[sf-lug] Linux Anti-Virus tool - comments requested...

Rick Moen rick at linuxmafia.com
Fri Jul 27 00:22:41 PDT 2018


Quoting Robert Johnson (emailbox6357 at gmail.com):

> About six months ago or so I remember reading a story in one of the
> computer magazines - can't remember which one - and someone reported
> that a Linux server was "infected" and hacked in some fashion and the
> business had to pay to get back control of their server.  They also
> mentioned, surprisingly, that the company had not updated the server
> in several years!  If it ain't broke, right?!?!  Thanks for the info
> on your "rant" page.

Yr. very welcome!

One can make a good argument for searching _some_ Linux machines for
MS-Windows malware, specifically Linux machines that handle files
destined for Windows machines, e.g., Linux SMTP servers processing
incoming mail for Windows users, and Linux Samba servers providing file
and printing shares intended to appear in Network Neighborhood.  Because
so many Windows boxes are operated in a manner vulnerable to malware
aimed at them, and run by users who'll never learn how to simply 
_avoid running_ such malware, the need is widely perceived to filter out
arriving Windows malware before it reaches them.

As it happens, there's a pretty decent and 100% open source virus
scanner that looks for MS-Windows malware on Linux (and other OSes).
It's called ClamAV.  Not (IMO) in the least bit coincidentally, ClamAV
is almost the _only_ malware scanning program that warned users about
Sony's infamous corporate-issued BMG rootkit in 2005.  Practically 
all the others corruptly (or incompetently, take your pick) ignored Sony's
corporate malware.

About that magazine story you mentioned:  As most folks are aware,
reporters at magazines and newspapers are almost always starved for
easily usable material and must find enough of it, just about invariably
on short deadline.  And there, like a miracle, there appear press
releases from AV/security companies.  Do they mind the reporter
copy/pasting and publishing the press releases as news?  Heck no.
That's basically what they're there for.

As you suggest, a Linux server unmaintained for long periods of time is
at even greater risk (generally speaking) of security compromise than a
Linux desktop box given the same treatment.  So, the course of action 
that follows tends to be as follows:

1.  After years of neglect (accumulating unfixed security bugs in 
    public-facing software), someone finds a path in.

2.  That person probes the system's security from _inside_[1] to 
    escalate privilege to superuser authority.

3.  Then, still later, the intruder installs custom software to
    hide his/her presence (a 'rootkit').

4.  Then, still later, the intruder installs a backdoor feature
    to permit re-entry if discovered and ejected.

5.  Much later, the backdoor is discovered and proclaimed a 'virus',
    and the rootkit is maybe discovered and called 'malware'.

6.  Some antivirus company then writes a press release about this, 
    carefully omitting the entire history up to step #4[2] and acting
    like it was incomprehensible black magic.

7.  Profit!


> About a year ago I switched to Bitdefender because they have a package
> that is Linux compatible.  I never purchased it, but I kept thinking
> about it.  Every time some new virus was discovered I would think about
> it. 

My own view about that, which I offer for your kind consideration, to
agree with or not:  IMO, the only truly interesting question about a
piece of malware is this one -- how does it get loaded and run?

Code that isn't ever loaded and run is by definition _inert_.  E.g.,
starting back in the 1980s when I was IT staff at a software firm, I had
a 'library' of dozens of MS-Windows viruses stored on a stack of
floppies (plus a separate stack of MacOS viruses), that I'd captured
copies of for my ongoing amusement.  People visiting my desk would see
the floppies and ask if I weren't afraid of them.  Me:  'What, because 
they're going to leap out and bite me?'  The visitors were making no
effort to understand _mechanism_.  Just sitting there, the files were
obviously dead.  Only if _executed_ on a compatible OS, with adequate 
system authority to do mischief, could they do anything at all.
Obviously, part of the entire point of my zoo of viruses was that I was
_not_ going to go way out of my way to run them.  They were viruses
under glass, pinned to a specimen display.

Every time you read an article announcing 'new virus discovered', read
carefully to find the detail about how it gets loaded and run.  99 times
out of 100, you'll find that detail utterly missing (or that what is
said makes no sense).  _If_ you are able to track down 'how does it get
loaded and run', inevitably you find either:

a) User has to carry out extremely and obviously foolhardy actions, or
b) User left the machine wide-open to intrusion, and the intruder 
   got in through means unrelated to the malware, seized control of
   the machine, and _then_ installed the malware.  (Thus Moen's 
   Third Law of Security, cited in the footnotes below.)



[1] http://linuxmafia.com/~rick/lexicon.html#moenslaw-security1

    Moen's First Law of Security

    "It's easier to break in from the inside."  E.g., many Internet
    break-ins result from masquerading as a legitimate user to gain
    user-level access, e.g., with sniffed passwords.  The 
    attacker then has a dramatically wider selection of system weak 
    points he/she can attack, compared to penetrating from outside.



[2] http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3

    Moen's Third Law of Security 

    "Malware is _not_ a security problem; malware is a secondary 
    _after-effect_ of a security problem."
    [...]



