Tuesday, 26 November 2013

GNU/Linux: Is it immune to Malware?

When someone switches to GNU/Linux, one of the attributes commonly ascribed to GNU/Linux and other Open Source Operating Systems (that are free [as in freedom]) is that GNU/Linux is VIRUS- or Malware-free.

I have been answering some of the misunderstandings in this respect at multiple forums and lists; here is the comprehensive answer.

The truthful answer is YES: writing malware for GNU/Linux and getting it to execute there is possible.

I prefer the term Malicious Software (abbreviated Malware) to the obscure and rather obsolete term 'Vital Information Resources Under Siege' (VIRUS, which sounds like a poorly named movie).

Dissecting the malware situation for GNU/Linux and other Free or Open Source Operating systems may require a simple, yet unbiased approach.

These answers are not to deter you from using GNU/Linux, but to ensure that you, as a user, are informed of the facts without bias - either of the Proprietary OS community or the Free/Libre Software community.

Most security experts know the answers to these questions and consulting one if you have a serious requirement is best advised. The following is a series of questions that are either frequently answered with bias or left unanswered to let you make an assumption. The answers here are to ensure that your assumptions can be based on facts rather than fads.
Frequently Unanswered Questions

  1. Malware tries to render itself undetectable. Is this possible on GNU/Linux? Yes. (It is less easy.)
    • To spread Malware, one distributes code in obscure (proprietary/binary) formats - 'pirated software' being a favored medium, and one that is far less common for GNU/Linux.
  2. Can Binary-only packages be installed on GNU/Linux? Yes. (As long as we use multiple sources for application packages, we remain vulnerable. Not all of us run LFS or Gentoo.)
  3. Can GNU/Linux user-space and kernel-space memory get fragmented beyond use? Yes (permitting Worms.) - {Yet, a secure init could help one restore a running system, at the cost of having to signal all running programs. This wouldn't be too difficult even for a newbie. Keep watch on posts about recently published exploits and patch regularly.}
  4. Can a user-space program run with elevated privileges on GNU/Linux? Yes (look up the setuid bit and the 'chmod a+s' infamy. Hijacking 'sudo' is done less often, but with Ubuntu in such wide use, the binary or the call itself can be hijacked.)
  5. Can StuXnet, ZenNet, High Orbit Ion Cannon, Low Orbit Ion Cannon and such "remotely activatable DoS-ware" (Denial of Service software) be deployed in an exclusive GNU/Linux network? Yes. (They'd show up a little earlier [as Linux machines never respond to DHCP like MS/Windows machines] - but only if you're looking for them.)
  6. Can file formats be used to piggyback malware in GNU/Linux? Yes. (This includes ELF and DWARF - unless the Kernel used a secure executable identifier mechanism. In many kernels building a kernel module and inserting it is possible, only far more difficult, as kernel-version identifiers may easily prevent a module from being loaded.)
What does an Anti-VIRUS do?
  1. Recognize that there is malware attached to a file or a block on media.
  2. Attempt to identify the malware [pattern match].
  3. Eliminate the malware, leaving the original data (file or block) intact.
  4. If safe elimination failed, attempt to eliminate the file or block.
  5. If unsafe elimination failed, sound an alarm and announce that the situation seems irrecoverable.
(The tough part being steps 1 to 3 is why they end up as pricey software.)

PS: The usual trick is to throw the malware into the AntiVIRUS "monitor" app, and use it to infect the rest - easy piggybacking and privilege levels. This piggy-back makes it far more difficult for an AntiVIRUS program to run realtime on most operating systems (especially Win32/64 which still dominates desktops and laptops.)
Anti-VIRUS programs for GNU/Linux

ClamAV is shipped under the GPL. BitDefender is decidedly not: it is provided under a 1-year free-use license and is not open source software. I would not advise using proprietary binaries in GNU/Linux, as they themselves perpetuate the possibility of such infection.
These programs can scan files, mail and network connections for infections targeting Win32/Win64 environments, and clean them with relative ease from GNU/Linux.

There are fewer tools to detect malware targeted at GNU/Linux, as the "open" nature of the OS allows a fairly experienced user to identify a threat and take evasive action. There is, however, exploit malware available for GNU/Linux. Most tools can't detect infected code inside a kernel.

If you run ClamAV or another antiVIRUS program inside an infected GNU/Linux environment, it is sure to be rendered less useful or useless. An executable can even be gzipped (while it remains executable) to make it a lot more obscure to such a scanner, which looks for files that are executable in GNU/Linux environments. [We aren't even talking Windows here.]
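The gzip trick above defeats a scanner that keys on mode bits or file names; the countermeasure is to classify by content. The following scanner is an added example (not code from the original post): it reads the leading bytes of every executable file, looks inside gzip members for the ELF magic, and builds a constructed sample tree (an ELF header stub, the same stub gzipped, a shell script and plain text) to run against.

```python
import gzip
import os
import stat
import tempfile
import zlib

ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"

def classify_executable(path):
    """Classify by content: 'elf', 'gzip-elf', 'gzip-other', 'script' or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
        if head == ELF_MAGIC:
            return "elf"
        if head.startswith(b"#!"):
            return "script"
        if head.startswith(GZIP_MAGIC):
            fh.seek(0)
            try:
                with gzip.GzipFile(fileobj=fh) as gz:
                    inner = gz.read(4)  # decompress only the first few bytes
            except (OSError, EOFError, zlib.error):
                return "gzip-other"
            return "gzip-elf" if inner == ELF_MAGIC else "gzip-other"
    return "other"

def scan_tree(root):
    """Return {file name: kind} for every regular file under root with an execute bit set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found[name] = classify_executable(p)
    return found

def build_sample_tree():
    """Constructed sample: an ELF header stub, the same stub gzipped, a script and plain text."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    elf_stub = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # header fragment, not a runnable binary
    samples = {"plain": elf_stub, "wrapped.gz": gzip.compress(elf_stub),
               "runme.sh": b"#!/bin/sh\necho hi\n", "notes.txt": b"just text\n"}
    for name, data in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, 0o755)  # every sample gets an execute bit, as a mode-only scanner would see
    return root
```

A content-based check like this is what lets a scan from a clean rescue system (Knoppix or a forensic distro, as mentioned below) find what an in-place scanner on the compromised host would miss.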

To safely examine the contents of an "infected" machine, use "Knoppix".
You can take any of the "Rescue" distros from the list here -> Forensic distros are also available, specifically for intermediate levels of data recovery without high-end hardware equipment.
The Sysadmin Checklist for Security
  1. Partition your disk carefully: ensure that /sbin, /bin, /usr/bin, /usr/sbin, all corresponding /lib folders, and the configuration in /etc are read-only after your core installation [easier said than done].
  2. Run your own kernel and disable modules after you have all your hardware recognized. (If you have proprietary hardware like nVidia with proprietary drivers, don't use it unless you are sure that it is *free* of malware - you need security, not convenience - you can't have both.)
  3. Ensure that no executable files within your PC/ecosystem can get elevated privileges.
  4. Run a highly secure "init" (your /sbin must already be read-only).
  5. Send all your machine logs to a printer. [easy, but spends paper; dot-matrix with recycled paper is usually an affordable solution. If the intruder or malware cannot overwrite the logs, you will find it easier to determine an 'Incident'.]
  6. If this is a server/router used for administration, get rid of compilers and interpreters except for shells with low privileges. [sash (stand-alone shell) and rsh (restricted shell) are my preferences.]
  7. For workstation installation, you can use Fedora Core or Red Hat Enterprise Linux, which have an easier "Remote Administration" setup. (All other distros have it too, but enabling it during an installation is less easy.)
All the above can help far better than any antiVIRUS program.  
No antiVIRUS program is a match for a skilled intruder.
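Step 3 of the checklist and the 'chmod a+s' point in the questions above come down to knowing which files carry the setuid/setgid bits and noticing when that set changes. The following is an added example, not the post's own tooling: it records a baseline of set-id files right after installation, rescans later, and reports anything that gained the bit. The directory tree and names (usr/bin/passwd, tmp/helper) are constructed for the demo.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID

def find_setid_files(root):
    """Return {path relative to root: mode} for regular files with setuid or setgid set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: never follow a symlink planted to point elsewhere
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                found[os.path.relpath(p, root)] = stat.S_IMODE(st.st_mode)
    return found

def diff_against_baseline(baseline, current):
    """Compare a recorded baseline with a fresh scan and return (added, removed, changed)."""
    added = {p: m for p, m in current.items() if p not in baseline}
    removed = {p: m for p, m in baseline.items() if p not in current}
    changed = {p: (baseline[p], m) for p, m in current.items()
               if p in baseline and baseline[p] != m}
    return added, removed, changed

def _write(root, rel, mode):
    """Create a placeholder file with the given mode (constructed sample content)."""
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as fh:
        fh.write(b"#!/bin/sh\n")
    os.chmod(p, mode)

def build_sample_root():
    """Constructed tree: one expected setuid program and one ordinary binary."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    _write(root, "usr/bin/passwd", 0o4755)
    _write(root, "usr/bin/ls", 0o755)
    return root

def audit_demo():
    """Record a baseline, let the tree change, rescan, and report the difference."""
    root = build_sample_root()
    baseline = find_setid_files(root)
    # Stand-in for a later 'chmod a+s' on a file the baseline never had. a+s sets both
    # bits; setuid alone is used here so an unprivileged user can run the demo.
    _write(root, "tmp/helper", 0o4755)
    added, removed, changed = diff_against_baseline(baseline, find_setid_files(root))
    return baseline, added, removed, changed
```

On a real system the baseline is taken right after installation and kept off the box (the printer of step 5 works for this too), and mounting user-writable filesystems with nosuid makes any bit that does get set there inert.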
Susceptibility of GNU/Linux to Malware

The openness of GNU/Linux, for a skilled user, shows symptoms sooner and in enough detail to tell that things are amiss. Whatever renders malware more susceptible to detection is a significant deterrent. The fact that there are far fewer users of GNU/Linux has so far not started a malware escalation for GNU/Linux. Further, GNU/Linux packages distributed in source form for rebuilding permit the user to perform multiple checks and rebuild new versions without having to depend on third-party binary sources. This significantly reduces the opportunities for malware.

Users, especially the majority, seldom look into the health of the Operating System, which is the very reason malware manages to exist and propagate using simple replication techniques.

It is true that there are far fewer malware programs (in volume) for GNU/Linux, and almost none that I know of for FreeBSD and other BSD variants, which makes them ideal choices for staying clear of malware.

Yet Google-Android is GNU/Linux with a Virtual Machine running on top of it. With "rootkits" and "mods" available, the malware availability for Android (and therefore GNU/Linux) is on a steady but linear increase. This is held in check partly by Google's verified App Market.
Blaming the existence of Malware on proprietary software isn't correct, as the closed/proprietary nature is merely conducive to ease of distribution. I've seen many dismiss the very existence of malware on GNU/Linux, or label the threat infinitesimal, too often.
Threat Increase

Users need to know that malware can be written for Desktops/Laptops/Phones/Tablets/Routers and just about any device that can run an Operating System. Recently added equipment includes the In-Vehicle Infotainment systems of vehicles.

In many such scenarios, the "Embedded" Operating System in use is GNU/Linux or a variant, where the user has little option to exercise the "freedom" or experience the "openness", thus making it easier for malware to exist. Few of us have the time, when we buy a new Surveillance Camera, Wireless Router or DTH-Box, to inspect the OS contained within and confirm that it is free of malware.

In the "Embedded GNU/Linux" scenario, the onus to ensure that malware does not come prepackaged and cannot be added in as Over-the-air updates (App installs or upgrades) is with the Vendor of the device.