Initially I wrote this as a reply to local group discussion with similar question. And then my friend said I should publish my answer as a post. Thanks for the advice, and here is our discussion.
First, what is malware?
Malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to certain computer. It can appear in the form of executable code, script, active content, anything. From user perspective, any malware often called as virus but it’s not exactly true. Virus is one malware categories. Malware can be divided into some categories such as computer virus, worm, trojan horse, adware, rootkits etc. If we want to discuss about malware, it can be another topic so let’s limit our discussion to computer virus and worm.
There’s a myth, if you are using Linux you are immune to malware. This is partially true. Viruses and Worms are exists even in Unix world. You can read some list from Wikipedia.
Now, it comes to the real question, why Linux/Unix is less infected by malware? Some people might answer from user demographic (who use Linux and other OS). Personally I don’t choose this answer and rather go to more technical answer.
Please note that this is my own opinion and might be biased.
From OS distribution, most operating system used worldwide is still Windows. I pick the statistics from W3schools, Linux and Unix got less than 10% each. Per September 2014, most operating system used are Windows 7.
Linux and Unix mostly used for server, embedded system, devices, etc although quite many people use Linux as their main operating system. As we know one who creating something must have specific goal or purpose. As the OS market share still dominated by Windows then no wonder malware for Windows are keep popping up. Mostly they are targeting users.
If by chance Linux dominating the market share, it should be obvious malware will sprung and targetting linux. This is natural.
To determine the answer, first we need to look to inside of both OSs.
Why Windows sucks?
- Windows API – Windows has rich APIs. Some of Windows API (WIN32 API) can be executed by any user. Yes, you got the point. When one user make mistakes, boom! The system is in danger. Also, Windows is famous with its being want to be backward compatible as possible (hence, we have Windows 10 instead of Windows 9) which implicate that you can use that API.
- Access Control List – Yes, Windows have ACL. But how many of us knows, or using it? People don’t know and maybe not apply it. Without control, malware can spread freely. Yes, you can use ACL but by default each resource you have is not affected by ACL.
- Multiuser Design – Windows have common user and superuser (known as Administrator). But on most system, one user on the system is also a super user.
- Device Access – Literally! On some Windows, any program can access any devices connected if you program it. Life is easier.
- Registry system – Windows use a huge database for it’s global configuration, known as registry. Like I said in point (1), whoever you are, you can access registry. Also you can change configuration easily, you can even set the autostart entry in registry to call your malware.
- Extensions – Most worms used other extension to camouflage. For example, a worm might disguise itself as Word Document program, using the same icon as the Microsoft Word. User can be fooled by this appearance. Also, the extension itself is registered to registry. Windows will look registry and call the appropriate program for this extension.
Now let’s compare it to Linux.
- API – Linux also has API for some operations. But, the operation is guaranteed always complies with Access Control. You can do what you are given. Linux/Unix access control is often called as Discretionary Access Control and it is enforced in the kernel itself. You cannot do something which you are not privileged to.
- Access Control – The Discretionary Access Control used by Linux/Unix is describing read/write/execute access to resource (file, directory, nodes, etc). This strict rule is integrated to kernel. Also, as a Linux/Unix user you are always inform to follow Least Privilege principle. Least Privilege principle means any operation you do should be done as low privilege as possible, you might request more privilege if the previous privilege is not sufficient but you should not always use super user privilege. Often some Linux distribution limit yourself from using root access.
- Multiuser Design – Linux is multiuser and multitasking. However, Linux make clear separation of each users. Linux have term users and groups to separate system power. On every Linux/Unix system you have a superuser account (root) and you are obligated to create your own user account. Most distribution will enforce you to create and use your own user account. This account however is different with root so you are guaranteed to not harm your system by accident, unless you are doing so.
- Device Access – be a network interface, printer, scanner, or any device connected all are managed by kernel by udev or similar mechanism. And the good news is any node has specific privilege.
- Registry System – what is registry? Linux/Unix doesn’t know that. To configure a system globally, one should modify config files and most of them stored in privileged directory. Unless you are root or given access to it, you are powerless.
- Extensions – Linux recognize file not by extension but by their header. Every file format has header and something we called magic words to distinguish the format and other formats. Even if the extensions are changed, Linux/Unix can know what it is and still give you correct information.
Apart from above comparison, there is one thing extra you should know! Windows executable is using PE (Portable Execution) format while executable format in Linux is ELF (Executable and Linkable Format). So you cannot run Windows program natively, in case you don’t know 🙂linux, security, windows