
Mainstream means more malicious code for Linux

It's not FUD, it's fact: Linux is every bit as susceptible to malicious code as Windows. Experts say the only difference between the two as attack vectors is the greater prevalence of Windows in enterprise data centers and on desktops. F-Secure Corp., a Finnish antivirus vendor, believes the problems for Linux may slowly escalate, as more CIOs and IT managers introduce Linux into their environments. In this interview, Jyrki Tulokas, business manager at F-Secure, explains the breadth of the current threat to Linux systems from malicious code and predicts how the landscape may change.

Are there any Linux viruses that could jump from platform to platform?

There are some that I'm aware of that could run on Unix and Linux.

It's more about the applications that are running on top of Linux that can cause a problem.

Another problem occurs when Linux is providing data to Windows users -- for example, when an Apache Web server presents data to a Windows user. In an enterprise environment running Linux file servers via Samba to Windows users, you want to secure that Linux box as you would a Windows box. You don't want it to be a propagation point for viruses.

Also, if your CRM or e-commerce applications are connected to a Linux server, the scope of damage caused by a virus could be beyond imaginable. There are a relatively small number of Linux viruses, but you need programs to secure them. Plus the cost of running antivirus is small compared to the damage losing those applications could bring.

Is Linux engineered to fend off malicious code better than Windows?

In a Linux environment, it's difficult to run an application at root. User privileges are much stricter. You can't run programs as freely as you can on Windows. With the latest Windows platforms, Microsoft is taking steps to do away with these rights for users.

Also, Linux has always had a simple firewall built into the system. From the start, Linux is more secure than Windows.

Is malicious code written for Linux structurally different from code written for Windows?

They are more likely to use code that exploits some kind of vulnerability on existing software running on Linux, like OpenSSL or Apache. On the Windows side, viruses rely on users to execute an executable file.

The code itself is written differently. The Windows platform is so much different from Linux, there's a different skill set there.

With Slapper, that virus spread in source-code form. It is available for anyone to copy. Anyone could modify it to make a new one.

Virus writers aren't writing malicious code for kicks any more, are they?

The main reason most viruses are written for Windows is because more end users are using Windows, Outlook and Internet Explorer. They want to write viruses that are going to affect 95% of PC users.

Today, viruses and malicious code [are] written by people who want to make money. Spamming, for example, is a motive. Most of today's viruses install back doors that enable spammers to send spam from end users' computers. It's all about how you can make money writing viruses today.

Also, Linux is being used more on servers today running mission-critical services like CRM and Web servers on Apache. It's quite scary for an enterprise if one of these applications is not running any more because of a virus.

Network-aware worms are considered more dangerous because they spread faster and can cause denial-of-service conditions?

Right. If you look at Slapper, that was a very fast-spreading worm. Once it infects a machine, it is programmed to look for other machines with the same vulnerabilities that are connected to the Internet. It can do this very quickly, [sometimes] in 15 minutes.

In the Linux world, viruses will be different. Corporations will need to do more than file scanning [of e-mail messages]. It's about firewalls and intrusion detection.

Linux worms in the wild

They may not have the infamy of Code Red and Nimda, but there are Linux viruses and worms in the wild. Here are some of the more infamous pieces of malicious code that have a taste for Linux:

Slapper: The most dangerous Linux worm; it's network-aware and in August 2002 it exploited a flaw in OpenSSL libraries in Apache servers with OpenSSL enabled.

Bliss: Also a well-known bug, it infects ELF executables, locating binaries it has write access to and overwriting them with its own code.

Lindose: A rare cross-platform scourge, able to infect both Windows PE and Linux ELF executables. It's a proof-of-concept worm and has not hit the wild.

Ramen: Not just a noodle, another network-aware worm jumping from Linux server to server.

Staog: Considered the first Linux virus, it infects ELF executables.

Typot: A Linux Trojan that does distributed port scanning, generating TCP packets with a window size of 55808.

Source: F-Secure Corp.
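The Typot entry above gives a concrete network indicator (TCP window size 55808 on scanning packets). The following is an added example, not part of the original article or F-Secure's material: it parses raw IPv4/TCP headers and flags sources that send several SYNs with that window size to different ports. The packet builder, sample addresses and the min_ports threshold are constructed assumptions for the demonstration.

```python
import struct
from collections import defaultdict

# Window size that Typot stamps on its scanning packets (from the F-Secure list above).
TYPOT_WINDOW = 55808
SYN = 0x02

def build_packet(src_ip, dst_ip, src_port, dst_port, flags, window):
    """Construct a minimal IPv4 + TCP header (20 + 20 bytes, no options, zero checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr

def parse_packet(raw):
    """Return (src_ip, dst_port, flags, window) from a raw IPv4/TCP packet, or None if not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in raw[12:16])
    src_port, dst_port, _seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", raw[ihl:ihl + 16])
    return src_ip, dst_port, flags, window

def find_typot_scanners(packets, min_ports=3):
    """Group SYNs carrying the Typot window size by source; report sources probing several ports."""
    ports_by_src = defaultdict(set)
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src_ip, dst_port, flags, window = parsed
        if window == TYPOT_WINDOW and flags & SYN:
            ports_by_src[src_ip].add(dst_port)
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

# Constructed sample traffic: one host sweeping ports with the Typot window, one normal client.
SAMPLE = [build_packet("10.0.0.5", "192.0.2.10", 40000 + i, p, SYN, TYPOT_WINDOW)
          for i, p in enumerate((22, 80, 443, 8080))]
SAMPLE.append(build_packet("10.0.0.9", "192.0.2.10", 51000, 80, SYN, 65535))
SAMPLE.append(build_packet("10.0.0.9", "192.0.2.10", 51001, 443, SYN, TYPOT_WINDOW))  # one hit, below threshold

if __name__ == "__main__":
    print(find_typot_scanners(SAMPLE))  # {'10.0.0.5': [22, 80, 443, 8080]}
```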

How much of a threat is malicious code to Linux as it becomes more of a mainstream server operating system?

You can write a virus to any platform. Linux is more secure than Windows by default, but it's not difficult to make a malicious program that would run on Linux. There are about 100 viruses in existence for Linux. It's obviously a little different story on the Windows side.

On Windows, most of the viruses are e-mail borne. On the Linux side, today and in the future, viruses are network-aware, and [they] take advantage of vulnerabilities in networks or systems to infect machines. The Slapper worm, for example, attacked vulnerabilities in OpenSSL and Apache.

If and when Linux becomes used more in corporate environments, the prevalence of viruses will depend on the applications running on Linux.
