Papers and books relating to Unix Computer Viruses

Bruce Ediger
Bruce Ediger's blog

This page presents my bibliography of papers and books containing information on Unix computer viruses.

My question about Unix viruses

We know that several people have written computer viruses that run under Unix. We know that anyone who looks can find source code for several Unix viruses. We know that cross-platform, or platform-independent, viruses and worms exist. Given that some tens of thousands of viruses exist for the Wintel PC platform, why don't Unix viruses exist in the wild?

If you have an answer to this question, mail me.

I think that the answer has something to do with the mild amount of "immunity" that Unix file permissions grant. If an ordinary, non-root user happens to execute a virus-infected executable, the virus runs with that user's privileges and can only infect files that user has permission to write to. This largely eliminates boot-sector viruses (formerly one of the most widespread forms of PC viruses), as most Unix systems don't grant ordinary users write access to the disk device files, so the boot sector stays out of reach unless the virus happens to run as root.
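To make the permission barrier concrete, here is an added example (not code from the original page) that models the classic Unix owner/group/other write check and applies it to a constructed inventory of files. The inventory, the user ids and the group memberships are assumptions invented for the example; the rule itself is standard Unix discretionary access control: uid 0 bypasses the mode bits, and otherwise exactly one triple (owner, then group, then other) is consulted, so a file whose owner triple lacks the write bit is unwritable by its owner even if the group triple would allow it.

```python
"""Write-permission barrier model for a Unix file infector.

Added example, not code from the original page.  Given a process's effective
uid and groups and a file's owner, group and mode bits, it decides whether an
infector running as that user could overwrite the file.  The check follows the
classic Unix discretionary rule: uid 0 bypasses the mode bits; otherwise exactly
one of the owner, group or other triples applies, chosen in that order, and the
other two are never consulted.  The sample files below are constructed for the
example and are not a real system's inventory.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: frozenset  # supplementary group ids


def can_write(proc: Process, f: FileInfo) -> bool:
    """True if proc may open f for writing under the owner/group/other rule."""
    if proc.euid == 0:
        return True  # root ignores the mode bits (no MAC or immutable flags modelled)
    if f.uid == proc.euid:
        return bool(f.mode & stat.S_IWUSR)  # owner triple wins even if it is tighter
    if f.gid == proc.egid or f.gid in proc.groups:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)


def is_executable(f: FileInfo) -> bool:
    """A file infector targets anything with an execute bit, whoever may run it."""
    return bool(f.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def infectable(proc: Process, files) -> list:
    """Paths an infector running as proc could both pick as a host and overwrite."""
    return [f.path for f in files if is_executable(f) and can_write(proc, f)]


# Constructed inventory: alice is uid 1000 and a member of staff (gid 50).
SAMPLE_FILES = [
    FileInfo("/bin/ls", 0, 0, 0o755),
    FileInfo("/usr/local/bin/tool", 0, 50, 0o775),
    FileInfo("/home/alice/bin/script", 1000, 1000, 0o755),
    FileInfo("/home/alice/bin/locked", 1000, 1000, 0o575),  # owner r-x, group rwx
    FileInfo("/home/bob/bin/script", 1001, 1001, 0o755),
    FileInfo("/tmp/shared", 1001, 1001, 0o777),
    FileInfo("/dev/sda", 0, 6, 0o660),  # disk device: no x bit, not world-writable
]

ALICE = Process(1000, 1000, frozenset({1000, 50}))
BOB = Process(1001, 1001, frozenset({1001}))
ROOT = Process(0, 0, frozenset({0}))


def stat_file(path: str) -> FileInfo:
    """Build a FileInfo from the real filesystem."""
    st = os.stat(path)
    return FileInfo(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def current_process() -> Process:
    return Process(os.geteuid(), os.getegid(), frozenset(os.getgroups()))


if __name__ == "__main__":
    # Apply the same check to the regular files on the caller's PATH.
    proc = current_process()
    found = []
    for d in os.environ.get("PATH", "").split(os.pathsep):
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for n in names:
            p = os.path.join(d, n)
            if os.path.isfile(p):
                found.append(stat_file(p))
    targets = infectable(proc, found)
    print(f"uid {proc.euid}: {len(targets)} of {len(found)} PATH executables writable")
```

Running the script as an unprivileged user usually reports a handful of writable PATH executables (typically under the user's own home directory); running it as root reports all of them, which is the whole argument in one number. The model deliberately ignores ACLs, immutable flags and mandatory access control, all of which only narrow the set further.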

Further immunity occurs because Linux and Unix users have, and use, a vast array of text editors, word processors and email clients. A chain-mail (mass-mailing) virus analogous to "Klez" just won't get far in an environment where only a few per cent of the users run the one email client the virus knows how to execute in.

Another area of diversity comes in versions: Linux software in particular undergoes rapid development. Should a macro virus for a Linux word processor arise, the many versions of the word processor that end up in service provide quite a bit of "immunity". Whatever bug or feature a macro virus might exploit to spread probably comes in several different varieties, one for each version of the hypothetical word processor.

Diversity constitutes the key feature of each of these examples: diversity of file permissions by user ID, diversity of email clients, diversity of versions of a word processor. By contrast, the Windows computing culture constitutes a monoculture. Virtually all users run the same word processor, the same web browser, the same email client and the same web server, on the same hardware. Any flaw in one piece of the system allows a single virus (or worm) to infect all of the systems.

Preventing the spread of viruses probably doesn't amount to making 100% of the hosts 100% immune. Prevention probably entails making enough hosts possess a variety of immunities, through local effects like file access permissions and executing different versions of a variety of software.

Serious research exists to support my position on software diversity.

Related web pages

$Id: virefs.html,v 1.15 2000/05/13 15:59:06 bediger Exp bediger $