The Truth About Linux and Viruses

Linux Explorer: The Truth About Linux and Viruses
Extracted from: Scot’s Newsletter (free) (http://www.scotsnewsletter.com/subcenter/subscribe.htm)

Conventional wisdom says that a virus scanner is one of three protections necessary these days for computers connected to the Internet. (The other two being a spyware scanner or two, and a trainable spam filter.) The same wisdom also says that the only reason Linux and Macintosh computers don’t see the same level of virus attacks as Windows PCs is because Windows PCs are so much more prevalent.

While this may be partly true, it’s not the whole reason. According to various virus lists, there are fewer than 100 known viruses for Linux, none of which spread the way a Windows virus does. Meanwhile, there are thousands and thousands of Windows viruses. With the so-called discovery of a Linux/Windows virus, more light is being shone on the subject of Linux security.

But it’s easy to protect yourself in Linux, once you know a few things about viruses under the operating system. And if you still think you need it, we’re including instructions on how to use Frisk Software International’s F-Prot Antivirus.

  1. If you run Linux and only Linux, you do not need antivirus software. In its efforts to make Windows easier to use, Microsoft simplified the process of running executables under its operating system many years ago. Not only can a user launch a program by clicking an e-mail attachment, but it’s possible for an executable to launch automatically just by hitting the preview pane of some email packages, including older versions of Outlook and Outlook Express. Scot’s Newsletter Forums member Nathan Williams has provided an excellent FAQ for the All Things Linux forum explaining why Linux when used alone does not need antivirus protection.

Under Linux the steps for launching an executable from an e-mail are separate, discrete steps. A user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. And to be truly damaging, the latter two would have to be done as root — not something informed users would allow. (For more information see Ch- Ch- Changing File Permissions.)

  2. If you dual boot Linux and Windows and get a virus-infected mail in Linux, it can NOT jump to your Windows partition. Nor can it spread over the local network to other systems. You can even store the attachment in your /home directory and open the zip or click the file, and it will be dead in the water. Windows executables won’t run under Linux. Linux files need to be granted permission to become executable. And even then, it can’t spread beyond the home folder. (This is also why Linux AV programs do not have a “live guard” module in them — the virus does not execute or move.) You could even leave a virus executable there as long as you wanted to without risk. Windows will not get infected, unless you deliberately copy the virus to your Windows partition.

  3. If you dual boot, however, you better get a good antivirus program for Windows. Microsoft’s operating system and its bundled applications, Outlook and Internet Explorer, offer users powerful functionality in their attempts to be easy to use and easy to update. As a result, it’s all too easy for virus writers to exploit the same functionality in a malicious way. Don’t leave them an opening. Install an antivirus program and keep it updated.

  4. The only time you’ll need a Linux antivirus program is if you’re running a mail server. And that’s just good social behavior. It’s not to protect your Linux server or client computer so much as to make sure you don’t pass a virus on to a Windows system.

Think about it this way: If you have two warehouses, and you use the first one to store cheese, are you going to place mouse-traps in the second one where you only store stainless steel? I mean, be reasonable, mice do not eat stainless steel! So don’t let antivirus vendors make you unnecessarily paranoid.

You can see why Avast for Linux is going along at a snail’s pace.
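The execute-bit gate that point 1 of the newsletter column rests on, as an added example (not code from the column or from Scot’s Newsletter). It saves a constructed, harmless "attachment" with the 0644 mode a mail client would give it, shows that the kernel refuses to exec it until someone runs the chmod step, and also shows the bypass the column does not mention: handing the file to an interpreter (`sh attachment`) runs it regardless of its mode bits, so the separate permission step is a speed bump, not a wall. The file name and marker string are assumptions made for the demo.

```python
"""
Demonstrates the execute-permission gate described in the newsletter column:
a file saved from an e-mail attachment cannot be exec'd until its execute bit
is set, but an interpreter will happily read it as data either way.
Added example, not part of the original column.
"""
import os
import stat
import subprocess
import tempfile

# Constructed "attachment": a harmless shell script standing in for a
# hostile payload. Its only action is to print a marker string.
ATTACHMENT_BODY = "#!/bin/sh\necho attachment-ran\n"


def try_run(argv):
    """Run argv; return 'executed' if it ran and printed the marker,
    'denied' if the kernel refused to exec it (EACCES), or 'error'."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    except PermissionError:          # execve() failed with EACCES: no x bit
        return "denied"
    if proc.returncode == 0 and "attachment-ran" in proc.stdout:
        return "executed"
    return "error"


def demo_execute_bit(workdir=None):
    """Save the attachment the way a mail client would (mode 0644), then
    try to run it three ways. Returns a dict of outcomes."""
    if workdir is None:
        # Prefer the current directory: /tmp is sometimes mounted noexec,
        # which would mask the effect of the execute bit.
        base = os.getcwd() if os.access(os.getcwd(), os.W_OK) else None
        workdir = tempfile.mkdtemp(dir=base)
    path = os.path.join(workdir, "invoice.sh")   # assumed attachment name
    with open(path, "w") as fh:
        fh.write(ATTACHMENT_BODY)
    os.chmod(path, 0o644)                         # rw-r--r--: no execute bit

    results = {}
    # Direct exec with no x bit: the kernel returns EACCES.
    results["direct_no_xbit"] = try_run([path])
    # Bypass: an interpreter reads the file as data; the x bit is irrelevant.
    results["via_interpreter"] = try_run(["/bin/sh", path])
    # The "give it executable permissions" step from the column.
    os.chmod(path, 0o755)
    results["direct_with_xbit"] = try_run([path])
    results["mode_after_chmod"] = stat.S_IMODE(os.stat(path).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo_execute_bit().items():
        print(f"{key}: {value}")
```

The same bypass applies to any interpreted attachment (`python file`, `perl file`), and mounting the directory `noexec` blocks the direct exec but not the interpreter path either; the only thing that reliably stops the payload is the user not feeding it to an interpreter.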

Well, I think that it is not a good idea to leave this post without a reply. Be so kind and spend a minute to read this:

Problem one:
I stand by my position from my very first post, so I will not repeat it here, but to my knowledge the article has a serious bug: the number of Linux viruses (worms, exploits etc.) is highly mismatched. In my personal Linux Virus Collection the count at the time of writing is 358 files, about 30 MB in size, but I know that is only a part of the existing code. That is why I started to construct Linux Virus Lists, because I believe in “hard evidence”, not folklore. My post has been ignored so far, and I am pretty sure why :-(.

Here is the Linux Viruses List (in overall numbers), collected from the antivirus programs available for Debian Linux (e.g. Grisoft AVG does not run under Debian due to an unresolvable library conflict). I can provide these lists as txt files on request:

vendor                All viruses   Linux   Unix
AVIRA Antivir             390,121     562    118
FRISK F-Prot              277,100       7    485
Softwin BitDefender       141,479     807     96
Kaspersky Lab kav         108,420     906    148
ClamAV                     56,467       ?      ?
ALWIL avast!               54,914      46     46

  • caution:
    Although I did my best to collect the database chart correctly, all data are estimates due to database formats and heuristic / generic detection;
    these numbers are only guidelines to the VX scene on Linux and are NOT confirmed by the vendors!
    If any vendor wants to correct these numbers or wants me to remove them, do not hesitate to contact me;
    certainly I will update the chart. The methodology (very simple) is also available on request.

Problem two
Based on my personal investigations, covered by the scope of my graduate work, the main reason why the number of Linux viruses is so low is in fact that the authors of Linux virus tutorials do not want to publish all their work, and it is “good style” to behave like this: do not provide Linux-related tutorials! The number of criminals going to exploit system vulnerabilities for profit will stay low as long as there are only a few Linux desktops and workstations. The EU wars with Microsoft (Redmond, USA) opened the market, and more and more corporations deal with Linux support vendors (in Poland, e.g., Suse has a deal with U.X. systems, the OpenOffice vendor, to provide support for Suse Desktop). If free systems like Debian are marginalized, the new generation of commercial operating systems can be attacked as furiously as before, whether they are Windows, Linux, MacOS or from Mars.

Résumé
Think Linux; do not believe in folk tales told by journalists who have hardly seen Linux at all, maybe passed once by a Linux-powered PS. Search for facts and share them, do not panic (kernel panic). Do not be blind! Viruses come to Linux, so it is a good idea to get knowledge and learn how to use AV tools on Linux (avast! 4 Linux?). Otherwise, in case of a disaster, M$ will get a new marketing slogan: Vulnerable as Linux.

That is why I am here, and I hope that is why the avast! team keeps this Linux thread for us. Thanks a lot for that to avast!
Finally, the avast! team knows best whether the Linux market is worth the interest. Am I right or not?!

This isn’t directed at the parent… This is directed at bimbom.

There are and will be viruses for any platform. That’s just part of it. What makes Linux different is that the vast majority of Linux users aren’t going to download some free screensaver, or some free card game, etc… Why? Either they already have it by default, or there is a free, open source, trusted alternative. Even if you did download a binary by accident, and accidentally ‘clicked on it’, guess what happens. Nothing, unless your file manager automatically makes it executable and automatically executes it. You might start looking for a better file manager when that happens.

The idea of a Linux virus is nothing like that of Windows, and the idea of a Linux worm is just hilarious. Give two Linux users cloned HDs in two identical boxes. Come back in 2 months, and you’ll notice something. Their systems are completely different. They will most likely be using two completely different web browsers, different mail clients, different everything. When you use Linux, you have a choice. You aren’t forced to use explorer.exe.

If you wanted to write a Linux ‘virus’ you would have to attack something common to all Linux boxes… bash, xorg, the kernel, gnu-utils, etc… These are all far too mature to be attackable by the random script kiddie. Linux is open. If somebody finds a hole, it’s plugged. If you choose to run closed source software on Linux, fine, so be it. I just pray that it’s mature, and not running as a server on the internet side. The biggest threat to Linux, in my opinion, is having a weak password, and leaving SSHD running if you don’t use it. And don’t forget the dumb user. And in this case, all that should happen is that either you get rootkitted (very very rare), or that users files get deleted. Don’t allow root to login remotely. That’s retarded. Don’t even allow your user to login remotely, make a user that you use for remote work. You can su to your primary account from there.

Your average Linux user is much more savvy than your average Windows user. It’s two different worlds, don’t even try to compare. Linux is not Windows.

Linux is being used on corporate firewalls, massive DNS servers, large websites, space shuttles, satellites, navigation systems, etc… And guess what. Without antivirus. In reality, you ‘could’ run Windows with no antivirus. I’ve done it. Use a good hardware firewall, make sure other machines on your network are separated, or similarly protected, and don’t run every damn exe you come across.

Guess what. I put a Linux box on a Windows network, enabled Samba, and set up a default, wide open share, similar to the one a Windows user would have. Guess what happened? That Samba share was filled with random exes with catchy names. What happened after that? Nothing! They were all the same exact file, just with a different name. I actually ran one with Wine, Cedega, and Crossover for fun. Guess what happened… Nothing! Guess what happened to the Windows boxes. RPC crashed and forced a reboot. I’m sure you know what worm I speak of. You know what happened next? Those Windows boxes tried to phone home to an IRC server. What happened then? My Linux firewall blocked it. Now my Linux firewall/router runs antivirus and a spam filter. Not a single Windows machine in my office runs antivirus, or a firewall, or a spam filter. And you know what? We don’t get viruses, worms, spam, or any of the other cruft that plagues other networks.

That Linux antivirus checks for Windows viruses, not Linux. No viruses/worms in, no viruses/worms out, no viruses/worms between machines. I’ve infected a box on purpose with as many worms and viruses as I could get my hands on, and it didn’t spread.

Linux is not Windows.
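The two sshd points the post above makes (don’t let root log in remotely; don’t let a weak password be the only gate) turned into an audit script, as an added example rather than the poster’s own code. The `sshd_config` text is constructed; the directive names (`PermitRootLogin`, `PasswordAuthentication`, `Match`) and the parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, `Match` opens a conditional block) are the real OpenSSH ones. The default it quotes for an unset `PermitRootLogin` changed from `yes` to `prohibit-password` in OpenSSH 7.0.

```python
"""
Audit the global section of an sshd_config for the two settings the post
calls out: remote root login and password-only authentication.
Added example, not code from the thread; the config text is constructed.
"""
import re

# Constructed sshd_config with the shape often seen on a box "set up quickly".
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
permitrootlogin yes
PasswordAuthentication yes
# The line below is ignored by sshd: for each keyword the first value wins.
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""


def parse_global_section(text):
    """Return {keyword_lower: first_value} for directives that appear before
    any Match block. Match blocks apply conditionally, not as global policy."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd only honours whole-line comments
            continue
        # "Keyword value" or "Keyword=value", as sshd_config(5) allows.
        m = re.match(r"([A-Za-z]+)\s*[=\s]\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)           # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, finding) pairs for risky global settings."""
    s = parse_global_section(text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin",
                         "not set; the default is 'yes' before OpenSSH 7.0 and "
                         "'prohibit-password' from 7.0 on, so set it to 'no' explicitly"))
    elif root.lower() != "no":
        findings.append(("PermitRootLogin",
                         f"is '{root}'; set it to 'no' and log in as an unprivileged user"))
    pw = s.get("passwordauthentication", "yes")   # sshd's default is yes
    if pw.lower() == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins allowed; use keys so a weak password "
                         "is not the only gate"))
    return findings


if __name__ == "__main__":
    for keyword, finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{keyword}: {finding}")
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means both directives are explicitly closed off. It deliberately reports an unset `PermitRootLogin` rather than guessing the installed version’s default, because the post’s advice only holds if the setting is pinned.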

I have to disagree that Linux can’t be attacked, can’t be compromised by a virus because it’s managed by people who are so much smarter and it’s so much harder to penetrate.

I have to disagree, as I am one who owns a Linux system that was penetrated by a hacker who placed a virus in the root, changed the passwords so we could not get in, and deleted the system logs (and directory). That person or persons (and yes, we called in the FBI, and we have saved the HD for forensic analysis; we take this seriously) did it for a time without our knowledge (how we became aware of the hack, I won’t say, for security reasons).

We were running SME Mitel 5.5. We don’t think it was hacked; we think it was one of the apps we put on it (we don’t know which one, so we assumed all of them, upgraded the server, and have not started many of the apps until we figure out how to better protect the server).

Yes, we had Samba on it but it was not Samba that caused the problem, it was a direct attack from the cable modem. Nothing on Windows compromised the Linux, rather it was the other way around.

The Linux firewall was penetrated, make NO mistake about it. We didn’t at that time run a rootkit scan (we do now). The first virus placed was Linux.RST.A and the second was Breplibot.R.

So my advice is to stop being so smug about Linux. The bad guys don’t care what you have, they want to break it, use it, bring the world under their control and you better try real hard to stop them or be prepared to be abused by them.

A sad but now wiser Linux user.

Nobody said Linux is unattackable; every platform is attackable, but a virus is a different thing from a hacker. If someone capable enough wants to hack a system then it will happen, but do you think having an antivirus program could have made your system more secure? I am talking about antivirus because that was the subject. Nobody in the Linux world says Linux is unattackable, but of course it is well protected from viruses.

Do you know how antivirus programs work? They store sections of potentially dangerous programs and, scanning system folders and files continually, they check whether those sections are included in something. But before being able to search for a virus they need to be updated and have in their data the information to search for, so they are not able to prevent system contamination by a new virus they don’t know. Consequently there are a few steps to follow before an antivirus can shield a system: one platform has to be infected; the user of that platform has to call for assistance to get rid of the problem (unless the infected computer is the one of an antivirus house, where a technician is trying on purpose to get infected in order to discover new viruses); the dangerous program is analyzed; updates containing the signature of the virus are sent to the users’ antivirus programs.

On Linux you don’t have thousands of auto-running viruses continually trying to pass modem ports, you don’t have unverified programs potentially containing dangerous code, and that is particularly true for Ubuntu users. The few Linux viruses existing are not able to run automatically themselves unless a hacker puts them in your system, and from this point of view Windows systems are equally or more vulnerable, and having an antivirus program is useless because a hacker is not a virus. Finally, when a possible threat (normally a hole that a hacker could exploit) is discovered, the Linux community acts exactly as an antivirus house, releasing updates to the users in order to prevent damage. So antiviruses are useless in Linux because programs cannot start automatically, the existing viruses are not a threat because they are not viruses, possible new viruses are not detected by an antivirus program for the reasons explained above, but new threats are analyzed by the Linux community’s programmers and brought under control by releasing updates.

The viruses that WizSF is talking about are two different programs: Linux.RST.A needs to be executed with root permissions, as stated here http://www.securelist.com/en/descriptions/old21734, by a user running an unverified program containing the code, and Breplibot.R is a Windows virus, totally harmless in Linux. That’s the only reason you should run an antivirus on Linux: in order to avoid sending your Windows friends viruses that are harmless in Linux but dangerous in Windows. So if you want to run an antivirus on Linux to protect your Windows friends, you are right.
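The signature-scanning model danxz describes above, applied at the one place the thread agrees a Linux box should run it: a mail gateway stripping Windows-targeted attachments before they reach Windows clients (point 4 of the newsletter column and the last paragraph of this post). Added example, not code from the thread or from any AV product; the signature database, the sample bytes and the e-mail are all constructed, and the "MZ" prefix only mimics the look of a Windows executable. It shows the update cycle the post lays out: a known sample is caught, a one-byte variant is missed until its hash is added, then caught.

```python
"""
Minimal signature scanner run over the attachments of an inbound mail, as a
mail gateway would. Added example, not code from the thread; every signature
and sample here is constructed and harmless.
"""
import hashlib
from email import message_from_bytes
from email.message import EmailMessage

# Constructed signature database. Real AV databases add wildcards, emulation
# and heuristics, but the core idea is the same: match bytes you have seen
# before, which is exactly why an unseen variant is not matched.
PATTERN_SIGS = {
    "Constructed.Test.Dropper.A": b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE",
}
HASH_SIGS = {}   # sha256 hex -> name; filled by add_hash_signature()


def add_hash_signature(name, payload):
    """The 'update' step: register the exact bytes of a newly analysed sample."""
    HASH_SIGS[hashlib.sha256(payload).hexdigest()] = name


def scan_bytes(payload):
    """Return the matching signature name, or None if nothing known matches."""
    name = HASH_SIGS.get(hashlib.sha256(payload).hexdigest())
    if name:
        return name
    for name, pattern in PATTERN_SIGS.items():
        if pattern in payload:
            return name
    return None


def scan_message(raw):
    """Walk a raw RFC 822 message and return [(filename, verdict)] for each
    attachment. Attachments are decoded (base64/quoted-printable) before
    scanning, because a signature never matches the encoded form."""
    msg = message_from_bytes(raw)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)
        results.append((part.get_filename(), scan_bytes(data)))
    return results


def build_sample_message(attachments):
    """Constructed inbound mail carrying binary attachments [(name, bytes)]."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: a known one, and a "new variant" with one byte changed
# inside the marker so the byte pattern no longer matches.
KNOWN_SAMPLE = b"MZ" + b"\x00" * 8 + b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"NOT-MALWARE", b"N0T-MALWARE")


def demo():
    """Scan the same mail before and after the variant's signature is added."""
    raw = build_sample_message([("invoice.exe", KNOWN_SAMPLE),
                                ("invoice2.exe", VARIANT_SAMPLE),
                                ("notes.txt", b"plain text, nothing to see")])
    before = scan_message(raw)             # variant slips through
    add_hash_signature("Constructed.Test.Dropper.B", VARIANT_SAMPLE)
    after = scan_message(raw)              # caught only after the update
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before update:", before)
    print("after update: ", after)
```

The gap between `before` and `after` is the window the post describes: until someone has analysed the variant and shipped its signature, a pure signature scanner passes it, on Linux or anywhere else.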

Hi danxz,

There are two sides to that medal. It is true that the vulnerability to classical malware of Windows in combination with particular user agents is known.
But the Linux environment is also vulnerable. Why have snort, why all the attacks on misconfigured and badly hardened Linux Apache servers leading to mixed-environment compromise?
How many webmasters and hosters have not even taken minimal security measures, giving away to the world full server version numbers and the website software used, headers giving away far too much about the dynamic content being run, etc. etc. We see it every day in the virus and worms section, with thousands and thousands of vulnerable sites and AS and infection examples or intrusion attack logs.
In Linux you should be able to view attacks not even visible with Windows logging, but that won’t help the security blind and one-eyed. I know: I was trained in the Win NT4 environment together with the kernel, with a lot of Linux trainees making the switch when the first-mentioned environment had to be rolled out, mainly in hospitals, transport firms, etc. etc. I am aware of the arguments and the mutual mythology being built. Some facts are crystal clear: open versus closed software, layers of code being built upon each other in thousands and thousands of lines for the Windows OS, making zero-days just a matter of letting a fuzzer run long enough. But it is not all that black and white as you like to present it here; there are many shades of grey, my friend,

polonus

Hi polonus,
I didn’t speak black and white because I said

Nobody said linux is unattackable
, but the word “Linux” includes lots of environments, and every environment can have various configurations. That is left to the system administrator being more or less careful in configuring that environment, exposing the system to external attacks, and again we are talking about hackers and not about viruses or malware. But let’s compare the Windows environment with the most used Linux platforms like Ubuntu and derivatives, SuSe, Red Hat, Android etc.: use them without making system modifications or lowering system security, and follow the rules, installing only verified programs, and you will stay secure; do the same thing on Windows (without antivirus and antimalware, as in Linux systems) and you will get into trouble. I don’t know if all this will go on forever, and I will change my mind when I learn about a virus capable of penetrating the Linux firewall, discovering the root password, logging itself in as root and running automatically within the system, making chaos, without security errors by the user. Regards.

For the average linux desktop home user, who is cautious by nature, never logs in as root, and only installs from the approved repositories, I wouldn’t have thought from what I’ve read that either viruses or hackers/rootkits are likely to be the main issue.

I would imagine that a greater concern would be web based attacks on the home folder/partition that work on any operating system. The ubuntu wiki warns of Cross Site Scripting, Cross Site Request Forgery, Click-Jacking, Session Riding in this respect. And then there’s always direct phishing to consider.

Currently I use noscript/bitdefender trafficlight and I have set the apparmor profile for firefox to deny. Noscript occasionally requires a level of knowledge on my part as to which scripts to allow for page functionality that I’m not always comfortable with, and apparmor is testing too.

A linux antimalware system that offered some reassurance against these would be welcome to me. Chromium with seccomp sandbox also looks interesting (but again, I don’t really have enough knowledge to decide exactly what this is protecting me against).

I’m probably on the less knowledgeable side of Linux users - but if Linux is serious about increasing its penetration, it is going to have to deal with (and keep safe) millions who are even less knowledgeable than me.

Hi danxz and mag,

But you see where the situation is going to change and tables may turn, that is where the environment gets in the hands of the masses and the malcreant has a vested interest to infest.
Take the Android linux based operating system, used by Google and protected by an avast application. The security situation for this platform is changing rapidly.
So if linux get any marketshare it will explode with malware: http://www.zdnet.com/android-malware-numbers-explode-to-25000-in-june-2012-7000001046/
link author = Emil Protalinski for Zero Day
So in the hands of the security savvy windows can be used securely as can linux, but in the hands of the n00b clicker with malcode and social engineering nearby the situation can change rapidly. A linux setup by a system admin in a controlled environment is something different from a linux driven smartphone in the hands of the digital illiterates,

polonus

I’m not sure what people are saying, or why a thread from 2006 has been dug up to perplex people who use Linux.

Personally I am very lucky to run a Linux Distro which is built by a small community who take pride in how they package programs and dependencies, and give relevant instruction on how to use our Distro with common sense.

The worst a Linux user can do is login as / (root).
Equally, to use the “sudo” command, over “su”.

Installing packages outside of your Distro’s Repo can have diverse effects upon your system, due to the fact these packages are built with your Distro in mind.

Some interesting reading:
Major attacks, September 2011.
Linux source code site hacked
LinuxFoundation.org and Linux.com taken down

http://en.wikipedia.org/wiki/Linux_malware
New password-stealing trojan hits Linux, Apple

I’ve read the posted speculations preceding my post, and agree:
1.) MS Windows users number 90 to 95% of online users.
2.) Linux users number approximately 3 to 5% of online users.
3.) Apple users number approx. 5% of online users.
4.) With the ‘portability’ of online computing, i.e. Tablet and Smartphone users escalating online we are seeing these as very attractive platforms to Hack, or Infect, as generally a lot of personal information is held on these machines. They are often used in insecure ways, and used often due to their portable nature.
5.) Speculating about Linux fallibility is kind of silly as the response time to patch any vulnerability is immediate, clinical, and responsible.
6.) It’s a great defence for MS Windows to say because they have most of the online market share they are more fallible, however the money they make should provide resources to counter the amount of Malware susceptible Operating Systems they have online.
7.) If Third party companies didn’t aid MS, and non paid Malware experts, MS Windows Operating Systems would be unusable online.
8.) For all the above reasons I use Linux. :wink:

Yes, I have to agree on Android being a platform in which security has been lowered by purpose to please lots of illiterate users and where malware is a concern, but you don’t have viruses banging at the door trying to enter in the system.

If you want to have lots of users then it seems inescapable that most will be what you term ‘illiterate’.

Hi mag and danxz,

That is why we are glad to have users like you two here. Wished we had enough of them for the Windows platform as well to make the critical break-through. The situation would be rather different, but education won’t work as users already have been “brainwashed” to use a particular platform. Young users should be confronted with both platforms alike during school years and then we could make a different discussion,

polonus

to mag,
I didn’t want to be arrogant saying “illiterate users”; I took this expression from Polonus’ previous post, where he refers to users that do not yet have enough knowledge to avoid malware, and that is only a finding of fact (I hope the expression is right; I used Google Translate). You cannot please lots of users with a system like Ubuntu or similar, because the average user wants to click and go, so they lowered security for this reason and to permit a market for apps.

No problem here danxz.

I was just pointing out that if you seek a very wide user base you have to somehow make things both simple and safe.

The key point as I see it is that the system mustn’t face users with impossible decisions by asking them questions that they can’t understand then making them click either yes or no to proceed.

One of my earliest experiences of this was with an early windows application with a HIPS (I think it may have been a very early version of norton internet security). Every few minutes it asked me if I wanted to allow some file or other that I didn’t recognise to carry out some activity that I didn’t understand, or know the implications of. It was probably extremely secure in the right hands, but it lasted about an hour on my machine.

I think a corollary of this is that a good OS ‘for the masses’ should therefore be designed to restrict functionality to a degree to avoid putting too much responsibility for safety onto the user. For some people this will be unacceptable. Fine - let them use a different OS.

Hi danxz,

Please, you folks, do not read anything broader than “knowing how to protect against malcode” or “security savvy”.
With “illiterate” I refer to users that are “unsavvy” in these respects. This is not saying that users are not intelligent.
It just denotes that they did not learn how to protect themselves against getting infested with malcode
(malware in the broadest sense of the word from crap, unwanted ads, spyware, BHOs to more serious issues like rootkitted file-infectors).

I know of a category of users that will use “safe hex” practices and stayed malcode free for years and years.
Then there are those that haven’t learnt to do this properly.
Or they are not willing to do this because they “cannot be bothered” or only will wake up through working their computers into “doorstopper only state”.
Then there is a category that does not even feel affected by such events.
They will just start on a new computer if the old one has become unworkable.
Good for the man in the computershop, who will cleanse these machines to resell them.

As the linux users form the 5 to 6% “top notch” of the user population
they start with another attitude towards security and most do not have the problems outlined above,

polonus

Personally, I see Linux as a user based platform with no dreams of following the Model of MS. It has no intention of being a Mega Million dollar enterprise, moreso an Academic enterprise.

Places like libraries, schools, universities, and some government departments have been interested in taking up particular Linux platforms; kids love it. There have been projects specifically intended for young school children which have been very successful.

Linux certainly is not trying to become a corporate giant, therefore there are no problems on the horizon as far as malware.

Unix was the beginning.

“…During the late 1970s and early 1980s, the influence of Unix in academic circles led to large-scale adoption of Unix (particularly of the BSD variant, originating from the University of California, Berkeley) by commercial startups, the most notable of which are Solaris, HP-UX, Sequent, and AIX, as well as Darwin, which forms the core set of components upon which Apple’s OS X, Apple TV, and iOS are based.”

“Unix (officially trademarked as UNIX, sometimes also written as Unix in small caps) is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs.”

“During this period (before PC compatible computers with MS-DOS became dominant), industry observers expected that UNIX, with its portability and rich capabilities, was likely to become the industry standard operating system for microcomputers.”

In 1991, a group of BSD developers (Donn Seeley, Mike Karels, Bill Jolitz, and Trent Hein) left the University of California to found Berkeley Software Design, Inc (BSDI). BSDI produced a fully functional commercial version of BSD Unix for the inexpensive and ubiquitous Intel platform, which started a wave of interest in the use of inexpensive hardware for production computing. Shortly after it was founded, Bill Jolitz left BSDI to pursue distribution of 386BSD, the free software ancestor of FreeBSD, OpenBSD, and NetBSD.

In 1991, Linus Torvalds began work on Linux, a Unix clone that initially ran on IBM PC compatible computers.
http://en.wikipedia.org/wiki/Unix

I think canonical/ubuntu have aspirations to a wider user base at least. To use one of their forum quotes:

‘Sometimes I feel like Ubuntu is designed by arrogant nerds for the projected needs of the imaginary non-nerds of tomorrow’

-and in my opinion they do a pretty good job of it.

“…people don’t know what they want until you show it to them.”

Steve Jobs.

I use Debian and Android myself. ::slight_smile: