LinuxQuestions.org
Old 12-01-2009, 01:23 AM   #1
abd_bela
Member
 
Registered: Dec 2002
Location: algeria
Distribution: redhat 7.3, debian lenny
Posts: 594

Rep: Reputation: 31
several questions about viruses on linux


Hi,
I am asking, if there is a virus on my machine, how to detect it.
The command ps aux gives all running processes, all, really all? Or may there be a hidden process running in the background?
Until now, I considered that a virus doesn't affect a system if you work as a simple user,
and can't damage the system without root permission. Am I right, or can a virus get root privileges?
Another thing on Linux: a program can't run if it is not executable, it must have the "x" permission; if we copy a file normally it loses the x permission.
This is what I believe up to now, am I right?
thanks for help
bela
 
Old 12-01-2009, 02:11 AM   #2
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
basically.. a virus is the work of a script-kiddie, designed to destroy data, or do some other very stupid things.
backdoors/trojans are gateways into your system for some more mature guys, probably hunting for your data or just your system resources (network channel, CPU).
but what you are looking for is rootkits.
rootkits can hide their own/desired processes, files, directories and other objects. google for linux rootkits. i'm sure you will find all the answers you need.
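The OP asked whether ps really shows everything. The script below is an added example, not code from this poster, of the cross-check a defender would run before trusting ps: it takes three views of the process table and reports where they disagree. A user-space rootkit that swaps out /bin/ps is invisible to ps but not to a listing of /proc; a kernel-level one that filters directory listings hides from ps and ls /proc alike, yet /proc/<pid> can usually still be opened by name, so probing every possible pid directly tends to expose it. It assumes Linux with procfs and a procps-style ps that accepts -e -o pid=; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): compare three views of the process
# table and print PIDs that one view has but another lacks.
# Assumes Linux procfs and a ps that understands "-e -o pid=".

# PIDs as reported by ps.
pids_from_ps() {
    ps -e -o pid= | tr -d ' ' | sort -n | uniq
}

# PIDs as seen by listing /proc (entries whose names are all digits).
pids_from_proc_listing() {
    ls /proc | grep -E '^[0-9]+$' | sort -n | uniq
}

# PIDs found by opening /proc/<n> by name for every n from 1 to $1.
# Default is the kernel's pid_max, capped at 65536 so the loop stays short;
# raise the cap on hosts with a larger pid_max.
pids_from_proc_probe() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    [ "$max" -gt 65536 ] && max=65536
    n=1
    while [ "$n" -le "$max" ]; do
        [ -d "/proc/$n" ] && echo "$n"
        n=$((n + 1))
    done
    return 0
}

# Print the entries of list $2 that are absent from list $1.
# Both are newline-separated; pure text work, so it can be tested on
# constructed data.
missing_from() {
    { printf '%s\n' "$1"; echo "--"; printf '%s\n' "$2"; } |
        awk '$0 == "--"   { second = 1; next }
             !second      { seen[$0] = 1; next }
             $0 != "" && !($0 in seen)'
}

main() {
    if [ ! -d /proc ] || ! command -v ps >/dev/null 2>&1; then
        echo "needs a Linux /proc and ps" >&2
        return 2
    fi
    ps_list=$(pids_from_ps)
    ls_list=$(pids_from_proc_listing)
    probe_list=$(pids_from_proc_probe)
    echo "== in /proc listing but not in ps (user-space ps tampering?) =="
    missing_from "$ps_list" "$ls_list"
    echo "== reachable as /proc/<pid> but not in the /proc listing (kernel-level hiding?) =="
    missing_from "$ls_list" "$probe_list"
}

# Run the live comparison only when asked, e.g.:  sh procs.sh --check
case "${1:-}" in --check) main ;; esac
```

Run it with --check on the machine under review. The three snapshots are taken one after another, so the helper processes the script itself spawns (ps, ls, sort) can appear as one-off differences; a PID that shows up in the same column on repeated runs is the one worth investigating, starting with /proc/<pid>/exe and /proc/<pid>/cmdline.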
 
Old 12-01-2009, 08:58 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Script kiddies aren't usually bright enough to create viruses on their own. Viruses are normally created by the more intelligent of the darkside. Script kiddies tend to 'borrow' technology from their more intelligent counterparts.

Conficker is a virus (been using the Conficker example in my last few posts). It doesn't care who is on the other end. Viruses usually affect systems with code vulnerabilities (Blaster/Sasser), or buffer overflows, or a combination. What makes viruses successful at infection is the fact that they need to be executed with system and/or admin/root privileges. Normally, a normal user account won't be sufficient to hose a whole system...the compromise needs system-level privileges to take control of system processes. Normal users normally have limited privileges. Viruses propagate on their own.

Trojans and other malware also work in a similar manner but usually use user stupidity/ignorance to gain access. They can also be transferred manually to an already compromised machine. SubSeven and BackOrifice are trojans that rely on a malicious user sending the trojan to an unsuspecting individual. The trojan may be named "funny.exe". The receiver double-clicks the file (and may well be doing it using an Admin account) and activates the trojan. The trojan can keylog or look for activation/registration codes. It can gather credit card info or log personal information. It can turn the compromised machine into a bot and have it join a botnet. Trojans propagate normally via social engineering, but can be manually installed (once the malicious user has a proper way into the system...bruteforcing accounts, for example).
 
Old 12-01-2009, 11:41 AM   #4
scourge99
LQ Newbie
 
Registered: Jun 2009
Posts: 24

Rep: Reputation: 16
Quote:
Originally Posted by unixfool View Post
Script kiddies aren't usually bright enough to create viruses on their own. Viruses are normally created by the more intelligent of the darkside. Script kiddies tend to 'borrow' technology from their more intelligent counterparts.

Conficker is a virus (been using the Conficker example in my last few posts). It doesn't care who is on the other end. Viruses usually affect systems with code vulnerabilities (Blaster/Sasser), or buffer overflows, or a combination. What makes viruses successful at infection is the fact that they need to be executed with system and/or admin/root privileges. Normally, a normal user account won't be sufficient to hose a whole system...the compromise needs system-level privileges to take control of system processes. Normal users normally have limited privileges. Viruses propagate on their own.

Trojans and other malware also work in a similar manner but usually use user stupidity/ignorance to gain access. They can also be transferred manually to an already compromised machine. SubSeven and BackOrifice are trojans that rely on a malicious user sending the trojan to an unsuspecting individual. The trojan may be named "funny.exe". The receiver double-clicks the file (and may well be doing it using an Admin account) and activates the trojan. The trojan can keylog or look for activation/registration codes. It can gather credit card info or log personal information. It can turn the compromised machine into a bot and have it join a botnet. Trojans propagate normally via social engineering, but can be manually installed (once the malicious user has a proper way into the system...bruteforcing accounts, for example).
I often hear Unix supporters claim that Unix systems "can't get viruses" like Windows does because of something inherently different between the two. While I agree that Windows is more prone to viruses because of its market share and fundamentally different set of vulnerabilities, I don't believe this makes Unix systems any less capable of contracting and spreading viruses. Perhaps they are referring to something more specific? Could anyone shed some light on this?
 
Old 12-01-2009, 11:58 AM   #5
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Perhaps they are referring to something more specific? Could anyone shed some light on this?
Windows has in the past been configured "out of the box" to be more insecure than Unix/Linux. That is, by default many more things are set to an insecure setting than is the case in U/L. A knowledgeable administrator can make Windows as secure as U/L, but has to change many settings to do so. An untrained newbie can make U/L as insecure as Windows, but has to change many settings to do so.

Thankfully, Windows is becoming more secure out of the box. But as a result of its insecure reputation and broad market share, many more attacks (virii, trojans, malware, etc.) have been specifically written for the Windows platform than have been written for the U/L platforms, and most of those written for Windows will simply not run on U/L (unless Windows code has been introduced into U/L via WINE or some similar program).

If you set up two identical servers, one running the latest version of Windows server using default settings and the other running the latest version of any major distribution of Unix or Linux, using default settings, both will be hit by attacks, and both will likely succumb. But the Windows server will be hit by more attacks, and a greater variation of attacks, than the Unix/Linux server.
 
Old 12-01-2009, 12:26 PM   #6
scourge99
LQ Newbie
 
Registered: Jun 2009
Posts: 24

Rep: Reputation: 16
Quote:
Originally Posted by Jim Bengtson View Post
Windows has in the past been configured "out of the box" to be more insecure than Unix/Linux. That is, by default many more things are set to an insecure setting than is the case in U/L.
Out of curiosity what are some of these things?

I know that Windows didn't have the ring structure that Unix uses implemented very well until recently: admin, user, guests.

If you know of anything off the top of your head or can refer me to something that XP, Vista, or Win7 is lacking in comparison to standard Unix distros that would be great.

Quote:
Originally Posted by Jim Bengtson View Post
most of those written for Windows will simply not run on U/L (unless Windows code has been introduced into U/L via WINE or some similar program).
How about Vice-versa? Is malware written for Linux easily compatible with Windows? I would think not.
 
Old 12-01-2009, 12:41 PM   #7
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Here's an article on the subject:

Linux vs. Windows: Which Is Most Secure?
By Kenneth van Wyk, eSecurityPlanet.com
http://www.esecurityplanet.com/views...ost-Secure.htm

He also compared Windows to Mac, and Mac to Linux.
 
1 members found this post helpful.
Old 12-01-2009, 01:14 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
The Linux version of a Windows virus is a malicious LKM (Loadable Kernel Module) trojan. An attacker needs to exploit a service to gain root access and then replace one of your kernel modules with his own version. Also, if an attacker gets root access, he will replace utilities such as ps and top to try to conceal his own processes.

One defense used for servers is to compile a flat kernel that doesn't have LKM support.

You can use rkhunter and chkrootkit to try to detect the presence of a root kit. Even more important, these programs check for security issues that could lead to a compromise. There is also Aide, which performs an md5sum on important system files. It is best performed after a clean install with the database saved on write-once media such as a CDROM.

You can do the same thing yourself manually, and compare the files in /lib/modules/, /bin/, /sbin/ and /usr/sbin/ with newly computed results. For maximum assurance, do so with the filesystem off-line, from a live CD.

Most importantly, use a new version of Fedora. Your Red Hat 7.3 is ancient. Apply security updates promptly and don't disable SELinux protection.
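The manual check described in this post, as an added example that is not the poster's own script and not AIDE: make_baseline records a manifest of file hashes for the directories you name (the post's /lib/modules, /bin, /sbin, /usr/sbin), and verify_baseline later reports files that were altered, deleted, or added. I use sha256sum rather than the md5sum the post mentions (MD5 collisions are practical today); the script assumes GNU coreutils and find, and the function names and the --baseline/--verify flags are my own.

```shell
#!/bin/sh
# Added example (not from the thread): hash manifest of system directories
# and a later comparison against it. Assumes GNU coreutils (sha256sum, cut)
# and find; pass directories as arguments, e.g. /lib/modules /bin /sbin.

# Print "hash  path" for every regular file below the given directories,
# sorted so that two manifests can also be diffed directly.
make_baseline() {
    find "$@" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# Compare the tree against a manifest. Prints one line per altered or
# missing file (from sha256sum -c) and "NEW: path" for files that were not
# in the manifest at all; a binary dropped into /sbin is as interesting as a
# patched one. Returns 0 when nothing changed, 1 otherwise.
verify_baseline() {
    manifest=$1
    shift
    rc=0
    # --quiet suppresses the "OK" lines, leaving only the problems.
    sha256sum --quiet -c "$manifest" 2>&1 || rc=1
    # The path starts at column 67: 64 hex digits plus two spaces.
    new=$( { cut -c67- "$manifest"; echo "--"; find "$@" -type f; } |
           awk '$0 == "--"     { cur = 1; next }
                !cur           { seen[$0] = 1; next }
                !($0 in seen)  { print "NEW: " $0 }' )
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        rc=1
    fi
    return $rc
}

# Typical use:
#   sh baseline.sh --baseline /lib/modules /bin /sbin /usr/sbin > baseline.sha256
#   sh baseline.sh --verify baseline.sha256 /lib/modules /bin /sbin /usr/sbin
case "${1:-}" in
    --baseline) shift; make_baseline "$@" ;;
    --verify)   shift; verify_baseline "$@" ;;
esac
```

Paths are stored in the manifest exactly as given, so record and verify with the same prefix: when checking from a live CD with the suspect root mounted under /mnt, cd into /mnt and pass relative directories (bin, sbin, ...) on both passes. The result is only as trustworthy as the sha256sum, find and awk that produced it, which is the reason the post recommends doing the comparison off-line from live media and keeping the manifest on write-once storage.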
 
Old 12-01-2009, 01:45 PM   #9
MBybee
Member
 
Registered: Jan 2009
Location: wherever I can make a living
Distribution: PC-BSD / FreeBSD / Debian / Ubuntu / Win7 / OpenVMS
Posts: 438

Rep: Reputation: 57
Quote:
Originally Posted by jschiwal View Post
The Linux version of a Windows virus is a malicious LKM (Loadable Kernel Module) trojan. An attacker needs to exploit a service to gain root access and then replace one of your kernel modules with his own version. Also, if an attacker gets root access, he will replace utilities such as ps and top to try to conceal his own processes.

One defense used for servers is to compile a flat kernel that doesn't have LKM support.

You can use rkhunter and chkrootkit to try to detect the presence of a root kit. Even more important, these programs check for security issues that could lead to a compromise. There is also Aide, which performs an md5sum on important system files. It is best performed after a clean install with the database saved on write-once media such as a CDROM.

You can do the same thing yourself manually, and compare the files in /lib/modules/, /bin/, /sbin/ and /usr/sbin/ with newly computed results. For maximum assurance, do so with the filesystem off-line, from a live CD.

Most importantly, use a new version of Fedora. Your Red Hat 7.3 is ancient. Apply security updates promptly and don't disable SELinux protection.

Just to build on these points, part of the reason isn't the ring/security structure (NT actually has a finer-grained and more comprehensive ACL and security setup than most Unix implementations); it's the way the systems are used.

Unix is just far older. Most of the good tricks to secure a Unix system have been well known for longer than Windows has existed. Some of these have had to be re-learned in the Linux era (since Linux isn't actually a Unix port, it's a reimplementation from scratch). Some of these have even been abandoned outside of 'production' environments entirely because users are lazy.

Here's a few things that can help armor a Unix system:
1) A properly configured system has /usr, /boot, and sometimes even /etc mounted read only. The only way to update or change files here is to unmount and remount the volumes... as root, of course. Yes, that means every time you install a (well-tested) update.
2) No user has root escalation except for a tiny subset of admin users - and those users are heavily audited.
3) Jails are used to prevent processes from 'climbing' the tree and accessing files they shouldn't be allowed to access.
4) No processes run as root if it can possibly be prevented (some things require root - but it's a super short list).
5) Surface area reduction is done by removing all extraneous daemons (services), executables, users, and components. A properly configured Unix box should never answer on any port except for the ones it is intentionally hosting (http/db/ssh/nfs, etc).
6) All user processes run as the owner, and the owner has rights to essentially nothing outside of their home share and possibly a 'group' share.
7) Everything is audited and tracked, and alerts are generated.


Things like this are inconvenient under a desktop Linux, but there are guides to help any user do this. It doesn't require any really specialized knowledge, just care.
http://www.debian.org/doc/manuals/se...-debian-howto/
http://security.freebsd.org/

For what it's worth, Windows servers can be (and often are) likewise hardened. It's the desktops that are often the problem.
http://www.nsa.gov/ia/guidance/secur...html#microsoft

The thing is, most people running Linux just install everything into one giant partition, don't encrypt swap, give their passwords to everything that prompts for it, browse the web (with Flash enabled) as high priv users, and generally just make a mess of things. This same behavior under OSX and Windows leads to their relative 'virus prone' states. In this mode, Linux and OSX are only slightly harder to penetrate than Windows 7/Vista, and easier than XP only if you use a default admin user. The inherent safeguards have all been removed in the name of expedience.

<edit> One thing worth noting though - using a 'pluggable' kernel model (like LKM, mentioned by the prev poster) also opens some holes. It's why the BSD guides often recommend disabling this feature. I don't think that's even possible under Windows </edit>

If you care to take time, any OS can be made reasonably secure.

Last edited by MBybee; 12-01-2009 at 02:00 PM. Reason: Forgot to mention the pluggable kernel modules the prev poster mentioned
 
1 members found this post helpful.
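Two items from the hardening list in this post, read-only system mounts (1) and a box that answers only on the ports it is meant to host (5), can be audited directly from procfs rather than through mount and netstat binaries that an intruder with root may have replaced. The script below is an added example, not the poster's, and assumes Linux with procfs and a POSIX awk; writable_mounts and listening_ports are pure text filters over /proc/mounts and /proc/net/tcp formatted input (so they can be exercised on constructed data), and audit_host feeds them the live files. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit read-only mounts and listening
# TCP sockets straight from procfs. Assumes Linux and a POSIX awk.

# stdin: /proc/mounts text. Args: mount points that should be read-only.
# Prints a line for each that is mounted read-write or is not its own mount.
writable_mounts() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) check[w[i]] = 1 }
        ($2 in check) {
            seen[$2] = 1
            ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) print $2 " mounted read-write"
        }
        END { for (m in check) if (!(m in seen)) print m " is not a separate mount" }'
}

# stdin: /proc/net/tcp and/or /proc/net/tcp6 text. Prints "addr:port uid=N"
# for every socket in LISTEN state (st column == 0A). Addresses and ports
# are hex; IPv4 addresses are stored little-endian, hence the byte reversal.
listening_ports() {
    awk '
        function hex(s,    i, v) {
            v = 0; s = toupper(s)
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
            return v
        }
        $4 == "0A" {
            split($2, a, ":")
            ip = a[1]
            if (length(ip) == 8)
                addr = hex(substr(ip, 7, 2)) "." hex(substr(ip, 5, 2)) "." hex(substr(ip, 3, 2)) "." hex(substr(ip, 1, 2))
            else
                addr = "[" ip "]"   # IPv6 left as raw hex; enough to spot an unexpected listener
            print addr ":" hex(a[2]) " uid=" $8
        }'
}

audit_host() {
    echo "== mount points that should be read-only =="
    writable_mounts /usr /boot < /proc/mounts
    echo "== listening TCP sockets (compare with what this box is meant to host) =="
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | listening_ports
}

# Run the live audit only when asked:  sh audit.sh --audit
case "${1:-}" in --audit) audit_host ;; esac
```

The uid column tells you which account owns each listener, which is the quick way to find daemons still running as root (item 4 in the list) among those that answer on the network. Anything listening that is not on the short list of services the host is supposed to offer is the surface area item 5 says to remove.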
Old 12-01-2009, 06:18 PM   #10
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,264

Rep: Reputation: 2028
Quote:
I often hear Unix supporters claim that Unix systems "can't get viruses" like Windows does because of something inherently different between the two.
That's probably a slight misquote/mis-hear. U/L systems can't get MS(!) viruses, because MS binary executables won't run under Linux (unless inside eg Wine or eg VMWare) due to a completely different definition of what a binary executable looks like in Linux.
Something like 99% of the viruses in the wild are MS specific.
 
Old 12-01-2009, 11:34 PM   #11
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by chrism01 View Post
That's probably a slight misquote/mis-hear. U/L systems can't get MS(!) viruses, because MS binary executables won't run under Linux (unless inside eg Wine or eg VMWare) due to a completely different definition of what a binary executable looks like in Linux.
Something like 99% of the viruses in the wild are MS specific.
I don't remember the OP saying that *nix systems can get viruses designed for MS OSs. I read what he posted differently.

My answer to the OP would probably be that the two systems handle permissions very differently. One could also argue that the userbase for MS OSs is very large (with a generally ignorant population), which makes them easier to take advantage of. It can also be said that the codebase of MS products (ALL software) is large enough to where it is difficult to evaluate the code properly. Also, OSS has a VERY large pool of people that can peer review *nix code...any issues are usually discovered and fixed quickly (and with the least amount of red tape).

But here's something I just HAVE to share:

There IS malware that will attack *nix machines. Remember back in the day when someone released CodeRed and Nimda (Windows-based attacks that took advantage of holes within applications...Win32 software, but an example that this type of attack, in concept, will work on a Linux install)? That's a ways back, but not every attack will be kernel related. How about Lupper? OpenSSL worms? How about PHP-based attacks in general. A lot of these are automated (scripted). Although some of these examples of malware take advantage of misconfigurations, they are considered malware nonetheless. Look at the history of this forum and you can see a LOT of examples of *nix-based machines getting utterly compromised. Anything installed on a hard disk that is software may contain bugs. Simple buffer overflows can sometimes escalate privileges...it's not as simple as saying that Linux is invulnerable or less of a target. The only reason people think Linux is less exposed is because MS is scrutinized more, they're well-known (my mom doesn't know WTF Linux is but she definitely knows what "Windows" is), and because MS has a majority of the market share, it's almost too easy to target the company. If I had a fishing net and saw a large school of fish in a lake, my chance of catching dinner would be far greater than homing in on the one fish at the edge of the lake.

Just my thoughts...

Last edited by unixfool; 05-12-2010 at 04:23 PM.
 
2 members found this post helpful.
Old 12-02-2009, 02:11 PM   #12
varshovi
LQ Newbie
 
Registered: Nov 2009
Distribution: slackware
Posts: 5

Rep: Reputation: 0
check for rootkits

While the discussion by friends here seems complete (about taking care of permissions and so on) to reduce the risk of viruses, I also recommend you two open source tools:

1. chkrootkit available at: http://www.chkrootkit.org/
which is a shell script to detect known rootkits.

2. OSSEC available at: http://www.ossec.net/ which is a Host-Based IPS/Integrity Checker if you need extra control over your system security.

Regards.
 