EXPLAIN: What’s Up With this Linux Virus in the News Today?
November 8, 2005 by Jon
Filed under Explanation
ZDNet is reporting a Linux virus this morning. Since there are so few Linux viruses out there in the wild, I immediately get suspicious when I hear of one. I investigated this virus and here are my thoughts on it:
First off, while everyone is indeed calling this a Linux virus, I must disagree.
The vulnerabilities that this virus attacks actually belong to three scripts, not the OS itself. Therefore, I really wouldn’t call this a Linux virus. That’s like calling a vulnerability in MS Word or Windows Skype a Windows virus. That’s just not correct.
This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts.
It’s the scripts, not the OS.
I think people are calling it a Linux virus because these three scripts primarily run on Linux machines; however, I’m pretty sure the AWStats plugin is a WordPress plugin and will therefore run on IIS if the WordPress installation it is plugged into is running on IIS. That’s just speculation on my part, though.
Edit: As James points out in the comments section below, AWStats is not a WP plugin. Thanks, James!
There are many things inherent in GNU/Linux that make it very difficult for a virus to function, which is the main reason why there are virtually no GNU/Linux viruses out there. However, as the OS gains popularity, more people are going to start focussing on it and I expect we’ll see more viruses pop up. They won’t be nearly as destructive as Windows viruses, though.
This incident did remind me to create an entry on exactly why it’s so hard to infect a GNU/Linux machine with a virus. I’m on it….
Edit: I did a show with Mark Rais from Really Linux on GNU/Linux viruses and security. If you’re interested, you can get it here.

AWStats isn’t a WordPress plugin, it’s a website statistics package that generates its stats by reading the raw Apache log.
Hi James,
Yeah…crap! Someone clarified this for me on another mailing list that I’m on. I meant to come back here and fix up this entry, but I just plain old forgot.
Me fix now.
Thanks for reminding me!
J