Since my previous thread was jailed quite some time ago, and I have yet to know its status, I'm starting this one, and leaving out the part that caused the last one to get jailed.
I'll start this post with a simple assertion that I will argue: In its current state, if Ubuntu (or Linux in general) were as popular as Windows and had a similar user base, more Ubuntu machines would have malware than Windows machines.
Allow me to explain.
Some time ago, while my internet connection was spotty and I had nothing better to do, I spent about 3 hours (2 of which was actually testing) writing, as a proof of concept, a small bash script. I won't reproduce it here, because that's what got my last thread jailed. I hosted the script on a website and crafted a few small, seemingly innocent commands that would download and run the script, which would alias the sudo command. When run as sudo, the script runs itself as root, executes the command the user expects to run, creates the file "/etc/undecimwashere" (as proof of root access) and cleans up (i.e. fixes the sudo alias and deletes itself).
That was just one man and a few hours of time. And most of that was just making sure it was impossible for the script to leave the sudo command broken.
The point I want to make with such a script is that desktop Linux distributions are NOT secure from malware. Right now malware isn't a problem only because:
1) most Linux users are smart enough to figure out what a command does before running it
2) Desktop Linux isn't very popular on the desktop yet.
However, we want reason #2 to change. And when that begins to change, so will reason #1. Hence, if we're lucky, Linux desktop security will soon become a problem.
The point that Linux separates the user from root means nothing.
First of all, most malware will not require root privileges on a Linux system. There is no need to gain privileges to open a port (above 1024), to use slowloris, or to attack an SSH server.
Second, even if a piece of malware did require root privileges (e.g. to be a more efficient node in a botnet), it is easy to acquire it when you are a user that has the ability to run commands as root, especially if the actual user has already been ignorant enough to download a trojan.
Moreover, since software on nearly every Linux distribution is open source, it is currently trivial to perfectly mimic something such as the upgrade dialogue. Personally (and I guarantee this will apply to most users, especially as Ubuntu gains popularity), I don't know any person who would think twice about entering their password to upgrade their Ubuntu system when prompted. Even if you use the CLI to upgrade, it would only take about 5 minutes to add an alias for apt-get to a trojan, or to prepend the PATH variable with a directory full of malicious binaries.
Many of you at this point will note that most of this requires some degree of social engineering, and dismiss the problems as unsolvable because the human element will always be a security hole. However, it is because of this fact that individuals and groups who write malware for profit rely on social engineering. It's not a fool-proof method to attack a single target, but it does yield a high number of infections by targeting the most ignorant of an operating system's user base.
If Ubuntu is to equal Windows in market share, it is necessary to protect these users from their own actions in order to both reduce the number of machines that will become infected in the future, and consequently make Linux malware creation less lucrative.
Windows (and available third-party applications) already implements many countermeasures to trojans, such as informing the user (e.g., the warning box that appears when you download a .exe file), blocking the most prevalent trojans with on-download virus scans, and forcing any useful malware to acquire system privileges (which is currently trivial on most Windows OSs and easy to do on any OS where the user is ignorant enough to have run a trojan in the first place).
Ubuntu does none of those things. As a Linux system, it has the potential to be secure, but as a Desktop distribution, it's ignoring the most prevalent security hole: user error.
How soon before this becomes a problem?
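The post describes two ways a trojan running as an ordinary user could capture a later privileged action: shadowing `sudo` or `apt-get` with a shell alias or function in a startup file, and prepending a user-writable directory to PATH so a dropped binary is found before the real one. The following script is an added example, not the original poster's script and not part of this thread; it is a defender-side audit that checks a shell startup file for those two conditions and changes nothing. The file name `bashrc`, the command list, and the sample startup file it builds under `mktemp` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shell startup file
# for the two hijack patterns the post describes. Read-only; nothing is
# modified or removed.

# Report aliases or shell functions in $1 that shadow the trusted commands
# named in the remaining arguments. Prints each match; returns 0 if any
# shadowing was found, 1 if the file is clean.
find_shadowed_commands() {
    file="$1"
    shift
    found=1
    for cmd in "$@"; do
        # alias form:    alias sudo=...
        # function form: sudo() { ... }   or   function sudo { ... }
        if grep -Eq "^[[:space:]]*(alias[[:space:]]+$cmd=|$cmd[[:space:]]*\(\)|function[[:space:]]+$cmd([[:space:]]|\{|$))" "$file"; then
            echo "$file: '$cmd' is shadowed by an alias or function"
            found=0
        fi
    done
    return $found
}

# Print each PATH entry that the current user can write to and that comes
# before the system directories; a binary dropped there named "sudo" or
# "apt-get" would be found first. Takes the PATH string as an argument so it
# can be run against constructed input. Returns 0 if any such entry exists,
# 1 otherwise.
writable_path_entries_before_system() {
    path_value="$1"
    hit=1
    old_ifs=$IFS
    IFS=:
    for dir in $path_value; do
        case "$dir" in
            /usr/bin|/bin|/usr/sbin|/sbin) break ;;
        esac
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "writable PATH entry ahead of system dirs: $dir"
            hit=0
        fi
    done
    IFS=$old_ifs
    return $hit
}

# Show what "sudo" resolves to in the current shell; an alias, a function,
# or a path outside /usr/bin is worth a closer look.
resolve_sudo() {
    command -v sudo 2>/dev/null || echo "sudo: not found"
}

# --- demo on constructed input: a fake startup file in a temp directory ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/bashrc" <<'EOF'
export PATH=$HOME/.cache/bin:$PATH
alias ls='ls --color=auto'
alias sudo='/home/user/.cache/bin/sudo'
apt-get() { /home/user/.cache/bin/apt-get "$@"; }
EOF
find_shadowed_commands "$demo_dir/bashrc" sudo apt-get su
writable_path_entries_before_system "$demo_dir:/usr/local/bin:/usr/bin:/bin"
resolve_sudo
rm -rf "$demo_dir"
```

To run it against a real account, point `find_shadowed_commands` at `~/.bashrc`, `~/.profile` and `~/.bash_aliases`, and pass `"$PATH"` to `writable_path_entries_before_system`; the script only reports, so the operator decides what to do with a hit.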