sign-up Your Account Personalize About Us Home Advertise Privacy Statement
Copyright 1999-2000 Security-Focus.com