In comp.os.linux.advocacy, Roy Schestowitz
on Thu, 10 Aug 2006 16:04:37 +0100
> The short life and hard times of a Linux virus
> ,----[ Quote ]
> | For a Linux binary virus to infect executables, those executables must
> | be writable by the user activating the virus. That is not likely to be
> | the case. Chances are, the programs are owned by root and the user is
> | running from a non-privileged account. Further, the less experienced
> | the user, the lower the likelihood that he actually owns any
> | executable programs. Therefore, the users who are the least savvy about
> | such hazards are also the ones with the least fertile home directories
> | for viruses.
> | [...]
I will note here that none of this is all that original;
UNIX(tm), for all of the trollish complaints about it being
"old technology", had and has similar defenses against
malware. In a way, that's a good thing. Linux isn't doing
anything really new here; we know it will work because
it's been working in most commercial Unixes for decades.
I should chastise the author, however, for not mentioning Li0n.
However, it didn't get all that far, if it got out at all.
One might make a case that that was an Apache virus, though,
not a Linux one. So OK, maybe a few floggings with a wet noodle...
The above article links to
which is subtitled "Why Linux is Not Immune to
ILOVEYOU-style Worms". And it's true; Linux wouldn't
even *notice* ILOVEYOU-style worms, for to Linux, such
a worm is a series of data, passing through an opened
file descriptor. ILOVEYOU-style worms propagate through
a different vector: the emailer.
In this case, however, there's some resistance, as all
of the Linux emailers I know about -- Evolution, mailx,
balsa, pine -- do not allow the user to doubleclick and
run a script directly from the emailer (mailx doesn't
even know what doubleclick *is*; I don't think pine
does, either). Instead, one has to download the script,
explicitly set a bit executable (or run a script using
the right interpreter, e.g. 'bash scriptfile'), and then
watch the malware try to propagate.
Inconvenient, to be sure -- especially for the worm. :-)
And even then, the malware might have a difficult time of
it, as there's no standard place for the worm to find its
next set of victims. A sophisticated worm might look in
multiple places, of course.
I'm not sure regarding the "document" model. At this point
I think a far more sensible method would be a type-app
association; the type would be deduced by libmagic,
which virtually eliminates issues such as
"AnnaK.jpg .exe"-type extension hiding.
Any vulnerabilities exploited by worms would be those of
the app (e.g., one might contemplate trying to exploit
a buffer-overflow in a PDF viewer) and quickly fixable
Windows Vista. Because it's time to refresh your hardware. Trust us.