Avast WEBforum

Business Products => Avast Business => Avast Business for Linux => Topic started by: bimbom on May 23, 2006, 05:20:21 PM

Title: avast! 4 Linux HE: How to build a viruslist ?!
Post by: bimbom on May 23, 2006, 05:20:21 PM
Hi 2 All!

About Me

I am just a student at http://www.szkola-linuxa.com (an enthusiastic private Linux school - EU, Poland, Warsaw). I am preparing a graduate work, "Viruses on Linux - VX Scene Today". My position is that there is virtually no Linux security superiority of any kind while the market is being opened 4 Linux desktop & workstation PCs. Although there are no Linux viruses on the "On The Wild List" at the moment, there is much bad news around. According to the reports of Silvio Cesare, Solar Designer (and others: +Marek Sell, Eugene Kaspersky), and keeping in mind Linus Torvalds' criticism of the 2.6 kernel branch - viruses are coming to Linux. Google for these reports first that argue, please. Next, browse VX Heavens for its Linux virus collection and ELF infector tutorials. The last Linux epidemic (2001-2002), by Slapper, is well described on the FRISK web http://www.f-secure.com/slapper/. So I do think it's better to keep an eye on the VX Scene rather than claim "Linux is virus-free". So I decided to graduate on viruses and to take a chance to build a personal career on it. Many AV product vendors provide not only server tools, but also WS tools like avast!. Greetings and thanks to the avast! team for Linux HE and the Betas, and for this forum as well!

Building Linux virus lists - the problem description

My search for Linux viruses goes on: I started to build statistics based on Linux virus lists built from different AV vendors. Building Linux virus lists is available with SOFTWIN BitDefender for Linux v7, AVIRA AntiVir and FRISK F-Prot - free AV tools. At the time of writing, the Kaspersky list consists of more than one thousand harmful code examples and seems to be the biggest one available:

 
 
   #date
   wto maj 23 14:58:11 CEST 2006
   # keepup2date
   # kavscanner -g/home/user/Desktop/kaspersky.viruslist.log
   ...108342 records has been saved
   #  cat  /home/user/Desktop/kaspersky.viruslist.log | grep Linux    >/home/user/Desktop/kaspersky.Linux.viruslist.log
   #  cat  /home/user/Desktop/kaspersky.viruslist.log | grep Unix   >>/home/user/Desktop/kaspersky.Linux.viruslist.log


It gives me 1054 entries! So here my question comes: how to do the same for avast!? I have just started with the --viruslist=MASK option. It gives me 109440 entries. OK, but going further and grepping for something useful like e.g. ELF (Linux, Unix, Lin, nix etc. give mismatched results) - this time I get only 92 results :(


   # /opt/avast4workstation-1.0.5/bin/avast-update
   avast! is running, can't update.
   # /opt/avast4workstation-1.0.5/bin/avast --version
   avast: avast v1.0.5
   VPS: 0621-1 (date: 22.05.2006)
   Copyright(C) 2003-2006. ALWIL Software. All rights reserved.
   # avast --viruslist=* >/home/user/Desktop/avast.viruslist.log
   # cat /home/user/Desktop/avast.viruslist.log | grep ELF >>/home/user/Desktop/avast.ELF.viruslist.log


Does someone have a better knowledge of the avast! naming convention? Any ideas on how to build an avast! Linux virus list are welcome... maybe the Win32 HE has more capabilities?
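
Added example (not part of the original post, and not avast! or Kaspersky code): one way to filter a dumped list for several name patterns in a single pass, so that an entry matching two patterns is counted once and a repeated run cannot append duplicates. It assumes one signature name per line; `filter_viruslist`, `make_sample_list` and the sample names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the dumped list has one
# signature name per line; the thread does not show the real format.

# filter_viruslist LIST OUT PATTERN...
# Copies each line of LIST that contains any PATTERN (fixed string,
# case-sensitive) to OUT exactly once, and prints how many were kept.
filter_viruslist() {
    list=$1; out=$2; shift 2
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no pattern given" >&2; return 1; }
    pats=$(mktemp) || return 1
    printf '%s\n' "$@" > "$pats"
    # One grep over all patterns: a name containing both "Linux" and
    # "ELF" is selected once. '>' truncates OUT, so a second run cannot
    # double the list the way an appending '>>' does.
    grep -F -f "$pats" -- "$list" | sort -u > "$out"
    rm -f "$pats"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample names, not real avast! or Kaspersky entries.
make_sample_list() {
    cat > "$1" <<'EOF'
Win32:Sample-A
ELF:Sample-B
Linux:Sample-C [ELF]
Unix:Sample-D
ELF:Sample-B
VBS:Sample-E
EOF
}

demo=$(mktemp -d)
make_sample_list "$demo/all.log"
filter_viruslist "$demo/all.log" "$demo/unix.log" ELF Linux Unix
rm -rf "$demo"
```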
 

Title: Re: avast! 4 Linux HE: How to build a viruslist ?!
Post by: bimbom on May 23, 2006, 08:57:41 PM
I have just discovered a bug in my own post: here U are the fix to it:

Preparing the previous post, I unintentionally doubled the avast! virus database and the avast! ELF virus list as well. Truly sorry about that! Additionally, a problem with the lockfile has occurred.

Problem description: lockfile stops databases from reloading

The avastgui executable (both in root and user mode) downloads new databases, but can't reload them. The reason is very ordinary: a lockfile still exists. The lockfile-root and lockfile-user (in the /root/.avast and /home/user/.avast directories respectively) are files that keep the PID (Process ID) for avastgui, preventing it from being started twice. They should be deleted on exit, but on my Debian 2.4.27-3-k7 they are not for some reason - investigating why at the moment... Those files should then be removed manually:


   # rm /root/.avast/lockfile-root
   # rm /home/user/.avast/lockfile-user
   or



In case avastgui is being used to download new databases, it shows its version. But - hard to believe - the check whether they are being loaded is not done, for a reason unknown to me. So how to check whether the avast! databases are loaded (for sure), I mean reloaded after a successful download? This is pretty simple again:


   # /opt/avast4workstation-1.0.5/bin/avast-update
   #

   # date
   wto maj 23 20:21:55 CEST 2006

   # avast --version
   avast: avast v1.0.5
   VPS: 0621-2 (date: 23.05.2006)
   Copyright(C) 2003-2006. ALWIL Software. All rights reserved.
   #


If the "avast: can't update avast is running" message is shown, quit avastgui and remove the lockfiles as described before. This time my avast! databases are intact, downloaded and reloaded, and I can count correct values for my viruslist. Here U are the updated numbers:

   # avast --viruslist=* >avast.all.viruslist.log
   # cat avast.all.viruslist.log | grep ELF >/home/user/Desktop/avast.ELF.viruslist.log


Now, my avast.all.viruslist.log is 54400 lines long, and my avast.ELF.viruslist.log is only 56 lines long. I guess it seems OK.
By the way, I have been asked how long it takes me to count these thousands of lines in a text file. This is child's play again, 'cos any Linux editor shows lines, and furthermore vi can be used as follows: start vi with the + parameter, so it will start at the last line of the file, then press "Ctrl" + ":" and type in "set number"; vi will show line numbers, and the last should be the highest:


   # vi + /home/user/Desktop/avast.ELF.viruslist.log










Title: Re: avast! 4 Linux HE: How to build a viruslist ?!
Post by: bimbom on May 23, 2006, 09:01:45 PM
I have just discovered a bug in my own post: here U are the fix to it:

Preparing the previous post, I unintentionally doubled the avast! virus database and the avast! ELF virus list as well. Truly sorry about that! Additionally, a problem with the lockfile has occurred.

Problem description: lockfile stops databases from reloading

The avastgui executable (both in root and user mode) downloads new databases, but can't reload them. The reason is very ordinary: a lockfile still exists. The lockfile-root and lockfile-user (in the /root/.avast and /home/user/.avast directories respectively) are files that keep the PID (Process ID) for avastgui, preventing it from being started twice. They should be deleted on exit, but on my Debian 2.4.27-3-k7 they are not for some reason - investigating why at the moment... Those files should then be removed manually:


   # rm /root/.avast/lockfile-root
   # rm /home/user/.avast/lockfile-user
   or 4 good:
   # shred -n1 -u /root/.avast/lockfile-root
   # shred -n1 -u /home/user/.avast/lockfile-user


In case avastgui is being used to download new databases, it shows its version. But - hard to believe - the check whether they are being loaded is not done, for a reason unknown to me. So how to check whether the avast! databases are loaded (for sure), I mean reloaded after a successful download? This is pretty simple again:


   # /opt/avast4workstation-1.0.5/bin/avast-update
   #

   # date
   wto maj 23 20:21:55 CEST 2006

   # avast --version
   avast: avast v1.0.5
   VPS: 0621-2 (date: 23.05.2006)
   Copyright(C) 2003-2006. ALWIL Software. All rights reserved.
   #


If the "avast: can't update avast is running" message is shown, quit avastgui and remove the lockfiles as described before. This time my avast! databases are intact, downloaded and reloaded, and I can count correct values for my viruslist. Here U are the updated numbers:

   # avast --viruslist=* >avast.all.viruslist.log
   # cat avast.all.viruslist.log | grep ELF >/home/user/Desktop/avast.ELF.viruslist.log


Now, my avast.all.viruslist.log is 54914 lines long, and my avast.ELF.viruslist.log is only 46 lines long. I guess it seems OK.
By the way, I have been asked how long it takes me to count these thousands of lines in a text file. This is child's play again, 'cos any Linux editor shows lines, and furthermore vi can be used as follows: start vi with the + parameter, so it will start at the last line of the file, then press "Shift" + ":" and type in "set number"; vi will show line numbers, and the last should be the highest:


   # vi + /home/user/Desktop/avast.ELF.viruslist.log


That's it.
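
Added example (not part of the original posts, and not avast! code): a check that removes a PID lockfile only when the process it names is gone, instead of deleting it unconditionally. It assumes the first token in the lockfile is the owner's PID, which the thread states only loosely; `lock_state` and `clear_stale_lock` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread or from avast!.
# Assumption: the lockfile's first token is the owning process's PID
# (the thread says the files keep the avastgui PID, not the layout).

# lock_state LOCKFILE -> prints absent | live | stale | invalid
lock_state() {
    [ -e "$1" ] || { echo absent; return 0; }
    pid=; rest=
    read -r pid rest < "$1" || true    # tolerate a missing final newline
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 only tests for existence; /proc covers processes owned by
    # another user, where kill -0 is refused. A reused PID still reads
    # as live, which errs on the side of keeping the lock.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo live
    else
        echo stale
    fi
}

# clear_stale_lock LOCKFILE
# Removes the lockfile only when its PID no longer exists.
# Returns 0 (absent or removed), 1 (owner still running), 2 (unparsable).
clear_stale_lock() {
    case $(lock_state "$1") in
        absent) return 0 ;;
        stale)  rm -f -- "$1" ;;
        live)   echo "$1: owner still running, not removed" >&2; return 1 ;;
        *)      echo "$1: no PID found, inspect by hand" >&2; return 2 ;;
    esac
}

# Lockfile paths as given in the thread.
for f in /root/.avast/lockfile-root /home/user/.avast/lockfile-user; do
    clear_stale_lock "$f" || true
done
```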