LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-21-2014, 07:57 PM   #16
touch21st
http://it.slashdot.org/story/14/03/1...uxunix-servers
 
Old 03-21-2014, 08:09 PM   #17
touch21st
Quote:
Originally Posted by Gullible Jones
Yes, Linux is as vulnerable as anything else.

Edit: BTW, for an example of AVs possibly being harmful sometimes, look around for a research paper by Tavis Ormandy called "Sophail".
backdoor or spyware in it?
 
Old 03-22-2014, 10:30 AM   #18
TobiSGD
Quote:
Originally Posted by touch21st
The malware in this case is a trojan. While AV software may have alerted the admin, it was the admin in the first place who installed the malware. This is why you should only use software from trusted sources.
 
Old 03-25-2014, 03:58 PM   #19
Smokey_justme
Quote:
Originally Posted by touch21st
See this topic about it: http://www.linuxquestions.org/questi...go-4175498662/

More to the point, that's malware that targets mostly servers by hacking OpenSSH and spreading by hand (with stolen credentials from that hacked SSH)... Actually, the first method of getting that malware would be to use an already infected system in order to log in to another (uninfected?) one... An AV would probably just alert you (if it knows about that specific malware), and at the level it's deployed, it should be presumed that the owners of the system know how to keep it safe... Basically, the infected systems are infected because "kids" try to play with big software and completely ignore its security documentation... There is no AV against that...

Quote:
Originally Posted by Léveillé
“We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks,” explains Léveillé. “Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line.”

Last edited by Smokey_justme; 03-25-2014 at 04:01 PM.
 
Old 03-25-2014, 04:05 PM   #20
szboardstretcher
Quote:
Originally Posted by TobiSGD
The malware in this case is a trojan. While AV software may have alerted the admin, it was the admin in the first place who installed the malware. This is why you should only use software from trusted sources.
Actually no (the admin did not install it).

From the article: "No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged."

http://www.welivesecurity.com/wp-con...on_windigo.pdf

They had root to the box, so AIDE or some other intrusion detection would have worked. But not a virus scanner.

Last edited by szboardstretcher; 03-25-2014 at 04:06 PM.
 
Old 03-27-2014, 08:37 AM   #21
sundialsvcs
"They had root to the box ..." There you go. A classical penetration technique second only to exploiting Plesk.

AV algorithms could be valuable ... perhaps, very valuable ... say in a document-storage application (or a blog) to detect suspicious content before it is disseminated for public use. However, it is both snake-oil and smoke to say that such tools are "necessary" or that they "protect you" from anything at all.
 
Old 03-27-2014, 08:49 AM   #22
szboardstretcher
For world-facing services, I use a few different techniques that rely on occasionally taking prod servers out of the LB group, doing some remote MD5/CRC checking on files/directories and some secret stuff, which lets me know if anything has changed.

The new way of doing things is to have a server that boots off a read-only Blu-ray drive, which then brings up images in our cluster once a day. So even if you do find a way to break in, within 12 hours I will be putting out a new VM with new keys and passwords. The gold image Blu-ray is modified, updated and secured on a daily basis according to security standards and alerts, in a sterile no-internet environment.

And of course the hourly AIDE checks, firewalls, IDP appliances, and network monitoring help as well.
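The checksum comparison and AIDE-style checks this post relies on, as an added example that is not the poster's own tooling: it baselines a directory tree with SHA-256 plus permission bits and owner, then diffs a later snapshot into added, removed and modified files. The sample tree, the tampering and the file names in demo() are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not the poster's own tooling. Keep the baseline off the
# monitored host: an intruder with root can rewrite anything stored locally.
def _digest(path):
    """SHA-256 of a file (MD5/CRC are weaker: MD5 collisions are practical)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to its hash plus the
    metadata a backdoor install usually disturbs: permission bits and owner."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):            # skip symlinks, devices
                baseline[os.path.relpath(full, root)] = (
                    _digest(full), stat.S_IMODE(st.st_mode), st.st_uid)
    return baseline

def compare(old, new):
    """Return sorted (added, removed, modified) relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified

def demo():
    """Constructed sample tree: baseline it, tamper with it, diff it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    for name, text in (("etc/sshd_config", "PermitRootLogin no\n"),
                       ("etc/passwd", "root:x:0:0::/root:/bin/sh\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    before = build_baseline(root)
    with open(os.path.join(root, "etc/sshd_config"), "a") as fh:
        fh.write("PermitRootLogin yes\n")        # setting weakened
    os.remove(os.path.join(root, "etc/passwd"))  # file deleted
    open(os.path.join(root, "extra.so"), "w").close()  # file dropped in
    return compare(before, build_baseline(root))
```

In practice the baseline is produced once from a known-good image and compared from a separate host, which is what makes the check survive a root-level compromise of the server being checked.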
 
Old 03-27-2014, 09:14 PM   #23
touch21st
Quote:
Originally Posted by szboardstretcher
For world-facing services, I use a few different techniques that rely on occasionally taking prod servers out of the LB group, doing some remote MD5/CRC checking on files/directories and some secret stuff, which lets me know if anything has changed.

The new way of doing things is to have a server that boots off a read-only Blu-ray drive, which then brings up images in our cluster once a day. So even if you do find a way to break in, within 12 hours I will be putting out a new VM with new keys and passwords. The gold image Blu-ray is modified, updated and secured on a daily basis according to security standards and alerts, in a sterile no-internet environment.

And of course the hourly AIDE checks, firewalls, IDP appliances, and network monitoring help as well.
And Rootkit Hunter's wonderful.
 
Old 03-28-2014, 10:11 AM   #24
abefroman
AVG
 
Old 04-16-2014, 07:54 AM   #25
touch21st
What do you think of Dr.Web?
 
Old 04-16-2014, 09:03 PM   #26
ReaperX7
I run ClamAV with ClamTk as my main solution, with cron jobs at targeted intervals. I also have RkHunter set up equally as a supplement.

I have used BitDefender before. It's nice, but I like ClamAV's daemon modes and background scanners better.

It would be nice if GNU/Linux got on-access/on-execution scanning via ClamAV. That way it could scan binaries, libraries, configuration files and scripts upon access and execution. I might be mistaken, but BitDefender might have this now for GNOME, Xfce, and KDE desktops via a plugin in the latest versions, or it's just a plugin to allow alt-click scanning options for files.

GNU/Linux and *BSD are starting to become targets of malware and other bad software. It would be nice to gain a solid foothold in protection before they do.

Last edited by ReaperX7; 04-16-2014 at 09:06 PM.
 
Old 04-29-2014, 07:15 AM   #27
touch21st
Quote:
Originally Posted by ReaperX7
I run ClamAV with ClamTk as my main solution, with cron jobs at targeted intervals. I also have RkHunter set up equally as a supplement.

I have used BitDefender before. It's nice, but I like ClamAV's daemon modes and background scanners better.

It would be nice if GNU/Linux got on-access/on-execution scanning via ClamAV. That way it could scan binaries, libraries, configuration files and scripts upon access and execution. I might be mistaken, but BitDefender might have this now for GNOME, Xfce, and KDE desktops via a plugin in the latest versions, or it's just a plugin to allow alt-click scanning options for files.

GNU/Linux and *BSD are starting to become targets of malware and other bad software. It would be nice to gain a solid foothold in protection before they do.
Is ClamAV good enough for desktop users?
 
Old 04-29-2014, 07:30 AM   #28
wstewart90
I use a combination of Linux and trusted packages from the Arch repository as my anti-virus. If I happen to be running Windows then it's AVG.
 
Old 04-29-2014, 09:25 AM   #29
Smokey_justme
OK, let me try to exemplify what security in the Linux world is focused on vs. security in other OSs.

Here's a current MS Internet Explorer bug: https://technet.microsoft.com/en-us/...y/2963983.aspx
Basically, it's a common memory overflow bug with very bad consequences that pretty much allows a remote website to execute code on your computer... This is a common thing amongst browsers or even important services (in one way or the other, with different levels of severity)... In Windows, the end user (and sometimes even the professional) is battered with third-party security products that normally intervene after the system was compromised, if a known malicious code was put in there...
Actually, because in Windows most of the systems are using a day-to-day Administrator account, that penetration can have huge consequences on the whole system and maybe the whole network... Thus making complicated heuristic-based AVs or other security tools an important must-have in order to limit such an invasion...

On the other hand, on Linux systems, people use normal accounts... The whole security concept is started and based on a proactive and protective approach...
Important services that are actually started by root only bind ports and drop the privileges themselves... And the system is built in such a way that normal accounts can't install dangerous stuff like keyloggers even if they wanted to, without proper permissions.
There is also a limited amount of power a process has to "hide" itself... This basically means an AV solution will only provide redundancy for a limited number of possible infections... It also means that, on a normal desktop system, if the AV catches some infection, it's almost always possible to fix the system live and the malicious code is almost always contained... On the other hand, Linux has by default many services, and a lot of the security talk has to do with configuring those services... All infections I've seen until now are due to misconfigurations... Unfortunately, AVs aren't really useful in that situation...

Please keep in mind that I'm not saying similar proactive security measures can't be taken in Windows... I'm just saying that, coming from an OS in which AV tools have such a big influence because the imposed security model of the OS has such big flaws, it can be hard to understand why AVs in Linux are implemented and mostly used in way different setups than normal, day-to-day desktops...
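The "started by root, bind the port, then drop privileges" pattern this post describes, as an added example that is not from the post: it binds a listener, switches permanently to an unprivileged uid/gid in the order the kernel requires, and proves the drop is irreversible by attempting to regain uid 0. Assumptions: port 0 stands in for a privileged port so it runs as any user, 65534 is taken to be the unprivileged nobody account when run as root, and the drop happens in a forked child so the caller keeps its own identity.

```python
import os
import socket

# Added example, not code from the thread: bind as root, then drop root.
# The drop runs in a forked child so the calling process keeps its identity.
UNPRIVILEGED_UID, UNPRIVILEGED_GID = 65534, 65534   # assumed "nobody" ids

def bind_listener(host="127.0.0.1", port=0):
    """Bind while still privileged. Port 0 (any free port) stands in for a
    privileged port such as 22 or 80 so the example runs as any user."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock

def drop_privileges(uid, gid):
    """Switch permanently to uid/gid and prove it. Groups and gid go first,
    since after setuid() they can no longer be changed; setuid() rather than
    seteuid() rewrites real, effective and saved ids, so root cannot return."""
    if os.geteuid() == 0:
        os.setgroups([])       # discard supplementary groups; needs CAP_SETGID
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)           # must fail: that is the proof of permanence
    except PermissionError:
        return True
    return False

def child_drops_root_permanently():
    """Fork a child that binds, drops privileges and reports the outcome.
    Returns True when the child confirmed the drop; the parent is untouched."""
    if os.geteuid() == 0:
        uid, gid = UNPRIVILEGED_UID, UNPRIVILEGED_GID
    else:
        uid, gid = os.getuid(), os.getgid()    # already unprivileged
    pid = os.fork()
    if pid == 0:                               # child process
        ok = False
        try:
            listener = bind_listener()
            ok = drop_privileges(uid, gid)
            ok = ok and listener.getsockname()[1] > 0   # socket survives
        except OSError:
            pass
        os._exit(0 if ok else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
```

The already-bound socket keeps working after the drop, which is the whole point: the privileged step happens once, and everything that parses untrusted input afterwards runs without root.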
 
Old 04-29-2014, 02:07 PM   #30
TobiSGD
Quote:
Originally Posted by Smokey_justme
Actually, because in Windows most of the systems are using a day-to-day Administrator account, that penetration can have huge consequences on the whole system and maybe the whole network...
This isn't true anymore for Windows versions newer than XP.
 
  

