Thursday, 13 March 2014

Know All About Linux Malware !!!


Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

There has not yet been a widespread Linux malware infection of the type that Microsoft Windows software has; this is attributable generally to the malware's lack of root access and fast updates to most Linux vulnerabilities.


Linux vulnerability

Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or to cause any serious consequences to the system itself, the malware would have to gain root access to the system.

In the past, it has been suggested that Linux had so little malware because its low market share made it a less profitable target. Rick Moen, an experienced Linux system administrator, counters that:
"[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen."

The amount of malware targeting Linux has seen an increase in recent years, however. Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."

Tom Ferris, a researcher with Security Protocols, commented on one of Kaspersky's reports, stating, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or Mac OS X. But that's not necessarily true."

Some Linux users do run Linux-based anti-virus software to scan insecure documents and email which come from, or are going to, Windows users. SecurityFocus's Scott Granneman stated:
...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.

Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example, the open-source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."

  • Viruses and trojan horses

The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be infected. The infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system.

It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges. It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay, or similar program, and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user to run the (trojan) program in the first place.

The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. In addition, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of such checksums, and of digital signatures on them, provides an additional line of defense, which limits the set of parties able to introduce malicious changes to the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled.
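The checksum step described above, as an added example (not code from the original post or from any distribution's tooling): a small verifier for the two-space "digest  filename" manifest layout that `sha256sum` writes, run against a constructed genuine package and a copy with one line altered in transit. The file names, contents and manifest are all constructed for this example.

```python
"""Checksum verification of downloaded packages against a SHA256SUMS-style
manifest (example added to this post; not code from the original article or
from any distribution's tooling). Every sample value here is constructed."""
import hashlib
import hmac
from typing import Dict

# Constructed sample "package" contents.  TAMPERED differs from GENUINE by a
# single appended line, which is enough to change the whole digest.
GENUINE = b"#!/bin/sh\necho 'hello from the genuine package'\n"
TAMPERED = GENUINE + b"# one extra line inserted in transit\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, as printed by sha256sum."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the two-space "digest  name" layout used by
# sha256sum.  The digest is derived from GENUINE so it matches only that file.
SAMPLE_MANIFEST = f"{sha256_hex(GENUINE)}  pkg.sh\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'digest  filename' lines into {filename: digest}.

    Malformed lines raise instead of being skipped: a manifest that does not
    parse cleanly must never be treated as a successful verification."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify(manifest: Dict[str, str], downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for each manifest entry.

    Digests are compared with hmac.compare_digest so the comparison does not
    leak how many leading characters matched."""
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = downloads.get(name)
        if data is None:
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(data), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    """Install only when every listed file verified; any other state is a stop."""
    return bool(results) and all(v == "OK" for v in results.values())


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print(verify(manifest, {"pkg.sh": GENUINE}))    # {'pkg.sh': 'OK'}
    print(verify(manifest, {"pkg.sh": TAMPERED}))   # {'pkg.sh': 'FAILED'}
```

On a real download `sha256sum -c SHA256SUMS` performs the same comparison. The manifest itself must come over a channel the attacker cannot rewrite, which is why distributions publish a detached signature next to it (checked with `gpg --verify`): an attacker who can swap the package on the wire can just as easily swap an unsigned checksum list served from the same place.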

  • Worms and targeted attacks

The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known, there is no guarantee that a given installation is secure. Also, servers without such vulnerabilities can still be compromised through weak passwords.
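The weak-password case is visible in the daemon's own log. As an added example (not from the original post), the following parses sshd authentication lines in the `/var/log/auth.log` format, counts failed password attempts per source address, and flags a password login that succeeds from a source that has already failed many times, which is the signature of a guessed password. The log lines are constructed; the hostname and addresses are documentation values, and the threshold of five is an assumption for this example.

```python
"""Detecting password guessing against sshd from auth log lines (example
added to this post, not from the original article).  The log lines below are
constructed; the hostname and addresses are documentation values."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar 13 10:01:02 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 13 10:01:04 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 51130 ssh2
Mar 13 10:01:06 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 51141 ssh2
Mar 13 10:01:08 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar 13 10:01:10 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51158 ssh2
Mar 13 10:01:12 web1 sshd[2215]: Accepted password for root from 203.0.113.5 port 51163 ssh2
Mar 13 10:05:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 13 10:06:00 web1 sshd[2301]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_lines(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (result, method, user, ip) for every sshd auth line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["ip"]))
    return events


def analyze(text: str, threshold: int = 5) -> Dict[str, object]:
    """Flag sources with >= threshold failed password attempts, and any password
    login that succeeds from such a source (a weak password that was guessed).

    Events are processed in log order, so a success is only flagged when the
    failures preceded it."""
    failures: Dict[str, int] = defaultdict(int)
    brute_force: List[str] = []
    guessed: List[Tuple[str, str]] = []
    for result, method, user, ip in parse_auth_lines(text):
        if result == "Failed" and method == "password":
            failures[ip] += 1
            if failures[ip] == threshold:      # report each source once
                brute_force.append(ip)
        elif result == "Accepted" and method == "password" and failures.get(ip, 0) >= threshold:
            guessed.append((user, ip))
    return {
        "failures": dict(failures),
        "brute_force": brute_force,
        "guessed_logins": guessed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("sources guessing passwords:", report["brute_force"])       # ['203.0.113.5']
    print("password logins after guessing:", report["guessed_logins"])  # [('root', '203.0.113.5')]
```

A `guessed_logins` hit is an incident, not an alert to tune away: the account's password is known to the guesser. The mitigation the passage points at is to remove the password path altogether (`PasswordAuthentication no` in `sshd_config`, keys only) and to rate-limit the daemon with a tool such as fail2ban so the count never reaches the threshold.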

  • Spyware

This malware gathers a user's private data (financial info, passwords, usernames, etc.) and sends it to the spyware maker or other entity that will use the information. Spyware can be trojans and some trojans can be spyware.

  • Adware

Software that displays ads is considered adware. Not all adware is bad. For instance, Flashget is a freeware Windows application that is adware; the program is safe to use, and the ads simply fund its development. Because most Linux developers make their applications open-source, not very many Linux adware programs can be found.

  • Riskware

Software with unintended malicious potential. These applications can be used by malware to cause a lot of damage. Because such software is not malware in itself but can nevertheless be dangerous, it is called riskware.

  • Scareware

Malware that scares users into downloading malicious software or paying money for the fix is scareware. For illustration, scareware may pop up a message saying something like "Your data will be deleted unless you pay $100." Scareware may also come in the form of a free virus scan over the Internet. This virus scan does not scan the system, but pretends to do so. The scanner will say it found a virus, and then ask the user to pay money to have the virus removed. In summary, scareware scares computer users into paying money or installing malware to protect themselves against a nonexistent threat.

  • Ransomware

Ransomware is similar to scareware. Ransomware locks the computer and files and will not lift the restrictions until the user pays a ransom. Ransomware really locks the system, while scareware bluffs.

  • Web scripts

Linux servers may also be used by malware without any attack against the system itself, where e.g. web content and scripts are insufficiently restricted or checked and are used by malware to attack visitors. Typically, a CGI script (for example one meant for leaving comments) by mistake allows the inclusion of code that exploits vulnerabilities in the visitor's web browser.
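The mistake described above, shown side by side with the fix, as an added example (not the original post's code): a comment page that interpolates visitor text straight into HTML, and the same page with every comment escaped so that markup in a comment reaches the browser as text. The comments are constructed sample input, and the response headers are assumed values for this example.

```python
"""A comment page rendered two ways: the 'by mistake' version the text
describes and a hardened one (example added to this post; not the original
article's code).  The comments are constructed sample input."""
import html
from typing import Dict, List

# Constructed sample comments; the third contains markup a browser would run.
SAMPLE_COMMENTS: List[str] = [
    "Nice article!",
    "Thanks <3",
    "<script>alert('visitor browser')</script> great post",
]


def render_unsafe(comments: List[str]) -> str:
    """Vulnerable version: visitor text is pasted into the page verbatim, so
    a comment containing a <script> tag becomes code in every reader's browser."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<html><body><ul>{items}</ul></body></html>"


def render_safe(comments: List[str]) -> str:
    """Hardened version: every comment is HTML-escaped before insertion, so
    '<', '>', '&' and quotes reach the browser as text, never as markup."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<html><body><ul>{items}</ul></body></html>"


def contains_script_tag(page: str) -> bool:
    """Post-render check usable as a test or a log-time alarm: this page never
    legitimately embeds a script, so any literal <script in the output is a bug."""
    return "<script" in page.lower()


def response_headers() -> Dict[str, str]:
    """Headers that limit the damage if an escaping bug slips through (assumed
    values for this example; tune them to the site).  The CSP forbids any
    script on the page, inline or external."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("unsafe page carries a script tag:", contains_script_tag(render_unsafe(SAMPLE_COMMENTS)))  # True
    print("safe page carries a script tag:", contains_script_tag(render_safe(SAMPLE_COMMENTS)))      # False
```

Escaping at the point where text meets HTML is the actual fix; the headers are a second layer for the day a template somewhere forgets to call it.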

  • Buffer overruns

Older Linux distributions were relatively sensitive to buffer overrun attacks: if the program did not check the size of its own buffers, the kernel provided only limited protection, allowing an attacker to execute arbitrary code with the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However, as of 2009, most kernels include address space layout randomization (ASLR), enhanced memory protection and other extensions that make such attacks much more difficult to arrange.
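Two checks a defender derives from this passage, as an added example (not from the original post): an inventory of setuid/setgid files under a directory tree, since those are the programs where an overrun hands out root, and a read of the kernel's ASLR setting. The demo tree is constructed in a temporary directory; the paths inside it are invented for the example.

```python
"""Two hardening checks for the conditions the text names: setuid binaries
(which hand root to whoever exploits them) and whether the kernel's ASLR is
enabled.  Example added to this post, not from the original article.  The
demo tree is constructed in a temporary directory."""
import os
import stat
import tempfile
from typing import List, Optional


def is_setuid_or_setgid(mode: int) -> bool:
    """True when either privilege-raising bit is set in a file mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit_tree(root: str) -> List[str]:
    """Return root-relative paths of regular files carrying setuid or setgid.

    Symlinks are inspected with lstat and not followed, so a link into
    another directory is not reported as a second privileged binary."""
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable: skip, don't abort the audit
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def aslr_level() -> Optional[int]:
    """Linux randomize_va_space: 0 = off, 1 = partial, 2 = full (the expected
    value on a modern distribution).  None when the file is absent (non-Linux)."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def make_demo_tree() -> str:
    """Constructed sample tree: one ordinary script and one setuid-marked file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(root, "bin"))
    plain = os.path.join(root, "bin", "plain.sh")
    helper = os.path.join(root, "bin", "helper")
    for p in (plain, helper):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(plain, 0o755)
    os.chmod(helper, 0o4755)  # owner-setuid; the file's owner may set this bit without root
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print("setuid/setgid files under", demo, "->", audit_tree(demo))  # ['bin/helper']
    print("ASLR level:", aslr_level())
```

Run `audit_tree("/")` periodically and diff the result against the last run: a setuid file that was not there yesterday is exactly the "modified login server" the earlier passage warns about. An `aslr_level()` of anything but 2 on a current distribution means the protection this paragraph relies on has been switched off.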

  • Cross-platform viruses

An area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an OpenOffice.org virus called Badbunny.

Stuart Smith of Symantec wrote the following:
"What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc, can be abused. All too often, this is forgotten in the pursuit to match features with another vendor... The ability for malware to survive in a cross-platform, cross-application environment has particular relevance as more and more malware is pushed out via Web sites. How long until someone uses something like this to drop a JavaScript infecter on a Web server, regardless of platform?"

  • Social engineering

As is the case with any operating system, Linux is vulnerable to malware that tricks the user into installing it through social engineering. In December 2009 a malicious waterfall screensaver was discovered that contained a script that used the infected Linux PC in denial-of-service attacks.

Protecting and Repairing:

The best way to protect a system against viruses is to only download and install software from trusted sites and developers. For example, get programs from your distro's official repository before using a program obtained from some third-party site.

There are two ways to remove malware. The first is to use a virus scanner to find and remove it. The second is to manually delete the executables known to be the culprits.

To repair damaged executables, reinstall the infected or damaged software. For example, if a virus infected a Firefox executable, then re-download and install Firefox.

Also, when protecting yourself against malware, it is important to know that malware can only be in an executable or be the executable itself. For instance, PNG, MP3 and FLV files cannot be viruses; an application simply opens such files for the user to view or listen to. In addition, remember that most screensavers are executables, so malware may hide in screensavers.


Even though Linux has very few viruses, all computers and servers should have some form of protection against malware. Knowing how malware works and how to protect computers will aid in protecting many systems.

Author: Yohanes Gitoyo
References:

  1. http://en.wikipedia.org/wiki/Linux_malware
  2. http://www.linux.org/threads/malware-and-antivirus-systems-for-linux.4455/
  3. http://www.bitdefender.com/
  4. http://www.comodo.com/
  5. http://forum.avast.com/
  6. http://www.clamav.net/
