Thursday, July 19, 2007

The short life and hard times of a Linux virus

There are several reasons why the Linux virus has been a non-issue. Most of them a Linux user will already be familiar with, but there is one all-important reason that a student of evolution or zoology would also appreciate.
First, let's take a look at the way Linux has stacked the deck against the virus.
For a Linux binary virus to infect executables, those executables must be writable by the user who runs the infected program. That is not usually the case. Chances are the programs are owned by root (typically mode 755, so only root can write to them) and the user is running from an unprivileged account. Further, the less experienced the user, the less likely it is that he owns any executable programs at all. Therefore the users who are least savvy about such hazards are also the ones with the least fertile home directories for a virus.
Even if the virus successfully infects a program owned by the user, its task of propagation is made much more difficult by the limited privileges of the user account. [For neophyte Linux users running a single-user system, of course, this argument may not apply. Such a user might be careless with the root account.]
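A quick way to measure how much "fertile ground" a given account actually offers, as an added example that is not part of the original article: the POSIX shell function below lists the executables under the given directories that the invoking user could modify, which is exactly the set a binary virus run from that account could infect. It judges writability from ownership and mode bits rather than with `test -w`, so the answer reflects the permission model even when you happen to run it as root. The `path_writable_executables` wrapper, the `--path` flag and the choice to ignore group-writable files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): enumerate the executables
# that the current account could overwrite, i.e. the files a binary virus
# run by this account could infect.
#
# A file counts as writable here if it is owned by the invoking user with
# the owner-write bit set (0200), or if it is world-writable (0002). Mode
# bits are used instead of `test -w` so the result describes the permission
# model rather than root's ability to bypass it. Group-writable files are
# left out for brevity (an assumption); extend the find expression with
# the groups from `id -Gn` if you need them.
writable_executables() {
    _me=$(id -un)
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # executable by anyone: any of the x bits 0100, 0010, 0001
        # writable by us: (owned by us AND 0200) OR 0002
        find "$dir" -type f \
            \( -perm -100 -o -perm -010 -o -perm -001 \) \
            \( \( -user "$_me" -perm -200 \) -o -perm -002 \) \
            -print
    done
}

# Convenience wrapper (assumed, for illustration): scan every directory on
# $PATH, which is where an infected program would go looking for victims.
# The subshell keeps the IFS change from leaking into the caller.
path_writable_executables() {
    (
        IFS=:
        for dir in $PATH; do
            writable_executables "$dir"
        done
    )
}

# Usage: sh writable.sh --path
if [ "${1-}" = "--path" ]; then
    path_writable_executables
fi
```

On a typical workstation the `--path` scan prints little or nothing for an unprivileged account and only turns up entries under `~/bin` or `~/.local/bin`; if it lists files under `/usr/bin`, something is already wrong with the installation's permissions.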
Linux networking programs are conservatively constructed, without the high-level macro facilities that have enabled the recent Windows viruses to propagate so rapidly. This is not an inherent feature of Linux; it is simply a reflection of the differences between the two user bases and the resulting differences between the products that succeed in those markets. The lessons learned from observing these problems will also serve as an inoculation for future Linux products.
Linux applications and system software are almost all open source. Because so much of the Linux market is accustomed to the availability of source code, binary-only products are rare and have a harder time achieving a substantial market presence. This has two effects on the virus. First, open source code is a tough place for a virus to hide. Second, for the binary-only virus, a newly compiled installation cuts off a prime propagation vector: the binary you run is the one you built from the source, not a copy that has passed through other machines.
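The practical counterpart of that second effect is a record of what you built, so that a later change to an installed binary stands out. The POSIX shell functions below, an added example rather than anything from the original article, write a manifest of SHA-256 hashes for every executable under a directory and later re-check the installed files against it. A binary-only virus that patches one of them changes its hash; rebuilding from clean source restores it. The `hash_file` fallbacks, the file names and the directory layout are assumptions for illustration; this is a minimal stand-in for tools such as `rpm -V` or `debsums`, not a replacement for them.

```shell
#!/bin/sh
# Added example (not from the original article): record SHA-256 hashes of
# the executables you built, then compare the installed copies against
# that record.

# Use whichever SHA-256 tool the system provides (assumed fallbacks).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# build_manifest DIR: print "hash path" for every executable under DIR,
# sorted so the manifest is stable from one run to the next.
build_manifest() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    LC_ALL=C sort |
    while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_manifest MANIFEST: re-hash every recorded path and report the ones
# whose contents changed or which are gone. Prints nothing when all is well.
verify_manifest() {
    while read -r recorded path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(hash_file "$path")" != "$recorded" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$1"
}

# Usage (paths are examples):
#   build_manifest /usr/local/bin > /var/lib/local-manifest.txt   # right after install
#   verify_manifest /var/lib/local-manifest.txt                   # any time later
```

The manifest is only as trustworthy as its storage: keep it somewhere the accounts that run untrusted programs cannot write, or an infected program could simply update it along with the binary.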
Each one of these obstacles represents a significant impediment to the success of a virus. It is when they are considered together, however, that the basic problem emerges.
A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread: each infected system must, on average, infect more than one other system before it is cleaned up. Each of the above obstacles significantly reduces the reproduction rate of the Linux virus. If the reproduction rate falls below the threshold needed to replace the existing population, the virus is doomed from the beginning -- even before news reports start to raise the awareness level of potential victims.
The reason we have not seen a real Linux virus epidemic in the wild is simply that none of the existing Linux viruses can thrive in the hostile environment that Linux provides.[1] The Linux viruses that exist today are nothing more than technical curiosities; the reality is that there is no viable Linux virus.
Of course, this doesn't mean that there can never be a Linux virus epidemic.[2] It does mean, however, that a Linux virus must be well-crafted and innovative to succeed in the inhospitable Linux ecosystem.
[1] Bliss is the only Linux-compatible virus seen in the wild. Staog is the first known Linux virus.
[2] For another perspective on this issue, try this article on freshmeat.net.