In Chapter 4 of Sun Tzu's great work, The Art of War, the Chinese master says
that "invincibility lies in the defense; the possibility of victory in the
attack". Software platforms throughout the world often set forth only half
of this equation, to their detriment. Of course, Linux has been the exception on
every security parameter imaginable, according to its strongest backers.
But at last a worm has surfaced that is specially designed to hit the invincible
penguin where it hurts. This first major anti-Linux strike by the worm,
which McAfee named 'Lupper', Computer Associates 'Lupper.A' and
Symantec 'Plupii', clearly drives home the point that the democrat (open
source) is as vulnerable as the oligarch (proprietary software).
Of course, Lupper is not the first anti-Linux program and certainly won't
be the last. The ADM worm was the first virus aimed specifically at Linux users
and appeared briefly in 1998. Symantec has reported three Linux viruses in the
wild since the start of 2004.
As for Lupper, when the security firm Secunia first sounded a warning in
February, corporate eyebrows were not raised high enough, though the operators of
many website content management and blogging systems that run on Linux were
reasonably worried. This was because, as Secunia explained, content management
systems based on the PHP scripting language were vulnerable to a flaw in PHP's
handling of XML commands. Researcher James Bercegay of GulfTech Security Research
had said that the flaw could be exploited remotely using a specially crafted XML
document.
Turning off the XML-RPC function, a simple protocol used to make remote
procedure requests to Internet-based servers, was suggested as a quick solution.
But the vulnerability continued to be present in popular applications such as
PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, which
Lupper targeted on November 8.
Data passing through Web servers is still not meticulously screened against
possible attack scenarios. Port 80 continues to be a key gateway to everything
from Hell. That Linux is no less vulnerable to port 80 intrusions is a
revelation. The Internet Storm Center says that Lupper attempted to download a
remote-access trojan from one system and use the trojan to try to connect to
another site via port 80.
According to a McAfee report, "the worm blindly attacks Web servers by
sending malicious http requests on port 80."
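The blind probing of XML-RPC endpoints over port 80 that the article describes can be spotted in ordinary web server logs. The following is an added detection example, not code from the article or from any of the vendors it names: it parses constructed Apache-style access-log lines, groups POSTs to XML-RPC endpoints by source address, and flags sources that hit several distinct paths (many of them 404), which is the signature of a worm guessing application locations rather than a blogging client talking to one known endpoint. The endpoint heuristic (any path ending in xmlrpc.php or containing /xmlrpc) and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined"-style access log: client, timestamp, request line,
# status and size. Referer and User-Agent may follow; they are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the request fields of one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_xmlrpc_request(rec):
    """True for POSTs to an XML-RPC endpoint (heuristic on the path, query ignored)."""
    path = rec["path"].split("?", 1)[0].lower()
    return rec["method"] == "POST" and (path.endswith("/xmlrpc.php") or "/xmlrpc" in path)

def find_xmlrpc_probers(lines, min_hits=3):
    """Group XML-RPC POSTs by source IP and report sources with at least
    min_hits of them, with how many distinct paths they tried and how many
    were 404s. A legitimate client posts to one existing endpoint; a blind
    scanner walks a list of guessed paths and collects 404s along the way."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_xmlrpc_request(rec):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    report = {}
    for ip, reqs in hits.items():
        if len(reqs) >= min_hits:
            report[ip] = {
                "requests": len(reqs),
                "distinct_paths": len({p for p, _ in reqs}),
                "not_found": sum(1 for _, s in reqs if s == "404"),
            }
    return report

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Nov/2005:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/Nov/2005:10:15:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 209',
    '203.0.113.5 - - [08/Nov/2005:10:15:03 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [08/Nov/2005:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '198.51.100.9 - - [08/Nov/2005:10:17:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, info in find_xmlrpc_probers(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real access log with `find_xmlrpc_probers(open(path))`; the single legitimate-looking POST from 198.51.100.9 is reported only if `min_hits` is lowered to 1.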
While discussing security alternatives to Lupper, the classic case of the
fence eating the crop surfaces again. Security protocols in today's
data centers do not afford the luxury of giving every user the right to update
his system, and this often prevents timely updates to potential target
systems. While Linux supporters point out that the OS has very strong update
capabilities and download managers that apply patches without expert
intervention, the fact is that many Linux users still fail to make full use of
them.
But hey, just over 35,000 bytes of info have been affected at the time of
writing, so why worry? And Linux's lack of a Windows-style data center
penetration is right now a blessing in disguise. However, the idea that Linux is
inherently more secure than Microsoft, while partly true in some contexts, also
rests on Linux's low deployment density: Microsoft is targeted more
heavily simply because of its high usage.
So, complacency has been where the real danger lay ensconced. Even the
security firms had waited long enough for a worm to hit Linux hard before coming
up with counter-measures. Leading security firm Network Associates (NA) only
last year released its first Linux server anti-virus software, citing the need
to "stop the transmission through Linux servers of malicious code aimed at
Windows," according to an NA release.
Many security firms that had developed or focused fully on Unix anti-virus
products are now moving to Linux to deal with potential threats to businesses
running both Windows and open source software. The other market will be
for securing Linux systems running on Unix servers. Granted, hackers are
focusing more on Microsoft, but comparisons are irrelevant where security
strategies go. Post-Lupper, the consumer will be demanding a stronger Linux.