March 28, 2001

New Windows/Linux virus no big threat to Linux users

Author: JT Smith

- by Daniel Pearson -
This announcement, which has been quoted by at least one major news service, warns against an apparently new
virus that has the uncommon feature of infecting both Windows and Linux binary executables. A person who calls himself Benny claims to be its author. The original warning's publisher is a
company that sells anti-virus software, and it is using this as an
opportunity to hawk its wares. An uninformed or unwary reader might be led to believe that the "W32.Winux" virus is the
beginning of the great avalanche of Linux viruses that has been predicted at
various times by various pundits. But it isn't.
Examine the unadorned facts of the virus warning, and you'll realize that this threat presents nothing
new from a technical viewpoint. The infection method described in the advisory
is very simplistic: an infected binary secretly searches in the "current"
directory and its parent directory and writes the virus code into all the other
binary executables that it finds. (I am not exactly sure if the "current"
directory mentioned in the advisory refers to the user's current working directory at the time of execution or the directory in which the infected file

There are several flaws in this infection mechanism when it is attempted under
a Unix-like operating system such as Linux. The first is that an infected
executable must be acquired. The standard advice (which should be hammered
into the head of anyone who installs software on a
Linux machine) is that you should never obtain binaries
from an untrusted source
. If you only obtain programs from reliable
sources, then the chances that you will ever acquire a program that is infected
with a virus are very slim.

There are other barriers that stand in the way of viruses under
Unix, too. The most
important is the separation between the root user and normal users. Normally all programs installed on the system are
owned by the root user and can't be modified by normal users. And
since any program run on a Unix-like operating system only has the permissions
of the user running that program, an infected program would be unable to spread
its infection unless it was run by root. This leads to another standard
piece of important advice: Avoid using the root account as much as possible,
and be very careful what you run when you must be root.
This is a very
simple practice, but it offers a great deal of protection.

However, this form of protection will fail when a normal user owns executables.
Many users will never have ownership of the programs that run on a
system. They only run programs that were installed by root. But
some types of users will have good reasons to own executable programs. The type
of user that most prominently comes to my mind is anyone who writes his or her own
programs. It would not be uncommon such a user to have compiled instances of
previously written programs lying around in their user home
directory. These executables would be vulnerable to infection from a
program run by that user. This could be unfortunate for a single user,
but any and all damage would still be firewalled away within a single user
account. The system itself would not be compromised.

So you should consider the existence of this virus as evidence that those who
hand out the standard security tips really aren't kidding. We should all
adhere to the customs of the Unix culture that we've developed over the decades,
and practice good security habits. But we hardly need to panic about an
infection method that Unix-like operating systems have been designed to guard
against for as long as anyone cares to remember.

Daniel Pearson is a freshmeat appindex editor.

NewsForge editors read and respond to comments posted on our discussion page.


  • Linux
Click Here!