

Your Baby Is Dead!

That’s what you’d hear if your Linux server fell victim to the thousands of malware attacks lurking in the average network.

That is, according to the PCI DSS. I read the PCI DSS Summary of Changes. It’s pretty much business as usual until you get to 5.1. That’s where you find this little gem:

Clarified requirement applies to all operating systems types commonly affected by malicious software, if applicable anti-virus technology exists.

Okay, sounds good.

Besides use of the term “anti-virus software,” changed the term “virus” to “malicious software.”

Good call, no doubt someone has tried to wriggle out of compliance using that excuse.

Deleted note stating “Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.”

WTF?!?!?!? Is this some kind of twisted April Fool’s prank?
::Channelling Brian Regan::

“Hey, come here; look what I put for Section Five. Did you see? I just did it as a joke but it’s going out like that. It’s already on the website. I don’t know what to do.”
“Just let it go I guess. There’s nothing you can do now.”

Raise your hand if you’ve ever seen a Unix box infected with a virus. Yeah, me neither.

It doesn’t take much imagination to figure out where this comes from. There’s a lot of big money that doesn’t like Unix boxes getting a free pass for pretty much all of Section 5 of the DSS.

To unravel this “mystery” let’s start by figuring out who *loses* money by Unix not needing anti-malware… Yeah, it’s Microsoft. You have to think they’ve been shoving money into the pockets of PCI over this. After all, if businesses realize that they can save money by switching to Linux, especially in the current economic climate, they’re gonna do it. And what business wouldn’t? Switching to Linux saves you the outrageous anti-malware fees and the exorbitant Windows license fees.

Now, besides Microsoft, who stands to benefit from this? Of course the answer is the anti-malware vendors: Symantec, McAfee, TrendMicro, Sophos, AVG (formerly Grisoft), Kaspersky (I’m not going to dignify them with links). If you want some good laughs go read what these guys have to say about Unix viruses.

McAfee, circa 2006:

Macintosh platform vulnerability discovery rates have increased by 228 percent in the past three years alone…

Translation: Your baby is dead!
To their credit, they did follow that up with:

…from 45 found in 2003 to 143 in 2005

Holy hell! Please McAfee, take my money, just protect me!

Sophos, February 13th, 2008, says of the Linux/Rst-B virus:

Analysis of malware in Sophos’s Linux honeypots have shown almost 70 percent of the infections are due to this six-year-old malicious program.

Translation: Your baby is dead!
Holy hell! Nooooo! Not the honeypots! Those things are highly secure! It takes mad 733t skillz to pwn a honeypot! Lots of critical thinking going on there.
In that same press release, I liked this:

“…we hope that Linux users who aren’t running security will at least run this tool to find out if they are infected with this granny virus.”

Ha ha, “granny virus,” awesome. And are you “running security” on your Linux box? What exactly does that mean? No matter, I wrote my own Linux/Rst-B scanner, check it:

#!/usr/bin/env bash
# A "scanner" that never finds anything. That's the joke.
echo "Scanning for Linux/Rst-B virus..."
sleep 5   # look busy for a while
echo "No virus detected!"

To Sophos’ credit, they did put this in:

Hackers typically gain control via weak SSH password or some other vulnerability.

But that’s it. The rest of the time it’s “Linux viruses are taking over! Give us lots of money, and we’ll protect you!”
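Since the only way in that the press release actually names is a guessable SSH password, the check worth running on a Linux box is whether sshd still accepts passwords at all. What follows is an added example, not code from the original post or from Sophos. It audits an sshd_config the way sshd itself reads the file: keywords are case-insensitive, the first value given for a keyword wins, and anything after a Match line is conditional and so left out of the global verdict. The two configs are constructed samples; the defaults assumed for unset keywords are PasswordAuthentication yes, ChallengeResponseAuthentication yes and PermitEmptyPasswords no, while PermitRootLogin is reported as unset because its default depends on the OpenSSH version.

```python
"""Audit sshd_config for settings that still allow password guessing.
Added example, not from the original post or from Sophos."""
import re

# Keywords that open the door to password guessing when they are 'yes'.
WEAK_IF_YES = (
    "passwordauthentication",
    "permitrootlogin",
    "permitemptypasswords",
    "challengeresponseauthentication",  # keyboard-interactive: still a password with UsePAM
)

# Assumed sshd defaults for unset keywords. PermitRootLogin is left out on
# purpose: its default changed between OpenSSH versions, so 'unset' is reported.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}, both lowercased.

    Mirrors how sshd reads the file: keywords are case-insensitive, 'Key value'
    and 'Key=value' are both accepted, '#' starts a comment, the FIRST value
    seen for a keyword wins, and everything after a 'Match' line is
    conditional and therefore not part of the global verdict."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            effective.setdefault(key, value)
    return effective


def find_weak_settings(text):
    """Return {keyword: reason} for every setting that still permits password logins."""
    cfg = parse_sshd_config(text)
    weak = {}
    for key in WEAK_IF_YES:
        value = cfg.get(key)
        if value is None:
            if key not in DEFAULTS:
                weak[key] = "unset (default depends on OpenSSH version)"
            elif DEFAULTS[key] == "yes":
                weak[key] = "yes (unset, so the default applies)"
        elif value == "yes":
            weak[key] = "yes"
    return weak


# Constructed samples, not files from real hosts.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # has no effect: the first value above wins
UsePAM yes
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes   # only for that subnet, so not a global finding
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_weak_settings(conf) or "ok")
```

The weak sample shows the two traps that bite in practice: the second PasswordAuthentication line does nothing because sshd keeps the first value, and ChallengeResponseAuthentication was never set, so with UsePAM yes a keyboard-interactive login still asks for, and accepts, a password.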

Here’s the only place where you can argue Unix anti-malware makes sense: email and file servers. Let those servers be good Samaritans and catch the Windows viruses before they are spread around. It’s a waste anywhere else.

That being said, one could argue running anti-malware on a Unix box does more harm than good. It’s more than the obvious sucking up of resources. My biggest problem is that running anti-malware on a box adds one more attack surface: a scanner parses every file and attachment an attacker cares to send you, usually as root, so a bug in the scanner is a bug the attacker can reach. Historically, there have been many instances where anti-malware software has made people more vulnerable, my favorite being this one.

Finally, I want to add that viruses are already becoming passé. Okay, maybe not for Windows, but certainly for Unix. Just look at the pwn2own contest. Yeah, the Mac fell in like two minutes, but it had *nothing* to do with a virus, or any kind of malware that’s going to be detected. And that’s the point. Linux, OS X, and other Unix OSes are not going to be taken by traditional malware. Any attacker worth his salt is gonna do it through the web browser. Email: lame. Open ports: too much work. SSH: maybe. Web browser: booyah!

The web browser is the ultimate vector, because you, as a user, are giving some portion of control of your computer to a remote machine. Just look at the recent OS X viruses: they change your system’s network settings so your traffic goes to the bad guys’ site. Oh snap!
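The behaviour just described, network settings silently pointed at a resolver the attacker controls, is easy to check for without an anti-malware engine. This is an added example, not code from the original post: it parses resolv.conf-style text and reports every nameserver that falls outside an allowlist. The allowlist and both sample files are constructed, with the documentation addresses 203.0.113.7 and 2001:db8::53 standing in for attacker-controlled resolvers.

```python
"""Flag DNS resolvers that are not ours. Added example, not from the original post."""
import ipaddress

# Constructed allowlist: loopback plus RFC 1918 space, where an organisation's
# own resolvers normally live. Replace with the real resolver addresses in practice.
ALLOWED_RESOLVERS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text, in file order.

    Comments start with '#' or ';'. Malformed addresses are skipped, which is
    also what the resolver library does with them."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue
    return servers


def rogue_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Return the nameservers (as strings) that lie outside every allowed network.
    Membership tests across IP versions are always False, so a v6 address is
    only ever matched against the v6 networks in the allowlist."""
    return [
        str(ip)
        for ip in parse_resolv_conf(text)
        if not any(ip in net for net in allowed)
    ]


# Constructed samples: a normal workstation and one whose resolvers were rewritten.
CLEAN_RESOLV_CONF = """\
# Generated by the network manager
search corp.example
nameserver 192.168.1.1
nameserver 127.0.0.1
"""

HIJACKED_RESOLV_CONF = """\
search corp.example
nameserver 203.0.113.7      ; first in the list, so it answers every query
nameserver 2001:db8::53
nameserver 192.168.1.1      ; the legitimate resolver, now only a fallback
"""

if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_RESOLV_CONF), ("hijacked", HIJACKED_RESOLV_CONF)):
        print(name, rogue_resolvers(conf) or "ok")
```

Order matters in the hijacked sample: the rogue server is listed first, so it gets every query and the legitimate resolver only sees traffic if the rogue one stops answering. On OS X /etc/resolv.conf is generated from the system’s network settings rather than being the only place resolvers are configured, so treat this as one signal and check the settings the malware actually edits as well.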

At any rate, PCI removing the statement that Unix systems are not commonly affected by malware has no basis in reality and exists *solely* to make big, slow, outdated technology companies more money.

That’s bad enough in and of itself. But what makes it worse is the fact that PCI auditors are just an army of box-ticking robots. Seriously. Trying to reason with one is an exercise in futility.

Now the worst part: there’s nothing we can do about it. PCI can come up with any bullshit, cockamamie rule they feel like, and you have to comply or you’re out of business. Rant off.

P.S. – To any box-ticking robots that read this, get off your Huffy and write to me. I’m not an auditor; what’s your side of the story?

Posted in Linux, OS X, Rant, Security.



2 Responses


  1. Will Jones says

    All valid points. But at the end of the day, you need to install AV on your Linux boxes to comply. So what approach do you take to comply?

  2. jtanium says

    There really is only one choice: ClamAV.


