Linux desktop growth could spur new malware activity

When the Indiana Department of Education began installing PCs running Linux in schools last year, it installed open-source antivirus software on servers to scan incoming e-mail. But it didn't bother installing antivirus software on the desktop computers.

"I hate to admit this, but I wasn't worried," said Forrest Gaston, a consultant managing the project for the state. Despite heavy student usage of the Internet, Gaston's optimism has so far been borne out: "It hasn't been an issue."

Besides Linux's low cost, its relative immunity from viruses, spyware, worms and other malware has long been one of the open-source operating system's key attractions to potential desktop users. Vendors who will be at next week's Desktop Linux Summit in San Diego certainly tout it. "

"There are almost no viruses for Linux. Certainly I've never seen one," said Tom Welch, chief technology officer for Linspire, the desktop Linux vendor and a show co-sponsor.

Jeffrey Jaffe, the chief technology officer at Novell, another show co-sponsor, feels much the same way. In a recent blog entry, Jaffe wrote that since joining Novell late last year and switching to Linux, viruses have become "things of the past." Novell is pushing its SUSE Linux for corporate desktop use.

Even vendors hawking Linux antivirus products admit the platform does not suffer today. "Our product is more used to filter Windows viruses than actual Linux viruses," said Ron O'Brien, an analyst with U.K.-based antivirus software maker, Sophos.

But experts warn that could change if Linux begins to win a mass audience on the desktop, bringing in millions of users who are less technically-proficient and security-conscious than today's typical Linux user.

"Windows was the only game in town, but now Linux is offering a more tempting prize," said John F. Andrews, president of open-source market research firm, Evans Data.

Earlier this month, Evans released survey data showing that 11 percent of developers reported seeing malware on their Linux systems, with more than a third of those having three or more infections. While still low compared to infection rates among Windows users, they are the highest totals ever reported in Evans' twice-year survey, which began in 2002.

Earlier this month, a cross-platform virus emerged that could theoretically infect both Windows and Linux. The virus, called Virus.Linux.Bi.a/Virus.Win32.Bi.a, has not been used in any known attacks.

But experts such as Johannes Ulrich, chief technology officer at Internet security group The SANS Institute, say such proof-of-concept code has traditionally presaged the launch of actual malware. "I think we'll see an increase in virus activity as Linux becomes more mainstream," Ulrich said.

Microsoft's efforts to boost security in the upcoming Windows Vista, which will include built-in access controls similar to Linux, may also cause virus creators to look for greener fields elsewhere.

The number of viruses that has so far targeted Linux remains small compared to the thousands of viruses and billions of dollars in estimated damage and lost productivity caused by Windows viruses.

Some experts argue that because Linux, with its Unix heritage, was created from the ground up as a multi-user system with built-in access controls and privileges, it is fundamentally more secure than Windows. For instance, users on Linux generally do not run as the root or administrator user, unlike Windows XP. That limits the amount of damage a virus can cause to just those files and volumes accessible to the user, rather than to the entire computer or network.

Both Red Hat and Novell say they have enhanced those access controls, via their respective Security Enhanced Linux (SELinux) and AppArmor tweaks to the Linux kernel.

The relatively small number of Linux users spread among different versions of Linux has long hindered the growth of new software by creating a lower reward/effort ratio. That has also driven away virus creators, said Ed Metcalf, product marketing manager for McAfee.

But the semblance of a "monoculture," as Linux advocates sometimes derisively call the Windows environment, is starting to emerge, with all of its pluses and minuses.

Vendors at the Desktop Linux Summit are expected to unveil a new integrated server and desktop standard, which a number of leading Linux vendors, including Red Hat, Novell, the Ubuntu project and Linspire, are expected to comply with.

While Ulrich praises Novell's AppArmor for its ease of use, he said SELinux is a "pain to configure," especially for desktop users. He also pointed out that even if malware is unable to access root files and applications, it can still cause plenty of damage to files and applications. And contrary to popular belief, he said Linux may actually be more vulnerable to virus propagation by e-mail because so many e-mail programs use the same underlying application.

"Even if you use a graphical mail client like Thunderbird, it still uses Sendmail," Ulrich said. "Once the virus gets going, it can go straight to Sendmail by itself."

Some Linux users, while reluctant to install antivirus software on client computers, are starting to take more safety measures. Ritz Camera Centers, which is in the process of upgrading more than 4,000 Point-of-Service terminals in stores nationwide to run Novell Linux Desktop, is taking pains to ensure the computers are isolated from the Internet, according to Bob O'Hern, senior vice-president of information systems.

"We're taking precautions because ultimately anything is subject to viruses," O'Hern said.

Join the newsletter!

Error: Please check your email address.

More about Evans DataLinspireMcAfee AustraliaMicrosoftNovellRed HatRitz Camera CentersSANS InstituteSendMailSophosSuseThe SANS InstituteVIA

Show Comments

Market Place