MyDoom, Windows and Linux
In MyDoom's aftermath, once more I'm confronted with the old lie that if Linux were only as popular as Windows, it too would have Windows-sized security problems. What nonsense!
Yes, Linux has security problems too. Yes, by sheer count of security problems patched, Linux (not Windows) has more holes. But that's not important.
What's really important is how serious those problems are. With Linux, the problems tend to be small and fixed quickly. With Windows, the problems tend to be larger and not fixed quickly enough. Take, for example, the Internet Explorer phishing bug, which everyone knew about by early December but wasn't fixed until Feb. 2.
Or, more to the point, take MyDoom itself. According to mi2g Intelligence Unit Ltd., a digital risk firm, MyDoom has done at least $22.6 billion of economic damage in terms of loss of business, bandwidth clogging, productivity erosion, management-time reallocation and cost of recovery.
I believe mi2g's numbers. Companies hate to talk about security problems, but off the record I know of at least five Fortune 500 companies that had to shut down their e-mail systems and desktops for hours to clean out the worm, which had clogged their e-mail systems worse than any spam blitz.
I wouldn't be surprised if most of the Fortune 500 were significantly damaged. Despite the lessons of SoBig and Blaster, security continues to be an afterthought in most companies and far too many companies rely on Windows for their desktop operating system and Outlook for their e-mail reader.
Desktop Windows' built-in problems come from its history as a stand-alone PC operating system. Unfortunately, today it's a networked world. Windows applications have interprocess communications (DLLs, OCXs, ActiveX) that can be activated by user-level scripts (Word macros, for example) or programs (Outlook's view window), which can then run programs or make fundamental changes to the operating system. Microsoft included this because it makes IPC very easy for Windows programs, and it does do exactly that. This is fine in a stand-alone PC where you may want to have your Word document's financial chart to change depending upon the information set in an Excel spreadsheet, but it's a fatal security flaw in a networked computer.
Now, the security of Outlook—which is by far the most vulnerable of Windows applications—has improved significantly since the day in 2000 when ILOVEYOU was the worm of the hour and I said Outlook was a "security hole that happens to be an e-mail client." Today's versions of Outlook come with proper security settings so that a user can't start a worm simply by reading or using the view pane to look at a file. But that still leaves other problems.
The closest thing Unix/Linux has to this is that for many years some programs required Joe User or Joe User's process to be "root" (the master user with command over all the machine's processes) and these programs would automatically do this for Joe. Many Unix/Linux security breaches were based on this hole. Today, most of these programs have been closed down, and this trick doesn't work anymore. Of course, if you run your Linux computer as root, you too can be hammered, but the key difference is that in almost all Linux distributions, default users do not run as root.
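The programs the column describes, which silently elevate an ordinary user's process to root, are what Unix calls set-user-ID binaries, and the practical check on a Linux box is to know exactly which of them exist. The audit below is an added example, not code from the column or from any distribution: it walks a directory tree, reports every regular file carrying the setuid bit together with its owner, and builds a small constructed tree in a temporary directory so the audit can be exercised offline. The file names `legacy_helper` and `ordinary_tool` are made up for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_setuid_files(root):
    """Walk `root` and return a sorted list of (path, owner_uid) for every
    regular file carrying the set-user-ID bit. Symlinks are not followed
    and unreadable entries are skipped so the audit does not abort halfway."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings.append((path, st.st_uid))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample tree: one file with the setuid bit, one without."""
    base = Path(base)
    (base / "bin").mkdir(parents=True, exist_ok=True)
    elevated = base / "bin" / "legacy_helper"   # hypothetical auto-elevating program
    ordinary = base / "bin" / "ordinary_tool"   # hypothetical normal program
    for f in (elevated, ordinary):
        f.write_bytes(b"#!/bin/sh\nexit 0\n")
    # chmod after writing: Linux clears the setuid bit when an unprivileged user writes to the file
    os.chmod(elevated, 0o4755)   # rwsr-xr-x
    os.chmod(ordinary, 0o755)    # rwxr-xr-x
    return elevated, ordinary


def demo_setuid_audit():
    """Build the sample tree in a temp dir, audit it, return the setuid paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [os.path.relpath(p, tmp) for p, _uid in find_setuid_files(tmp)]


if __name__ == "__main__":
    # Real use: audit a system directory and call out the root-owned entries,
    # which are the ones that hand root to whoever runs them.
    for path, uid in find_setuid_files("/usr/bin"):
        print(f"{path}\towner uid {uid}{'  <- root-owned' if uid == 0 else ''}")
```

Run against a real `/usr/bin` the list should be short and every entry should be one you can name; anything unexpected is exactly the class of hole the column is talking about.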
In Windows, though, any user can always act as root for their machine's core programs and MyDoom uses this opening to add %system%/shimgapi.dll, %temp%/Message and %system%/taskmon.exe. Taskmon.exe is a core Windows 98 family file, and Windows lets a user-level program change this, or in the case of the NT/2000/XP family, add this file! This is security at its worst.
Adding insult to injury, Windows also lets this user-level program add keys and values to the Windows registry and set up a Simple Mail Transport Protocol (SMTP) client—that is, a mail server that sends out MyDoom-infected messages! How crazy is this?
Linux was designed from the get-go to be an operating system that works with multiple users on a network. Unlike desktop Windows, it doesn't have networking and basic multiuser security jury-rigged on top of it.
Is Linux vulnerable to attacks? You betcha it is. But it is not now, nor will it ever be, as vulnerable to attacks as Windows, no matter how popular it gets.
However, Linux boxes can be taken down. In all the hubbub around MyDoom no one seems to have noticed that SCO, for all of its Linux-hating ways, runs its Web servers on its own UnitedLinux and OpenBSD/NetBSD. Any server—Linux or not—can be brought down by a bad enough distributed denial-of-service (DDoS) attack.
Indeed, MyDoom doesn't even use a fancy DDoS attack; all it does is constantly fire HTTP GET requests at www.sco.com. That's probably why MyDoom's DDoS attack hasn't caused, as some expected, much trouble on overall network throughput. Hundreds or even thousands of GET requests won't cause that much trouble on most networks—it's when hundreds of thousands of them target a single IP address that things start to go awry. In short, MyDoom relies on volume, rather than sophistication, to get its DDoS point across.
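Because the attack is pure volume, the signal a web administrator can look for is equally plain: the number of GET requests landing in a short window, both per source and in aggregate. The detector below is an added example, not the column's code or anything from SCO: it parses combined-format access-log lines, computes the peak request count inside any ten-second window with a two-pointer sweep, and flags a flood when one source or the aggregate crosses a threshold. The log format, the addresses, the window size and the thresholds are all assumptions chosen for the demonstration, and the sample traffic is constructed in code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def peak_in_window(times, window_seconds):
    """Largest number of events falling inside any interval of window_seconds.
    Two-pointer sweep over the sorted timestamps."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_get_flood(lines, window_seconds=10, per_source_threshold=20, total_threshold=100):
    """Flag a GET flood either by one source hammering the site or by the
    aggregate rate across all sources, which is how a worm-driven flood shows up."""
    per_source = defaultdict(list)
    all_times = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        per_source[rec["ip"]].append(rec["ts"])
        all_times.append(rec["ts"])
    noisy = {}
    for ip, ts in per_source.items():
        peak = peak_in_window(ts, window_seconds)
        if peak >= per_source_threshold:
            noisy[ip] = peak
    total_peak = peak_in_window(all_times, window_seconds) if all_times else 0
    return {
        "noisy_sources": noisy,
        "total_peak": total_peak,
        "flood": total_peak >= total_threshold or bool(noisy),
    }


def build_sample_log():
    """Constructed traffic: five infected hosts each fire 30 GET / within ten
    seconds, plus one ordinary visitor and one POST that the detector ignores."""
    t0 = datetime(2004, 2, 1, 16, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method="GET", path="/"):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'

    lines = []
    for bot in ("10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"):
        lines += [line(bot, i // 3) for i in range(30)]   # three requests per second
    lines += [line("192.0.2.7", 0), line("192.0.2.7", 30, path="/news.html"),
              line("192.0.2.7", 60), line("192.0.2.7", 5, "POST", "/form")]
    return lines


def demo_flood_detection():
    return detect_get_flood(build_sample_log())
```

On the constructed sample each bot peaks at 30 requests in ten seconds and the aggregate peaks at 151, so both tests trip; the ordinary visitor never appears in `noisy_sources`. The aggregate check matters because a worm spreads the load across many sources, each of which may stay under a per-source limit.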
No, as I see it the real trick to preventing such attacks is twofold. The first, as Larry Seltzer eloquently puts it in his column "MyDoom Lessons: Failures of Education, Antivirus Vendors," is to start using SMTP authentication at the network level to stop the rogue SMTP servers on which MyDoom, Welchia and SoBig rely. The other is for companies to start weaning themselves from Windows desktops. Linux desktops aren't perfect, but they are inherently more secure in today's Internet world; that's a fact that any CIO adding up the costs of his MyDoom cleanup needs to keep in mind.
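The rogue SMTP servers the column wants stopped (the worm's own SMTP engine on an infected desktop, described a few paragraphs up) are also easy to spot at the network edge once a policy exists that only the mail relay may talk to outside port 25. The script below is an added example, not code from the column or from Larry Seltzer's: it reads constructed firewall connection-log lines, lists every internal host other than the authorized relay that opened TCP/25 directly to the Internet, and separates a single stray connection from the many-destination fan-out that a mass-mailing worm produces. The log format, the relay address `10.1.1.10`, the other addresses and the fan-out threshold are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Assumed firewall connection-log format for this example:
# <timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> action=<allow|deny>
FLOW_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) '
    r'dport=(?P<dport>\d+) action=(?P<action>\w+)$'
)


def parse_flow(line):
    """Return the fields of one flow line as a dict, or None if it does not parse."""
    m = FLOW_RE.match(line)
    return m.groupdict() if m else None


def find_rogue_smtp_senders(lines, authorized_relays, fanout_threshold=10):
    """Hosts other than the authorized relay(s) that opened TCP/25 directly
    to outside mail servers, with the count of distinct destinations each hit.
    A large fan-out is the signature of a worm running its own SMTP engine;
    a single destination is more likely a misconfigured client."""
    destinations = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp" or f["dport"] != "25":
            continue
        if f["src"] in authorized_relays:
            continue
        destinations[f["src"]].add(f["dst"])
    violations = {src: len(dsts) for src, dsts in destinations.items()}
    mass_mailers = sorted(src for src, n in violations.items() if n >= fanout_threshold)
    return {"violations": violations, "mass_mailers": mass_mailers}


def build_sample_flows():
    """Constructed flows: the relay doing its job, an infected desktop spraying
    12 outside mail servers, a desktop with one stray direct connection, and
    ordinary web and DNS traffic that must not be flagged."""
    def flow(src, dst, dport, proto="tcp", sec=0):
        return (f"2004-02-01T16:00:{sec:02d}Z src={src} dst={dst} "
                f"proto={proto} dport={dport} action=allow")

    lines = []
    for i in range(5):
        lines.append(flow("10.1.1.10", f"203.0.113.{i}", 25, sec=i))      # authorized relay
    for i in range(12):
        lines.append(flow("10.1.4.22", f"198.51.100.{i}", 25, sec=i))     # infected desktop
    lines.append(flow("10.1.4.23", "203.0.113.9", 25, sec=20))            # one stray connection
    lines.append(flow("10.1.4.23", "203.0.113.9", 25, sec=21))            # same destination again
    lines.append(flow("10.1.4.24", "203.0.113.50", 80, sec=22))           # web traffic
    lines.append(flow("10.1.4.24", "203.0.113.53", 53, proto="udp", sec=23))  # DNS
    return lines


def demo_rogue_smtp():
    return find_rogue_smtp_senders(build_sample_flows(), authorized_relays={"10.1.1.10"})


if __name__ == "__main__":
    result = demo_rogue_smtp()
    for host, n in sorted(result["violations"].items()):
        tag = "  <- mass-mailer" if host in result["mass_mailers"] else ""
        print(f"{host}\tdirect SMTP to {n} outside host(s){tag}")
```

Once desktops are required to hand mail to an authenticating relay and the edge only permits that relay outbound on port 25, the `violations` set should be empty on a clean day, which turns this from a hunt into a simple alarm: any entry at all is worth a look, and a fan-out entry is an infected machine.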
Editor's note: Minor changes were made to clarify some points in this column. The revisions clarify MyDoom's behavior as an SMTP client and the relationship between taskmon and the Windows 98 family.
eWEEK.com Linux & Open Source Center Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late '80s and thinks he may just have learned something about them along the way. Be sure to check out eWEEK.com's Linux and Open Source Center at http://linux.eweek.com for the latest Linux news, views and analysis.
Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in eWEEK.