Linux malware

Template:Short description Template:Use dmy dates Template:Use American English Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.<ref name="Granneman">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref><ref name="Yeargin">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Linux vulnerabilityEdit

Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or to cause any serious consequences to the system itself, the malware would have to gain root access to the system.<ref name="Yeargin"/>

In the past, it has been suggested that Linux had so little malware because its low market share made it a less profitable target. Rick Moen, an experienced Linux system administrator, counters that:

<templatestyles src="Template:Blockquote/styles.css" />

Template:ErrorTemplate:Main other{{#if:|{{#if:|}}

— {{#if:|, in }}Template:Comma separated entries

}}

{{#invoke:Check for unknown parameters|check|unknown=Template:Main other|preview=Page using Template:Blockquote with unknown parameter "_VALUE_"|ignoreblank=y| 1 | 2 | 3 | 4 | 5 | author | by | char | character | cite | class | content | multiline | personquoted | publication | quote | quotesource | quotetext | sign | source | style | text | title | ts }}

In 2008 the quantity of malware targeting Linux was noted as increasing. Shane Coursen, a senior technical consultant with Kaspersky Lab, said at the time, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."<ref name="Patrizio">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Tom Ferris, a researcher with Security Protocols, commented on one of Kaspersky's reports, stating, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or Mac OS X. But that's not necessarily true."<ref name="Patrizio"/>

Some Linux users do run Linux-based anti-virus software to scan insecure documents and email which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:

<templatestyles src="Template:Blockquote/styles.css" />

Template:ErrorTemplate:Main other{{#if:|{{#if:|}}

— {{#if:|, in }}Template:Comma separated entries

}}

{{#invoke:Check for unknown parameters|check|unknown=Template:Main other|preview=Page using Template:Blockquote with unknown parameter "_VALUE_"|ignoreblank=y| 1 | 2 | 3 | 4 | 5 | author | by | char | character | cite | class | content | multiline | personquoted | publication | quote | quotesource | quotetext | sign | source | style | text | title | ts }}

Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example, the open source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."<ref name="ClamMan0.96">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Cases of malware intended for Microsoft Windows systems posing a danger to Linux systems when run through compatibility layers such as Wine, while uncommon, have been recorded.<ref>Template:Cite journal</ref>

Viruses and trojan horsesEdit

The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be temporarily infected, as the Linux kernel is memory resident and read-only. Any infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system.

It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges. It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay, or similar program, and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user to run the (trojan) program in the first place.

The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. Subsequently, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of these digital signatures provides an additional line of defense, which limits the scope of attacks to include only the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled. Reproducible builds can ensure that digitally signed source code has been reliably transformed into a binary application.

Worms and targeted attacksEdit

The classical threat to Unix-like systems are vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

Web scriptsEdit

Linux servers may also be used by malware without any attack against the system itself, where e.g. web content and scripts are insufficiently restricted or checked and used by malware to attack visitors. Some attacks use complicated malware to attack Linux servers, but when most get full root access then hackers are able to attack by<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> modifying anything like replacing binaries or injecting modules. This may allow the redirection of users to different content on the web.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> Typically, a CGI script meant for leaving comments, could, by mistake, allow inclusion of code exploiting vulnerabilities in the web browser.

Buffer overrunsEdit

Older Linux distributions were relatively sensitive to buffer overflow attacks: if the program did not care about the size of the buffer itself, the kernel provided only limited protection, allowing an attacker to execute arbitrary code under the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However, as of 2009 most of the kernels include address space layout randomization (ASLR), enhanced memory protection and other extensions making such attacks much more difficult to arrange.

Cross-platform virusesEdit

An area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an OpenOffice.org virus called Badbunny.

Stuart Smith of Symantec wrote the following:

What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc, can be abused. All too often, this is forgotten in the pursuit to match features with another vendor... The ability for malware to survive in a cross-platform, cross-application environment has particular relevance as more and more malware is pushed out via Web sites. How long until someone uses something like this to drop a JavaScript infecter on a Web server, regardless of platform?<ref name="Smith">{{#invoke:citation/CS1|citation

|CitationClass=web

}}</ref>

Social engineeringEdit

As is the case with any operating system, Linux is vulnerable to malware that tricks the user into installing it through social engineering. In December 2009 a malicious waterfall screensaver that contained a script that used the infected Linux PC in denial-of-service attacks was discovered.<ref name="UbuntuUser12Dec09">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Go-written malwareEdit

The IBM Security Report: Attacks on Industries Supporting COVID-19 Response Efforts Double had as a key point that "Cybercriminals Accelerate Use of Linux Malware – With a 40% increase in Linux-related malware families in the past year, and a 500% increase in Go-written malware in the first six months of 2020, attackers are accelerating a migration to Linux malware, that can more easily run on various platforms, including cloud environments." That these cybercriminals are increasingly using Linux and Unix to target hospitals and allied industries (that rely on these systems and cloud networks) that they are increasingly vulnerable during the COVID-19 crisis, such as the Red Cross cyberattack.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Anti-virus applicationsEdit

There are a number of anti-virus applications available which will run under the Linux operating system. Most of these applications are looking for exploits which could affect users of Microsoft Windows.

For Microsoft Windows-specific threatsEdit

These applications are useful for computers (typically, servers) which will pass on files to Microsoft Windows users. They do not look for Linux-specific threats. Template:Columns-list

For Linux-specific threatsEdit

These applications look for actual threats to the Linux computers on which they are running.

• chkrootkit (free and open source software)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• ClamAV (free and open source software)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Comodo (proprietary)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Crowdstrike (proprietary)
• Dr.Web (proprietary)<ref name="auto"/>
• ESET (proprietary)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>Template:Citation needed

• Kaspersky Virus Removal Tool (KVRT) for Linux (free)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Linux Malware Detect<ref>https://www.rfxn.com/projects/linux-malware-detect/ Template:Webarchive R-fx Networks project page of LMD</ref>
• lynis (open source auditing)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

• rkhunter (free and open source software)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Samhain (free and open source software)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Sophos (proprietary)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Linux malware can also be detected (and analyzed) using memory forensics tools, such as:

• Forcepoint (proprietary)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Volatility<ref>volatilesystems.com Template:Webarchive</ref> (free and open source software)<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

ThreatsEdit

The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

BotnetsEdit

• Mayhem – 32/64-bit Linux/FreeBSD multifunctional botnet<ref>Kovalev et al (17 July 2014), Mayhem – a hidden threat for *nix web servers Template:Webarchive, Virus Bulletin</ref>
• Linux.Remaiten – a threat targeting the Internet of things.<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

• Mirai (malware) – a DDoS botnet spreads through telnet service and designed to infect Internet of Things (IoT).<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref><ref name="wired">Template:Cite news</ref>

• GafGyt/BASHLITE/Qbot – a DDoS botnet spreads through SSH and Telnet service weak passwords, firstly discovered during bash Shellshock vulnerability.<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• LuaBot – a botnet coded with modules component in Lua programming language, cross-compiled in C wrapper with LibC, it aims for Internet of Things in ARM, MIPS and PPC architectures, with the usage to DDoS, spreads Mirai (malware) or selling proxy access to the cyber crime.<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref><ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

• Hydra,<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref> Aidra,<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> LightAidra<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> and NewAidra<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> – another form of a powerful IRC botnet that infects Linux boxes.

• EnergyMech 2.8 overkill mod (Linux/Overkill) – a long-lasting botnet worm designed to infect servers with its bot and operated through IRC protocol, for the purposes of DDoSing and spreading itself.<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

RansomwareEdit

Template:Columns-list

RootkitsEdit

• Snakso – a 64-bit Linux webserver rootkit<ref>Leyden, John ( 21 November 2012), Evildoers can now turn all sites on a Linux server into silent hell-pits Template:Webarchive, The Register, retrieved 21 November 2012</ref>
• Pigmy Goat - used in Sophos Firewall in 2024 <ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

TrojansEdit

Template:Columns-list

VirusesEdit

Template:Columns-list

WormsEdit

Template:Columns-list

See alsoEdit

• Botnet
• Comparison of computer viruses
• Computer virus
• Computer worm
• Dirty COW
• Ransomware
• Spyware
• Timeline of computer viruses and worms
• Trojan horse (computing)

ReferencesEdit

Template:Reflist

External linksEdit

• Linuxvirus on the Official Ubuntu Documentation

{{#invoke:Navbox|navbox}} Template:Malware