Linux Malware

For a long time, users and enthusiasts mistakenly believed that Linux malware did not exist and that Linux and Unix-like systems enjoyed some sort of immunity from malware.

While the knowledgeable always knew this was not true, the enthusiasts seem to forget that one of the earliest known pieces of malware to spread over the Internet was the Morris Worm of 1988, which attacked Unix systems and brought down much of the Internet.

Linux-based systems are often used as web servers and routing devices. As such, they present a target to would-be attackers 24x7. Since many of them host e-commerce sites, getting access to a Linux-based web server is lucrative.

Often the attack targets the applications running on the Linux host. Such attacks include SQL injection and the exploitation of known vulnerabilities in popular web programs like WordPress.

The most effective defense against Linux malware is to present the smallest attack surface possible. This is done by running only the services that are needed, and by restricting access to the services that are running to only the IP addresses that need to reach them.

Running each publicly available service in its own virtualized container improves security considerably. FreeBSD provides this lightweight virtualization in the form of its jails functionality.

Malware targeting Linux sometimes uses brute-force attacks against weak passwords. This was the case with the ELF_TSUNAMI.R malware, where the attack was carried out from infected PCs and targeted Linux-based routers. You can ensure that your system has strong passwords by running your system passwords through a password scanner that helps weed out weak passwords, and by having a password policy.

One of the oldest ways to detect whether a Linux system has been infected with malware is to use an intrusion detection system that generates a snapshot of file signatures after a fresh installation of the system. This snapshot is kept offline and is updated whenever a legitimate change is made to the files. Periodically, once a day or once every few hours, file signatures are computed for each file and directory and compared with the offline snapshot. Any discrepancy is an indicator of unauthorized changes to the file system. Various open source and commercial tools perform this in one form or another.
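The baseline-and-compare procedure described above, as an added example that is not code from this page or from any of the tools it names: it records the SHA-256 digest, size and permission bits of every regular file under a directory, and later diffs a fresh snapshot against that baseline. The JSON baseline layout and the function names are this example's own, and the sample tree is constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example of file-integrity checking; the signature format below is
# this example's own, not that of OSSEC or any other product.

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Signature of every regular file under root: digest, size and permission bits."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777)}
    return snap

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; any non-empty list is a discrepancy to investigate."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def demo() -> dict:
    """Constructed sample tree: take a baseline, change two things, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_json = json.dumps(snapshot(root))  # in practice, store this offline
        # Changes made after the baseline: one file replaced, one file dropped in.
        (root / "bin" / "login").write_bytes(b"replaced login binary")
        (root / "unexpected_file").write_text("not part of the install\n")
        return compare(json.loads(baseline_json), snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron at the interval the text suggests, with the baseline read from read-only or offline storage, the `compare` output is the list of paths to investigate.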

OSSEC is a well known free, open source intrusion detection system.
