Just in case you Windows users don't have enough to worry about ... there is this article:
http://www.bbc.com/news/technology-28701124
Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge.
The duo said there is no practical way to defend against the vulnerability.
...
"Basically, you can never trust anything anymore after plugging in a USB stick."
...
However, this latest research demonstrated a new level of threat - where a USB device that appears completely empty can still contain malware, even when formatted.
That is because many manufacturers, according to Microsoft's specifications, include a separate partition on each USB stick where "security" and reformatting software is stored, much like the phantom drive on most computers that come with Windows pre-installed. While one can reformat or even remove the phantom partition on a computer hard drive, the "security" partition on a USB stick is immutable. One can delete its visible contents but not the hidden contents, and one can not remove the partition, or even rename it.
What you are witnessing is a demonstration of the differences between the Windows and Linux paradigms for software execution. Windows is designed to run any program that can be moved into memory from any source, as if it were an executable (*.bat or *.exe or DOS command) called directly from the hard drive or USB stick. Hence, when an email contains an attachment which is an executable Visual Basic program or Java applet, the attachment is seen to contain a .bat or .exe extension, and a dynamically linked library (a.k.a. *.dll) given the marketing name of "ActiveX" will execute that attachment. What is really tricky is the way Microsoft wrote Windows so that an attachment can have multiple extensions. Your email client receives an email with an attachment named "nakedpic.jpg.exe". The Windows email client (and Explorer as well) shows it to you as "nakedpic.jpg", but the ActiveX control only sees the ".exe", identifies it as an executable, and immediately executes it.
Compare that to Linux.
In Linux EVERYTHING is a file ... applications or programs, ports, sockets, everything ... and they must exist and reside on the hard drive.
An executable file in Linux is one which meets the following conditions:
1) It resides as a file on the hard drive.
2) It is an ELF binary (ELF=Executable Linux File) OR a shell script of executable shell commands with "#!/bin/sh" as the first line. Or a java applet.
AND
3) Your account's execute permission bit for it is set.
Only if all of these conditions are met will an executable binary, shell script or java applet run on Linux.
(An aside: Apple Macs, like Linux, are also a Unix derivative operating system, but they have relaxed the security controls somewhat. Regardless, I'd run a Mac before I'd run Windows.)
So, as a Linux user, if you were to get an email with a malware attachment, the ONLY way it could run on your Linux system was if YOU detached and saved the attachment to the hard drive. THEN you marked the execution bit. THEN you gave a shell command to run it.
This is why Linux is not susceptible to email attachments. About the only reason Linux users run email virus scanners is IF they happen to forward one on to a Windows-using friend. A friend doesn't send malware to another friend.
Why won't the invisible malware on the USB stick activate when plugged into a Linux system? After all, it is a file on the "hard drive", i.e., the USB stick. Well, even IF it were an ELF or proper bash script, it would have to have its permission bit for MY account set. And, I'd have to know its secret name and location and deliberately set its permission bit and then deliberately give a shell command to run it. On Linux it won't run itself; there are no "ActiveX" dll's residing in memory just waiting to see an executable anywhere (memory, HD, USB, Eth0, Lpr, socket, etc...) so it can execute it. This is why Windows has millions of malware programs released against it each year. It is SO vulnerable. And, to maintain backwards compatibility with pre-existing applications, it must remain so. IF you run Windows then hopefully the time gap between when a particular piece of malware is released and when it is discovered, announced and patched is short enough that you don't fall victim. More often than not that time gap is months or years because Microsoft has threatened software security houses with crippling or destroying lawsuits IF they find a security hole and announce it to the public BEFORE Microsoft does. So, most security houses send the bugs they find to Microsoft. Microsoft decides IF they will fix the security hole or program bug AND when. If past performance is any indication it all depends on their bottom line.
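As an added example (not from the original post or the BBC article), here is a small shell function that applies the three conditions listed above for a file to run on Linux, reporting which one fails first, and exercises it on a few constructed sample files; the function name linux_exec_check and the scratch files are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. linux_exec_check applies the three
# conditions listed earlier (regular file on disk, ELF or "#!" script, execute
# bit set for the calling account) and reports which condition fails first.
# The function name and the constructed sample files are this example's own.

linux_exec_check() {
    f="$1"
    # 1) must exist as a regular file (a directory, socket or missing path fails)
    [ -f "$f" ] || { echo "no: not a regular file"; return 1; }
    # 2) must start with the ELF magic (7f 45 4c 46) or a "#!" interpreter line
    magic=$(head -c 4 "$f" | od -A n -t x1 | tr -d ' \n')
    shebang=$(head -c 2 "$f")
    if [ "$magic" != "7f454c46" ] && [ "$shebang" != "#!" ]; then
        echo "no: neither ELF nor #! script"; return 1
    fi
    # 3) the execute bit must be set for this account; on a removable drive
    #    mounted with the noexec option the kernel refuses execution even then
    [ -x "$f" ] || { echo "no: execute bit not set"; return 1; }
    echo "yes"
}

# Constructed sample files in a scratch directory (not a real USB stick)
demo_dir=$(mktemp -d)
printf 'just some notes\n' > "$demo_dir/notes.txt"          # plain data file
printf '#!/bin/sh\necho hello\n' > "$demo_dir/script.sh"    # script, no +x yet
printf '\177ELF' > "$demo_dir/fake.elf"                     # ELF magic bytes only

for name in notes.txt script.sh fake.elf; do
    echo "$name: $(linux_exec_check "$demo_dir/$name")"
done
chmod u+x "$demo_dir/script.sh"
echo "script.sh after chmod u+x: $(linux_exec_check "$demo_dir/script.sh")"
```

The check only covers files on a mounted filesystem; it says nothing about what the stick's own controller presents to the host, which is where the research quoted above operates.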
I often hear Windows fans proclaim that IF Linux were as popular as Windows it would have just as many malware programs released against it as Windows does. Time has proven that belief wrong. Linux now holds about 12 to 18% market share in the US, depending on who you believe. In 2008 Steve Ballmer himself presented a graph at that time showing that Linux held 10% market share in the US. With the advent of VISTA and Win8 many, many Windows users have migrated to Linux or Mac, and the Linux market share is much higher in many other countries. Two million Windows malware applications are released per year. If popularity were the rule, it would mean that at least 200,000 Linux malware programs were released last year. None have been found. The AV houses, always willing to sell Linux AV software, have taken to a dishonest tactic -- they began including the word "linux" in many of their jpg viruses just to give the impression that AV software is sorely needed in Linux. It is not. I've been using Linux since May of 1998 and I haven't used AV software. Linux has no "ActiveX" dll's which automatically execute programs.
The best way to destroy the security paradigm of Linux is to pile a lot of globally permitted Java applets on top of it, mimic ActiveX, and call it Android.