Skip to content
Naked Security Naked Security

Malware on Linux – When Penguins Attack

If you really want to fan the flames of controversy, ask the question, "What about malware on Linux?" We asked...here's what we found out.

Attack penguin courtesy of Shutterstock

Regular Naked Security readers will know that some security topics cause more friction that others.

Lately, artificial intelligence has provoked its fair share of excitement.

Surveillance and privacy are other topics that draw out some very varied viewpoints.

But if you really want to fan the flames of controversy on Naked Security, put on your asbestos underwear [they don’t use that any more – Ed.] and ask the question…

What about malware on Linux?

Here’s how the argument might go if you were to ask that question:

  • Malware is impossible on Linux because Linux is secure by design, unlike Windows.
  • Even if Linux malware were possible, users would have to agree to run it, so that wouldn’t count.
  • Even if users agreed to run it, they wouldn’t be root, so that wouldn’t count.
  • Even if they were root, who cares? There isn’t any malware for Linux, so there.

The simple truth, of course, is that Linux is much more similar to Windows – in design, implementation and real-world security – than it is different.

As a result: there is malware for Linux; it can do plenty of harm even if you aren’t root; and it may be able to infect without you realising.

Just like on Windows.

For all that, the “malware scene” on Linux simply never unfolded like it did on Windows, because the vast majority of Linux computers are servers, not desktops.

What happened instead? How big is the malware scene on Linux? How much risk does it pose? What could that do to your business? What can you do about it?

Sophos security expert and fellow Naked Security writer Chester Wisniewski set out to answer all those questions.

And in this fascinating podcast, intriguingly entitled When Penguins Attack, Chester explains what he found:

LISTEN NOW

Malware on Linux – When Penguins Attack

(Audio player not working? Download MP3, listen on Soundcloud, or read the transcript.)

SOPHOS LINUX PROTECTION

Are you a security sysadmin?

Sophos Cloud Server Protection now supports Linux, so you can protect your Linux servers (and desktops!) from the same console that you use to look after your Windows and OS X computers.

Are you a Linux user?

If you don’t need a management console, you can use Sophos Antivirus for Linux Free Edition – on desktops and servers, at home and at work.

Want to improve your Linux security?

Linux fan Paolo Rovelli of SophosLabs gives you 5 tips to improve your Linux security.

25 Comments

“Just like on Windows.” No, not even close.

Not to be picky, but you *might* want to help me through your reasoning a bit…I’m not entirely clear on it at the moment :-)

FWIW, we’ve seen cross-platform malware that can work on both Windows and Linux, which seems to support my “just like on Windows” suggestion fairly strongly.

Note that I am not saying that the malware *scene* on Linux is “just like Windows,” mainly because the whole point of the article is that is *isn’t* – the crooks have taken to Linux in a completely different way, and the podcast explains how and why.

I’m just saying that the stuff crooks do with Windows malware *could* be done on Linux if they felt like it. (And might very well be if there were enough money in it.)

For example, imagine trying to write a keylogger for Linux. Ah, there is one already…it’s called “script.” Imagine trying to write a TLS-based data exfiltrator. Ah, you’d just use cURL or WGET. One of them will be there, like as not. Or imagine trying to run a process in the background so it isn’t obvious. Or wanting to set a script to run whenever you log in.

See where this is going? Sadly, a lot of malware is surprisingly like decent software, just that it’s deployed by crooks, unnoticed by trusting users, and communicates back to dodgy web sites.

I tried sophos AV for linux. It was difficult to get working, flakey, and generally much too hard for an ‘ordinary’ user (even with 40+ years experience). I had to give up on it. Even posting on their open forum failed to resolve the problems I had.

Thanks for the feedback. Sorry to hear the tool wasn’t effective. I will make sure to pass along your feedback to our free tools team. If you’d like to send us more details, we’d be very grateful – you can send that to tips@sophos.com. Thanks.

I too agree that antivirus and malware solutions require too much thought and attention on Linux. Viruses and Malware are not enough of a threat to invest money to solve the problem. I only use Linux for a secondary desktop and home server, which are not on 24/7. I do not use any 3rd party security tools, just the built-in firewall and various Ubuntu server configurations to secure it as best as possible.

I hear you, but I think you might be over-estimating how much “thought and attention” is needed, at least for Sophos Anti-Virus for Linux (though I am not convinced that thought and attention are best avoided, anyway :-)

The complaint we used to hear is that “there’s no malware for Linux,” even as the crooks stormed in and stole bandwidth and server space left, right and centre. (Some users still seem to think malicious code on their computer that can only harm other people isn’t their problem, and thus isn’t a problem at all.)

Then it was “anti-virus slows Linux down,” which many people repeated because it was what they’d heard, not what they had measured. When they did, they often found that the overheads were as good as irrelevant.

I’m intrigued to see that we’ve moved onto “it needs too much mental effort, so not worth it.”

Why not try it and see…once you’ve got the thing installed, it mostly looks after itself. And it’s free, which reduces the money you have to invest a fair bit.

I may be biased here, but if you can handle iptables, you can *definitely* deal with Sophos on Linux :-)

BUT – can we get an even more interesting “picture”?

Of those – say 80% – that were more or less using LINUX/UNIX – can we find out how many were using a version of SELinux / MAC / FMAC and not just “vanilla” DAC, as per old time UNIX? In other words, as pointed out during those long ago (15 years) days of the proposal to get SELinux up and accepted, does it really demonstrate what it was supposed to do – simply, full, mandatory and enforced tagging just really reduces (stops?) most if not all current malware attempts at the server (or even client) level where SELinux is properly deployed?

As Chester explained in the podcast, he was super-conservative about how he estimated how his list of sites got pwned. He looked legally at externally-visible content only.

So we can’t answer that question, though it is a good one to ask. (I think I’d hazard a guess that sysadmins who are up to the task of mandatory access control are probably willing and able to patch known holes within a year, and not to upload new JavaScript to their CMS using FTP :-)

There’s also the fact that the strongest security on your servers doesn’t help if your site makes use of third party ad networks that serve up some of your content (including stuff like JavaScript and Flash), deciding on the fly what to choose for this or that visitor. The crooks just go and poison today’s advertising queue, and you get “infected by proxy,” as it were.

Malvertising, as it’s known, is a royal pain for malware researchers because one poisoned ad could appear in millions of web pages ostensibly from safe sites, yet – by accident or by design – might never show up at all when the researchers try to track it down.

Exactly Paul. In fact, my company secures Linux servers with least privileged, role based access controls…yet about a month ago, an ad appeared at the bottom of our site selling custom bobble heads!

Ah, you never know when you’ll need a customer bobble head!

(Actually, I don’t even know what a bobble head is, let alone why I might want one. I suppose those guys aren’t marketing at people like me.)

“The simple truth, of course, is that Linux is much more similar to Windows – in design, implementation and real-world security – than it is different.”

God will forgive for the truth you not known Ducklin. However me and the world of Linux would not.

How come such a responsible blog allows these kind of garbage, under developed, non-researched, kid’s stories? To increase their sales on Anti virus software?

Simple truth is, there isn’t any system, platform, framework that can flag as secure, every system has its own weak points and plus points.
When its come to Linux + Security, it also has weaknesses. However when its compares to the Microsoft/Closed source world it is like coffee bean compares to an apple.

However why should we purchase a license, when we have sophisticated systems to overcome these matters in open source way?

It’s funny that you ask “why should we purchase a license” when Sophos Anti-Virus for Linux Free Edition is, well, free :-)

Aaaaargh! It’s happened again. I got trolled, didn’t I?

Nothing is free in our days.
Free antiviruses are actually acting as an keylogers and telemetry collectors to supply you with ads later.
Nothing is free!

If you wish to make public accusations like that (with the clear implication that Sophos’s anti-virus is logging keystrokes for nefarious purposes)…

…I do wish you would produce some real evidence :-)

(Yes, part of the cost of “free” with our product is that we do collect telemetry, and that helps you and everyone else – it is, if you like, a community service for free users that also, admittedly, helps our paying customers too. I think you will find that the sort of data we collect is pretty well depersonalised. For example, we might know that you had a specific EXE file on your computer, but nothing more about it. If we later figure out that file, by its hash, happens to be NOTEPAD.EXE, we know your IP address had NOTEPAD lying around somewhere at a given time and date. But if we figure out that hash is now known to be malware, because we saw it on another infected computer 74 seconds earier, we can help you block it *immediately* without waiting for SophosLabs to publish an update, or for your computer to consume it. I think we are pretty open about what and when we collect, what we do with it, and what benefit you get from it. As for “the ads we might supply you later” – you can probably guess what they might be. In fact, they’re already on this very page, down towards the bottom.)

I wish you had put more actual info in the article instead just using it as a teaser for a podcast. Its an interesting premise and I would like to learn more but I hate to listen to podcasts so I guess I will never know.

Chester has a way with words and it’s a pleasure to listen to him explain things at talking speed. Many people find that listening helps them learn and recall facts more easily than reading – so sometimes we do articles which are geared towards those people, to go alongside the hundreds of written articles geared towards people like you.

(As an aside, you could at least try listening for a minute or two out of politeness, instead of just telling us you hate our work pre-emptively. FWIW, this is *not* an hour-long rambling riff-session like you might have heard in other podcasts. It’s tightly edited and sounds like a decent science program on BBC Radio 4. Well, we think so, anyway :-)

Oh, by the way…you could also try clicking the link that says “read the transcript.” Then you could read the transcript.

What a great article!

Waking up this morning prior to daylight due to a coughing fit……it’s freezing here under the southern cross these days…….I just quickly read this article as I am not a Linux user……,But…….as I scrolled quickly down the iPad to vote, I Accidentally clicked onto the podcast on the way through.

How pleased I was that I stayed on the podcast with Chester and Paul………….No doubt about it…..

Equivalent to BBC Radio 4!

I learnt so much that I can use……fantastic…….and I reckon a lot of it I can pass on to some of my recalcitrant friends, other oldies like me…….who proudly tell me they don’t trust updates, then phone me when they have a problem!

Thank you Paul and Chester.

Of course it’s in Sopho’s interest for people to buy anti virus software. I work in IT and have been a specialist in Open Source software for nearly 20 years. Not once have I had a virus on a Linux machine. You do need to take precautions, but Unix/Linux based operating systems are build with security in mind. Windows was designed for ease of use and security took a back seat IMHO.

What appears to be taking place here is your attempting to tell the consumer that they have a problem that you are willing to take care of… as opposed to providing a solution for a problem that the consumer recognizes they have… I see it as being akin to a plummer telling you that your sewer lines will plug up… So we have a solution for you that will keep them open 24/7 (that is free by the way)…

Errr, is that criticism or praise? I think it’s praise (a free plumbing solution that would keep your sewerage system clear so you’d never need to call out a plumber sounds like a good, preventative approach to me :-)

To be fair, this podcast is aimed more at sysadmins who look after Linux in organisations – where they will probably be running a bunch of public-facing servers – than it is at consumers who run Linux at home.

Having said that, Sophos for Linux is free for home or business use, so…if you’re worried about those sewer pipes clogging up, this one’s for you :-)

Weak closed-source software is exactly what makes Linux unsafe. Whether the driver is, or often unsafe programs such as antivirus software running with root rights. Recently, there was an in-depth analysis of Android gaps, such as Stagefright and Co, which were more than 80% due to closed manufacturer drivers, which have no influence on Android. This means that closed drivers are basically a mistake, and especially with short development times as under Android. Similarly, this means that Android without closed gum drivers would be much better off in terms of security.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?