Many IT news websites have been reporting that there is a new proof-of-concept “cross-platform” virus for both Windows and Linux.

This is largely overrated. There are a couple of reasons why this type of virus poses no threat to Linux users:

  • Linux users cannot write to their installed applications, so the virus can’t infect the executable files (at least for non-programmer users)
  • Linux users get their software from a trusted source: cryptographically signed packages from their distributor. Fortunately there is no tradition of downloading untrusted shareware from random sites and running it (although autopackage works against this)
  • Linux distributions often compile their software using so-called “build daemons” and “personal package builders”, which build software in a cleanroom environment. While this was introduced to ensure that software can automatically be recompiled and to allow developers to have “unreleased” experimental software on their own computers, it also effectively prevents a virus from injecting itself into a distribution via an infected developer PC
  • Viruses (“traditional viruses”) that infect exe files are not too common anymore; all major virus attacks of recent years were “worms” using bugs in (Microsoft) software.
    Attacks usually only work with a specific version of a specific application (usually Outlook Express as shipped with Windows and Outlook from Office), but the Linux community is using too many different versions (the Debian package will be slightly different from the Fedora one, although the difference doesn’t play any role for the user) and too many different applications (there are tons of different email clients and browsers in use on Linux)

So overall, this threat is very theoretical.

However, the Linux community should consider defense mechanisms for this. Debian can already verify the integrity of most of its installed files via md5sums, but some tools (e.g. prelink, which improves application start times) modify the executables and thus their md5sums.
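As an added example (not part of the original post), here is a small POSIX shell check of the kind Debian's md5sums make possible. It reads a manifest in the `/var/lib/dpkg/info/<pkg>.md5sums` format (md5 hex, two spaces, path relative to the root), recomputes each file's hash and reports files that are missing or changed. The manifest path, root directory and function name are this example's own choices.

```shell
#!/bin/sh
# Added example: verify installed files against a dpkg-style md5sums manifest.
# Manifest line format (as in /var/lib/dpkg/info/<pkg>.md5sums):
#   <md5 hex>  <path relative to ROOT>
#
# verify_md5sums MANIFEST [ROOT]
#   Prints one line per MISSING or CHANGED file and returns 0 only if
#   every listed file matched its recorded checksum.
verify_md5sums() {
    manifest=$1
    root=${2:-/}
    bad=0
    # "read -r expected relpath" splits on the first run of whitespace,
    # so paths containing spaces still end up intact in $relpath.
    while read -r expected relpath; do
        [ -z "$expected" ] && continue
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $relpath (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Typical use on a Debian system (not run here):
#   verify_md5sums /var/lib/dpkg/info/coreutils.md5sums /
```

Two caveats a practitioner will hit immediately: a binary that prelink has rewritten shows up as CHANGED even though nothing malicious happened (prelink's `-y` option writes the original, un-prelinked image to stdout, which is what an integrity checker has to compare against), and the manifest itself lives on the same disk as the files it describes, so a check like this only catches tampering that left the manifest alone.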

A couple of measures we could or should probably take:

  • Run virus checks on uploaded software, as an extra safety net
  • Ship a basic virus scanner
  • Find a way to get the benefits of prelink without having to modify the executable files
  • Don’t encourage users to use autopackage and the like, but explain to them the concept of “trusted software” for virus protection
  • Log/alert on write attempts to /bin, /sbin, /usr/bin, /usr/sbin and other dirs that should only be touched by the distribution’s package manager
  • Add sandbox facilities, e.g. for web browsers and email programs (e.g. using SELinux)
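The write-logging item above can be implemented with the Linux audit subsystem. The following is an added example, not from the original post: a set of auditd watch rules for the package-managed directories, plus a small awk report that pairs each tagged SYSCALL record with the PATH record of the same event and prints which executable wrote which file. The audit records fed to it are constructed for this example (the field layout follows real auditd output, but the values are made up), and the key name `pkgdirs`, the function names and the dpkg allow-list are this example's own choices.

```shell
#!/bin/sh
# Added example: audit rules for package-managed directories and a report
# over raw auditd records. Rule lines would go into a file such as
# /etc/audit/rules.d/pkgdirs.rules (path is an assumption); nothing is
# installed by this script.
pkgdir_audit_rules() {
    cat <<'EOF'
-w /bin -p wa -k pkgdirs
-w /sbin -p wa -k pkgdirs
-w /usr/bin -p wa -k pkgdirs
-w /usr/sbin -p wa -k pkgdirs
-w /usr/lib -p wa -k pkgdirs
EOF
}

# Reads raw audit records on stdin and prints "EXE PATH" for each event
# keyed pkgdirs. Events are correlated by the msg=audit(TIME:SERIAL) id.
# Writes by /usr/bin/dpkg are dropped as expected package-manager noise;
# that filter is only noise reduction, since anything running as root
# could use the same path name.
report_pkgdir_writes() {
    awk '
    /^type=SYSCALL/ && /key="pkgdirs"/ {
        id = $0; sub(/.*msg=audit\(/, "", id); sub(/\).*/, "", id)
        exe = $0; sub(/.*exe="/, "", exe); sub(/".*/, "", exe)
        if (exe != "/usr/bin/dpkg") exe_of[id] = exe
    }
    /^type=PATH/ && /nametype=(NORMAL|CREATE)/ {
        id = $0; sub(/.*msg=audit\(/, "", id); sub(/\).*/, "", id)
        name = $0; sub(/.*name="/, "", name); sub(/".*/, "", name)
        path_of[id] = name
    }
    END {
        for (id in exe_of)
            if (id in path_of) print exe_of[id], path_of[id]
    }' | sort
}

# Constructed sample records (not captured from a real system): event 501
# is an editor writing /usr/bin/ls, event 502 is dpkg installing a file.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1139490000.123:501): arch=c000003e syscall=2 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="pkgdirs"
type=PATH msg=audit(1139490000.123:501): item=0 name="/usr/bin/" nametype=PARENT
type=PATH msg=audit(1139490000.123:501): item=1 name="/usr/bin/ls" nametype=NORMAL
type=SYSCALL msg=audit(1139490000.130:502): arch=c000003e syscall=2 success=yes exit=3 comm="dpkg" exe="/usr/bin/dpkg" key="pkgdirs"
type=PATH msg=audit(1139490000.130:502): item=1 name="/usr/bin/newtool" nametype=CREATE'

demo_report() {
    printf '%s\n' "$SAMPLE_AUDIT" | report_pkgdir_writes
}

# Run stand-alone: prints the rules, then the report for the sample.
pkgdir_audit_rules
demo_report
```

On a live system the input would come from `ausearch -k pkgdirs --raw` (or from /var/log/audit/audit.log directly); the point of keying the rules is that one filter selects exactly the events this report cares about.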

These measures could make it even less attractive to write attacks against Linux software.

I can’t assess the potential security issues we might “inherit” from the Windows platform by offering the Mono C# implementation. This basically means that some of the forthcoming malware for Windows will run on Linux, too. Only if users try to run their Windows shareware, of course.

[Update: another win32+linux virus, from 2001. No one cared, nothing happened.]