Oct 282011

Can Linux be infected by MalWare and is it a big concern? The answer to that question is both Yes and No: Yes, Linux can be Infected and No, it isn’t a big nightmare – yet.

Unless you downloaded the Unreal IRCd (Unreal IRC daemon) and installed it between November 2009 and June 2010 on your Linux server. There was a Trojan downloader in it. A Linux Trojan. See the Softpedia Article

The Trojan went undetected because no one bothered to check for viruses for a whole 7 months. A simple virus scan before installing would have revealed the Trojan. The relative security of Linux had lulled the Sysop on the Unreal IRCd website into not checking for MalWare (Viruses and Trojans). Linux users for the most part don’t scan for viruses because they believe “Linux is Immune”

For 7 months a Trojan went undiscovered in a Linux software package

Out of date knowledge can be dangerous, especially for those who “assume” that “Linux is Immune”. Just isn’t true according to the current information that is out there. I just found out about the Unreal IRCd Trojan today October 27, 2011. I’d never heard of it because I’d never looked for it. I even was aware of the fact that Linux wasn’t immune.

So I spent some time online re-checking the “facts” as I know them. Found that I was mostly correct. Made a few adjustments but also was encouraged because I’ve been scanning downloads to my Linux systems for several years. A “bad” Windows habit that turned out being wise after all.

There are two main ways a virus or Trojan infects a computer system. It’s either self or user executed.

Self executed is a virus or Trojan that uses a system security flaw, or exploit, to install itself without user interaction. Usually comes from an external source like a website or a media device like a USB FlashDrive and without your knowledge

User executed is when you install infected software (the Unreal IRCd comes to mind), execute a file by opening it or by giving permission when prompted to install it.

How big is the current Linux MalWare problem today?

I came across an Ubuntu Community Document called Linuxvirus that’s dated April 9, 2011 and lists 35 total Malwares that could infect Ubuntu Linux, a good number of which are no longer a threat. At the bottom of the page it recommends a Linux Anti-Virus solution called ClamAV that scans for MalWare for all the platforms: Windows, Linux, Macintosh and even Unix.

So if you are not setting up a Linux mail server or are someone who doesn’t indiscriminately download and install software from dubious websites you really have little to worry about. The Unreal IRCd wasn’t “dubious”, it had been hacked!

If you exchange files with Windows users you don’t also have to worry. The Windows user has to worry, though.

If you need or want a anti virus program, how much is enough?

You don’t need an active scanner, one that scans every file as it’s downloaded, opened or executed. Such programs are needed with the higher risk Microsoft Windows platforms but they are intrusive, bog down the PC and aren’t needed on Linux – yet.

All you need is a Basic manual scanner that will scan the downloads before you execute or send them to your friends who use Microsoft Windows.

The ClamAV solution from the Linuxvirus works well enough but has one disadvantage – it’s a command line operated scanner. There is a GUI interface for it but that doesn’t always work. I’ve been disapointed on more than one occasion.

I’ve discovered a simpler solution that has the advantage of being usable from both the Linux and Windows sides of a dual-boot system, has a clean GUI interface and won’t conflict with the full featured Anti-virus program on the Windows side.

ClamWin Portable. A “portable” application is one desinged to be run without being installed on your system. The programs are self-contained and are usually on a USB FlashDrive. With portable software you can use a public PC at an Internet Cafe or Library and use your webrowser with your bookmarks.

In one of the next articles I’ll show in detail how to run a Windows Anti-Virus (ClamWin Portable ) on Linux using the Wine “Not an Emulator” Emulator. It’s a clean, simple solution to the Virus and MalWare hazard that could “bite” you or your friends.

Here is ClamWin 0.97.2 running on Ubuntu Linux


Enhanced by Zemanta

Popular Posts:

Flattr this!

  14 Responses to “Virus Scanning on Linux”

  1. Hi dude,
    i think your article is awfull. Normally there is a pakage in your distro, with which you can install clamav.
    The next thing that you know nothing about rookits in linuX is just a shame.
    I hope you don’t get a new virus when trying clamwin with wine in Ubuntu.
    By the next time check out clamtk, which is a nice frontend for clamav, if you are too lacy to understand the command line 🙁

    The TheJ3rk

  2. The main reason I run ClamAV on my Linux computers is because the network is shared with a bunch of Windows machines that I don’t want to have to disinfect later if infected files get transferred around. It’s not enough to have one secure computer that happens to be running Linux, you have to think about the security of all the computers on your network and if you have a family or friends visiting many of those machines will be using a more vulnerable OS.

  3. Install Klam frontend.

  4. If ClamAV is troublesome, you could give Avast a try.

  5. you sound like one of those windows users that should have stayed on windows, this isn’t an insult targeting Ubuntu, it is linux, and you can get underneath it (this is ofc. 10.10 and below, I cannot stand up for 11.04 and beyond, I need to find a new introduction distro fro friends, email me suggestions please, it’s [email protected], and my website is alec-teal.co.uk so loose the .com obvously (bot prevention :))

    now, yes bad stuff can get onto linux, a program that gets some root privilages can have a go at running “rm -R /” we all know that one, but how can you say a command line program is bad, a few are documented badly, like tar, the man scares the shit out of me, but there are other gudes, all you neex are -x -c and -t!!! and armed with Tab auto-completion, you could take over the world!

    WTF are you on about with wine? Wine is not an emulator, an emulator would mean a VM, an entire x86vm shoved into wine, where windows programs would be loaded and run! this would be beyond stupid, WINE is a compatability layer, function calls’ pointers are in adresses in memory (read up on what linkers do) WINE puts adresses to it’s functions here, where the windows ones would normally be, so consider opening a file, rather then the “windows” function, it calls the “wine” one, which responds to exactly the same input, wine translates it, and builds a file descriptor windows style of whatever directory it corresponds to, and gives back the result.

    Additionally! rootkits as mentioned above! Why should windows users fear a memory stick we give them, the standard tricks that naughty software uses may not even work on Linux, as it has WORKING file permissions, that memory stick as harmful as ANY OTHER memory stick, but lets say you save an open office document, and there’s a “virus” (lets use laymans terms) on there, it can’t even run under anything not-windows, let alone attach itself there. while download sharing, the windows machine running them, you make it sound like memory sticks from a Linux machine are spoons of poison for windows machines, this is not true….

    anyway, /rant

    • Thanks for the long “rant”, the are some useful info in it.
      For your friends try mint, it’s pretty similar to Ubuntu (if you like Ubuntu), or go for something different like PCLinuxOS or ElementaryOS.

      Clamwin can be a good solution for people used to it on windows side and moving to Linux.
      A stick from a Linux machine could have a virus, the owner of the Linux box is probably not interested, because it’s a windows Virus, and so testing all the downloaded files could help in not infecting a friend using Windows.

      • Other people were quite rude in their comments, I am usually more polite, but I agree that there are wrong points in your article. The biggest it wine: it is a nonsense to use it to run a windows software that is already available natively for linux! I do not see any reason: just opening a terminal and starting “clamscan -r” in the directory of interest is not impossible even for novice users. I do not understand this sort of fear of the command line…

        • I understand your point. This is for me a solution that can help people having a dual boot ssytem and that want to keep the same antivirus on both systems.
          Anyway soon i’ll do also an article on Clamav with the command line.

          Best regards

  6. Running a portable virus scanner through WINE isn’t a clean and reliable solution.
    Also I find ClamAV to be lacking some features for example it won’t scan inside iso-files (so it isn’t reliable enough as a virus scanner).
    I, however, do use is and it the only scanner installed on my distro.
    Unfortunately it seems to be the best we Linux guys have at our disposal.

  7. Any system where you can install software could be the target for a virus. Linux has been historically safer than Windows and is likely to stay that way in the future. Due to a knowledgeable community and the relatively small install base.
    However safer does not mean it’s immune. If you install software from outside a major distros repositories you take a risk… there was a malicious script in a screensaver on Gnome look a while back. Even the walled garden of a distros repositories is only safe if the people maintaining the repositories are vigilant. My example in this case a Debian developer unintentionally opened up a pretty big security hole.



  8. Why, do you want to use clamwin with wine when you use native clamav with other frontend?
    Mah, you are crazy 🙂

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>