Wednesday, March 24, 2010
Home » Linux » security » virus » Understanding viruses in Linux
Hasan Basri
2:47 AM
0 comments

Understanding viruses in Linux

Before I started using Linux I was exclusively using Windows. I had never tried Apple, and my interaction with UNIX systems was limited and very seldom. When I started using Linux, it was kind of a first off for many new concepts that had little or nothing to do with those of Windows.

One of the things that got my attention initially was reading that there were no viruses in Linux, which was quite a departure from Windows ways. I was always curious about that... How could it be? After all, Windows users are flooded with attacks, so how was Linux performing the magic? Inevitably, I started searching for answers and found out that it was a somewhat controversial concept. Some people claimed that Linux was mostly benefiting from a very small market share, thus making it unattractive for those creating viruses. Some others claimed it was down to the very diverse and segregated nature of Linux (countless distros, no unified packaging, etc.). Finally, there were also people who claimed Linux was completely immune to viruses and that those who claimed otherwise didn't know what they were talking about.

Eventually, I found no reason to doubt Linux immunity to viruses, so I took it for granted, and thought it was a given in general. My experience is that lots of new Linux users understand, just like I did, that "no viruses" equals "no security threats". I believe that this is mostly down to how the term "virus" has been abused and misused. It almost has become a "wildcard" for all things malware.

In this post I will try to give some background about viruses and Linux security, hopefully clarifying some potential voids and misconceptions while I am at it.

WHAT IS A VIRUS?

First off, let me say that it is TRUE that there are no Linux viruses. That much is right, but it doesn't really mean much as long as we don't know exactly what a virus is. Here's the definition from Wikipedia:

"A computer virus is a program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer"

This definition already clarifies many things. Here are the most important concepts:

- A virus must be an executable program.
- A virus must have the ability to run and copy itself somehow, with no user intervention.
- The only spread mechanism available for a true virus to infect a computer is through its host being on the target machine.

Now, if you have heard about the many forms of malware in existence, you will quickly realize this definition only covers a part of them. This subset is the one we Linux users should not be concerned about. I will briefly touch on the ones we should be conscious about at the end of this post, but for now, let's see why viruses are not our problem:

VIRUS BASICS AND LINUX ARCHITECTURE

As we just learnt, and this is a very important part of its definition, a virus must be able to "do its thing on its own". In other words, user interaction is not required and the virus activity should go unnoticed. There are two methods a virus can use to copy itself:

METHOD 1: Adding its own code to system executables.

Linux, being the good UNIX sibling it is, sports a file system that natively supports ownership and privileges. Simply put, here's how it would work in real life:

1.- If a user creates, copies or downloads a file into a Linux system, that file is owned by the user account and group, and it lacks executable rights. Therefore, it cannot execute itself (there is a practical exception to this which we will cover later).

2.- If the user is misled to trust some malicious piece of code and grants executable rights to it, it would still be bound to the user account's access rights, which are limited to the user home folder. Therefore if a user was having this kind of problem, it would be as simple as creating another account and moving the necessary files over to the new home folder. Note that in this case we would no longer be talking about a virus, for user interaction was required for the trick to work. In practical terms, a virus would have no way to infect any other applications unless it was run under the root (superuser) account.

The root (superuser) account is disabled on many Linux distros out of the box. If it is not, warning messages are displayed frequently while in use or at login time, trying to discourage the user from using it. In fact, unless you are a system admin, you should be able to get the most out of your Linux desktop without ever having to log in as root.

Please, DO NOT use the root account unless strictly necessesary!

METHOD 2: Anchoring itself to another process' memory during execution time

Linux runs on Intel's x86 architecture CPUs (AMD 64bits is actually an extension to Intel's x86), so it is important to understand how Linux uses it. The x86 architecture uses four rings, labeled 0 through 3. Linux uses 2 of those rings, namely ring 0 for Kernel (system) code and ring 3 for process(user tasks, applications, etc.) code. These two pieces of code are never mixed under Linux, they fall on different rings and there is only one "gate" for both to communicate. The fact of the matter here is that only the Kernel itself would be able to change this so a virus could exploit it.

So process code cannot infect kernel code... How about a process infecting another process?... Well, this is also a no go. The Linux kernel provides each process with an isolated piece of memory, one that is not shared with any other process. As a result, even if one of those processes scanned all memory available to it, it would not be able to address that of any other process, for it would be out of its scope. Long story short, this method does not work either.

Obviously, this is very technical talk, but hopefully I managed to explain why viruses are not a concern for Linux users without causing more confusion!!

OTHER FORMS OF MALWARE

Now that viruses are out of the way, let's talk a bit about other similarly malicious pieces of code.

ROOTKITS

Available for a wide variety of Operating Systems, Linux included, rootkits are either a modification to the kernel or to an application code. In the case of Linux, the former are most concerning, as they are very difficult to spot, and can compromise the whole system. As a result, even with the use of specific applications, it can be extremely difficult to detect a rootkit of this nature.

Fear not, for creating a successful rootkit for Linux is no trivial task. It must be created using the exact same code that will be available on the target machine, and its installation would once again require admin rights. Because of the sheer diversity in the Linux world, the fact that there are so many distros, so many packaging variants, etc., it would be very difficult to create something that could have any significant impact. Having said so, rootkit infections have been reported.

If you ran a certain executable you did not trust and suspect you could be infected by a rootkit, or if you simply want to give yourself some piece of mind, here's what you can do:

Because rootkits can become virtually undetectable during runtime, the best thing is to boot from a removable drive (CD-ROM, USB pendrive, etc). Then, use CHKROOTKIT or RKHUNTER , which are two popular rootkit scanners available for us Linux users.

TROJANS

Sometimes referred to as Trojan horses, these are applications designed to deceive the user, seemingly providing a service, while actually opening the door for a third party to remotely control the machine or access personal information. In other words, they can potentially steal passwords, confidential information, install software, log key strokes, use the machine for spamming, etc.

I have already discussed about a GNOME and KDE VULNERABILITY that would allow a trojan in the form of a launcher to execute without admin rights. It would still require the user to save the launcher locally and double click on it, but judging by how frequently that happened in Windows, I believe this should be something to watch out for.

Some users have reported being infected by trojans when using packages downloaded from a popular site containing eyecandy for the GNOME desktop. In fact, Linux users are potentially easy targets for such attacks, for what exactly could be wrong about anything downloaded from community resources? There is a sense of trust which is inherent to the community itself, and I believe that could be a weakness if it is misunderstood. Trust is fine, just do not be careless.

CONCLUSION

I guess the most important thing to take away from this article is that using Linux will do a lot for your computer security, but does not perform miracles. Viruses are no concern, but we sure cannot be careless. Be careful and protective of your own data and privacy. Stay away from using the root account, avoid running software from untrusted sources, never share your passwords... and react quickly if you think your computer has been compromised.

Thanks for reading and good Luck!
Posted by Hasan Basri at 2:47 AM
Labels: , ,
Share:

0 comments:

Post a Comment