# Gentoo Linux & Viruses...?

## shgadwa

What's the current status on Linux & viruses?

While I'd like to think that Mac OS X, Linux, as well as all BSD OSes do not get viruses/spyware/malware/etc... that's not always true. As I understand it, it seems that it's just that it's harder to crack Mac OS X, Linux, and such... and building a virus would take much more time. Is that right?

Anyhow, I was browsing www.gentoo-portage.com and I found that there are some antivirus/anti-spyware apps that you can install on Linux. My question is first, is Linux starting to get more and more viruses (as I hope not), and secondly, why would these apps exist (for both Linux and Mac OS X) if they are un-needed? Thirdly, should I install anti-virus software? I sure hope not!

----------

## eccerr0r

Linux can't get viruses?

BSD can't get viruses?

MacOS can't get viruses?

All are false.

In my books, if anyone doesn't understand how a computer works enough to understand the risks and avenues a virus can take to infect, as well as being able to fix the problem (at least be able to solicit help and find out how to do it) on the operating system of their choice, that person is not allowed to run that OS.

It's no harder to write viruses for one system or another; it's more a matter of the virus finding exploits to infect a particular machine. Keep in mind user-level access is plenty of access for some viruses.  System/rootkit viruses may or may not be harder to write... but the key thing is that virus writers want to be lazy and infect the largest number of machines possible - that happens to be Windows first.  I think MacOS and Linux may be tied - MacOS may have higher share but Linux tends to be servers, where juicy data can be found.

Most of the antivirus software for Linux was meant to look for Windows viruses, oddly enough.  There are a few signatures for Linux viruses and worms though.  That's why I tend to not run antivirus on my Linux machines; however, I tend to be very wary of installing/running software and keep a close eye on what it's doing.  I also try to be quick on spotting and fixing issues if I do get infected.  I watch the LAN activity light and check logs for suspicious activity.  Is it enough?  Don't know, but these latest destructive viruses tend to more likely try to infect other machines and that's my main method of detection - when it spreads.

----------

## kernelOfTruth

they exist for those windows boxes

think of an email with an included virus: those antivirus apps cleanse those emails of those viruses so if you forward these emails those windows boxes stay clean ...

no real need for an antivirus program (yet)

----------

## Mistwolf

A lot of people (me included) run antivirus software in Linux for one simple reason: email.

Yes, most virus will not harm your Linux box (with proper precautions), but if you get an email that has a virus and you forward it to your friends/family/etc, then you are helping the virus spread.

Other than scanning email, I use it to scan windows files that I receive on CD/usb drives before installing/copying to any windows based machine.

Hope this helps.

----------

## Jaglover

The whole idea of anti-virus as primary defense does not pass the common sense test. Would you protect a restricted building by checking everybody against a blacklist of known thugs? Nope, you wouldn't call this building secure. For *NIX computers the policy is "default deny"; add significantly fewer major security flaws plus fast reaction in fixing them and you'll get an OS that is drastically more secure than MS crap.

Fact: "Hacker kits" to penetrate Windows are sold with a 6-month warranty, meaning if MS happens to fix the flaw they exploit, your kit will be upgraded to use the next one. Ridiculous, isn't it?

----------

## d2_racing

Is there any virus on Linux? Because right now, I think that the biggest virus is when someone runs a bash file with the root account and it runs this line:

```
# rm /home/you_user /
```

And voila, your Gentoo box is long gone.

----------

## eccerr0r

 *Jaglover wrote:*   

> The whole idea of anti-virus as primary defense does not pass common sense test. Would you protect a restricted building by checking everybody against a blacklist of known thugs?

 

[Devil's Advocate]

One issue with viruses that isn't like thugs: sometimes the same thug tries tens of thousands of buildings trying to find one that would let them in, hoping for just that one that will... Antivirus would at least tell all buildings to look out for a particular guy that was known to be a problem ("WANTED poster" distribution).

However, honestly I do agree with this - antivirus by itself is insufficient.   It should be complemented with your own personal checks, such as a whitelist (which also isn't foolproof by itself!)  The weakest link to any security system is the people running it.

PEBKAC.

Need to do something about the keyboard and chair...

----------

## tomk

Moved from Gentoo Chat to Networking & Security.

----------

## krinn

 *d2_racing wrote:*   

> ```
> # rm /home/you_user /
> ...

 

nah, it's safe: as long as -f isn't used it will just drop you a note, it won't do it on directories

ps: just to kid you

----------

## Jaglover

It's written 5 years ago but still worth reading if you are new to POSIX and afraid of viruses.

http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/#bursting

----------

## strubbldesign

 *d2_racing wrote:*   

> Is there any virus on Linux, because right now, I think that the biggest virus is when someone run a bash file with the root account and he ran that line :
> 
> ```
> # rm /home/you_user /
> ...

 

only if it removes recursively and with force

```
rm -rf /root/
```

the user is also not essentially needed (.ssh config file in /home/your_name/.ssh/....)

but if the root user is getting removed, the system is down

----------

## eccerr0r

Just wondering why people are infatuated by "rm -rf /" when real viruses would rather you not know that you've been infected so they can continue to propagate or allow someone else to stealthily use your computer...  Most Linux viruses strive to create a root account for the attacker... echo 'toor::0:0::/:/bin/sh' >>/etc/passwd is more likely (since /etc/shadow would also need to be modified; better yet, just open a custom, key-protected port that doesn't need an account, less likely to be detected.)

Be very afraid of viruses, no matter what OS you use... Though security by obscurity is not security, obscurity does help increase the amount of time between successful attacks...
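The backdoor eccerr0r describes (an extra UID 0 account appended to /etc/passwd, with an empty password field) is cheap to check for. This is an added example, not code from the thread: it audits a passwd-format file given as its argument, using a constructed sample rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for a root-equivalent account
# that is not "root" and for accounts whose password field is empty.
# Usage: audit_passwd /etc/passwd   (a constructed sample is used below)

# Print every account with UID 0 whose name is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account whose password field is empty, i.e. no password is
# needed to log in ("x" means the hash lives in /etc/shadow, which is normal).
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if the file looks clean, 1 if either check found something.
audit_passwd() {
    status=0
    for u in $(extra_uid0_accounts "$1"); do
        echo "WARNING: '$u' has UID 0 (root-equivalent) in $1"
        status=1
    done
    for u in $(passwordless_accounts "$1"); do
        echo "WARNING: '$u' has an empty password field in $1"
        status=1
    done
    return $status
}

# Constructed sample: a normal passwd file plus the 'toor' line from the post.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
toor::0:0::/:/bin/sh
EOF

audit_passwd "$SAMPLE_PASSWD" || echo "passwd audit FAILED"
```

Run it from cron against the real /etc/passwd and it gives you exactly the kind of trail gr0x0rd's syslog advice is about: a known-good baseline to compare against.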

----------

## d2_racing

Yeah I know strubbldesign, but I didn't want to post the real command that kills a Linux box.

----------

## cach0rr0

Linux on the desktop has such a minuscule market share, there is little point in coding a virus for it in this day and age. 

The hacks you'll see are typically targeted at Linux servers. 

This does not mean that Linux desktops are impervious to viruses; in fact with an open source platform, *in theory* it should be easier to craft a virus you know is going to work, because you can read every piece of dependent code. 

The reality of it, however, is that viruses nowadays are not written by 12 year olds looking to ruin someone's system, or wipe their hard drive. 

Nowadays malware creation is a big money industry, employing professional coders, with the main aim being clandestine control, not destruction. 

Even the worst signature-based AV solutions get definitions out within a week of a new virus's release. 

It is not a wise investment of your time to create a virus that is going to be obsolete a week after its release, when it only runs on desktops that have <1% of the market share. 

With that much money involved, you target the biggest chunk of the market first and foremost - Windows. 

After that you target the second largest - Mac

So how well would Linux desktops perform if they held the majority market share? Who knows. I don't think we'll ever know, unless the Utopian dream of proprietary OSes dying and the majority ending up using BSD or Linux (or any open source *nix) ever comes to fruition - and it won't. 

Now in many respects Linux distros in general are well-designed enough that getting viruses to run without user interaction can be a challenge. 

But they are not impervious to infection - nothing is. You have a few advantages over Windows and Mac systems in that a) you're typically dealing with superior code behind your apps, b) you are not a big enough target to be worthwhile for someone whose paycheck is dependent on the number of hosts they are able to infect. This is the main point to take away from my post. 

And again, I'm speaking only of desktops - servers are a completely different ball game. It is very difficult to actually infect a gentoo-hardened system that is properly configured. You may end up with some manner of backdoor that runs as the logged-on user's account, but actually getting root as a result of a software flaw with a hardened-sources kernel and a hardened userland, is a fairly difficult proposition. It does happen, but such things greatly limit the attack vectors. 

The other bit with servers, the market share is drastically different. I don't have any statistics handy, but I would wager the majority of public-facing servers out there are some *nix variant. 

I have to stop there, typing this from the shitter and my right leg just fell asleep. Hopefully that post is useful enough, I have to go hobble around for a bit until the blood gets back to my leg.

----------

## xibo

Of course Linux configurations can get viruses; there is no reason at all why they shouldn't.

E.g. our dormitory's DNS server was somehow returning random SSH certificates (but only if your way to it went through the tftp port of the switch beside it - ARP spoofing?). When I decided to walk over and take a closer look at that box until someone else ignores it and logs in (multiple people administrate it), I had to log in as a non-super user since the root password had been modified, and the /proc filesystem was being weird while ps didn't show all processes any more (on Windows systems, missing/inaccessible vital files and processes being hidden is a quite obvious symptom).

Another time we had snort reporting Srizbi botnet interactions with a Mac OS X user, who was running infected Windows binaries in Cedega or whatever Mac OS's wine clone is called.

Also, anyone with a static IP address can probably tell how much SSH bruteforcing is going on through the net. I wonder what those "peers" would do if they managed to successfully log in...

IMO, it's actually quite a bit more interesting to write a Linux, BSD or Mac OS worm/trojan than a Windows one, since

1.) Windows people trash their installations more regularly and therefore have to reinstall

2.) BSD or Linux systems have a much higher probability of having a high bandwidth and/or good QoS internet connection, which allows them to spread themselves (or their spam) faster

3.) most Linux/BSD/Mac OS desktop users feel untouchable - often enough to an extent where they allow JavaScript to access their filesystem with super user privileges.

4.) even though most Linux/BSD software is FOSS, most of its (especially desktop) users don't care about what they're executing - at all. Skype quite well proves it.

----------

## Jaglover

Some posters here seem to think writing a virus is barely a question of skill. A computer virus is not swine flu that just comes and infects you. To have a working virus you need to exploit a vulnerability in your target software. This is why there is so much evil-ware for Windows - an endless list of security flaws, some of them 6 months old or even older. MS doesn't care; there is a balance between profitability and high-quality software creation expenses. Until now they have been happy with their crappy product and high profits.

Theoretically FOSS should be easier to breach because you can look at the source, yes. The trouble here is you can look at the source until you are blue; if there is no flaw you are screwed. To save your dignity and mental health you just sit down and write a virus for Windows.

----------

## gerard27

Jaglover,

++

Gerard.

----------

## xibo

 *Jaglover wrote:*   

> To have a working virus you need to exploit a vulnerability in your target software.

 

How about using bugs in your buddy's Linux-running Skype to get super user access to his machine (EADS has a paper on their page on that topic)? Or Adobe Flash?

 *Jaglover wrote:*   

> This is why there is so much evil-ware for Windows - endless list of security flaws. Some of them 6 months old or even older. MS doesn't care, there is a balance between profitability and high-quality software creation expenses. Until now they have been happy with their crappy product and high profits.

 

In the times of Windows XP there had been ~~known bugs~~ knowledgebase articles for malfunctions that were around for 6 years... The problem is, if Microsoft would majorly change Windows, people wouldn't use it any more - not that they would use Mac OS, Linux or any other Unix instead, but they would keep using their old (and bugged) Windows. Vista proved that quite well.

 *Jaglover wrote:*   

> Theoretically FOSS should be easier to breach because you can look at the source, yes. The trouble here is you can look at the source until you are blue, if there is no flaw you are screwed. To save your dignity and mental health you just sit down and write a virus for Windows.

 

When writing a trojan, having the source code is quite handy; when writing a virus, on the other hand, the bug databases on security problems (fixes), which often also contain example code/testcases on how to produce the misbehaviour, are much more handy than the actual code that you would need to analyze first. And most large FOSS projects maintain quite detailed bug tracking systems, while at the same time many distributions often take ages to apply the patches to their repositories or to version-bump to the next minor release where it's fixed.

For a virus, the ext2 corruption bug (was fixed sometime in May iirc) should be a nice start - any kernels < ~2.6.29 should be affected unless they got patched; testcases are on the mailing list; it doesn't need super user privileges to work (`mmap`, `open` and `write` only iirc, plus the obvious socket functions to spam itself around until committing suicide with the host file system). Now all you need is someone to execute a suspicious email attachment... and after I saw people "trying to ignore" Windows Update which was asking to install like 30 (!) updates, or others uninstalling the Windows Malicious Software Removal Tool because "it was annoyingly refusing me to execute that program" [he pirated on eDonkey], I doubt all of the Unix users would think twice before running an unknown application either.

----------

## dE_logics

 *Mistwolf wrote:*   

> A lot of people (me included) run antivirus software in Linux for one simple reason: email.
> 
> Yes, most virus will not harm your Linux box (with proper precautions), but if you get an email that has a virus and you forward it to your friends/family/etc, then you are helping the virus spread.
> 
> Other than scanning email, I use it to scan windows files that I receive on CD/usb drives before installing/copying to any windows based machine.
> ...

 

Well... let them get a lesson and learn not to use Windows!

----------

## gr0x0rd

belikeyeshua,

I haven't heard of any linux-specific viruses, pretty much for the reason that cach0rr0 stated. For a virus to be successful, it has to be able to procreate, and this is a lot tougher to do on linux systems. That said, linux does have a structural commonality that makes it vulnerable to attacks even if you are willing to go to measures to obscure it like eccerr0r mentioned.

The best things you can do? Protect yourself by being diligent, just like eccerr0r suggested. Using some of the free tools at your disposal doesn't hurt either. Here are a few packages you can use to make your life easier.

app-admin/syslog-ng

The first step in protecting yourself, other than being vigilant, is to give yourself a trail to follow if something bad happens. If you don't have a system logger, you need one. 

app-admin/conky

Conky is a system monitor that can display system resource usage and port traffic on your desktop in realtime. Basically, it can save you hunting through your logs if you think something fishy is going on; often, you'll even see incoming attacks as they happen. It is extremely configurable, and there are plenty of threads on this forum on that.

app-antivirus/clamav

clamav is a simple virus scanner for linux that automatically updates its virus database regularly using the freshclam service. Simply installing it and adding it to startup only gives you a tool to detect and remove viruses; you can achieve additional protection by creating a cron job to routinely scan the areas of your system where virii are likely to land, such as /home and /tmp.

net-firewall/iptables

You probably have a router with a hardware firewall, but an additional layer of redundancy never hurts. Having a configurable software firewall at your disposal adds another line of defense. It is also used in conjunction with other programs to drop port traffic from unwanted sources, such as...

net-analyzer/fail2ban

I only discovered this recently so I'm only starting to discover what a great tool this is. The most common point of entry for anything that may compromise your system is via ssh, and as long as you have a system logger in place, you can always review who is trying to log in and from where. fail2ban matches log entries using regular expressions, bans baddies using the method of your choice, and even sends you an email notification if you like. You could even use fail2ban to examine logged output from clamAV to send you email if a virus has been detected on your system.

Hope these help! I'm sure there are plenty of other gentooers here that can chip in a few more great ways to protect yourself...

----------

## d2_racing

Hi, if you don't want to use fail2ban and you want to protect your ssh server, you can use these lines:

```
# Brute force protection
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 5 -j DROP
```
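gr0x0rd's fail2ban description (match log lines with regular expressions, ban the source) and the `--hitcount 5` rule above do the same job at different layers. As an added example, not from the thread, here is a minimal fail2ban-style pass in shell over constructed sshd log lines: it counts failures per source IP, honours an ignore list like fail2ban's `ignoreip`, and prints the DROP rules a ban action would run. Only the maxretry threshold is modelled; fail2ban's findtime window is not, and the ignore list is assumed to be a single /24.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source IP and print the
# iptables rules that would ban the offenders (printed, never executed).

MAXRETRY=5                     # same threshold as the --hitcount 5 rule
IGNOREIP="192.168.1.0/24"      # never ban the LAN (assumed single /24)

# Print "count ip" for every source IP with at least $MAXRETRY failures.
# Matches both sshd failure forms: "Failed password for ... from IP"
# and "Invalid user ... from IP".
ban_candidates() {
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user)' "$1" |
    sed -nE 's/.* from ([0-9]+(\.[0-9]+){3}).*/\1/p' |
    sort | uniq -c |
    awk -v max="$MAXRETRY" '$1 >= max { print $1, $2 }'
}

# Return 0 if $1 is inside the ignore network (prefix match on the /24).
is_ignored() {
    case "$1" in
        "${IGNOREIP%.0/24}".*) return 0 ;;
    esac
    return 1
}

# Emit one iptables command per candidate, skipping ignored sources.
ban_rules() {
    ban_candidates "$1" | while read -r count ip; do
        if is_ignored "$ip"; then
            echo "# skipping $ip ($count failures): in ignore list"
        else
            echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP  # $count failures"
        fi
    done
}

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov  3 10:15:01 gentoo sshd[4211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov  3 10:15:03 gentoo sshd[4211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov  3 10:15:05 gentoo sshd[4213]: Invalid user admin from 203.0.113.5
Nov  3 10:15:06 gentoo sshd[4213]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Nov  3 10:15:09 gentoo sshd[4215]: Failed password for invalid user oracle from 203.0.113.5 port 40131 ssh2
Nov  3 10:16:00 gentoo sshd[4220]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Nov  3 10:16:01 gentoo sshd[4220]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Nov  3 10:16:02 gentoo sshd[4220]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Nov  3 10:16:03 gentoo sshd[4220]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Nov  3 10:16:04 gentoo sshd[4220]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Nov  3 10:17:30 gentoo sshd[4230]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Nov  3 10:17:32 gentoo sshd[4230]: Accepted password for bob from 198.51.100.7 port 33001 ssh2
EOF

ban_rules "$SAMPLE_LOG"
```

The sample deliberately includes a LAN user who fumbles a password five times: without the ignore list the script would lock out your own workstation, which is the classic fail2ban misconfiguration.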

----------

## shgadwa

Hey thanks for all the tips...

Actually, right now I'm just about finished setting up a pfSense router/firewall. pfSense is based on FreeBSD, fyi. I have to say I'm very impressed with it. At first it did not work with my 802.11n wireless card, but then I did an update to 1.2.3-RELEASE and it's working great... but only in 802.11g mode.

Right now I've got squid working great on it. I'm going to get squid caching videos, and I have to install some kind of network monitor thing on it. I also want to install HAVP. It's a virus scanner that scans everything that goes in and out of the network, apparently behind the scenes and without making the net any slower.

I think with a few tweaks, we should have a fairly secure system.

I do have one question though... why would I want to do system logs and make sure that nobody SSHes into my computer if I'm behind a router? Currently I'm actually behind two routers, but I can't wait to get this pfSense box where this junky Netgear router is; then I'll be behind one router. I mean, are there ways that they can somehow crack the system and get into our network when my WAN blocks all incoming traffic?

I'd want to say that nobody is going to be interested in my stuff, or in spying on me, but I know from experience that that's not always true. Just 2-3 months ago somebody somehow figured out the password to an old email address that I've not used in over a year. Then they started emailing everyone in my contact list (friends, foes, and people who I don't even know)... they were sending emails that only had a link in them and nothing more. And I'm pretty sure the link was some kind of virus/spyware thing. What's worse, I was getting lots of emails from people, some even those who I know very well, telling me things like "please do not send me any more of your emails trying to sell me something."

That said, I'll do what I can do to secure my network.

----------

## cach0rr0

 *belikeyeshua wrote:*   

> Just 2-3 months ago somebody somehow figured out the password to an old email address that I've not used in over a year. Then they started emailing everyone in my contact list (friends, foes, and people who I don't even know)... they were sending emails that only had a link in them and nothing more. And I'm pretty sure the link was some kind of virus/spyware thing. What's worse, I was getting lots of emails from people, some even those who I know very well, telling me things like "please do not send me any more of your emails trying to sell me something."
> 
> 

 

That unfortunately requires no compromise of your password. 

E-mail is painfully easy to spoof - rather, the return address is painfully easy to spoof. 

http://en.wikipedia.org/wiki/Joe_job

```
$ telnet mx.blah.com 25
EHLO mate
MAIL FROM:<obama@whitehouse.gov>
RCPT TO:<yourfriend@theirdomain.com>
DATA
From: "Almighty President Obama" <obama@whitehouse.gov>
To: "Victim" <yourfriend@theirdomain.com>
Subject: did you vote for me?

I heard you voted for McCain. I should slap you for that

Warmest Regards,
BH Obama
.
```

and voila, an e-mail from the President!

SPF/Sender-ID/DomainKeys are all supposed, in theory, to cut down on that, but it requires adoption by the recipient's server. People have been slow to adopt. 

Anyway, you and your friends should be aware such a thing exists.

----------

## Jaglover

This resurrects memories of misdirecting usenet followups to create a stir.

----------

## gajop

 *cach0rr0 wrote:*   

> *belikeyeshua wrote:*
> > Just 2-3 months ago somebody somehow figured out the password to an old email address that I've not used in over a year. Then they started emailing everyone in my contact list (friends, foes, and people who I don't even know)... they were sending emails that only had a link in them and nothing more. And I'm pretty sure the link was some kind of virus/spyware thing. What's worse, I was getting lots of emails from people, some even those who I know very well, telling me things like "please do not send me any more of your emails trying to sell me something."
> 
> That unfortunately requires no compromise of your password. 
> ...

 

That works in theory; in reality many of the major SMTP servers do not accept relaying, plain text, or mail being sent from dynamic IPs.

----------

