Category: Antivirus Protection
Viruses, Microsoft and *nix

I'm wondering why there *seem* to be so few *nix viruses.

Do any people choose not to go the Windows (server) route because of the virus issue?

As a Mac user, I was often told that there aren't many Mac viruses because virus writers want to target as big an audience as possible, so when Mac went to Unix I thought that with Unix being around for 30 years and it being a major operating system within the internet I could expect to be hit by more viruses, but not one in 3 years. Why is that?

It's largely to do with popularity; not as many people use Macs, so no one writes viruses for them.

Originally posted by crazybloke
It's largely to do with popularity; not as many people use Macs, so no one writes viruses for them.

But that's just what I said. Unix is a hugely popular system and it's been around for 30 years, so it cannot be just that.

Unix is a hugely popular system that's run by people who know what they're doing.

Windows is a hugely popular system that's run by a lot of people who don't have a clue what they're doing.

BIG difference.

Originally posted by macgruder
I'm wondering why there *seem* to be so few *nix viruses.

Path of least resistance, MS is an easy target :)

The "popularity" argument doesn't hold water anyway. The perennial example of that is that Apache is much more popular than IIS and it's nowhere near as problematic.

Not only do *nix people tend to have a more intimate working knowledge of their system (because it's not locked away from them the way Windoze is), it's a better designed system and has undergone its stress testing. It handles permissions waayyy better than 'doze, has gotten away from the attitude of convenience before security, etc. There was a time when *nix systems were afflicted by scores of viruses and worms; it's just outgrown that stage (at this rate Windows will NEVER outgrow it though..).

I have to agree with the 'popularity' statement. After I read the above threads, I tried looking for the article about how Windows attacks are on the decline while Linux attacks are on the rise.

I believe this does have to do with popularity. The people that started using Linux a few years ago are now knowledgeable enough to know how to attack it.

The "popularity" argument doesn't hold water anyway. The perennial example of that is that Apache is much more popular than IIS and it's nowhere near as problematic.

Is this saying that since MAC is hardly touched compared to Windows that MAC is a solid, secure OS? I don't think so...

Originally posted by Stink Sleeve

Is this saying that since MAC is hardly touched compared to Windows that MAC is a solid, secure OS? I don't think so...

However, a great number of people that have switched to Mac OS X have been *nix users, including myself. Many people have gone under the "hood" and tweaked the BSD core for added security.

Where I used to work, there was only a single OSS zealot who still ran Mandrake, and only Mandrake, Linux on his laptop.

Generally speaking though, there is something to be said about using offbeat platforms. I had a job once where a bank was still using Alpha servers with Tru64 UNIX for the majority of the database. Why? The number of people that know much about Tru64 UNIX is extremely small. The threat/security analyst basically said, "Well, if they know the ins and outs of Tru64, chances are we don't stand a chance of stopping them no matter what system we deploy."

Now there is one fact about Linux, *BSD, and most OSS projects: when an exploit is found, it is usually patched within at most 2 - 3 days, usually hours, and most system admins know enough to go wget the patch and install it. I have seen installs at hotels that are still running NT4 SP3, and IBM and others have not upgraded their systems in probably two years. It's those systems that the coders can exploit and use in DoS and other attacks.

Originally posted by Stink Sleeve
I have to agree with the 'popularity' statement. After I read the above threads, I tried looking for the article about how Windows attacks are on the decline while Linux attacks are on the rise.

Of course, attacks aren't necessarily the issue though. Vulnerability to attacks is. Perhaps the above post proves the point made by Ctb: more Linux attacks but far, far less damage, it seems.

The Mac issue is a bit of a red herring - I was really asking about *nix in general.

It's not a matter of it being solid because it's ignored. Mac OS X actually has a pretty good number of stupid problems. It's a matter of it being unexploited because it's ignored; there's a difference.

Windows makes a convenient target for worms/viruses because it's so widely deployed and so homogeneous. On top of that, Microsoft's patching history is HORRID. From ignoring problems to slow turnarounds, broken patches to unrealistically large ones, many people find it very painful to update Microsoft systems. As a result, exploits for Windows tend to have a good deal of time to grow in the wild before they're unleashed. An attack on 1 Win9x machine will probably work on 90% of all 9x machines and 75% of all XP machines. The problem is that it IS exploitable in a wide environment whereas each *nix system is not; it's exploitable in its own little way.

*nix systems have a tendency to be far less homogeneous and so aren't typically exploited by worms or viruses anymore. *nix systems require you to dive in and get your hands dirty to pull off an exploit. For example, sendmail is a very popular, very broken application that runs on many, many *nix installations. However, rare is the occurrence of a worm or virus that can exploit it, because it often doesn't cross BSD/Linux/Solaris/AIX/OS X boundaries. Instead, most (if not 'almost all') of the sendmail exploits require you to actually get hooked up to the computer running the service and try to break your way in manually. This is far more difficult, so requires far more skill, and results in a loss of almost all the boring canned script-kiddies that can easily attack Windows. Also, you tend to have more security-conscious code slingers in OSS (probably due to the lack of marketroids telling them what to do) who don't do stupid things like embed VB scripting in spreadsheets. Windows has always taken the attitude that it was more important to be feature rich than safe, and *nix has gone the other way. As a result, you get bloated, hole-riddled behemoths on Windows like Outlook and Word, and you get lots of little applications that can be chained for functionality on *nix. Since each little piece was written independent of all the other pieces, you have fewer tie-ins and less opportunity for wide-spread exploits.

Exploits on *nix exist; they just can't be exploited as easily most of the time. Windows, on the other hand, by design, is very easy to break using canned methodology because of its insistence on convenience and 'make it familiar'.

The argument that it's exploited because it's popular just doesn't have any solid ground to stand on, really. Bear in mind that the juiciest targets on the web are nearly all running something from the Unix family tree and they don't really get hit by normal exploits too often (DDoS.. yes.. but that's something that afflicts ALL systems).

I might note that the only thing that can be excused is viruses sent via e-mail. There really isn't much of anything that can be done about home users opening infections unless we can get them to stop doing it (although heterogeneous *nix systems would again make this type of exploit more difficult to pull off in as widespread a way as we see Windows attacks work). But then, that's where *nix shines again: by setting the proper executable restrictions on your filesystems, admins in a corporate *nix network can prevent these infections right at the source, the user. The same can (sort of) be done with Windows now, but it's usually such a hassle because it causes problems running other things that it's not a very good trade-off.

Sorry... there's really no good reason to believe that popularity has anything to do with the widespread exploitations on Windows and not *nix....
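The "executable restrictions on your filesystems" mentioned above are, on Linux and the BSDs, usually the noexec/nosuid/nodev mount options on filesystems that ordinary users can write to. The following audit script is an added example (not code from the thread or from any poster); it parses a constructed fstab fragment and reports user-writable mount points that lack those options. The set of user-writable mount points and the sample fstab are assumptions for the example.

```python
"""Audit /etc/fstab-style mount entries for user-writable filesystems
that can still execute files (added example, not from the thread)."""

# Mount points ordinary users can normally write to. Assumption for this
# example; a real audit would extend it to site-specific paths.
USER_WRITABLE = {"/home", "/tmp", "/var/tmp", "/dev/shm"}

# Options that stop files on a user-writable filesystem from being run
# directly (noexec), run setuid (nosuid) or used as device nodes (nodev).
REQUIRED = {"noexec", "nosuid", "nodev"}

# Constructed sample fstab; not taken from any real host.
SAMPLE_FSTAB = """\
# <device>   <mountpoint>  <type>  <options>                     <dump> <pass>
/dev/sda1    /             ext4    defaults                      0 1
/dev/sda2    /home         ext4    defaults,nosuid,nodev         0 2
tmpfs        /tmp          tmpfs   defaults,noexec,nosuid,nodev  0 0
/dev/sda3    /var/tmp      ext4    defaults                      0 2
tmpfs        /dev/shm      tmpfs   defaults,noexec,nosuid,nodev  0 0
"""


def parse_fstab(text):
    """Return a dict mapping mount point -> set of mount options."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; a real audit would flag it
        _device, mountpoint, _fstype, options = fields[:4]
        mounts[mountpoint] = set(options.split(","))
    return mounts


def audit_exec_restrictions(text, writable=USER_WRITABLE, required=REQUIRED):
    """Return sorted (mountpoint, missing-options) findings for writable mounts."""
    findings = []
    for mountpoint, options in parse_fstab(text).items():
        if mountpoint not in writable:
            continue
        missing = required - options
        if missing:
            findings.append((mountpoint, tuple(sorted(missing))))
    return sorted(findings)


def hardened_options(options, required=REQUIRED):
    """Return the option string with the missing restrictions appended."""
    present = options.split(",")
    extra = sorted(required - set(present))
    return ",".join(present + extra)


if __name__ == "__main__":
    for mountpoint, missing in audit_exec_restrictions(SAMPLE_FSTAB):
        print(f"{mountpoint}: missing {', '.join(missing)}")
```

The check covers only what the mount options themselves enforce: noexec stops the kernel from executing a file on that filesystem directly, but an interpreter invoked explicitly (`sh /tmp/script`) still reads it, so the option is one layer, not a complete control. On a running host the same options can be applied without a reboot with `mount -o remount,noexec,nosuid,nodev /tmp`, and the current state is visible in `/proc/mounts` in the same field layout the parser expects.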

My wife uses my old Mac to go online. I have SAM (Systematic Antivirus for Mac) on it, which I've had since the late 80's (now owned by Norton). I've never updated its virus definitions.

A couple years ago, after downloading a program online, it gave my wife a message that the program she downloaded was trying to modify another program. I told her it was probably a virus, so she hit the "deny" button and deleted the program.

There's been several times a virus has tried infecting my computer (if you can call less than a dozen "several") but each time, SAM detected and blocked it.

So why don't PCs use this type of virus protection? I can only guess that the Mac OS takes a more active role in file access than Windoze.

BTW: I no longer use SAM since I switched to OSX. But then again, I rarely download programs any more.

There are plenty of systems out there for the PC that do various "passive checking" to watch for viruses independent of patterns.

Watching for unauthorized resource access attempts and fingerprinting original executable file sizes then watching for changes are two big ones.

Again... exploit != virus. Viruses take advantage of exploits and proliferate well on Windows platforms due to its homogeneous nature and core design flaws. Exploits in general exist anywhere, including *nix systems, but are less likely to be effectively leveraged with canned attacks on *nix due to design discrepancies and, more so, developers of those systems taking an active role to try and prevent people from being able to cause damage in that type of manner. It's that sort of thinking that makes *nix generally more difficult to use, but much, much more secure in the hands of a competent *nix professional than Windows in the hands of an equally competent Windows admin. The first breed of virus and worm all proliferated well before Windows came into existence. The Unix folks took heed and started beefing up their defenses and making smart design choices. Microsoft, on the other hand, went the route of convenience for its users and is paying the price. They're just starting to learn this (they're "fashionably late" to every party...), but it's going to be impossible for them to actually build a secure system unless they ditch the existing kernel and rethink their system from scratch (unlikely since they've built themselves up by building systems for grannies and it's tough to create a system that's easy to use, secure, and actually does something).

One of the biggest problems with Windoze is that everything is run as the "root" user. That is just way too much control over the computer, and your average person does not have the knowledge to use that properly.

For example (these are actual quotes from customers):

But I want to install the calendar program, gator, and my porn dialers, I don't care about the spyware, but it's slowing down or disabling my internet connection.

Or.... I have antivirus, what do you mean it has to be updated, I only bought it a year ago. Oh, I turned off the automatic updates, they slowed down my surfing, and I disabled the antivirus software, it slowed down my computer. I only open email attachments and programs that are from friends. Can I still get a virus?

The fact that it is sooo easy to install and mess around with Windoze is one of the biggest reasons the viruses get through. I don't know that there is a way of having it both ways.

On most of my XP and 2k networks users can't install anything, or change anything. They can only open the programs installed for them. Very few problems.

One of the biggest problems with Windoze is that everything is run as the "root" user.

That's the biggest "core design flaw" I was thinking of at the time, and another major problem is the insistence on tying everything to the kernel so that problems have a chance to worm through the system's tunnels. Monolithic kernels are OK if they're done right... but Microsoft seems to have this bizarre microkernel that everything then clings desperately to, to create a weird sort of monolithic system.... it's all just very odd....


They can only open the programs installed for them. Very few problems.

You lucked out. They tried that here in a limited test run and the **** hit the fan. People had problems opening things they should've been able to open and all sorts of other crap (much of it was related to the inherent design flaws in the software itself - some of it Microsoft - that say they must be run with full privileges).

Also, we're running a lot of NT4 boxes, so the best they can really do is scan for unrecognized executables and slap people's wrists for installing them. I've gotten lucky though: they let me have near-admin privs on my own box, so the only thing I can't do is muck about with the registry. Most other people can't really do ANYTHING without incurring the wrath of the BOFHs (which is good).

Agreed, 100%

As for the networks, I actually followed something I read somewhere. The network I read about disabled users' privileges completely. They couldn't even click File -> Open. I like that, oh how I like that.

I've also run into what your company ran into, the need for more privileges. I had wonderful plans of completely locking down a new network. I even got it all set up and working. Then a software consultant came in and installed the accounting software. Because of the software I had to give everyone administrator level on their workstations. And then the "consultant" said how we should switch from using Netscape for browsing and email to IE and Outlook. So much for my plans of security and reliability.......

>>It's those systems that the coders can exploit and use in DoS and other attacks.

A denial of service attack is not OS specific. Any OS can be a target or attacker. In the most lethal form it is mainly routers that are used to perform a DDoS.

>>Microsoft's patching history is HORRID.

They can't even patch their own servers. What hope do we mere mortals have?

>>they just can't be exploited as easily most of the time.

Code on EXACTLY how to exploit *NIX is not posted on every script kiddie's web page by rabid MS haters within minutes of the exploit being reported. Remember Blaster was for a reported exploit for which there was already a patch.

The reason the exploits are made public is however MS's fault. Years ago MS refused to fix a critical flaw. When the flaw was published MS was forced to fix the problem.

>>The argument that it's exploited because it's popular just doesn't have any solid ground to stand on, really

In a way it does.

These idiots are trying for the Warhol Virus (one that infects the 'net in 15mins).

If you were going to write a commercial desktop app for sale but can only do so for one OS, are you going to write it for *NIX or MAC, or for the OS running on 90% of your customers' PCs? It's about maximising your target audience.....

>>There really isn't much of anything that can be done about home users opening infections unless we can get them to stop doing it

Well, before the OS allows you to send similar mail to everybody in your list WITH an attachment, it could confirm with a message box. Not exactly hard to do.

Some of this stuff MS just does not want to fix. It motivates you to continue buying the new OSes (at 70%+ profit to MS).

>>On most of my XP and 2k networks users can't install anything, or change anything.

But this does not stop worms like Blaster. They can easily get admin access.

But this does not stop worms like Blaster. They can easily get admin access.

I wasn't trying to stop viruses, just protect users from themselves - Installing stupid screensavers, spyware, and other programs that cause problems.

For viruses I rely on firewalls, antivirus, etc. Sonicwall makes a nice firewall product that lets you disable any type of email attachment at the firewall just by specifying the extension - .pif, .exe, etc.
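Blocking e-mail attachments by extension at the gateway, as the post describes doing with Sonicwall, is simple to reproduce in code, and seeing it in code also shows its limits. The filter below is an added example (not code from the thread, from Sonicwall, or from any product mentioned): it parses a MIME message, walks every leaf part, and flags attachments whose final extension is on a block list. The .pif and .exe entries come from the post; the other extensions, the message contents and the addresses are assumptions constructed for the example.

```python
"""Extension-based attachment blocking for MIME mail
(added example, not from the thread)."""
import email
import os
from email import policy
from email.message import EmailMessage

# .pif and .exe are the extensions named in the post; the rest are
# assumed additions for the example, not a complete list.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".bat", ".com", ".vbs"}


def attachment_names(raw_bytes):
    """Yield (filename, declared content type) for every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # container; its children are visited by walk()
        name = part.get_filename()
        if name:
            yield name, part.get_content_type()


def blocked_attachments(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the attachments the gateway would reject, by final extension.

    The comparison is case-insensitive and looks only at the last
    extension, so 'Holiday.PIF' and 'report.txt.pif' are both caught,
    while the declared content type is ignored: senders control it.
    """
    findings = []
    for name, ctype in attachment_names(raw_bytes):
        ext = os.path.splitext(name)[1].lower()
        if ext in blocked:
            findings.append((name, ctype))
    return findings


def should_quarantine(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Gateway decision: hold the whole message if any attachment is blocked."""
    return bool(blocked_attachments(raw_bytes, blocked))


def build_sample_message():
    """Constructed test message: one blocked attachment, one allowed."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "check this out"
    msg.set_content("See attached.")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="Holiday.PIF")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, ctype in blocked_attachments(raw):
        print(f"blocked: {name} ({ctype})")
    print("quarantine:", should_quarantine(raw))
```

An extension list stops the common cases the post mentions, but nothing more: an executable renamed to `.txt`, or one placed inside a `.zip`, passes this filter untouched, so such gateways are usually paired with content inspection of archives and an antivirus scan rather than relied on alone.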

Not only that, Blaster got admin rights as an incidental side effect of dumping a service running as admin. I highly doubt it actively sought to escalate privileges.

I work in a business now that either owns or services a great number of kiosks in this area, and most run off of Win2k Pro with a kiosk program on top of that, but when I first started here the boxes were not locked down.

Even though the software was not "supposed" to allow people to download things, AIM, CASINO.net, and a few other programs that used exploits in MSIE caused some major headaches. The kiosk software on several of these terminals had to run on FAT32 and would not function under NTFS, meaning that locking down those boxes was impossible.

And even on the ones that require an administrator's password, there are still some apps that some how manage to bypass that and install themselves anyway.

Recently we switched to a Linux based OS that was designed for digital signage and kiosk usage, and the two test boxes have been running for 13 days and 23 days without a single reboot and no problems with downloads. Even if they would download stuff, it's not going to work. We will be switching all of the kiosks we own around here to the Linux based system over the next 6 months, and all future kiosks will be running the Linux OS.

As IT director, it makes my job a lot easier, since if it breaks, I have to stop whatever I am doing, go out and fix the damn thing. When the Blaster virus came along, two of our 14 kiosks got struck by it, so we had to go out, swap hard drives, format and ghost the infected drives. In the future when that *#$&# comes along, I won't have to worry as much, just fix the boxes we have service contracts with.

>>When the Blaster virus came along, two of our 14 kiosks got struck by it, so we had to go out, swap hard drives, format and ghost the infected drives.

Why?

It takes two minutes to delete the worm from the system32 folder and find, then delete its reg entry.
And another few minutes to download the MS patch.
