Malware and Antivirus Systems for Linux

Discussion in 'Linux Security' started by DevynCJohnson, Aug 19, 2013.

Poll: Have you ever had or suspected malware to be on your Linux system?

  1. Yes, I had malware. (10.5%)
  2. I suspected malware, but I never proved it. (5.3%)
  3. Never (84.2%)
  1. DevynCJohnson (Super Moderator, Staff Writer)
    All computer systems can suffer from malware and viruses, including Linux. Thankfully, very few viruses exist for Linux, so users typically do not install antivirus software. It is still recommended that Linux users have antivirus software installed on Linux systems that are on a network or that have files being transferred to the device. Some users may argue that antivirus software uses up too many resources. Thankfully, low-footprint software exists for Linux. To better understand antivirus programs, it may be beneficial to understand malware itself.

    Types of Malware:

    Malware - Simply put, malware is "bad" software. Malware includes any software that harms a system, data, or processes/applications. Many of the malware categories overlap, like trojans and spyware.


    Trojan - In a simple summary, trojans hide in applications to get into a user's system, or they act as a program themselves. This malware does not replicate. For illustration, a hacker could make a password manager that will supposedly store the user's passwords and enter them for the user. Instead of storing the data, the username, site, and password combinations are sent to the trojan maker - this would be a spyware trojan. Additionally, the hacker can hack a real application that handles sensitive data. The data would then be sent to the hacker. Trojans not only take private data, but they may also sneak in ads or destroy the system.

    Spyware - This malware gathers a user's private data (financial info, passwords, usernames, etc.) and sends it to the spyware maker or another entity that will use the information. Spyware can be trojans, and some trojans can be spyware.

    Adware - Software that displays ads is considered adware. Not all adware is bad. For instance, Flashget is a freeware Windows application that is adware. The program is safe to use. The ads just fund the development of Flashget. Because most Linux developers make applications open-source, not very many Linux adware programs can be found.

    Worms - A computer worm is a replicating program that spreads to other computers. Most rely on networks for transportation. Many readers may ask "What is the difference between a virus and a worm?". Simple: viruses attach to programs and worms are standalone software. Viruses come on programs that users download, and worms break in through the network. As a general rule, if a user brought it into the system, then it is a virus; if the malware got in without user intervention, then it is a worm.

    Viruses - Computer viruses are replicating code that spread by hiding inside of infected applications and installers.

    Zombies - Computer zombies are computers that are controlled by a malicious hacker, trojan, or computer virus to complete malicious tasks.

    Riskware - Software with unintended malicious potential. These applications can be used by malware to cause a lot of damage. Because this software is not malware but can be dangerous, it is called riskware.

    Scareware - Malware that scares users into downloading malicious software or paying money for the fix is scareware. For illustration, scareware may pop up a message that says something like "Your data will be deleted unless you pay $100." Scareware may also come in the form of a free virus scan over the Internet. This virus scan does not scan the system, but pretends to do so. The scanner will say it found a virus. The scanner then asks the user to pay money to have the virus removed. In summary, scareware scares computer users into paying money or installing malware to protect themselves against a nonexistent threat.

    Ransomware - Ransomware is similar to scareware. Ransomware locks the computer and files and will not lift the restrictions until the user pays a ransom. Ransomware really locks the system while scareware bluffs.


    If a user is unsure if an application is malware, then they can scan the software for viruses and sandbox the program. Sandboxing is a security mechanism where the sandboxed application is being executed with restricted resources. Malware cannot harm the system because the restrictions keep the malicious code from completing its tasks or executing at all. If the system detects that the application running in the sandbox is trying to perform malicious tasks, then the user or security system can delete the program.


    Antivirus Software/Virus Scanners:


    Virus scanners are security applications that search the system for malware. The scanners look for certain patterns of code or specific characteristics of malware. Depending on the threat potential, virus scanner, and settings, the malware may be deleted instantly or the user will be asked what to do with the malicious software.

    ClamAV - The most popular Linux antivirus software is ClamAV. ClamAV is a command-line antivirus program with a small resource footprint. This software is completely free and open-source under the GPL license. The updates are also free. ClamAV's web address is clamav.net. Users can go to the site for downloads to install the software, or they can type the following command:

    Code:
    sudo apt-get install clamav clamav-daemon clamav-freshclam
    ClamAV's definitions are updated via freshclam. Type "sudo freshclam" to update the virus scanner's definitions.

    ClamTK - ClamTK is a free frontend for ClamAV. ClamTK is licensed under the GPL license. ClamTK passes parameters to ClamAV, but ClamTK does not perform the scan or any other task itself. To install ClamTK, go to clamtk.sourceforge.net and download the software or type the command below:

    Code:
    sudo apt-get install clamtk
    Avast - Avast is a freemium antivirus software. Avast is not open-source and uses up resources like RAM. Many users feel that Avast offers more protection than ClamAV. The paid version of Avast offers numerous features that ClamAV lacks. For instance, Avast can sandbox applications. To obtain Avast, visit avast.com and download the application.

    AVG - Anti-Virus Guard is a proprietary virus scanner that can be downloaded from free.avg.com/us-en/download.prd-alf.

    Comodo - Comodo is a proprietary scanner that can be downloaded from comodo.com/home/internet-security/antivirus-for-linux.php.

    Kaspersky - Kaspersky is a proprietary scanner that can be found on this link - kaspersky.com/product-updates/linux-file-server-antivirus.


    Protecting and Repairing:

    The best way to protect a system against viruses is to only download and install software from trusted sites and developers. For example, get programs from your distro's official repository before using a program obtained from some third party site.

    There are two ways to remove malware. The first method uses a virus scanner to find and remove the malware. The second way is to manually delete the executables that are known to be the culprits.

    To repair damaged executables, reinstall the infected or damaged software. For example, if a virus infected a Firefox executable, then re-download and install Firefox.

    Also, when protecting yourself against malware, it is important to know that malware can only be in an executable or be the executable itself. For instance, PNG, MP3, and FLV files cannot be viruses. An application simply opens the files for the user to see or listen to. In addition, remember that most screensavers are executables, so malware may hide in screensavers.


    Even though Linux has very few viruses, all computers and servers should have some form of protection against malware. Knowing how malware works and how to protect computers will aid in protecting many systems.

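As an added example (not code from the original post, nor from the ClamAV project): a small POSIX shell helper file that wraps the on-demand workflow described above on Debian/Ubuntu. It writes the standard 68-byte EICAR test string so you can confirm that definitions are loaded and the scanner actually fires, runs clamscan with quarantine rather than deletion, and, for the "reinstall the damaged software" step, picks out files whose md5 no longer matches their installed package from `dpkg --verify` output. The quarantine path, the function names and the sample verify lines are assumptions.

```shell
#!/bin/sh
# Added example: ClamAV on-demand scan helpers for Debian/Ubuntu.
# Requires: apt-get install clamav clamav-freshclam  (and a `sudo freshclam`
# before the first scan so that the signature database is present).

# The 68-byte EICAR test string. It is harmless; every scanner flags it.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# make_eicar_file PATH: write the test string (no trailing newline) to PATH.
make_eicar_file() {
    printf '%s' "$EICAR" > "$1"
}

# scan_dir DIR QUARANTINE: recursive on-demand scan. Hits are moved to the
# quarantine directory rather than deleted, so a false positive (common in
# old archives) can be restored. clamscan exit codes: 0 clean, 1 hits, 2 error.
scan_dir() {
    dir=$1
    quarantine=$2
    mkdir -p "$quarantine"
    clamscan -r --infected \
        --exclude-dir='^/(proc|sys|dev)' \
        --move="$quarantine" \
        --log="$quarantine/clamscan.log" \
        "$dir"
    rc=$?
    case $rc in
        0) echo "clean: $dir" ;;
        1) echo "hits moved to $quarantine (see clamscan.log)" ;;
        *) echo "clamscan error, rc=$rc" >&2 ;;
    esac
    return $rc
}

# self_test QUARANTINE: scan a directory holding only the EICAR file and
# expect exit code 1. Anything else means definitions are missing or stale.
self_test() {
    tmp=$(mktemp -d)
    make_eicar_file "$tmp/eicar.com"
    rc=0
    scan_dir "$tmp" "$1" || rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 1 ] && echo "self-test passed" && return 0
    echo "self-test FAILED (rc=$rc): EICAR not detected; run freshclam" >&2
    return 1
}

# modified_files: read `dpkg --verify` (or `rpm -Va`) output on stdin and
# print the paths whose md5 no longer matches the package ('5' in the flag
# field). These are the reinstall candidates. Paths with spaces are not handled.
modified_files() {
    awk 'index($1, "5") { print $NF }'
}

# reinstall_owners: reinstall the Debian package owning each path on stdin.
# Usage:  sudo dpkg --verify | modified_files | reinstall_owners
reinstall_owners() {
    while IFS= read -r path; do
        pkg=$(dpkg -S "$path" | cut -d: -f1)
        [ -n "$pkg" ] && sudo apt-get install --reinstall "$pkg"
    done
}
```

Run `self_test /var/quarantine` (any writable directory) right after `sudo freshclam`; a clean result there means the scanner is not seeing the test file, not that your system is clean. The verify step only catches tampering with files that came from a package; anything dropped outside the package database has to be found by the scan or by hand.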
  2. ryanvade (Administrator, Staff Writer)
    Only go to trusted sites, check the source code before compiling, and keep your firewall on. I am one of those users who doesn't like wasting resources on active system scanning. I do keep a copy of ClamTK installed for emergencies, but I have never had to use it. I have been using Linux since 2008, no viruses yet. :)
  3. DevynCJohnson (Super Moderator, Staff Writer)
    Thanks for sharing some tips Ryanvade!
    I never had Linux malware either. However, a Windows system I once had caught two viruses (one virus each instance).
  4. Rootkit (New Member)
    Please don't forget about Bitdefender. They have debs and rpms available for 32-bit and 64-bit. A note on Comodo: you must use Ubuntu 12.04 LTS in order to enable the kernel-specific driver. Thanks!
  5. DevynCJohnson (Super Moderator, Staff Writer)
    Thanks Rootkit for the information!
  6. Ludd1t3 (New Member)
    Great, informative article; thanks!

    Know of any tests of Clam, AVG, etc. to catch any of the bugaboos targeted to Linux machines?

    E.g., I read this unflattering review of Clam:
    http://www.pcworld.com/article/231520/clamwin_free_antivirus.html
    but it's just concerning its ability to help Windows--not the *nixes, *unbuntus, Gn*s, Mints, hats, etc. we love and respect.
  7. ryanvade (Administrator, Staff Writer)
    You will need to make a file that looks like, and might act like, a virus. A "false positive", but one that you intended to happen.
  8. DevynCJohnson (Super Moderator, Staff Writer)
    ClamAV has test files that can be installed. On Debian-based systems, type "sudo apt-get install clamav-testfiles". These files are made to appear as viruses. They cannot harm your system. AVG should also recognize these files as viruses.
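As an added example, not code from the thread or from the ClamAV project, here is a toy signature scanner that shows what the "patterns of code" a virus scanner looks for (first post) and the harmless test files discussed here actually are. It reads two constructed signature lines written in the layout of ClamAV's .hdb (md5:size:name) and .ndb (name:target:offset:hexsig) databases, but it implements only a small subset (target type 0, offset `*` or a number, `??` single-byte wildcards) and is not a substitute for ClamAV or its own test files. The sample files it scans are constructed in a temporary directory; the EICAR string and its well-known MD5 are real, the signature names are assumptions.

```python
"""Added example: a toy signature scanner in the style of ClamAV's .hdb/.ndb
databases. Not ClamAV; it supports only md5 signatures, literal hex patterns
with ?? wildcards, target type 0, and offset * or an absolute byte offset."""
import hashlib
import os
import re
import tempfile

# The 68-byte EICAR test string: the industry-standard harmless "virus".
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed signature database (two lines, not ClamAV's real daily.cvd).
# .hdb layout: md5:filesize:name      .ndb layout: name:target:offset:hexsig
# The hex pattern is "EICAR-STANDARD-ANTIVIRUS" with two bytes wildcarded.
HDB_LINES = ["44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature"]
NDB_LINES = ["Eicar-Test-Pattern:0:*:45494341522d5354414e44??5244??414e54495649525553"]


def parse_hdb(lines):
    """md5:size:name -> {(md5, size): name}; size '*' means any size."""
    sigs = {}
    for line in lines:
        md5, size, name = line.strip().split(":")
        sigs[(md5.lower(), None if size == "*" else int(size))] = name
    return sigs


def hex_to_regex(hexsig):
    """Compile a hex signature to a bytes regex; '??' matches any one byte."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex signature")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(lines):
    """name:target:offset:hexsig -> [(name, offset, regex)]; target 0 only."""
    sigs = []
    for line in lines:
        name, target, offset, hexsig = line.strip().split(":")[:4]
        if target != "0":
            raise ValueError(f"{name}: only target type 0 (any file) is supported")
        sigs.append((name, offset, hex_to_regex(hexsig)))
    return sigs


def scan_bytes(data, hdb, ndb):
    """Return the names of every signature that matches data (hash hits first)."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    for key in ((digest, len(data)), (digest, None)):
        if key in hdb:
            hits.append(hdb[key])
    for name, offset, rx in ndb:
        found = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if found:
            hits.append(name)
    return hits


def scan_tree(root, hdb, ndb):
    """Walk root; map each file with at least one hit to its list of hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for fn in names:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(), hdb, ndb)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Scan three constructed files; returns {relative path: [hit names]}."""
    hdb, ndb = parse_hdb(HDB_LINES), parse_ndb(NDB_LINES)
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "eicar.com": EICAR,                       # exact: both signatures
            "eicar_with_newline.com": EICAR + b"\n",  # hash/size miss, pattern hit
            "clean.txt": b"nothing to see here\n",    # no hits
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root, hdb, ndb)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

The second sample file is the point of the demo: one appended byte changes both the md5 and the size, so the hash signature goes silent while the pattern signature still fires. That brittleness is why hash-only databases are cheap to evade and why real scanners layer pattern, heuristic and unpacking logic on top; a scanner that misses this file is producing the false negative the next post asks about.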
  9. Ludd1t3 (New Member)
    Excellent. Thank you both for the great ideas!

    Finding false positives is useful. Indeed, Clam does on my system (esp. among the archived legacy files), and I don't mind the extra thoroughness.

    But I think tests for false negatives (the misses) are the ones I'm more interested in.

    Still--like you both said--my use of anti-malware under GNU/Linux OSs is more like lining a helmet with tin foil: Good practices and strong, open source codes are my real defenses.

    Cheers!
  10. kittencatlover (New Member)
    I just got the FBI virus on my computer last night. I haven't had a chance to use ClamAV. Should ClamAV find and take care of this virus?
  11. ryanvade (Administrator, Staff Writer)
    Use BleachBit: https://www.ultimateeditionoz.com/forum/viewtopic.php?f=365&t=5447&p=43548&hilit=FBI#p43513
    Basically, remove all of your browser's cookies, configuration files, and settings files. BleachBit can do that for you.

    P.S. This is not a VIRUS. It is Ransomware:
    http://en.wikipedia.org/wiki/Ransomware_(malware)

    It is OS independent; it affects the browser, not the system. It affects Windows and OS X users just as much as Linux and FreeBSD users.
  12. kittencatlover (New Member)

    If I may ask - how do I activate or download BleachBit?
  13. ryanvade (Administrator, Staff Writer)
    Sorry...
    It can be installed with most package managers. Or you can get it from here:
    http://bleachbit.sourceforge.net/download/linux

    Once it is installed, a menu item should be available to start it.

  14. timothy cribb (New Member)
    I plan to get Linux, but unrelatedly I have to say that's a very clever reference in the picture, lol XD. I don't think most of the people that see this forum would get it. The kimpatchi reference is flawless, hands down.
  15. DevynCJohnson (Super Moderator, Staff Writer)
    Thanks for the comment on my slide!
  16. Cristal Skull (Member)
    Devyn, before the antivirus installation, for real-time protection (on-access file scanning), the dazuko module (from ClamAV) or redirFS (for Comodo or AVG) must be compiled! In this case, kernel-devel, kernel-headers and kernel-source are required :)
  17. DevynCJohnson (Super Moderator, Staff Writer)
    How are you installing ClamAV?
  18. Cristal Skull (Member)
  19. omega5081 (New Member)
    Isn't the entire Ubuntu operating system adware?
  20. ryanvade (Administrator, Staff Writer)
    No. Ubuntu is a Linux distribution based on Debian, developed by Canonical. Richard Stallman, the creator of GNU and the Free Software Foundation, has said Ubuntu is spyware because of the Amazon search feature in Ubuntu's Unity search. However, with recent Ubuntu releases, the option to turn off the Amazon search along with the "anonymization" of search data has shown Canonical is willing to help keep users' data private.

    It is up to interpretation, however. But most users agree that saying Ubuntu is spyware is too extreme. Personally, since Unity by default does not use Amazon in searches (in the 14.04 development branch), I no longer have any issues with Unity. As long as searching Amazon is an OPTION, I am okay with it.
