Welcome to the first installment of a brand new Naked Security column, Flaming Retort!
Some of the topics we write about on this site provoke spirited comments from our readers, both here and on our Facebook page. Unsurprisingly – this is the internet, after all! – some of these comments represent what one might politely call an uncompromising position. And not a few of them are outright flames.
Flaming Retort does not exist to praise our readers’ best flames, nor to repeat them merely in the name of perverse humour, nor to return fire in the wearisome tradition of a flame war.
The goal of Flaming Retort is to comment on one or two recent flames which represent a position which a significant minority seem to believe, but which isn’t quite as true or as certain as they might think.
To kick off, then, we’ll consider malware on Linux. Naked Security writer Carole Theriault mentioned last week that Sophos had just won (yet another!) VB100 award for Ubuntu.
That’s right. Anti-virus on Linux.
As you can imagine, it wasn’t long before we had our first outspoken comment:
I object to running a Windows virus scanner on my *nix systems just to help prevent the spread of viruses to/from Windows machines. They want to run an insecure system, so be it, but leave me out of it. And certainly don't expect me to expend my CPU cycles to try (in vain) to solve Windows' security issues.
Wow! With friends like that, who needs enemies? As a follow-up remarked:
I buy and sell diseased animals intended for use as food. Never mind, I don't eat meat, I don't care.
Nice attitude.
Ouch. Hot dog, anyone?
The first comment doesn’t actually say that Unix is secure by design. It takes an “us-and-them” attitude, and simply says that “they” are insecure. But a later comment wasn’t so equivocal, stating explicitly that:
The architecture of Linux prevents malware from being a self-propagating problem.
That’s not exactly a flame, but it’s certainly a grandstanding position. And it would be lovely if it were true. But it’s not. The architectures of Windows and Linux are surprisingly similar – they’re much more alike than they are different – and although Linux malware is, happily, very rare, there is nothing about the architecture of the operating system which prevents it.
(Be careful of claiming that something is impossible in computer security. A single counter-example will knock you off your pedestal. And 12,238 counter-examples will leave you reeling. That’s the number of unique IP numbers SophosLabs enumerated, between May and July 2008, which were infected with the Linux/Rst-B virus. In 2008, this virus was already more than six years old. And we only counted computers on which the virus was running as root. It doesn’t call home if it’s not running as root, so the total number of active infections was probably significantly higher.)
So here’s my flaming retort to the Linux-heads out there:
* Linux malware exists. It’s not a huge problem. It’s easily avoided. But don’t be in denial. There’s no “magic smoke” inside your operating system which renders you automatically immune to a determined cybercrook.
* Windows systems aren’t invariably less secure than those running Linux. You may know how to secure a Linux system more tightly and more easily than a Windows one. But other Linux admins might not. And accept that at least some Windows admins will know how to secure their systems to a standard as high as yours.
* An injury to one is an injury to all. Stopping malware and spam even though it won’t harm you directly is just the sort of altruism which the internet needs. Please don’t be aloof about the problems which affect everyone.
TY! I'm sick of ppl claiming Linux can't get a virus, like your post "suggests". Let's stop trying to 1-up each other and instead respect the others' opinions and work together. 🙂
"… The architectures of Windows and Linux are surprisingly similar – they're much more alike than they are different …"
This is an absurd lie. The Unix/Linux operating system architecture is VERY different from MS Windows in very significant aspects, from DOS to Windows XP. Windows Vista/7 was a lame, and fittingly failed, attempt to mimic Mac/Linux systems for security. Yet you have the endless cycle of infection-patch-infection that Windows users have to endure, and which 3rd party AV software has failed to cure.
For instance, *nix systems do an adequate job of separating user space from system space. Unlike Windows, Linux does not get its critical system environment infected by simply being plugged into a live network.
Even if your inflammatory statement that there are over 12 thousand examples of Linux infections is true, there is NO evidence that these computers were infected the same way Windows computers get infected: "the biggest security vulnerability sits behind the keyboard." – you said it.
Windows computers get infected without the user's help.
By the way, do you know how many Windows infections are out there, in the wild? Do you know what type of damage these cause to their users?
There is no real-life example (either in your labs or in the public domain) of a virus causing the same type of havoc or damage that Windows users are used to experiencing by the millions, such as stolen identities, hardware freezes, sudden reboots, computer hijackings, etc.
"Linux malware exists". OK, show me the damaged goods or be quiet.
"And accept at least some Windows admins will know how to secure their systems to a standard as high as yours." Windows admins have to jump through some serious hoops just to keep their systems afloat: 3rd party software and network hardware, continuous intensive care for the operating system, and if that was not enough, interpret and enforce company IT policies specific to Windows weak spots (users.) Speaking of users, how come you did not say "Windows users will know how to secure their systems to a standard as high as yours"? Because they can't.
"An injury to one is an injury to all. Stopping malware and spam even though it won't harm you directly is just the sort of altruism which the internet needs." That's why I always tell those I care about that they should switch to Apple computers or Linux. Friends don't let friends use Windows!
Hmmm. You seem to be rejecting my suggestion that the architectures of Windows and Linux have more similarities than differences as an "absurd lie" – fighting words! – on the basis that Windows gets infected a lot, whilst Linux doesn't.
I recommend that you read the next post. That explains a few of the issues you've overlooked rather well.
But lots of material for next week's Flaming Retort! I am beginning to wonder if we'll ever get beyond the Linux meets malware topic.
Linux viruses DO exist; see this video by SophosLabs:
P.S. I think you'd better embed this video to see a virus hitting all three major OSes 😀
Dude, I know this is a late reply but SERIOUSLY, this just needs ripping apart…. from the point of view of the self-taught Windows power-user (that's me).
"This is an absurd lie. The Unix/Linux operating system architecture is VERY different from MS Windows in very significant aspects, from DOS to Windows XP. Windows Vista/7 was a lame, and fittingly failed, attempt to mimic Mac/Linux systems for security. Yet you have the endless cycle of infection-patch-infection that Windows users have to endure, and which 3rd party AV software has failed to cure."
In regards to the part you were replying to, MODERN Windows is actually not as dissimilar as you are desperate to believe… even down to robustness. As to Win Vista/7 being lame?? At the last THREE BlackHat gigs, Vista/Win7 actually held out longer against hacking than OS X (that fell by far the quickest) and the Linux machine…. beating the latter by bare margins each time. The records are publicly available to go check yourself!
"Windows admins have to jump through some serious hoops just to keep their systems afloat: 3rd party software and network hardware, continuous intensive care for the operating system, and if that was not enough, interpret and enforce company IT policies specific to Windows weak spots (users.) Speaking of users, how come you did not say "Windows users will know how to secure their systems to a standard as high as yours"? Because they can't."
Hmmmm… as I said from the start I am a power user, not a trained admin, although my current role at work is both maintaining our Win7-based systems and managing the continued development of our on-line presence (Joomla-based). That being said, I've been using both Vista and Win7 on my home systems since their beta pre-releases. As far as AVs go, in that time I've used Symantec Corporate (which evolved into Endpoint Protection), then migrated to Comodo's free Internet Security packages after a period of Endpoint's network protection not being compatible with Win7 pre-releases.
Now, to further iterate my coming point, I ALWAYS run Win7 in Admin user mode, with UAC turned right down. I'm a BIG uTorrent user, and most of my main applications are installed/registered via keygens, cracks & hosts-file patches (although note that I am typically cautious in what I download and install & I DO know how to deal with pretty much any infection I might encounter).
Now given all that, according to YOUR analysis of Vista/Win7, my system should be full of viruses/malware, yet do you know how many successful infection episodes I've had to deal with since ditching XP?? NONE! Oh, I've witnessed attempts, but with Windows' in-built measures, combined for most of that time with a free AV, they've all been prevented… and again, I'm SELF TAUGHT! Even my COMPLETELY untrained wife hasn't managed to infect hers on either Windows build.
"Speaking of users, how come you did not say "Windows users will know how to secure their systems to a standard as high as yours"? Because they can't."
Speaking out of inexperience!
"That's why I always tell those I care about that they should switch to Apple computers or Linux. Friends don't let friends use Windows!"
I have nothing against Linux (that atrocity called Ubuntu aside…. I've always been a fan of SUSE). However, if you recommend Apple over (modern) Windows you are a fool! Although OS X may have its earliest roots in UNIX (NeXTSTEP was built on a forked UNIX kernel, which was further evolved as the basis of OS X), Apple has so diluted their security protocols (whilst ironically upgrading prevention of any interference/modification of their GUI) to the point of near nonexistence, all in the name of a gooier user experience! The day any serious virus/malware author turns their sights on Apple, all hell will break loose!
SELinux and AppArmor do make virus propagation slightly more difficult on a well locked down system (especially if the distro locks down as standard)…
The biggest advantage Linux has over the Windows world is the sheer diversity of configurations and platforms. If virus code relies on x86 architecture and you have MIPS, then you are pretty secure from that particular virus; ditto for viruses that rely on certain versions of installed packages or filesystem layouts… While this means that the Linux ecosystem is harder to write viruses for, it doesn't mean we are immune, far from it… it just means that the barrier to entry for a widely propagated virus is far higher than in the homogeneity of the Windows world…
Let's just hope that when it does come to pass it isn't something with a really nasty payload… :/
Nicely said.
What I can't seem to find is evidence of what percentage of internet-connected Linux systems are using SELinux.
And as for writing "cross-distro" malware – that's what autoconf (and/or static linking) is for, surely? Oh, and why we have scripting languages like Perl, Python, Ruby etc 🙂
The reason Windows is so attacked is the market share, plain and simple. I am certain that if Linux had such a user base then it would be exposed every other week. Ironically those claiming Linux is immune would be running Windows claiming it is immune.
High time for us all to grow up and accept that no system written is immune from malware. The reason being that humans make mistakes in every endeavour; it is how we learn. Also, humans like to exploit flaws and opportunities. Thus, whilst humans develop OSes and opportunism rules, there will always be a threat of malware regardless of OS.
"The reason Windows is so attacked is the market share, plain and simple."
I assume you mean client side only in this comment? Because Linux holds the highest share of servers out there; the percentage is as high as 74.29% (source: Security Space).
So technically wouldn't a server be more at risk since it's technically always available?
You could say that servers with long-term support cycles are even more insecure.
No, it's not market share. If market share or volume was the only consideration, the Internet (over 80% Unix/Linux based) would have been brought to a halt years ago.
The reason Windows is so attacked is its architecture. Plain and simple.
I think the key to what makes my Linux system secure is my only installing software from reputable sources. I get *all* my Linux software from Google, Skype, and the Ubuntu Software Centre. I also update my system on a daily basis, using the Update Manager tool, which updates all the software on my PC (with the exception of Skype and Chrome, and Chrome keeps itself up to date).
Perhaps it's better to work on the principle that the sound practices you mention above are _a_ key to your security 🙂
What you do – and where you go, and with whom you interact – with the software you download matters too, of course…
(One thing which often astonishes me is to hear Linux users saying how confident they are about security "because they never _login_ as root", only to watch them _running_ enormously complicated scripts – sometimes including downloading, unpacking, compiling and installing new or updated software, albeit from a reliable source – as root, using sudo.)
You said it. Security is assured when you are installing software that is inside the repository supported by the distro you are using.
Developers do the compiling, installing, scripts etc, not the end user.
So extending this using Aln's terms, you are hand-holding the OS and applications to ensure they are kept up to date. I do the same with Windows, Mac OS X and iOS. Every platform needs hand-holding in this regard.
I wouldn't say I'm 'hand-holding' as such. I click 'Install Updates', and enter my password. That's it.
If I wanted, I could take a few seconds and set it to apply all security updates automatically, in which case I'd not have to do *anything* to keep my software up-to-date.
@ Author: "That's not exactly a flame, but it's certainly a grandstanding position. And it would be lovely if it were true. But it's not. The architectures of Windows and Linux are surprisingly similar – they're much more alike than they are different – and although Linux malware is, happily, very rare, there is nothing about the architecture of the operating system which prevents it."
Care to substantiate it?
In Unix/Linux everything is a file.
Root Directory -> /
yes forward slash
In Windows:
C:
D:
E:
etc.
Similar?
I'll let the rest of you argue the architectural _differences_ (until the next Flaming Retort, at least!) but my main point about architectural similarity is that both Linux and Windows took the conventional "split everything pretty much in half" approach to OS privilege. There's user-land and kernel-land. That's about it.
And neither Windows nor Linux is a microkernel OS. All interaction with the hardware, and almost all management of system resources, happens in kernel-land. And, as a result, kernel-land is pretty big in both OSes, and all device drivers run in kernel-land – with all the security risks that brings.
On your more specific point about slash and backslash – standard Windows command-line tools use "/" to denote command-line options (e.g. DIR /S /P), so that you can't use "/" as a directory separator. That would be ambiguous.
However, the Windows API (as, indeed, the DOS API before it) accepts "/" as a directory separator just fine.
In Linux, though, all necessary device drivers are supposed to be included in the kernel. How are official device drivers insecure?
Aln, I think the Linux god like position you take is very sad.
Why, if you insist *nix is so much better, don't you offer advice about what can be done to help secure a predominantly Windows environment, even if it is to use *nix as a tool to assist?
This divide between platforms serves no purpose in a modern environment. Try acknowledging the differences and working together.
Btw, the user factor is something you have to deal with on any platform, *nix being no exception.
I have not taken any god-like position to this discussion. I simply posted a retort to a glaring lie from the author: That Windows and Linux systems are essentially the same.
From a technical point of view, Linux is built very differently from Windows.
Let's look at this fact: Microsoft products, including Windows, have historically been very easy to compromise, even by script kiddies with rudimentary skills. When MS came up with Windows 7 and IE8, the company's marketing machine spent millions of dollars to convince users that these were the most secure products ever! Sure enough, these were infected in no time. On to the infinite patch merry-go-round again.
Let's take another example of Windows' inherent inferiority: When the Wikileaks controversy took center stage, the hacker community orchestrated attacks on various websites and successfully brought them down by controlling botnets. Do you know what botnets are? Millions of Windows computers!
So, Damien, my advice to secure a predominantly Windows environment is to remove Windows. Completely!
The technical and philosophical divide between these two platforms comes from their histories and the concern to protect users.
I agree with the point that Linux malware is less widely spread. Simply because there is no point in writing malware for an OS which can be tightly controlled by a proper admin, and which is also less used by users. "ROI" is very low here compared to the Windows world.
But you still may need to run antivirus on your computer/server, if you are in constant contact with Windows users. Simply to stop spreading the infection if any.
Where do you get ROI from Windows after investing heavily in 3rd party AV providers just to clean the mess after an infection? Where's the ROI when you have to re-install the OS frequently? Or how about the ROI of downtime? And ROI on lost data because of an infection? Or the ROI from stolen identity?
Windows has very little ROI after your system gets compromised. Never mind that Windows is much slower and less reliable than Mac or Linux.
Sure, malware is everywhere and it's open season on every OS, but the oft-repeated "the-sky-is-falling" stance security vendors take does not help the situation either. I'm aware virus paranoia is beneficial to the bottom line, but what I would LOVE to see is some hard figures – the install base of Windows (all versions), Linux, Mac OS X and BSD along with known malware in the wild to put all this in perspective.
I can likely stand in the middle of a poppy field in Saskatchewan and dance a jig with little consequence, but do the same in Helmand province, Afghanistan, and 3 layers of body armor likely won't save you. At least today, it's a much more dangerous world if you run Windows.
It's a tad moot these days since the improvements in default setup that came in with Windows Vista, but I would argue that the greatest advantage that Linux has had in AV has been the fact that, for much longer, user processes have run as non-root.
Architecturally I agree there isn't a great deal between POSIX and Win32 in terms of what can be put in for AV defence. However, in the real world the principle of minimum privilege is much better adhered to in Linux packages than on Windows.
Of course this is partly because most Linux packages are packaged by the distro – commercially packaged (non-distro distributed) applications on Linux IME start to have the same issues that apps on Windows do (requiring privileges they don't actually need). But the issue remains: running Linux is an advantage.
At the moment a Linux user is likely to have a number of advantages in keeping themselves safe against viruses – as a whole their system is running much closer to a minimum privilege set and there are fewer active exploits in the wild.
Of course that is not zero, and the recent Exim problems show that Linux isn't invulnerable – although the rootkits I found were much easier to detect and remove than some Windows viruses, but that's because the rootkits as yet don't have the sophistication of Windows virii.
Here's a thought…
Some users don't like scanning for malware that can't run on their OS (there was an almost identical flame regarding OS X vs Windows a while back).
However,
this malware DOES affect you. Sure, it might not infect your computer. But it does fill up your mailbox, and all the infected computers in your area eat up your ISP's bandwidth with all their network activity… which results in less bandwidth for you, higher ISP costs (which get passed down to you) and a number of other spill-over consequences.
The bottom line is: If you're in a networked environment that includes computers susceptible to malware (and that includes the Internet), then you're affected.
You're even affected when your tax return agent has to charge you more because of the costs THEY bear because of malware.
So sure, you can say "It won't affect my computer; I don't care," but while it *might* not affect your computer directly, it will definitely affect *you*.
Millions and millions of my closest Linux-using internet friends have told me for the past several years that I don't need AV protection on my Linux computer. Now you come along and tell me I do need the very product that your company just happens to be selling. Whew, what a dilemma. I wonder what I should do? I think I'll rely on my experience for the past several years and continue clicking any link I want without fear and opening any email attachment I want without fear. Until somebody posts a link or attachment that infects my computer I think I'll avoid buying your product. I really don't think I need it. Thank you and good day.
I use BitDefender for Linux (free) and ClamAV to scan my Linux and Windows drives and email. I regularly run rkhunter and chkrootkit and run the Guarddog firewall, and never log in as root. I have ESET on my Windows 7 installation and regularly scan the Windows drives; of course Windows can't see Linux drives out of the box. It can be done, but geez, life's too short..
I do this so I'm not sending or passing on anything nasty to friends and relatives via email
and so no-one can obtain my data, banking or whatever (I hope).
I don't see what the problem is in looking after your own house and respecting others.
I don't get the Linux/Windows war because I use both. I like playing games and, well, Linux doesn't cut it on that front yet. I want to open the box, put the DVD in the drive and play. Blu-ray movies are another Windows-only experience at the moment too. But for everything else I use Linux.
I try and do everything I can do to stay secure without becoming paranoid, but even then stuff slips through now and then, but that's the way it goes. I will install anything (within reason) if I fancy trying it. I've got the original installation disks if all else fails….
Linux is not immune, no. But care to share a similar map with Windows infections? You wouldn't even see the land mass itself, even if adjusting for the difference in numbers of machines.
> Stopping malware and spam even though it won't harm you
> directly is just the sort of altruism which the internet needs.
While this would be nice, let's get everyone running Linux first and see how necessary it is; better to be protected right away than have to rely on this altruism that won't happen anytime soon. Just as people resist running Linux, Linux people will resist protecting Windows users who don't practise better computing habits.
Brand advocacy doesn't help anything. Transforming Windows users with bad habits into Linux users with bad habits doesn't gain anything, other than providing the adversary a route to systems that were previously obscured. More Linux users means more incentive for the bad guys to develop exploits.
We can already see how necessary it is. Linux is hackable, once targeted. Macs are hackable, once targeted. Windows is hackable, and it is the target of choice these days. Rather than changing the target of choice, the trick is to educate the users and find ways to keep the defensive technology moving forward at a pace that makes the attack more difficult. Any system can be compromised, if the return on the attack is large enough to justify the effort and expense.
"…lets get everyone running Linux first and see how necessary it is"
Given that Linux runs on the same Intel processor architecture that Windows does; and given that Linux is written in C (or derivatives thereof), which means it is subject to the same buffer overflow programming errors; and (maybe most importantly) when you move all those systems to Linux you will move all those USERS to Linux, and those users will bring every one of their bad habits with them; my prediction is that, within 6 months, the market for Linux malware would explode, and the bad guys would turn their fuzzers on all that Linux code, exposing a whole lot of bugs to the light of day.
~EdT.
As was pointed out above, there are many servers out there running Linux 24/7 providing actual services to internet users. Are they targeted? Of course they are. They provide the access to attack unsecured Windows boxes in bulk quantity. Pwn the server for a reasonably popular web site, and you can add your code to that site, and effortlessly take a shot at every internet user who views that site. Is that Linux server secured? Obscurity is of no help. That bad guy is not picking targets at random; he is identifying a strategic target, and intentionally targeting it. Being different from the rest of the cloud won't help protect that system; it needs actual defenses, and "I run Linux" doesn't count.
SophosLabs sells anti-virus software; that's their thing. So of course they are going to claim that the sky is falling, that viruses are coming to Linux etc. And while Sophos has managed to create proof of concept "linux virii", they have never had any luck getting it to propagate in the wild.
The fact is, the design of Unix and the design of peecee operating systems is starkly different. Only someone looking at the most superficial level would attempt to argue otherwise. Nice attempt to parody the Linux community as claiming some sort of secret sauce, rather than reporting the facts: that Unix systems, by virtue of ownership and permissions, compartmentalization, separation of privilege, and a true multi-user design from the beginning, are inherently much harder to crack than PC operating systems.
Oh wow! the antivirus industry has screwed up, bloated and f@#$d windows and now they want to do the same thing to Linux and co???
I am now running Windows XP Professional with all patches, a Limited user account with SuRun. Add to that Firefox (or any other decent browser) with addons like NoScript + safe browsing and, most importantly: common sense. Antivirus software? NONE. For the past two months, I've been trying this experiment and surprisingly, no malware, virus, zilch, nothing…..
Just for fun, I downloaded Trend Micro's HouseCall and scanned my system; nothing turned up….used a couple of others too..nothing…
No OS is invulnerable…but trying to shove an AV package onto Linux seems like complete stupidity…I'm a Windows user but in the past I've also tried Linux distros like openSUSE and Ubuntu…
I’ve also become completely sick with antivirus software slowing down my system…Without antivirus software, my system is much smoother, faster and just zipping along..I understand that most users would not like my setup and would think me crazy..
But then, AV software is downright useless right now…I use my system, or rather the internet, for browsing the web, downloading games, torrents etc…..It's still going fine right now…A little bit of safe browsing + Limited user account + COMMON SENSE (add in something like NoScript and group policies) is all you need to secure your system.
Not an AV scanner which pawns your system:(
Paul – One more point to your retort:
"Don't presume that what was once true still is. In its early days, Microsoft Windows was indeed an inherently insecure operating system. (So was Mac OS and even Linux, but Windows got the rep because it had the exposure.) As OS vendors find – and fix – security flaws in their software, the bad guys have had to change their tactics. And they have – just look at the attacks now targeting userland apps such as Flash, Adobe Reader, and the ubiquitous web browser (all flavors.) Though pretty much all these new attacks require human interaction in order to spread, thanks to social engineering the barrier to entry seems to be pretty low. And, despite what some may think, Linux and Mac users have no genetic mutation which renders them especially immune to social engineering techniques."
~EdT.
Market share may be one reason why Linux isn't targeted as much as Windows – the other may be because it's harder to wreck the system because Linux was designed from the ground up to separate system files from user files. Microsoft belatedly realised this was a good idea with the release of Vista, but of course many people turned off UAC because lots of legitimate programs expected to be able to write to C:\Windows or C:\Program Files.
Obviously, if any Windows machines connect to and store files on the Linux box, it's a good idea to run an AV to (hopefully) squash them before the Windows user runs the file.
However, there's another good reason. While a Linux virus may not be able to trash the system unless you're either running root or absent-mindedly don't check what program spawned that gksudo prompt; I'd imagine a Linux virus could quite easily trash user space, deleting all your documents / music / videos. It might even be able to roam around the dot folders that store most of your program settings and modify them.
So just because it's quite unlikely your Linux box will get a virus, that doesn't mean you should be complacent and think it will never get a virus, or engage in dodgy browsing practices in the mistaken belief that any Windows virus downloaded couldn't do any damage to your system anyway.
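The comment above notes that malware running as an ordinary user, with no root at all, can still alter the dot folders that hold program settings. As an added example (not code from the original post or any commenter), here is a small baseline-and-compare check for those locations; the list of watched dotfiles and the sample home directory it builds are constructed assumptions, and where the baseline is stored is left to the caller.

```python
"""Detect changes to the dotfiles and dot-directories under a home directory,
which any process running as that user can write to without privileges.

Added example. Assumes the baseline is taken while the account is known to be
clean and stored where the user cannot silently overwrite it (e.g. a root-owned
path or removable media); persisting it is left to the caller.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

Snapshot = Dict[str, str]  # relative path -> hex sha256 digest

# Locations a user-level process commonly edits: shell start-up files,
# desktop autostart entries, SSH settings. Constructed list, not exhaustive.
WATCH_DOTFILES = (".bashrc", ".profile", ".bash_profile", ".zshrc")
WATCH_DOTDIRS = (".config/autostart", ".ssh", ".local/share/applications")


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(home: str) -> Snapshot:
    """Hash each watched dotfile and every regular file below each watched dot-directory."""
    result: Snapshot = {}
    for name in WATCH_DOTFILES:
        path = os.path.join(home, name)
        if os.path.isfile(path) and not os.path.islink(path):
            result[name] = _sha256(path)
    for dname in WATCH_DOTDIRS:
        top = os.path.join(home, dname)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for fname in files:
                full = os.path.join(dirpath, fname)
                if os.path.isfile(full) and not os.path.islink(full):
                    result[os.path.relpath(full, home)] = _sha256(full)
    return result


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, Tuple[str, ...]]:
    """Return sorted tuples of paths that appeared, disappeared or changed since the baseline."""
    added = tuple(sorted(set(current) - set(baseline)))
    removed = tuple(sorted(set(baseline) - set(current)))
    modified = tuple(sorted(p for p in baseline if p in current and baseline[p] != current[p]))
    return {"added": added, "removed": removed, "modified": modified}


def build_demo_home(root: str) -> str:
    """Create a constructed home directory with a few dotfiles (sample data, not a real account)."""
    home = os.path.join(root, "alice")
    os.makedirs(os.path.join(home, ".config", "autostart"))
    os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("alias ll='ls -l'\n")
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
        fh.write("# constructed placeholder, no real key\n")
    return home


def simulate_user_level_change(home: str) -> None:
    """Make the kind of edits an unprivileged process could make: append to .bashrc
    and drop a new file into the autostart folder. Constructed for the demo only."""
    with open(os.path.join(home, ".bashrc"), "a") as fh:
        fh.write("# line appended after the baseline was taken\n")
    with open(os.path.join(home, ".config", "autostart", "extra.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nName=constructed sample entry\n")


def run_demo() -> Dict[str, Tuple[str, ...]]:
    """Baseline a constructed home, change it as a user could, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        home = build_demo_home(root)
        baseline = snapshot(home)
        simulate_user_level_change(home)
        return compare(baseline, snapshot(home))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {', '.join(paths) if paths else '(none)'}")
```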
I run ClamAV on my Linux boot, because it was in my repo, and from my research it was better than some other commercial options.
To me, it seems like the real reason that Linux gets fewer viruses comes down to the way that Linux users are often trained by their community. Things such as using validated repos and rarely running as root, along with the lack of motivation to code malware for Linux and the fact that there are so many different types of Linux, help. No matter what, use safe browsing methods and run AV. If only to keep viruses off your USB for when you need to plug it into a Windows machine. Why take the chance???
Paul – is there an update of this column?