With the rise of the Linux desktop, will viruses follow?

The Linux desktop is growing in popularity and many believe a growth in viruses will follow. Jack Wallen thinks that logic is flawed and explains why.

Over the last few days I've been following a thread on the Fedoraproject Users mailing list. The thread was centered on the idea that Linux is uncrackable. Fortunately, logic prevailed and most everyone on the list agreed that no computer, so long as it is connected to a network, is uncrackable. From my experience, that is a universal statement -- regardless of platform. But beyond that, some interesting thoughts came about and inspired the question to peek out from the recesses of my mind:

As Linux desktop popularity continues to rise, will Linux viruses also begin rising?

The common opinion is based on saturation. Most feel the reason that there are so many viruses for the Windows operating system is simply because it is so popular -- therefore, the viruses are more easily propagated. That argument has never settled well with me. Why? I've been using Linux as my only desktop platform since the mid-nineties and I have yet to deal with a virus. Not only that, but all the Linux users I know (as well as all of those global Linux users that contact me daily) have never reported a virus. Add to that, the proliferation of Linux servers without the proportional proliferation of Linux server viruses, and you might see why I doubt the "Linux desktop popularity correlation".

Since birth, the source of the Linux operating system has been open to the public. Because of this, hackers can scour the code to locate vulnerabilities to exploit. The door is wide open. Linux says, "Hey hackers, here's my immune system! Find my weaknesses and use them to your advantage." And yet, they don't.

Is it possible that the weaknesses simply aren't there (or at least not in the abundance found in Windows)? Is it at all possible that Linux is simply, by design, a much less vulnerable operating system? My answer? Yes. Absolutely.

From within the Windows operating system, the desktop can be completely taken down (to the point of having to re-install the OS) by simply clicking on an email attachment. In Linux you would AT LEAST have to enter the root (or sudo) password for anything like this to happen. And certainly any user of Linux would know that if an email attachment asked for an administrative-level password, shenanigans were afoot.

There's another issue that was brought up in the original thread. It was, from my perspective, a very telling thought that illustrated something unique to the open source development community. Let me try to summarize it simply.

  1. A vulnerability is found in a package.
  2. The developers of the package quickly fix the vulnerability -- even though they know it will break dependencies of other packages.
  3. The developers of said package release their fix and the source code along with the fix.
  4. All broken packages are now responsible to make their packages work again.

The above example happens within the open source community. Instead of leaving the vulnerability in their package (and avoiding an inconvenience to other developers and end users), the developers know it's their responsibility to fix their package. This "fix" happens quickly and is released into the wild immediately. All affected packages must then be fixed or wind up broken.

It's not a perfect model from the convenience perspective, but it's a model I'd rather follow than know that weaknesses remain within the code just to prevent an inconvenience. That is why (and how) open source packages are patched so quickly -- developers know they are directly responsible for not allowing their product to remain vulnerable. The open source community fully embraces its culpability when it comes to vulnerabilities and bugs.

This immediacy in the patching of flaws keeps viruses at bay and always will.

Nothing is perfect. No system is immune. But when push comes to shove, I'd much rather rely on the Linux desktop for my work than a more vulnerable, weak platform. And with the continued rise in acceptance that the Linux desktop is finding, I feel confident a rise in Linux viruses will not follow. And even if they do start popping up, the vulnerabilities they exploit will be immediately fixed.

What do you think? Will the growth of the Linux desktop bring about an equal growth in viruses?

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

30 comments
SoulBurner

I have been using Linux since the late 90s.  There have been security holes detected in some packages over the years.   Those are generally fixed quite fast.   The life of a linux virus is about a day with anyone who KNOWS their system.   I have seen instances of people getting the root password on a machine and installing software that alters different commands, but that is usually due to someone who had the password posting it on the internet.   


While I agree with the increase of Linux Desktops, you may see an increase of attempts.   But attempts are not necessarily successes.  


The best defense against intrusion on your system is to keep up with the security patches, change your passwords often, and don't download/install anything from any site you are not familiar with.   


These are the best defenses for your system. 
sborger

This article is right on target and off target to my situation. I am fixing a Nextbook Premium 8SE. It's built on the Linux OS. Not being able to go to Google Play store for apps. (Nextbook company said it's not available), they said I have to go to "1Mobile.com". Pretty much the same apps are available. Anyway, the problems started with the built in weather app that no matter how I work it, it will not find weather for any area except the one it came with. A software flaw. New York and we are in Florida. Next, at the 1Mobile site, I open the web site and get a red bar at the bottom of the nextbook screen saying: "scaning system" "You are infected click now to remove". I contacted the company and they said It's in no way related to them. Before typing this on my pc, I tried it again and no red box anymore....????

The other issue is the apps that I downloaded for my customer's tablet. When you open each one, you are brought to your mail page to send out email about this great app to all your friends. Only way out of it is to discard it in the trash can. Then you can use the app as you intended....LookOut Security suite that is on my Galaxy Note II cell phone is now the only one doing this on this tablet.....

I connected the device to my PC and scanned with Comodo Anti Virus, Malwarebytes and the downloaded app LookOut Antivirus. No viruses were found by any of them....

I guess it's okay now....but that tells me the viruses for Linux are out there....

todd_dsm

I like the 4-point concept you noted. But, getting back to some basics, I think there are additional reasons for the low occurrence of vulnerabilities.

The Attack Surface

From a security standpoint, the greatest attack surface is always going to be the most likely target to produce a favorable outcome. In military terms, it's easier to hit a larger attack surface than a smaller one; e.g., putting a 50-cal projectile through the top of a beer bottle is far more difficult than tossing a grenade into a fox hole. We all have to justify our time output for likely success; if you never hit a target, the game becomes less productive towards the goal. This probability calculator must also apply to those that make viruses. Windows OS is the biggest target. Should Linux ever get to that place it may represent the greatest likelihood of attack success. But, there is another important factor as well...

Corporate vs. Open Source Development

Developers know what to do and what not to do. Corporations need to release on a date though; software ready or not. A release date is not chosen for the greatest good of the software/product but by quarterly need to keep the executives off middle management backs; everything rolls down hill. Open Source developers build with purpose and don't release until that purpose is met. They understand the importance of commenting their code, for example, so they don't forget the purpose of a code block and accidentally remove it at a later date during a rewrite. These comments serve as long-term memory and ultimately a set of requirements for the next go-round of development. You would be surprised how many large corporate development initiatives forgo this simple but important concept in the interest of time. Then there are the 4 points you've noted. Only the most competent can achieve this kind of ninja-like movement. The corporate types could do this as well if they weren't trying to meet other deadlines. It should be noted too that MS has less than a thousand developers and testers in their offices while open source projects will allow test results and bug reports from anyone in the world. Who has the bigger staff? The last point is

Software Regression

When an open source project puts in a fix it's in forever. Not till the next release or a new version - forever. A test case is added to cover the fix for the exploit and test automation is run on every subsequent build. Simple concept rarely happens in the corporation. In open source projects, if you see an exploit you're only likely to see it once and never again.

Security vs. Usability

The security design is the most important thing though. When a virus comes to the desktop the differences between Windows and Linux are clear:

  1) Both accept email and store contents in a temporary location while you're reading a message. Linux stores them in /tmp and Windows, in a folder deep in the users applications directory.
  2) During this temporary storage (pending user forward/reply/deleting the message) the difference is:
     * Linux stores message and payload without the ability to execute.
     * Windows stores message and payload with the ability to execute.
     * This assertion is testable, test it.

Security vs. Usability is usually the argument I get at this point - not an issue. My Linux email works without the security gap just as Windows does with it. This one security measure is (more likely was) the single greatest problem contributing to virus execution. Seems like a simple fix. Apparently, since Microsoft hasn't fixed it in 20 years, it's more complicated than that. Either way, the easiest way to get a virus is to open Outlook and start forwarding joke emails. You'll find out just how funny they are soon enough.

Moving Forward

A heavier reliance on web-mail would fix most of these problems; then employ one server-side solution to scan emails for everyone before viruses make it to the desktop. I use a combination of postfix/greylisting (though it's more complicated than that) to filter messages before they ever hit MS Exchange. Then you're (mostly) only left with web-based attacks, malicious scripting embedded in web sites; it's the one thing Facebook and porno sites have in common. After that, it's going to boil down to a little training and common sense. Good article, Jack
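
The comment above calls its claim about saved attachments testable. As an added example (not part of the comment or the article), this script saves a constructed attachment the way a plain file create does, checks its mode bits, tries to run it directly, and checks a mount table for the `noexec` option on `/tmp`. The function names, the attachment and the sample mount lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, the attachment and the mounts sample are
# constructed for illustration; nothing here comes from the article.

# Save a constructed "attachment" the way a mail client writes a temp file:
# a plain create, so the mode is 0666 masked by the umask (never any x bit).
save_attachment() {
    f="$1/invoice.pdf.sh"
    printf '#!/bin/sh\necho "payload ran"\n' > "$f" || return 1
    printf '%s\n' "$f"
}

# Succeeds if any execute bit (user, group or other) is set on the file.
has_exec_bit() {
    perms=$(ls -ld "$1" | cut -c2-10)
    case $perms in
        *[xst]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Try to run the file directly and print the shell's exit status.
# 126 means "found but not executable" (the kernel refused the execve).
try_exec() {
    status=0
    "$1" >/dev/null 2>&1 || status=$?
    printf '%s\n' "$status"
}

# Read a mount table in /proc/mounts format on stdin and succeed if the
# given mount point carries the noexec option. The last matching line wins,
# because a later mount on the same path hides the earlier one.
mount_is_noexec() {
    awk -v mp="$1" '
        BEGIN { rc = 1 }
        $2 == mp {
            rc = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") rc = 0
        }
        END { exit rc }'
}

# Constructed sample of /proc/mounts lines for a hardened desktop.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    file=$(save_attachment "$dir")
    if has_exec_bit "$file"; then
        echo "mode: execute bit set"
    else
        echo "mode: no execute bit"
    fi
    echo "direct execution exit status: $(try_exec "$file")"
    if [ -r /proc/mounts ] && mount_is_noexec /tmp < /proc/mounts; then
        echo "/tmp: mounted noexec"
    else
        echo "/tmp: not mounted noexec (or /proc/mounts unavailable)"
    fi
    rm -rf "$dir"
}

demo
```
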

janitorman

Android is based on Linux. True, while it isn't an actual open source OS, it has had its vulnerabilities exploited. Why? I believe because of its popularity, and its use by people who have NO IDEA how to use it. I don't believe you need to verify passwords to install or change stuff on it either, whether because it's logged on as root, or whatever. That could be a point, as well. I tried last night to put a program on my Linux desktop computer, it used to work, but with a few updates to the kernel and a new release under its belt, enough dependencies were broken to where I couldn't figure it out. "Compile from source" was the solution. Well, being the geek I am, I still haven't figured THAT out. The instructions were too vague and confusing. BUT I couldn't just download a new program and bam.. have it work (and who knows what came in with it?) True I could have gotten the updated version but I've tried that and it works horribly. I think I should have stuck with the old distro, the old versions, etc. where everything worked! Part of the problem was, this is not a Linux native program, but converted for it from Windows. Most likely it's horribly complicated and never will "just work" on Linux.

Red_One

As I remember Lindows did at one point log in as root.

TrajMag

I agree with the ROI camp. As the number of desktop, tablets etc grows it will become worthwhile to exploit. Just look at Android. Looks to be easily exploited through social engineering and poisoned apps. The distro will open Linux in general to attack.

rmerchberger

... to [Yes (lots)] and [Yes (a few)] -- I mean, if the number of Linux viruses tripled, we'd get to what... 1 a year? I think there will be an increase, but not an alarming amount... Because of this fact, I did vote Yes, but I don't see this as "the end of the world." It's human nature to "not fix what isn't broken" and I think a lot of the viruses for Linux that may be created in the future will not target the latest-n-greatest kernel, but concentrate on older vulnerabilities that people don't patch for. For this to be "cost effective" for the virus creators, there has to be a "critical mass" of Linux machines already (which *might* happen in the next few years) and then wait for these individuals to ignore the patch manager. It's also possible that the virus creators could target embedded machines (routers, wireless APs, etc.) that would not be patched on a regular basis -- there are a *lot* of those machines out there now. And there are very secure closed-source operating systems out there - I don't believe there was ever a virus written for VMS, for example; and there were a *lot* of VAXen installed at one point in previous history... [[ Yes, I still have a couple in my basement... ]]

maury0324

I am in year 11 of using Linux as my only system. During that time I have introduced family and friends to Linux and estimate we have collectively 60 years of run time and so far as I know the only successful attack was against my daughter's Yahoo online email address book which we caught right away and she had to change her password. That was a Yahoo problem and was a spam bot that passed through emails that appeared to come from a friend.

macmanjim

I have seen the same logic said for the Mac OS, yet it's met by derision by the Windows folks. Will it be the same here?

Tony Hopkinson

unless some nitwit makes a distro which logs on as root for convenience and it becomes popular.

ozindfw

Is Linux more secure than Windows? Probably, but it's hardly perfect. Equal growth, maybe not. But never say never. As Linux popularity increases the value of attacking it will increase. As that value increases, so will the attacks. It's pretty basic market economics. There are already a number of Linux server exploits. I suspect a lot of this is due in part to Linux popularity in that area. I also think it makes no sense to define the problem narrowly. Rootkits, worms and other malware are problems. Malware is an issue for every OS, even Linux and BSD. It's only going to get worse as the value of attacks increases. Finally, the OS isn't the only attack path. Applications present attack paths as well. Linux may provide better tools for dealing with this, but very few installations apply those tools effectively. It's only going to get worse when less technically oriented users become a higher proportion of the base.

rkorb

Maybe it is harder to crack, but impervious? Don't think so. Here's another theory: Could it be that hackers see Linux as part of the same counter culture movement that they belong to so why would they break into their own house? OK... It's a bit cynical but it's a theory - nothing more... The lack of viruses on the platform is for real and there is definitely something to be said for the open source system helping to resolve these things. BTW I have an android tablet that had the rotate feature crippled by a manufacturer pushed upgrade in OS level. Problem is there is no vector to get to the manufacturer and they have no official response even though it is a known problem. Why do I mention this? Well taking this discussion into account - maybe Linux/Ubuntu does have a future on the tablet platform. At least with open source somebody who can do something may actually be listening.. (hear this Acer???)

Slayer_

You would also get more devs fixing holes. In the end, I think it would balance out. Some unlucky people (probably Facebook users) will get viruses as they are fresh. But then patches will quickly appear and everyone else will be safe. That and probably the most vulnerable code will be closed source code like Flash and Silverlight.

tanernew

As system admins, engineers and developers we can prefer security, restrictions etc. but lots of the people will prefer to run everything without so many questions (remember how people hated Vista). This is why they use Linux. Of course when they lose their files due to a virus they'll start blaming but still they'll not run Linux, because it'll be a very complex system for them. Even so many businesses will prefer to run insecure systems behind a firewall. Because when they install the new security patch so many applications will not work, will take a long time to fix and nobody can answer the claims. With current business model is it possible to dominate the desktop of average Joe?

bmullan

I've used Windows since it first appeared thru Win95, now Win7 and there is always the risk of virus attacks even with paid virus protection software. I've used Linux since Slackware was first introduced ... but have been an Ubuntu user for many years and have NEVER had even the hint of a virus and as far as I know, no one I am in communication with that uses Linux has ever seen a virus either. I personally think about the only risk to Linux users is just plain basic system security common sense. Don't allow root login via ssh, keep your password safe & use good passwords etc... which of course are the same things you'd do with Windows.

Tony Hopkinson

People would have found it too different otherwise :p

Sagax-

Since there are, to date, NO virii in the wild, the appearance of one would be an increase. The increase in numbers of Linux machines is less the issue than what is to be gained by the cracker. No profit, no attack. Given the general profile of Linux users, if a successful attack was crafted, they would detect and kill it quickly. Thus no profit. It is possible there may be a few crackers out there who would go to the time and trouble of writing malware for Linux just to prove it could be done, but I do not foresee any serious efforts.

bobc4012

I too was hit by the same "attack" and when I attempted to tell Yahoo they had a problem, they gave me a ration and implied I did everything from beating my dog (which I don't have) to going to Starbucks and passing out my password to the world. Joking aside, Yahoo would not admit they had been compromised and told me I had been careless with my password. At the time, I only had a desktop, no children at home and I was the only user.

bobc4012

On those rare occasions where I have logged on as "root", I would frequently get prompted for the password before the system would make a change. It irritated me since I had supplied the password to obtain root access in the first place and then prompted for a number of operations. BTW, I am assuming the "nitwit" did not rewrite the kernel.

knuthf

Linux and MacOS/iOS/Unix are in another league when it comes to security compared to Windows. Rootkits are impossible. Worms are impossible. The malware that is possible is trojans that can be launched from emails and in the browser and cloud applications. But on Linux/MacOS you can detect the attempts, isolate, and they cannot do anything major wrong without you giving them the Admin password. When I say "cannot" the meaning is physically impossible, where "may" is a request for. Should an application try to go to some other place, it is "Address violation" or "Segment Fault" and that was that.

todd_dsm

Let's make this crystal clear, for the cheap seats... You can build a server system that cannot be cracked. Following security standards that have been in place for years - and for good reason. All errors are created by people. The design of a POSIX system is anchored in security. Security gaps are left open by new admins that have not yet been educated but the systems themselves can be buttoned up - air tight.

knuthf

Most viruses are not possible on Linux/MacOS. Only trojans, and for all, they can only get to the files you can get to without any effort. Regarding Linux on the tablet, most early days tablets ran Linux. Then the "analysts" demanded Windows, and Steve Jobs finally got them to make it with their variant of Unix: iOS. But the tablets came from Linux and will most likely return here because of the rich applications you find here.

jp-dutch

Hackers are a diverse lot. 1) There is the counter culture like Anonymous, they will break into government computers (Linux or wintel). Lulz will do just everybody if you happen to piss them off... 2) There are criminal hackers like the Russian Business Network. They will break into anything where they expect to make money. Wintel offers bigger bonuses than Linux, but that's not much of a safeguard. 3) State hackers like Chinese Army, Iranian Guard, Israel's Mossad and the American agencies like CIA, FBI, NSA. They will break into anything, which they suspect, Linux, wintel or Apple. Not much of a safeguard either. In the end: with the rise of Linux there will be more break-ins. And a lot of break-ins are browser-attacks...

knuthf

The first "viruses" were on Unix, and the usual attempt was to alter commands. To do that, they needed a "secure shell" like SSH or telnet. It is easy to move telnet to "guest" user and disable SSH port and then inhibit remote login to the few that need it. There is no way you can change essential parts of Linux or MacOS without having to ask for the Admin password from the user, and been provided this. But, it is fully possible to embed a script in a Jpeg picture, that executes in the user's own context. If the user wants to see picture effects, video (Flash definitely contains a dangerous script language) and rich media, you will need a way to connect the presentation of these to local applications. These must be able to execute scripts, also to verify and authenticate. Knowing some of the flaws that allow viruses, I don't expect the developers will have to worry much, except that their code will be inspected to verify that it does just what it should and nothing else. The rest is simple. On Linux and MacOS, an application cannot modify another by accident. It cannot debug the kernel, it cannot change the "rm" command. Should a pointer go way out in the blue, it will be trapped, and cannot "see" the memory of others (beside allocated shared memory). I believe most hacks originate from Linux today, since they can leave without making a trace. They have seen to that their systems cannot be hacked. So those writing virus scanners today are facing a bleak future.

SKDTech

"Given the general profile of Linux users" That may be true now, but if Linux were to draw a large number of users away from Windows (and possibly Mac) that general profile would change. One of the reasons that the recent Mac virii have had success, even with a similar security setup to Linux/BSD/Unix, is that many of the users infected were previously Windows users that switched to the "virus-free" Mac. Remember when Mac users and ads were spouting the line "there are no viruses for Macs"? People bought into that, got Macs, assumed they were safe and wound up authorizing the malware when hackers started writing it. Switching to a "more secure" platform had not helped them in the least because the basic behaviours which got them into trouble in the past had not been corrected. And having masses of people switch to Linux would net the same effect. It does not matter how secure a platform is if the user behaviour is not fixed. Once the platform becomes a large enough target hackers will start trying to break it in earnest.

bobc4012

When you have a kernel built on a sound basis, you cannot hack it. If you ever wrote a production operating system, you would understand. With virtual memory on mainframes you have "keys" for each user and that prevents them from accessing other users or the nucleus (kernel). While you may POSSIBLY be able to attack the application in a particular user's memory, you won't be able to attack another user's nor the kernel. A good kernel will not provide any back doors to other components, unlike Windows, which gives access to its other products.

todd_dsm

It's funny what people will leave out of a story; The first viruses were written as academic works in 1966 (predating Unix) by, John von Neumann "Theory of self-reproducing automata": http://cba.mit.edu/events/03.11.ASE/docs/VonNeumann.pdf Which can only mean that you're repeating some bit of rhetoric you overheard.

walks.in2.trees

Scammers and hackers love this over-confident mentality. It's what they all have wet-dreams about.

ricardoc

I totally agree with you. The protection offered by the need to enter sudo to gain admin rights is no protection if the user keeps typing it every time it is requested (or the password via GUI) without understanding what's happening. As I teach in my training to users: the IT department with their AV, UTM and firewalls won't do much for you if you keep inviting the bad guys in. Users are the guardians of their system, period. You need to learn to use a computer safely and keep updating your skills. The problem with computers today is that most users and especially business users have their priorities for attention and learning on the job they are supposed to complete; many see the PC and all its issues as a burden they don't want to go through. They just want to "use" the computer without getting a "master degree" in its use. This is the most common complaint among my company's users: "I don't want to be a computer expert; I want to do my job".