The holidays are over, the New Year has begun, and Santa (or someone much more sinister) has brought a late present for our Windows using colleagues in the form of a 0 day vulnerability exploiting a flaw in the WMF windows media file format. Luckily we Linux users are mature enough not to gloat. Most of us, anyway.
It's much the same story as last year, Windows worms and viruses continually propagate, crossbreed, and multiply while Linux remains above the fray. Sober and the other "newsmaking" viruses all infect and attack Windows while all Linux admins get out of it are a few hits to our Snort rulesets. Yes, there are worms attacking Linux, and Linux, like any other system, is certainly not immune. Linux is, however, more resistant.
One reason is made clear when the internet is compared to a biosphere. Linux is a mutt. Every Linux distribution does things slightly differently, Linux runs on very varied hardware, many Linux users compile their own software. Things just aren't as standardized in the Linux world, which is viewed as a flaw by many pundits, though it has many benefits when it comes to security. A Linux security flaw may only affect a certain distribution or application, and most distributions and applications lack the massive marketshare to provide enough sustenance for a worm to really get going. Meanwhile, the applications that do possess large marketshare, such as Apache, tend to be generally secure due to their source code availability.
Windows, on the other hand, lacks this genetic diversity. One copy of Windows XP is exactly like the next, and the source is closed so previously unknown flaws are discovered all the time. Yes, Windows does have a greater marketshare making it a bigger target, but I'd wager that if the marketshares of Windows and Linux were even Windows would still have more vulnerabilities. In nature, populations that lack genetic diversity run the risk of being decimated by a virulent disease, and the internet is no different. There's a reason we use biological metaphors like "worm" and "virus" to describe malware. Linux also benefits by tending to not be a primary target for malware authors because they have such a juicy target in Windows. Of course, keeping systems patched has been and will remain key, luckily most Linux distributions available today tend to be very polished in this area, with tools such as apt-get, yum, and portage providing easy application and system upgrades.
The Bad and the Ugly
So much for the good. Looking to the future, things go from bad to beyond ugly. We Linux users should realize how good we have it right now and recognize that the current security situation will not remain so benevolent for us. In an environment of dumb worms and viruses targeted at the least common denominator, Linux is well prepared to hold fast and remain generally secure. However, sinister trends are developing now that may end this state of complacency and need to be addressed.
Crime related to spam, spyware, and other online illegalities is said by some experts to have recently passed international drug trafficking in dollars earned, and malicious hacking that used to be performed for fun is now a big business. Websites once hacked only so the culprit could deface them and show off are now penetrated in order to steal customer data and engage in identity theft. Botnets of more than a million compromised hosts are not unknown, used to send spam, host child pornography, and perform distributed DoS attacks. An underground market for botnets has made the creation of viruses and trojans into a thriving business opportunity for the unscrupulous.
Extortion attempts threatening denial of service are becoming commonplace in the "gray markets" of internet pornography and online gambling, and this may lead to similar threats to more mainstream online businesses. Other schemes involving penetrating a system, encrypting important files and holding the decryption key hostage for payment have also occurred and may spread in the future.
The spread of targeted attacks is another major threat on the horizon. A major scandal in Israel this year involved targeted trojans sent to major corporations on behalf of their competitors for the purposes of industrial espionage. These targeted attacks make existing signature-based virus scanning technology worthless, since the software is specific to its target, and in the Israeli case firewalls and IDS systems were bypassed by sending the trojan disguised as marketing material on a CD-ROM. Targeted attacks like this expose the flaws in our existing signature based security software, and show the need for a "default deny" philosophy and implementation of mandatory access control systems.
This growing professionalism among the ranks of the malicious hackers and malware authors is alarming and will affect Linux users as well as Windows users. As more people move off of a Windows platform deemed vulnerable to Linux, our juiciness as a target grows larger. Targeted attacks aimed at Linux are simply a matter of time, and as the profit potential for compromising Linux systems grows so will the number of attackers focusing on the platform. Windows functions as our canary in the coal mine, the specific methods attackers will use to attack will change but their motives will remain. The days of "hacker curiosity" and penetrating systems "for fun" are over, the new breed of attacker has more material goals in mind, and while a more secure platform can help deflect attacks it may no longer help prevent Linux from being a target as it has in the past.
Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux. His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.