10-04-2003, 02:09 AM | #1
Sexy eh?
Location: Sweden
Linux vs. Windows Viruses
Found this today, thought it was a very interesting read.
Quoted from: http://www.securityfocus.com/columnists/188

To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it.
By Scott Granneman, Oct 02 2003 10:59AM PT

We've all heard it many times when a new Microsoft virus comes out. In fact, I've heard it a couple of times this week already. Someone on a mailing list or discussion forum complains about the latest in a long line of Microsoft email viruses or worms and recommends others consider Mac OS X or Linux as a somewhat safer computing platform. In response, another person named, oh, let's call him "Bill," says, basically, "How ridiculous! The only reason Microsoft software is the target of so many viruses is because it is so widely used! Why, if Linux or Mac OS X was as popular as Windows, there would be just as many viruses written for those platforms!"

Of course, it's not just "regular folks" on mailing lists who share this opinion. Businesspeople have expressed similar attitudes ... including ones who work for anti-virus companies. Jack Clarke, European product manager at McAfee, said, "So we will be seeing more Linux viruses as the OS becomes more common and popular." Mr. Clarke is wrong.

Sure, there are Linux viruses. But let's compare the numbers. According to Dr. Nic Peeling and Dr. Julian Satchell's Analysis of the Impact of Open Source Software (note: the link is to a 135 kb PDF file): "There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

So there are far fewer viruses for Mac OS X and Linux. It's true that those two operating systems do not have monopoly numbers, though in some industries they have substantial numbers of users. But even if Linux becomes the dominant desktop computing platform, and Mac OS X continues its growth in businesses and homes, these Unix-based OS's will never experience all of the problems we're seeing now with email-borne viruses and worms in the Microsoft world. Why? Why are Linux and Mac OS X safer?

First, look at the two factors that cause email viruses and worms to propagate: social engineering, and poorly designed software. Social engineering is the art of conning someone into doing something they shouldn't do, or revealing something that should be kept secret. Virus writers use social engineering to convince people to do stupid things, like open attachments that carry viruses and worms. Poorly designed software makes it easier for social engineering to take place, but such software can also subvert the efforts of a knowledgeable, security-minded individual or organization. Together, the two factors can turn a single virus incident into a widespread disaster.

Let's look further at social engineering. Windows software is either executable or not, depending on the file extension. So if a file ends with ".exe" or ".scr", it can be run as a program (yes, of course, if you change a text file's extension from ".txt" to ".exe", nothing will happen, because it's not magically an executable; I'm talking about real executable programs). It's easy to run executables in the Windows world, and users who get an email with a subject line like "Check out this wicked screensaver!" and an attachment, too often click on it without thinking first, and bang! we're off to the races and a new worm has taken over their systems. Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email! Don't believe me? Take a look at Microsoft Security Bulletins MS99-032, MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance. Notice that's at least one for the last five years. And though Microsoft's latest versions of Outlook block most executable attachments by default, it's still possible to override those protections.

This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. As Martha Stewart would say, this is a good thing. Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.

Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it. So the above steps now become the following: read, save, become root, give executable permissions, run. The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes. And since Linux users are taught from the get-go to never run as root, and since Mac OS X doesn't even allow users to use the root account unless they first enable the option, it's obvious the likelihood of email-driven viruses and worms lessens on those platforms. Unfortunately, running as root (or Administrator) is common in the Windows world.

In fact, Microsoft is still engaging in this risky behavior. Windows XP, supposedly Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. The reasons for this decision boggle the mind. With all the lost money and productivity over the last decade caused by countless Microsoft-borne viruses and worms, you'd think the company could have changed its procedures in this area, but no.

Even if the OS has been set up correctly, with an Administrator account and a non-privileged user account, things are still not copasetic. On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself. Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other. Things are intermingled to a degree that makes it unlikely that they will ever be satisfactorily sorted out in any sensibly secure fashion.

The final reason why social engineering is easier in the Windows world is also an illustration of the dangers inherent in any monoculture, whether biological or technological. In the same way that genetic diversity in a population of living creatures is desirable because it reduces the likelihood that an illness - like a virus - will utterly wipe out every animal or plant, diversity in computing environments helps to protect the users of those devices. Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells. But most obvious to the end user, Linux mail clients and address books are far from standardized. KMail, Mozilla Mail, Evolution, pine, mutt, emacs ... the list goes on. It's simply not like the Windows world, in which Microsoft's email programs - Outlook and Outlook Express - dominate.

In the Windows world, a virus writer knows how the monoculture operates, so he can target his virus, secure in the knowledge that millions of systems have the same vulnerability. A virus targeted to a specific vulnerability in Evolution, on the other hand, might affect some people, but not everyone using Linux. The growth of the Microsoft monoculture in computing is a dangerous thing for users of Microsoft products, but also for all computing users, who suffer the consequences of disasters in that environment, such as wasted network resources, dangers to national security, and lost productivity (note: the link is to a 880 kb PDF file).

Now that we've looked at the social engineering side of things, let's examine software design for reasons why Linux (and Mac OS X) is better designed than Microsoft when it comes to email security.

Microsoft continually links together its software, often not for technical reasons, but instead for marketing or business development reasons (see the previous link for corroboration). For instance, Outlook Express and Outlook both use the consistently-buggy Internet Explorer to view HTML-based emails. As a result, a hole in IE affects OE. Linux email readers don't indulge in such behavior, with two exceptions: Mozilla Mail uses the Gecko engine that powers Mozilla to view HTML-based email, while KMail relies on the KHTML engine that the Konqueror browser uses. Fortunately, both Mozilla and the KDE Project have excellent records when it comes to security.

Further, the email programs themselves are designed to act in a more secure manner. The default behavior of the email program I prefer - KMail - is to not load external references in messages, such as pictures and Web bugs, and to not display HTML. When an HTML-based email shows up in my Inbox, I see only the HTML code, and a message appears at the top of the email: "This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here." But even after I activate the HTML, certain dynamic elements that can be introduced in an HTML-based email - like Java, Javascript, plugins and even the "refresh" META tag - do not display, and cannot even be enabled in KMail.

Finally, if there is an attachment, it does not automatically run ... ever. Instead, I have to click it, and when I do, I get a dialog box offering me three options: "Save As ..." (the default), "Open With ...", and "Cancel". If I have mapped a file type to a specific program - for instance, I have associated PDFs with the PS/PDF Viewer - then "Open With ..." instead says "Open", and if I choose "Open", then the file opens in the PS/PDF Viewer. However, in either case, the dialog box always contains a warning advising the user that attachments can compromise security. This is all good, very good.

For all these reasons, even if a few individuals got infected with a virus due to extremely foolish behavior, it's unlikely the virus would spread to other machines. Unlike Sobig.F, which is the fastest spreading virus ever, a Linux-based virus would fizzle out quickly. Windows is an inviting petri dish for viruses and worms, while Linux is a hostile environment for such nasties.

Some caveats

There is one Linux distribution that is ignoring many years of common sense, good design, and an awareness of secure operating environments in favor of a Microsoft-like deprecation of security before the nebulous term "ease of use": Lindows. By default, Lindows runs the user of the system as root (and it even encourages the user to forgo setting up a root password during installation by labeling it as "optional"!), an unbelievably shortsighted decision that results in a Linux box with the same security as a Windows 9.x machine. If you go to the Lindows Web site, they state that it is possible to add other, non-privileged users, but nowhere in the operating system do they advocate adding these other users. Yet they claim their distribution of Linux is secure! In an effort to emulate Microsoft and make things "easy", they have compromised the security of their users, an unforgivable action. No one in the field of security, or even IT, can recommend Lindows while such a blatant disregard for security is the norm for the OS.

Yet some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.

Security is, as we all know, a process, not a product. So when you use Linux, you're not using a perfectly safe OS. There is no such thing. But Linux and Mac OS X establish a more secure footing than Microsoft Windows, one that makes it far harder for viruses to take hold in the first place, but if one does take hold, harder to damage the system, but if one succeeds in damaging the system, harder to spread to other machines and repeat the process. When it comes to email-borne viruses and worms, Linux may not be completely immune - after all, nothing is immune to human gullibility and stupidity - but it is much more resistant. To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. I know which one I'll trust. How about you?

What do you think of this? Is he right?
__________________
Life is shit, Death is even worse, So what's the point of killing yourself? /Ignatius Camryn Paladine
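The HTML-mail behaviour the article praises (no automatic fetch of external references such as images and Web bugs, and no JavaScript, Java, plugins or "refresh" META tag even once HTML display is enabled) can be written down as a small filter policy. The following is an added example for this thread, not code from the article, from KMail, or from any project named above; the tag and attribute lists, the `filter_mail_html` function and the sample message are my own constructed assumptions and only approximate what a real mail client does.

```python
"""Added example: a minimal HTML-email policy filter in the spirit of the
KMail defaults described in the article. It strips (and reports) remote
references that a client would auto-fetch when rendering, and removes
active content: scripts, inline event handlers, Java/plugin elements,
frames and the refresh META tag. Lists below are assumptions, not the
rule set of any real client."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that carry active content; dropped together with their bodies.
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe", "frame"}
# Attributes whose value is fetched automatically while rendering.
REMOTE_ATTRS = {"src", "href", "background", "poster", "data"}
# On these tags href is followed only on a click, so it is kept.
LINK_TAGS = {"a", "area"}


class MailHtmlFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []              # filtered HTML fragments
        self.blocked_remote = []   # URLs that would have been auto-fetched
        self.blocked_active = []   # active elements / attributes removed
        self._skip_depth = 0       # > 0 while inside a dropped element

    @staticmethod
    def _is_remote(url):
        return urlsplit(url.strip()).scheme.lower() in ("http", "https", "ftp")

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self._skip_depth:
            if tag in ACTIVE_TAGS:          # nested active element
                self._skip_depth += 1
            return
        if tag in ACTIVE_TAGS:
            self.blocked_active.append(tag)
            self._skip_depth = 1
            return
        attrs = [(k.lower(), v) for k, v in attrs]
        if tag == "meta" and any(k == "http-equiv" and (v or "").lower() == "refresh"
                                 for k, v in attrs):
            self.blocked_active.append("meta refresh")
            return
        kept = []
        for k, v in attrs:
            if k.startswith("on"):          # inline JavaScript handler
                self.blocked_active.append(f"{tag}@{k}")
                continue
            if (k in REMOTE_ATTRS and v and self._is_remote(v)
                    and not (tag in LINK_TAGS and k == "href")):
                self.blocked_remote.append(v)
                continue
            kept.append((k, v))
        attr_text = "".join(f' {k}="{v}"' if v is not None else f" {k}" for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:              # self-closing active element
            if not self._skip_depth:
                self.blocked_active.append(tag)
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self._skip_depth:
            if tag in ACTIVE_TAGS:
                self._skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def filter_mail_html(html):
    """Return (filtered_html, report) for one HTML message body."""
    p = MailHtmlFilter()
    p.feed(html)
    p.close()
    return "".join(p.out), {"remote": p.blocked_remote, "active": p.blocked_active}


# Constructed sample message: a tracking pixel, an inline (cid:) image,
# a refresh META tag, a script, an onload handler and a plugin object.
SAMPLE_MESSAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://tracker.example/redirect">
<script>document.location='http://evil.example/';</script>
</head><body onload="alert(1)">
<p>Check out this wicked screensaver!</p>
<img src="http://tracker.example/bug.gif" width="1" height="1">
<img src="cid:inline-logo">
<a href="http://example.com/download">Download</a>
<object data="http://plugins.example/applet.jar"></object>
</body></html>"""

if __name__ == "__main__":
    clean, report = filter_mail_html(SAMPLE_MESSAGE)
    print(report)
    print(clean)
```

The report is the part a mail client would surface to the user ("this message wanted to load 1 remote image and contained 4 active elements"); the filtered HTML is what it would render, with the `cid:` inline image and the plain link left intact.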
10-04-2003, 08:14 AM | #4
Junkie
Location: RI
I think the main point is that each part of a Linux computer is sectioned off. I don't remember where, but I saw a map of a Linux kernel and stuff and the basic OS. Sure, you can damage one or two things, but damaging those two things won't be as catastrophic as it would be on a Windows computer...
10-04-2003, 09:00 AM | #6
Human
Administrator
Location: Chicago
Fallon's pretty much got it right. So many things are secluded from one another it's pretty hard to do a whole lot of damage.
Let's just hope Lindows doesn't gain so much ground that it destroys all these benefits of working with Linux.
__________________
Le temps détruit tout "Musicians are the carriers and communicators of spirit in the most immediate sense." - Kurt Elling
10-04-2003, 12:09 PM | #9
Junkie
Location: North Hollywood
I hate to burst anyone's bubble, but the Linux kernel's "safe" system is as strong as its weakest point: all you have to do is find a ring 0, or kernel mode, leak and you've got total access to everything. Lots of people install the latest, greatest driver looking for performance, and given the distribution model for most open source stuff, it'd be easy to slip in a compromise.
It's exactly the same as Windows, or any other OS; Windows has a protected mode too, and a lot of the viruses use user mode compromises to get around it. Attitudes like this are what will allow the virus writers to get in and dominate, since no one will install virus checkers, believing their system is 'virus proof' or close to it. It's the same as a secure computer: there is no such thing (at least not one that's usable). One teeny buffer overflow or such can exploit the whole system, and as for it being cross platform, it doesn't matter; a clever exploit in one of *nix's myriad services such as bind etc. can be crafted to infect lots of different systems. There are many, many, many holes in an OS. Remember, the first big killer worm was *nix based. Big security holes exist; it's just when they are found and how bad they are, and they pop up all the time. Even Java has problems, and it's a sandbox model, which is meant to be ultra safe. The kernel or 'sectioned off' part is also protected in Windows, but it's rarely a kernel mode security hole that's required to propagate a virus; hell, you can do it with an autoexec.bat. Perhaps the author needs to read up on the bind and lpr exploits or the rootkits available for Linux.
10-04-2003, 12:48 PM | #10
Quadrature Amplitude Modulator
Location: Denver
The whole problem would go away if people would just realize that computers are not just another appliance. It is worth learning a few things about them before using them.
__________________
"There are finer fish in the sea than have ever been caught." -- Irish proverb
10-04-2003, 05:19 PM | #11
Registered User
Location: Madison WI
I'm learning by using, and it's a little scary. Having OSX helps one learn in a relatively safe situation. I bet I would learn faster on Windows because I would have to. So far I'm the only virus my computer has had mess things up!
10-05-2003, 01:45 PM | #12
Stop. Think. Question.
Location: Redondo Beach, CA
The "monoculture" and security articles have dominated the IT news last week. I think the points made about Windows are accurate.
What the article doesn't speak to is the virus writer. How many of those 40,000 Windows viruses are actually "well written" programs? I get the feeling that many of the Windows viruses, especially the macro viruses, are propagated by script kiddies. As long as there's a kid with a misanthropic attitude and loads of free time, easy-to-write viruses will continue. Linux may be easier to use today, but is it any easier to write programs for? Since there is no Visual Basic for Applications in Linux, there is no easy way to write viruses, thus why would the script kiddies bother? They'd actually have to _know_ something about C and the Linux kernel. That would be too much bother and wouldn't leave enough time for l33t and fragging noobs.
__________________
How you do anything is how you do everything.
Last edited by rubicon; 10-05-2003 at 01:48 PM.
10-05-2003, 02:18 PM | #13
paranoid
Location: The Netherlands
The author of the article pretty much has it right.
Linux and Mac don't have nearly the attractiveness Windows machines have when it comes to writing viruses. Also, particularly Linux, they are very diverse in setups, installed packages, and versions. This makes a successful infection a lot less likely to spread very far very quickly. A user above mentioned that exploits in the kernel may still be found: this is true, and not any less than with MS Windows or other OS software; the matter of fact is, however, that Linux and other open source software have a far greater mean response time to security breaches than MS. (Honestly: I do not have figures to back this up.) Education and diversity are keywords IMHO... My little security tip for today: protect your network of X machines with a Y firewall. I run Windows 2000 but my network is routed through a Linux firewall... I never had any risk of getting the Sobig.F worm or the like because of this setup. To get to my machine, manual labor has to be done or a dual-OS worm has to spread... (This is not an invitation to crack my firewall or such... I know very well it can be done, and probably quite easily; it does not need to be proven, thank you.)
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace." - Murphy MacManus (Boondock Saints)
Tags: linux, viruses, windows