Linux/UNIX viruses and worms demand special attention

When developing your company's virus protection strategy, don't forget that Linux and UNIX systems need to be protected as well. See how Linux/UNIX viruses differ from Windows viruses and learn about your antivirus options.

Not that long ago, many administrators assumed Linux and other UNIX-based platforms were virtually invulnerable to viruses and worms. I'm not sure why they became so complacent in their analysis of these threats, particularly since the first major worm, launched in 1988 by Robert Morris, was released on UNIX systems that used the well-known Sendmail messaging program. I guess everyone became so caught up in criticizing the security of Microsoft operating systems and software—which has become the most popular target of virus writers—that they forgot about the existing vulnerabilities in UNIX.

Linux/UNIX threats
With the announcement of the Klez virus infection on Linux platforms, leading antivirus vendors started reminding us that Microsoft operating systems are not the only vulnerable OS when it comes to viruses. Even though users of Linux and other popular UNIX platforms may not be big users of the Microsoft bundled applications that transmit viruses, Linux and UNIX have their own vulnerabilities that may not be apparent at first glance.

Aside from Klez, other major threats affecting Linux/UNIX platforms are the Lion.worm, the OSF.8759 virus, Slapper, Scalper, Linux.Svat, and the BoxPoison virus—just to mention a few.

I remember sitting in a security audit done by one of the largest financial institutions in Europe about two years ago and hearing a well-known security expert tell the auditor that UNIX systems were not vulnerable to viruses. The auditor simply said "okay" and made a note that the UNIX systems were safe from viruses. Those days are gone, and you can expect auditors and IT security teams to start getting tougher on requiring virus policies for UNIX platforms.

An Austrian student named Alexander Bartolich has even written a guide to writing the ELF virus for Linux. Bartolich does not claim to be a Linux virus pioneer and says that he has only more efficiently documented and formatted in a nicer way the virus, worm, and Trojan vulnerabilities for Linux that have already been documented elsewhere. With such revealing documents posted on the Web, the proliferation of UNIX-based viruses is only going to increase, especially since the use of Linux in the server room is on the rise. System administrators may want to get a jump on Linux viruses by reading the guide themselves so they can better understand Linux vulnerabilities.

Virus authors are hackers who understand how to write code and are far more dangerous than hackers who put digital graffiti on Web sites, which takes much less skill than writing a virus. Although a hacked site can be quickly fixed, viruses are far sneakier. You may not even realize a virus is there until it has done irreparable harm to mission-critical systems.

Affected Linux/UNIX platforms
Not all versions of these platforms have been affected, but these are the Linux/UNIX platforms that have been affected by viruses in the past:
  • SuSE Linux
  • Mandrake Linux
  • Red Hat Linux
  • Debian GNU Linux
  • Slackware Linux
  • FreeBSD
  • HP/UX
  • SCO Unixware
  • SCO OpenServer
  • Sun Solaris
  • SunOS

The more Linux/UNIX systems connected to your LAN and WAN, the more vulnerable your organization is since many UNIX viruses proliferate rapidly. Linux and UNIX systems that use WINE are particularly vulnerable. WINE is an open source compatibility package that allows certain UNIX platforms to run Windows applications. WINE systems are especially vulnerable because they can make a system susceptible to both UNIX and Windows viruses, worms, and Trojans.

The nature of the threats
It shouldn't be any surprise that the Linux/UNIX viruses don't work the same way as viruses for Windows operating systems. However, viruses, worms, and Trojans for UNIX do operate using the same principles that these maelstrom pieces of code used for Windows.

Keep in mind that a virus is simply a program that infects or destroys other programs without your permission. A worm is a self-replicating piece of code that operates without your permission. Though bugs in computer programs may generate self-replicating code without your permission, the difference is that bugs are unintentional and viruses are intentional. Trojan programs hide their intentions for the purpose of causing digital damage. In a UNIX environment, a Trojan might be given the name of a legitimate program (e.g., tar or df), but may remove an entire file system upon execution.

How these viruses and worms work
To give you an idea of the havoc that can result from UNIX viruses, worms, and Trojans, I’ll take you through a couple of scenarios showing how they work. Every virus, worm, and Trojan has its own idiosyncrasies and behaviors, of course, but these examples will give you an idea of how they tend to operate in Linux/UNIX.

Let's start with the Linux.Slapper worm. Slapper works by exploiting an Apache server. It connects to HTTP port 80 and then sends an invalid GET request to find out the version of Apache being used so that it can customize itself for the particular target system. After finding the appropriate vulnerable systems, it connects to port 443 and exploits a buffer overflow vulnerability that it uses to extract the worm package for placement on the target system.

The worm can then compile itself using a local compiler such as gcc. The resulting binary is then launched from the /tmp directory and listens on one of the UDP ports to receive further instructions to launch a distributed denial of service (DDoS ) attack. DDoS attacks create TCP floods that can make systems inoperable. Certain variants of Slapper can scan an entire class B network in search of vulnerable Apache servers.

Another worm, the Linux Lion worm, scans random class B networks on port 53 in search of vulnerable versions of BIND, the most popular Linux/UNIX DNS server. When the Lion worm finds a vulnerable version of BIND, it cleans the log files and installs various Trojan files to hide its intentions. Trojan files installed by Lion can include:
  • /bin/in.telnetd
  • /bin/mjy
  • /bin/ps
  • /bin/netstat
  • /bin/ls
  • /etc/inetd.conf
  • /sbin/ifconfig
  • /usr/bin/find
  • /usr/sbin/nscd
  • /usr/sbin/in.fingerd
  • /usr/bin/top
  • /usr/bin/du

You can see that these files look like legitimate UNIX files and utilities, and therefore you may not suspect anything has gone awry at first glance—which is the point of a Trojan.

To cover its tracks, Linux Lion may delete the following files:
  • /.bash_history
  • /etc/hosts.deny
  • /root/.bash_history
  • /var/log/messages
  • /var/log/maillog

Once it has compromised a system, Lion can send out password files to remote computers, and other variants of Lion can launch password sniffers to sniff passwords on active connections. By obtaining system access, virus hackers can then use the remote system to launch DDoS attacks, steal credit card numbers, or pilfer and destroy other confidential data and records.

Antivirus products for Linux/UNIX
Since Linux is one of the most popular UNIX platforms, most of the new antivirus software being written for UNIX systems is aimed at Linux platforms. However, some vendors have packages for some of the less-popular UNIX platforms as well. If your organization is using Solaris, FreeBSD, or some other flavor of UNIX, don't expect to find too many antivirus choices. Clearly, antivirus software for Linux/UNIX platforms is still ramping up, and today, only a handful of vendors offer packages for various Linux/UNIX platforms. These vendors include:

Some of the antivirus products for UNIX are designed specifically for installation on firewalls, so you can block UNIX viruses at the firewall before they get to other systems. Other UNIX antivirus products are designed specifically for messaging and groupware servers.

Protect your systems from automated hacking
Viruses, worms, and Trojans are basically just automated means of hacking. It is probably much more likely that your Linux/UNIX systems will get a virus than be attacked directly by a hacker. Direct hacking typically targets servers, while viruses are equal-opportunity troublemakers. If your network includes Linux and/or UNIX systems—especially mission-critical servers—don't wait to find out whether UNIX viruses, worms, and Trojans really exist before taking action. Shop around and select an antivirus product for your systems so that they will be protected against infection before it's too late.


Editor's Picks