Homepage › Forums › Articles › Operating Systems › Linux › Antivirus and Malware for Linux
Tagged: adware, avast, clamav, clamtk, kaspersky, linux, LSM, malware, protovirus, ransomware, riskware, scareware, spyware, trojan, virus, worms, zombie
This topic was published by DevynCJohnson and viewed 1552 times since "". The last page revision was "".
- Topics - 437
All computer systems can suffer from malware and viruses, including Linux. Thankfully, very few viruses exist for Linux, so users typically do not install antivirus software. It is still recommended that Linux users have antivirus software installed on Linux systems that are on a network or that have files being transferred to the device. Some users may argue that antivirus software uses up too much resources. Thankfully, low-footprint software exists for Linux. To better understand antivirus programs, it may be beneficial to understand malware itself.
NOTE: I am not suggesting that people should not use antivirus software. True, malware for Linux exists, but is rare. It is up to the user to decide if they need antivirus software. Personally, I recommend antivirus software for servers and important and business computer systems. For private computers, it is up to the user to determine if they want antivirus software.
Types of Malware
Malware - Simply, malware is "bad" software. Malware includes any software that harms a system, data, or processes/applications. Many of the malware categories overlap like trojans and spyware.
Trojan - In a simple summary, trojans hide in applications to get into a user's system or they act as a program themselves. This malware does not replicate. For illustration, a hacker could make a password manager that will supposedly store the users passwords and enter them in for the user. Instead, the username, site, and password combinations are sent to the trojan maker instead of storing the data - this would be a spyware trojan. Additionally, the hacker can hack a real application that handles sensitive data. The data would then be sent to the hacker. Trojans not only take private data, but they may sneak in ads or destroy the system.
Spyware - This malware gathers a user's private data (financial info, passwords, usernames, etc.) and sends it to the spyware maker or other entity that will use the information. Spyware can be trojans and some trojans can be spyware.
Adware - Software that displays ads is considered adware. Not all adware is bad. For instance, Flashget is a freeware Windows application that is adware. The program is safe to use. The ads just fund the development of Flashget. Because most Linux developers make applications open-source, not very many Linux adware programs can be found.
Worms - A computer worm is a replicating program that spreads to other computers. Most rely on networks for transportation. Many readers may ask "What is the difference between a virus and worm?". Simple, viruses attach to programs and worms are standalone software. Viruses come on programs that users download and worms break in through the network. As a general rule, if a user brought it into the system, then it is a virus, else if the malware got in without user intervention, then it is a worm.
Viruses - Computer viruses are replicating code that spread by hiding inside of infected applications and installers.
Zombies - Computer zombies are computers that are controlled by a malicious hacker, trojan, or computer virus to complete malicious tasks.
Riskware - Software with unintended malicious potential. These applications can be used by malware to cause a lot of damage. Because this software is not malware, but can be dangerous is called riskware.
Scareware - Malware that scares users into downloading malicious software or paying money for the fix is scareware. For illustration, scareware may pop up a message that says something like "Your data will be deleted unless you pay $100.". Scareware may also come in the form of a free virus scan over the Internet. This virus scan does not scan the system, but pretends to do so. The scanner will say it found a virus. The scanner then asks the user to pay money to have the virus removed. In summary, scareware scares computer users into paying money or installing malware to protect themselves against a nonexistent threat.
Ransomware - Ransomware is similar to scareware. Ransomware locks the computer and files and will not lift the restrictions until the user pays a ransom. Ransomware really locks the system while scareware bluffs.
Proto-Virus - Some malware is simply annoying. Malware developers might make a computer virus as a prank to bother people. Such malware does not cause damage. A well-known example is the Cookie Monster virus (http://en.wikipedia.org/wiki/Cookie_Monster_(computer_program)) that simply makes messages saying it wants a cookie.
Antivirus Software/Virus Scanners
Virus scanners are security applications that search the system for malware. The scanners look for certain patterns of code or specific characteristics of malware. Depending on the threat potential, virus scanner, and settings, the malware may be deleted instantly or the user will be asked what to do with the malicious software.
NOTE: I do not support or promote any particular antivirus software. I am listing the ones seen below so readers are aware of many popular antivirus software for Linux.
ClamAV - The most popular Linux antivirus software is ClamAV. ClamAV is a command-line antivirus program with a small resource footprint. This software is completely free and open-source under the GPL license. The updates are also free. ClamAV's web-address is clamav.net. Users can go to the site for downloads to install the software or they can type the following command:
apt-get install clamav clamav-daemon clamav-freshclam
ClamAV's definitions are updated via freshclam. Type "freshclam" to update the virus scanner's definitions.
ClamTK - ClamTK is a free frontend for ClamAV. ClamTK is licensed under the GPL license. ClamTK passes parameters to ClamAV, but ClamTK does not perform the scan or any other task itself. To install ClamTK, go to clamtk.sourceforge.net and download the software or type the command:
apt-get install clamtk
Avast - Avast is a freemium antivirus software. Avast is not open-source and uses up resources like RAM. Many users feel that Avast offers more protection than ClamAV. The paid version of Avast offers numerous features that ClamAV lacks. For instance, Avast can sandbox applications. To obtain Avast, visit avast.com and download the application.
AVG - Anti-Virus Guard is a proprietary virus scanner that can be downloaded from free.avg.com/us-en/download.prd-alf.
Comodo - Comodo is a proprietary scanner that can be downloaded from comodo.com/home/internet-security/antivirus-for-linux.php.
Kaspersky - Kaspersky is a proprietary scanner that can be found on this link - kaspersky.com/product-updates/linux-file-server-antivirus.
Protecting and Repairing
The best way to protect a system against viruses is to only download and install software from trusted sites and developers. For example, get programs from your distro's official repository before using a program obtained from some third party site.
There are two ways to remove malware. The first method includes using a virus scanner to remove the malware. Depending on the antivirus software and the type of malware, some antivirus scanners can repair the infected file. Thus, the file does not need to be deleted. The second way is to manually delete the files that are known to be the culprits.
To repair damaged executables, reinstall the infected or damaged software. For example, if a virus infected a Firefox executable, then re-download and install Firefox. After doing so, the user should probably reinstall various system executables and files like Grub and the Linux kernel.
If a user is unsure if an application is malware, then they can scan the software for viruses and sandbox the program. Sandboxing is a security mechanism where the sandboxed application is being executed with restricted resources. Malware cannot harm the system because the restrictions keep the malicious code from completing its tasks or executing at all. If the system detects that the application running in the sandbox is trying to perform malicious tasks, then the user or security system can delete the program. Some antivirus software supports sandboxing. If not, a sandboxing application can be installed.
Linux Security Modules (LSMs) can help prevent malware from damaging the system too severely if malicious code does find its way into your computer. More about these Linux Security Modules can be found in this article (http://www.linux.org/threads/the-linux-kernel-security.4223/). Some examples of LSMs include SELinux and AppArmor.
Keeping security patches up-to-date and using properly configured firewall can help reduce the chances of getting malware. Installing browser add-ons that prevent users from going to malware sites can provide additional protection. Also, never use Root privileges unless it is needed. The frequent use of Root privileges increases the chance that malware on your system can gain such privileges. This could happen if a user executes or installs malware or infected files.
Knowledge is Power
When protecting yourself against malware, it is important to know that malware is typically in an executable, or the malware is the executable itself. However, malware can exist in non-executable files. This is a fact many people tend to disregard (including myself at one point). For instance, *.doc files, text files, and FLV files could contain viruses, but how? Well, anyone that is familiar with a macros in a word processor (like MS-Word or Libre-Office) is aware of the possibility of macros viruses. A macros virus is simply a virus written using macros code. As for viruses in text files, a user might download a program whose executable gets the code for the virus out of a text file that came with the malicious application. As for FLV, it is possible to make a Flash-virus, so the Flash-player would execute the malicious code that is in the Flash-video file. Another fact to remember, most screensavers are executables, so malware may hide in screensavers.
Some malware might infect your system by sneaking in through an open network connection or hijacking an active connection. This is one reason why some server admins configure unused ports to be closed.
Even though Linux has very few viruses, all computers and servers should have some form of protection against malware. Knowing how malware works and how to protect computers will aid in protecting many systems. Also, keep in mind that crackers (bad hackers) may find clever ways of designing and releasing malware, so be careful.