The SecureMe page: protection against virus, worm and network attacks.


As on every page of this site, the current issue is approached from different angles.

Paragraphs on this page are:

A little theory
Myths
Precautions
Linux experience for MS Windows users



A little theory.

Q: What's a virus?

A: A computer virus is a relatively small piece of machine code that resembles a biological virus in the way it "lives" in, spreads into, or damages the computer system(s).

It is located inside (often at the end of) an executable.
When the executable is run, the "virus" code starts replicating itself into other executables, critical or not. The criteria for choosing a target might be the "popularity" of the target file, or how unsuspicious it looks.

Cleverer viruses start damaging the system only after a period of operation, so that spreading has already been accomplished at a certain rate, which makes disinfecting the system more complicated.

Viruses choose programs that hold an executable role in the system, so even a library or a screensaver could be a target!

Viruses follow the "means of transportation" by which data flows in general.

In the early days of home or office computing, a virus commonly spread through a floppy disk: it infected the local hard disk, which in turn infected the many floppy disks that would later be loaded in other systems.

In the intermediate days of the first network activity through Bulletin Board Systems (again, for the average user), the infected files in the "download" area affected the users who downloaded them, often without any need to infect the BBS system itself. Why hurt the means of transportation anyway?

Nowadays, with the Internet being the most common network for the average user, viruses usually spread as file attachments in mails that have an "attractive" subject.

Q: Are there any other code "entities"?

A: Yes. Worms, scripts, network attacks and exploits are some of them.

Think of a worm as code (or an entire program) that does not want to spread locally, but simply to stay "alive" and do some "dirty" work: accessing files, running as a daemon for external control, stealing information, arranging to run again on the next reboot (by changing configuration files, the registry, etc.) and possibly trying to replicate to other machines.

A worm could be localized (an executable for the local platform) or portable (e.g. Java).

A script (an upper-level batch of commands, so a macro and JavaScript count too) can hurt the system by giving commands to a shell or a program.

Macros are not machine code, but may use the method of a virus, trying to spread into other documents.

A network attack can stall the network capability of a system, consume a vast amount of CPU power or exploit a service (or kernel) vulnerability.

This is a brief description, covering only general information, so that the countermeasures are easier to understand.


Myths


Myth 1: There are not many viruses in GNU/Linux only because it is less popular than other OSes.

Truth: Respecting the "Unix" tradition, all Unix (or GNU) compatible OSes have taken certain measures that prohibit the initialization, or even the spreading, of a virus or other attack.

1) The permissions and privileges.

The difference between root and a normal user is a very strong one.

All GNU/Linux distributions, as well as FreeBSD (the one and only BSD I have tested), take a certain precaution by default: first create a root account and, as soon as possible in the installation procedure, create a normal user account.

There are distros that do not make it mandatory in the installation procedure, but they either document it or target more experienced users who know about this issue.

While other OSes treat every user as "root" or give permission for Anyone to write Anything Anywhere, this is never the case in *nix.

Processes called by a user inherit the user's privileges.

So, if I, "foo", catch a virus, I can't spread it to any vital area, because all executables, libraries and system-wide configuration locations require "root" privilege for modification. Of course, my home directory can be damaged, but the system won't be.

Programs must have the executable bit.

Unix-like systems do not rely on file extensions to distinguish their executable files. Scripts and binaries must be given the executable bit (per owner, group and world/others) in order to run. If it is missing, an even more complicated command has to be used. So casual and automatic running is even harder.

2) General *nix Design

An example of that: when I call a program, the shell looks specifically for its existence in the PATH directories and not in the current directory. If I want to call bash, my shell will never look in the current location (unless I put it in the PATH environment variable), so running a command in the local directory by mistake would require a non-mistaken action: ./bash, or ". ./bash" if it lacks executable permissions.

But the PATH directories lie in root-privileged areas.

So accidental virus calls are far from possible.
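As an added example (not code from the original page), a small POSIX shell script that demonstrates the two points above: a fake "ls" dropped into a scratch directory is not found by PATH lookup, an explicit ./ls is refused until the executable bit is set, and a helper flags a "." (or empty) entry in PATH, which is the precaution listed later on this page. The scratch directory, the fake script and its FAKE_LS_RAN marker are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: a scratch directory gets a fake
# "ls" (a two-line script) to show that PATH lookup ignores the current
# directory and that an explicit ./ls still fails until chmod +x is done.

# Create the scratch directory with a fake, NOT executable, "ls" inside it.
make_fake_ls() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho FAKE_LS_RAN\n' > "$dir/ls"
    echo "$dir"
}

# Which "ls" does the shell resolve while sitting in that directory?
# Prints the path found through PATH (the system binary, not "$dir/ls").
resolve_ls_from() {
    ( cd "$1" && command -v ls )
}

# Call the local file explicitly, as a careless "./ls" would.
# Prints REFUSED while the executable bit is missing, RAN:<output> after it.
run_local_ls() {
    out=$( cd "$1" && ./ls 2>/dev/null ) && echo "RAN:$out" || echo REFUSED
}

# The precaution "." must never be in PATH: this also catches the empty
# entry (a leading, trailing or doubled ':'), which the shell treats as ".".
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Stand-alone demonstration: run as "sh script.sh demo"
if [ "${1:-}" = "demo" ]; then
    d=$(make_fake_ls)
    echo "PATH resolves ls to: $(resolve_ls_from "$d")"
    echo "./ls before chmod +x: $(run_local_ls "$d")"
    chmod +x "$d/ls"
    echo "./ls after chmod +x:  $(run_local_ls "$d")"
    path_has_dot "$PATH" && echo "WARNING: current directory is in PATH"
    rm -rf "$d"
fi
```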

Furthermore, because the *nix philosophy works more with scripts and the small programs already included in our distros, complicated operations are carried out without big, buggy programs and without open ports for remote procedure calls. And even then, never unauthenticated! And downloading possibly unsafe apps to do simple tasks is never needed!

Using only the simple tools, I can compress a partition, send it over the network to another host using encryption and store the compressed file as a backup there.
I can then uncompress it and mount it on the other host if I ever need to, or even mount it locally while "seeing" it over the network!

How many non-Linux, non-Unix platforms do you know that can do such things without needing special applications?

3) Short virus life.

Applications are either children of the ones that called them or of the "init" daemon, which is initially called by the kernel.

If you - root or user - actually "caught" a virus by calling an executable, how long do you think it will live after you log out from the shell that called it?

Therefore, the *nix design does not grant a virus operational longevity.

4) The concept of a portable project.

All projects in *nix - or at least the ones that concern the majority of us users - are distributed as source code and are free or open, completely or in some way.
The code is available for double and triple checking by thousands of eyes, 100 times more experienced than the writer of this page.

Therefore, it is virtually impossible for suspicious "malicious" code to escape notice.
So we would already know if a program were malicious, as opposed to other software "cultures", where even a "freeware" program would first have to be suspected in terms of behavior, investigated and finally marked as malware.

90% or more of our apps in Linux are Free/Open. Only some major applications (e.g. VMware, the closed-source edition of VirtualBox) and certain drivers are not.

5) Data integrity check.

When we download precompiled as well as source packages, we have the tools to double-check the credentials or integrity of the downloaded data.

One tool for credentials is the PGP key, which guarantees the validity of the package, given a trusted source.

The second tool is the md5 algorithm.

On serious sites, next to the package available for download there is also a string produced by the md5sum utility of the sender, which can easily be checked with the md5sum utility of the receiver.

Therefore, if I place my scripts in tar.gz format in a download area along with their md5 checksum AND I am a trusted source:

0ab67b49e8f47949c169da4be1c9ed55 scripts.tar.gz

when you download it you can issue the command "md5sum scripts.tar.gz" and the result will have to be the same.

If not, something has gone wrong and should be checked.
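The sender/receiver exchange described above, as an added example that is not part of the original page: the sender builds a package and publishes the md5sum line next to it, the receiver re-checks it with md5sum -c, and a deliberately tampered copy is shown to fail. The scripts.tar.gz contents and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: the sender/receiver md5sum
# exchange described above, with a constructed scripts.tar.gz built on the
# fly so that the whole thing runs offline.
# Caveat: a checksum hosted next to the package only proves the file arrived
# intact; a compromised site can replace both together, which is why the
# page pairs md5 with a PGP key from a trusted source.

# Sender side: build the package in a scratch directory and print the path.
make_package() {
    dir=$(mktemp -d)
    mkdir "$dir/scripts"
    printf '#!/bin/sh\necho hello from scripts\n' > "$dir/scripts/hello.sh"
    ( cd "$dir" && tar czf scripts.tar.gz scripts )
    echo "$dir"
}

# Sender side: the "<md5>  scripts.tar.gz" line published next to the package.
publish_md5() {
    ( cd "$1" && md5sum scripts.tar.gz > scripts.tar.gz.md5 )
}

# Receiver side: recompute and compare. Returns 0 on match, non-zero otherwise.
# md5sum -c reads the published line and hashes the file it names.
verify_package() {
    ( cd "$1" && md5sum -c scripts.tar.gz.md5 > /dev/null 2>&1 )
}

# Simulate a corrupted or tampered download by appending one byte.
tamper_package() {
    printf 'X' >> "$1/scripts.tar.gz"
}

# Stand-alone demonstration: run as "sh script.sh demo"
if [ "${1:-}" = "demo" ]; then
    d=$(make_package)
    publish_md5 "$d"
    cat "$d/scripts.tar.gz.md5"
    verify_package "$d" && echo "clean download: OK"
    tamper_package "$d"
    verify_package "$d" || echo "tampered download: MISMATCH, do not use"
    rm -rf "$d"
fi
```

MD5 is no longer collision-resistant; sha256sum accepts the same -c syntax and is the better choice where the site publishes it.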

6) Free & Open world and multiculture.

In general, because the free or open communities do not depend on marketing release dates and do not need to rush updates to the external characteristics of their projects, they have the time to pay more attention to the quality of the "mechanism".

Portable projects are many, and this pluralism gives exploiters a hard time, because without a monopoly, even if one program's security is breached it won't affect 99% of the users, as opposed to other popular applications on other OSes.

7) Experimenting.

We have to admit that, with few exceptions, viruses do not produce lethal results on our systems. So a virus designer, for example one who wants to experiment with the infiltration rate and the "epidemic" results of a virus spreading in the network, will choose the friendly ground instead of the unfriendly one.

And GNU/Linux, *BSDs and Unices are unfriendly ground for sure, at least for viruses and worms.

8) Gain.

The fact that other OSes are more popular is not an issue, because the average user's desktop does not hold any crucial data to be stolen (aside from a credit card number and minor information in general).

On the contrary, the gain from hacking a network server with crucial data that could hurt a lot more people would be many times higher for the attacker.

9) Chain of command in a *nix system.

This is like a logical trap:

If I want to plant a virus inside an experienced user's remote system, I must be root in it.
But if I am root, I do not need a virus to hurt the system anymore!

This really tells us that attacks on a *nix OS are more oriented to network-transferred data, worms, scripts and exploits, for the purpose of granting the attacker root access to the target system.



Let's now look at these issues along with a second myth:

Myth 2: My GNU/Linux box is immune by default to viruses, worms or any attack.

Truth: a careless *nix operator, user or root, has a lower chance than others, but still an alarmingly high one, of getting his system hacked.

There are service and kernel vulnerabilities that could be exploited, endangering the system.

Examples:

The NFS service relies on the authentication mechanism that all Unix-compatible OSes operate, but there are tools that may enable a malicious user to "alter" his user id.

Kernels have vulnerabilities, like any software. These could be exploited with programs that may not be detectable as viruses.

Every server is a potential hole, especially if configured to "listen" for requests from outside the LAN. Consider the X, print and telnet servers to be on the red list.

Ethernet, at level 2 of the OSI model (Data Link), is a broadcast medium.
If switches are not used, data transferred to a specific host on an Ethernet LAN is in reality traveling through the entire local network.

Almost every network card can be configured at a lower level to react to every frame on the wire, not just the ones actually addressed to the card.

Furthermore, packet sniffers exist, meaning programs that capture data traveling through the network to various destinations, and switches or routers cannot solve the situation.

So, unencrypted data may easily be captured.




Precautions:


root must appear rarely in the system.

it is better for root to log in from a separate shell, not via "su".

choose your potential sudoers carefully.

users must not hold executables in their home directories, or if they do, those must not be in the PATH of root and other users and, if possible, not even be accessible to other users.

the path "." must never be in the PATH environment variable.

always check the credentials of packages: e.g. md5sum, PGP key.

prefer to compile (although this does not grant total security).

prefer to keep sources under the ownership of a separate user that logs on only to compile.

trust projects whose source code is easily accessible.

trust official sites.

allow Java/JavaScript from trusted sites.

disallow external references in html formatted e-mail.

bounce, but do not reply to or unsubscribe from, spam.

prefer to view html e-mail in text mode (html source).

have an antivirus ready, especially if you host services for non-*nix OSes.

bring up a firewall.

close network ports that are not needed.

check the daemons and servers that run on the box.

edit /etc/hosts.allow, as well as other related configuration, for your needs.

use encryption for network-transferred data. SSH can be used even for X network data transmission.

when hosting shell services, prefer a separate machine or User-Mode Linux. Do not host shells on a crucial server.

regarding the NFS service, root should never have write permissions on other hosts. Don't use the "no_root_squash" option in the NFS server's /etc/exports unless you are perfectly sure of what you are doing!

regarding the SMB service, be careful with the "security = share" global option as well as the "guest ok" option in shares.
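As an added example (not from the original page), a shell script that audits the two configuration files the NFS and SMB precautions above talk about, reporting every export carrying no_root_squash and every "security = share" / "guest ok = yes" line in smb.conf, with the offending line beside the correct one. Both files are constructed samples, not any real host's configuration.

```shell
#!/bin/sh
# Added example, not from the original page: scan an NFS /etc/exports and
# a Samba smb.conf for the settings the two precautions above warn about
# (no_root_squash; "security = share" and "guest ok = yes"). Both files
# are constructed samples, not any real host's configuration.

# Constructed /etc/exports: one correct export, one that hands root away.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/exports
/srv/backup   192.168.1.0/24(rw,sync,root_squash)
/srv/scratch  *(rw,no_root_squash)
/srv/pub      192.168.1.0/24(ro)
EOF
    echo "$f"
}

# Constructed smb.conf: share-level security plus one guest share.
make_sample_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = HOME
   security = share
[public]
   path = /srv/pub
   guest ok = yes
[private]
   path = /srv/priv
   guest ok = no
EOF
    echo "$f"
}

# Print "<line>:<text>" for every non-comment export carrying
# no_root_squash, i.e. where a remote root keeps root rights on this
# server. Returns 1 when at least one exists, 0 when the file is clean.
find_no_root_squash() {
    hits=$(grep -n -v '^[[:space:]]*#' "$1" | grep 'no_root_squash') || return 0
    printf '%s\n' "$hits"
    return 1
}

# Same for Samba: "security = share" (no per-user authentication) and
# "guest ok = yes" (share open without a password). Returns 1 if found.
find_smb_weak_settings() {
    hits=$(grep -n -i -E \
        '^[[:space:]]*(security[[:space:]]*=[[:space:]]*share|guest[[:space:]]+ok[[:space:]]*=[[:space:]]*yes)[[:space:]]*$' \
        "$1") || return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone demonstration: run as "sh script.sh demo"
if [ "${1:-}" = "demo" ]; then
    e=$(make_sample_exports); s=$(make_sample_smb_conf)
    find_no_root_squash "$e" || echo "-> drop no_root_squash (root_squash is the default)"
    find_smb_weak_settings "$s" || echo "-> use security = user and guest ok = no"
    rm -f "$e" "$s"
fi
```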




Linux experience for MS Windows users

Despite my personal choice of OS, I would never start a flame war over OS quality comparisons.

Sharing facts and advice with computer friends and visitors to this site, I find that a paragraph on MS Windows security is more than useful today, especially seeing the tons of e-mail circulating each day, mail that is not just spam but malicious.

Some of the advice is the same as in the previous paragraph, but explanations for MS Windows users follow.


Use the Windows Update very frequently.

One of the mechanisms that a normal MS Windows user runs but does not know of is the Remote Procedure Call. RPC is, in simple words, a protocol that enables a host to instruct a remote host to execute code and produce a result. This code "order" is run like a procedure, but not locally: parameters can be passed and the output - if visible - can be redirected to the host that requested the procedure. First developed by Sun Microsystems, RPC is a mechanism used for distributed computing on many platforms.

If this ability can be exploited as a security hole, visiting the "Windows Update" site often will help close these "holes".


Bring up a firewall.


To make things easier for the average user, Microsoft Windows has certain services up and listening on ports by default at every boot, unless you tweak the system using "Administrative Tools" or the so-called "Tweaking User Interfaces".

Anyway, bringing up a firewall lets the user enjoy all the running services while at the same time being safe from the "outside world", whether that world is a LAN or the Internet.


Be a "regular" user.


To avoid confusion in the average user's mind, the permissions and privileges concept is not very well documented in any MS Windows installation, despite the fact that it is used in every Windows NT based OS (NT, 2000, XP).

Create a regular user account and use it for regular work.
Set (and remember) a password for Administrator.

You need to be Administrator (root in Windows terms) only for system administration and software installation.

In every NT based OS this is not hard to do, if you remember that:

1) Every installation can be set to be available for "All Users".

2) When a regular user is running a desktop in MS Windows, the user's Start menu is a combination of the current user's menus and the "All Users" menus. You can easily define these menus.

3) Being an average user, when you need to run an administrative task (which most of the time is minor compared to the "regular" ones) you just have to right-click the application and choose "Run as different user", choose Administrator, type the password and there you are.

4) The Windows desktop nowadays has the very useful ability to "switch user", that is to run a different desktop, which can be the Administrator's, and perform some tasks without closing the average user's desktop and its running tasks. When finished, you can close the "administrative" one and return to your regular jobs - downloading, writing mail etc. - as a regular user.

Note: The non-NT MS Windows systems do not qualify for this paragraph. In these, even if a user's password is "cancelled" at the login screen, the desktop will most probably come up and all local tasks will run with administrative privileges. The only thing that happens if the login screen is bypassed is that the computer will not log in to File and Printer Services correctly.


Close the Autologin "luxury"

Do not be too proud if your default AND login-less desktop is the Administrator's.
For this to work, the Administrator password has to be stored in clear in the registry, which is a major security hole. The only reason for this luxury is login simplicity.

Login simplicity is not an issue. Security is.

Do not use this option even for a regular user's autologin.
Always use the login Welcome screen and instruct it to always show users that have passwords set.



Allow most remote code & cookies from trusted sites.

Even as a regular user, be selective about the code you run from sites.
This applies to Java, JavaScript, ActiveX, VBScript and so on.

The same applies to cookies.


Show e-mails in plain text by default.

Even if it is not practical at first glance, you will still be able to read your friends' e-mails as html afterwards, but none of the e-mails (including the spam) will force your e-mail client to run html code at all.


Disallow external references in html formatted e-mail.

E-mail clients tend to be so practical to use that some insecurities may arise.
Even if you choose to read an html formatted e-mail, it is safer not to allow external references to originate on your behalf to a remote server.

In this way, you will not be able to see photos "linked" to the e-mail.
On the other hand, your IP will not be tracked by some "smart" guy.
Again, simplicity is not an issue.

Note: Photos (and other files) "embedded" in the e-mail will be seen correctly.


Bounce but do not reply-to / unsubscribe-from spam.

Using the links to unsubscribe from spam, you may find yourself receiving more and more spam.
This usually happens because "unsubscribe" in reality tells spammers that the address they sent to is actually working. Replying would do the same just as well.

Prefer e-mail clients that have the "bounce" option. Bouncing returns the mail as undeliverable, thus "tricking" the spammer into considering your address useless and erasing it from his/her list.

Starting a "war" with my spammers and bouncing their mail for 4 complete weeks reduced the spam from 80 per day to 5!!

Note: These actions do not apply to serious newsletters. Consider this "cheating the cheater".


Create a fake address book contact. (This is an external tip from Billy (unknown).)

" This is what you do: create a new contact/address name: 0000
[The numbers "0" not the letter "O"] without writing any e-mail address or any other kind of info at all. This new contact will install itself as the first contact in your book.
If a virus tries to spread itself in your phone book, it will start with your first contact (0000),
but since that one has no address, your computer will automatically react by creating an "error" message and the virus will stop without having spread to others..."

-Billy- "


Hide IP addresses in all your messengers.

Visit the WireMe page for a better understanding of this tip.

When we dial up, in reality we take three steps:

1) The modems (ours and our ISP's) interconnect.
2) A PPP link (Level 2 - Data Link) is brought up.
3) A client IP address (ours) and a server IP address (on the other side of the PPP link) are assigned (Level 3 - Network).

This IP identifies our connected computer on the Internet (assuming dialup is used; if we connect otherwise, slight differences arise).

If someone gets to know this IP, then port scans and other actions may follow.

The most "common" way for our IP to be identified by a "smart" person is often through online messengers like ICQ.

So: hide IP addresses in messengers...
... that do have this hiding option. If they don't, ditch them so that the programmer implements this option in the next version.

Careful: I am not talking about IRC (Internet Relay Chat).


Ditch full-of-holes peer-to-peer file sharing clients.

Some years ago, Shawn Fanning's "Napster" became very famous as the first peer-to-peer file sharing client in wide use.
The program's concept was to mix client and server features in a single program.
Each host was therefore able to be server and client at the same time.
This, combined with the directory sharing feature and the ratio policy (uploads required for downloads), made the program very famous for exchanging mp3s.

Just after that, Napster suffered the wrath of established corporations over copyright issues and economic loss.
Politics and economy are not an issue for my Linux pages. But just for the record, Napster was never positively found illegal by any court of law; instead it sank under the tremendous economic pressure of lawsuit expenses.

Anyway, many programs succeeded this "killer app". Some are full of holes.
If you are using such programs, beware: most of them are heavily insecure.


Have your Office suites ask you first before running macros.

As a PC user, you do care about the work you have done that is stored in your private documents folder.

Using a computer for serious work makes your "works" folder 100 times more valuable than the whole system.

Running malicious code as a regular user will keep the whole system from infection, but will leave your personal documents vulnerable.

A malicious macro can be as dangerous as a virus. So disable automatic macro execution.


Run an active antivirus.

Running an antivirus with the privileges to check macros, e-mail attachments and ready-to-execute files can be a computer life-saver.

Beware though: some bugs may arise when trying to install applications.
So, next time your game installer crashes, disable the antivirus software temporarily.


Disable the "autorun" feature.


Convenience aside, automatically running an application when a CD is inserted, especially as a user with administrative privileges, may heavily compromise security.
Disabling this option in Win95/98/Millennium is very easy (properties of the CD-ROM in the Device Manager), but in NT based MS Windows it requires a little more effort.


Disable the "Hide Extensions" option.

Every OS has a "philosophy" as well as basic concepts. Trying to hide these just for convenience may lead us into unwanted adventures.

The MS Windows system relies heavily on file extensions. Other OSes do not, but MS Windows does.
This is not a security issue if handled correctly.

Hiding the extensions and relying on an icon alone to determine a file's type may mislead the user about the file type, thus leading to a careless "run" action.

Many attachments in mail messages exploit the "hide extensions" convenience and present files that are executables (exe, com, scr) or scripts (vbs, js) as "innocent" text files.

As a small example, the file "Have you lost this.txt" shown with a Notepad icon may in reality be "Have you lost this.txt.exe", and opening the file will make the OS actually execute it.

So beware.
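As an added example (not from the original page), a small shell script that reproduces the trick above on attachment names: it separates what Explorer displays with extensions hidden from the real last extension, and flags names whose real extension is one of the runnable types the page lists (exe, com, scr, vbs, js). The sample names, including "Have you lost this.txt.exe", are constructed test inputs.

```shell
#!/bin/sh
# Added example, not from the original page: what Explorer shows for an
# attachment when extensions are hidden, versus what Windows would run.
# The extension list is the one the page names (exe com scr vbs js).

# Lower-case the real (last) extension of a file name; empty if there is none.
real_extension() {
    case "$1" in
        *.*) printf '%s' "${1##*.}" | tr '[:upper:]' '[:lower:]' ;;
        *)   printf '' ;;
    esac
}

# The name a user sees with "Hide extensions for known file types" on.
displayed_name() {
    case "$1" in
        *.*) printf '%s' "${1%.*}" ;;
        *)   printf '%s' "$1" ;;
    esac
}

# Returns 0 when the real extension is one Windows will execute as code.
is_runnable() {
    case "$(real_extension "$1")" in
        exe|com|scr|vbs|js) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for an attachment name, e.g. taken from a mail listing.
# A runnable file whose displayed name still ends in a decoy extension
# (".txt", ".jpg") is exactly the double-extension trick described above.
classify() {
    shown=$(displayed_name "$1")
    if is_runnable "$1"; then
        case "$shown" in
            *.*) echo "DANGER: shown as '$shown' (looks like a $(real_extension "$shown") file), really .$(real_extension "$1")" ;;
            *)   echo "RUNNABLE: '$1' (shown as '$shown')" ;;
        esac
    else
        echo "data file: '$1'"
    fi
}

# Stand-alone demonstration over constructed sample names
if [ "${1:-}" = "demo" ]; then
    for name in 'report.doc' 'Have you lost this.txt.exe' 'photo.JPG.Scr' 'setup.exe' 'README'; do
        classify "$name"
    done
fi
```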


Favor "multiculture".

In MS Windows, especially from '97 until now, a "monoculture" issue has arisen.
Most MS Windows users use MS Word for documents, Outlook Express for mail and Internet Explorer for the web.

This is convenient of course, because what I send will be seen correctly at the other end, but a very dangerous situation emerges.

Every program may have bugs and holes. In a monoculture environment, exploiting 2 or 3 bugs in the 2 or 3 famous apps can (and does) produce epidemic spreading of malicious code. Windows has become famous for this epidemic result not because it is a bad OS (which it isn't) but because of this peculiar issue where 99% of the users use the same application inside the same operating system!

Favor multiculture: use several clients and applications and you will see that exploiters have a hard time from the next day on.


Do not think simple.

Well, this is a conclusion referring directly to:

Close the Autologin "luxury"
Disallow external references in html formatted e-mail
Disable the "Hide Extensions" option.

Computers are not simple.

You "see" an external picture in the mail (what a luxury) and at the same time someone grabs your IP address.

You run a messenger and (what a surprise) someone initiates a port scan and starts attacking your NetBIOS service.

You click the "Read me or you Lose" attachment and someone starts browsing your files.

And these are the "innocent" attacks.

Furthermore, if infected, you may not suffer yourself, but your computer may be used to attack another person.

This is a common phenomenon these days. Malicious mail may originate from totally unaware victims.

So, do not be such "simple" users yourselves.

Q: Why are we the "MS Windows" users the simple ones?
A: Because this OS attracts any new computer newbie by default.

Usually, when trying to use an alternative OS, the user has reached a state where he/she is not a "newbie" anymore.

Macintosh systems attract new users too, but now Mac OS X, which derives from BSD Unix (a Unix-compatible and Unix-inspired OS), carries a 30-year legacy on its back.


Windows paragraph finished, micro out.