Linux Format

the only Linux antivirus…

Your desktop might not need it, but Linux has antivirus software too.


Many of the popular Windows antivirus programs have a Linux equivalent (Sophos, ESET NOD32, Comodo, F-PROT). But more often than not these do little more than scan for signatures of Windows viruses. This doesn’t mean they should be disregarded outright; if you use Wine to run Windows programs then you could inadvertently use it to run Windows malware. Also, if you run an email server then it’s absolutely in your interests to scan incoming messages for Windows threats. Even if you don’t, maybe you’d rather know if that file you can’t remember downloading contains a Windows nasty, and maybe you’d feel safer scanning it from Linux.

We’re going to look at what appears to be the only open source antivirus software, Clamav. We actually looked at this way, way back in LXF131 and to be honest, barring a higher version number, it hasn’t changed that much. The Ubuntu 19.04 repositories include a nearly up-to-date version of Clamav (0.100.3 versus the 0.101.2 available on its website). Older versions of the program are available for previous Ubuntu releases, or you can compile it yourself if you’re feeling brave – the PPA no longer exists. Generally speaking you’re fine with an older version since it will still download up-to-date definitions. Installation is just a matter of:

$ sudo apt update

$ sudo apt install clamav

The core of Clamav features three main components:

clamscan – a command line tool for scanning files and directories.

clamd – a daemon that runs in the background allowing files to be scanned on access.

freshclam – a tool to update the virus signature database.

The daemon is included in a separate package, so if you’re not interested in on-access scanning (which may slow down your system or use lots of memory), don’t follow up with:

$ sudo apt install clamav-daemon

You can run:

$ sudo freshclam

manually to update the database, but a systemd service file is provided to do this automatically. As it turns out, if you try to run that command while the freshclam service is running, you’ll get an error because the service holds the database lock. Said service can be stopped with the command:

$ sudo systemctl stop clamav-freshclam

This may be of interest for people that want to set up a cron job (in the spirit of LXF131). Meanwhile, let’s get on with testing our glorious antivirus. We’ll download the EICAR test file, which contains a (harmless!) signature that Clamav ought to recognise:

$ wget https://www.eicar.org/download/eicar.com.txt

$ clamscan eicar.com.txt

You should see output matching the screenshot (see top right). For general on-demand use, you can just call clamscan with the file(s) or directories you’d like to scan. For delving into directories, or entire filesystems, use the command:

$ clamscan --recursive /
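The steps above (refresh the signatures, test detection with EICAR, scan on demand) as a small cron-style wrapper script. This is an added example, not code from the article or from the ClamAV project; the log path, the script name and the 68-byte EICAR string written inline are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article): a cron-style wrapper around the clamscan
# and freshclam commands. Exit codes follow clamscan's documented convention:
# 0 nothing found, 1 something infected, 2 an error occurred.

# Write the 68-byte EICAR test string to the file named in $1. It is harmless by
# design and every scanner is expected to flag it, which makes it a safe smoke
# test that signatures are loaded and detection actually fires.
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Translate a clamscan exit status into a word a log or monitoring check can key on.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Update signatures by hand. The clamav-freshclam service holds the database
# lock, so (as the article notes) stop it first and start it again afterwards.
refresh_signatures() {
    [ "$(id -u)" -eq 0 ] || { echo "not root, skipping signature update" >&2; return 0; }
    systemctl stop clamav-freshclam
    freshclam; rc=$?
    systemctl start clamav-freshclam
    return "$rc"
}

# Recursively scan $1, appending only infected files to the log in $2 (an
# assumed default path), and print the verdict. Prints "skipped" if clamscan
# is not installed, so the same script is safe to drop on any box.
scan_path() {
    path=$1; log=${2:-/var/log/clamscan-cron.log}
    command -v clamscan >/dev/null 2>&1 || { echo skipped; return 0; }
    clamscan --recursive --infected --no-summary "$path" >>"$log" 2>&1
    scan_verdict $?
}

# Usage from cron: sh clamscan-cron.sh /home   (no argument: define functions only)
if [ $# -gt 0 ]; then
    refresh_signatures
    echo "$(date) $1 $(scan_path "$1")"
fi
```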

If you’re feeling paranoid, a number of third-party signatures can be downloaded from the repository at https://github.com/extremeshok/clamav-unofficial-sigs. These come from various sources (including the Linux-focused Linux Malware Detect, another open source malware scanner), and will increase the chances of false positives, but may also increase your peace of mind.

Windows anti-malware programs are characterised by over-the-top GUIs and paranoid ‘Threat Detected’ klaxons. Clamtk is a graphical interface to Clamav, but it is much more reserved in its appearance. It comes in its own package, clamtk, and can also be found in the Ubuntu Software Centre. There are also dedicated Linux programs, a couple of which deserve a mention here, if only because they’ve been around for a long time: rkhunter and chkrootkit. These are command-line tools for the detection of rootkits and other nasties.

secure your servers

Linux servers offer a much more juicy target than Linux desktops, and potentially are more useful than taking over a Windows desktop machine too. There are a lot of Linux servers on the internet, many of them housing considerable computing power and attached to very fat pipes. So they’re ideal targets for cryptojacking attacks or turning into spam-spewing zombies.

Such machines may never be turned off and only rarely rebooted, so if compromised they can be used in long-running attacks. It’s quite inconvenient for a hacker if the machine they’ve compromised suddenly disappears or changes IP address as home machines are wont to do. Sadly, a lot of the Linux servers on the internet live a life of neglect. Deprived of regular updates, they become sitting ducks for script kiddies who have got their grubby paws on the latest weaponised proof of concept code.

System administrators can be socially engineered into giving up passwords or running dodgy programs in the same way as home users can (although they should feel ashamed when they do), but another avenue is to attack the services running on their servers. The open source software that powers popular websites – Apache, Drupal, PHP, MySQL, WordPress and pretty much anything else you could care to name – has at some stage suffered from some kind of vulnerability. So has other software found commonly on Linux boxes; vulnerabilities in OpenSSH and Bash led to more than their fair share of sysadmin hair loss when the Heartbleed and Shellshock vulnerabilities struck in 2015 and 2014.

Besides conventional Linux servers, the burgeoning world of the Internet of Things offers a new kind of (often) Linux-based target. This situation is in some ways opposite to hijacking a server. To an attacker, the server is a single, powerful machine. However, if an attacker finds a vulnerability in, say, a popular brand of home security camera, then they can – through the magic of services like www.shodan.io, a search engine for servers and IoT devices – find and take over a sizeable army of these (not very powerful) things. Collectively, they might have a considerable amount of computing power (hello Bitcoins!–ed) or bandwidth which is now at the attacker’s disposal.

This is precisely how the Mirai botnet was able to launch a huge DDoS (Distributed Denial of Service) attack against DNS provider Dyn, causing major websites to disappear from the internet in 2016. Mirai (see interview LXF244) was able to become so large because so many devices run an easy-to-find telnet server with well-known, often hardcoded, username and password combinations. The Mirai source code is easy to find online, and new variants of it are still appearing today. In 2017 one was spotted infecting Huawei routers. In 2018, one, known as Satori, even attacked cryptocurrency mining operations through a vulnerability in the popular Claymore’s Miner software, interfering with payment addresses for nefarious profit.

If security-conscious people had their way, IoT devices would never ship with default credentials, but it seems marketing people have got their way. Coming up with new credentials before you can use your fancy internet-enabled fridgecam (or whatever) is, it would seem, deemed user-unfriendly. It’s well worth going out of your way to change any default passwords on webcams, routers, NAS devices and the like.

For devices where these things are hardcoded, the device should be firewalled so that it’s not accessible from the outside world – or possibly taken back to the shop. It’s also worth running a port scan on your network to see what services are running on what devices. Our favourite tool for this purpose is Nmap, which you can find in all good repos, and which will tell you all about your network with something like:

$ sudo nmap 192.168.0.*

Running it as root thusly allows Nmap to identify devices through MAC descriptors.
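To turn a scan like the one above into the short list a defender actually wants (which devices on the LAN still answer on telnet, the service the Mirai variants described earlier go looking for), here is an added example that parses Nmap’s greppable output format. It is not code from the article or from the Nmap project; the sample output, the host names and the script name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): reduce nmap's greppable output (-oG) to
# the hosts that have a given TCP port open, e.g. "who on my LAN exposes telnet?"

# Constructed sample of 'nmap -oG -' output; not captured from a real network.
# Real output separates the fields with tabs; the parser does not depend on that.
SAMPLE_NMAP_OG='# Nmap 7.70 scan initiated as: nmap -oG - 192.168.0.*
Host: 192.168.0.1 (router.lan)  Status: Up
Host: 192.168.0.1 (router.lan)  Ports: 23/open/tcp//telnet///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 192.168.0.20 (nas.lan)    Ports: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///  Ignored State: closed (998)
Host: 192.168.0.42 (cam.lan)    Ports: 23/open/tcp//telnet///, 2323/open/tcp//3d-nfsd///  Ignored State: filtered (998)
Host: 192.168.0.99 ()   Ports: 23/closed/tcp//telnet///, 80/open/tcp//http///   Ignored State: filtered (998)
# Nmap done: 4 IP addresses (4 hosts up) scanned'

# Read -oG lines on stdin and print the address of every host with TCP port $1 open.
# The leading [ ,] stops "2323/open" from matching when asked about port 23.
hosts_with_open_port() {
    awk -v p="$1" '/Ports:/ && $0 ~ ("[ ,]" p "/open/tcp") { print $2 }'
}

# One-line summary for port $1: how many hosts expose it, and which ones.
exposure_report() {
    port=$1
    hosts=$(hosts_with_open_port "$port")
    set -- $hosts    # word-split the address list so $# counts it
    echo "port $port open on $# host(s): $*"
}

# Usage: sudo nmap -oG - 192.168.0.* | sh telnet-check.sh 23
# Without an argument, run the parser over the built-in sample instead.
if [ $# -gt 0 ]; then
    exposure_report "$1"
else
    printf '%s\n' "$SAMPLE_NMAP_OG" | exposure_report 23
fi
```

Any host listed for port 23 is a candidate for a password change, a firewall rule, or the trip back to the shop mentioned above.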

Screenshot: Clamtk can be found in the all-providing Ubuntu Software Centre.

Screenshot: A verified European Institute for Computer Antivirus Research (EICAR) test signature.
