[LUNI] Free anti virus for Linux...
Chad Perrin
perrin at apotheon.com
Mon Nov 22 19:25:04 CST 2004
Peter Harkins wrote:
> The problem with this article of faith is that it's blatantly false; a virus
> could be very, very successful without root privileges. It can replicate,
> slowly corrupt or quickly destroy a user's files, and make the machine into
> a jumping-off point for spammers and crackers; and a virus could escalate
> its privileges through root over time, especially if the author provides
> a mechanism for the virus to obtain new exploit code.
>
The question that arises in my mind is this:
How will the virus execute itself? Doesn't the user have to actually DO
something to make it execute?

A true computer virus is, in effect, a self-replicating patch to a type
of file or program. In order for it to replicate, however, it needs to
A) be executed and B) have write privileges on the target files. While
write privileges are much more carefully controlled in Unix systems than
in Windows systems, it's true that a virus could potentially have write
access to at least some files on a system. The necessity of being
executed is a whole 'nother deal, though.

Unlike with Windows, files are not executed by the OS automatically
based on file extension and location. A user needs to take conscious
action to allow a new file to be executed, and when executed it is only
done in a manner consistent with the methods of the action taken by the
user. That means that when you open a file using some application, it
is not being run as a stand-alone executable, and will only exist within
the context of that program. Attacks in Unix, for this reason, tend not
to be virus attacks, but rather are application exploits. Application
exploits can exist for applications running in any OS, of course, but
for a user to be compromised by them he or she must be fooled into
making use of a compromised file.

A "virus" in the usual sense doesn't exist in the Unix world because
malware in a Unix environment requires user interaction. The closest
thing to virus behavior in Unix systems involves services/servers that
perform automatic operations on received files. Because such services
perform actions within the realm wherein they're meant to operate and
don't also perform actions completely unconnected to themselves, and
because (as far as I know) such services don't just blithely rewrite
themselves using received data, about the worst that's likely to happen
with virus-like malicious code directed at these services is that
resource usage will increase. This has happened once or twice, in the
thirty-plus year history of Unix, with worms that acted as
self-replicating message packets, but that's about it.

In any case, I have a hard time imagining how a true computer virus (not
to be confused with a worm or trojan, for example) will compromise a
Unix system. I'm not saying it can't happen, but I haven't yet figured
out how it would.

--
Chad