Linux: A Tempting Target for Malware?
Mar 25, 2008 4:00 AM PT
The Linux operating system is not immune to virus infections, although Linux-specific viruses are extremely rare. Linux servers face more risk of virus attack than Linux desktops.
That said, IT security and control firm Sophos recently issued a warning about potential virus infections targeting Linux servers that could pose risks to the Linux operating system. Sophos researchers warned Linux users of the importance of properly securing their Linux systems following findings from SophosLabs that a 6-year-old threat known as "Linux/Rst-B" is still infecting computers and servers.
Analysis of malware has shown almost 70 percent of the infections are due to this longstanding malicious program, according to Sophos. SophosLabs offers a free download of a small detection tool available here to help Linux users find out whether they are unwittingly infected with this virus. However, this detection tool does not provide automatic removal.
"Self-replicating viruses are not seen as a significant threat on the Linux platform. We decided to detect Linux/Rst-B since most of the hacking-related malware we found on our honeypots were infected with this virus. Therefore, the presence of Linux/Rst-B on a server implies that the server has been hacked into," Billy McCourt, malware researcher at SophosLabs, told LinuxInsider.
Linux servers are very valuable to hackers, according to SophosLabs experts. Servers, by their nature, are rarely turned off and often do not run sufficient protection against malware attacks.
This makes the Linux systems ideal candidates for the role of controller in a botnet -- the central control point when creating and managing an army of infected computers, known as "bots" or "zombies." Whereas Linux systems are most often found to be running as servers, Windows machines are more frequently used at home or as desktops in an office, and these computers are regularly switched off. This makes them less attractive as controllers, but ideal as bots or zombies, according to Sophos experts.
Hackers typically gain control via weak Secure Shell passwords or other vulnerabilities. Once in, they install Internet Relay Chat (IRC)-based malware and use IRC channels to control their bots.
"The number of malware in existence is around 350,000, and while only a teeny number of these target Linux, it seems as though hackers are taking advantage of this false sense of security," said Carole Theriault, senior security consultant at Sophos. "It was very surprising to see that a 6-year-old virus seems to be responsible for a large proportion of the malware collating in our Linux honeypot, and we hope that Linux users who aren't running security will at least run this tool to find out if they are infected with this granny virus."
What It Does
Linux/Rst-B is a virus that will attempt to infect all ELF (Executable and Linking Format) executables in the current working directory and the directory/bin. If the virus is executed by a privileged user then it may attempt to create a backdoor on the system, according to McCourt.
This is achieved by opening a socket and listening for a particular packet containing details about the origin of the attacker and the command the attacker would like to execute on the system. Attackers can gain access to a compromised computer and use it for their own purposes such as sending spam.
Linux users who find the Linux/Rst-B infection with the free detection tool can download the evaluation version of Sophos for Linux to clean up the malware infection, noted McCourt.
Linux users shouldn't necessarily view the Sophos warning as a rush to judgment that the Linux platform is becoming less safe relative to the Windows platform. However, Linux users have to be careful that they do not let down their guard.
"It is all too common to hear a Linux user say he or she couldn't possibly have anything [viruses]. It is true that the number of infections remains very low compared to PCs," Matt Sergeant, senior antispam technologist at software security firm MessageLabs, told LinuxInsider. However, Linux users do get infected with rootkits more than any other threat.
A rootkit is a malware program designed to run without restriction on the root level without the knowledge of the operating system or the user. Rootkits easily mask their existence to traditional antivirus and antimalware detection tools.
Linux servers that run PHP code also pose intrusion threats, according to Sergeant. PHP, or Hypertext Preprocessor, is a server-side HTML (hypertext markup language) embedded scripting language. It provides Web developers with a full suite of tools for building dynamic Web sites.
"PHP becomes a concern where there is an insecure application. There are myriads of PHP applications written with no security in mind," Sergeant said.
Linux Less Wine
Of course, cross-platform Web-based applications also pose security concerns for Linux users, he said, though Linux-specific viruses are not too common.
"I haven't seen one in 10 years," Sergeant noted.
Linux users can weaken the built-in resilience of the operating system by running Microsoft Windows programs under applications such as Wine, Sergeant added.
Wine is software that lets some Windows programs run in a special environment within the Linux OS. Its name comes from the acronym used in the original open source project. It stands for "Wine Is Not an Emulator."
Linux users shouldn't panic with fears of new attack vectors zeroing in on their hard drives, however. No really threatening virus attacks exist.
"There always have been some viruses for the Linux platform. But there is nothing new out there," Paul Piccard, director of threat research for phishing scams and Linux viruses at Webroot, told LinuxInsider.
The Linux OS is fairly stable and is not a well-deployed OS compared to Windows, he added. By contrast, Windows is the main draw of virus writers.