The Invulnerable Penguin?
by Denis Zenkin, Kaspersky Lab
 
The debate as to how strong the Linux immune system is, from a virus protection point of view, has continued nearly from the date the operating system was introduced. However, recently it has turned from heated debate to full-scale fight, with the gauntlet being thrown down by the Linux camp. The most illustrative example is the recent exchange within the columns of British IT publications and online news resources.

It is a well-known fact that nothing is absolute. Only the church claims the contrary, but that has no direct connection to information technology. Even Linux, whose 'unbeatable' virus-proof architecture receives so much praise from its devotees, cannot be absolutely immune from viruses.

Many believe that the Linux architecture leaves no chance for computer viruses to survive. However, it is more than possible that in time loopholes will be discovered, allowing malicious persons to carry out their destructive activity. In its day Windows NT was proclaimed a virus-free platform, but by now that has become a rather good old-fashioned fairy tale.

Let's try to tease the matter out. Hopefully, Linus Torvalds and Richard Stallman will forgive me for such a heresy but the main disadvantage, the Achilles' heel of Linux, is that it is available in open source code. This enables virus writers to integrate malicious components into Linux by modifying the kernel, modules, run-time libraries - every part of the operating system. Unlike 'closed' platforms, where this kind of activity requires months of hard work in order to disassemble the program code and hook all the system calls, in Linux it could be performed relatively easily in a couple of minutes. Thus the traditional diversity of computer fauna inherent to, say, DOS or Windows, could be increased to become a real nightmare - a new category of viruses integrating into the kernel of an operating system. It is worth mentioning that in all the years in which Windows viruses have been created, not even a single virus of this type has been discovered. With Linux this can be achieved the next day. This virus type will become prevalent on all open platforms, primarily on Linux because it is the most popular desktop operating system of this type.

The procedure of infection is quite simple. Once a virus has been started from an active process under the root account (most inexperienced Linux users use this account), it patches the kernel or creates new modules (nowadays no Linux distribution digitally signs its modules to prevent them from being illegally changed) and loads them into memory. As a result, the virus is activated each time the infected computer is rebooted. The most threatening element of this is that a virus can add functionality of any complexity to the system, which may lead to devastating incidents including data or hardware loss, theft of confidential information, etc. Detection and disinfection of this type of virus, which embeds itself into the system kernel, will require considerable improvements to the products of unprepared anti-virus vendors, up to and including the complete redesign of anti-virus engines.
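The paragraph above turns on one fact: modules are unsigned, so a dropped or patched module is indistinguishable from a legitimate one. The defender's answer to that is a known-good baseline. The following is an added example (not code from the article or from Kaspersky Lab) that hashes module files, records which modules are loaded, and diffs a later snapshot against the baseline; the file contents, paths and /proc/modules text are constructed for illustration.

```python
"""Kernel-module integrity baseline: added example, not from the article.
The article's infection route is a root process that patches the kernel or
drops a new module, which then loads on every reboot, and no module is
signed to reveal it.  Without signatures, the defence is a known-good
baseline: hash every module file, record what is loaded, and diff later.
All file contents and /proc/modules text below are constructed."""
import hashlib

def parse_proc_modules(text):
    """Loaded module names: first field of each non-empty /proc/modules line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def hash_modules(files):
    """Map each module path to the SHA-256 of its contents."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}

def compare_snapshots(base_files, cur_files, base_proc, cur_proc):
    """Module files added, modified or removed since the baseline, plus
    modules now loaded that were not loaded in the baseline."""
    base_h, cur_h = hash_modules(base_files), hash_modules(cur_files)
    return {
        "added": sorted(p for p in cur_h if p not in base_h),
        "modified": sorted(p for p in cur_h if p in base_h and cur_h[p] != base_h[p]),
        "removed": sorted(p for p in base_h if p not in cur_h),
        "unexpected_loaded": sorted(
            parse_proc_modules(cur_proc) - parse_proc_modules(base_proc)),
    }

# Constructed known-good snapshot (2.2-era module paths and /proc/modules layout).
BASELINE_FILES = {
    "/lib/modules/2.2.16/net/ne.o": b"NE2000 driver object (constructed)",
    "/lib/modules/2.2.16/misc/soundcore.o": b"soundcore object (constructed)",
}
BASELINE_PROC = "ne 6532 1 (autoclean)\nsoundcore 2372 0 (unused)\n"

# Constructed later snapshot: the NIC driver was replaced and an unknown module
# has appeared on disk and is now loaded.
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["/lib/modules/2.2.16/net/ne.o"] = b"patched NE2000 object (constructed)"
CURRENT_FILES["/lib/modules/2.2.16/misc/sysmon.o"] = b"unknown object (constructed)"
CURRENT_PROC = BASELINE_PROC + "sysmon 1024 0 (unused)\n"

def run_check():
    """Diff the constructed snapshots.  On a live host the dicts would come from
    walking /lib/modules and the text from reading /proc/modules."""
    return compare_snapshots(BASELINE_FILES, CURRENT_FILES, BASELINE_PROC, CURRENT_PROC)
```

The baseline itself must be stored somewhere the root-level attacker the article describes cannot rewrite (read-only media or another host), otherwise the comparison proves nothing.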

In addition, open source code significantly simplifies the process of finding and exploiting holes in the Linux security structure, which requires only a straightforward analysis of the system code. The corresponding exploits under Windows are found by accident or by long-term, well-directed disassembly of the Windows kernel, and this is a rare occurrence.

The best way to close a security breach is by timely installation of the appropriate patches. Once again Linux is not the best choice. Applying patches for Windows or any other 'closed' platform is very simple and requires minimal effort from the end user; normally a user just clicks on a patch file and then reboots the system. Under Linux it can become much more complicated, since a patch requires the user to recompile the source code (which is not always successful) and, to add to the difficulty, not all Linux distributions are completely compatible with each other.

In other words (prepare yourself: extremely shocking statement!), Linux is the most aggressive and user-hostile environment one can imagine!

Despite the conventional wisdom, Linux is not insured against 'background' (in Windows they are called 'memory-resident') viruses. The first background Linux virus, 'Siilov', originally discovered at the beginning of 2000, acts in a similar fashion to ordinary Windows viruses by modifying the table of entry points and intercepting the main function for executing files. Another well-known way for background Linux viruses to penetrate the system is by changing the list of system services (daemons). Just like system services in Windows NT, they are automatically loaded into memory, where the viruses are able to perform their hostile actions, including infection, file modification, data theft, etc.

Needless to say, the methods described above successfully bypass the main argument against the existence of background computer viruses under Linux: smart memory management, which reliably isolates all active processes by allocating a separate memory block for each application, preventing infection from one application to another.

Another foible inherent to all operating systems, including Linux, is script languages, which enable script viruses like the LoveBug to exist, even in Linux. The most advanced of these languages (for instance, Perl) are powered by even greater functionality than Visual Basic Script (VBS), the most common script language for Windows platforms, which is used for the creation of the majority of script viruses.

Perl scripts can perform all file operations (creation, modification, deletion), collect and send off sensitive information, gain access to email, etc. Perl scripts require no compilation to execute and are distributed as source code. Due to this feature of all script languages, including VBS, there are now more than 40 variations of the LoveBug virus. This is simply because in order to create a new virus variant one only needs to find a virus sample (available for free on the numerous virus-related web sites on the Internet), modify a couple of strings and bingo! - a new virus is ready!

Furthermore, Perl and many other script languages for Linux are platform-independent. This means that Perl scripts originally developed on different operating systems generally will work on Linux as well. Obviously, they are not fully portable and compliant with all platforms since the methods of file infection are different between, say, Windows and Linux, simply because the file formats are different. However, this turns out to be more of a disadvantage than an advantage to Linux; Linux Perl viruses can be successfully cleaned and the infected files restored. If, however, a Linux file becomes corrupted by a Windows Perl-based virus, restoration of a file may prove to be less successful.

Besides Perl there are many other Linux script languages which are even more widespread and universal. The picture deteriorates if we look into the future. Many office applications (such as StarOffice) are about to enter the Linux platform, giving users new opportunities for word processing, spreadsheet and database management, and … catching viruses! Can you imagine a modern office package with no macro or script language in it? I don't think this is a modern package.

So, simultaneously along with new office extensions moving towards Linux there will be more opportunities to create new types of viruses for this platform.

Now, don't forget that Linux is powered by many advanced network and, especially, Internet features. In some cases it is even more powerful than Windows. However, there are no fundamental obstacles to the existence of mass mailing viruses like Melissa or LoveBug. Firstly, in just the same way that a Windows virus exploits Outlook, a Linux virus can gain access to, for example, the Sendmail email gateway and send out infected messages to all the addresses found on the computer. Secondly, it is doubtful that the mentality of an average Windows user is different from the mentality of an average Linux user. So, if in the future Linux becomes as popular as Windows is nowadays, we will see 'love letters', 'résumés', 'million dollar cheques', etc., attachments being opened, leading to global epidemics comparable to contemporary outbreaks.

Some Linux paladins are moving further in their notions about Linux invulnerability against viruses, affirming their opinion that no anti-virus protection is needed for Linux. The fallacy is that Linux stations can be used for transmitting files developed for other platforms and possibly carrying a virus payload. It is certainly true that they will do no harm to the Linux-based PCs, but sooner or later they will affect other stations, for example Windows or DOS ones! This demonstrates negligent inactivity and disregard toward the overall anti-virus security of the global village. Furthermore, the implications are more severe if it is a Linux-based server on a corporate network that is involved (bear in mind that nowadays Linux is primarily a server operating system). In this case, I am apt to think that the corporate security policy defies common sense when no Linux anti-virus protection is installed.

There is an opinion that correct adjustment of user access rights is a panacea against the proliferation of Linux viruses. I admit that this could be the case, but nevertheless it is currently unachievable. First of all, it is very difficult to set up Linux security, taking into account all its peculiarities. Unlike Windows, where there are thousands of guides available on how to create a security structure and keep a reliable enterprise-wide security policy, for Linux there is a lack of trustworthy sources of information of this type. In addition, with Linux there is a gap between theory and practice: the documentation often is not in accordance with the system's functionality.

Secondly, the numerous Linux distributions differ substantially from each other. Often what is good for one is bad for another, so not all security settings are equally suitable for the entire Linux family. All this significantly hinders the configuration of the Linux security system. Thirdly, viruses can still exist and do their dirty deeds within the environment of a particular user account without proliferating to other accounts. Finally, there is no guarantee that new security breaches will not be found, allowing a malicious person to gain full root access rights from a user account, which has already happened many times.

To do Linux justice, I am not implying it is an absolutely useless toy, and I should mention that in general its security level is equal to that of Windows NT. By default both platforms have the same resistance to computer viruses, but they handle the problem in slightly different ways. Correct configuration of the operating system (security-oriented differentiation of user access rights, disabling of potentially dangerous modules [telnet, ftp, etc.], locking of ports, encryption of file systems, etc.) may complicate virus activity so much that none of the existing Linux viruses will be able to do any harm. On the other hand, it will not be easy to use such a security-oriented PC in day-to-day work, because many of the features that make this system user friendly are fully disabled or strictly limited. So, once again the eternal question emerges: what is a reasonable balance between the two contending concepts, security and functionality?
 

Conclusion
An excessive conviction of Linux's invulnerability and the absence of viruses 'in the wild' able to cripple this platform only play into the hands of virus writers. It is usual practice for Linux files downloaded from suspicious sources on the Internet to be executed directly without taking any anti-virus measures. What a happy hunting ground for viruses and trojans! The only reason there is still no virus epidemic under Linux on the LoveBug scale is that Linux is still not a widespread platform and certainly not a desktop standard used on millions of PCs all around the world in all industries.

Despite all that has been said, Linux is still far behind Windows in popularity and therefore in the attention virus writers pay to this operating system. This is true notwithstanding that almost every week a new Linux virus is discovered. Even though many of them are squalid and botched, these attempts are becoming more and more aggressive and, what is frightening, many are successful. It is obvious: a global epidemic of Linux viruses is on the horizon. When will it happen? Cross your fingers and make your play!

 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2000 West Coast Publishing. Reprinted from SC Magazine, 161 Worcester Road, Suite 201, Framingham, MA 01701. All rights reserved.