> I'm looking for the core details as to why UNIX doesn't get viruses.

Oh it can, but it heavily depends on what kind of virusses and in what way.

For example; Unix isn't safe for the so called 'trojan horse' virusses; but
when used in a sane manner the damage will always be limited to the users own
homedirectory and/or other personal files on the system. The system itself
won't be harmed.

The reason why is obvious: a user doesn't own all the files on the system and
as such doesn't have the option to access them all.

When you wish to attack the system itself you'd be looking at trying to gain
root access. And that is close to impossible when it comes to automating this
since there are just too many possible scenario's out there.

For example; suppose you wish to compromise a system using a backdoor in a
certain program which has been installed suid (execute as user, and its owned
by root). You'd have to be able and get the version of the program so that you
can be sure its exploitable. Not all programs support this. You can't simply
assume that "Unix version 6" will always have this program available, even if
we're talking about system-related binaries.

Now... Lets assume you did manage to get into the system using this backdoor.
Then what ? A virus needs to spread itself, but how are you going to do that?
On Solaris (9 and up anyway) becoming root doesn't automaticly have to imply
you're also becoming all powerfull (RBAC control).

Further more your ways of spreading can be equally limited. For example; on my
servers both incoming /and/ outgoing traffic is limited by a firewall. But
since this is a manual-build firewall its a little tedious for an attacker to
simply change this. He might get away by adding a certain rule directly in
memory, but how long would it last ? Its nearly impossible to write out his
changes to some script since well.. it /could/ be /etc/ipf/ipf.conf but it
doesn't have to be the case. The virus could even be running in a non-global
zone, thus having absolutely no control over the firewall at all, root or not.
And even if it is /etc/ipf/ipf.conf, where exactly would he add the rule?
Another common trade of virusses is to remain on a low profile, but if you
simply add a rule allowing certain access to a port on top of a script (even
before the comments start) it would be a little too easy to spot.

And when all of this isn't enough you can also keep in mind that "Unix" covers
an awfull lot of operating systems. You can't simply put 'm all in the same
collection since the OS maybe a Unix (-like) operating system, it doesn't imply
that its fundamentally the same. Some things like "ls, cp, dd" maybe, but you'd
need more than that for an effective virus.

So lets forget this mumbo jumbo and attack an already exposed program directly,
thats basicly the same approach most MS based virusses use (an e-mail infecting
a system, a word macro infecting a system, etc.). What we'll do is attack the
mailserver itself, thats bound to work.. not. A common mailserver doesn't run
with the credentials as root, thus limiting his access to the system. On most
of my servers the mailserver can only write data in 2 places; the mail spool
and the global /tmp directory. Both are mounted in such a way that it is
impossible to execute programs from those places. That makes it a little bit
difficult to abuse the server in such a way. Same applies to my webserver, irc
server, etc.

And even if you /do/ manage to write up a virus which is capable in taking all
of these issues into account.. First of all you'd be already too late since
most of the vulnerabilities you targetted will be already fixed, second your
program is likely so big that its hardly a slick virus anymore.

So commonly speaking I think it is safe to say that virusses on Unix like
operating systems are nearly impossible.

The moment when Windows manages to allow a user to do his things /without/
having full access to trivial parts like $windows\system and $windows\system32
is the moment they're taking a giant step forward on catching up.

Note; I am aware that this approach is already possible, even from Win2k and
up, but not in such a transparent way where Joe Doe would seriously consider
using it in order to protect his (and others) safety. Simply because in order
to install/remove certain software would always mean switching users, which
takes too much effort from an end-users point of view.

Groetjes, Peter

..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc