Needs Expansion
This article is incomplete, and needs to be expanded.

So You Want to Know How to Use Anti-virus Software on Ubuntu?

You've got an Ubuntu system, and your years of working with Windows make you concerned about viruses -- that's fine. There is, by definition, no virus for almost any known and updated Unix-like operating system, but you can still be infected by other malware such as worms and trojans if you are an unaware user who does dangerous, ill-advised things like logging in as root. However, most GNU/Linux distros, including Ubuntu, come with built-in security by default, and you are unlikely to be affected by malware if you keep your system up to date and don't do anything manually insecure.

Avoid being Root or SuperUser; see RootSudo. Avoid entering your password to grant programs higher levels of permission unless you are aware of having started those programs yourself. Unexpected extra internet traffic is a possible indication of infection. The risk levels quoted below are those at the malware's peak activity.

The following is an overview of the entire list of Linux malware, worms and trojans known at this time, courtesy of Wikipedia:

Keep in mind that it may sometimes refer to any kind of malware as a virus!

  • Kaiten: Linux.Backdoor.Kaiten discovered 14th Feb 2006, risk level low.

  • Rexob: Linux.Backdoor.Rexob discovered 26th July 2007, risk level very low.

  • Alaeda infects other binary (program) files in the same directory. If you run as a normal user doing non-programming work, you should not have any other binaries in your home folder. Alaeda won't have anything to infect. This is a good reason why you shouldn't download and install random files off the Internet. If you don't know why you're typing in your password, don't do it. Realistically, though, ELF files (the Linux equivalent of a Windows .exe) are pretty picky about what system they run on, so the chance of getting infected is slight.

  • Bad Bunny was discovered 24th May 2007. Once executed, the threat infects all files in the folder in which the SB.Badbunny worm was originally run - so don't run it somewhere you have files that you don't want to get infected. Its filename was "BadBunny.pl". It was written as a cross-platform virus affecting Windows users far more than Linux users because it's easier for programs to grab Root or SuperUser privileges in Windows.

  • Binom is from 2004 and affected ELF files in a similar manner to Alaeda. The same conditions apply here. Your chance of getting infected is zilch if you don't give a password, and not much even if you do. Be safe, though, and don't run random attachments.

  • Bliss was probably a proof-of-concept by someone from 1997 trying to prove that Linux could be infected. Because of the Linux user privilege system and the thousands of versions of Linux, it didn't do well at all. This is my favourite virus. It writes a neat log of all its actions to /tmp/.bliss and even has a "--bliss-uninfect-files-please" command line option which actually does what it says. The writer apologised for not having enough time to develop bliss beyond the beta-testing stage. It's one of the very few viruses that made it out into the wild but couldn't spread faster than people were (usually accidentally) wiping it out. Also, almost nothing about the Linux kernel is the same as it was in 1997, so Don't Panic! This one is almost a collector's item, but I think it's extinct.

  • Brundle-Fly was a research virus for an operating systems course and was never in the wild. It even has a website and an uninstaller. If you want to get infected by a virus, this one is good. You'll need to compile it for your system, though, so be prepared to follow a lot of complicated instructions.

  • The Bukowski Project is intended to demonstrate that current popular approaches to software security (e.g. DAC, VMA randomization, etc.) are not sufficient and that other approaches should be considered more seriously (e.g. MAC, design by contract). It has its own website.

  • Diesel is called "relatively harmless" by viruslist.com. It's an ELF virus, just like the others, discovered in 2002. No need to be concerned.

  • The Kagob Virus comes in two flavors and even contains a copyright notice (2001). There are no symptoms of infection. Interestingly, when run, the virus disinfects the infected file to a temporary directory before running, then deletes the file after it is executed. Same ELF problems as before. You won't get this one, either.

  • MetaPHOR also known as Smilie is another project with its own web page. The exact function and evolution of the virus is laid out. From 2002, it shouldn't represent any risk, even if you can find one in the wild. If you really want to get infected, download the source and compile it yourself.

  • Nuxbee: Virus.Linux.Nuxbee.1403, discovered Dec 2001. This was a fairly harmless, non-memory-resident parasitic Linux virus. It searched for ELF files in the bin directory, then wrote itself into the middle of each file. The virus infected files only if run with SuperUser rights. It wrote itself at the entry point offset and encrypted and saved the original bytes at the end of the file. See the page at VirusList.

  • OSF.8759 is the first really dangerous virus on the list. It not only infects all files in the directory (and system files if run as root), but also installs a backdoor into your system. The backdoor doesn't suffer from the problems of normal ELF viruses because the virus itself loads the backdoor. This means that the virus still needs to work under ELF, though, limiting the chance that it will work on your system. Since the virus is from 2002, there is virtually no chance that it will run on your system. If a new version becomes available, you might need to worry.

  • Podloso, the iPod virus, was discovered 4th April 2007. Linux.Podloso was a proof-of-concept virus that infected specific iPodLinux files on the compromised device. Once the infection routine was completed, the message "You are infected with [REMOVED]e first iPodLinux Virus" was allegedly displayed. It also displayed a predetermined greeting message when Linux was shut down.

  • Rike was discovered August 2003. Rike.1627 was a non-dangerous, non-memory-resident parasitic virus. It searched for Linux executable files in the current directory, then wrote itself into the middle of the file. Its size was 1627 bytes and it was written in assembler. Next, the virus inserted a jump instruction at the entry point address. See the page at VirusList.

  • RST is also from 2002 and also installs a back-door. It, however, operates under normal ELF rules, making it virtually harmless to today's systems.

  • Satyr was discovered in March 2001 and was another harmless non-memory-resident parasitic Linux virus. The virus was a Linux executable module (ELF file). It searched for other ELF files in the system, and then attempted to infect them. From Virus List again.

  • Staog was the first Linux virus, created in 1996. It used vulnerabilities which have long been patched. It cannot harm you.

  • VIT is another ELF virus, this time from 2000. Since Ubuntu didn't exist seven years ago, you won't be running a system that old and won't be infected.

  • Winter is also from 2000 and is the smallest known Linux virus. It suffers from the same problems as all ELF viruses.

  • Lindose was also known as Winux and PEElf. It was another proof-of-concept virus, showing how a virus can be constructed to infect both Windows and Linux computers. It has never been seen in the wild. Made in March 2001.

  • Wit was apparently released December 2007; another proof-of-concept by the looks of it.

  • ZipWorm passes by infection of .zip files. When run, the virus infects all other .zip files in the directory. It has no other ill effects. From 2001, it is unlikely you'll ever run across it.

  • Net-worm.linux.adm: This worm from 2001 exploited a buffer overrun (one of the most common methods used by viruses). It scans the network for computers with open ports, tries the attack, infects web pages hosted on the system and propagates further. This worm is not dangerous to you because the buffer overruns have been patched for years and you do not have any open ports.

  • Adore: An infected computer scans the network for DNS, FTP, and printer servers, infecting them using various methods. A back-door is installed and the worm propagates itself. This worm is not dangerous to you because the methods of attack are also from 2001 and have long been patched. Even if they weren't patched, you don't have these services running on your Ubuntu system.

  • The Cheese Worm used a back-door which was installed by another worm. The Cheese Worm then removed the back-door and propagated. It was an attempt to clean an already infected system. This worm is not dangerous because the worms it needed to propagate are no longer dangerous. Whether it was ever dangerous in the first place is debatable.

  • Devnull is a worm from 2002 which used an old version of OpenSSL to infect a system, making it part of an IRC-controlled botnet. The worm could only propagate if a compiler was present on the system. The vulnerability this worm used has long been patched. OpenSSH is not installed on your system by default.

  • Kork uses the Red Hat Linux 7.0 print server and needs to download part of itself from a website. That website no longer exists. Red Hat 7.0 is not Ubuntu Linux. You are safe.

  • Lapper has no information about it at all, anywhere, so I can't give you any information about it, but it was added to the list in 2005, and any vulnerabilities it exploited have almost certainly been patched by now. I can't say for certain whether this worm could affect you or not, but most vulnerabilities are patched within days, not weeks, so two years makes it very unlikely you could be affected by this.

  • The L10n Worm (pronounced "Lion") was active in 2001 and exploited a print server. The vulnerability has been patched and the server is not installed on Ubuntu. This is no danger to you.

  • The Mighty Worm appeared in 2002 and used a vulnerability in the secure session module of the old Apache web server, installing a backdoor and joining an IRC botnet. This vulnerability has been patched, Apache is not installed on your system, and the entire architecture of the web server has changed. You can never get infected.

  • Millen was discovered 18th November 2002. It replicated to Linux systems on Intel platforms and used remote exploits on four different servers to spread to vulnerable computers. If it succeeded in exploiting a system, it spawned a shell on the system to retrieve the mworm.tgz package using ftp. It then uncompressed the contents of mworm.tgz into the "/tmp/...." directory. The worm was supposed to open a back-door on port TCP/1338 and offer a remote shell to an attacker connecting to this port.

  • Ramen apparently spread in January 2001, attacking only RedHat systems, not our Debian family. An unusual feature of this worm was its calling card, which made infected systems easily identifiable: it replaced all files on the system named "index.html" with a modified version with the page title "Ramen Crew".

  • The Slapper Worm used the same vulnerability as the Mighty Worm and operated similarly. You can't get this one, either.

  • SSH Bruteforce was apparently being developed in 2007 but seems to have never reached even alpha release, let alone beta-testing!

That's the entire list of Linux viruses and worms. Fewer than thirty. Compare that to the estimated 140,000 viruses for Windows, and you'll understand why people say you don't need a virus scanner on Linux.
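Nearly every file infector on the list above (Alaeda, Binom, Kagob, Satyr, Rike, ...) spreads only to ELF executables it can write to, usually in the directory it is run from, which is why the page says a non-programming user's home folder should contain no stray binaries. The following inventory check is an added example, not code from the wiki page or from Ubuntu: it walks a directory and lists every file that starts with the ELF magic bytes, together with whether it is executable and writable by the owner. The sample tree in demo() is constructed inline.

```python
#!/usr/bin/env python3
"""List ELF binaries under a directory (added example; assumes nothing beyond the stdlib)."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # every ELF file begins with these four bytes


def is_elf(path):
    """True if the file starts with the ELF magic; unreadable files count as not ELF."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_elf_files(root):
    """Return sorted (path, owner_executable, owner_writable) for each ELF file under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into symlinked directories: a link into /usr/bin would list the whole system.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_elf(path):
                mode = os.stat(path).st_mode
                found.append((path, bool(mode & stat.S_IXUSR), bool(mode & stat.S_IWUSR)))
    return sorted(found)


def demo():
    """Constructed sample tree: one fake ELF header, one Perl script, one text file."""
    with tempfile.TemporaryDirectory() as root:
        elf = os.path.join(root, "helper")
        with open(elf, "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # header bytes only, not runnable
        os.chmod(elf, 0o755)
        with open(os.path.join(root, "script.pl"), "w") as f:  # a script is not an ELF file
            f.write("#!/usr/bin/perl\nprint 'hello';\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("just text\n")
        return [(os.path.relpath(p, root), x, w) for p, x, w in find_elf_files(root)]


if __name__ == "__main__":
    for path, executable, writable in find_elf_files(os.path.expanduser("~")):
        print(f"{path}  executable={executable} writable={writable}")
```

A ~/.local/bin or a development checkout will legitimately show up; the point is to recognise anything you did not put there yourself.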

The Reality

If you are going to trade files in a Windows world, you'll need to scan those files for viruses. You won't get infected, but you may help infect someone else. There are two ways to do this:

  1. Run all the files through a server which checks for you. GMail, Yahoo mail, and Hotmail all have wonderful checking software.
  2. Check the files for viruses yourself.

You can install a program called ClamAV. Install the package; it won't appear in the menu. Run it from a command line by typing "clamscan -h" to get some help on how to use it. If you really want a GUI front-end and don't like the command line, just install "clamtk". See the AntiVirus page for other antivirus packages and more detailed instructions.
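A small wrapper for the "check the files yourself" step, added here as an example rather than taken from the wiki page or from the ClamAV project: it runs clamscan recursively over a directory and parses its per-file "FOUND" lines and exit status (0 clean, 1 something found, 2 error). It assumes the clamav package is installed and clamscan is on PATH; SAMPLE_OUTPUT is constructed to show the parser working offline.

```python
#!/usr/bin/env python3
"""Run clamscan over a directory and summarise what it found (added example)."""
import shutil
import subprocess

# Constructed sample of clamscan output, as printed without --infected (one line per file).
SAMPLE_OUTPUT = """/home/user/Downloads/invoice.exe: Eicar-Test-Signature FOUND
/home/user/Downloads/report.pdf: OK
/home/user/Downloads/photo.jpg: OK
"""


def parse_clamscan(output, returncode):
    """Return (status, infected) where infected maps file path -> signature name.

    status is "clean", "infected" or "error", following clamscan's exit codes.
    """
    infected = {}
    for line in output.splitlines():
        if line.endswith(" FOUND"):
            # "<path>: <signature> FOUND"; rpartition keeps any ": " inside the path intact
            path, _, sig = line[: -len(" FOUND")].rpartition(": ")
            infected[path] = sig
    if returncode == 2:
        return "error", infected
    if returncode == 1 or infected:
        return "infected", infected
    return "clean", infected


def scan_directory(path, exe=None):
    """Scan path recursively with clamscan and return parse_clamscan()'s result."""
    exe = exe or shutil.which("clamscan")
    if exe is None:
        raise RuntimeError("clamscan not found; install the clamav package first")
    proc = subprocess.run(
        [exe, "--recursive", "--infected", "--no-summary", path],  # --infected: only print FOUND lines
        capture_output=True, text=True, check=False)
    return parse_clamscan(proc.stdout, proc.returncode)


if __name__ == "__main__":
    import sys
    status, hits = scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(status)
    for file_path, signature in hits.items():
        print(f"  {file_path}: {signature}")
```

Remember the page's point: a hit here usually means a file you could pass on to a Windows user, not a file that can run on your Ubuntu system.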

Even if you do not trade files with the Windows world, it is worth staying reasonably up to date with the normal updating procedures: https://help.ubuntu.com/community/InstallingSoftware#Automatic%20updates:%20Update%20Manager

External References

http://www.symantec.com/connect/symantec-blogs/security-response

http://www.viruslist.com/en/index.html

This information was originally copied from http://ibeentoubuntu.blogspot.com/2007/10/so-you-want-to-know-how-to-use-anti.html by the original writer, but has been added to from Wikipedia:

http://en.wikipedia.org/wiki/Linux_malware

http://www.techradar.com/news/software/operating-systems/how-your-secure-your-linux-system-915651



Linuxvirus (last edited 2019-03-24 10:41:00 by dani.behzi)