Technical insight: Linux – new target for threats?
By Christopher Bray
When one thinks of malicious attacks on a business's network, most assume that the organisation has prepared by ensuring its network and nodes run the latest anti-virus software, backed by gateway protection, intrusion detection and, in some cases, intrusion prevention, firewalls and all the other tools necessary to prevent a disaster.
However, what happens in a Linux or “open source” environment? Is it a case of those users sitting back and smiling smugly, confident that Microsoft’s Windows systems are the only target? Think again.
It has been some years since the discovery of the first Linux binary virus, Linux/Bliss, and, slowly but surely, activity has increased as it became clear that Linux was vulnerable to attack. However, the dominance of MS Windows, particularly as a desktop operating system, meant that few virus writers focussed on Linux. The use of Linux as an operating system has since increased considerably, partly due to the popularity of distributions such as RedHat and SuSE, and as it has gained popularity, virus writers have “taken up the challenge”: viruses written specifically for Linux are gaining momentum.
Currently there are more than 100 known viruses that target Linux, and this number is likely to increase as the use of Linux itself grows. In addition, other threats targeting Linux have become apparent, such as worms, Trojans, denial-of-service (DoS) attacks and rootkits (collections of tools that a hacker uses to mask an intrusion and obtain administrator-level access to a PC or network).
But how does a Linux virus work, and what are the vulnerabilities within this operating system? Many Linux viruses and worms infect Executable and Linkable Format (ELF) files, which are the most common Linux executable file type.
These include regular file infectors that change entry points within the file and modify the host code.
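As an added example (not part of the original article), the following Python script implements one defensive heuristic for the entry-point-changing file infectors described above: it parses the ELF64 header and section table and flags a binary whose entry point does not fall inside .text. The sample ELF images it checks are constructed inside the script for illustration and are not real binaries.

```python
# Added example: flag ELF64 binaries whose entry point does not lie in .text,
# the anomaly left behind by entry-point-modifying file infectors.
import struct

SHF_EXECINSTR = 0x4        # section holds executable instructions
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, little-endian

def parse_elf64(data: bytes):
    """Return (e_entry, [(name, flags, addr, size), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_entry,) = struct.unpack_from("<Q", data, 24)
    (e_shoff,) = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 58)
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab_off = raw[e_shstrndx][4]  # sh_offset of the section-name string table
    sections = []
    for sh_name, _type, flags, addr, _off, size, *_rest in raw:
        end = data.index(b"\0", strtab_off + sh_name)
        sections.append((data[strtab_off + sh_name:end].decode(), flags, addr, size))
    return e_entry, sections

def entry_point_verdict(data: bytes) -> str:
    """'ok' if e_entry falls inside .text, otherwise a description of the anomaly."""
    entry, sections = parse_elf64(data)
    for name, flags, addr, size in sections:
        if size and addr <= entry < addr + size:
            if name == ".text":
                return "ok"
            exec_note = "" if flags & SHF_EXECINSTR else " (non-executable)"
            return f"suspicious: entry in {name}{exec_note}"
    return "suspicious: entry outside all sections"

def build_sample_elf(entry: int) -> bytes:
    """Constructed test image (not a real binary): .text at 0x401000, .data at 0x402000."""
    shstrtab = b"\0.text\0.data\0.shstrtab\0"
    shoff = 64 + len(shstrtab) + (-(64 + len(shstrtab))) % 8  # 8-aligned section header table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8            # ELFCLASS64, LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry, 0, shoff, 0, 64, 56, 0, 64, 4, 3)
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                  # SHT_NULL
    shdrs += struct.pack(SHDR_FMT, 1, 1, 0x6, 0x401000, 0, 0x100, 0, 0, 16, 0)  # .text (AX)
    shdrs += struct.pack(SHDR_FMT, 7, 1, 0x3, 0x402000, 0, 0x100, 0, 0, 8, 0)   # .data (WA)
    shdrs += struct.pack(SHDR_FMT, 13, 3, 0, 0, 64, len(shstrtab), 0, 0, 1, 0)  # .shstrtab
    body = ehdr + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs

if __name__ == "__main__":
    for entry in (0x401080, 0x402010, 0x500000):   # clean, redirected to .data, outside
        print(hex(entry), entry_point_verdict(build_sample_elf(entry)))
```

Legitimate binaries can place the entry point outside .text (custom linker scripts, stripped section tables), so a hit is a trigger for closer inspection rather than a verdict on its own.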
Other threats make use of UNIX shell scripts (code that, when embedded in a message, may be used to perform potentially damaging tasks not authorised by the user), which are supported on most Linux distributions.
They are easy to write but very powerful. Although traditional Linux users have a higher technical understanding of the operating system and might notice the presence of such scripts on the system, there is an increasing number of novice users migrating to Linux.
While the growth of Linux threats has been rather slow, the sophistication of Linux virus writers has increased. The W32/Etap.d virus, for example, illustrates this complexity: it is a polymorphic virus that uses confusing entry-point techniques, making it difficult to detect. In addition, the variant of this virus that first appeared in May 2002 is able to infect Win32 portable executable (PE) files as well as Linux files.
Linux has also become susceptible to “blended threats”: the Linux/Slapper.worm makes use of a known vulnerability in the OpenSSL library to infect Apache web servers. This is further illustrated by the Linux/Adore.worm, which uses a random port scan to identify Linux servers that contain a root-access vulnerability.
What has become apparent is that although threats to Linux are not as prolific as those to Windows, a trend is developing in which new techniques from virus writers first exploit Windows operating systems and, shortly thereafter, Linux operating systems.
It is also becoming increasingly common for organisations to use Linux alongside Windows, as a file server storing Windows applications. Since such files may become infected at the desktop and the infected files are then stored on the server, scanning at the Linux server delivers an effective multi-tier defence against malicious code.
That said, the best approach is to be prudent and ensure security measures are in place for Linux. Ignorance is never an excuse, and in the case of Linux users, over-confidence in the belief that Linux is impervious to threats could land one in hot water. A typical example is the recent buffer overflow vulnerability in Sendmail, a widely deployed mail transfer agent included in many UNIX and Linux systems. The vulnerability could allow an attacker to overflow a buffer and gain the opportunity to execute arbitrary code. However, using best practices and intrusion prevention methods, these attacks can be stopped by detecting the specific exploits, instead of sounding the alarm after the perpetrator has penetrated the network.
Christopher Bray is Network Associates’ Regional Director for sub-Saharan Africa. He can be contacted on Tel. 011-7075500 or by e-mail at mailto:email@example.com