Malware Storm

Attacks on open source doubled in just one year, and the open source community is bracing for more.

by Adam Stone / July 31, 2006

You might think Dennis Wells would be worried.

As policy and planning manager in the Office of Information Services at Oregon's Department of Human Services (DHS), Wells is running an open source customer relationship management (CRM) system at a time when attacks against open source operating systems and products are increasing at an alarming rate.

"It's probably because of the rising popularity of open source," Wells said of the newest attacks against the Linux operating system and other open source products. "Because it is there -- out there, where people can see it -- it provides more of an interesting challenge to attackers."

Yet Wells said he has it covered. Sugar CRM, which sells the CRM software Wells uses, keeps the DHS's machines patched and updated, and an entire community of open source users keeps him abreast of threats.

That appears to be the lay of the land in Linux and open source these days. On one hand, a rising tide of threats; on the other hand, vigilant vendors working in consortium with users to keep the open source environment safe and stable.

On the face of it, the numbers do give cause for concern: the pace of malware attacks against Linux operating systems doubled during 2005, according to Kaspersky Lab's 2005 *nix Malware Evolution report. Kaspersky reported 863 attacks on Linux in 2005, up from 422 in 2004.

However, it's still a drop in the bucket compared to Windows. Security firm Symantec reported nearly 11,000 Windows viruses and worms in just the last half of 2005. Still, the increase in the number of attacks on open source is ringing warning bells.

"We are still in the very beginnings of what will come," cautioned Ben Chelf, chief technology officer of open source code security firm Coverity.

A Deeper Threat
It's not just the attacks' increase, but also their nature, Chelf said. The majority of Windows usage still resides on the desktop, he said, whereas Linux typically operates at the server level. Desktop damage is certainly a problem, but back-door access to the server presents a far deeper level of threat.

Given the seriousness of that threat, Andy Stein, director of IT in Newport News, Va., is paying close attention to the situation. Stein is directing the development of a new e-government site based on open source code. He said the relatively low number of attacks on Linux should not lull one into a false sense of security.

"I am just as concerned about open source [malware] as I am about the fact that Windows is under attack," Stein said.

For government users in particular, the nature of the present attacks against open source products may be a cause for concern. Windows attacks typically come in some flavor of overwhelm-and-destroy: Crash the system, bring traffic to a halt. Linux attacks on the other hand have tended in the direction of information plundering.

"The most common class of these things is the back door or Trojan things used to capture and export data," said Robert Shoemaker, CEO of IT support firm HelpMeRemote.

For government IT managers, that focus on data can be a big issue.

"Of course, governmental agencies have very strict requirements about privacy of data, and face a dilemma of needing to protect data while often lacking the budget to do so," said Bernard Golden, CEO of open source system integrator Navica.

The Good News Is ...
Threats there may be, but proponents of open source argue that the Linux and open source communities today are prepared to deal with them, despite what some people may think.

"The misconception is that there is no vendor support, that there is no option for vendor support. The assumption is that you are depending on the good will of the larger community for everything, but that's not true," said Stein, whose department maintains support contracts with Red Hat and Novell.

There are reasons for the misperceptions. Open source began as an underground development and was, for quite some time, a tinker's toy. At the same time, because the code is free, some assume its use is a free-for-all, with managers left to their own devices when it comes to patches and upgrades.

Today's open source community says otherwise. With a combination of vendor support, and an active base of users eager to share information, help seems to be readily available.

Wells gets support from Sugar CRM and a user community whose patches and changes are first vetted by Sugar CRM technicians before being widely released. It's one of the things Wells likes best about open source.

"This way you have the opportunity to engage in that discussion," he said, rather than just watch for patches as new threats evolve.

"The opportunity for response may be quicker," Wells said of relying on community support. "The releases you see for open source are more frequent, and there is maybe a greater sense of pride in work, pride in ownership."

This enthusiasm for open source products' communal nature is commonly heard, but some say the dependence upon homegrown patches comes with its own set of risks.

Shoemaker puts it this way: Suppose a user in the broader community crafts a patch for some new nasty. Now suppose another user distributes a patch for some other piece of malware. Now suppose those two patches can't play nicely together.

"Now your machine doesn't work because one patch doesn't work right with someone else's patch," Shoemaker said, adding that his solution is to go with a proprietary, corporate-sponsored version of Linux, such as a version supported by IBM, and to get patches only from the vendor. "That would be the only way I would feel comfortable with it."

Another alternative would be to turn to proven, recognized open source tools designed with security in mind.

"Snort is a well known intrusion detection system that enables organizations to detect attempted security attacks and stop them," Golden said. "Because these applications are free, governmental agencies can, without trying to scare up budget dollars and without going through extended budget cycles, put protective mechanisms into place to secure sensitive applications and data."

Finally there's always the possibility of an upgrade.

Developed in conjunction with the National Security Agency, Security Enhanced Linux delivers security in the form of mandatory access control. In essence, an administrator can dictate which functions each program is allowed to perform. Thus, if a virus reaches an application, an administrator can curtail the damage because that application is confined to the functions it was granted, rather than having the run of the system.

On the Radar
Ironically it may be the very success of Linux that has led to its newfound position as target du jour.

"As soon as a platform starts becoming more popular, viruses and other malicious programs for this platform will begin to appear," Kaspersky reported. "Of course, software developers issue patches for known vulnerabilities, but this results in virus writers searching for new methods and weak spots to attack. Overall, malware gains momentum in a snowball-like fashion."

For Linux and open source users in government and elsewhere, that means the worst may be yet to come.

"It was inevitable that these kinds of attacks would be launched toward open source operating systems like Linux," Golden said. "Hackers focus on large targets. As open source has grown, it presents a larger opportunity."

Some say the operating system's openness invites abuse by offering hackers direct access to the guts of the system. But open source proponents say just the opposite is true. A proprietary system hasn't stopped Windows hackers, they note. Moreover, the financial logic of open source may make it especially compelling for cash-strapped government users.

"Since the software is available at no cost," Golden said, "there is never any danger of security fixes being unavailable because software maintenance fees have not been paid or, even worse, software maintenance support being skipped due to budgetary pressures."
Adam Stone, Contributing Writer