Topic: The Truth About Linux and Viruses

Lisandro (Avast team)
The Truth About Linux and Viruses
« on: May 01, 2006, 04:44:21 PM »
Linux Explorer: The Truth About Linux and Viruses
Extracted from: Scot’s Newsletter (free) (

Conventional wisdom says that a virus scanner is one of three protections necessary these days for computers connected to the Internet. (The other two being a spyware scanner or two, and a trainable spam filter.) The same wisdom also says that the only reason Linux and Macintosh computers don't see the same level of virus attacks as Windows PCs is because Windows PCs are so much more prevalent.

While this may be partly true, it's not the whole reason. According to various virus lists, there are fewer than 100 known viruses for Linux, none of which spread the way a Windows virus does. Meanwhile, there are thousands and thousands of Windows viruses. With the so-called discovery of a Linux/Windows virus, more light is being shined on the subject of Linux security.

But it's easy to protect yourself in Linux, once you know a few things about viruses under the operating system. And if you still think you need it, we're including instructions on how to use Frisk Software International's F-Prot Antivirus.

1. If you run Linux and only Linux, you do not need antivirus software. In its efforts to make Windows easier to use, Microsoft simplified the process of running executables under its operating system many years ago. Not only can a user launch a program by clicking an e-mail attachment, but it's possible for an executable to launch automatically just by hitting the preview pane of some email packages, including older versions of Outlook and Outlook Express. Scot's Newsletter Forums member Nathan Williams has provided an excellent FAQ for the All Things Linux forum explaining why Linux when used alone does not need antivirus protection.

Under Linux the steps for launching an executable from an e-mail are separate, discrete steps. A user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. And to be truly damaging, the latter two would have to be done as root — not something informed users would allow. (For more information see Ch- Ch- Changing File Permissions.)

2. If you dual boot Linux and Windows and get a virus-infected mail in Linux, it can NOT jump to your Windows partition. Nor can it spread over the local network to other systems. You can even store the attachment in your /home directory and open the zip or click the file, and it will be dead in the water. Windows executables won't run under Linux. Linux files need to be granted permission to become executable. And even then, it can't spread beyond the home folder. (This is also why Linux AV programs do not have a "live guard" module in them — the virus does not execute or move.) You could even leave a virus executable there as long as you wanted to without risk. Windows will not get infected, unless you deliberately copy the virus to your Windows partition.

3. If you dual boot, however, you better get a good antivirus program for Windows. Microsoft's operating system and its bundled applications, Outlook and Internet Explorer, offer users powerful functionality in their attempts to be easy to use and easy to update. As a result, it's all too easy for virus writers to exploit the same functionality in a malicious way. Don't leave them an opening. Install an antivirus program and keep it updated.

4. The only time you'll need a Linux antivirus program is if you're running a mail server. And that's just good social behavior. It's not to protect your Linux server or client computer so much as to make sure you don't pass a virus on to a Windows system.

Think about it this way: If you have two warehouses, and you use the first one to store cheese, are you going to place mouse-traps in the second one where you only store stainless steel? I mean, be reasonable, mice do not eat stainless steel! So don't let antivirus vendors make you unnecessarily paranoid.
The best things in life are free.
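
The post's points about the execute bit and about not passing Windows malware on from a Linux mail host, as an added example (not part of the original post or the newsletter): a Python sketch that classifies saved attachments by header bytes and execute permission. The function names, action labels and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Leading bytes that identify common executable formats.
MAGIC = (
    (b"\x7fELF", "elf"),     # native Linux binary
    (b"MZ", "windows-pe"),   # DOS/Windows executable: inert on Linux, live on Windows
    (b"#!", "script"),       # interpreter script
)


def classify(path):
    """Return (kind, has_exec_bit) for one regular file."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    kind = next((name for magic, name in MAGIC if head.startswith(magic)), "data")
    mode = os.stat(path).st_mode
    has_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return kind, has_exec


def triage(directory):
    """Map each file (relative path) to (kind, has_exec_bit, action)."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            kind, has_exec = classify(path)
            if kind == "windows-pe":
                # Cannot run here, but must not be relayed to Windows hosts.
                action = "do-not-forward"
            elif kind in ("elf", "script") and has_exec:
                # Someone (or some tool) already granted execute permission.
                action = "review-exec-bit"
            else:
                action = "ok"
            report[os.path.relpath(path, directory)] = (kind, has_exec, action)
    return report


def build_sample_dir():
    """Create constructed sample attachments (header bytes only, no real code)."""
    directory = tempfile.mkdtemp(prefix="attachments-")
    samples = {
        "invoice.exe": (b"MZ\x90\x00constructed", 0o644),
        "tool": (b"\x7fELF\x02\x01\x01constructed", 0o644),
        "setup.sh": (b"#!/bin/sh\necho constructed\n", 0o755),
        "notes.txt": (b"plain text\n", 0o644),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    for name, row in sorted(triage(build_sample_dir()).items()):
        print(name, *row)
```
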


  • Guest
Re: The Truth About Linux and Viruses
« Reply #1 on: May 02, 2006, 06:01:22 AM »
You can see why Avast for Linux is going along at a snail's pace.


  • Guest
Re: The Truth About Linux and Viruses
« Reply #2 on: May 24, 2006, 03:09:00 PM »
Well, I think that it is not a good idea to leave this post without a reply. Well, be so kind and spend a minute to read this:

Problem one:
I stand by my position in my very first post, so I'll not repeat it here, but to my knowledge the article has a serious bug: I mean the number of Linux viruses (worms, exploits etc.) is highly mismatched. In my personal Linux Virus Collection the number at the time of writing is 358 files sized about 30 MB, but I know it is only a part of the existing code. That is why I started to construct Linux Virus Lists, 'cos I believe in "hard evidence", not folks. My post was ignored so far, and I am pretty sure why :-(.

Here is the Linux Viruses List (in overall numbers) collected from the antivirus programs available for Debian Linux (e.g. Grisoft AVG does not run under Debian due to an unresolvable library conflict) - I can provide these lists as files in txt format on request:

vendor *                 All viruses   Linux   Unix
AVIRA Antivir            390 121       562     118
FRISK F-Prot             277 100       7       485
Softwin BitDefender      141 479       807     96
Kaspersky Lab kav        108 420       906     148
ClamAV                   56 467        ?       ?
ALWIL avast!             54 914        46      46

* caution:
Although I did my best to collect the db chart correctly, all data are estimated due to db format and heuristic / generic detection;
these numbers are only guidelines to the VX Scene on Linux and are NOT confirmed by vendors!
If any vendor wants to correct these numbers or wants me to remove them, do not hesitate to contact me,
certainly I will update the chart. Methodology (very simple) is also available on request.

Problem two:
According to my personal investigations, covered by the scope of my graduate work, the main reason why the number of Linux viruses is so low is in fact that authors of Linux virus tutorials do not want to publish all their works, and it is "good style" to behave like this: do not provide Linux related tuts! The number of criminals going to exploit system vulnerabilities for profit is still low as long as there are only a few Linux desktops and workstations. EU wars with Microsoft (Redmond, USA) opened the market and more and more corporations deal with Linux support vendors (in Poland e.g. Suse has a deal with U.X. systems - OpenOffice vendor to provide support 4 Suse Desktop). If free systems like Debian are marginalized, the new generation of commercial operating systems can be attacked as furiously as before, whether they'll be Windows, Linux, Mac OS or from Mars.

Think Linux, do not believe in folks and tales sent by journalists who hardly saw Linux at all, maybe passed once by the Linux powered PS. Search for facts and share them, do not panic (kernel panic). Do not be blind! Viruses come to Linux, so it is a good idea to get knowledge, learn how to use av tools on Linux (avast! 4 Linux?). Otherwise - in case of a disaster - M$ will stand a new marketing slogan: Vulnerable as Linux.

That is why I am here, and I hope that is why the avast! team keeps this Linux thread for us. Thanks a lot for that to avast!
Finally, the avast! team has the best knowledge: is the Linux market worth the interest? Am I right or not?!


  • Guest
Re: The Truth About Linux and Viruses
« Reply #3 on: June 18, 2006, 06:36:09 AM »
This isn't directed at the parent... This is directed at bimbom.

There are and will be viruses for any platform. That's just part of it. What makes Linux different is that a vast majority of Linux users aren't going to download some free screensaver, or some free card game, etc... Why? Either they already have it by default, or there is a free, open source, trusted alternative. Even if you did download a binary on accident, and accidentally 'clicked on it', guess what happens. Nothing, unless your file manager automatically makes it executable, and automatically executes it. You might start looking for a better file manager when that happens.

The idea of a Linux virus is nothing like that of Windows, and the idea of a Linux worm is just hilarious. Give two Linux users cloned HDs in two identical boxes. Come back in 2 months, and you'll notice something. Their systems are completely different. They will most likely be using two completely different web browsers, different mail clients, different everything. When you use Linux, you have a choice. You aren't forced to use explorer.exe.

If you wanted to write a Linux 'virus' you would have to attack something common to all Linux boxes... bash, xorg, the kernel, gnu-utils, etc... These are all far too mature to be attackable by the random script kiddie. Linux is open. If somebody finds a hole, it's plugged. If you choose to run closed source software on Linux, fine, so be it. I just pray that it's mature, and not running as a server on the internet side. The biggest threat to Linux, in my opinion, is having a weak password, and leaving SSHD running if you don't use it. And don't forget the dumb user. And in this case, all that should happen is that either you get rootkitted (very very rare), or that user's files get deleted. Don't allow root to login remotely. That's retarded. Don't even allow your user to login remotely, make a user that you use for remote work. You can su to your primary account from there.

Your average Linux user is much more savvy than your average Windows user. It's two different worlds, don't even try to compare. Linux is not Windows.

Linux is being used on corporate firewalls, massive DNS servers, large websites, space shuttles, satellites, navigation systems, etc... And guess what. Without antivirus. In reality, you 'could' run Windows with no antivirus. I've done it. Use a good hardware firewall, make sure other machines on your network are separated, or similarly protected, and don't run every damn exe you come across.

Guess what. I put a Linux box on a Windows network, and enabled Samba, and set up a default, wide open share, similar to that a Windows user would have. Guess what happened? That samba share was filled with random exes with catchy names. What happened after that? Nothing! They were all the same exact file, just a different name. I actually ran one with Wine, Cedega, and Crossover for fun. Guess what happened... Nothing! Guess what happened to the Windows boxes. RPC crashed and forced a reboot. I'm sure you know what worm I speak of. You know what happened next? Those Windows boxes tried to phone home to an IRC server. What happened then? My Linux firewall blocked it. Now my Linux firewall/router runs antivirus and a spam filter. Not a single Windows machine in my office runs antivirus, or a firewall, or a spam filter. And you know what? We don't get viruses, worms, spam, or any of the other cruft that plagues other networks.

That Linux antivirus checks for Windows viruses, not Linux. No viruses/worms in, no viruses/worms out, no viruses/worms between machines. I've infected a box on purpose with as many worms and viruses as I could get my hands on, and it didn't spread.

Linux is not Windows.
« Last Edit: June 18, 2006, 06:39:32 AM by linuxinit »
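
The remote-login advice in the reply above, as an added example that is not part of the thread: a Python check of an sshd_config for root login and for an AllowUsers list restricted to a dedicated remote account. The account names, finding codes and both sample configs are constructed; only the global section (before any Match block) is read.

```python
# Keywords whose arguments add up across lines; for the rest, the first value wins.
ACCUMULATING = {"allowusers"}

MESSAGES = {
    "root-login-unset": "PermitRootLogin is not set; the default depends on the OpenSSH version",
    "root-login-allowed": "PermitRootLogin is not 'no'",
    "no-allowusers": "AllowUsers is not set; remote login is not limited to a dedicated account",
    "allowusers-wildcard": "AllowUsers contains a wildcard pattern",
    "allowusers-root": "AllowUsers admits root",
    "allowusers-primary": "AllowUsers admits the everyday account",
}

# Constructed sample: the first PermitRootLogin line is the one sshd uses.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
AllowUsers alice root
"""

# Constructed sample following the post's advice.
HARDENED_CONFIG = """\
# remote work goes through one dedicated account
PermitRootLogin no
AllowUsers remote-admin
Match User remote-admin
    PasswordAuthentication no
"""


def global_options(config_text):
    """Return {keyword: [arguments]} for the global section of an sshd_config."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key in ACCUMULATING:
            opts.setdefault(key, []).extend(args)
        else:
            opts.setdefault(key, args)  # keep the first value only
    return opts


def audit(config_text, primary_user):
    """Return finding codes (keys of MESSAGES) for the remote-login settings."""
    opts = global_options(config_text)
    findings = []
    root_login = opts.get("permitrootlogin")
    if root_login is None:
        findings.append("root-login-unset")
    elif root_login[:1] != ["no"]:
        findings.append("root-login-allowed")
    allowed = opts.get("allowusers")
    if not allowed:
        findings.append("no-allowusers")
    else:
        users = [pattern.split("@", 1)[0] for pattern in allowed]  # drop @host part
        if any(ch in user for user in users for ch in "*?"):
            findings.append("allowusers-wildcard")
        if "root" in users:
            findings.append("allowusers-root")
        if primary_user in users:
            findings.append("allowusers-primary")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        codes = audit(text, primary_user="alice")
        print(label, [MESSAGES[c] for c in codes] or "no findings")
```
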


  • Guest
Re: The Truth About Linux and Viruses
« Reply #4 on: June 25, 2006, 08:52:20 PM »
I have to disagree that Linux can't be attacked, can't be compromised by a virus because it's managed by people who are so much smarter and it's so much harder to  penetrate. 

I have to disagree as I am one who owns a Linux system that was penetrated by a hacker who placed a virus in the root, changed the passwords so we could not get in, deleted the system logs (and directory).  That person or persons (and yes we called in the FBI and we have saved the HD for forensic analysis - we take this seriously).  They did it for a time without our knowledge (how we became aware of the hack, I won't say for security reasons). 

We were running SME Mitel 5.5.  We don't think it was hacked, we think it was one of the apps we put on it (we don't know which one so we assumed all of them and upgraded the server and have not started many of the apps until we figure out how to better protect the server).

Yes, we had Samba on it but it was not Samba that caused the problem, it was a direct attack from the cable modem.   Nothing on Windows compromised the Linux, rather it was the other way around. 

The Linux firewall was penetrated, make NO mistake about it.   We didn't at that time run a rootkit scan (we do now).  The first virus placed was Linux.RST.A  and the second was Breplibot.R.

So my advice is to stop being so smug about Linux.  The bad guys don't care what you have, they want to break it, use it, bring the world under their control and you better try real hard to stop them or be prepared to be abused by them.

A sad but now wiser Linux user.


  • Guest
Re: The Truth About Linux and Viruses
« Reply #5 on: November 09, 2012, 12:17:46 AM »
Nobody said Linux is unattackable; every platform is attackable, but a virus is a different thing from a hacker. If someone capable enough wants to hack a system then it will happen, but do you think having an antivirus program could have made your system more secure? I am talking about antivirus because that was the subject. Nobody in the Linux world says Linux is unattackable, but of course it is well protected from viruses. Do you know about the way antivirus programs work? They store sections of potentially dangerous programs and, continually scanning system folders and files, they check if those sections are included in something, but before being able to search for a virus they need to be updated and have in their data the information to search for viruses, so they are not able to prevent system contamination by a new virus they don't know. Consequently there are a few steps to follow before an antivirus can shield a system: one platform has to be infected, the user of that platform has to call assistance to get rid of the problem (unless the infected computer is the one of an antivirus house where a technician is trying on purpose to get infected in order to discover new viruses), the dangerous program is analyzed, and updates containing the signature of the virus are sent to the users' antivirus programs.
On Linux you don't have thousands of autorunning viruses continually trying to pass modem ports, you don't have unverified programs potentially containing dangerous code, and that is particularly true for Ubuntu users. The few Linux viruses existing are not able to run automatically themselves unless a hacker puts them in your system, and from this point of view Windows systems are equally or more vulnerable, and having an antivirus program is useless because a hacker is not a virus. Finally, when a possible threat (normally a hole that a hacker could exploit) is discovered, the Linux community acts exactly as an antivirus house, releasing updates to the users in order to prevent damage. So antiviruses are useless in Linux because programs cannot start automatically, the existing viruses are not a threat because they are not viruses, and possible new viruses are not detected by an antivirus program for the reasons explained above, but new threats are analyzed by the programmers of the Linux community and brought under control by releasing updates.
The viruses that WizSF is talking about are two different programs: Linux.RST.A needs to be executed with root permissions, as stated here, by a user running an unverified program containing the code, and Breplibot.R is a Windows virus totally harmless in Linux, and that's the only reason you should run an antivirus on Linux: in order to avoid sending your Windows friends viruses that are harmless in Linux but dangerous in Windows. So if you want to run an antivirus on Linux to protect your Windows friends, you are right.

polonus (Avast Überevangelist)
Re: The Truth About Linux and Viruses
« Reply #6 on: November 09, 2012, 12:44:26 AM »
Hi danxz,

There are two sides to that medal. It is true that the vulnerability of Windows to classical malware, in combination with particular user agents, is known.
But the Linux environment is also vulnerable. Why have Snort, why all the attacks on misconfigured and badly hardened Linux Apache servers leading to compromise of mixed environments?
How many webmasters and hosters do not even have minimal security measures taken, giving away to the world full server version numbers and the website software used, headers giving away far too much about dynamic content being run, etc. etc. We see it every day in the virus and worms section with thousands and thousands of vulnerable sites and AS and infection examples or intrusion attack logs.
In Linux you should be able to view attacks not even visible with Windows logging, but that won't help the security blind and one-eyed. I know, I was trained in the Win NT4 environment together with the kernel with a lot of Linux trainees making the switch when the first mentioned environment had to be rolled out mainly in hospitals, transport firms, etc. etc. I am aware of the arguments and the mutual mythology being built. Some facts are crystal clear: open versus closed software, layers of code being built upon each other in thousands and thousands of lines for the Windows OS, making zero-days just a matter of letting a fuzzer run long enough. But it is not all that black and white as you like to present it here, there are many shades of grey, my friend,

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


  • Guest
Re: The Truth About Linux and Viruses
« Reply #7 on: November 09, 2012, 12:58:37 PM »
Hi polonus,
I didn't speak in black and white because I said "Nobody said linux is unattackable", but the word "linux" includes lots of environments and every environment can have various configurations; that is left to the system administrator being more or less careful in configuring that environment, exposing the system to external attacks, and again we are talking about hackers and not about viruses or malware. But let's confront the Windows environment with the most used Linux platforms like Ubuntu and derivatives, SuSe, Red Hat, Android etc.: use them without making system modifications or lowering system security and follow the rules, installing only verified programs, and you will stay secure; do the same thing on Windows (without antivirus and antimalware, as in Linux systems) and you will get into trouble. I don't know if all this will go on forever, and I will change my mind when I know about a virus capable of penetrating the Linux firewall, discovering the root password, logging itself in as root and running automatically within the system, making chaos, without errors on security by the user. Regards.


  • Guest
Re: The Truth About Linux and Viruses
« Reply #8 on: November 09, 2012, 01:08:54 PM »
For the average linux desktop home user, who is cautious by nature, never logs in as root, and only installs from the approved repositories, I wouldn't have thought from what I've read that either viruses or hackers/rootkits are likely to be the main issue.

I would imagine that a greater concern would be web based attacks on the home folder/partition that work on any operating system. The ubuntu wiki warns of Cross Site Scripting, Cross Site Request Forgery, Click-Jacking, Session Riding in this respect. And then there's always direct phishing to consider.

Currently I use noscript/bitdefender trafficlight and I have set the apparmor profile for firefox to deny. Noscript occasionally requires a level of knowledge on my part as to which scripts to allow for page functionality that I'm not always comfortable with, and apparmor is testing too.

A linux antimalware system that offered some reassurance against these would be welcome to me. Chromium with seccomp sandbox also looks interesting (but again, I don't really have enough knowledge to decide exactly what this is protecting me against).

I'm probably on the less knowledgeable side of Linux users - but if Linux is serious about increasing its penetration, it is going to have deal with (and keep safe) millions who are even less knowledgeable than me.

polonus (Avast Überevangelist)
Re: The Truth About Linux and Viruses
« Reply #9 on: November 09, 2012, 01:12:34 PM »
Hi danx and mag,

But you see where the situation is going to change and tables may turn, that is where the environment gets into the hands of the masses and the miscreant has a vested interest to infest.
Take the Android Linux-based operating system, used by Google and protected by an avast application. The security situation for this platform is changing rapidly.
So if Linux gets any market share it will explode with malware:
link author = Emil Protalinski for Zero Day
So in the hands of the security savvy, Windows can be used securely, as can Linux, but in the hands of the n00b clicker with malcode and social engineering nearby the situation can change rapidly. A Linux setup by a system admin in a controlled environment is something different from a Linux driven smartphone in the hands of the digital illiterates,


Abraxas (Avast Evangelist)
Re: The Truth About Linux and Viruses
« Reply #10 on: November 09, 2012, 01:35:06 PM »
I'm not sure what people are saying, or why a thread from 2006 has been dug up to perplex people who use Linux.

Personally I am very lucky to run a Linux Distro which is built by a small community who take pride in how they package programs and dependencies, and give relevant instruction on how to use our Distro with common sense.

The worst a Linux user can do is login as / (root).
Equally, to use the "sudo" command, over "su".

Installing packages outside of your Distro's Repo can have diverse effects upon your system, due to the fact these packages are built with your Distro in mind.

Some interesting reading:
Major attacks, September 2011.
Linux source code site hacked and taken down
New password-stealing trojan hits Linux, Apple

I've read the posted speculations preceding my post, and agree:
1.) MS Windows users number 90 to 95% of online users.
2.) Linux users number approximately 3 to 5% of online users.
3.) Apple users number approx. 5% of online users.
4.) With the 'portability' of online computing, i.e.  Tablet and Smartphone users escalating online we are seeing these as very attractive platforms to Hack, or Infect, as generally a lot of personal information is held on these machines. They are often used in insecure ways, and used often due to their portable nature.
5.) Speculating about Linux fallibility is kind of silly as the response time to patch any vulnerability is immediate, clinical, and responsible.
6.) It's a great defence for MS Windows to say because they have most of the online market share they are more fallible, however the money they make should provide resources to counter the amount of Malware susceptible Operating Systems they have online.
7.) If Third party companies didn't aid MS, and non paid Malware experts, MS Windows Operating Systems would be unusable online.
8.) For all the above reasons I use Linux.  ;)


  • Guest
Re: The Truth About Linux and Viruses
« Reply #11 on: November 09, 2012, 01:52:24 PM »
Yes, I have to agree on Android being a platform in which security has been lowered on purpose to please lots of illiterate users and where malware is a concern, but you don't have viruses banging at the door trying to enter the system.


  • Guest
Re: The Truth About Linux and Viruses
« Reply #12 on: November 09, 2012, 02:02:24 PM »
If you want to have lots of users then it seems inescapable that most will be what you term 'illiterate'.

polonus (Avast Überevangelist)
Re: The Truth About Linux and Viruses
« Reply #13 on: November 09, 2012, 02:36:03 PM »
Hi mag and danxz,

That is why we are glad to have users like you two here. Wished we had enough of them for the Windows platform as well to make the critical break-through. The situation would be rather different, but education won't work as users already have been "brainwashed" to use a particular platform. Young users should be confronted with both platforms alike during school years and then we could make a different discussion,



  • Guest
Re: The Truth About Linux and Viruses
« Reply #14 on: November 09, 2012, 03:16:32 PM »
To mag,
I didn't want to be arrogant saying "illiterate users", I took this expression from Polonus' preceding post, where he refers to users who do not yet have enough knowledge to avoid malware, and that is only a finding of fact (I hope the expression is right, I used google translator). You cannot please lots of users with a system like Ubuntu or similar because the average user wants to click and go on, so they lowered security for this reason and to permit the market in apps.