Linux malware
Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well protected against, but not immune to, computer viruses. According to advocates like Scott Granneman, Linux provides better protection compared to Microsoft Windows.

There has not yet been a widespread Linux malware threat of the type that Microsoft Windows software faces; this is commonly attributed to the small number of users running Linux as a desktop operating system, the malware's lack of root access and the fast patching of most Linux vulnerabilities.

The number of malicious programs — including viruses, Trojans, and other threats — specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.

Linux vulnerability

Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and some form of access control is implemented. To gain control over a Linux system or cause any serious consequence to the system itself, the malware would have to gain root access to the system, which requires a user's password and so would be difficult to accomplish.

Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS." Rick Moen, an experienced Linux system administrator, counters that:

Some Linux users run Linux-based anti-virus software to scan insecure documents and email that comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:

Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example, the open-source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."

Viruses and trojan horses

The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be infected. The infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system.

It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges. It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay or similar and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user into running the (trojan) program in the first place.
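The defender's counterpart to the "run at every login" component described above is a periodic audit of the files a login executes automatically. The script below is an added example, not code from the article: it lists the shell start-up and desktop autostart files under a home directory and flags lines that fetch or launch something from a writable scratch location. The set of paths and the pattern are this example's own assumptions, and the sample home directory is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the article): audit the files a Linux login runs
# automatically, the usual places an unwanted per-login component is wired in.
# The paths and the pattern below are assumptions of this example; tune them
# to your distribution and compare against a known-good baseline.

# login_hook_files HOME: shell start-up files and desktop autostart entries.
login_hook_files() {
    h=$1
    for f in "$h/.profile" "$h/.bash_profile" "$h/.bash_login" "$h/.bashrc" \
             "$h/.zshrc" "$h/.xsessionrc" "$h"/.config/autostart/*.desktop; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Lines that download something, decode a blob, or run from /tmp or /dev/shm.
# A constructed heuristic, not an exhaustive signature.
SUSPECT_PATTERN='(^|[^[:alnum:]_])(curl|wget|base64)([^[:alnum:]_]|$)|/tmp/|/dev/shm/'

# audit_login_hooks HOME: print "file:line:text" for every matching line.
audit_login_hooks() {
    login_hook_files "$1" | while IFS= read -r f; do
        grep -nHE "$SUSPECT_PATTERN" "$f" || :
    done
    return 0
}

# Walk-through on a constructed home directory: a harmless .bashrc and a
# .profile with one line that starts a program out of /tmp at every login.
demo() {
    h=$(mktemp -d) || return 1
    printf "alias ll='ls -l'\nexport EDITOR=vi\n" > "$h/.bashrc"
    printf 'PATH=$HOME/bin:$PATH\n(/tmp/.cache-update &) >/dev/null 2>&1\n' > "$h/.profile"
    echo "login hook files under $h:"
    login_hook_files "$h"
    echo "lines worth a second look:"
    audit_login_hooks "$h"
    rm -rf "$h"
}

demo
```

Run it against a real account with `audit_login_hooks /home/<user>`; system-wide hooks (/etc/profile.d, /etc/xdg/autostart, cron) deserve the same treatment, and a package-managed baseline (for example the distribution's shipped skeleton files) makes the comparison far more precise than a pattern match.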

The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. Subsequently, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of digital signatures on these checksums provides an additional line of defense, which limits the scope of attacks to include only the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled.
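The following script is an added example, not code from the article or from any distribution's tooling. It verifies a download against a published checksum list in the layout that `sha256sum -c` reads, then walks through why a checksum list that travels over the same channel as the file cannot, on its own, stop a man-in-the-middle, which is the gap the signature closes. Every file is constructed in a temporary directory; "pkg-1.0.tar.gz" is a placeholder name.

```shell
#!/bin/sh
# Added example (not from the article): checksum verification of a download,
# and why the checksum list itself needs a digital signature. All files are
# constructed in a temporary directory; pkg-1.0.tar.gz is a placeholder.

# sha256_of FILE: hex SHA-256 digest (GNU coreutils or BSD/macOS tooling).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package FILE MANIFEST
# MANIFEST holds lines "<hex digest>  <file name>" (the sha256sum layout).
# Exit status: 0 = digest matches, 1 = mismatch, 2 = no entry for FILE.
verify_package() {
    vp_name=$(basename "$1")
    vp_expected=$(awk -v n="$vp_name" '$2 == n { print $1; exit }' "$2")
    [ -n "$vp_expected" ] || return 2
    [ "$(sha256_of "$1")" = "$vp_expected" ] || return 1
    return 0
}

# The three situations a mirror user can end up in.
demo() {
    d=$(mktemp -d) || return 1
    printf 'original payload\n' > "$d/pkg-1.0.tar.gz"
    printf '%s  pkg-1.0.tar.gz\n' "$(sha256_of "$d/pkg-1.0.tar.gz")" > "$d/SHA256SUMS"

    if verify_package "$d/pkg-1.0.tar.gz" "$d/SHA256SUMS"; then
        echo "1. untouched download: checksum matches"
    fi

    # A poisoned mirror or an in-path attacker swaps the file but not the list.
    printf 'tampered payload\n' > "$d/pkg-1.0.tar.gz"
    if ! verify_package "$d/pkg-1.0.tar.gz" "$d/SHA256SUMS"; then
        echo "2. modified file, original list: mismatch detected"
    fi

    # Whoever controls the download channel can rewrite the list as well, and
    # an unsigned list then verifies cleanly against the modified file.
    printf '%s  pkg-1.0.tar.gz\n' "$(sha256_of "$d/pkg-1.0.tar.gz")" > "$d/SHA256SUMS"
    if verify_package "$d/pkg-1.0.tar.gz" "$d/SHA256SUMS"; then
        echo "3. modified file and modified list: the checksum alone cannot tell"
    fi
    # This is why the list (or the repository metadata that carries the
    # digests) is signed with a key the client already holds; with a detached
    # signature the check is:  gpg --verify SHA256SUMS.asc SHA256SUMS
    # It is not run here because no key material is assumed to be installed.
    rm -rf "$d"
}

demo
```

The order of the checks matters in practice: verify the signature on the list first, and only then compare the file's digest against it; a digest that matches an unverified list proves nothing about who produced the file.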

Worms and targeted attacks

The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known, there is no guarantee that a certain installation is secure. Also, servers without such vulnerabilities can be successfully attacked through weak passwords.
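The weak-password route above leaves a very recognisable trace in the authentication log. The script below is an added example, not code from the article: it reads OpenSSH's "Failed password" messages, counts failures per source address, and reports the addresses that exceed a threshold, plus the number of password attempts aimed at root. The log lines are constructed for the example (RFC 5737 documentation addresses, invented host and process ids); their shape follows what sshd writes via syslog.

```shell
#!/bin/sh
# Added example (not from the article): spotting password guessing against
# sshd in authentication logs. The log below is constructed for the example.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2310]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:14 web1 sshd[2310]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 10:01:15 web1 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Mar  3 10:01:17 web1 sshd[2315]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Mar  3 10:02:01 web1 sshd[2320]: Accepted publickey for alice from 198.51.100.24 port 40022 ssh2
Mar  3 10:02:40 web1 sshd[2331]: Failed password for bob from 198.51.100.24 port 40100 ssh2
Mar  3 10:03:05 web1 sshd[2333]: Accepted password for bob from 198.51.100.24 port 40101 ssh2
Mar  3 10:03:30 web1 sshd[2340]: Failed password for root from 203.0.113.7 port 51044 ssh2'

# failed_by_source: "<failures> <source address>" per address, busiest first.
# Reads log text on stdin. The address is the token after "from", which
# handles both "for USER from" and "for invalid user USER from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD: addresses with at least THRESHOLD failures,
# the candidates for a firewall block or a connection rate limit.
brute_force_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# root_password_attempts: failed password logins aimed at root. On a host
# with "PermitRootLogin no" these are noise to block; on one that still
# permits it they are the argument for turning it off.
root_password_attempts() {
    grep -c 'sshd\[[0-9]*\]: Failed password for root from ' || :
}

echo "failures per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
echo "sources at or above 3 failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
echo "password attempts against root: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | root_password_attempts)"
```

On a live system feed the functions with `grep sshd /var/log/auth.log | brute_force_sources 10` (or `journalctl -u ssh` on journald hosts). A single failure from an address that later authenticates, as for bob above, is ordinary typo noise; the mitigation the page points to is to stop relying on passwords at all (key-based authentication, `PasswordAuthentication no`).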

Web scripts

Linux servers may also be used by malware without any attack against the system itself, where e.g. web content and scripts are insufficiently restricted or checked and are used by malware to attack visitors. Typically a CGI script (meant for leaving comments) by mistake allows a visitor to include code that exploits vulnerabilities in other visitors' web browsers.
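The comment-script mistake above comes down to splicing visitor text into a page unencoded. The script below is an added example, not code from the article: a minimal CGI written in sh that renders a stored comment, first in the unsafe form and then corrected with HTML encoding, plus a complete response that adds a Content-Security-Policy header as a second layer. The comment text is a constructed sample, and the example assumes the form field has already been URL-decoded.

```shell
#!/bin/sh
# Added example (not from the article): a comment-display CGI in its unsafe
# and corrected forms. SAMPLE_COMMENT is constructed; URL decoding of the
# submitted field is assumed to have happened already.

# html_escape TEXT: encode the five characters that carry meaning in HTML so
# that visitor-supplied text is displayed as text, never parsed as markup.
# '&' goes first so the entities produced by later rules are not re-encoded.
html_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                             -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Unsafe: the comment becomes part of the page every later visitor loads,
# markup included.
render_comment_unsafe() {
    printf '<p class="comment">%s</p>\n' "$1"
}

# Corrected: identical output shape, comment encoded first.
render_comment_safe() {
    printf '<p class="comment">%s</p>\n' "$(html_escape "$1")"
}

# cgi_page COMMENT: a full CGI response (headers, blank line, body). The CSP
# header refuses inline and third-party script even if encoding were ever
# missed elsewhere in the application.
cgi_page() {
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf "Content-Security-Policy: default-src 'self'\r\n"
    printf '\r\n'
    printf '<!DOCTYPE html><html><body><h1>Comments</h1>\n'
    render_comment_safe "$1"
    printf '</body></html>\n'
}

SAMPLE_COMMENT='Nice post! <script>alert("hello")</script>'
echo "--- unsafe rendering ---"
render_comment_unsafe "$SAMPLE_COMMENT"
echo "--- corrected rendering ---"
render_comment_safe "$SAMPLE_COMMENT"
echo "--- complete response ---"
cgi_page "$SAMPLE_COMMENT"
```

Encoding at output time is the fix the page's scenario needs; it has to be applied for every context the text lands in (an attribute value or a URL needs its own encoding), which is why template engines that encode by default are preferable to hand-built printf calls.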

Buffer overruns

Older Linux distributions were relatively sensitive to buffer overrun attacks: if the program itself did not check the size of its buffers, the kernel provided only limited protection, allowing an attacker to execute arbitrary code with the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However, as of 2009 most kernels include address space layout randomization (ASLR), enhanced memory protection and other extensions, making such attacks much more difficult to arrange.
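Two checks follow directly from the paragraph above: which programs on a system carry the setuid or setgid bit, since those are the ones where a memory-safety bug hands out another user's rights, and whether the kernel's address space randomization is actually switched on. The script below is an added example, not code from the article; the sample directory tree it audits is constructed, and the /proc paths are Linux-specific, so the functions report "unknown" elsewhere.

```shell
#!/bin/sh
# Added example (not from the article): audit setuid/setgid programs and read
# the kernel's ASLR setting. The sample tree is constructed in a temp dir.

# find_setuid ROOT: regular files under ROOT with the setuid or setgid bit.
# Compare against the distribution's default set and drop the bit
# (chmod u-s / g-s) from anything that does not need it.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
    return 0
}

# aslr_status: /proc/sys/kernel/randomize_va_space on Linux
# (0 = off; 1 = stack, mmap base, VDSO and shared libraries randomised;
# 2 = heap as well, the usual default), or "unknown" where /proc is absent.
aslr_status() {
    f=/proc/sys/kernel/randomize_va_space
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# stack_base: start address of the [stack] mapping of a fresh process (the
# awk that reads its own /proc/self/maps). With ASLR on, two calls print
# different addresses; with it off, the same one.
stack_base() {
    if [ -r /proc/self/maps ]; then
        awk '/\[stack\]/ { split($1, a, "-"); print a[1] }' /proc/self/maps
    else
        echo unknown
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/helper"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/privtool"
    chmod 755 "$d/bin/helper"
    chmod 4755 "$d/bin/privtool"   # constructed setuid program
    echo "setuid/setgid files under $d:"
    find_setuid "$d"
    echo "randomize_va_space: $(aslr_status)"
    echo "stack base, process 1: $(stack_base)"
    echo "stack base, process 2: $(stack_base)"
    rm -rf "$d"
}

demo
```

On a real host run `find_setuid /` as root and keep the output under version control; a new entry between two runs is exactly the kind of change (a dropped setuid backdoor, or a package that quietly grew a privileged helper) worth investigating. A `randomize_va_space` of 0 on a modern kernel means someone turned the protection off.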

Cross-platform viruses

A new area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an OpenOffice.org virus called Badbunny.

Stuart Smith of Symantec wrote the following:

"What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc, can be abused. All too often, this is forgotten in the pursuit to match features with another vendor... [T]he ability for malware to survive in a cross-platform, cross-application environment has particular relevance as more and more malware is pushed out via Web sites. How long until someone uses something like this to drop a JavaScript infector on a Web server, regardless of platform?"

Social engineering

As is the case with any operating system, Linux is vulnerable to malware that tricks the user into installing it through social engineering. In December 2009 a malicious waterfall screensaver was discovered that contained a script that used the infected Linux PC in denial-of-service attacks.

Anti-virus applications

There are a number of anti-virus applications available for Linux, most of which are designed for servers, including:
  • Avast! (freeware and commercial)
  • AVG (freeware and commercial)
  • Avira (freeware and commercial)
  • BitDefender (freeware and commercial)
  • ClamAV (free open source software)
  • Dr.Web (commercial)
  • eScan Anti-Virus for Linux (commercial)
  • Eset (commercial)
  • F-Secure Linux (commercial)
  • Kaspersky Linux Security (commercial)
  • Linux Malware Detect (free open source software)
  • McAfee VirusScan Enterprise for Linux (commercial)
  • Norman Security Suite for Linux (commercial)
  • Panda Security for Linux (commercial)
  • rkhunter (free open source software)
  • Sophos (commercial)
  • Symantec AntiVirus for Linux (commercial)
  • Trend Micro ServerProtect for Linux (commercial)


Threats

The following is a partial list of known Linux malware. However, few if any are in the wild (with the exception of Android malware), and most have been rendered obsolete by Linux updates. Known malware is not the only or even the most important threat: new malware or attacks directed at specific sites can use vulnerabilities previously unknown to the community or unused by malware.

Trojans

  • Kaiten - Linux.Backdoor.Kaiten trojan horse
  • Rexob - Linux.Backdoor.Rexob trojan
  • Waterfall screensaver backdoor - on gnome-look.org

  • Droiddream
  • FakePlayer - Trojan-SMS.AndroidOS.FakePlayer.a


Viruses

  • 42
  • Arches
  • Alaeda - Virus.Linux.Alaeda
  • Bad Bunny - Perl.Badbunny
  • Binom - Linux/Binom
  • Bliss - requires root privileges
  • Brundle
  • Bukowski
  • Caveat
  • Coin
  • Diesel - Virus.Linux.Diesel.962
  • Hasher
  • Kagob a - Virus.Linux.Kagob.a
  • Kagob b - Virus.Linux.Kagob.b
  • Lacrimae (aka Crimea)
  • MetaPHOR (also known as Simile)
  • Nuxbee - Virus.Linux.Nuxbee.1403
  • OSF.8759
  • PiLoT
  • Podloso - Linux.Podloso (the iPod virus)
  • RELx
  • Rike - Virus.Linux.Rike.1627
  • RST - Virus.Linux.RST.a (known for infecting the Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005)
  • Satyr - Virus.Linux.Satyr.a
  • Staog - obsoleted by updates
  • Vit - Virus.Linux.Vit.4096
  • Winter - Virus.Linux.Winter.341
  • Winux (also known as Lindose and PEElf)
  • Wit virus
  • ZipWorm - Virus.Linux.ZipWorm


Worms

  • Adm - Net-Worm.Linux.Adm
  • Adore
  • Cheese - Net-Worm.Linux.Cheese
  • Devnull
  • Kork
  • Linux/Lion
  • Linux/Lupper.worm
  • Mighty - Net-Worm.Linux.Mighty
  • Millen - Linux.Millen.Worm
  • Ramen worm - targeted only Red Hat Linux distributions versions 6.2 and 7.0
  • Slapper
  • SSH Bruteforce


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 