MyDoom, Windows and Linux

 
 
By Steven Vaughan-Nichols  |  Posted 2004-02-03
 
 
 

MyDoom, Windows and Linux


In MyDooms aftermath, once more Im confronted with the old lie that if Linux were only as popular as Windows, it too would have Windows-sized security problems. What nonsense!

Yes, Linux has security problems too. Yes, by sheer count of security problems patched, Linux (not Windows) has more holes. But thats not important.

Whats really important is how serious those problems are. With Linux, the problems tend to be small and fixed quickly. With Windows, the problems tend to be larger and not fixed quickly enough. Take, for example, the Internet Explorer phishing bug, which everyone knew about by early December but wasnt fixed until Feb. 2.

Or, more to the point, take MyDoom itself. According to mi2g Intelligence Unit Ltd., a digital risk firm, MyDoom has done at least $22.6 billion of economic damage in terms of loss of business, bandwidth clogging, productivity erosion, management-time reallocation and cost of recovery.

I believe mi2gs numbers. Companies hate to talk about security problems, but off the record I know of at least five Fortune 500 companies that had to shut down their e-mail systems and desktops for hours to clean out the worm, which had clogged their e-mail systems worse than any spam blitz.

I wouldnt be surprised if most of the Fortune 500 were significantly damaged. Despite the lessons of SoBig and Blaster, security continues to be an afterthought in most companies and far too many companies rely on Windows for their desktop operating system and Outlook for their e-mail reader.

Desktop Windows built-in problems come from its history as a stand-alone PC operating system. Unfortunately, today its a networked world. Windows applications have interprocess communications (DLLs, OCXs, ActiveX) that can be activated by user-level scripts (Word macros, for example) or programs (Outlooks view window), which can then run programs or make fundamental changes to the operating system. Microsoft included this because it makes IPC very easy for Windows programs, and it does do exactly that. This is fine in a stand-alone PC where you may want to have your Word documents financial chart to change depending upon the information set in an Excel spreadsheet, but its a fatal security flaw in a networked computer.

Now, the security of Outlook—which is by far the most vulnerable of Windows applications—has improved significantly since the day in 2000 when ILOVEYOU was the worm of the hour and I said Outlook was a "security hole that happens to be an e-mail client." Todays versions of Outlook come with proper security settings so that a user cant start a worm simply by reading or using the view pane to look at a file. But that still leaves other problems.

Next page: Getting to the "root" of the problem.

The Root of the


Problem">

The closest thing Unix/Linux has to this is that for many years some programs required Joe User or Joe Users process to be "root" (the master user with command over all the machines processes) and these programs would automatically do this for Joe. Many Unix/Linux security breeches were based on this hole. Today, most of these programs have been closed down, and this trick doesnt work anymore. Of course, if you run your Linux computer as root, you too can be hammered, but the key difference is that in almost all Linux distributions, default users do not run as root.

In Windows, though, any user can always act as root for their machines core programs and MyDoom uses this opening to add %system%/shimgapi.dll, %temp%/Message and %system%/taskmon.exe. Taskmon.exe is a core Windows 98 family file, and Windows lets a user-level program change this, or in the case of the NT/2000/XP family, add this file! This is security at its worst.

Adding insult to injury, Windows also lets this user-level program add keys and values to the Windows registry and set up a Simple Mail Transport Protocol (SMTP) client—that is, a mail server that sends out MyDoom-infected messages! How crazy is this? Linux was designed from the get-go to be an operating system that works with multiple users on a network. Unlike desktop Windows, it doesnt have networking and basic multiuser security jury-rigged on top of it.

Is Linux vulnerable to attacks? You betcha it is. But it is not now, nor will it ever be, as vulnerable to attacks as Windows, no matter how popular it gets.

However, Linux boxes can be taken down. In all the hubbub around MyDoom no one seems to have noticed that SCO, for all of its Linux hating ways, runs its Web servers on its own UnitedLinux and OpenBSD/NetBSD. Any server—Linux or not—can be brought down by a bad enough distributed denial-of-service (DDoS) attack.

Indeed, MyDoom doesnt even use a fancy DDoS attack; all it does is constantly fire HTTP GET requests at www.sco.com. Thats probably why MyDooms DDoS attack hasnt caused, as some expected, much trouble on overall network throughput. Hundreds or even thousands of GET requests wont cause that much trouble on most networks—its when hundreds of thousands of them target a single IP address that things start to go awry. In short, MyDoom relies on volume, rather than sophistication, to get its DDoS point across.

No, as I see it the real trick to preventing such attacks is twofold. The first, as Larry Seltzer eloquently puts it in his column "MyDoom Lessons: Failures of Education, Antivirus Vendors," is to start using SMTP authentication at the network level to stop the rogue SMTP servers on which MyDoom, Welchia and SoBig rely. The other is for companies to start weaning themselves from Windows desktops. Linux desktops arent perfect, but they are inherently more secure in todays Internet world; thats a fact that any CIO adding up the costs of his MyDoom cleanup needs to keep in mind.

Discuss This in the eWEEK Forum

Editors note: Minor changes were made to clarify some points in this column. The revisions clarify MyDooms behavior as an SMTP client and the relationship between taskmon and the Windows 98 family.

eWEEK.com Linux & Open Source Center Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late 80s and thinks he may just have learned something about them along the way. Be sure to check out eWEEK.coms Linux and Open Source Center at http://linux.eweek.com for the latest Linux news, views and analysis.

Rocket Fuel