Linux malware

Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected, but not immune, from computer viruses. According to advocates like Scott Granneman, Linux provides better protection compared to Microsoft Windows.^[1]

There has not yet been a widespread Linux malware threat of the type that Microsoft Windows software faces; this is commonly attributed to the malware's lack of root access and fast updates to most Linux vulnerabilities.^[2]

The number of malicious programs — including viruses, Trojans, and other threats — specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.^[3]

Linux vulnerability

Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or cause any serious consequence to the system itself, the malware would have to gain root access to the system, which requires a users' password and so would be difficult to accomplish.^[2]

Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."^[3] Rick Moen, an experienced Linux system administrator, counters that:

[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen."^[4]

Some Linux users run Linux-based anti-virus software to scan insecure documents and email which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:

...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users."^[1]

Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example the open source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."^[5]

Viruses and trojan horses

The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be infected. The infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system.

It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges. It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay or similar and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user to run the (trojan) program in the first place.

The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. Subsequently, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of these digital signatures provides an additional line of defense, which limits the scope of attacks to include only the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled.

Vulnerability to trojan horses and viruses results from users willing to run code from sources that should not be trusted and to some extent about distributions not by default checking the authenticity of software downloaded while a system was the target of an attack.

Worms and targeted attacks

The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

Web scripts

Linux servers may also be used by malware without any attack against the system itself, where e.g. web content and scripts are insufficiently restricted or checked and used by malware to attack visitors. Typically a CGI script (meant for leaving comments) by mistake allows inclusion of code exploiting vulnerabilities in the web browser.

Buffer overruns

Older Linux distributions were relatively sensitive to buffer overrun attacks: if the program did not care about the size of the buffer itself, the kernel provided only limited protection, allowing an attacker to execute arbitrary code under the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However as of 2009 most of the kernels include address space layout randomization (ASLR), enhanced memory protection and other extensions making such attacks much more difficult to arrange.

Cross-platform viruses

A new area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an OpenOffice.org virus called Badbunny.

Stuart Smith of Symantec wrote the following:

"What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc, can be abused. All too often, this is forgotten in the pursuit to match features with another vendor... [T]he ability for malware to survive in a cross-platform, cross-application environment has particular relevance as more and more malware is pushed out via Web sites. How long until someone uses something like this to drop a JavaScript infector on a Web server, regardless of platform?"^[6]

Social engineering

As is the case with any operating system, Linux is vulnerable to malware that tricks the user into installing it through social engineering. In December 2009 a malicious waterfall screensaver was discovered that contained a script that used the infected Linux PC in denial-of-service attacks.^[7]

Anti-virus applications

The ClamTk GUI for ClamAV running a scan on Ubuntu 8.04 Hardy Heron

There are a number of anti-virus applications available for Linux, most of which are designed for servers, including:

Avast! (freeware and commercial) AVG (freeware and commercial) Avira (freeware and commercial) BitDefender (freeware and commercial) ClamAV (free open source software)[8] Dr.Web (commercial) [9] eScan Anti-Virus for Linux (commercial)[10] Eset (commercial)[11][12][13] F-Secure Linux (commercial)

Kaspersky Linux Security (commercial)[14] Linux Malware Detect (free open source software)[15] McAfee VirusScan Enterprise for Linux (commercial)[16] NORMAN Norman Security Suite for Linux (commercial)[citation needed] Panda Security for Linux (commercial)[17] rkhunter (free open source software)[18] Sophos (commercial) Symantec AntiVirus for Linux (commercial)[19] Trend Micro ServerProtect for Linux (commercial)

Threats

The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

Trojans

Kaiten - Linux.Backdoor.Kaiten trojan horse[20] Rexob - Linux.Backdoor.Rexob trojan[21] Waterfall screensaver backdoor - on gnome-look.org[22]

Droiddream[23] FakePlayer - Trojan-SMS.AndroidOS.FakePlayer.a[24]

Viruses

42 [25][26] Arches [27] Alaeda - Virus.Linux.Alaeda[28] Bad Bunny - Perl.Badbunny[6][29] Binom - Linux/Binom[30] Bliss - requires root privileges Brundle[31] Bukowski[32] Caveat [33][34] Coin [35][36] Diesel - Virus.Linux.Diesel.962[37] Hasher [38][39] Kagob a - Virus.Linux.Kagob.a[40] Kagob b - Virus.Linux.Kagob.b[41] Lacrimae (aka Crimea) [42][43]

MetaPHOR (also known as Simile)[44] Nuxbee - Virus.Linux.Nuxbee.1403[45] OSF.8759 PiLoT[46][47] Podloso - Linux.Podloso (The iPod virus)[48][49] RELx [50] Rike - Virus.Linux.Rike.1627[51] RST - Virus.Linux.RST.a[52] (known for infecting Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005[53]) Satyr - Virus.Linux.Satyr.a[54] Staog - obsoleted by updates Vit - Virus.Linux.Vit.4096[55] Winter - Virus.Linux.Winter.341[56] Winux (also known as Lindose and PEElf)[57] Wit virus[58] ZipWorm - Virus.Linux.ZipWorm[59]

Worms

Adm - Net-Worm.Linux.Adm[60] Adore[61] Cheese - Net-Worm.Linux.Cheese[62] Devnull Kork[63] Linux/Lion

Linux/Lupper.worm[64] Mighty - Net-Worm.Linux.Mighty[65] Millen - Linux.Millen.Worm[66] Ramen worm - targeted only Red Hat Linux distributions versions 6.2 and 7.0 Slapper[67] SSH Bruteforce[68]

See also

• List of computer viruses
• List of computer viruses (Numeric)
• List of computer viruses (A-D)
• List of computer viruses (E-K)
• List of computer viruses (L-R)
• List of computer viruses (S-Z)

References

1. ^ ^{a b} Granneman, Scott (October 2003). "Linux vs. Windows Viruses". http://www.securityfocus.com/columnists/188. Retrieved 2008-03-06. 
2. ^ ^{a b} Yeargin, Ray (July 2005). "The short life and hard times of a linux virus". http://librenix.com/?inode=21. Retrieved 2008-06-24. 
3. ^ ^{a b} Patrizio, Andy (April 2006). "Linux Malware On The Rise". http://www.internetnews.com/dev-news/article.php/3601946. Retrieved 2008-03-08. 
4. ^ "Virus Department". http://linuxmafia.com/~rick/faq/index.php?page=virus. Retrieved 2009-10-11. 
5. ^ ClamAV (2010). "Clam AntiVirus 0.96 User Manual". http://www.clamav.net/doc/latest/clamdoc.pdf. Retrieved 2011-02-22. 
6. ^ ^{a b} Smith, Stuart (June 2007). "Bad Bunny". http://www.symantec.com/enterprise/security_response/weblog/2007/06/bad_bunny.html. Retrieved 2008-02-20. 
7. ^ Kissling, Kristian (December 2009). "Malicious Screensaver: Malware on Gnome-Look.org". http://www.ubuntu-user.com/Online/News/Malicious-Screensaver-Malware-on-Gnome-Look.org. Retrieved 2009-12-12. 
8. ^ "ClamAV". http://www.clamav.net/. Retrieved 2011-02-22. 
9. ^ "Dr.Web anti-virus for Linux". Dashke. http://products.drweb.com/linux/. Retrieved 2010-05-25. 
10. ^ "eScan Antivirus for Linux". eScan Anti-Virus. http://escanav.com/english/content/products/escan_linux/escan_linux_desktops.asp/. Retrieved 2009-01-13. 
11. ^ "ESET File Security - Antivirus Protection for Linux, BSD, and Solaris". Eset. http://www.eset.com/products/linux.php. Retrieved 2008-10-26. 
12. ^ "ESET Mail Security - Linux, BSD, and Solaris mail server protection". Eset. http://www.eset.com/products/linux_mail.php. Retrieved 2008-10-26. 
13. ^ "ESET NOD32 Antivirus for Linux Gateway Devices". Eset. http://www.eset.com/products/gateway.php. Retrieved 2008-10-26. 
14. ^ "Kaspersky Linux Security - Gateway, mail and file server, workstation protection for Linux/FreeBSD". Kaspersky Lab. http://www.kaspersky.com/linux. Retrieved 2009-02-11. 
15. ^ "Linux Malware Detect". http://www.rfxn.com/projects/linux-malware-detect/. Retrieved 2011-02-22. 
16. ^ "McAfee VirusScan Enterprise for Linux". McAfee. http://www.mcafee.com/us/enterprise/products/system_security/servers/linuxshield.html. Retrieved 2009-06-11. 
17. ^ "Panda Security Antivirus Protection for Linux". Panda Security. http://www.pandasecurity.com/spain/homeusers/solutions/linux/. Retrieved 2009-01-13. 
18. ^ "Root Kit Hunter". http://www.rootkit.nl/projects/rootkit_hunter.html. 
19. ^ Symantec (January 2009). "System requirements for Symantec AntiVirus for Linux 1.0". http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005110716014248. Retrieved 2009-03-07. 
20. ^ Florio, Elia (February 2006). "Linux.Backdoor.Kaiten". http://www.symantec.com/security_response/writeup.jsp?docid=2006-021417-0144-99. Retrieved 2008-03-08. 
21. ^ Florio, Elia (December 2007). "Linux.Backdoor.Rexob". http://www.symantec.com/security_response/writeup.jsp?docid=2007-072612-1704-99. Retrieved 2008-03-08. 
22. ^ Vervloesem, Koen (December 2009). "Linux malware: an incident and some solutions". http://lwn.net/Articles/367874/. Retrieved 2010-09-16. 
23. ^ "The Mother of All Android Malware Has Arrived". Android Police. March 6, 2011. http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/. 
24. ^ Blasco, Jaime (March 2011). "Analysis of Trojan-SMS.AndroidOS.FakePlayer.a". http://www.alienvault.com/blog/jaime/Malware/Analysis_of_Trojan-SMS.AndroidOS.FakePlayer.a.html. Retrieved 10 August 2011. 
25. ^ herm1t (August 2008). "Linux.42: Using CRC32B (SSE4.2) instruction in polymorphic decryptor". http://vx.eof-project.net/viewtopic.php?pid=1049. 
26. ^ Ferrie, Peter (September 2008). "Life, the Universe, and Everything". http://blogs.technet.com/mmpc/archive/2008/09/10/life-the-universe-and-everything.aspx. 
27. ^ herm1t (August 2006). "Infecting ELF-files using function padding for Linux". http://vx.netlux.org/lib/vhe00.html. 
28. ^ Kaspersky Lab (May 2007). "Virus.Linux.Alaeda". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21703. Retrieved 2008-03-08. 
29. ^ Smith, Stuart (May 2007). "Perl.Badbunny". http://www.symantec.com/security_response/writeup.jsp?docid=2007-052400-3656-99. Retrieved 2008-03-08. 
30. ^ McAfee (December 2004). "Linux/Binom". http://vil.nai.com/vil/content/v_130506.htm. Retrieved 2008-03-08. 
31. ^ Rieck, Konrad and Konrad Kretschmer (August 2001). "Brundle Fly 0.0.1 - A Good-Natured Linux ELF Virus". http://www.roqe.org/brundle-fly/. Retrieved 2008-03-08. 
32. ^ de Almeida Lopes, Anthony (July 2007). "Project Bukowski". http://sourceforge.net/projects/bukowski/. Retrieved 2008-03-08. 
33. ^ herm1t (February 2008). "Caveat virus". http://www.vxheavens.com/lib/vhe06.html. 
34. ^ Ferrie, Peter (July 2009). "Can you spare a seg?". http://vx.netlux.org/lib/apf29.html. 
35. ^ herm1t (October 2007). "Reverse of a coin: A short note on segment alignment". http://www.vxheavens.com/lib/vhe04.html. 
36. ^ Ferrie, Peter (September 2009). "Heads or tails?". http://vx.netlux.org/lib/apf31.html. 
37. ^ Kaspersky Lab (February 2002). "Virus.Linux.Diesel.962". http://www.viruslist.com/en/viruslist.html?id=3994&key=00001000050000200004. Retrieved 2008-03-08. 
38. ^ herm1t (October 2007). "Hashin' the elves". http://www.vxheavens.com/lib/vhe02.html. 
39. ^ Ferrie, Peter (August 2009). "Making a hash of things". http://vx.netlux.org/lib/apf30.html. 
40. ^ Kaspersky Lab (April 2001). "Virus.Linux.Kagob.a". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21720. Retrieved 2008-03-08. 
41. ^ Kaspersky Lab (undated). "Virus.Linux.Kagob.b". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21721. Retrieved 2008-03-08. 
42. ^ herm1t (June 2008). "README". http://vx.netlux.org/herm1t/Lacrimae_EN.txt. 
43. ^ Ferrie, Peter (February 2008). "Crimea river". http://vx.netlux.org/lib/apf12.html. 
44. ^ The Mental Driller (February 2002). "Metamorphism in practice or "How I made MetaPHOR and what I've learnt"". http://vx.netlux.org/lib/vmd01.html. Retrieved 2008-03-08. 
45. ^ Kaspersky Lab (December 2001). "Virus.Linux.Nuxbee.1403". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21725. Retrieved 2008-03-08. 
46. ^ herm1t (November 2007). "INT 0x80? No, thank you!". http://www.vxheavens.com/lib/vhe05.html. 
47. ^ Ferrie, Peter (September 2009). "Flying solo". http://vx.netlux.org/lib/apf37.html. 
48. ^ Ferrie, Peter (April 2007). "Linux.Podloso". http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-040516-4947-99. Retrieved 2008-03-08. 
49. ^ Ferrie, Peter (April 2007). "The iPod virus". http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_ipod_virus.html. Retrieved 2008-03-08. 
50. ^ herm1t (December 2009). "From position-independent to self-relocatable viral code". http://www.vxheavens.com/lib/vhe08.html. 
51. ^ Kaspersky Lab (August 2003). "Virus.Linux.Rike.1627". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21733. Retrieved 2008-03-08. 
52. ^ Kaspersky Lab (January 2002). "Virus.Linux.RST.a". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21734. Retrieved 2008-03-08. 
53. ^ "The ways of viruses in Linux HOW SAFE?". http://www.linux-magazine.com/w3/issue/62/Viruses_in_Linux.pdf. Retrieved 2009-08-21. 
54. ^ Kaspersky Lab (March 2001). "Virus.Linux.Satyr.a". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21736. Retrieved 2008-03-08. 
55. ^ Kaspersky Lab (March 2000). "Virus.Linux.Vit.4096". http://www.viruslist.com/en/viruslist.html?id=3135&key=00001000050000200003. Retrieved 2008-03-08. 
56. ^ Kaspersky Lab (October 2000). "Virus.Linux.Winter.341". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21756. Retrieved 2008-03-08. 
57. ^ Rautiainen, Sami et al. (March 2001). "F-Secure Virus Descriptions: Lindose". http://www.f-secure.com/v-descs/lindose.shtml. Retrieved 2008-03-08. 
58. ^ "The Wit Virus: A virus built on the ViT ELF virus". http://members.hellug.gr/nmav/papers/other/wit-virus.pdf. Retrieved 2008-12-31. 
59. ^ Kaspersky Lab (January 2001). "Virus.Linux.ZipWorm". http://www.viruslist.com/en/viruses/encyclopedia?virusid=21759. Retrieved 2008-03-08. 
60. ^ Kaspersky Lab (May 2001). "Net-Worm.Linux.Adm". http://www.viruslist.com/en/viruses/encyclopedia?virusid=23854. Retrieved 2008-03-08. 
61. ^ Rautiainen, Sami (April 2001). "F-Secure Virus Descriptions: Adore". http://www.f-secure.com/v-descs/adore.shtml. Retrieved 2008-03-08. 
62. ^ Kaspersky Lab (May 2001). "Net-Worm.Linux.Cheese". http://www.viruslist.com/en/viruses/encyclopedia?virusid=23856. Retrieved 2008-03-08. 
63. ^ Rautiainen, Sami (April 2001). "F-Secure Virus Descriptions: Kork". http://www.f-secure.com/v-descs/kork.shtml. Retrieved 2008-03-08. 
64. ^ McAfee (June 2005). "Linux/Lupper.worm Description". http://vil.nai.com/vil/content/v_136821.htm. Retrieved 2010-10-10. 
65. ^ Kaspersky Lab (October 2002). "Net-Worm.Linux.Mighty". http://www.viruslist.com/en/viruses/encyclopedia?virusid=23864. Retrieved 2008-03-08. 
66. ^ Perriot, Frederic (February 2007). "Linux.Millen.Worm". http://www.symantec.com/security_response/writeup.jsp?docid=2002-121114-1432-99. Retrieved 2008-03-08. 
67. ^ Rautiainen, Sami et al. (September 2002). "F-Secure Virus Descriptions: Slapper". http://www.f-secure.com/v-descs/slapper.shtml. Retrieved 2008-03-08. 
68. ^ Voss, Joel (December 2007). "SSH Bruteforce Virus by AltSci Concepts". https://www.altsci.com/concepts/virus/. Retrieved 2008-03-13. ^{[dead link]}

External links

• Linux virus samples at VX Heavens