Re: Linux (in)security (Was: Re: Re: No Subject)

[Paul Schmehl <pauls () utdallas edu>]

--On Wednesday, October 22, 2003 6:00 PM -0600 Bruce Ediger 
<eballen1 () qwest net> wrote:
> The real questions go something like:
>
> "Source code for Unix viruses has been available for years, from sources
> almost too numerous to mention.  Why haven't Unix viruses become epidemic
> the way that Windows viruses have?"
The usual argument is that Windows is more ubiquitous than Unix and is 
therefore the target of choice.  I would argue that the *real* reason is 
that Windows is more ubiquitous as a *desktop* operating system and is 
therefore the target of choice.  However, that's changing.  Linux is 
gaining in the desktop space and so is Mac OS X, which is really "exposed" 
for the first time.  By that I mean that previous Mac OSes weren't as 
easily attacked remotely because they used Appletalk rather than TCP/IP. 
(Yes, Macophiles, I know TCP/IP was available before OS X.)

The real key to prevalence of malware, IMNSHO, is the ease of attack *and* 
the potential pool of victims.  People think it's really stupid to "surf" 
the Internet using an administrator account on Windows.  Well what do you 
think the neophyte Linux users are doing?  I seriously doubt you'll find 
many that have a regular account and use su or sudo to do administrative 
tasks.  They're bound to run in to something sooner or later that they find 
irritating (like being prompted for root's password every time they try to 
run up2date on RedHat) and they'll do the same thing they always do on a 
desktop system.  They'll start logging in as root because they don't get 
"pestered" by all those warning messages and they can install software any 
time they want.  (Mind you, Windows still has a long way to go in that 
regard.  MS doesn't make it easy to run as an unprivileged user, that's for 
sure.)

And when folks are on the net, logged in as root, on a Unix box, they're 
just as susceptible to worms and viruses as any Windows user is.  All it 
takes is some momentum in the desktop space and the stats will change. 
When the average desktop user can figure out how to burn CDs, listen to 
music and print on *nix as easily as they can do it on Windows, you'll see 
more and more malware for *nix as they move over to it (if they do.)

Now I am *not* arguing that Windows is the best OS to use (or even a good 
one for that matter) or even that Windows is no easier to attack than *nix. 
But worms and viruses will follow desktop users, not OSes, no question 
about it.

> "Security problems of the same magnitude as .ida buffer overflows, or
> MSRPC buffer overflows exist in unix programs like Sendmail and others.
> Why hasn't a worm materialized for this problem?"
Because unpatched apache isn't installed *and* running on *nix boxes by 
default.  We had 90 boxes hit by Code Red.  Only one was an "IT" box, and 
that one had just been installed and was *at* windowsupdate when it got 
infected.  Of the other 89, all but three were desktop systems.  When Nimda 
hit, we had 40.  All 40 were desktops.  People who know what they're doing 
don't get infected with that crap.  People who don't, do.  What OS they're 
using is irrelevant.

> "The scalper worm didn't effect nearly as many hosts as msblast did.
> Why not?  Why did the scalper worm seem to die out, yet wormwatch.org
> still records many hits from much older worms like SQLSpida and Nimda?"
Because desktop users don't patch.  Scalper didn't make much headway 
because *very few* desktop *nix boxes run Apache, and servers that do are 
admined by people who understand the need to patch.

Remember the SunOS.Poisonbox.worm?  That made pretty good headway on 
Solaris boxes and can still be found today.  What did it attack?  Sadmind, 
which few server admins would ever run and far fewer would run unpatched. 
Only desktop users have that on and don't want to be bothered with 
patching.  And they got infected.  Every *nix infection that I've had to 
deal with has been a desktop system, not a server.

Why do you think wuftpd is so heavily attacked?  I think it's because it's 
had many holes *and* lots of desktop users run it because it lets them 
easily move files around.

> And I guess you can generalize and ask why the Windows "culture" generates
> so many problems of such a magnitude, that last so long?  My home office
> web server got a Code Red hit on Sept 19th 2003, for example.  Other
> computing cultures (Unix, Mac, etc) don't seem to exhibit this.  Why not?

Well, historically *nix was for the clued in.  All others were excluded. 
And Mac wasn't easily exploited due to Appletalk.  But all that's changing.

KDE has been riddled with security problems.  Once the number of desktop 
users using KDE reaches critical mass (whatever that is) you'll start 
seeing more and more malware on *nix.  Malware follows negligent users, 
*not* OSes.

> Shouldn't we focus our efforts on figuring out what aspects of Linux or
> Mac cultures keep epidemics from occuring?  It's certainly a waste of
> breath to point out that OS X has horrendous security flaws when none of
> them turn into grotesque epidemics like Sobig.f.
Well, think about it for a minute.  You're going to write a virus that's 
designed to trojan machines so you can use them in a massive distributed 
spam network.  What do you attack?  The 5 million Mac machines worldwide? 
Or the 150 million Windows boxes?  If your rate of success is 1 in 500, you 
get 2,000 bots with Mac and 300,000 with Windows.  Which would you choose?

I don't doubt that there is some politicization in malware production 
(people who hate Gates and his OS and want to embarrass him any way they 
can), but most malware authors are simply trying to get the most bang for 
the buck, if you will.  They'll follow the desktop crowd wherever it leads 
them.  And they won't have any more difficulty infecting KDE users than 
they do Windows users.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html