Debunking the "Linux is virus free" Myth

by on February 11, 2009 · 21 comments· LAST UPDATED February 11, 2009

in , ,

Is Linux is virus free? The author of foobar blog provides some insight about the same. Linux users can't just catch a virus by email or downloading malware from the Internet, contrary to "those Windows users".

From the foobar blog post:

Then you save an email attachment under Linux, the execute flag is normally NOT set and thus, the file can't be executed just by clicking on it. So, no luck?

Not so fast. Modern desktop environments, such as Gnome and KDE, conveniently offer a nice "workaround" called 'launchers'. Those are small files that describe how something should be started. Just a few lines that specify the name, the icon that should be displayed and the actual command to execute. Conveniently, the syntax of those launcher files is the same for Gnome and KDE. And those launchers don't have to have any execute permissions set on them! Desktop environments treat those files as a special case, so when you click on them Gnome or KDE will happily execute the command that was specified within the launcher description and without the need for the execute bit to be set on the launcher itself. Now we are getting somewhere!

Sure Linux is bit secure out of box, but Linux desktop is all together different thing. It is just matter of time, once Linux got popular crackers will target Linux desktop too (think of all those netbooks loaded with Linux). Right now there is not much protections for normal user account and users who will foolishly click on something in an email with attachments. However, SELinux or AppArmor may be used to protect the system.

Read more: How to write a Linux virus in 5 easy steps

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 21 comments… read them below or add one }

1 georgesdev February 12, 2009 at 7:00 am

I totally agree. Linux does not have as many viruses mainly because it does not have as many users.
I continue to not run an anti-virus though. I just don’t download and execute random files.
I do use a firewall and a good account password.
I do not use SE Linux because it gets in the way of getting work done. When I read reviews such as “SE Linux now has no more bad side effect” then I’ll use it.

Reply

2 ble February 12, 2009 at 8:08 am

i read this article a few days ago, and what that guy wrote is not a virus.. For a program to be classified as virus it needs to be self-replicating without user interaction.

Reply

3 jammrk February 12, 2009 at 9:57 am

That’s not actually true. The main reason why windows gets hit with viruses has to do with how windows handles permissions. Windows user’s are normally given admin level permissions out of the box, which is why a virus can infect the system so easily. This is not the case with linux. This is why you saw uac in vista. Also the thought that opensource software is not popular enough is just not true. The web runs on opensource software, Apache is the most deployed piece of software on the web.

Reply

4 George Kharmujai February 12, 2009 at 10:43 am

No one can say that there are no viruses in Linux, but imho i feel that there are viruses for linux too…but its just that due to Window$ popularity and that Window$ hating community that most viruses are aimed at Window$ only.. Moreover , who will want to crack a Linux system when its source is freely available and thats not the case for Window$ where its source gets locked up somewhere in the closet..

Reply

5 Tom February 12, 2009 at 1:48 pm

Not entirely true. It’s true that there _are_ viruses in Linux, but it is not obscurity alone. Sure, it’s a factor, and sure, part of the issue is that Linux users tend to be more savvy about who and what to trust. But the fact of the matter is that Linux is designed the be more secure than Windows.

Windows is broken by design with regard to viruses and malware. Users typically run as full privileged admin 24/7. And that’s really just one reason.
http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/

Reply

6 Henrik Nordvik February 12, 2009 at 2:36 pm

ble: No, it doesn’t have to be self-replicating to be called a virus. That’s the definition of a worm. Worm spreads, virus infects. This one is more like a trojan horse.

George Kharmujai: You ask who wants to crack a Linux system? I do, cause then I’d be rich :)

Reply

7 Tyrone Miles February 12, 2009 at 3:03 pm

Even if or when Linux gets super popular it’s still going to be hard to make viruses for Linux. One of the main ways you get viruses in Windows is because almost all Windows machines can do the same things. That is that you know if you send a file to someone it will execute the same on almost ALL Windows machines. On Linux that is not and never will be the case because of all the different Window Managers and desktops. Things are different on Gnome then KDE then XFCE etc. So now you will have to write your virus to address all these different environments if you want something that spreads on Linux.

Then on top of that even if you have a Suse, Ubuntu and Fedora machine all running Gnome lets say, all 3 will act different in some ways. Permissions on each are different by default, etc. Some use SUDO and others do not.

People say that “Windows is so popular which is why Windows machines get hit more” That is the case on the desktop. But lets look at servers. There are WAY more Linux and Unix servers on the internet then Windows servers, yet Windows servers still to this day have to be firewalled into the twilight zone to protect them. While millions of Linux and Unix servers are directly facing the internet. They are also facing the internet through software on Routers, Switches, Firewalls, Mail Servers etc. Yet the internet keeps going.

Why?? 1 reason is that a lot of the same issues that get Windows PC’s can get Windows servers. Where as Linux and Unix servers a lot of times don’t run GUI’s you eliminate that whole vector. Another reason is that when you do get something like a Worm or Trojan on your Linux machine the problem is contained to a users home directory. The problem is not always escalated to a whole system compromise.

Also we can see from the Mac market share rising that Viruses are still not an issue. Yes Trojans hidden in stolen applications (Like downloading iLife 09 from the net) are more of a problem. But yet still no Viruses that can replicate themselves and infect Mac’s like can happen on Windows.

I mean you can add a simple stupid IE toolbar to an application and boom you have a Trojan or keylogger. And sooooo many companies now add google, yahoo or other tool bars to their installers it’s not funny. People just install them. Then call me wondering why their PC is so slow on the internet. I look at their PC and see they have like 7 tool bars in IE! And at least 1 is always bootleg.

Oh and one last thing about market share. Yes there are more viruses and worms out for Windows then other OS’s because there are MORE Windows users to rob from. BUT even if people didn’t write malware for Windows the holes would still be in Windows. Also the security companies that find issues with Windows, also spend as much time finding holes in Mac OS and Major versions of Linux. Remember that 90’s of the holes taken advantage of in Windows are found by security researchers, not the malware writers themselves. If you look at security research sites a lot of times you will see that there are more security postings about Mac OS and Major versions of Linux BUT the problems found in Windows are always much more major. There are always many more Critical issues found in Windows then any of the other popular OS’s. That has nothing to do with market share. Market share does not make security issues, it just lends to having those issues taken advantage of faster.

Reply

8 furicle February 12, 2009 at 3:30 pm

Read the article. Basically it says ‘look – a user can destroy his own files by downloading and running a program’. Of course – he can just throw them in the trash too. Or type ‘sudo rm -rf /’ and enter his password. You can’t design a computer to run programs, then squawk when it runs a program that it’s a security flaw! yesh….

Reply

9 kgas February 12, 2009 at 5:18 pm

I agree with Tyrone more over to execute a .desktop file its mode has to be changed to executable. Now some Linux distros even removed the /home/user_name/bin folder from the default PATH to get any scripts executed.It is known that any security holes found are quickly patched up in GNU/Linux. As furicle mentioned it is the user responsible for what he is doing with his/her system :-)

Reply

10 omgirc February 12, 2009 at 6:34 pm

why not jsut place the blame where it belongs? when you have people who click anything and everything, your going to have people who write the code as to steal account info, game passwords, and email passwords. Instead of complaining about firewalls and vista this and linux that, how about an effort to educate people on what is and is not safe to click on the internet. i run 8 computer, 4 of which are windows with no firewall and no virus scanner. WHY ? cause i’m not an idiot who clicks every little thing that pops up on my screen. all 4 windows machines have been installed for over a year now and visual scans (cause antivirus’ are for the weak) show no signs of spyware or malware, or any type of noteworthy infections.

btw, cleaning out your browser history once daily is a good idea (hint hint window$ users)

Reply

11 sims February 12, 2009 at 11:52 pm

Viruses by traditional definition are self-replicating and do not exist as file but rather as infections of file. This is a “true” electromagnetic-virus. It’s like a biological-virus which doesn’t have cells but rather infects cells and duplicates with cells and spreads from cell to cell. I remember some of the coolest viruses lived in the boot sector.

Then came the Internet, bad programming, and n00bs. Now there are email “viruses”, browser “viruses”, etc. All this is actually malicious code. It’s just like writing a macro for Word that changes all your settings or deletes your letter. So you tell a user to open this cool macro you made, and there it goes, running as intended. There is a big technical difference on machines. However, depending on what you consider to be a “cell”, you change the definition. The problem with calling email “viruses” viruses is that they would be required to spread to other emails and live there. Rather, they run code on the email software and send out “spores” that plant themselves in other email software which will do the same. So in this case it’s more that the machine is a cell and the network is the organism. In that case, the network is sick and the infected machines must be cured or removed.

Remember, the platform has to be poorly designed in the first place in order for code to be written to make it do such things as self-duplication or other malicious things. This is why you should not use and software that relies on MS html engine or ActiveX engine. It’s utter rubbish.

Since the browser become somewhat of a platform, the more modern definition of electromagnetic-virus is becoming blurred. Though I must say that self-replicating is probably one requirement for a virus. If a virus does not spread, well, then it is really not a virus.

I understand the authors concern, and now that he mentions it, I can actually think of a few ways that a n00b might run an attached file in say, Kmail. I’m going to have a play with this at home. Fun!

Reply

12 sims February 12, 2009 at 11:56 pm
13 hiko2 February 16, 2009 at 5:42 pm

I think that when the quantity of linux users reach the point that viruses appear from now and then and start to become some problem worth of our time, the same linux users are going to be capable of taking care of them, as many of them are good programers Ubuntu(the distro I use) is updated quite often, they could share the update or way they use to get rid of the virus with the rest of the world, at least that is the way a real linux users would act.

Reply

14 Zombiiee February 17, 2009 at 5:28 pm

Moral of the story – use root when you have to, and never log into a desktop as root. So it can only hack your account but not root, though it can steal lots of private info…

Reply

15 Linuxrebel February 17, 2009 at 9:39 pm

Nope launchers won’t do it. Sorry this article is written by someone intent on FUD and short on knowledge. Having the launcher will only work IF the program and the launcher are both executable. Any e-mail reader in Linux (not running under wine) is not going to allow an attachment to be permissioned as an executable. They will be readable, writable but not executable.

So in order for the launcher to work it involves 3 steps.

1. chmod 755 launcher
2. chmod 755 execution file
3. click on the launcer

It would be a lot easier to just run the “I Love You Linux” virus listed below.

1. Delete all .gif .jpg and .png files from your box.
2. open your e-mail client
3. Send an e-mail with these instructions to every one in your contact list.

Same number of steps, just as likely to happen. In order to understand why this is true you need to understand the concept of privilege separation and how it is capable of mitigation of escalation.

Finally Not all computers are desktops. Windows does have the largest chunk of the desktop. So what, most computers are servers or control systems and in that realm Linux Rules, Unix provides and Windows gets the mail. When you look at the total realm of computers, Tron is still the most common OS and it never gets a virus. So the popularity thing really flies out the window. (no pun intended.)

Reply

16 r4v3n February 27, 2009 at 1:10 am

A post on running Windows malware in linux.

Reply

17 Jack Crow March 15, 2009 at 1:02 am

I’ll have to disagree with most of the comments agreeing with this article. The main problem with viruses on more popular Operating Systems is that there is no ‘root’ user and no password to enter to allow privileges to system files. Another good point to make is that, unlike Windows, Linux actually separates these files from the programs and documents you use most frequently.

This means the virus has absolutely no way of defending itself, or preventing you from getting rid of it. Also, you’ll need to file to be somewhere without root privileges on your hard drive allow this. So in theory, yes, you could create a virus. A virus that does nothing without your permission, and operates solely through a launcher based application that would require an observable impotus.

Most people who make viruses want something more out of it than to shout in the user’s face, “I got on your computer and you don’t know how! But if you wanna’ delete me, go ahead, it won’t be hard.”

They want to implement keyloggers and steal your information, or something that would benefit them beyond knowing they made a program that accomplishes nothing.

Linux has over 30 million users, so if it had security flaws anywhere near Windows’ issues then they’d have been exploited by now. Another main factor is that Linux is updated constantly, so if there were a threat it’d be gone within about a day of being reported, and be implemented through the kernel, not through a special third party software.

Just like Windows machines with excellent antivirus programs work effectively, so does Linux as its defense measures are built into the system itself. So even if it had the same issues as Windows, it would at any rate still be virus free.

I guess you could say my theory is as extreme as yours, but until disproven I don’t think we can say virus free is due to anything like a popularity contest. Only what’s observable should be taken into account.

Reply

18 Jimbo August 13, 2009 at 9:53 am

Thats not the point, all operating systems to some degree are vulnerable to a ‘normal user’ inadvertently executing some malicious code. The real issue is that this used to be pretty much the only way to get a virus onto a computer. Microsoft went and innovated a million ways to allow malicious code to execute without the user even doing anything. Microsoft essentially took HIV and made it airborne. A few years ago you could connect a fresh Windows installation to the network and watch it become infected in under 30 seconds.

Reply

19 Anonymous May 5, 2010 at 10:43 am

um, BULLSHIT.
Not a virus. Without privilige elevation your opportunities for effective replication are – none.
Nasty macro in a sandbox?
Nasty macro that will only work in a very, very limited number of sandboxes?
Viri in *nix is patently and demonstratively possible – but all that the article demonstrates could be summarised as:- idiot sets fire to own head, proves self idiot.

Reply

20 ActionScript 3 PRogrammer November 20, 2010 at 5:06 am

Dear sir,

This is bull shit. In Windows, its way too easy to put a program in startup of a system. In Linux, its not.

In Windows, any one can write a program which binds itself with any other executable, in linux, its not. You cannot even modify a file that you don’t have rights to modify.

Most importantly, more than 90% of the softwares that we do have for Linux are open source. So whatever anyone is making goes through everyone’s eyes.

These are the reasons which make it virtually impossible for any virus to come into a computer.

Reply

21 iNT13 November 21, 2010 at 12:18 am

Self proclaimed security experts should eat their own dog food. The level of ignorance displayed by some of the Windoof fan bois in these posts is hilarious.
Sophism is word they should try looking up in a dictionary, and while they’re there – look up “computer virus”. If your lips get sore here’s a summary:- self-replicating code. A worm is a form of computer virus that uses the network to propagate.
Your knowledge of *nix and Windoof is seriously deficient.
UAC does not protect your computer from malicious code – it reduces the damage done to your computer by the user (silent L) eg. *code* doesn’t need to physically move a mouse to elevate privileges. Yes, running as a member of Administrators increases the damage that malware can do – though that is not a problem unique to Windoof. It’s called “inheritance” and affects all OSs.
The problem with Windoof is that escalation of priveleges is made easy due to the authentication flaws – one window authenticates calls from another window by…. asking it (Fail!).
Numbers has nothing to do with whether an exploit is possible (more Windoof than Linux) – it just determines the value of a target for exploit developers, not the ease with which exploits can be developed. Hint:- Windoof is *not* the most common Operating System – it is not the operating system that is the highest value target. eg. access to the banking details of the average Windoof user is far less attractive to black hats than access to the Banks. But that’s the problem with ignorance – it’s used to dismiss what is not known on the basis of what some one wants to believe, rather than by empirical methods. Is French a language not worth anything just because some one doesn’t speak it? (does ATA_LOCK *not* work on Windoof?…).
Most of Windoof “protection” comes from add-ons. With *nix the privelege system is build into the core. Not that *any* OS is totally secure.
To say that Windoof is exploited because it’s more common just demonstrates ignorance…. what – more common on the desktop? It’s about as stupid as those that proclaim their Windoof machine to be clean. How do you know? I’m not a doctor, so I don’t “know” I don’t have cancer.
I “know” my machine is clean of ‘some types of malware’ by studying the logs of a transparent proxy and sniffers – not because I have a “gut feeling”.
I “know” that the examples of a ‘virus’ given here is bullshit, because I can understand what is meant by the term “virus” – through looking up the term and measuring it’s meaning against the examples given. Not through trying to justify some emotional investment in rubbish.
Not that *nix fan bois are free of ignorance either… “many eyes” does not guarantee that the eyes see and understand everything. And before other point out the problems from backdoors in compilers – Windoof is built from C too (most OSs are).
Windoof security problems are three-fold:-
A core built on a stripped/dumbed down copy of *nix (CPM)
A user-base with a silent L (who think Harvard architecture is an english building style)
A marketing model based on obsolescence (nearly twenty years of patching).

Pick a flavour of Windoof – measure the base install size, then add up the size of all the issued patches…. now think of Windoof as a car and patches as recalls. Is your car made of sand and spit?
In the land of the blind the one-eyed man is king, and if 16 million believe a stupid thing – it. is. still. stupid.

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , ,

Previous post:

Next post: