Maintaining antivirus integrity

[niroz]

Hi
Recently my computer was hacked, rather badly in terms of pervasiveness, although fortunately I've yet to seen it at all affect my personal information. Anyway, the thing is while I indeed was running an unsecure computer, I did have an anti-virus, and to have that suddenly try to scan my computer for what I can only assume are malicious purposes, I'd say it's a bit of a rude awakening. So I was wondering if there was any way to verify that avast for linux was still secure?

[mouniernetwork]

Hello,

You can try downloading the EICAR test file and see if avast detects it 

Al968

[niroz]

That would work if I wanted to know if the avast was working in general. However, that doesn't nesecarily show whether it's been suberted. Back when I used to be more in the know about this sort of thing, there was talk of virus's that would use a anti-virus in order to knock out all it's competitors, and even ignoring that, it's far more likely that the virus would just remove the signatures relating to it or just prevent it's files from being scanned/convincing the scanner (however forcefully) that it did not exist.

In my recent virus attack, for example, I ran a copy of combo fix, which to it's credit immediately diagnosed the problem, albet due to itself being subverted. But I was amazed to discover while looking through the process in the hope of fining where exactly the virus had saved itself/what processes it had been attached to it, I found a highly detailed script of what the virus wanted the program to say, over multiple reboots, ending in the death of the computer.

To be honest, given the inablity for any program to remove this virus (which according to combo fix, is a virut type, both scanning while logged on to that computer and accessing it through other operating systems, I'm inclined to think that sudden strange changes in programs are a much better indicators of the more serious malware out there than actual virus scans. Which is why in some way's process explorer has become vastly more useful since it became incredibly popular, as now the first sign of a virus is for the program to suddenly less than full functioning, Although it isn't the same on linux.

[zilog]

That would work if I wanted to know if the avast was working in general. However, that doesn't nesecarily show whether it's been suberted. Back when I used to be more in the know about this sort of thing, there was talk of virus's that would use a anti-virus in order to knock out all it's competitors, and even ignoring that, it's far more likely that the virus would just remove the signatures relating to it or just prevent it's files from being scanned/convincing the scanner (however forcefully) that it did not exist.

In my recent virus attack, for example, I ran a copy of combo fix, which to it's credit immediately diagnosed the problem, albet due to itself being subverted. But I was amazed to discover while looking through the process in the hope of fining where exactly the virus had saved itself/what processes it had been attached to it, I found a highly detailed script of what the virus wanted the program to say, over multiple reboots, ending in the death of the computer.

To be honest, given the inablity for any program to remove this virus (which according to combo fix, is a virut type, both scanning while logged on to that computer and accessing it through other operating systems, I'm inclined to think that sudden strange changes in programs are a much better indicators of the more serious malware out there than actual virus scans. Which is why in some way's process explorer has become vastly more useful since it became incredibly popular, as now the first sign of a virus is for the program to suddenly less than full functioning, Although it isn't the same on linux.

Hallo, in general, when someone hacks other's linu machine, the first thing is to install a backdoor (less severe variant, avast is able to catch the file), or a rootkit (basd vasriant, rootkit itself can't be usually  visible from userspace, but some supporting files might be still left on the disk, or, unusual changes in the kernel might be seen by a special tool).

the best thing is to boot from a clean live-linux CD, to mount the partitions, to install avast in ram, and doing scan. checking init, init sequence or bootloader params or modules might be vital too (those are often the vectors where the rootkit gets in control). it's quite untrivial to state "this computer was hacked, but now it';s fully clean", and it needs a deep analysis of the whole disc for any oddity. because linuxes are usually heavily customised, it's not possible to say whether the file was original or modified one - but you can use MD5 hashes or similar things, when the distribution itself uses them (many distros have this option, but it won't work for self-compiled stuff, of course).

there are also daemons, that periodically make hshes of your disk, and also periodically compare them with the current contents - good for catching backdoors. you can do the same using stock MD5 utility, by the way.

regards,
pc