Security: Linux, OS X, Unix and Malware (Viruses)

I recently had the opportunity to look into the anti-malware world of Apple OS X. One of our clients moved to a new office in late October 2011. As part of this move they also moved from Microsoft operating systems and software to Apple OS X systems and software, making a clean break from all things Microsoft. While researching their question about anti-malware for OS X I found that the world of anti-malware for OS X is just as fraught with information and disinformation from Apple fans, Apple opponents and anti-malware vendors as the world of Linux seems to be at times with its fans and detractors. I came to the following conclusion which is paraphrased and expanded from the e-mail I sent our client.

After a lot of research over the past month I have come to the conclusion that costly Unix, OS X and Linux anti-malware programs, such as Norton anti-virus on OS X, are a waste of money. It is not that unix-like systems are invulnerable to attack, but that the types of attacks I have seen mentioned over this month will get right through most anti-malware software on systems that are vulnerable. All these anti-malware solutions seem able to do is protect your Microsoft-using friends and clients to whom you might forward an infected e-mail sent to you from someone else using an infected Microsoft Windows system.

The fact that Microsoft software is perceived to have the largest installed base does mean there are many more attacks against Microsoft systems in the desktop space. But, just because a system is highly targeted does not mean it can be successfully targeted. The flawed core design of all Microsoft operating systems, desktop and server, means more successful attacks. The “designed with security in mind” unix-like systems are much less likely to experience a successful attack on the desktop or the server. This is not to say they will never be targeted; they will. Just that the incidence of successful attacks is likely to be much lower than that of Microsoft’s systems. Of course, any desktop system that has a user interacting with it can be successfully attacked through social engineering. User education is the only solution to social engineering attacks.

Unix-like systems are typically not susceptible to traditional Viruses such as those found on Microsoft Windows. However, they can be susceptible to social engineering, Worm and Trojan Horse attacks. Here are some basic definitions:

Virus – Self-replicating malware that attaches to executable files. The infected program has to be run for the virus to spread. Typically viruses will seek out system programs that start when the system starts, or specific software that is ubiquitous across the platform the virus is designed to attack.

Worm – Self-spreading malware that attacks un-patched, vulnerable “services” on networks. These usually are a “rootkit” running on an infected system that will attack print servers, name servers, web servers, file servers, and the like. All modern desktop operating systems are likely to be running a service of some sort. Server systems will definitely be running some services. This malware only succeeds if the service is vulnerable due to not being patched or up to date. A successful attack will then install itself as a new “rootkit” on the infected system and start scanning the network for more vulnerable systems it can successfully attack from the newly infected system.

Trojan Horse – Embedded malware that requires the end-user to install an application that is pretending to be something it is not. This is the most prevalent attack these days. In some cases it preys on a user’s ignorance by using social engineering to get the user to install malware. Fake anti-virus pop-up messages from infected web sites are the most common infection vector. In other cases the attack vector is deliberately infected install files from “strange” web sites. A Trojan Horse may include a virus, a worm or both.

For more detail see this: The Difference Between a Computer Virus, Worm and Trojan Horse

All anti-virus software is retroactive. In other words, for all of these, the anti-virus software has to already “know” about specific malware to be able to prevent it. In the event of web site pop-up malware, most, if not all, anti-virus software will happily let one install the software that is masquerading as anti-virus software. In some cases the end-user might get a warning that the software is malicious. But often no warning is given, even with web scanning enabled in the anti-virus software. Then the uneducated, gullible user clicks on the dialog and essentially, but unknowingly, agrees to infect the system.

Here is one example of a successful Trojan Horse web based attack on OS X systems:

Mac OS X Viruses: How to Remove and Prevent the Mac Protector Malware

If you are new to unix-like systems and have not yet purchased anti-malware for your Linux, Unix or OS X, here is what I recommend. Do not buy anti-malware for unix-like systems as you will likely just be wasting your money. Instead, use a “free” anti-malware package if you feel you must have one. Keep your unix-like systems up to date. Then educate yourself, your friends, your acquaintances and your employees about these web based Trojan Horse attacks. Think long and hard before you download and install any “strange” software from “strange” web sites. Ultimately the human mind considering the pop-up message on the screen or the program download from a “strange” site is the last line of defense against these attacks. An educated, cautious mind is the best defense against a social engineering malware attack.

Finally, we all know there are some people for whom no amount of training will suffice. Not all brains are equal in their ability to process and store information. These folk may listen politely to explanations about malware, nod that they understand, then go ahead and click the [Install] button on a malicious pop-up dialog and follow the instructions to completion. There are also people who refuse to learn anything they perceive to be “inconvenient”. They remain willfully ignorant of malware threats as a result. These people will always be the weak link in the chain when attempting to protect personal and business systems from malware. The malware clean-up businesses will still have a strong future with these people using computers, no matter what operating system they use.


Microsoft Windows – Promoting Mediocrity Since 1985

What do I mean “… Since 1985”? Go here for a timeline of Microsoft Windows: A history of Windows – Microsoft Windows

I am a Unix / Linux guy writing this article out of sheer frustration, so if one does not like pointed, accurate ranting about that Not A Unix OS to which one may be partial, stop here.

Our company web log, web site, shopping site and forum get hit to varying degrees with SPAM bots, or in some cases possibly paid SPAM shills, signing up for accounts, posting “comments” and sending “track-backs” that aren’t. Constant administration oversight is needed to keep these cleaned up, which is one reason why all comments and track-backs here at The ERACC Web Log are moderated. We see the SPAM so you don’t have to. I also see the occasional SPAM in my e-mail. Even though I have measures in place to mitigate the problem in all these locations, nothing completely stops these annoying SPAM-ing jerks. Invariably, when I trace back the IP addresses of these SPAM attempts with nmap and check the running OS I see something like this:

Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP2, Microsoft Windows XP SP2
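As an added example (not code from the original post), here is a small Python parser for saved nmap OS-detection (-O) text output of the kind shown above, tallying the detected OS family per spam-source address and keeping hosts nmap could not fingerprint as “undetected”. The scan text, the 192.0.2.x documentation addresses and the family list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of saved `nmap -O` text output (documentation addresses,
# not a real scan); only the report shape matters here.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP2, Microsoft Windows XP SP2

Nmap scan report for 192.0.2.20
Running (JUST GUESSING): Linux 2.6.X (90%)
OS details: Linux 2.6.18 - 2.6.32

Nmap scan report for 192.0.2.30
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
RUNNING_RE = re.compile(r"^Running(?: \(JUST GUESSING\))?: (.+)$")
DETAILS_RE = re.compile(r"^OS details: (.+)$")

# Prefixes nmap uses for the OS families this post talks about (assumed list).
FAMILIES = ("Microsoft Windows", "Linux", "FreeBSD", "Apple Mac OS X")


def parse_nmap_os(text):
    """One record per host: ip, running, details, guessed (None where nmap had no match)."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "running": None, "details": None, "guessed": False})
            continue
        m = RUNNING_RE.match(line)
        if m and hosts:
            hosts[-1]["running"] = m.group(1)
            hosts[-1]["guessed"] = "JUST GUESSING" in line
            continue
        m = DETAILS_RE.match(line)
        if m and hosts:
            hosts[-1]["details"] = m.group(1)
    return hosts


def os_family(running):
    # Coarse family from the 'Running:' string; None means nmap had no match.
    if running is None:
        return "undetected"
    for fam in FAMILIES:
        if running.startswith(fam):
            return fam
    return "other"


def tally_os_families(hosts):
    return Counter(os_family(h["running"]) for h in hosts)
```

Feed it the saved output of one or more scans and the tally shows how many spam sources fingerprinted as each family, with guessed matches flagged separately so they are not over-counted.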

It seems another technically ignorant Microsoft user, or dare I say “administrator”, has zero clue how to secure an internet facing operating system. (By the way, saying these folk are ignorant is not a slur on their character, because ignorance can be cured.) You see, when a company designs an operating system so mediocre and so “easy” an ignorant person can use it to connect a computer to the internet, you get ignorant people connecting computers to the internet. This in and of itself is not necessarily a Bad Thing™. Unless the operating system in question has flawed design decisions from its inception that leave the OS open to attack when connected to the internet by ignorant users. (Psst, meaning Microsoft Windows from 1985 to now.) Yes, all the Microsoft “guru” types out there are gnashing teeth and insisting Microsoft operating systems can be secured. Yup, I agree. But not by the technically clueless who are coddled by intellect smothering GUI love, which means the majority of Microsoft users.

Too many Microsoft users have been taught the attitude, “I don’t want to have to learn something ‘hard’, I just want this thing to work,” when talking about computer systems. This brings to mind one of my favorite paragraphs from a book I have read more than once:

“Would you fight so with a sword? No? I thought not! You would try to cut your enemy even as his blade split your heart. That is the Angrezi vice; you would rather die than go to the effort of thinking. You are not stupid, but you are lazy —” He touched the side of his head to show what he meant. “You will toil like bullocks with your bodies rather than make your brains sweat.”

David bar-Elias to Athelstane King after King “gives up” during a chess match with Elias in The Peshawar Lancers by S. M. Stirling.

Unfortunately, since Microsoft systems always use a brain atrophying GUI for Every Freaking Thing, the ignorant users are usually not taught how to think for themselves. So these people rarely know the hows and whys of network security or how to parse and solve network problems with their own brain. The GUI keeps these poor people ignorant. If “it” is not in a GUI, “it” is not possible or even knowable as far as many of these folks are concerned. Substitute some network security task for “it” in the previous sentence. (Hey, you. Yeah, you over there using that Microsoft OS. That is a multifunction tool called a computer, not a microwave oven or a toaster or a television set. Get an OS that can teach you that.)

Further, when basic design decisions are made that start off without any thought of security for this same operating system you get an operating system that is easy to suborn, regardless of the endless Microsoft Patch Tuesdays. Anti-malware is a bandage at best, because anti-malware is primarily retroactive. Anyone who is honest will admit that there are attacks that get through anti-malware on Microsoft systems all the time. Not every Microsoft system, because eventually the anti-malware vendors catch up. But if one is the first to get a new “infection”, one’s “heuristic” anti-malware has a fair chance of not catching a new malicious package introduced through that “Excellent FaceBook Page!!!11!!” one just visited with Internet Explorer. (For the record, it is not a “PC Virus”, sweetie, it is a “Microsoft Windows Virus”.)

Add to this heinous equation all the clueless Microsoft users and Microsoft “administrators” clicking their way to GUI Nirvana to realize a world-wide network nightmare called Microsoft Bot-nets, Microsoft SPAM relays and other Microsoft related malware spewing sewers. Here have some Microsoft based SPAM, or a Microsoft based DOS attack. Isn’t mediocrity just Totally Sweet?

When a company promotes ease of use mediocrity over security for its operating systems, perhaps its operating systems should not be allowed on the internet. I’m just saying …

Notice: All comments here are approved by a moderator before they will show up. Depending on the time of day this can take several hours. Please be patient and only post comments once. Thank you.

GNU/Linux: Don’t Call Them PC Viruses

I use a PC. Actually, I use several PCs. My small business has 5 tower PC systems and 1 laptop PC system. All of these are what is called a PC. Any computer that can be purchased by an individual and used by said person for personal "stuff" is by definition a Personal Computer, also known as a PC. That includes Apple's personal computers, known as "Macs". All of these devices are PCs.

So, we all can agree that all of these devices are PC systems. The fact that malware is written primarily for PC systems is a given and is well reported in the news. The fact that malware is written primarily for Microsoft Windows based PC systems is often not reported. When such a connection is made in the press or on a Microsoft friendly web site then the caveat is often added that Microsoft Windows suffers from popularity. The argument is that because Microsoft Windows is so ubiquitous it gives a good "Return On Investment" to malware writers. Supposedly these malware writers do not target other operating systems because they want to get the most bang for their buck. I call that hogwash. The reason Microsoft Windows is so often successfully attacked is because of its flawed security design. I run FreeBSD Unix and Mandriva GNU/Linux on my PC systems. I keep my systems patched with up to date bug fixes and security fixes. I will not install software that I do not know from whence it originates. I do not run any anti-virus software and yet I will never get a "PC Virus" on these systems. There is no such thing as a "PC Virus"; call them "Microsoft Windows Viruses" or "GNU/Linux Viruses" or "Apple OS X Viruses" depending on the operating system which they successfully attack. Don't call them "PC Viruses".

What is a Virus? I refer people to this definition when asked: The Difference Between a Computer Virus, Worm and Trojan Horse. So, a Virus must be able to be shared and operate easily by user to user transfer to be successful.

All PC systems are targeted for attacks regardless of the operating system. Do not believe any person who says otherwise. The only difference is that some systems are attacked successfully more easily than others. Those more easy systems are almost all Microsoft Windows based PC systems. Anyone who has monitored an internet facing server of any type knows that systems connected to the internet are constantly probed for weaknesses in their open services. (Thank you China, may I have another?) These probes are often looking for unpatched services with known flaws that can be exploited. This is true of Unix, including OS X, GNU/Linux and Microsoft Windows based servers. Any of these open services that are not kept up to date can potentially be exploited. The only mitigating factor would be the underlying operating system on top of which the services are running.

If an attacker can get a root shell prompt, root being the "administrator" account, by exploiting a service flaw on a Unix or GNU/Linux system then the game is over; the attacker basically owns the system at that point. Further, since internet facing systems are often servers that handle traffic for a handful of users up to thousands of users, these would be a cherry to pick that is much more "tasty" than some lone PC or even dozens of PC systems. So why do we read so much about successful Microsoft Windows based malware attacks yet read so little about malware exploits of internet facing servers? Well, most of these are running some form of Unix or Unix-like operating system, such as GNU/Linux. The security by design nature of these Unix based systems makes them a very tough nut to crack. Only the really, really smart attackers can figure out how to exploit these systems. The chance of exploiting very many is low because all one has to do to keep an internet facing server "safe" is make sure it is running a Unix based operating system and keep the open services that face the internet up to date. (Yes, I know one can maybe do this with Microsoft based servers too, but they are not in the majority when it comes to internet facing servers.) The majority of system administrators managing internet servers know this. Creating a Virus that can successfully attack these systems using the definition above is likely possible, but spreading it very much is not probable. Just because something is possible, writing a Virus for GNU/Linux, does not make something else probable, the easy spreading of said GNU/Linux Virus. So, attackers that target Unix based systems have to give them personal attention in most cases to find a successful attack vector. These folk are known as Crackers and are a different breed from the plethora of malware writers. Like malware writers, Crackers are slime; they are just a smarter level of slime.

What we Unix and GNU/Linux folk worry about most are Crackers, Worms and Trojan Horses. Of course if one keeps service applications like BIND domain server, Apache web server, Postfix mail server, CUPS print server and so on up to date the probability of a successful Cracker or Worm attack is very low. If one uses only secured sources for installable applications and updates the probability of a successful Trojan Horse attack is also very low. Again these would not be called "PC Crack", "PC Worm" or "PC Trojan Horse". They would be called by the service they successfully attack, such as a BIND Worm that exploits known flaws in unpatched versions of BIND or an Apache Crack that allows a Cracker to successfully "get root" through an unpatched Apache web server. Do these attacks succeed? Yes they do sometimes. But they are much less successful than Viruses that are written to take advantage of user ignorance and Microsoft Windows design flaws.

So, if we ever do see a successful GNU/Linux Virus "in the wild" we will call it a "GNU/Linux Virus". As unlikely as that scenario is due to the mitigating factors that make up the security by design model used with GNU/Linux. Or will all you people that insist on calling Microsoft Windows Viruses by the misnomer "PC Virus" also insist we call a GNU/Linux Virus a "PC Virus"? Suuuure you will.


