Virus v. Trojan: not just about semantics

Whenever a new trojan appears for Linux, Mac OS X, or (now) Android, inevitably you get a crowd of ignorant panic-mongers up in arms saying “See? [fill in the blank] gets viruses, too! Ah ha! Better install that antivirus now.” Now, apart from the fact that so-called “antivirus” software is for all practical purposes useless (a placebo at best), viruses and trojans are conceptually very different types of malware.

And, no, this is not just a matter of some geeky semantics.

The mass hysteria out there right now about Android malware reminds me of HIV/AIDS “information” back in the early or mid 80s. People were genuinely afraid you could catch AIDS from hugging someone or drinking from the same water fountain as someone who had AIDS. There wasn’t a lot of reliable and consistent information about how people became HIV positive.

Same deal now. If you read any mainstream press coverage of Android malware, you’ll see the focus is really on quantity (Android Malware Surges Nearly Five-Fold Since July or Android sees a 472% increase in malware since July) of malware instead of actual risk of infection. In typical pop journalism fashion, a lot of “news” articles are taking the “here’s one extreme, and here’s another extreme, so you decide” approach instead of actually informing consumers of the facts of how they can protect themselves from malware.

For example, Security Experts Concerned About Google’s Attitude Toward Android Malware makes it sound as if there is Chris DiBona saying Android malware isn’t a problem and then there are the “antivirus” vendors saying it is a problem. Same deal in Android Security: Threat Level None?

All these articles leave the consumer with is a sense of confusion, and no real practical steps to protect oneself. The former, for example, says:

Most malware researchers agree that the openness of the Android platform, which allows installing non-vetted apps, and more importantly the openness of the Android market, which lacks a strict application review process, contribute to its malware problem.

The latter at least hints that users could be responsible for malware proliferation:

Now that we have a few different views on this topic, who do you think is right? Well, there’s some truth to what the security vendors are telling us. Smartphones—and apparently Android devices in particular—can be infected with malware through careless use.

Careless use. Who is doing the careless using? Phone owners. Phone users.

That is the big difference between a virus and a trojan. The trojan you have to give permission to. You have to invite the trojan in. You know the famous story about the Trojan Horse? Yeah, that attack wouldn’t have worked if Troy had said “Yeah, fancy wooden horse? We’re not letting that into our city.” Same deal with malware. If you don’t install malicious apps pretending to be legitimate, you won’t magically get infected with malware. This is true for Android, Mac OS X, and Linux. I have never heard of any malware proliferating on any of those platforms that was not a trojan.

So if you want to protect yourself, don’t install “antivirus.” Install some common sense instead. Here is a great, step-by-step guide on how to do that: How to be safe, find trusted apps, & avoid viruses – A guide for those new to Android

You’re welcome.

The antivirus paranoia culture

Recently, I’ve spent some time looking at the computer section of Yahoo! Answers, and it’s a fascinating place from a sociological perspective. If the questions and answers popular there are indicative of what common attitudes and practices are among Windows and Mac users, then this is how a typical user operates:

  • Install free antivirus software
  • Install Limewire and use it to download copyrighted songs and movies as well as software cracks.
  • Run as administrator all the time (no limited user account).
  • Get infected with a virus or rogue.
  • Ask for suggestions about a better antivirus.
  • Consider that maybe paid antivirus solutions may be more effective than free ones.
  • Consider that Frostwire may be safer than Limewire.
  • Switch antiviruses.
  • Switch P2P application.
  • Get infected again.
  • Try to remove the infection with MalwareBytes.
  • Spend hours trying to remove infections with various other programs.
  • Eventually give up and reformat entire drive without backing up files.
  • Continue cycle.

There also seems to be a popular misconception that Windows’ malware problem has to do primarily with its popularity and not any flaw in security (like running as administrator by default all the time). So when a trojan (which requires user stupidity, not a flaw in the security of the operating system) appears for Mac OS X, the Windows users on Yahoo! Answers say “Aha! See? Macs get viruses too. They’re no more secure than Windows” and the Mac users on Yahoo! Answers say “Oh, no. What antivirus should I use to protect my Mac? I thought Macs were immune to viruses.”

I hope you see the problem here. Antivirus software companies may not be so nefarious as to actually create viruses (though maybe they do—we don’t have any irrefutable evidence either way), but they have definitely created a culture of paranoia and not just healthy fear.

Most computer users are paralyzed when it comes to security. They have no concept whatsoever as to what makes a computer secure or insecure. They just think “If I run ‘the best’ antivirus software, I can do whatever I want and my computer will be safe.”

Yet, I’d be willing to bet that most of these people would be better at spotting a fake valet before handing over the keys to their cars and would know better than to actively seek out burglars to give out their bank ATM cards and PIN codes to.

What can we do to turn around this culture of paranoia and turn it into proper, healthy fear properly channeled through education and good practice?

I used to be part of this culture, back when I was an exclusive Windows user. I got malware of some kind and panicked. And I thought if I just got a “better” antivirus and changed from Internet Explorer to Firefox that my security would be so much better.

It wasn’t until I got more familiar with the worlds of Mac OS X and Ubuntu that I realized privilege separation matters. Yes, it’s theoretically conceivable that malware could infect a limited user account if it were designed that way, but if it did and was detected in a short amount of time, then it could be easily removed. Malware as it is now thrives because it digs deeply into the Windows system files so that booting into safe mode or trying to use system restore to get rid of it isn’t enough. If you use a limited user account, no system files will be affected, and if malware were ever designed to affect a limited user account, you could just delete that account and carry on.

More importantly, the paranoia comes from a total lack of understanding about how computers become infected with malware. They have the same understanding of computer diseases that “doctors” had about human diseases centuries ago. It’s a bad humor. It’s punishment for doing something evil. It’s not germs you actually have to come in contact with.

A lot of malware comes in not through software flaws but through user flaws. Social engineering is a great way to get malware installed because Microsoft, Apple, and Linux developers can do nothing about it through better programming. If you can trick the user into installing “the codec you need to watch this video” or “this pirated version of iWork” or “this cool new software,” then any kind of built-in security goes out the window.

Couldn’t these users who suffer from such paranoia and ignorance save themselves a lot of heartache if they did a few simple things?

  1. Use a limited user account in Windows
  2. Take ten minutes to read up on social engineering and how not to be a victim of it
  3. Back up personal files regularly
  4. Use Norton Ghost or Acronis True Image to image a working installation so a reinstall wouldn’t take so long
  5. Install system security updates

The way a lot of people run their computers, it’s like having rampant unprotected sex and then getting an HIV test every six months. That won’t stop HIV! Get a condom! Computers have condoms too, even though Microsoft doesn’t make them very easy to put on.

Does Ubuntu need antivirus?

This is a very common question that comes up on the Ubuntu Forums from new users migrating from Windows. The answer, of course, is “No, Ubuntu doesn’t need antivirus.” Linux (and sometimes Mac) users often get accused of being smug or complacent for saying they don’t need antivirus, so I think I have to clarify that answer for the skeptics.

What kind of virus are you looking for protection from?
I’m not an expert on all the terminology out there for malware, but there are basically two kinds of malware, when it comes to security—malware that self-replicates and infects through security holes and malware that tricks the user into installing it (what’s called social engineering).

What makes the first kind of malware such a problem in Windows (at least in XP—I’ve never tried Vista) is the default-to-administrator-account setup, which is reinforced by some programs designed for Windows requiring the user be administrator, documentation for Windows assuming you are administrator (very seldom have I seen instructions for installing a setup.exe ask you to right-click, select Run as… and authenticate with an administrator account, with the assumption that you must be using a limited user account regularly), and the inconvenience of not being an administrator all the time (Run as… is not perfect and is often difficult to use).

The administrator account in Windows has access to almost everything on the system, so if it gets compromised, the entire system is compromised. And if you’ve ever had to clean malware off a Windows computer, you know how difficult it is to get all the junk out of the registry and all the reappearing programs and .dll files out of system directories.

A limited user account, on the other hand, has access only to its own account and very few system directories. I don’t know of any Windows malware that targets limited user accounts, but if the limited user account got compromised, cleaning up the malware would be a lot easier, as you could create another account, and one by one quarantine and examine user files you copy over from the compromised account to the newly created account and then delete the compromised account.

In Ubuntu (and in most Linux distributions and Mac OS X), the default account operates mainly as a limited user account, with write access to mainly its own user directory, and then the user in the admin group (in the case of Ubuntu and Mac OS X) is able to “sudo” and temporarily escalate privileges for particular tasks after password authentication. On non-Ubuntu Linux distributions, the authentication is a temporary login to the root (total access) account.

While a lot of people make the case that separating user privilege from system privilege alone guards against malware infestation (and they probably have a point), I’d at least argue that that separation makes cleanup after an infection a lot easier. The only trustworthy cleanup I know of a Windows-compromised computer is a complete reinstallation of the operating system.

But then there is social engineering. This could be anything from a tainted email attachment a friend innocently sends you and you open to a website asking you to download a “codec” (disguised malware) to play a video. The point is that the flaw isn’t the operating system itself but you, the user. If you’re tricked into installing a piece of malware, it won’t matter what kind of security you have set up. Don’t listen to Linux users who will tell you that you have to first make a file executable and then run it. With all the “user-friendly” graphical tools now available, all someone has to do is create a malicious “cool” .deb file for Ubuntu and trick Ubuntu users into downloading it, double-clicking it, and authenticating with their password. That .deb can run any command then with root privileges and compromise your entire system. It could install a keylogger or a rootkit.

Another time you shouldn’t listen to Linux users is when they try to say a lack of malware on Linux has nothing to do with marketshare, since Linux dominates the server scene, and Linux servers are not more compromised by malware than Windows servers. While what they’re saying is true, it’s also misleading. Most corporate servers are run by trained professionals or at least knowledgeable amateurs, and they’re less likely than the general populace to fall for a phishing scam or other kind of social engineering attack. This is not, true, however, for home users. Nevertheless, the point is moot. If security by minority has any validity, I think you can rest pretty easy that within the next three years, Ubuntu won’t reach over 50% of home user marketshare, no matter how successful it is or how many “years of the Linux desktop” pass by.

But don’t Linux viruses exist?
Yes, but they are either proof-of-concept ones created for research purposes or ones that took advantage of flaws that have since been patched. There aren’t any Linux viruses that are actual threats to Linux systems. If malware relies on social engineering, though, and you’re tricked into installing it, then your system is screwed either way—running an antivirus program won’t help you.

Should you run antivirus just in case?
Well, obviously I can’t stop you. You can also wear a gas mask around all the time when walking through perfectly healthy air. I won’t stop you from doing that either. But in either case, I’m not going to pretend what you’re doing makes sense.

Most antivirus applications in Linux scan for Windows viruses, and if a Linux virus came into existence and actually was a threat, it wouldn’t automatically be in your antivirus application’s definitions anyway, since the virus is new. So you wouldn’t be protected. A vaccine against polio isn’t going to protect you from getting AIDS. Neither is an outdated set of virus definitions going to protect you against a new threat.

Shouldn’t we protect Windows users?
Some have made the case that it is our responsibility to protect our Windows-using friends and relatives by scanning files before they’re sent to Windows users. While that case could be made, I don’t think Linux home users make up a large enough demographic to protect Windows users in such a way. It’s about as effective as building a wall around a city for protection but having the wall go less than 1/10 way around the city. Great. The attackers will just go to a different entrance to attack the city. (See the first link in the Further Reading section for more details.)

This brings up a good point, though. If you’re using Ubuntu as a regular desktop or laptop computer, you don’t need to run antivirus, but if you’re using Ubuntu as a mail server, you probably should install and use antivirus. In fact, many mail servers are Linux-based, so you would be part of a very large wall—an actual first line of defense.

What good is antivirus?
I do have to say, though, I think antivirus is mainly a resource hog and almost a placebo. It’s something that makes people think they’re secure without actually making them secure. In fact, every time I’ve seen a Windows-using family member or friend get infected with malware, that person has always been running antivirus, antispyware, etc. You can’t rely on a program to protect you. You have to learn good security practices yourself—don’t run as administrator regularly, use strong passwords, learn to recognize social engineering and phishing scams, do not visit sketchy websites, etc. Relying on anti* programs for protection is like thinking the vaccinations you get from the doctor protect you against all disease in life. You can’t then just have unprotected promiscuous sex, never wash your hands, eat anything you find in the forest, and have extensive physical contact with sick people, and then expect to stay healthy.

Antiviruses operate in two ways, and ultimately neither way ends up being effective for home use. One way is maintaining a list of known viruses. Well, when a new virus shows up, it won’t be in that list before it’s done some serious damage. The other way is trying to identify malware based on the content of the file. This leads to a lot of false positives and essentially defeats the point of antivirus, since it ends up being the user deciding what files are trustworthy or not… or just getting used to overriding the false positive identification of the antivirus application to the point that it’s like whitelisting everything. I would actually argue that you don’t need antivirus in Windows either. I know that sounds brash, but I believe it’s true. If you want Windows to be secure, use a limited user account, show file extensions for all files, use Thunderbird instead of Outlook, learn how to identify and avoid social engineering, and use strong passwords.

Frankly, I’ve never seen a real epidemic threat to Ubuntu users, but if one appeared, I promise you that having antivirus installed would not protect you from it. Saying you don’t need antivirus in Ubuntu is not complacency—it’s common sense. Learn about real security good practices and stop clinging to the antivirus placebo.

Further Reading
A succinct sum-up of this rather long-winded blog post you’re reading
A short write-up on Ubuntu security
A more in-depth write-up on Ubuntu security