The meagre living of Linux virus writers

According to anti-virus firm Trend Micro, the number of Linux viruses in the wild has not changed dramatically for two years, but its figure of 500 dangerous and exploitative programs roaming the Internet in search of unprotected systems sounds like cause for concern, until you look closer at how it is arrived at.

Rainer Link, assistant to the head of the company's EMEA (Europe, Middle East & Africa) operations, admits the figure can be misleading and says it refers to Linux malware in general, including malware that runs on Linux but whose ultimate target is Windows.

The figure also includes viruses, worms and software tools written for the purpose of helping or propagating other malware. For example, "root kits" are applications that invade a Linux server and acquire root privileges for whoever installs them. Root privileges are required to install or configure applications on a Linux operating system, so they are a useful first step to wider exploitation.

In addition, multiple variants of the same virus are counted separately, and the accounting mechanism Trend Micro uses is somewhat broad-brush.

Because of the small numbers involved (Link says that 500 is minimal compared to the figure for Windows), Trend has only one category for malware affecting Linux, identified by the ELF_ prefix. The figure therefore includes any type of malware that has ever existed for Linux. So that's 500 examples for all time.

He also believes growth in virus numbers halted when two hackers quit the trade. Silvio Cesare turned white-hat and began working to improve the security of the Linux kernel, and 'Benny' gave up writing malware for the virus group 29A in favour of a monthly pay cheque. That two individuals can make a difference to the statistics is testament to how few people are actively involved in writing Linux malware.

According to Link, this is due to the meagre living available writing malware for Linux. "It could be tomorrow or the next day that another guy gets interested," he says, "but usually you target the system which is most widely used. Microsoft is considered the bad guy, and the virus writer wants to target the bad guy, not the good guy. This may change in one or two years. Who knows?"

Hacking Linux is currently an intellectual pursuit rather than a pursuit of profit. Because of the "good guy" image of Linux, it is considered well-mannered to give the community several weeks' notice when a vulnerability is discovered.

"Normally if you are a good guy and you find a vulnerability," says Link, "you write an encrypted email to vendors and say you'll give them five weeks to fix it before making the vulnerability and exploit public."

He adds that it's rare for a "black hat" to publicise a vulnerability without giving the community time to fix it, and that even the most damaging Linux worm so far encountered, Slapper in September 2002, appeared two months after a patch had been released.

So how many of the 500 viruses, worms and assorted malware have inflicted damage on users? Link knows of root kits used to break into university machines, and explains how, in Germany, they sometimes have trouble when Linux servers are hacked and used for denial-of-service attacks.

He also talks about a virus known as Vit.4096, a non-memory-resident parasitic virus that caused some infections of PCs at universities because a hacker's root kit was itself infected. "But at the moment," he says, "the chances of being infected by a Linux virus or worm are rather limited. Of course you have to take care of your system. If there is a security vulnerability in the Linux kernel, it is your duty to update."

Epidemiologists studying biological viruses have found that once a certain percentage of a population is immune, the spread of a disease stops. Known as herd immunity, this critical percentage depends on the disease, but 90% is not uncommon. The immunity of others in the population provides protection to all.

So, in a speculative moment, one could estimate that when Linux approaches 10% of the desktop market we might expect a virus to take hold in the wild, but probably not before.

IT analyst Gartner says Linux is installed on 1.3 percent of European desktop PCs and expects that figure to more than double by the end of 2005. If this rate continues, 2007 could be the breakthrough year for Linux viruses.

William Knight

Jun 09, 2005