The Root of the

By Steven Vaughan-Nichols  |  Posted 2004-02-03

The closest thing Unix/Linux has to this is that for many years some programs required Joe User or Joe User's process to be "root" (the master user with command over all the machine's processes), and these programs would automatically do this for Joe. Many Unix/Linux security breaches were based on this hole. Today, most of these programs have been closed down, and this trick doesn't work anymore. Of course, if you run your Linux computer as root, you too can be hammered, but the key difference is that in almost all Linux distributions, default users do not run as root.

In Windows, though, any user can always act as root for their machine's core programs, and MyDoom uses this opening to add %system%/shimgapi.dll, %temp%/Message and %system%/taskmon.exe. Taskmon.exe is a core Windows 98 family file, and Windows lets a user-level program change this, or in the case of the NT/2000/XP family, add this file! This is security at its worst.

Adding insult to injury, Windows also lets this user-level program add keys and values to the Windows registry and set up a Simple Mail Transport Protocol (SMTP) client—that is, a mail server that sends out MyDoom-infected messages! How crazy is this? Linux was designed from the get-go to be an operating system that works with multiple users on a network. Unlike desktop Windows, it doesn't have networking and basic multiuser security jury-rigged on top of it.
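The privilege model described above (setuid-root programs on Unix, and system files an ordinary user can modify on Windows) is something an administrator can audit rather than take on faith. The following is an added example, not code from the column or from eWEEK: it walks a directory tree and reports setuid executables (with their owner, since only uid 0 makes one "root") and anything world-writable that is not a sticky directory such as /tmp. The `build_demo_tree()` fixture is constructed here so the audit can be run offline; the file names in it are invented.

```python
# Added example (not from the column): a small privilege-surface audit for a
# Unix/Linux tree, checking the two conditions the column describes:
#   1. setuid programs, which run as their owner (root, if uid 0) on behalf
#      of an ordinary user
#   2. files or directories an ordinary user could modify (world-writable),
#      the Windows-style failure the column contrasts with
import os
import stat
import tempfile


def audit_tree(root):
    """Walk `root`; return (setuid, world_writable).

    setuid is a list of (path, owner_uid) for regular files with S_ISUID set;
    world_writable is a list of paths writable by everyone, excluding sticky
    directories (a sticky /tmp is expected; anything else is a hole)."""
    setuid = []
    world_writable = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # the link target is judged on its own
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                setuid.append((path, st.st_uid))
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                world_writable.append(path)
    return sorted(setuid), sorted(world_writable)


def build_demo_tree():
    """Constructed fixture (hypothetical file names): a setuid helper, an
    ordinary binary, a world-writable config file and a sticky tmp dir."""
    root = tempfile.mkdtemp(prefix="privaudit-")
    for sub in ("bin", "etc", "tmp"):
        os.mkdir(os.path.join(root, sub))
    layout = {
        "bin/su-like": 0o4755,   # setuid: flagged
        "bin/ls-like": 0o755,    # ordinary: not flagged
        "etc/config": 0o666,     # world-writable file: flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)  # sticky: not flagged
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    found_setuid, found_ww = audit_tree(demo)
    for path, uid in found_setuid:
        print("setuid  uid=%d  %s" % (uid, path))
    for path in found_ww:
        print("world-writable  %s" % path)
```

Run it against `/` (as root, to avoid permission-denied noise) and compare the setuid list against what the distribution actually installs; on a default install the list should be short and every entry explainable.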

Is Linux vulnerable to attacks? You betcha it is. But it is not now, nor will it ever be, as vulnerable to attacks as Windows, no matter how popular it gets.

However, Linux boxes can be taken down. In all the hubbub around MyDoom no one seems to have noticed that SCO, for all of its Linux-hating ways, runs its Web servers on its own UnitedLinux and OpenBSD/NetBSD. Any server—Linux or not—can be brought down by a bad enough distributed denial-of-service (DDoS) attack.

Indeed, MyDoom doesn't even use a fancy DDoS attack; all it does is constantly fire HTTP GET requests at That's probably why MyDoom's DDoS attack hasn't caused, as some expected, much trouble on overall network throughput. Hundreds or even thousands of GET requests won't cause that much trouble on most networks—it's when hundreds of thousands of them target a single IP address that things start to go awry. In short, MyDoom relies on volume, rather than sophistication, to get its DDoS point across.

No, as I see it the real trick to preventing such attacks is twofold. The first, as Larry Seltzer eloquently puts it in his column "MyDoom Lessons: Failures of Education, Antivirus Vendors," is to start using SMTP authentication at the network level to stop the rogue SMTP servers on which MyDoom, Welchia and SoBig rely. The other is for companies to start weaning themselves from Windows desktops. Linux desktops aren't perfect, but they are inherently more secure in today's Internet world; that's a fact that any CIO adding up the costs of his MyDoom cleanup needs to keep in mind.
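Both halves of the column's technical argument (a DDoS that is nothing more than volume, and a worm that carries its own SMTP engine so it never needs the site's authenticated relay) show up plainly in ordinary logs. The block below is an added example, not code from the column or from eWEEK. It builds two constructed log samples (a Common Log Format access log and a generic `key=value` firewall connection log; the addresses and the relay name `10.1.1.2` are invented) and runs two detections over them: GET requests per source per minute, and internal hosts opening outbound TCP/25 sessions that are not the sanctioned relay.

```python
# Added example (not from the column): volume and egress detections run over
# constructed log lines.
#   get_flood_sources()  - counts GET requests per client per minute in a
#                          Common Log Format access log; flags sources that
#                          reach a threshold (the "volume, not sophistication"
#                          pattern the column describes)
#   rogue_smtp_clients() - from firewall connection records, flags internal
#                          hosts talking SMTP directly instead of through the
#                          authenticated relay the column recommends
import re
from collections import Counter

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)
FW_RE = re.compile(r'(\w+)=(\S+)')


def _clf_line(src, ts, method="GET", path="/", status=200, size=512):
    """Build one constructed Common Log Format line."""
    return '%s - - [%s] "%s %s HTTP/1.1" %d %d' % (src, ts, method, path, status, size)


# Constructed access log: one source hammering GET / 150 times inside a
# single minute, two ordinary visitors, and one POST that must not count.
ACCESS_LOG = "\n".join(
    [_clf_line("10.1.1.7", "03/Feb/2004:10:00:%02d +0000" % (i % 60)) for i in range(150)]
    + [
        _clf_line("198.51.100.4", "03/Feb/2004:10:00:30 +0000", path="/news"),
        _clf_line("198.51.100.5", "03/Feb/2004:10:01:02 +0000"),
        _clf_line("198.51.100.5", "03/Feb/2004:10:01:03 +0000", method="POST", path="/login"),
    ]
)

# Constructed firewall records: the sanctioned relay 10.1.1.2 sending mail,
# two workstations speaking SMTP directly (what a worm's own SMTP engine
# looks like from the network edge), and unrelated web traffic.
FW_LOG = """\
src=10.1.1.2 dst=203.0.113.25 proto=tcp dport=25 action=allow
src=10.1.1.7 dst=203.0.113.25 proto=tcp dport=25 action=allow
src=10.1.1.7 dst=198.51.100.9 proto=tcp dport=25 action=allow
src=10.1.1.9 dst=192.0.2.17 proto=tcp dport=25 action=allow
src=10.1.1.8 dst=192.0.2.80 proto=tcp dport=80 action=allow
"""


def get_flood_sources(log_text, threshold=100):
    """Return {(src, minute): count} for every source whose GET count in one
    minute bucket reaches `threshold`. Non-GET and unparsable lines are
    ignored rather than treated as attack traffic."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        minute = m.group("ts")[:17]  # "dd/Mon/yyyy:HH:MM"
        counts[(m.group("src"), minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def rogue_smtp_clients(log_text, relay):
    """Return the set of source hosts that opened outbound TCP/25 sessions
    without being the sanctioned relay `relay`."""
    rogue = set()
    for line in log_text.splitlines():
        rec = dict(FW_RE.findall(line))
        if rec.get("proto") == "tcp" and rec.get("dport") == "25" and rec.get("src") != relay:
            rogue.add(rec["src"])
    return rogue


if __name__ == "__main__":
    for (src, minute), n in sorted(get_flood_sources(ACCESS_LOG).items()):
        print("GET flood: %s sent %d requests in %s" % (src, n, minute))
    for host in sorted(rogue_smtp_clients(FW_LOG, relay="10.1.1.2")):
        print("direct SMTP from non-relay host: %s" % host)
```

The second detection is only useful alongside the policy it checks: an egress rule that permits TCP/25 from the relay alone, and a relay that requires SMTP authentication before accepting mail. With that in place, the firewall log shows either nothing or exactly the hosts that need cleaning.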


Editor's note: Minor changes were made to clarify some points in this column. The revisions clarify MyDoom's behavior as an SMTP client and the relationship between taskmon and the Windows 98 family. Linux & Open Source Center Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late '80s and thinks he may just have learned something about them along the way. Be sure to check out eWEEK.com's Linux and Open Source Center at for the latest Linux news, views and analysis.

Steven J. Vaughan-Nichols is editor at large for Ziff Davis Enterprise. Prior to becoming a technology journalist, Vaughan-Nichols worked at NASA and the Department of Defense on numerous major technological projects. Since then, he's focused on covering the technology and business issues that make a real difference to the people in the industry.
