Friday, October 12, 2007

So You Want to Know How to Use Anti-virus Software on Ubuntu?

You've got an Ubuntu system, and your years of working with Windows make you concerned about viruses -- that's fine. While Ubuntu (and Linux in general) is a very secure system, and Ubuntu comes with no "open ports" (that means avenues by which worms can get into your system without your assistance), there is always a certain danger from malicious software. The following is an overview of the entire list of Linux viruses and worms known at this time, courtesy of Wikipedia:
  • Net-worm.linux.adm: This is a worm from 2001 which exploited a buffer overrun (one of the most common methods for viruses). It scans the network for computers with open ports, tries the attack, infects web pages hosted on the system and propagates further. This worm is not dangerous to you because the buffer overruns have been patched for years and you do not have any open ports.
  • Adore: An infected computer scans the network for DNS, FTP, and printer servers, infecting them using various methods. A backdoor is installed and the worm propagates itself. This worm is not dangerous to you because the methods of attack are also from 2001 and have been long patched. Even if they weren't patched, you don't have these services running on your Ubuntu system.

  • The Cheese Worm uses a backdoor which was installed by another worm, removing the backdoor and propagating. It is, in fact, an attempt to clean an already infected system. This worm is not dangerous because the worms it needed to propagate are no longer dangerous. Whether it was ever dangerous in the first place is debatable.
  • Devnull is a worm from 2002 which used an old OpenSSL to infect a system, becoming part of an IRC controlled botnet. The worm could only propagate if a compiler was present on the system. The vulnerability this worm used has long been patched. OpenSSH is not installed on your system by default.
  • The Kork Worm uses the Red Hat Linux 7.0 print server and needs to download part of itself from a website. That website no longer exists. Red Hat 7.0 is not Ubuntu Linux. You are safe.
  • The Lapper Worm has no information about it at all, anywhere, so I can't give you any information about it, but it was added to the list in 2005, and any vulnerabilities it exploited have almost certainly been patched by now. I can't say for certain whether this worm could affect you or not, but most vulnerabilities are patched within days, not weeks, so two years makes it very unlikely you could be affected by this.
  • The L10n Worm (pronounced "Lion") was active in 2001 and used a printer server for exploit. The vulnerability has been patched and the server is not installed on Ubuntu. This is no danger to you.
  • The Mighty Worm appeared in 2002 and used a vulnerability in the secure session module of the old Apache web server, installing a backdoor and joining an IRC botnet. This vulnerability has been patched, Apache is not installed on your system, and the entire architecture of the web server has changed. You can never get infected.
  • The Slapper Worm used the same vulnerability as the Mighty Worm and operated similarly. You can't get this one, either.
  • The Alaeda Virus is relatively recent (May) and infects other binary (program) files in the same directory. If you run as a normal user doing non-programming work, you should not have any other binaries in your home folder. Alaeda won't have anything to infect. This is a good reason why you shouldn't download and install random files off the Internet. If you don't know why you're typing in your password, don't do it. Realistically, though, ELF files (the Linux equivalent of a Windows .exe) are pretty picky about what system they run on, so the chance of getting infected is slight.
  • The Binom Virus is from 2004 and affected ELF files in a similar manner to Alaeda. The same conditions apply here. Your chance of getting infected is zilch if you don't give a password, and not much even if you do. Be safe, though, and don't run random attachments.
  • The Bliss Virus was probably a proof-of-concept by someone from 1997 trying to prove that Linux could be infected. Because of the Linux user privilege system and the thousands of versions of Linux, it didn't do well at all. This one is in the same boat as the two others. Almost nothing about the Linux kernel is the same as it was in 1997. Don't worry.
  • The Brundle-Fly Virus was a research virus for an operating systems course and was never in the wild. It even has a web page and an uninstaller. If you want to get infected by a virus, this one is good. You'll need to compile it for your system, though, so be prepared to follow a lot of complicated instructions.
  • The Diesel Virus is called "relatively harmless" by . It's an ELF virus, just like the others, discovered in 2002. No need to be concerned.
  • The Kagob Virus comes in two flavors and even contains a copyright notice (2001). There are no symptoms of infection. Interestingly, when run, the virus disinfects the infected file to a temporary directory before running, then deletes the file after it is executed. Same ELF problems as before. You won't get this one, either.
  • The MetaPHOR Virus is another project with its own . The exact function and evolution of the virus is laid out. From 2002, it shouldn't represent any risk, even if you can find one in the wild. If you really want to get infected, download the source and compile it yourself.
  • OSF.8759 is the first really dangerous virus on the list. It not only infects all files in the directory (and system files if run as root), but also installs a backdoor into your system. The backdoor doesn't suffer from the problems of normal ELF viruses because the virus itself loads the backdoor. This means that the virus still needs to work under ELF, though, limiting the chance that it will work on your system. Since the virus is from 2002, there is virtually no chance that it will run on your system. If a new version becomes available, you might need to worry.
  • The RST Virus is also from 2002 and also installs a backdoor. It, however, operates under normal ELF rules, making it virtually harmless to today's systems.
  • The Staog Virus was the first Linux virus, created in 1996. It used vulnerabilities which have long been patched. It cannot harm you.
  • The VIT Virus is another ELF virus, this time from 2000. Since Ubuntu didn't exist seven years ago, you won't be running a system that old and won't be infected.
  • The Winter Virus is also from 2000 and is the smallest known Linux virus. It suffers from the same problems as all ELF viruses.
  • The Lindose Virus is another proof-of-concept virus, showing how a virus can be constructed to infect both Windows and Linux computers. It has never been seen in the wild. From 2001.
  • The ZipWorm Virus passes by infection of .zip files. When run, the virus infects all other .zip files in the directory. It has no other ill effects. From 2001, it is unlikely you'll ever run across it.
That's the entire list of Linux viruses and worms. Fewer than thirty. Compare that to the estimated 140,000 viruses for Windows, and you'll understand why people say you don't need a virus scanner on Linux.

The Reality
If you are going to trade files in a Windows world, you'll need to scan those files for viruses. You won't get infected, but you may help infect someone else. There are two ways to do this:
  1. Run all the files through a server which checks for you. GMail, Yahoo mail, and Hotmail all have wonderful checking software.
  2. Check the files for viruses yourself. You'll need to go to System -> Administration -> Synaptic Package Manager and search for avscan. Install the package. It won't appear in the menu. Run it by pressing Alt-F2, typing avscan, and pressing Run.

You can now scan files (or your entire system) for viruses and worms.
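As an added example (not part of the original post), here is a small Python script for the point made about Alaeda and Binom above: a same-directory ELF infector has nothing to do unless there are binaries in your home folder, so this walks a directory, reports every ELF file it finds, and flags any that are world-writable. It uses only the standard library; the sample directory built by build_sample_tree() is constructed for illustration.

```python
"""Inventory ELF binaries under a directory tree (added example)."""
import os
import stat
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def elf_inventory(root):
    """Return sorted (path, world_writable) pairs for every ELF file under root.

    Symlinks are skipped so a link into /usr/bin is not reported as a
    binary living in the home folder. A world-writable binary is the
    worst case for a file infector, since any local account can alter it.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_elf(path):
                continue
            mode = os.stat(path).st_mode
            found.append((path, bool(mode & stat.S_IWOTH)))
    return sorted(found)


def build_sample_tree():
    """Construct a throwaway directory with one fake ELF file and one text file."""
    root = tempfile.mkdtemp(prefix="elfscan-")
    fake_elf = os.path.join(root, "tool")
    with open(fake_elf, "wb") as f:
        f.write(ELF_MAGIC + b"\x00" * 60)  # header bytes only, not a real program
    os.chmod(fake_elf, 0o777)  # deliberately world-writable for the demo
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("plain text, not a binary\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, world_writable in elf_inventory(target):
        print(("WORLD-WRITABLE " if world_writable else "") + path)
```

Run it with no argument to inventory your own home folder; an empty listing is what the post expects for a non-programming desktop user.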


Zexy said...

Nice rundown on the virus list. Here's a link to the Ubuntu forums with more info regarding antivirus scanners. I'm sure some people coming from Windoze will feel more comfortable with a scanner. It should also be noted that Ubuntu comes with IPtables (firewall software) and they can use Firestarter for a graphic front end to configure it. Just search "firestarter" over at the Ubuntu forums and I'm sure you will find some discussion on the subject.


A firewall is not important for most Ubuntu users because the stock install only comes with Avahi (called Multicast DNS Service Discovery in the Services dialog) listening on any port. Cups (the printer server) and GDM (the login manager) are on, but not listening by default. Linux is not Windows, and every service can be turned off if a user wants.

Since there are no services listening, there is no need for a firewall.

Advanced users of web servers, print servers, and the like will (should) know about how to protect their systems.

sbt said...

"Advanced users of web servers, print servers, and the like will (should) know about how to protect their systems"

one reason for killing xp services is to free up ram.

regarding open ports, are 'services' in xp the same type critters as 'services' in nix?
