From MEPIS Documentation Wiki
The expression computer virus, which at one time was a term for a specific type of software program that acted like a biological virus, has come to be a generalized concept that encompasses any software that is designed to infiltrate a computer system without the knowledge or consent of the user. In general, such software is unwanted, intrusive, and, at the very least, annoying. Unfortunately, in most cases, such software was written for a malicious purpose such as stealing passwords or acquiring personal information to facilitate identity theft. At a global level, malicious software, also known as malware, can be, and has been, used for cyber warfare and cyber espionage. As an example, malware can be used to compromise a large number of computers, effectively turning them into zombie-like slave devices that can then be used in denial-of-service attacks on a target computer system or network. To mitigate the seriousness of these risks, a prudent computer user should take steps to guard against malware through the use of antivirus software and diligent attention to secure operational practice when accessing other systems outside his or her trusted network.
Malware comes in a range of forms and functions and is constantly being modified to exploit the latest weaknesses in operating systems and applications. Generally, malware can be identified by one of the following broad classifications.
- Computer Viruses -- A virus is a computer program that infects a "host" computer and then replicates (i.e., makes copies of itself); the copies, in turn, infect other computer systems, spreading from one to the next in a manner similar to a biological virus. Infection is transmitted through the Internet, networks, or removable media.
- Worms -- Like a virus, a computer worm self-replicates to spread the infection and almost always has malicious intent. It is different from a virus in that it isn't parasitic (i.e., it is stand-alone code that does not need to attach to an existing program). Worms tend to attack networks, while viruses modify or corrupt files on the host computer.
- Trojan Horses -- Trojan horse malware is designed to appear benign or beneficial, performing a desirable function, to fool the user into executing the program. Usually, the goal of a Trojan horse is to facilitate unauthorized access to the computer system in a clandestine manner, running without the user's knowledge.
- Adware -- Adware is advertising-supported software that is downloaded and installed on a computer system, usually without the user's consent or knowledge. It quickly makes itself known when advertising starts popping up on the desktop and in applications. For the most part, adware is not malicious, just annoying, although it can significantly slow down the operating system. It is usually very difficult to remove once a computer is infected.
- Spyware -- Spyware is a clandestine form of malware that is usually coupled with adware. It is designed to monitor and collect information about the user's computer activities (e.g., websites visited, keystroke logging, etc.) without the user's knowledge. Since subterfuge is the key to the success of spyware, it is usually very difficult to detect. It is classic surreptitious privacy invasion software.
- Rootkits -- Rootkit malware is designed to surreptitiously take over root (i.e., administrative) control of an operating system. Since rootkits operate as root, the malware has complete access to the entire computer system and can be designed to compromise a variety of components within the system such as the bootloader, the kernel, BIOS, hypervisor, and libraries. Rootkits are considered the most dangerous and damaging threats to Linux systems.
Why are there so many Windows viruses?
Normally, discussion of Windows (with the exception of moving from Windows to Linux) is limited on the Mepis wiki; however, in this case, the question as to why there are so many viruses in Windows provides context and contrast as to why there are essentially no viruses in Linux. Although the answer to this question is certainly open to debate, there is some general agreement on three main points.
First, by design, Windows is a fairly open operating system. The company maintains that allowing a more open interaction (i.e., a less restrictive environment) provides a richer experience for Windows users, and it has designed a range of integrated applications that freely share data not only across the platform but also with remote computers, across networks and the Internet, that host the same software. While this no doubt can increase the ease of use for more complex operations, it also opens up a monolithic information interchange environment that is extremely vulnerable to widespread outbreaks of malware.
Second, unlike Linux, the user almost always has full administrative privileges, in many cases, without even password protection. Malware that gains access to a user account has complete control of the operating system. And, finally, Windows has a dominant market share of over 90% as of this writing. Malware that can break into the Windows data interchange environment can literally spread around the globe within days. For these reasons, Windows is a very attractive target for malware developers and is plagued by thousands of malicious software applications.
Why are there no Linux viruses?
Well, to be completely accurate, there are prototype Linux viruses that have been demonstrated in the lab. However, as of this writing, there are no Linux viruses "in the wild" (i.e., circulating on the Internet). As one might expect, the topic of Linux viruses is the subject of much debate, but most people agree on at least three main reasons for the lack of Linux malware: permissions, root/user access, and a wide range of Linux variants. In each of these areas Linux is the antithesis of Windows.
First, Linux supports file-specific restrictions known as "permissions". Although Windows also supports permissions, the casual Windows user rarely deals directly with such file restrictions, instead relying on default settings that are less restrictive (and less secure) than Linux permissions. Permissions specify what a user can do with a file: read, write, and execute it. In addition, permissions are further delineated by three levels of access: the root user, the individual user, and everyone else. Malware trying to compromise a Linux system would require root execute permission to run. In other words, you, running as root, would have to explicitly give malware permission to infect your system because newly downloaded email and web browser files are never given execute permission.
Second, also unlike Windows, Linux users do not normally have root (administrative) privileges. Users are educated and encouraged to never run as root and, accordingly, very few do. This strong separation between users and root means that even if a user, running in user mode, were to run malware the damage would be limited to his or her home folder and would not impact the operating system itself. So, in order for malware to compromise a Linux system, the following would have to occur. The user would have to view a web file link or read an email, save that file or the email attachment, become root and give that file or attachment execute permission, and then run the file or attachment. In Windows, simply clicking a link can infect the operating system.
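The execute-permission behaviour described above can be checked on any Linux system. The following is an added example, not part of the original wiki page: it audits a folder for files that have been given execute permission and removes that permission. The folder and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki. All file and directory names are constructed.

# Print "yes" if the current user may execute FILE, otherwise "no".
# Nothing is run; only the permission is tested.
can_execute() {
    if [ -x "$1" ]; then echo yes; else echo no; fi
}

# List regular files under DIR that have any execute bit set
# (owner 100, group 010, other 001), one path per line, sorted.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Remove every execute bit from the files found above; print how many changed.
strip_exec_bits() {
    list_exec_files "$1" | {
        n=0
        while IFS= read -r f; do
            chmod a-x "$f"
            n=$((n + 1))
        done
        echo "$n"
    }
}

demo() {
    d=$(mktemp -d) || return 1
    (
        umask 022
        # A file written by redirection is requested with mode 0666, so after
        # the umask it is 0644: readable, but with no execute bit.
        printf '#!/bin/sh\necho hello\n' > "$d/attachment.sh"
        cp "$d/attachment.sh" "$d/marked.sh"
        chmod u+x "$d/marked.sh"    # the explicit step a user would have to take
    )
    echo "freshly saved file executable? $(can_execute "$d/attachment.sh")"
    echo "files with an execute bit:"
    list_exec_files "$d"
    echo "execute bits removed from $(strip_exec_bits "$d") file(s)"
    rm -rf "$d"
}

demo
```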
And finally, unlike Windows, Linux has a myriad of variants, running many architectures, supporting disparate packaging systems and shells. Furthermore, beyond the Linux kernel, there is no single overarching standard for Linux applications. Of course, there are data standards and formats, but nothing like the fundamental monolithic information interchange environment that is defined by Windows. A Linux malware developer is presented with the much more difficult problem of writing malicious software that is specific enough to target an exploit while being generic enough to infect a range of Linux variants. So even if a user were foolish enough to run malware, it is highly unlikely that the code would spread beyond a limited number of machines.
With no Linux viruses, why do I need to run antivirus software?
The answer to this question is pretty straightforward. Even though you, as a Linux user, are "immune" to Windows viruses, your machine can easily become a "carrier", receiving and re-transmitting malware. As a carrier, you are just as much at fault in spreading the malicious code as a user of a compromised Windows machine. By not scanning incoming files and emails, you may be responsible for infecting your friends' Windows machines and, thus, assisting in the spread of a malware outbreak. So, having said this, there are two practical uses for a Linux antivirus application: to scan a local Windows drive on your PC and/or Windows machines on a network for viruses, and to scan files and emails that you send to other people. From a more theoretical (and highly unlikely) perspective, your antivirus software can also scan for new Windows viruses that might run in Wine, and there is also the possibility that the first Linux virus might show up.
List of Antivirus Software
The following is a partial list of antivirus software currently available for Linux operating systems. Only software that is free or free for non-commercial use is shown.
- Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. This is currently the RECOMMENDED antivirus software for Mepis and can be installed through Synaptic.
- KlamAV is a graphical user interface front end to ClamAV that serves as an anti-virus manager for the KDE desktop. KlamAV can be installed through Synaptic.
- ClamTk is also a graphical user interface front end to ClamAV based on gtk2-perl. ClamTk can be installed through Synaptic.
- Avast! Linux Home Edition is offered free of charge but only for home, non-commercial use. It can be downloaded as a .deb package from the Avast! website.
- AVG Anti-Virus Free Edition can be downloaded as a .deb package from the AVG website.
- Avira AntiVir Personal is a free personal antivirus application that provides basic protection against a range of malware. It can be downloaded and installed using a TAR'ed bin package with install script and uninstaller from the Avira website.
- F-PROT Antivirus for Linux Workstations is free for use by personal users on personal workstations. It is only available as a GZIP-ed TAR file that can be downloaded from the F-PROT website.
- XFProt is a graphical user interface front end for F-PROT. It can be downloaded as a .deb package from the XFProt website.
- Linux Malware Detect is a free, open source, restriction-free tool for Linux that focuses on malware detection. It is only available as a GZIP-ed TAR file that can be downloaded from the Linux Malware Detect website.
As mentioned previously, in contrast to the absence of Linux viruses, rootkits are indeed a dangerous threat that can be extremely damaging to Linux systems. Rootkit malware is designed to surreptitiously take over root (i.e., administrative) control of an operating system. Since rootkits operate as root, the malware has complete access to the entire computer system and can be designed to compromise a variety of components within the system such as the bootloader, the kernel, BIOS, hypervisor, and libraries. Although placing a rootkit in a Linux system is difficult, Linux users tend to view this as a threat not to be ignored. Accordingly, several Linux rootkit scanners have been developed, with the two most widely used being:
- chkrootkit is a command line tool that searches the local system for signs that it is infected with a rootkit. chkrootkit can be installed through Synaptic.
- Rootkit Hunter (rkhunter) is a Unix-based command line tool that scans for rootkits, backdoors, and possible local exploits. rkhunter can be installed through Synaptic.
Related Mepis Wiki Links
- ClamAV -- an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. This is currently the RECOMMENDED antivirus software for Mepis.
- chkrootkit -- command line tool that checks for rootkits on local system.
- rkhunter -- command line rootkit and vulnerability scanning tool.
- RootKit Detector -- Mepis Wiki Rootkit Detector Page.
- Mepis Wiki General Knowledge Database -- Security section of the general knowledge database Mepis Wiki page.
- Mepis Wiki Linux Software -- Security section of the Linux software Mepis Wiki page.
- Mepis Wiki: ICDL Using a Computer Chapter 4. Viruses
Other Related Resources
- Clam AntiVirus Homepage
- ClamAV Manual
- ClamAV Wiki
- KlamAV Homepage -- a graphical user interface front end to ClamAV that serves as an anti-virus manager for the KDE desktop.
- ClamAV and KlamAV Wikipedia
- ClamTk Homepage -- a graphical user interface front end to ClamAV based on gtk2-perl.
- Avast! Linux Home Edition Homepage
- AVG Anti-Virus Free Edition Homepage
- Avira AntiVir Personal Homepage
- F-PROT Antivirus for Linux Workstations Homepage
- XFProt Homepage
- XFProt Ubuntu Wiki Documentation
- Linux Malware Detect Homepage
- Linux Malware Detect Wiki
- chkrootkit Homepage
- chkrootkit Wikipedia Page
- Rootkit Hunter (rkhunter) Homepage -- Site of current project.
- Old rkhunter Webpage
- rkhunter Wikipedia Entry