Slapper, one of the best known worms for Linux, is three years old tomorrow. It caused an outbreak back in 2002. This anniversary started me thinking about Linux malware:
Before Slapper, Linux viruses had been around for a while. Bliss, a virus which appeared in 1997, was the first to demonstrate that Linux was vulnerable to viruses. And once Bliss opened the door, other types of malware followed.
Many Linux viruses infect ELF [Executable and Linkable Format] files, the most common Linux file type. However, this is not the only technique. Some viruses use Unix shell scripts which are supported by most Linux distributions. These are powerful and easy to write. The Ramen worm, for example, uses known system exploits to gain root access to vulnerable Linux servers and then employs ELF binaries and shell scripts to find other servers to infect.
The number of Linux threats has increased slowly. But they have grown more sophisticated. Multi.Etapux, for example, is a complex polymorphic virus which uses entry-point obfuscation to evade detection. It is also able to infect Windows 32 PE files as well as Linux ELF files. There are also Linux threats which exploit system vulnerabilities in order to attack. The Slapper worm, for example, utilizes a known vulnerability in the Open SSL library to infect Apache web servers. And the Adore worm uses a random port scan to identify systems that have a root access vulnerability in the BIND.DNS service on Linux servers.
Linux virus writers (and all other Unix flavours) face quite a few difficulties. For example, to modify ELF binaries, it’s necessary to have root administration rights. And there may be specific dependencies related to specific Linux versions, making it hard for a virus writer to create a single virus for all implementations of Linux. But such obstacles can be overcome. The use of scripts, for example, makes a virus or worm less dependent on a specific Linux distribution. One of the early Linux viruses, Staog, uses a vulnerability to get root access to the system. Slapper uploads itself as a uuencoded source file. It then decodes and compiles the source into an ELF binary, re-compiling itself using a local copy of the ‘C’ compiler.
So why hasn’t there been more malicious code for Linux? The dominance of Windows, particularly as a desktop operating system, is the key reason. Malware authors want the biggest possible bang for their buck so they target the operating system that is most widely used. Linux simply isn’t widespread enough to be a serious target – at the moment.
That said, the use of Linux as an operating system is increasing, partly due to the popularity of Linux distributions such as RedHat and SuSE. Currently there are 712 pieces of malware that target Linux. This number will almost certainly increase as the popularity of Linux itself increases.
And one other thing to consider – more and more organizations are starting to use Linux alongside Windows, with a Linux file-server storing Windows applications. These files can be infected at desktop level, with infected files then being stored on the server. Organizations must therefore accept the necessity of scanning the Linux server to protect against malicious code attacks.