Re: Linux viruses -- everything you need to know!

Read and become enlightened: RootSudo

Re: Linux viruses -- everything you need to know!

i'm very new to Linux, but some make it seem like its impossible to get malware, then some mentioned not to click on unkown apps, don't run root...etc.

So is it impossible to get malware on linux or not?
If its possible, then no guarantees of anything.....what about firewalls? should i use a firewall?

Re: Linux viruses -- everything you need to know!

Before reading what follows, understand that I am one of those people who think that a pound of prevention is better than an ounce of cure (yes I said that right).

1. Computer security begins with the user. Ultimately, YOU are responsible for the security of your system, not any program or software. So security begins with not doing stupid things -- don't open those emails from Britney, don't visit those FreeXXX websites, never give out your passwords and account information, etc. Many computer attacks are really based on human psychology and not technical vulnerability, and no software will prevent you from giving out your personal information, only YOU can do that.

2. Firewalls are good. Linux ships with a built-in firewall (iptables), and there are several frontends that make it somewhat less difficult to use -- gufw, kmyfirewall, firestarter. But you have to take the time to learn how to use them. Firewalls are most important on systems that are left running all the time, like servers, and somewhat less important on desktops that are turned on and off. It's still a good idea to have one installed, but be aware that if you don't configure it properly, it may not do its job, and at worst, can break you internet access. It's not plug-and-play.

3. Linux systems are often attacked, just like windows, with modified programs that attempt to get root access. The Ubuntu family of linuxes have built in methods of trying to minimize that problem (mostly, by disabling the root account) but the threat still exists. This is where you come in -- don't just download and install stuff from the internet. Do the research first -- make sure the source is reputable, check for reviews of the software, etc. Pretty much everything in the standard repositories is safe, but buggy programs from other sources can do just as much damage as intentional malware.

4. Rootkit attacks are less common, but do happen. Install rkhunter, and let it do its thing automatically once a day. It will check for file modifications that could be from rootkit attacks. rkhunter will send a daily email to the root account explaining what it has found, and you will need to read that email. Several ways to do that. sudo mail will get you into the root email account; installing alpine makes reading the mail a little easier. You can also install a .forward file in the /root directory that points to your own account (username@localhost), and then read the mail from your user account.

5. The debsecan program looks for important programs that have security flaws and available updates. But doing daily updates tio your system probably minimizes the need for such.

6. Depending on how you set up your email, there are various email filters you can use. If you are using a POP3 account directly, such as with thunderbird, they won't help, but there are thunderbird extensions that will. If you are using one of linux's email systems, then you need to do some research -- packages are available in the repositories for spam, phishing, etc.

7. The clamav packages check mostly for windows viruses -- even though windows viruses are unlikely to damage a linux system, a linux system can propagate them. So scanning your software with clamav, or one of the commercial scanners, is a good idea if you share a network with windows based systems.

8. To reiterate, security starts with YOU. Use good judgment, and take precautions about what you get on the internet, and where you get it from, and that will prevent 99 percent of the problems.

Edit: I forgot to mention, there are also several network security programs, such as snort, that check for net-based attacks. But using them is a fairly advanced matter. If you are running a desktop that is turned on and off frequently, probably not necessary, but they are there.

Re: Linux viruses -- everything you need to know!

The above post is the best linux security summary I've ever read. Informative without droning on. Thanks doctordruidphd for the time and contribution to the general knowledge. I will be answering those linux "virus" questions with this post!

Re: Linux viruses -- everything you need to know!

Possible? Yes.
Probable? Unlikely.

You experience is probably with Windows. Linux security is entirely different.

Unlike Windows, in Linux EVERYTHING is a file. To be a file it must exist on the HD. IF it is on the HD it has an owner and it is a member of one or more groups. It also has a set of permissions which limit what can be done with or to that file. Only a file on the HD can be executed, depending...

In Linux, executables are files on the HD that either are an ELF binary or a script file with "#!/bin/bash" as the first line and valid bash commands making up the rest of the script. Even then, in order to be run an executable file must have its execute permission bit(s) set. There are three possibilities: owner (or user), group and world. Even the owner of an executable CANNOT execute it IF the execute bit is not set. If you are not the owner (or in the owner''s group) for an executable you cannot execute it even if the owner's execute bit is set. There are also read and write permission bits. The read bit permits one to open a file and read it, IF they are the owner or in the owner's group) and the write bit allows one to make changes and save the changes IF they are the owner or inn the owner's group. Let's say that you create a file, test.txt in your home directory. Here is what the system will create for you:
The left set of characters are the permissions set for the owner, group and world. A full set of permissions would be "rwx" for each set. The file's owner is "jerry" and the file is in the "jerry" group. the first set of permissions, "rw-" says that jerry can read and write test.txt, but I cannot execute it, because the execute bit is "-". The second set of permissions, "r--", says that anyone in the "jerry" group can read the file but they cannot write (change) it or execute it. The third set of permissions, "r--", says that members of the world group (everyone else besides "jerry" and members of "jerry's" group) can only read the file. They cannot change it or execute it. Files that are owned by root or are members of the root group cannot be run by anyone except root or members of the root group. The three sets of permissions combined with the power of "group"ing give Linux a very fine grained security model.

The "extension" of a file (*.sh, *.txt, etc...) play NO part in determining what a file is or what it does. Extensions are just arbitrary conventions that give the user an indication of what is in the file, or what it is about. That's why you often do not see an extension like ".exe" on a Linux binary executable. Some use a "*.bin" extension to indicate that the file is an executable, but not always. And, a "bin" extension doesn't mean anything. You could rename the file without the extension and if the execute permission is set it will still execute. One could create a file with the name of "text.txt.exe", but having multiple extensions mean nothing to Linux and would not deceive the OS. In Windows such a file would be displayed as "text.txt" but the Windows OS would see the ".exe" at the end as the identifier of what the file is for. A Windows user, seeing that file attached to an email message would think it is a text file and click on it to open and read it. The Windows OS, seeing the "exe" terminal extension would attempt to execute it. IF it were an executable file it would execute, even though it is NOT a file on the HD because Windows executes based on the extension designation, not the location or permission.

When you hover your mouse over a link in an email or html page Windows will (does it still?) display the domain name in the URL. Linux will display the ENTIRE URL. So, in Windows you might see "http://paypal.com" while hovering over a link. In Linux you'd see "http://172.224.1.34/paypal.com/...".
The apparent URL is of a well known commercial website. The Linux user see's that the URL is a ruse and won't click on it. IF they did, however, they might be presented with a fake login screen that is a screen scrape of the real paypal site. IF the Linux user enters their name and password anyway then they just gave away the money in their paypal account or even worse, their CC info. Neither Windows nor Linux security can compensate for user stupidity.

In order to get infected by a malware email attachment while using Linux you must, as the user, take three steps:
1) save the attachment to the HD, thus making it a file.
2) the file will have default permission bits of "rw-r--r--". In order to make the saved attachment executable the user must change the permission bits to "rwxr--r--".
3) the user must then MANUALLY execute the file.

Even then the risk is usually limited to what the user can do, and the worst it can do is steal private information and/or delete the user's home account. Most malware will try to "escalate" their privileges. That is, they try to change the ownership of the running process from that of a user to "root". Root is god on the system, and can do anything. Rather than maliciously destroy files the most likely use would be to use the now compromised Linux box as a "control" box on a Windows bot farm, because Linux boxes are very difficult to hack into if properly secured, and hackers are usually very good at security boxes, especially if they are good enough to hack into a Linux box.

You already have a firewall running and more than likely will not have to take additional measures. Go to grc.com and run "ShieldsUp!". If you get an entirely green board then your box is invisible on the internet and it will not respond to hacker's automated probes, so your IP address will not end up on an automated list of IP addresses the hacker will look at in the future.

So, I've discussed emails and remote hacker attacks. The third threat is "Local" attacks. That is, threats from PEOPLE who have PHYSICAL access to your computer. Either you have created an account for them to log into when you are not using your box, or you have given them your account name and password. It generally does not matter if local exploits are available or not. IF you have an untrustworthy user, or an ignorant user, you have problems.

I was getting ready to shut down my computer last night and go to bed when my phone rang. It was a user I support who lives over 1,000 miles away. While he was gone his son-in-law "used" his system. Not being familiar with Linux he looked for apps with familiar Windows names. And, when he plugged in the ISP connection he got it backwards and couldn't get to the internet. He ended up changing keyboard model to one which made the characters so small they looked like dots. He tried to run Skype, which was already running. When he fired the second copy it erased the password and unchecked the automatic login. He tried to enter the Skype password, which he didn't know but was guessing at. Not being able to see what he was typing he simply turned off the system without doing a normal shutdown. I imagine he though "Linux su***".

My friend reversed the cable connection and got the Internet up. We connected via Skype and I guided him to the "Keyboard Model" location and changed it back to "generic 104 key PC", which gave him is characters back. We unchecked the automatic login and set it to display no name on log in, forcing the user to enter the correct name and password, which he changed to something more difficult.

Retired, as a former machinist, he is into rebuilding old cars, specifically 1966 Dodge SuperBee's. He hits a lot of sites that have the old "Your Windows is Infected!" scams that don't let him leave the site without closing FireFox. I showed him how to use multiple tabs to browse sites, keeping his google search list entact, and removing a tab if one of those website lock-in tricks appear.

He's a happy camper again.

Re: Linux viruses -- everything you need to know!

over my head by the 3rd paragraph.
Anyway, so i assume there is no way of me knowing if i get infected or not...so i need an AV are there any AV's for Kubuntu?

Re: Linux viruses -- everything you need to know!

In simple terms, you don't need an AV when running *buntu. The default protection that is installed - iptables - even without any user customization, is more than sufficient to protect your system. That's all I have to protect my system.

Re: Linux viruses -- everything you need to know!

No. The only reason to run an AV app in Linux is to protect Windows users if you happen to forward an infected email to them. Email attachments cannot harm your Linux system UNLESS you
1) save the attachment
2) change its permission to execute
3) run it.
If you don't do those three steps, and if you don't understand them it isn't likely you will do them, you have nothing to worry about.

And even then, it will only hurt your Linux system IF it is an ELF binary or executable script. Giving execute permission to a Windows exe won't matter because Windows executables cannot execute in Linux. (If you don't have WINE installed.).

And, if you have rkhunter installed it will check your system every day for signs of intrusion, and notify you if it finds any.

So, don't work about email infections or hacker break-ins. In a recent attack, which was a brute force password attack carried out over a period of 6 MONTHS, the attackers managed, out of the millions of computers running Linux, to hijack only 700 of them.

Just don't do those three steps on email attachments and you'll have little to worry about. This isn't Windows.

Re: Linux viruses -- everything you need to know!

Bottom line firefly: As long as you're aware of what not to do - giving out your passwords and the stuff GG pointed out. You'll likely never have a problem that originates from an outside source.

I can't speak for others, but I have been strictly linux for 10 years and have never had a virus or malware and I've never used any sort of additional (other than right out of the box) security. In the past, I even used to remove iptables because I felt even that unnecessary.

Re: Linux viruses -- everything you need to know!

As my signature shows, I've been running Linux since March 2007. I've never been infected by a virus or malware since running Linux, and I've visited sites known to be highly infected with such, sites that had I been running Windoze, would have resulted in instant infection.

Re: Linux viruses -- everything you need to know!


I do plan to run wine, so any issues there?

but if it was hidden, how would you really know without something or someway to tell you? I had some kind of zombie thing before for months and had no clue it was ever there...it was a random scan i did when testing out some online malware scanner that actually caught it and logs indicate it was put on there over 4 months prior...yet i never installed anything.

I'm not new to security or anything, been using computers since 1985. just sayin cause i've seen posts in other forums from windows users who brag they know so much about security blah,blah that they don't use AV and have never been infected which always souned extremely arrogant to me. I know AV is a cat and mouse game, but still IF its possible to be infected, i wanted to learn ways i would know if i was or not cause its not always about knowing your processes or looking for odd behavior. special software to monitor things that can't be seen is handy

but currently i'm not using a permanet install, i'm trying to learn the ins and outs first but forgive me if i don't trust peoples over confidence

Re: Linux viruses -- everything you need to know!

And you shouldn't. But as I'm sure you've been told/heard, Linux is not Windoze. Viri and malware makers target Windoze systems because they are exploitable, and in many cases, exploitable in not very complicated ways. It's a 'target rich' environment. Not so with Linux.

Re: Linux viruses -- everything you need to know!

Hi @f1refly

using linux sence 2005 and as far as I can tell have never had a virus/root kit sence.
I do run rkhunter and chkrootkit ...but have never seen eneything.

when I was runing windows I became annoyed with having to run an ativirus that would eat up a lot of the system's resources (I use old hardware) after switching to linux my old box was MUTCH more stable and responsive.

I even use the linux limewire client (limewire=windows virus cesspool) and am still clean

I personally still recommend a router between the box and the net and the use of rkhunter but that's about it........well and like GG sead don't go setting the execute bit on thing's your not sure about or installing things from just eneyware.

VINNY

Re: Linux viruses -- everything you need to know!

firelfy,
I've been using Linux since the spring of 1998. I have NEVER had an infection of ANY kind, and half that time I ran without firewalls or AV. I still run without AV but Kubuntu automatically installs the ufw (ubuntu firewall using iptables).

And, I use to use WINE to test out Windows viruses. Using IE under WINE I'd download a virus and let it infect my WINE installation (in which "C:\" is a hidden directory under ~/.wine). After it ran I'd examine the "windows file structure" and see what was saved, moved, destroyed, etc... what the payload was. When I was done I'd delete WINE, and with it went the viruses, and reinstall it again. Then try another virus. I found that viruses were pretty much the same, and used the same eight vectors for infection, so it got boring and I quite it. During all that experimenting with Windows viruses using WINE my Linux installation wasn't harmed in any way.

IF you need to use "WINE" allow me to suggest CrossOver from CodeWeaver's. It is commercial, but it is the best "WINE" implementation available, IMO.

Re: Linux viruses -- everything you need to know!

Another use for AV on your linux machine. I have clamav installed. I am often called on to repair a windows system that has been infected with malware. Sometimes these systems won't even boot up properly, and if they boot they run extremely slow and you find that access to many of the more popular malware removal tools has been blocked. I don't even try to work on them until I have removed the hard drive, mounted it in my machine and run clamav on it. I have adapters to allow me to mount just about any hard drive. This works great. You can also backup any personal files while the drive is mounted in anticipation that you may have to reinstall Windows. I almost never have to "nuke and pave" as many so called computer repair shops do routinely.