This article can also be found in the Premium Editorial Download "Information Security magazine: Exposed: Why your AV software is failing to protect you."
Download it now to read this article plus other related content.
Only a handful of Linux malware has ever been released in the wild. While the Lion (2001), Ramen (2001) and Slapper (2002) worms and the Bliss virus (1997) presented problems for Linux users, they weren't nearly as crippling as the worst Windows malware.
So, should Linux users brush off concerns about malware plagues? Short answer: No.Don't be complacent. Malware writers will discover Linux as its popularity grows.
Poor quality, high TCO and persistent security vulnerabilities are driving Windows shops to use Linux alternatives. Consequently, Linux implementations and GUIs are becoming easier to use, and it's probable that this wider adoption by novices will make Linux a greater malware target. But despite its advantages in averting infections, Linux isn't impervious.
The new GUIs function much like Windows. The critical differences: No Linux mail client will automatically launch an executable when the user clicks on the attachment (although they'll let the user view the file in another program); and, there are a few extra steps to running an executable, which makes infection by an e-mail-borne virus a lot more difficult than in Windows' Outlook.
Linux has no such standard e-mail client to exploit but instead uses an assortment of programs. Most implementations ship with Evolution, a mail client with commercial Exchange support; others use Kmail, Mozilla and even a few text-based mail readers. This diversity makes it difficult for a Linux virus to gain the same penetration and propagation as Windows malware.
Nevertheless, it only takes one hapless user opening a malicious executable with multiple attack threats to launch a devastating virus.
Linux worms face similar challenges: Worms depend on network communications to find and infect new hosts. Nearly every Linux distribution comes with a kernel-embedded firewall (iptables) automatically configured during install, which means worms have to exploit a vulnerability in the kernel before they can reach a vulnerable program. (Windows XP SP2, due out this summer, activates its embedded Windows Firewall by default.) But firewalls aren't always a dependable defense. For instance, Slapper attacked Apache servers through a routinely allowed firewall port (HTTPS).
There are other infection vectors. For instance, if a Linux user executes an e-mail attachment, it might infect user-owned administration scripts.
If the virus could gain root privileges, it could to modify other programs.
Another possibility: A malware writer could target a specific vulnerability using specially crafted PDF files, e-mails or even streaming music. These viruses are rare, but very possible.
Unfortunately, technical impediments aren't the only reasons Linux malware is scarce. Malware authors can make greater names for themselves exploiting Windows because there are so many more potential victims. Despite the necessary ingenuity, creating a Linux worm won't get them CNN coverage. This could change if Linux begins to rival Windows deployments.
Linux users who don't use AV software are pushing their luck, but it won't last long. Some crafty teenager will inevitably shake us from our complacency with a surprising and ingenious Linux worm. Linux-focused enterprises and those looking to adopt the platform for backend and desktop deployments should start investing in AV solutions before they need them.
About the author:
Jay Beale is the lead developer of Bastille Linux and the editor of Syngress Publishing's Open Source Security series.
This was first published in June 2004