Linux = Windows anti-virus? Not!

Discussion in 'all things UNIX' started by Mrkvonic, May 28, 2010.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Here comes an important article debating the misleading analogies of Windows versus Linux malware and anti-virus protection. If you're confused about what Linux security means, then you should definitely read this piece to learn what it does not.

    http://www.dedoimedo.com/computers/linux-security-anti-virus.html


    Cheers,
    Mrk
     
  2. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Good reading there, thanks, this should be a sticky for those coming over from Windows.
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Clicking is overrated and is not the risk on Linux that it is on Windows. Clicking doesn't do anything on Linux in regard to executing binaries unless certain steps are taken first.

    First the user has to set the executable bit on the binary (umask). Then he has to run the binary from the terminal, and finally, he has to enter his sudo or root password. Yes, an ignorant user with root access can do all these things if he wishes and thus install a malicious file, but it's not as simple as it is on Windows and it certainly is not going to be done by accident (as is often the case on Windows).

    So infecting oneself on Linux requires 5 stupid actions:

    1) Bypass the digitally signed repos.
    2) Download a malicious binary from some untrusted site on purpose.
    3) Set the executable bit on said binary (chmod +x)
    4) Execute the binary (./binary or dpkg -i binary.deb).
    5) Give the binary the root password.

    On Windows the actions required are:

    1) Download the binary.
    2) Double click it.

    Or even worse:

    1) Visit a malicious site that exploits a browser hole and automatically downloads and executes the binary.

    Bottom line: Linux and Windows are not the same and do not face the same threats.
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I'm not sure I follow you on the executable bit argument. For scripts and executables, yes. But as far as I can remember, I've never had to mark .debs as executable.

    That's a rather unfair comparison, and I think anyone who's ever used Windows and Linux can see what you're trying to do there.

    Step 1 for Linux seems to have been put there solely for the sake of making Linux's list look longer. And even then it's quite a common occurrence. You don't get much proprietary software in repos - and even if it exists in the repos, it can be months out of date, making you hunt for external download sources or PPAs.

    Comparing how you chose to word step 2 for Linux and step 1 for Windows, your bias is again evident - even though you're describing the exact same action.

    Step 3 for Linux doesn't exist if the file is a .deb. Malicious screensavers, anyone?

    For Windows, downloading a binary from the untrusted zone (aka the Internet) appends an NTFS stream to it that marks its source, causing Windows to throw up an extra prompt when you execute it. So that's an extra step there.

    Lastly, for Windows, you again make the assumption that the user is running in an administrator account and has UAC disabled, so you can shave off a step for Windows. That's called intellectual dishonesty.

    To be honest, I don't think that operating systems that ship with Firefox - the browser with most security leaks - should be throwing stones from inside their glass houses when talking about browser holes.

    There's just an extra point I'd like to make here. Mac and Linux users can keep protesting about how they don't run in admin accounts by default, except that the thing is, UAC in Vista/Win7 has taught malware writers to shift their infection/propagation techniques to those that DON'T require admin access. You can autostart on boot/login without admin access. You can steal user data without admin access. You can trick the user into forking over cash to remove fake infections on their system without admin access.

    Pretty much everything the bad guys want to do doesn't require root privileges anymore, just access to your profile folder and/or HKEY_CURRENT_USER. They don't want root access to own your system. Why would they? It's stupid, immature, a waste of time, and UAC makes it not worth the effort. It's your data and cash that they want. Time to wake up from the concept that UAC/non-root acct is somehow a malware deterrent; it's pretty much way past its sell-by date now.
     
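The execute-bit argument above (chronomatic's step 3 and Eice's reply that a .deb needs no execute bit at all) can be checked on a real download directory. This is an added example, not code from any poster; it assumes a POSIX sh with find, mktemp and chmod, and the demo directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a download directory for the
# two signals argued about above. A browser-created file on Linux has no
# execute bit, so a script only becomes runnable after a chmod +x; a .deb
# or .rpm package, however, never needs the execute bit and is installed
# by handing it to the package manager with root rights instead.

# Succeeds only for a regular file that the current user may execute.
is_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Print every regular file under the directory with the owner execute bit set.
# -perm -100 is the portable octal form (owner x bit must be present).
audit_executables() {
    find "$1" -type f -perm -100 2>/dev/null | sort
}

# Print package files, which bypass the execute-bit step entirely.
audit_packages() {
    find "$1" -type f \( -name '*.deb' -o -name '*.rpm' \) 2>/dev/null | sort
}

# Build a constructed demo directory and print its path:
#   report.pdf      - an ordinary download, no execute bit
#   installer.sh    - a script the user marked executable (chmod +x)
#   screensaver.deb - a package; dpkg -i would install it without +x
demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/report.pdf"
    : > "$d/installer.sh"
    chmod u+x "$d/installer.sh"
    : > "$d/screensaver.deb"
    printf '%s\n' "$d"
}

# Stand-alone run: show what each audit reports for the demo directory.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    dir=$(demo_dir)
    echo "executable files under $dir:"
    audit_executables "$dir"
    echo "package files under $dir:"
    audit_packages "$dir"
fi
```

Run it against your own ~/Downloads instead of the demo directory to see which downloaded files have actually gained the execute bit and which packages would go straight to the package manager.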
  5. wat0114

    wat0114 Guest

    Mrk, nice article, especially the point of a backup/restore plan.
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Another questionable statement from Mrkvonic's blog post:

    It's true Linux servers are a much bigger target because they are more desirable and because there are so many of them. However, even if we accept this to be true, one must still ask the obvious question: where is all this server malware? Do you have any list of active Linux server malware in the wild right now? Any worms?

    I don't dispute there *could* be some server malware, but I dispute that it's a major problem. It's certainly not enough of a problem to warrant wasting money on the snake oil that is AV software. Most of the Linux malware lists the AV companies list as proof that you need their AV software consist of rootkits, which is very deceptive because a rootkit cannot break into a system directly -- it is only used by the cracker as a tool to regain entry after the fact.

    I will agree that the diversity of Linux distros helps a lot with the malware issue, but I still think the biggest deterrent to accidental malware infections are the package managers.

    However, I will concede that as more Windows users convert (and millions more will convert in the coming years due to M$ prices and the usability of Linux) they will not understand the package manager paradigm and will fall prey to people who put malicious .debs and .rpms on various websites. But that's not a problem the OS can fix; if a stupid user has the root password, it's game over on any OS. Actually, malware is the least of your worries if a stupid user has the root password on a Linux box. He will find another way to bork the system.

    EDIT:

    To be fair to Mrkvonic, I do applaud this paragraph:

    We can agree on that.
     
    Last edited: May 28, 2010
  7. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Firefox comes with its AppArmor profile and when that's enabled, it's basically hack proof.
     
  8. Only it's not enabled by default, and a novice wouldn't know how to enable it.
     
  9. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137

    Agreed there, but there is plenty of documentation on it, and even in the Windows world, AV, HIPS and limited user are not enabled by default. Also, if any vulnerabilities are found in FF, usually big distros like Ubuntu, SuSE and Fedora are quick to patch it on their own.
     
  10. wat0114

    wat0114 Guest

    Hi Eice,

    isn't it only single-file executables that can be run in these limited user directories and not installation-type (sorry for my possibly poor terminology) executables? I'm not trying to disregard these single-file types as harmless (a keylogger gathering personal info comes to mind as devastating), but at least the prevention of full installer-type executables minimizes the damage, because removal of the former should be a routine process as opposed to the latter, which hook their tentacles throughout the system, registry included. Also, I would have to question why malware writers would focus their efforts on limited users if the majority of people are running as administrator. Even with a UAC prompt in an admin account, it's only necessary to okay for consent, rather than in a limited account supply a password and then okay for credentials. The careless individual lacking common sense and the unwavering conviction that things are so much easier running as admin make themselves even that much bigger a target than if they run as limited.
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    :cautious:
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    chrono, if you quoted bits, you should have also quoted the bit about how I classify malware. I did specifically write the nature of malware is different. One-to-one analogy with Windows malware is a bit tricky.

    As to servers being hammered, you don't need fancy binaries to take over a machine, you can do that by replacing strategic conf files. Besides, servers are a different story altogether. The security model is different.

    The point of the article is not to debate Windows vs. Linux security. It's to emphasize the point that if you're prone to get infected on Windows, moving to Linux is a workaround and not a solution to your illness.

    Mrk
     
  13. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    I have just started playing with Linux, trying to find my way around. I understand the advantage of the signed repos as under 1), but have already come across downloads that were suggested here on this board that were not part of the download centre.
    So if I download a file that is not in the official package manager in my Ubuntu, am I not in the same situation as in Windows? I have to trust the site and install - yes, it will require more than a click, but if I want to install a file, using the root password is a given.

    Btw, for my windows installations I do scan files with virustotal or jotti - do these services work for linux programs too?
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Granted that I don't have a lot of experience with linux, but what is the difference really between it and windows if you don't use the software from repositories, as has been said already? In either OS you have to elevate to install when logging in as a user. In either OS being a user and browsing restricts many rights, but as also mentioned opens userland attacks. Is it really any more safe if the actual security still lies in the hands of the user?

    Would it not be the same, where an AV is used to scan untrusted/new software picked up from somewhere other than a repo? Would it not be the same, that if you are browsing and pick up a keylogger that is designed to operate in userland, that something like SBIE or execution control or firewall should be used to negate such things?

    Linux brings stability, that much I have seen. It can bring speed, but honestly I am quite surprised at how many resources today's distros actually consume compared to those of just 5 years ago, at least in terms of what I can feel. And of course it brings a fantastic price tag. It seems though that if millions of people switch over to Linux, more effort will be placed into making malware etc. for it in hopes that those Linux novices will want to install, and willingly elevate to root.

    Is this not an accurate assumption? It sure seems like you would have the same situation if the user is the only blockade to something gaining root, as button clickers will likely feel even more secure on linux the way its security is touted.

    Sul.
     
  15. tlu

    tlu Guest

    Sul, I've always said that you can make Windows practically as safe as Linux if (and that's a big IF) you apply LUA + SRP + discipline in installing software. But which percentage of the Windows users really does that?

    I think Windows has 2 major problems:

    1. Most Windows users are tempted to try zillions of geeky tools, optimizers, funny apps and the likes. In other words: The discipline required from Windows users NOT to install more or less questionable apps from more or less trustworthy sources is much bigger than under Linux where the need to install something not included in the repos is very, very rare.

    2. You don't get automatic security updates for most apps. Sure, you can use, e.g., Secunia PSI - but how many people do that? And if they do, do they always follow its recommendations and download and install newer versions? (Besides, Secunia PSI requires - if I remember correctly - admin rights, thus it's not applicable in a LUA environment as a start-up app unless you start it with, e.g., SuRun.)

    So to sum up, the problem is mainly the user him/herself indeed. But the big advantage of Linux is its "infrastructure" which makes it much easier and feasible to apply a disciplined approach in everyday computer user's life.
     
  16. wat0114

    wat0114 Guest

    Yes, this for sure makes sense to me.

    It's because of you, tlu, and some others like Mrkvonic, Windchild, Lucy, Rmus and, heck, even Sul :p that I've set up our machines the way I have, with mostly what's already built in to the Windows O/S. It took some years because my curiosity and stubbornness to explore the software side of security kept me from recognizing, until recently, the benefits of what's already there in Windows, although I am partial to Sandboxie as one 3rd party app for helping protect a couple of the machines.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. I guess I had not realized the repos were an integral part of the overall security of linux. I thought they were just a place to put software that was verified to work with specific distros or for convenience of having them listed in one place. That does explain a few things.

    What then does one do when you find a software title that is not in a repo? If you don't use a virus scanner or other tool? I understand that you would not just willy-nilly install something that needs root (as so many are prone to do), but I am sure there are programs that do require root, maybe even install drivers. Does the Linux world have some sort of protocol that one would follow? In the M$ world I might start VMware and include in it a HIPS of some kind to sort of check and see what might be happening during install. Or watch a firewall to see if the new program is phoning home or such stuff. I ask because as I play with Linux a little more, I am certain to come across this.

    But then, perhaps linux will not offer me the same that windows does, where I am always futzing with things, breaking or fixing -- on purpose. Maybe if I ever transition over fully to linux I won't have that to do. The very thought sounds boring to me honestly, using a computer to actually do something :ouch:

    Neat stuff for those of us who are still wet around the ears with linux!

    Sul.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Sully, Linux is BORING, security-wise, at home. Really boring. It's install and start using, everything being installed for you, from the text editor to codecs to office. It's horrible for security freaks.
    Mrk
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    There's a reason why so many PPAs exist for Ubuntu. That reason is not because Ubuntu's repositories are comprehensive enough that users don't need to hunt for external software sources. They aren't.

    And it's not like PPAs get used very, very rarely. Any half-competent Ubuntu post-install guide is likely to recommend the installation of a handful of extra repositories. Actually, I'm willing to bet that you use external repositories yourself as well, to some extent.

    Which major app doesn't come with an auto-updater nowadays, exactly? I see this argument being thrown around a lot, and I'm genuinely curious.
     
  20. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Running as non-admin does make malware removal much easier, but it doesn't necessarily deter infection. And, as you mentioned, there's plenty of devastating payloads that can be delivered with only read/write access to the user's profile folder. That's where all the data is.

    I could try to provide my opinions, except that I could very well be wrong, not to mention that my opinions don't really matter. The fact is that this IS indeed happening.
     
  21. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I'm not sure about that article. I kind of liked it, but there's also stuff that I disagree with, like this part here:

    Personally, I'd just say that people prone to getting infected in Windows will most likely escape infections after they've moved over to Linux. There's really no need for conditions. Even if the people are logged in as root all the time, there just isn't enough Linux-compatible malware out there for infection to be anything less than most unlikely. In the future, that may change, but probably won't, unless we live to see a day where massive quantities of John Average computer users with practically no knowledge about computer security migrate to Linux.

    Assuming we're talking about the actual technology and not the default configuration of the OS, then there's really very little difference.

    Let's say we've got a Linux user who uses a normal non-privileged user account, and a Windows user who uses a normal non-privileged user account - these are guys that don't run as root (Linux) or admin (Windows). So, what's the difference? Pretty much the only difference worth mentioning, excluding the software repositories of course, is how liberal the OS is in doling out the Execute file permission. In Windows, you're automatically given the Execute permission on some new file your browser just created, but in Linux you're not and you'd have to give it to yourself manually to make the file executable (or some exploit shellcode could just do the same, if someone actually bothered - unless your config doesn't allow you to change permissions for files that you've created). If you like how stuff isn't executable by default in Linux, well, you can do it in Windows, too. Although sometimes it seems to me that some Linux users don't actually know there's such a thing as an Execute file permission in the Windows world. If you want to tweak some file permission so everything doesn't become executable by everyone by default, you can do that in Windows, but few would bother, since you could just use stuff like SRP or AppLocker and achieve pretty much the same thing.

    Some people act like there's some vast difference in architecture that makes Windows security fundamentally suck and Linux rock, but really, it's pretty much just 1) software repositories, 2) being stingy with the Execute permission and 3) generally smarter defaults.

    And then there's always that Linux users on average just know a lot more about computers than average Windows users. It's always fun to hear folks make comments like this: "My newbie friend who can barely start his Windows PC and thinks Google is the Internet gets his Windows PC infected all the time, but my IT professional brother who runs a group of Linux servers hosting important company data never gets infected with anything even though there's tons of juicy stuff to steal on the servers. That must mean Linux is simply that much more secure!" One might think that servers would occasionally be operated by people with more computer security knowledge than home users have, which might affect, a little bit, the ease of pwning said servers. If you compare Windows home desktops and Windows servers, you may also notice that somehow Windows servers tend to be much less owned than Windows home desktops, even though servers are supposed to have the juicy data and be easier to access than the home desktops, since, well, the home desktops aren't supposed to be connecting with anyone who knocks on the door and asks nicely. :D


    No, it's any and all executables that don't write stuff where limited users can't write. Many installers work just fine in limited user accounts, they just drop their files and registry keys in locations reserved for limited users: the user profile folders instead of Program Files and HKCU instead of HKLM in the registry, like Eice pointed out. And this is good, of course. It's nice for individual users to be able to install stuff for their own profiles. Well, unless the admin doesn't like that, in which case AppLocker, SRP, or changing some file permissions.

    One reason to put some effort into making LUA-compatible malware is that security software is starting to have all kinds of BB and HIPS functionality that can detect when some program wants to do "suspicious" stuff that requires admin rights and either annoyingly block it or warn the user, neither of which the bad guys like. If your fake AV malware just creates a couple of files and registry keys in user profile areas, that's low impact and doesn't scream "MALWARE" like dropping a ton of randomly named files in system folders, or modifying system files, or creating weird autorun registry keys that legit software practically never would use. Another reason is that LUA in Windows is getting more common. UAC is a step that way, and there are loads of companies where users aren't admins, and if you're going to infect them, it would help if the malware actually worked as LUA. Evading detection by behavior blocking, future-proofing, making the malware compatible with a wider range of configurations... There are good reasons to make LUA-compatible malware, and that kind of malware is only going to get more common.

    It's a good point that there's lots of nastiness that bad guys can do that doesn't require root. Data theft and destruction, scareware, everything works just fine. But, root access isn't useless, and some of the bad guys will keep wanting it: having root makes hiding and spreading the bad stuff so much easier it's often worth it.
     
    Last edited: May 29, 2010
  22. wat0114

    wat0114 Guest

    Eice/Windchild, thanks for your feedback.
     
  23. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    I agree with you guys; in the end, what are we saving, root or our data in the home drive? :p

    I agree with Mrk that there is not much use for antivirus in Linux, but what's the harm in adding 2-3 different types? At least I never feel bored looking at my same antivirus screen on Windows the whole year; they give me a little change and feel good on the eyes :D

    Also I see no harm; it looks cool, like the Matrix, when you open 2-3 different colourful terminals and run scanning in CLI mode for 10-20 mins when chicks are all around your room ;)

    Also, I love being lazy and security-careless rather than ending up like Mr Chin

    -http://www.metacafe.com/watch/4680462/funny_ad_over_work-
     
    Last edited by a moderator: May 30, 2010
  24. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The surefire sign of being a nerd: you think chicks are impressed by a CLI. :p
     
  25. tlu

    tlu Guest

    Give me some examples, please.

    Yes, I use the mozilla-daily ppa. It's run by the Ubuntu Mozilla Team - if I cannot trust them I shouldn't use Ubuntu/Mint either, should I? ;) And yes, I use the VirtualBox repo.

    Oh, yes, many important big apps now offer auto-updates. But many of the mentioned smaller tools - be it a simple image viewer possibly affected by a buffer overrun - still don't. And even if they do, it's often more complicated to apply these updates compared to your Linux distro where you only have to press one button to keep your whole system updated.
     
    Last edited by a moderator: May 30, 2010