
September 19, 2003

Reader Question

If you have a question (about Macs or Unix or living Down Under) that has always puzzled you, why not ask the ozguru?

Reader Milos asks: "Can u tell me why UNIX boxes r resistant to viruses?"

Answer:

Short answer: they don't run Microslosh software :-)

Longer answer: most viruses depend on things being where they expect them: a file at a known path, memory laid out in a known way, a service behaving in a particular manner. That assumption holds on Windows far more often than it does on Unix.

1. There are many variants of Unix and they all differ, so the target population for any one virus is much smaller.

2. Unix allocates a lot of things dynamically (inode numbers, memory blocks, process ids), so they vary from one installation to the next, and a virus that hard-codes them breaks as soon as the layout differs. Even "pid 1 is always init" is a convention rather than a guarantee.

3. Unix network services are usually gated by firewalls or TCP Wrappers, which are only just appearing on the Windows side (and are often not configured correctly). The average virus writer cannot be bothered to write the extra code needed to get around them.

4. Unix has a long history of user involvement, which means that bugs useful to virus writers are usually fixed and the fixes distributed much more rapidly. The recent SSH hole, for example, was reported on a Friday; by Monday there was a workaround, and by Wednesday Sun, HP, IBM and the Linux vendors all had patches (BSD was not affected). If the same thing happened on Windows:

Friday 13th: Bug announced
Monday 14th: US Homeland Security puts out advisory
Monday 21st: Exploit and how-to published in PC Week
Monday 28th: Sample code published on a hacker's web page
Next month: Someone adds the code to the script-kiddies pack
Two months: First virus appears but fails for lack of interest
Three months: Better virus appears
Six months: Internet saturated with super virus
Nine months: MS releases patch (very quietly)
Ten months: Another super virus
Ten months + 1 day: Billg appears on TV blaming inadequate system administration, because the patch was issued "some time ago" and the fact that millions of customers haven't installed it is not MS's fault!
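Point 3 mentions TCP Wrappers without showing what the gate actually looks like. The following is an added example, not part of the original answer, of the default-deny pattern: /etc/hosts.deny refuses every wrapped service, and /etc/hosts.allow then opens sshd only to one internal subnet and to the local host. The subnet 192.168.1.0/255.255.255.0 is an assumption chosen for illustration.

```conf
# /etc/hosts.deny -- consulted second: anything not matched in hosts.allow is refused
ALL: ALL

# /etc/hosts.allow -- consulted first: the only connections that get through
# (192.168.1.0/255.255.255.0 is an assumed internal subnet for this example)
sshd: 192.168.1.0/255.255.255.0
sshd: 127.0.0.1
```

Before relying on these, run tcpdchk to catch syntax mistakes in the two files and tcpdmatch sshd 10.0.0.5 (or any other client address) to see which rule a given connection would hit. One caveat: the wrapper only applies to services that are started through tcpd or are linked against libwrap, so an sshd built without libwrap ignores both files entirely. That is exactly the kind of "not configured correctly" gap point 3 warns about, and it is worth checking on each box rather than assuming.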

Hope that helps.....

Posted by Ozguru at September 19, 2003 09:09 AM

Comments

Yes, it did help. I always wondered about it too.

Posted by: Melodrama at September 19, 2003 09:09 AM

Added some more steps :)

Friday 13th: Bug announced
Monday 14th: US Homeland Security puts out advisory
Monday 21st: Exploit and how-to published in PC Week
Monday 28th: Sample code published on a hacker's web page
> MS tries to sue ISPs hosting "hacker" material into oblivion [Hey, it's easier to sue than actually write good code.]
Next month: Someone adds the code to the script-kiddies pack
Two months: First virus appears but fails for lack of interest
Three months: Better virus appears
Six months: Internet saturated with super virus
Nine months: MS releases patch (very quietly)
> Patch creates new holes or re-opens existing ones.
Ten months: Another super virus
Ten months + 1 day: Billg appears on TV blaming inadequate system administration, because the patch was issued "some time ago" and the fact that millions of customers haven't installed it is not MS's fault!
> and crap on about how using Palladium-equipped anal probes would put an end to viri (and any remaining civil rights) for good.
> New patch released. Have to agree to install MS Palladium Anal Probe (MS-PAP) as part of the installation licensing agreement.

Posted by: Prasad at September 19, 2003 09:09 AM