Malware and Antivirus Systems for Linux

Discussion in 'Linux Security' started by DevynCJohnson, Aug 19, 2013.


Have you ever had or suspected malware to be on your Linux system?

  1. Yes, I had malware.

    12.5%
  2. I suspected malware, but I never proved it.

    12.5%
  3. Never

    75.0%
  1. DevynCJohnson

    DevynCJohnson Well-Known Member Staff Member Staff Writer

    All computer systems can suffer from malware and viruses, including Linux. Thankfully, very few viruses exist for Linux, so users typically do not install antivirus software. It is still recommended that Linux users have antivirus software installed on Linux systems that are on a network or that have files being transferred to the device. Some users may argue that antivirus software uses up too many resources. Thankfully, low-footprint software exists for Linux. To better understand antivirus programs, it may be beneficial to understand malware itself.

    NOTE: I am not suggesting that people should not use antivirus software. True, malware for Linux exists, but is rare. It is up to the user to decide if they need antivirus software. Personally, I recommend antivirus software for servers and important and business computer systems. For private computers, it is up to the user to determine if they want antivirus software.

    Types of Malware:

    Malware - Simply, malware is "bad" software. Malware includes any software that harms a system, data, or processes/applications. Many of the malware categories overlap, like trojans and spyware.

    Trojan - In a simple summary, trojans hide in applications to get into a user's system or they act as a program themselves. This malware does not replicate. For illustration, a hacker could make a password manager that will supposedly store the user's passwords and enter them in for the user. Instead, the username, site, and password combinations are sent to the trojan maker instead of storing the data - this would be a spyware trojan. Additionally, the hacker can hack a real application that handles sensitive data. The data would then be sent to the hacker. Trojans not only take private data, but they may sneak in ads or destroy the system.


    Spyware - This malware gathers a user's private data (financial info, passwords, usernames, etc.) and sends it to the spyware maker or other entity that will use the information. Spyware can be trojans and some trojans can be spyware.

    Adware - Software that displays ads is considered adware. Not all adware is bad. For instance, Flashget is a freeware Windows application that is adware. The program is safe to use. The ads just fund the development of Flashget. Because most Linux developers make applications open-source, not very many Linux adware programs can be found.

    Worms - A computer worm is a replicating program that spreads to other computers. Most rely on networks for transportation. Many readers may ask "What is the difference between a virus and a worm?". Simply put, viruses attach to programs and worms are standalone software. Viruses come on programs that users download and worms break in through the network. As a general rule, if a user brought it into the system, then it is a virus; if the malware got in without user intervention, then it is a worm.

    Viruses - Computer viruses are replicating code that spread by hiding inside of infected applications and installers.

    Zombies - Computer zombies are computers that are controlled by a malicious hacker, trojan, or computer virus to complete malicious tasks.

    Riskware - Software with unintended malicious potential. These applications can be used by malware to cause a lot of damage. Because this software is not malware but can be dangerous, it is called riskware.

    Scareware - Malware that scares users into downloading malicious software or paying money for the fix is scareware. For illustration, scareware may pop up a message that says something like "Your data will be deleted unless you pay $100.". Scareware may also come in the form of a free virus scan over the Internet. This virus scan does not scan the system, but pretends to do so. The scanner will say it found a virus. The scanner then asks the user to pay money to have the virus removed. In summary, scareware scares computer users into paying money or installing malware to protect themselves against a nonexistent threat.

    Ransomware - Ransomware is similar to scareware. Ransomware locks the computer and files and will not lift the restrictions until the user pays a ransom. Ransomware really locks the system while scareware bluffs.

    Proto-Virus - Some malware is simply annoying. Malware developers might make a computer virus as a prank to bother people. Such malware does not cause damage. A well-known example is the Cookie Monster virus (http://en.wikipedia.org/wiki/Cookie_Monster_(computer_program)) that simply makes messages saying it wants a cookie.


    Antivirus Software/Virus Scanners:

    Virus scanners are security applications that search the system for malware. The scanners look for certain patterns of code or specific characteristics of malware. Depending on the threat potential, virus scanner, and settings, the malware may be deleted instantly or the user will be asked what to do with the malicious software.

    NOTE: I do not support or promote any particular antivirus software. I am listing the ones seen below so readers are aware of many popular antivirus programs for Linux.

    ClamAV - The most popular Linux antivirus software is ClamAV. ClamAV is a command-line antivirus program with a small resource footprint. This software is completely free and open-source under the GPL license. The updates are also free. ClamAV's web-address is clamav.net. Users can go to the site for downloads to install the software or they can type the following commands (with Root privileges) to install and run ClamAV:

    Code:
    apt-get install clamav clamav-daemon clamav-freshclam clamav-unofficial-sigs && freshclam && service clamav-daemon start
    
    ClamAV's definitions are updated via freshclam. Type "sudo freshclam" every so often to update the virus scanner's definitions.

    ClamTK - ClamTK is a free frontend (GUI) for ClamAV. ClamTK is licensed under the GPL license. ClamTK passes parameters to ClamAV, but ClamTK does not perform the scan or any other task itself. To install ClamTK, go to clamtk.sourceforge.net and download the software or type the command below:

    Code:
    sudo apt-get install clamtk

    Avast - Avast is a freemium antivirus software. Avast is not open-source and uses up resources like RAM. Many users feel that Avast offers more protection than ClamAV. The paid version of Avast offers numerous features that ClamAV lacks. For instance, Avast can sandbox applications. To obtain Avast, visit avast.com and download the application.

    AVG - Anti-Virus Guard is a proprietary virus scanner that can be downloaded from free.avg.com/us-en/download.prd-alf.

    Comodo - Comodo is a proprietary scanner that can be downloaded from comodo.com/home/internet-security/antivirus-for-linux.php.

    Kaspersky - Kaspersky is a proprietary scanner that can be found on this link - kaspersky.com/product-updates/linux-file-server-antivirus.


    Protecting and Repairing:

    The best way to protect a system against viruses is to only download and install software from trusted sites and developers. For example, get programs from your distro's official repository before using a program obtained from some third party site.

    There are two ways to remove malware. The first method includes using a virus scanner to remove the malware. Depending on the antivirus software and the type of malware, some antivirus scanners can repair the infected file. Thus, the file does not need to be deleted. The second way is to manually delete the files that are known to be the culprits.

    To repair damaged executables, reinstall the infected or damaged software. For example, if a virus infected a Firefox executable, then re-download and install Firefox. After doing so, the user should probably reinstall various system executables and files like Grub and the Linux kernel.

    If a user is unsure if an application is malware, then they can scan the software for viruses and sandbox the program. Sandboxing is a security mechanism where the sandboxed application is being executed with restricted resources. Malware cannot harm the system because the restrictions keep the malicious code from completing its tasks or executing at all. If the system detects that the application running in the sandbox is trying to perform malicious tasks, then the user or security system can delete the program. Some antivirus software supports sandboxing. If not, a sandboxing application can be installed.

    Linux Security Modules (LSMs) can help prevent malware from damaging the system too severely if malicious code does find its way into your computer. More about these Linux Security Modules can be found in this article (http://www.linux.org/threads/the-linux-kernel-security.4223/). Some examples of LSMs include SELinux and AppArmor.

    Keeping security patches up-to-date and using a properly configured firewall can help reduce the chances of getting malware. Installing browser add-ons that prevent users from going to malware sites can provide additional protection. Also, never use Root privileges unless it is needed. The frequent use of Root privileges increases the chance that malware on your system can gain such privileges. This could happen if a user executes or installs malware or infected files.


    Knowledge is Power:

    When protecting yourself against malware, it is important to know that malware is typically in an executable, or the malware is the executable itself. However, malware can exist in non-executable files. This is a fact many people tend to disregard (including myself at one point). For instance, *.doc files, text files, and FLV files could contain viruses, but how? Well, anyone that is familiar with macros in a word processor (like MS-Word or LibreOffice) is aware of the possibility of macro viruses. A macro virus is simply a virus written using macro code. As for viruses in text files, a user might download a program whose executable gets the code for the virus out of a text file that came with the malicious application. As for FLV, it is possible to make a Flash virus, so the Flash player would execute the malicious code that is in the Flash video file. Another fact to remember: most screensavers are executables, so malware may hide in screensavers.

    Some malware might infect your system by sneaking in through an open network connection or hijacking an active connection. This is one reason why some server admins configure unused ports to be closed.



    Even though Linux has very few viruses, all computers and servers should have some form of protection against malware. Knowing how malware works and how to protect computers will aid in protecting many systems. Also, keep in mind that crackers (bad hackers) may find clever ways of designing and releasing malware, so be careful.


    Last edited: Jul 28, 2014
    Rob and ryanvade like this.
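The "Protecting and Repairing" section of the post above says to reinstall any executable a virus has touched; the practical question is how you notice that a binary changed in the first place. The script below is an added example, not code from the original post: it records a SHA-256 baseline of executables while the system is known good, re-verifies it later, and reports exactly which files to reinstall. The directory layout, the three fake "binaries" and the appended payload are constructed for the demo. On a real system the package manager already ships such a baseline for its own files (debsums -c on Debian/Ubuntu, rpm -Va on RPM distros), and dpkg -S /path/to/file names the package to reinstall with apt-get install --reinstall; those commands are real tools mentioned here as an addition, not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Checksum baseline for executables: record hashes while the system is known
# good, re-verify later, reinstall only what changed. Package managers keep
# such a manifest for their own files (debsums -c, rpm -Va); this covers the
# rest, e.g. /usr/local/bin or a web root.
set -u

# make_baseline DIR OUT: one "sha256  path" line per regular file under DIR,
# in a fixed order so two baselines can be diffed.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# verify_baseline BASELINE: print one line per missing or modified file.
# Returns 1 if anything changed, 0 if every file still matches.
verify_baseline() {
    changed=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            changed=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
            changed=1
        fi
    done < "$1"
    return "$changed"
}

# demo_integrity: constructed scenario. Three fake "binaries" are baselined;
# then one gets a payload appended (what a file infector does) and one is
# deleted. Prints the verifier's findings, with paths relative to the temp dir.
demo_integrity() {
    d=$(mktemp -d)
    (
        cd "$d" || exit 1
        mkdir bin
        printf '#!/bin/sh\necho firefox\n' > bin/firefox
        printf '#!/bin/sh\necho grub\n' > bin/grub-install
        printf '#!/bin/sh\necho ls\n' > bin/ls
        make_baseline bin baseline.sha256
        printf 'echo appended-payload\n' >> bin/firefox   # the "infection"
        rm bin/ls                                        # a removed file
        verify_baseline baseline.sha256 || :             # findings only
    )
    rm -rf "$d"
}

# Stand-alone run. Expected: a MODIFIED line for bin/firefox, a MISSING line
# for bin/ls, nothing for the untouched bin/grub-install.
demo_integrity
```

Two caveats a practitioner will want: malware running as Root can rewrite the baseline as easily as the binaries, so keep the baseline file on read-only media or compare from a rescue boot, and a hash check only catches files that existed at baseline time, not a new cron entry, a changed config file or a dropped executable in /tmp. It complements the package manager's verification rather than replacing it.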
  2. ryanvade

    ryanvade Administrator Staff Member Staff Writer

    Only go to trusted sites, check the source code before compiling, and keep your firewall on. I am one of those users who doesn't like wasting resources on active system scanning. I do keep a copy of ClamTK installed for emergencies, but I have never had to use it. I have been using Linux since 2008, no viruses yet. :)
    Rob and DevynCJohnson like this.
  3. DevynCJohnson

    DevynCJohnson Well-Known Member Staff Member Staff Writer

    Thanks for sharing some tips Ryanvade!
    I never had Linux malware either. However, a Windows system I once had caught two viruses (one virus each instance).
    ryanvade likes this.
  4. Rootkit

    Rootkit New Member

    Please don't forget about Bitdefender. They have debs and rpms available for 32bit and 64bit. A note on Comodo: you must use Ubuntu 12.04 LTS in order to enable kernel specific driver. Thanks!
    Rob, ryanvade and DevynCJohnson like this.
  5. DevynCJohnson

    DevynCJohnson Well-Known Member Staff Member Staff Writer

    Thanks Rootkit for the information!
  6. Ludd1t3

    Ludd1t3 New Member

    Great, informative article; thanks!

    Know of any tests of Clam, AVG, etc. to catch any of the bugaboos targeted to Linux machines?

    E.g., I read this unflattering review of Clam:
    http://www.pcworld.com/article/231520/clamwin_free_antivirus.html
    but it's just concerning its ability to help Windows--not the *nixes, *unbuntus, Gn*s, Mints, hats, etc. we love and respect.
    DevynCJohnson likes this.
  7. ryanvade

    ryanvade Administrator Staff Member Staff Writer

    You will need to make a file that looks like and might act like a virus. A "False Positive", but one that you intended on happening.
    DevynCJohnson likes this.
  8. DevynCJohnson

    DevynCJohnson Well-Known Member Staff Member Staff Writer

    ClamAV has test files that can be installed. On Debian-based systems, type "sudo apt-get install clamav-testfiles". These files are made to appear as viruses. They cannot harm your system. AVG should also recognize these files as viruses.
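An added example, not code from the thread, to go with the clamav-testfiles suggestion just above and the first post's description of how virus scanners match files against patterns. Besides the Debian test-file package, the standard way to check that a scanner is alive without touching real malware is the EICAR test string, a harmless 68-byte string that antivirus vendors detect by agreement; it is introduced here, not mentioned in the thread. The script writes that string to a file, runs a toy fixed-string signature matcher over it (the one-line database format and the signature name are made up for this example and are not ClamAV's), and includes a wrapper around the real clamscan, which exits 1 when it flags a file, for readers who have it installed.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# A toy signature scanner (fixed-string patterns, the simplest form of what
# a scanner database holds), an EICAR test file to exercise it, and a
# wrapper around the real clamscan.
set -u

# The EICAR test string, 68 bytes, kept in two halves so that this script is
# not itself flagged by on-access scanners; only the file written by
# make_eicar contains the whole string.
EICAR_HEAD='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
EICAR_TAIL='ANTIVIRUS-TEST-FILE!$H+H*'

# make_eicar PATH: write the test file (no trailing newline; the string is
# defined as exactly 68 bytes).
make_eicar() {
    printf '%s%s' "$EICAR_HEAD" "$EICAR_TAIL" > "$1"
}

# sig_scan SIGDB FILE: SIGDB holds one "name:literal-string" entry per line
# (a format made up for this example, not ClamAV's). Every entry is matched
# byte-for-byte with grep -F. Prints "FILE: name FOUND" per hit or "FILE: OK",
# and returns 1 on a hit, 0 if clean, 2 on read error, mirroring clamscan's
# exit codes.
sig_scan() {
    db=$1; f=$2; hit=0
    [ -r "$f" ] || { echo "$f: cannot read"; return 2; }
    while IFS=: read -r name pattern; do
        [ -n "$name" ] && [ -n "$pattern" ] || continue   # skip blank/bad lines
        if grep -qF -- "$pattern" "$f"; then
            echo "$f: $name FOUND"
            hit=1
        fi
    done < "$db"
    [ "$hit" -eq 0 ] && echo "$f: OK"
    return "$hit"
}

# clam_scan FILE: the real scanner, if installed (apt-get install clamav).
# clamscan exits 0 for clean, 1 for infected, 2 on error.
clam_scan() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; skipping"
        return 2
    fi
    clamscan --no-summary "$1"
}

# demo_scan: constructed files in a temp dir: the EICAR file, a plain text
# file, and a one-entry database. Prints the scan output and, on the last
# line, the two exit codes ("1 0": test file flagged, text file clean).
demo_scan() {
    d=$(mktemp -d)
    make_eicar "$d/eicar.com"
    printf 'meeting notes, nothing to see here\n' > "$d/notes.txt"
    printf 'Eicar-Test-Signature:EICAR-STANDARD-ANTIVIRUS-TEST-FILE\n' > "$d/sigs.db"
    r1=0; sig_scan "$d/sigs.db" "$d/eicar.com" || r1=$?
    r2=0; sig_scan "$d/sigs.db" "$d/notes.txt" || r2=$?
    rm -rf "$d"
    echo "$r1 $r2"
}

# Stand-alone run of the toy scanner. To check the real one, write the test
# file with make_eicar and pass it to clam_scan; exit status 1 is the pass.
demo_scan
```

The toy matcher also shows why a false-negative test, the kind Ludd1t3 asks about later in the thread, is the interesting one: a fixed-string match fails as soon as the same bytes are gzip-compressed, base64-encoded or tucked inside an archive, which is why ClamAV unpacks archives before matching and why real signatures go beyond literal strings. The EICAR string is harmless, but desktop on-access scanners and mail gateways may quarantine the file the moment it is written, so create it somewhere expendable.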
  9. Ludd1t3

    Ludd1t3 New Member

    Excellent. Thank you both for the great ideas!

    Finding false positives is useful. Indeed, Clam does on my system (esp. among the archived legacy files), and I don't mind the extra thoroughness.

    But I think tests for false negatives are the ones I'm more interested in.

    Still--like you both said--my use of anti-malware under GNU/Linux OSs is more like lining a helmet with tin foil: Good practices and strong, open source codes are my real defenses.

    Cheers!
    DevynCJohnson likes this.
  10. kittencatlover

    kittencatlover New Member

    I just got the FBI virus on my computer last night. haven't had a chance to use ClamAV. Should ClamAV find and take care of this virus?
    DevynCJohnson likes this.
  11. ryanvade

    ryanvade Administrator Staff Member Staff Writer

    Use Bleachbit.. https://www.ultimateeditionoz.com/forum/viewtopic.php?f=365&t=5447&p=43548&hilit=FBI#p43513
    Basically remove all of your browsers Cookies, configuration files, and settings files. Bleachbit can do that for you.

    P.S. This is not a VIRUS. It is Ransomware:
    http://en.wikipedia.org/wiki/Ransomware_(malware)

    It is OS independent; it affects the browser, not the system. It affects Windows and OS X users just as much as Linux and FreeBSD users.
    DevynCJohnson likes this.
  12. kittencatlover

    kittencatlover New Member


    If I may ask - How do I activate or download Bleachbit?
    ryanvade and DevynCJohnson like this.
  13. ryanvade

    ryanvade Administrator Staff Member Staff Writer

    Sorry...
    It can be installed with most package managers. Or you can get it from here:
    http://bleachbit.sourceforge.net/download/linux

    Once it is installed, a menu item should be available to start it.

    DevynCJohnson likes this.
  14. timothy cribb

    timothy cribb New Member

    I plan to get Linux, but unrelatedly I have to say that's a very clever reference in the picture, lol XD. I don't think most of the people that see this forum would get it. The kimpatchi reference is flawless, hands down.
    DevynCJohnson likes this.
  15. DevynCJohnson

    DevynCJohnson Well-Known Member Staff Member Staff Writer

    Thanks for the comment on my slide!
  16. Cristal Skull

    Cristal Skull Member

    Devyn, before the antivirus installation, for the real-time protection (file-access scan), the dazuko module (from ClamAV) or redirFS (for Comodo or AVG) must be compiled! In this case, kernel-devel, kernel-headers and kernel-source are required :)
    DevynCJohnson likes this.
  17. DevynCJohnson

    DevynCJohnson Well-Known Member Staff Member Staff Writer

    How are you installing ClamAV?
  18. Cristal Skull

    Cristal Skull Member

    DevynCJohnson likes this.
  19. omega5081

    omega5081 New Member

    Isn't the entire Ubuntu operating system adware?
  20. ryanvade

    ryanvade Administrator Staff Member Staff Writer

    No. Ubuntu is a Linux distribution based on Debian, developed by Canonical. Richard Stallman, the creator of GNU and the Free Software Foundation, has said Ubuntu is spyware because of the Amazon search feature in Ubuntu's Unity search. However, with recent Ubuntu releases, the option to turn off the Amazon search along with the "anonymization" of search data has shown Canonical is willing to help keep users' data private.

    It is up to interpretation however. But most users agree that saying Ubuntu is spyware is too extreme. Personally since Unity by default does not use Amazon in searches (in 14.04 development branch) I no longer have any issues with Unity. As long as searching Amazon is an OPTION, I am okay with it.
