Virus in Linux - new reality

New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
Falcony
Full of knowledge
Full of knowledge
Posts: 237
Joined: 01 Jan 2011, 12:44
Location: Russia

Virus in Linux - new reality

Post#1 by Falcony » 05 May 2017, 08:53

Dear porteus users,

Please note that statement "Currently under linux there no viruses so you do not need anti-virus" currently do not reflect new reality of of last 2 years.
All dangerous code comes from Android - that also Linux, which very popular.
Seems then code adopting by malicious people for popular distributions, please see https://vms.drweb.com/database/?lng=en
Using keywords:
https://vms.drweb.com/search/?q=Android
https://vms.drweb.com/search/?q=Linux
etc.

Also not in list Crossplatform viruses - but it is hundreds.

And many do not in list as there just not added to database.

It is very ease to catch virus under Linux - just open web-site which was affected by virus - or just open OpenOffice documents.
Malicious code cod work even not using superuser privileges - there many places in Linux from which it could start script - for ex. .bachrc or under scripts X applications.

So you are have warned. Be care.

Dear Developers of porteus and community members,

To prevent virus danger we need to enable auditing option in next releases - to monitor files modification and network establish connection records.
Also may be some free tools of free Anti-virus also need to be included to next releases with DE modules. Not only scanning tools but also real-time file monitoring.

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Virus in Linux - new reality

Post#2 by brokenman » 06 May 2017, 22:19

Thanks. I remember years ago on the forum making the comment that it is only a matter of time before linux like operating systems become the main target of viruses/malware/worms etc.

Like a living virus, it will go where the population is. The population is moving towards mobile devices in which android has a strong foothold. Thanks for the reminder.
How do i become super user?
Wear your underpants on the outside and put on a cape.

Evan
Shogun
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: Distribution: *

Re: Virus in Linux - new reality

Post#3 by Evan » 06 May 2017, 22:35

One of the benefits of a Read-Only live system is you can only be infected for that running sessions , unless you are really unlucky to get something memory resident that can survive reboots if you never power off the PC.

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Virus in Linux - new reality

Post#4 by brokenman » 06 May 2017, 22:40

I remember one unlucky user that apparently received the badbios bug which infected the firmware of his machine. This certainly survives a reboot.
How do i become super user?
Wear your underpants on the outside and put on a cape.

Evan
Shogun
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: Distribution: *

Re: Virus in Linux - new reality

Post#5 by Evan » 06 May 2017, 23:52

If the News articles about BadBios are true then only a handful of people worldwide have been known to be infected and it was a certain brand of Motherboard via an attachment for Windows 8 and the people in question all seemed to be on a watchlist for being political activists and such.

So it makes you wonder what that user was up to.

Image

*edit*

But then again maybe i'm confusing BadBios with Airgap?

AirGap , BadBios , BadUSb , BadSSD , Heartbleed and now the latest that certain Intel CPU's manufactured since 2010 have a firmware based backdoor that can be exploited without the need of a Host OS at system level it's hard to keep up with it all.

Intel Vpro you can remotley access the PC across a network exactly the same as if you are physically sitting at the PC and physically turn the PC on and off so my point about a read-only live system is pretty pointless under that situation. :)

Falcony
Full of knowledge
Full of knowledge
Posts: 237
Joined: 01 Jan 2011, 12:44
Location: Russia

Re: Virus in Linux - new reality

Post#6 by Falcony » 17 May 2017, 06:00

Evan wrote:One of the benefits of a Read-Only live system is you can only be infected for that running sessions , unless you are really unlucky to get something memory resident that can survive reboots if you never power off the PC.
Depends. 8)

If live is live - and fresh boot - yearrr.. But
If user use some kind porteus saving - which saved all changes during his sessions - then, u see... =@

Other matter - even session if it run and catch ssh certificates or passwords - quite enough to have to be compromised some sensible user data.

And one more - please look at https://vms.drweb.com/virus/?i=7924647&lng=en
it is only beginning/ In future we will be surprised by much more sophisticated dander code - not all under linux 0nly.

Evan
Shogun
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: Distribution: *

Re: Virus in Linux - new reality

Post#7 by Evan » 17 May 2017, 07:22

It would have been better worded if i said " a read only live system is more difficult to infect " rather than giving the impression that it couldn't be infected.

:good:

Falcony
Full of knowledge
Full of knowledge
Posts: 237
Joined: 01 Jan 2011, 12:44
Location: Russia

Re: Virus in Linux - new reality

Post#8 by Falcony » 30 May 2017, 08:48

Added files changes monitoring and network connection logs in new release of FIDOSlax
and also ClamAv RealTime monitoring.
For details see http://forum.porteus.org/viewtopic.php? ... 525#p55525
And documentation, item 12
https://fidoslax.github.io/fidoslax/FID ... stable.pdf
but it only in Russian but if you take it to Google translater...:)

Bogomips
Full of knowledge
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: Virus in Linux - new reality

Post#9 by Bogomips » 01 Jun 2017, 21:09

Thanks for the heads up. We have been informed just what can be infected, which seems just about everything. However feel we are lacking in information on how this is being done. Is the carrier just Javascript, or are there other carriers to watch out for? Also the kind of procedure being used to do this, would also be of interest. :unknown:
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

Falcony
Full of knowledge
Full of knowledge
Posts: 237
Joined: 01 Jan 2011, 12:44
Location: Russia

Re: Virus in Linux - new reality

Post#10 by Falcony » 02 Jun 2017, 07:03

Bogomips wrote:Thanks for the heads up. We have been informed just what can be infected, which seems just about everything. However feel we are lacking in information on how this is being done. Is the carrier just Javascript, or are there other carriers to watch out for?
Most linux viruses now - is for Linux devices. Known I mean.
For desktop distributions most users assumes that "under linux there no virues" - so they even do not know that their distribution compromised as do not use file and network monitoring tools and antivirus.
As far I read for desktop linux security reviews of antivirus companies some injection comes from java, 0day, from compromised sites or forum, then when you open PDF files or OpenOffice or MS Office files - some scripting which download additional components.

Some info for understanding you could find in English - report of Dr.Web company for 2016 y
https://news.drweb.com/show/review/?lng=en&i=11093
see Linux item in the bottom.

And this
https://news.drweb.com/

links an left pane also could help

Personally me found on one Arch Linux desktop this virus: Linux.BackDoor.Bew.9
It is not described in Dr.Web database - not all signatures are described - as required more human work.
But class of this virus is described: https://translate.google.ru/translate?h ... ckDoor.Bew

I suppose it is has similar function as this virus - see full description
https://translate.google.ru/translate?s ... t=&act=url

Other viruses i found on this arch linux distribution using this free tools from Dr. Web (https://free.drweb.com/aid_admin/?lng=en) was
Trojan.Swrort and JavaBitCoin.Miner.
Also the kind of procedure being used to do this, would also be of interest. :unknown:
Procedure is quite simple.

1) File monitoring done via cli tool which called fatrace (see man page for details) - all changes of files logs to /var/log/files-mon
2) Program monitoring done via netstat - which called each minute and log established connections to log /var/log/program-mon
3) ClamAv Real-Time monitoring - read this
http://blog.clamav.net/2016/03/configur ... lamav.html
Take a note that CONFIG_FANOTIFY_ACCESS_PERMISSIONS kernel option not supported by Linux kernel (i see discussion on kernel.org - developers do not understand that it is needed now and skip it as it could make system bottleneck)

So Real-time monitoring is only for monitoring - it cannot lock virus - only for inform user about.

Dr. Web antivirus which I reviewed is not work for most Linux distributions (as it is only for RPM disros)

4) For showing virus warning and last events of files and network connection monitoring I wrote simple parser on bash - if shows data via root-tail utility
Last edited by Falcony on 05 Jun 2017, 08:27, edited 1 time in total.

Bogomips
Full of knowledge
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: Virus in Linux - new reality

Post#11 by Bogomips » 02 Jun 2017, 11:59

^ Thanks for detailing procedure used to combat virus. However I meant the procedure used by the virus to infiltrate the system. There is in java a policy filter which blocks access to local filesytem by default. So how does virus overcome this?

As a rule, do not open the Office(never opened) or PDF files online, due to low spec system. Only rarely pdf files. However then just need to save the file and then run some sort of virus checker on pdf file prior to opening offline, as a precaution.

So, mustn't touch arch packages, or at very least must handle with care.

Any more? :Search:
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

User avatar
normalGuy
Black ninja
Black ninja
Posts: 52
Joined: 06 Nov 2015, 23:36
Distribution: porteus 3.2 xfce archBang
Location: uk & portugal

Re: Virus in Linux - new reality

Post#12 by normalGuy » 02 Jun 2017, 21:26

Hello,

I'm pretty safe what the the dev's of archlinux will have to say about this...

Are we talking about AUR packages the PPA equivalent, that's other thing: take your on risk: =@

And yes I use(d) anti-virus: from clam to other commercial stuff.

Falcony
Full of knowledge
Full of knowledge
Posts: 237
Joined: 01 Jan 2011, 12:44
Location: Russia

Re: Virus in Linux - new reality

Post#13 by Falcony » 05 Jun 2017, 08:21

Bogomips wrote:^ Thanks for detailing procedure used to combat virus. However I meant the procedure used by the virus to infiltrate the system. There is in java a policy filter which blocks access to local filesytem by default. So how does virus overcome this?
Via security vulnerabilities - know and unknown (0day). And not only java.
Here is the list for Adobe Reader

https://www.cvedetails.com/vulnerabilit ... eader.html
As you see this software is quite vulnerable itself.

Do you have pdf plugin in your browser, it is updated?
If even so there could be 0day in using which you will got code which could run locally.
As a rule, do not open the Office(never opened) or PDF files online, due to low spec system. Only rarely pdf files. However then just need to save the file and then run some sort of virus checker on pdf file prior to opening offline, as a precaution.
As the rule. And do not forget regarding browser plug-ins - very common situation that updated browser has vulnerable popular plugins - like flash, pdf - etc.
So, mustn't touch arch packages, or at very least must handle with care.

Any more? :Search:
No. It is not much related to packages itself or system security - because it is related to you as you do some actions locally. If you check samples of viruses upper - it could work in home directory - with ordinary user's right and after reboot it will be running again.
Then it could enable key logging - and use your password for sudo or use certificates.

Post Reply