[LUNI] Free anti virus for Linux...
perrin at apotheon.com
Mon Nov 22 19:25:04 CST 2004
Peter Harkins wrote:
> The problem with this article of faith is that it's blatantly false; a virus
> could be very, very successful without root privileges. It can replicate,
> slowly corrupt or quickly destroy a user's files, and make the machine into
> a jumping-off point for spammers and crackers; and a virus could escalate
> its privileges through root over time, especially if it the author provides
> a mechanism for the virus to obtain new exploit code.
The question that arises in my mind is this:
How will the virus execute itself? Doesn't the user have to actually DO
something to make it execute?
A true computer virus is, in effect, a self-replicating patch to a type
of file or program. In order for it to replicate, however, it needs to
A) be executed and B) have write privileges on the target files. While
write privileges are much more carefully controlled in Unix systems than
in Windows systems, it's true that a virus could potentially have write
access to at least some files on a system. The necessity of being
executed is a whole 'nother deal, though.
Unlike with Windows, files are not executed by the OS automatically
based on file extension and location. A user needs to take conscious
action to allow a new file to be executed, and when executed it is only
done in a manner consistent with the methods of the action taken by the
user. That means that when you open a file using some application, it
is not being run as a stand-alone executable, and will only exist within
the context of that program. Attacks in Unix, for this reason, tend not
to be virus attacks, but rather are application exploits. Application
exploits can exist for applications running in any OS, of course, but
for a user to be compromised by them he or she must be fooled into
making use of a compromised file.
A "virus" in the usual sense doesn't exist in the Unix world because
malware in a Unix environment requires user interaction. The closest
thing to virus behavior in Unix systems involves services/servers that
perform automatic operations on received files. Because such services
perform actions within the realm wherein they're meant to operate and
don't also perform actions completely unconnected to themselves, and
because (as far as I know) such services don't just blithely rewrite
themselves using received data, about the worst that's likely to happen
with virus-like malicious code directed at these services is that
resource usage will increase. This has happened once or twice, in the
thirty-plus year history of Unix, with worms that acted as
self-replicating message packets, but that's about it.
In any case, I have a hard time imagining how a true computer virus (not
to be confused with a worm or trojan, for example) will compromise a
Unix system. I'm not saying it can't happen, but I haven't yet figured
out how it would.
More information about the luni