
Linux Malware And Antivirus

Article posted 12/06/2014

by Devyn Collier Johnson

All computer systems can suffer from malware, and Linux is no exception. Comparatively little malware targets Linux, so most Linux users do not run antivirus software. It is still advisable on Linux systems that are on a network, that receive files from other devices, or that store or relay files for Windows machines: a Linux mail or file server can pass Windows malware along even though it is never affected itself. Some users object that antivirus software uses too many resources, but low-footprint software exists for Linux. To better understand antivirus programs, it helps to understand malware itself.

Types of Malware:

Malware - Simply put, malware is "bad" software: any software that harms a system, its data, or its processes and applications. Many of the categories below overlap; a trojan can also be spyware, for example.

Trojan - In short, a trojan hides inside a legitimate-looking application, or poses as one, to get onto a user's system. Unlike viruses and worms, trojans do not replicate. For illustration, an attacker could publish a password manager that supposedly stores the user's passwords and fills them in. Instead of (or as well as) storing the data, it sends the username, site, and password combinations to the trojan's author; this would be a spyware trojan. Alternatively, the attacker can tamper with a real application that handles sensitive data so that it leaks that data to the attacker. Trojans do not only steal private data; they may also inject ads, open a backdoor for remote control, or destroy the system.

Spyware - This malware gathers a user's private data (financial information, passwords, usernames, and so on) and sends it to the spyware maker or another party who will use it. Spyware is often delivered as a trojan, and a trojan that collects data is spyware.

Adware - Software that displays ads is adware. Not all adware is malicious. For instance, Flashget is a freeware Windows download manager whose ads fund its development; the program itself is safe to use. Because most Linux developers release their applications as open source, very few Linux adware programs exist.

Worms - A computer worm is a self-replicating program that spreads to other computers on its own, usually over a network. Many readers ask what the difference between a virus and a worm is. Simply put, a virus attaches itself to a host program and needs that program (and usually a user) to run it, while a worm is standalone software that spreads itself, typically by exploiting a network service. As a rule of thumb, if a user brought it into the system, it is a virus; if it got in without user intervention, it is a worm.

Viruses - Computer viruses are self-replicating code that spreads by inserting itself into other applications and installers; the virus runs whenever its infected host program runs.

Zombies - A zombie is a computer under the remote control of an attacker, usually through a trojan, worm, or virus, that is used to carry out malicious tasks such as sending spam or attacking other systems. A group of zombies under common control is a botnet.

Riskware - Legitimate software with unintended malicious potential, such as remote administration tools, packet sniffers, or password recovery utilities. These programs are not malware themselves, but malware or an intruder can use them to cause a lot of damage, which is why scanners flag them as riskware rather than deleting them outright.

Scareware - Malware that frightens users into downloading malicious software or paying for a "fix" is scareware. For illustration, scareware may pop up a message saying something like "Your data will be deleted unless you pay $100." Scareware also comes in the form of a "free virus scan" on a web page: the scan does not examine the system at all but pretends to, reports that it found a virus, and then asks the user to pay to have it removed. In summary, scareware scares computer users into paying money or installing malware to protect themselves against a nonexistent threat.

Ransomware - Ransomware is related to scareware but carries out the threat: it locks the computer or encrypts the user's files and will not lift the restriction until a ransom is paid. Ransomware really locks the system, while scareware bluffs. Regular backups kept offline are the only reliable way to recover from it without paying.

If a user is unsure whether an application is malware, they can scan it with a virus scanner and run it in a sandbox. Sandboxing is a security mechanism in which the application is executed with restricted resources and permissions: limited CPU time, memory, disk, file access, and network access. The restrictions keep malicious code from completing its tasks, or from running at all, so it cannot harm the rest of the system. If the application is seen trying to do something malicious inside the sandbox, the user or the security system can delete it. A sandbox is only as strong as its restrictions, though; a program that is still allowed to write to the user's home directory or talk to the network is not really contained.
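To make the idea concrete, here is an added example (not code from the original article or from any antivirus product) that runs a suspect program with the resource limits described above, using only the Python standard library: per-process limits set in the child before exec, a wall-clock timeout, a minimal environment, and an empty scratch directory used as the working directory and HOME. The limit values and the shell command in the demo are constructed for the example. It does not isolate the network or the rest of the filesystem; for that, a container, a virtual machine, firejail, or bubblewrap would be needed in addition.

```python
"""Run an untrusted program under resource limits in a throw-away directory.

Added example; it is not code from the original article or from any antivirus
product. Only the Python standard library is used: setrlimit() in the child
before exec(), a wall-clock timeout, a minimal environment and an empty
scratch directory as the working directory and HOME. It does not isolate the
network or the rest of the filesystem; a container, a VM, firejail or
bubblewrap is needed for that (assumed to be installed separately, not shown).
"""
import os
import resource
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Limits chosen for this example; tune them to the program under test.
CPU_SECONDS = 2                  # RLIMIT_CPU: killed after 2 s of CPU time
MEMORY_BYTES = 256 * 1024 ** 2   # RLIMIT_AS: 256 MiB of address space
MAX_FILE_BYTES = 1024 ** 2       # RLIMIT_FSIZE: no single file over 1 MiB
WALL_SECONDS = 5                 # wall-clock cap, e.g. for a hung network wait


@dataclass
class SandboxResult:
    returncode: Optional[int]      # None when killed by the wall-clock timeout
    stdout: str
    stderr: str
    timed_out: bool
    files_written: Dict[str, int] = field(default_factory=dict)  # relpath -> bytes


def _cap(limit: int, wanted: int) -> None:
    """Lower a limit to `wanted` without exceeding the current hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    resource.setrlimit(limit, (wanted, wanted))


def _apply_limits() -> None:
    """Runs in the child between fork() and exec(), so only the suspect is limited."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, MEMORY_BYTES)
    _cap(resource.RLIMIT_FSIZE, MAX_FILE_BYTES)
    _cap(resource.RLIMIT_CORE, 0)     # no core dumps of the suspect left around
    os.umask(0o077)                   # anything it creates is private to us


def _text(data) -> str:
    """Captured output arrives as bytes; after a timeout it may be None."""
    if data is None:
        return ""
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def run_sandboxed(argv: List[str], wall_seconds: float = WALL_SECONDS) -> SandboxResult:
    """Execute argv with the limits above and report what it did."""
    scratch = tempfile.mkdtemp(prefix="sandbox-")
    env = {"PATH": "/usr/bin:/bin", "HOME": scratch, "LANG": "C"}
    timed_out = False
    try:
        try:
            proc = subprocess.run(argv, cwd=scratch, env=env, capture_output=True,
                                  timeout=wall_seconds, preexec_fn=_apply_limits)
            rc, out, err = proc.returncode, proc.stdout, proc.stderr
        except subprocess.TimeoutExpired as exc:   # run() has already killed it
            timed_out, rc, out, err = True, None, exc.stdout, exc.stderr
        # Record every file the program left behind before the directory goes away.
        written: Dict[str, int] = {}
        for dirpath, _dirs, names in os.walk(scratch):
            for name in names:
                full = os.path.join(dirpath, name)
                written[os.path.relpath(full, scratch)] = os.lstat(full).st_size
        return SandboxResult(rc, _text(out), _text(err), timed_out, written)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    # Constructed demo: a harmless shell command standing in for a suspect binary.
    print(run_sandboxed(["sh", "-c", "echo hello > note.txt; cat note.txt"]))
```

The three limits map onto the three usual things a suspect program does when it misbehaves: spinning the CPU, eating memory, and filling the disk. The wall-clock timeout catches the fourth, a program that simply waits (for a command-and-control server, say). Everything the program writes is reported and then destroyed with the scratch directory, which is also what makes it safe to run twice.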

Antivirus Software/Virus Scanners:

Virus scanners are security applications that search the system for malware. A scanner compares files against a database of signatures: hashes of known malicious files and byte patterns lifted from malware code. Some scanners also apply heuristics that look for suspicious characteristics rather than exact matches. Depending on the threat, the scanner, and its settings, the malware may be deleted or quarantined immediately, or the user is asked what to do with it. Because a signature database only contains malware that has already been analysed, it must be updated frequently, and a clean result never proves that a file is safe.
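The following added example (not ClamAV's code, and not from the original article) shows the two kinds of signature matching in about sixty lines. It reads a small subset of two of ClamAV's plain-text signature formats, hash lines in the `.hdb` layout (`MD5:FileSize:MalwareName`) and pattern lines in the `.ndb` layout (`MalwareName:TargetType:Offset:HexSignature`), accepting only the `*` offset and literal hex with no wildcards. Every signature and sample file in it is constructed for the example and corresponds to no real malware; the names `Example.Script.HashMatch` and `Example.PatternMatch` are invented.

```python
"""A minimal signature scanner: whole-file hash matches and byte-pattern matches.

Added example, not ClamAV's code. It reads a subset of two ClamAV text
signature formats (assumption: only the fields below, no wildcards):
    .hdb line   MD5:FileSize:MalwareName            whole-file hash
    .ndb line   MalwareName:TargetType:Offset:Hex   byte pattern; here only
                Offset '*' (anywhere in the file) and literal hex are accepted
Every signature and sample file below is constructed for this example and
corresponds to no real malware.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "known bad" file contents, used to derive the hash signature.
KNOWN_BAD_FILE = b"#!/bin/sh\necho constructed sample, not real malware\n"
# Constructed byte pattern, as a scanner would lift it from a malware body.
BAD_PATTERN = b"EXAMPLE-BAD-PAYLOAD"

SAMPLE_DB = (
    "# hash signature (hdb layout)\n"
    f"{hashlib.md5(KNOWN_BAD_FILE).hexdigest()}:{len(KNOWN_BAD_FILE)}:Example.Script.HashMatch\n"
    "# pattern signature (ndb layout): target 0 = any file, offset * = anywhere\n"
    f"Example.PatternMatch:0:*:{BAD_PATTERN.hex()}\n"
)


@dataclass
class PatternSig:
    name: str
    pattern: bytes


def parse_db(text: str) -> Tuple[Dict[Tuple[str, int], str], List[PatternSig]]:
    """Split a signature file into a (md5, size) -> name map and a pattern list."""
    hashes: Dict[Tuple[str, int], str] = {}
    patterns: List[PatternSig] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 3 and len(fields[0]) == 32:        # hdb layout
            md5, size, name = fields
            hashes[(md5.lower(), int(size))] = name
        elif len(fields) == 4 and fields[2] == "*":           # ndb subset
            name, _target, _offset, hexsig = fields
            patterns.append(PatternSig(name, bytes.fromhex(hexsig)))
        else:
            raise ValueError(f"unsupported signature line: {raw!r}")
    return hashes, patterns


def scan_file(path: str, hashes, patterns, chunk_size: int = 1 << 20) -> List[str]:
    """Return the names of every signature that matches one file.

    The file is read in chunks; a tail of (longest pattern - 1) bytes is kept so
    that a pattern straddling two chunks is still found.
    """
    overlap = max((len(p.pattern) for p in patterns), default=1) - 1
    digest, size, tail = hashlib.md5(), 0, b""
    found = set()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            digest.update(block)
            size += len(block)
            window = tail + block
            for sig in patterns:
                if sig.name not in found and sig.pattern in window:
                    found.add(sig.name)
            tail = window[-overlap:] if overlap else b""
    hash_hit = hashes.get((digest.hexdigest(), size))
    if hash_hit:
        found.add(hash_hit)
    return sorted(found)


def scan_tree(root: str, hashes, patterns, chunk_size: int = 1 << 20) -> Dict[str, List[str]]:
    """Scan every regular file under root; report only the infected ones."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            hits = scan_file(full, hashes, patterns, chunk_size)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def demo(chunk_size: int = 1 << 20) -> Dict[str, List[str]]:
    """Build a constructed directory of clean and 'infected' files and scan it."""
    hashes, patterns = parse_db(SAMPLE_DB)
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pictures"))
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(os.path.join(root, "suspect.sh"), "wb") as fh:
            fh.write(KNOWN_BAD_FILE)
        # A data file carrying the pattern: scanners look at all files, not only executables.
        with open(os.path.join(root, "pictures", "photo.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + BAD_PATTERN + b"\x00" * 100)
        return scan_tree(root, hashes, patterns, chunk_size)


if __name__ == "__main__":
    print(demo())
```

The hash signature catches only a byte-for-byte copy of a known file; change one byte and it no longer matches, which is why real databases also carry patterns. The pattern signature catches the same payload wherever it is embedded, including inside a data file such as the constructed PNG here. The chunked read with an overlapping tail is the detail people most often get wrong when writing such a loop: without it, a pattern that crosses a chunk boundary is silently missed, which the `chunk_size=7` run in the test exercises. To test a real installation of ClamAV, use the standard EICAR test file, which is harmless and is meant to be detected by every scanner.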

ClamAV - The best-known Linux antivirus software is ClamAV. ClamAV is a command-line antivirus program with a small resource footprint: the clamscan command performs on-demand scans, the clamd daemon (queried with clamdscan) keeps the signatures loaded for faster repeated scans, and freshclam fetches updates. The software is free and open-source under the GPL, and the signature updates are free as well. ClamAV's web-address is http://clamav.net. Users can download it from the site or, on Debian and Ubuntu, type the following command:

sudo apt-get install clamav clamav-daemon clamav-freshclam

ClamAV's definitions are updated via freshclam. Type "sudo freshclam" to update the virus scanner's definitions. On Debian and Ubuntu the clamav-freshclam package also runs freshclam as a background service that updates on a schedule; if that service is running, a manual run fails with a lock error, so either stop the service first or simply let it do the updating. Scanning with stale definitions gives a false sense of security, so check that updates are actually succeeding.

ClamTK - ClamTK is a free graphical frontend for ClamAV, licensed under the GPL. ClamTK only passes parameters to ClamAV; it does not perform the scan or any other task itself, so ClamAV must be installed as well. To install ClamTK, go to http://clamtk.sourceforge.net and download the software, or type the command below:

sudo apt-get install clamtk

Avast - Avast is freemium antivirus software. Avast is not open-source and uses more resources, notably RAM, than ClamAV. Many users feel that Avast offers more protection than ClamAV, and the paid version offers several features that ClamAV lacks; for instance, Avast can sandbox applications. To obtain Avast, visit http://avast.com and download the application.

AVG - AVG (Anti-Virus Guard) is a proprietary virus scanner that can be downloaded from http://free.avg.com/us-en/download.prd-alf.

Comodo - Comodo is a proprietary scanner that can be downloaded from http://comodo.com/home/internet-security/antivirus-for-linux.php

Kaspersky - Kaspersky is a proprietary scanner, aimed at Linux file servers, that can be found at http://kaspersky.com/product-updates/linux-file-server-antivirus.

Protecting and Repairing:

The best way to protect a system against viruses is to only download and install software from trusted sources. Prefer your distribution's official repository, whose packages are signed and whose signatures the package manager checks, over a program obtained from some third-party site, and treat anything that asks you to run it with root privileges with extra suspicion.

There are two ways to remove malware. The first is to use a virus scanner to find and remove it. The second is to delete the offending executables manually. Manual removal must also cover the places malware uses to start itself again, such as cron jobs, init or systemd units, and shell start-up files. If a rootkit is suspected, examine the disk from a clean boot medium instead of trusting the compromised system to report on itself.

To repair damaged executables, reinstall the infected or damaged software from the distribution's repository. For example, if a virus infected the Firefox executable, reinstall Firefox. On Debian-based systems the package manager records a checksum for every file it installs, so tools such as debsums or dpkg's verify mode can show which installed files have changed and therefore which packages need reinstalling.
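As an added example of that check (not part of the original article and not the code of dpkg or debsums), the script below re-computes the checksums of installed files and reports the packages whose files were modified or are missing. It relies on the fact that dpkg writes, for each installed package, a list at /var/lib/dpkg/info/PACKAGE.md5sums with one `md5  relative/path` line per file; the fake root, package names, and file contents in the demo are constructed for the example.

```python
"""Find package-managed files that no longer match the checksums recorded at
install time, and so the packages that should be reinstalled.

Added example; not part of the original article and not the code of dpkg or
debsums. On Debian-based systems dpkg keeps, for every installed package,
/var/lib/dpkg/info/<package>.md5sums with one line per file:
    <32 hex md5>  <path relative to />
(configuration files are normally not listed). `dpkg --verify` and `debsums`
perform this same comparison.
"""
import glob
import hashlib
import os
import tempfile
from typing import Dict

DPKG_INFO = "/var/lib/dpkg/info"     # where the real lists live


def parse_md5sums(text: str) -> Dict[str, str]:
    """Map relative path -> expected md5 from the text of one .md5sums file."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        expected[path.strip()] = digest.lower()
    return expected


def md5_of_file(path: str) -> str:
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_package(md5sums_text: str, root: str = "/") -> Dict[str, str]:
    """Return {relative path: 'modified' | 'missing'} for every file that fails."""
    problems: Dict[str, str] = {}
    for rel, want in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif md5_of_file(full) != want:
            problems[rel] = "modified"
    return problems


def verify_all(info_dir: str = DPKG_INFO, root: str = "/") -> Dict[str, Dict[str, str]]:
    """Check every package that has an .md5sums list; report only those with problems."""
    report: Dict[str, Dict[str, str]] = {}
    for listing in sorted(glob.glob(os.path.join(info_dir, "*.md5sums"))):
        package = os.path.basename(listing)[: -len(".md5sums")]
        with open(listing, encoding="utf-8", errors="replace") as fh:
            problems = verify_package(fh.read(), root)
        if problems:
            report[package] = problems
    return report


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed fake root with two packages: one intact, one tampered with."""
    good = b"\x7fELF original goodprog (constructed)\n"
    fake = b"\x7fELF original fakeprog (constructed)\n"
    readme = b"README (constructed)\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        info = os.path.join(tmp, "info")
        os.makedirs(os.path.join(root, "usr", "bin"))
        os.makedirs(info)
        with open(os.path.join(root, "usr", "bin", "goodprog"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(root, "usr", "bin", "fakeprog"), "wb") as fh:
            fh.write(fake)
        # Lists as dpkg would have written them at install time (README never copied).
        with open(os.path.join(info, "goodpkg.md5sums"), "w") as fh:
            fh.write(hashlib.md5(good).hexdigest() + "  usr/bin/goodprog\n")
        with open(os.path.join(info, "tamperedpkg.md5sums"), "w") as fh:
            fh.write(hashlib.md5(fake).hexdigest() + "  usr/bin/fakeprog\n")
            fh.write(hashlib.md5(readme).hexdigest() + "  usr/share/doc/fakeprog/README\n")
        # Simulate an infection that appended code to the binary.
        with open(os.path.join(root, "usr", "bin", "fakeprog"), "ab") as fh:
            fh.write(b"\n# injected (constructed)\n")
        return verify_all(info, root)


if __name__ == "__main__":
    print(demo())
```

On a real Debian or Ubuntu machine, `verify_all()` with its defaults walks every installed package, and each package it names can then be reinstalled with `apt-get install --reinstall PACKAGE`. Two caveats matter here. The checksum lists live on the same disk as the files, so an intruder with root can rewrite them along with the binaries, and a rootkit can hide its changes from any tool run on the live system; for a conclusive answer, boot clean media or compare against a freshly downloaded copy of the package. And MD5 is what dpkg records, not a choice made for security, so treat a match as "unchanged since install", not as proof that the package was good to begin with.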

Also, when protecting yourself against malware, remember that malicious code needs something to run it: it is either an executable (a binary or a script) or it hides inside one. A PNG, MP3, or FLV file is data that an application merely opens for the user to view or listen to, so it cannot run on its own. That does not make data files harmless, however: a deliberately malformed file can exploit a bug in the program that parses it, which is why scanners examine all files and why keeping media players, browsers, and image libraries patched matters. In addition, remember that most screensavers are executables, so malware may hide in screensavers.

Even though comparatively little malware targets Linux, all computers and servers should have some form of protection against it. Knowing how malware works and how to protect computers will help in protecting many systems.


About the author

Devyn Collier Johnson is a programmer, technical author, and a fan of Linux. He attends college as a commuting student and maintains a place on the Dean's list. He majors in electrical engineering technology and plans to earn several other degrees in computer technology and programming. Currently, Devyn is one of the authors for Linux.org, but he occasionally contributes to other Linux websites. Devyn Collier Johnson has learned many computer languages, bindings, data structures (like SQLite3), and APIs.
Email: DevynCJohnson@Gmail.com
Learn more about Devyn on his Launchpad profile - https://launchpad.net/~devyncjohnson-d

Tags: linux security foss antivirus malware