Security: Linux, OS X, Unix and Malware (Viruses)

I recently had the opportunity to look into the anti-malware world of Apple OS X. One of our clients moved to a new office in late October 2011. As part of this move they also moved from Microsoft operating systems and software to Apple OS X systems and software, making a clean break from all things Microsoft. While researching their question about anti-malware for OS X I found that the world of anti-malware for OS X is just as fraught with information and disinformation from Apple fans, Apple opponents and anti-malware vendors as the world of Linux seems to be at times with its fans and detractors. I came to the following conclusion which is paraphrased and expanded from the e-mail I sent our client.

After a lot of research over the past month I have come to the conclusion that costly Unix, OS X and Linux anti-malware programs, such as Norton anti-virus on OS X, are a waste of money. It is not that unix-like systems are invulnerable to attack, but that the types of attacks I have seen mentioned over this month will get right through most anti-malware software on systems that are vulnerable. All these anti-malware solutions seem able to do is protect your Microsoft-using friends and clients, to whom you might forward an infected e-mail sent to you by someone else using an infected Microsoft Windows system.

The fact that Microsoft software is perceived to have the largest installed base does mean there are many more attacks against Microsoft systems in the desktop space. But just because a system is highly targeted does not mean it can be successfully targeted. The flawed core design of all Microsoft operating systems, desktop and server, means more successful attacks. The “designed with security in mind” unix-like systems are much less likely to experience a successful attack on the desktop or the server. This is not to say they will never be targeted; they will. It is just that the incidence of successful attacks is likely to be much lower than that for Microsoft’s systems. Of course, any desktop system that has a user interacting with it can be successfully attacked through social engineering. User education is the only solution to social engineering attacks.

Unix-like systems are typically not susceptible to traditional viruses such as those found on Microsoft Windows. However, they can be susceptible to social engineering, worm and Trojan Horse attacks. Here are some basic definitions:

Virus – Self-replicating malware that attaches to executable files. The infected program has to be run for the virus to spread. Typically viruses will seek out system programs that start when the system starts, or specific software that is ubiquitous on the platform the virus is designed to attack.

Worm – Self-spreading malware that attacks un-patched, vulnerable “services” on networks. These usually are a “rootkit” running on an infected system that will attack print servers, name servers, web servers, file servers, and the like. All modern desktop operating systems are likely to be running a service of some sort. Server systems will definitely be running some services. This malware only succeeds if the service is vulnerable because it has not been patched or kept up to date. A successful attack will then install itself as a new “rootkit” on the infected system and start scanning the network for more vulnerable systems it can attack from the newly infected system.

Trojan Horse – Embedded malware that requires the end-user to install an application that is pretending to be something it is not. This is the most prevalent attack these days. In some cases it preys on a user’s ignorance by using social engineering to get the user to install malware. Fake anti-virus pop-up messages from infected web sites are the most common infection vector. In other cases the attack vector is deliberately infected install files downloaded from “strange” web sites. A Trojan Horse may include a virus, a worm or both.

For more detail see this: The Difference Between a Computer Virus, Worm and Trojan Horse

All anti-virus software is retroactive. In other words, for all of these, the anti-virus software has to already “know” about specific malware to be able to prevent it. In the case of web site pop-up malware, most, if not all, anti-virus software will happily let one install the software that is masquerading as anti-virus software. In some cases the end-user might get a warning that the software is malicious. But often no warning is given, even with web scanning enabled in the anti-virus software. Then the uneducated, gullible user clicks on the dialog and essentially, but unknowingly, agrees to infect the system.
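To make the “retroactive” point concrete, here is a minimal on-demand signature scanner, in the spirit of the clamscan commands discussed in the comments below. It is an added example written for this page, not code from the original post or from any anti-virus product. The signature database, the “malware” samples (harmless shell snippets with a marker string) and the directory layout are all constructed for the demonstration. A known sample is caught by its hash and by a byte pattern; a variant the database has never seen is missed by both, which is exactly the limitation the paragraph above describes.

```python
"""Added example: a signature-based on-demand file scanner, to show why
signature detection only catches malware the scanner already knows about."""
import hashlib
import os
import tempfile

# Constructed sample bodies. These are harmless text, not real malware.
KNOWN_SAMPLE = b"#!/bin/sh\n# FAKE-MALWARE-MARKER-A\necho 'pretend installer'\n"
# A variant the signature vendor has not seen yet: one token changed in the
# marker, so neither the hash entry nor the pattern entry below matches it.
UNSEEN_VARIANT = KNOWN_SAMPLE.replace(b"MARKER-A", b"MARKER-B")
CLEAN_FILE = b"Quarterly report: nothing suspicious here.\n"

# Constructed signature database (hypothetical names).
# A hash signature matches one exact file; a byte-pattern signature also
# matches files that merely contain the known fragment.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.FakeTrojan.A (hash)",
}
PATTERN_SIGNATURES = {
    b"FAKE-MALWARE-MARKER-A": "Constructed.FakeTrojan.A (pattern)",
}


def scan_bytes(data: bytes):
    """Return the name of the first matching signature, or None if unknown."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_tree(root: str) -> dict:
    """Recursive on-demand scan of a directory (like `clamscan -r`).

    Returns {relative path: signature name} for every file that matched.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                name = scan_bytes(fh.read())
            if name is not None:
                hits[os.path.relpath(path, root)] = name
    return hits


def build_sample_tree() -> str:
    """Write the constructed files into a fresh temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="sigscan-demo-")
    os.makedirs(os.path.join(root, "downloads"))
    for rel, body in (
        ("downloads/installer.sh", KNOWN_SAMPLE),       # in the database
        ("downloads/installer-v2.sh", UNSEEN_VARIANT),  # not yet in the database
        ("report.txt", CLEAN_FILE),                     # benign
    ):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


def demo() -> dict:
    """Scan the constructed tree; only the already-known sample is reported."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, name in sorted(demo().items()):
        print(f"{path}: {name}")
    # The unseen variant and the clean file are not listed.
```

The pattern signature is slightly more robust than the hash (it still fires when the known fragment is embedded in a larger file), but both depend on someone having already analysed the sample and shipped a signature; a never-seen variant passes straight through, which is why the post puts user education ahead of any scanner.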

Here is one example of a successful Trojan Horse web based attack on OS X systems:

Mac OS X Viruses: How to Remove and Prevent the Mac Protector Malware

If you are new to unix-like systems and have not yet purchased anti-malware for your Linux, Unix or OS X system, here is what I recommend. Do not buy anti-malware for unix-like systems, as you will likely just be wasting your money. Instead, use a “free” anti-malware package if you feel you must have one. Keep your unix-like systems up to date. Then educate yourself, your friends, your acquaintances and your employees about these web based Trojan Horse attacks. Think long and hard before you download and install any “strange” software from “strange” web sites. Ultimately the human mind considering the pop-up message on the screen or the program download from a “strange” site is the last line of defense against these attacks. An educated, cautious mind is the best defense against a social engineering malware attack.

Finally, we all know there are some people for whom no amount of training will suffice. Not all brains are equal in their ability to process and store information. These folk may listen politely to explanations about malware, nod that they understand, then go ahead and click the [Install] button on a malicious pop-up dialog and follow the instructions to completion. There are also people who refuse to learn anything they perceive to be “inconvenient”. They remain willfully ignorant of malware threats as a result. These people will always be the weak link in the chain when attempting to protect personal and business systems from malware. The malware clean-up businesses will still have a strong future with these people using computers, no matter what operating system they use.



Published by

Gene A.

Gene is a "Unix Guy", network technologist, system trouble-shooter and IT generalist with over 20 years experience in the SOHO and SMB markets. He is familiar with and conversant in eComStation (a.k.a. OS/2), DOS (PC, MS and Free), Unix, Linux and those GUI based systems from Microsoft. Gene is also a follower of Jesus (forgiven, not perfect), and this does inform his world view.

10 thoughts on “Security: Linux, OS X, Unix and Malware (Viruses)”

  1. Feel free to comment on this article at these locations:

    For the record, yes, I know Microsoft systems can be locked down and secured. But this does require knowledgeable system administrators to accomplish. A group that is in short supply to non-existent for many small business and home computer users.

  2. To be fair, at this point most new Windows malware is spread either as a Trojan Horse or else through a vulnerability in Flash, Java, or Adobe Reader rather than a vulnerability in the operating system itself.

    Interestingly, even when I ran Windows regularly, I always found anti-virus software to be a waste of money and, more annoyingly, processing power. I ran Windows without any anti-virus software of any kind for years behind a router with a basic firewall and was careful to take the type of steps you mentioned about potential threats from the Internet. Also, I never read email directly from a Windows machine other than my workstation at my job (which also some of the time has had anti-malware software installed by policy). The only malware I’ve ever gotten on a Windows computer that I ran was a master boot record virus on a Windows 98 computer from an infected floppy disk. Of course, I was also fortunate not to pick up anything through a Flash or Java ad on a website.

    Of course, even if Windows were perfectly safe from all malware, I would still prefer to run Linux, and I do.

  3. Particularly good (and thankfully succinct) précis of the computing society’s current predicament. Thanks, I will save that for future argument, and recommend to others.

  4. When you say

    ‘If you are new to unix-like systems and have not yet purchased anti-malware for your Linux, Unix or OS X, here is what I recommend. Do not buy anti-malware for unix-like systems as you will likely just be wasting your money. Instead, use a “free” anti-malware package if you feel you must have one’…

    I totally disagree with you… Especially when you’re new (even if you are experienced) to these operating systems you need good (real-time active) antivirus. New users are bound to experiment with their OS and download all sorts of applications and scripts to try out; even the Linux repository servers are not fully safe from hackers who put their malware in those hacked repos.
    OK, the chance you catch a Linux/Unix or OS X virus is small because there is not much malware made for those operating systems, but there is a great chance you get Windows malware you can accidentally transfer to a friend’s/colleague’s Windows machine by mail, USB stick or Dropbox etc…
    I myself use Kaspersky for Linux Workstation/fileservers and on this workstation I got some Windows-based trojans via mail, social networks and torrents (OK, to be honest, not the legal ones), but the chance of me transferring those to a Windows machine is pretty big and not negligible.

    Editor’s note: I put the quote in blockquote tags for you. 🙂

    1. Then you disagree with using ‘free’ anti-malware such as ClamAV? I do use Bogofilter to scan my mail on Linux for junk messages so I do not accidentally forward a malicious message to clients. So far it has been nearly 100% accurate once I trained it. I also refuse to participate in “Forward this message to everyone and your dog!!1!1!” message chains. Those just get deleted here. I see no need to have the intrusive, CPU cycle eating, disk drive hogging, must scan every action, anti-malware such as one needs on Microsoft. Why do you believe you need that on unix-like systems?

  5. To Gene…

    Thanks for the blockquote tags. I don’t react a lot to these kinds of blogs so I don’t have much experience with them either 🙂
    No, I don’t disagree with open source/freeware malware security; it’s better than having nothing, even on Unix based systems.
    What you’re talking about is a spam filter, which is actually active protection. Thumbs up for you… serious! I use SpamAssassin and ClearOS for the firewall on my server (and it simplifies administration).

    I also don’t like CPU/RAM hogging anti-malware; that’s why I use.. the one I use… I don’t like to advertise too much 🙂 I don’t scan /xxx constantly, only /home/user; this helps of course!
    And to answer your last question, I believe this is necessary because of the reason I gave earlier… the possibility of transferring malware to other (mainly Windows) machines is too big not to actively scan files… but I think we can all agree that security is first of all the responsibility of the user and his actions rather than any anti-malware application. Only if you’re a little bit paranoid like me do you want to rule anything out :).

    1. What is wrong with using:
      clamscan -r --quiet ~/downloads
      Or Using:
      clamscan -ir ~/Mail
      Or using:
      clamscan /path/to/some/file
      … before sending files along to someone else? Do you really need a nanny application running in the background to do that for you?

      Added: BTW, to respond directly to someone’s comment here, click the word “REPLY” that is in the header of each comment.

      1. OK, you caught me, I’m lazy 🙂 I like it when things get done automated and worry free…. if of course it doesn’t take too much resources.
        Maybe you and other (Linux/Mac) people are very disciplined about scanning/checking their files, but I and a lot of those (ex-)Windows folks are used to letting the machine sort things out…. again…. security is first of all the responsibility of the user and his actions rather than any anti-malware application.
