By Kurt Seifried [email protected]
Linux is not as susceptible to viruses in the same ways that a
Dos/Windows or Mac platform is. In UNIX, security controls are a fundamental
part of the operating system. For example users are not allowed to write
promiscuously to any location in memory that they choose to, something that
Dos/Windows and the Mac allow.
To be fair there are viruses for UNIX. However the only Linux one I have seen
was called "bliss", had an uninstall option ("--uninstall-please") and had to be
run as root to be effective. Or to quote an old Unix favorite "if you don't know
what an executable does, don't run it as root". Worms are much more prevalent in
the UNIX world, the first major occurrence being the Morris Internet worm which
exploited a vulnerability in sendmail. Current Linux worms exploit broken
versions of imapd, sendmail, WU-FTPD and other daemons. The simplest fix is to
keep up to date and not make daemons accessible unless necessary. These attacks
can be very successful especially if they find a network of hosts that are not
up to date, but typically their effectiveness fades out as people upgrade their
daemons. In general I would not specifically worry about these two items, and
there is definitely no need to buy anti-virus software for Linux.
Worms have a long and proud tradition in the UNIX world, by exploiting known
security holes (generally, very few exploit new/unknown holes) and replicating
they can quickly mangle a network(s). There are several worms currently making
their way around Linux machines, mostly exploiting old Bind 4.x and old IMAP
software. Defeating them is as easy as keeping software up to date.
Trojan horses are also popular. Recently ftp.win.tue.nl was broken into and
the TCP_WRAPPERS package (among others) was modified to email passwords to an
anonymous account. This was detected when someone checked the PGP signature of
the package and found that it wasn't quite kosher. Moral of the story? Use
software from trusted sites, and check the PGP signature(s).
Disinfection of viruses / worms / trojans
Back up your data, format and reinstall the system from known good media.
Once an attacker has root on a Linux system they can literally do anything, from
compromising gcc/egcs to loading interesting kernel modules at boot time. Do not
run untrusted software as root. Check the PGP signatures on files you download,
etc. An ounce of prevention will pretty much block the spread of viruses, worms
and trojans under Linux.
The easiest method for dealing with viruses and the like is to use system
integrity tools such as tripwire, L5, and Gog&Magog, you will be able to
easily find which files have been compromised and restore/replace/update them.
There are also many Anti-Virus scanners available for Linux (but generally
speaking there aren’t any Linux viruses).
Virus Scanners for Linux
As stated above viruses aren't a real concern in the Linux world, however
virus scanners that run on Linux can be useful. Filtering email / other forms of
content at the gateways to your network (everyone has Windows machines) can
provide an extra line of defense since the platforms providing the defense
against the threat cannot be compromised by that threat (hopefully). You may
also wish to scan files stored on Linux file servers that are accessed by
Windows clients. Luckily there are several good anti-virus programs available
Sophos Anti-Virus is a commercial virus scanner that runs on a variety of
Windows and UNIX platforms. It is free for personal use and relatively
inexpensive for commercial use. You can get it at: http://www.sophos.com/.
AntiVir is another commercial virus scanner that runs on a variety of Windows
platforms and Linux. You can get it from: http://www.hbedv.com/.
Trend Micro has ported this product to Linux and offers it for free download
on their site. You can get it from: http://www.antivirus.com/products/isvw/.
Data Fellow's has ported their anti-virus scanner to Linux as well. You can
get it at: http://www.datafellows.com/products/
Kaspersky lab's has also ported their anti-virus scanner over to Linux,
currently in beta, available at: http://www.kaspersky.com/products.asp
Virus scanning of email
virus scanning of incoming email (very useful if you have windows clients).