Linux.com


Myth Busting: Is Linux Immune to Viruses?

In a word, "no."

Any computer that is attached to a network is not immune to viruses. But, as with everything else, it's relative. If you compare the vulnerability of Linux to Windows, you can understand why so many say Linux is immune. But before we get into any myth busting, let's examine just what a computer virus is.

According to Wikipedia, a virus is "a computer program that can copy itself and infect a computer." That's a pretty broad description. Most people would want a more specific definition. That same Wikipedia page continues: "The term 'computer virus' is sometimes used as a catch-all phrase to include all types of malware, adware and spyware programs that do not have the reproductive ability." Now we're talking. So with the two definitions combined, you could say a computer virus is any type of malicious code or software that can either infect a computer and replicate/distribute itself, or a piece of malicious code or software that can be unwittingly distributed via numerous electronic means.

Means to an End

Computer viruses can be transmitted in many ways, such as:

  • Email attachments.

  • Malicious URLs.

  • Within applications (such as browser add-ons).

  • Rootkits.

It will be my attempt, in this article, to show you that although it is very challenging for a virus to infect a Linux machine, that does not mean you should be without protection.

Email Attachments

Why are email attachments not so dangerous in Linux? Well, generally speaking, it is because nearly all malicious email attachments target Windows machines. When you get those suspect attachments they are usually in the form of .exe or .zip files (the .zip files containing malicious .exe executable code). When you click on an .exe file in Linux, your machine will not really know what to do with it (unless you have Wine installed).

But say that attachment has targeted Linux machines and is in the form of, say, a .deb, .rpm, or .bin file: what then? Those types of files can be installed on Linux machines. Well, first and foremost, if the file is in .deb format and you are using an RPM-based system, nothing will happen. If, however, you receive an email with a .rpm attachment and you're using an RPM-based system, what happens? It will ask you for either your root or your sudo password (depending on your security model).

What would be the proper reaction to this? To not proceed. The difference between this model and the traditional Windows model is that when you double click on that attachment in Windows, the installation can proceed without your intervention. In certain instances there is no "sanity" check. Click and BOOM the virus has installed itself and you are infected.

Now naturally, if you are using a Windows machine, you are taking advantage of an anti-virus solution to prevent such issues from arising. What about Linux? Do you need an anti-virus for Linux? You might be surprised when I say "Yes!" But why? If Linux is so much more immune to viruses, why should you employ a virus scanner?

Let me ask you a simple question: Have you ever forwarded anything with attachments to another user? If so, is that user a Windows user? If so, you could very well have given that attachment a chance at a successful infection. So why not add a virus scan to your Linux system to avoid such an issue?

And if you manage your own email server (such as a Postfix or Sendmail server) on a Linux machine, anti-virus scanning is a must-have. Just because your email server is a Linux machine does not mean an email containing a virus is non-lethal. That email-strapped virus could easily make its way to a Windows machine where it will happily begin its infectious life.

To that end, you owe it to yourself to install an anti-virus such as ClamAV.
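As an added example (not code from the article or from the ClamAV project), here is a small script that scans a directory of saved attachments with clamscan before anything in it is forwarded on. It relies on two documented clamscan behaviours: each hit is reported as "<path>: <signature> FOUND", and the exit status is 0 when clean, 1 when something was found and 2 on error. The directory path in the usage line and the signature names in comments are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Check saved attachments with ClamAV before they are passed on to anyone.
# clamscan reports each hit as "<path>: <signature> FOUND" and exits 0 when
# clean, 1 when something was found and 2 on error; both facts are used below.

# Reduce a clamscan report (read from stdin) to "path<TAB>signature" lines,
# one per hit. Lines ending in ": OK" (printed without -i) are ignored.
parse_clam_report() {
    awk '/ FOUND$/ {
        line = $0; sub(/ FOUND$/, "", line)
        i = match(line, /: [^:]*$/)      # the last ": " splits path from signature
        print substr(line, 1, i - 1) "\t" substr(line, i + 2)
    }'
}

# Number of infected files in a report read from stdin
count_hits() { parse_clam_report | wc -l | tr -d ' '; }

# Scan a directory recursively and return clamscan's own exit status, so a
# caller (a mail filter, a cron job) can refuse to forward when it is non-zero.
scan_attachments() {
    local dir="$1" report status
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan is not installed" >&2; return 2; }
    # -r: recurse, -i: list only infected files, --no-summary: no trailing totals
    report=$(clamscan -r -i --no-summary "$dir") && status=0 || status=$?
    case $status in
        0) echo "clean: $dir" ;;
        1) echo "infected files under $dir:"; printf '%s\n' "$report" | parse_clam_report ;;
        *) echo "clamscan failed with status $status" >&2 ;;
    esac
    return "$status"
}

# Usage (assumed path): refuse to forward the folder unless the scan comes back clean
# scan_attachments "$HOME/attachments" || echo "do not forward these"
```

The parser is separated from the scan so that the same logic can be applied to a report saved by a mail-server scanner, and the wrapper deliberately passes clamscan's exit status through rather than collapsing "error" into "clean".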

Malicious URLs

I have yet to come across a URL that has done any direct damage to a Linux machine. But harmful URLs are not the only type of malicious URLs. One type of URL is a spoofed address. A spoofed address is a malicious address that masquerades itself as a safe address. These can be in the form of a fake bank account login screen, or a PayPal login. Any number of addresses can be spoofed. And any address that requires you to log in with credentials is dangerous when spoofed.

Do these types of threats directly affect the Linux operating system? No, but they do affect the user. Fortunately most modern browsers have add-ons to protect your browsing experience. These should not be neglected just because you are using Linux. A good sampling of Firefox add-ons can be found in the Firefox Security Add-on page.

Application Danger

Because Linux is open source, you cannot trust every piece of software out there. You can, however, trust all software that is distributed by your distribution's OFFICIAL channels. For example, any software officially supported within the Ubuntu Software Center will be safe. Once you venture outside of the realm of the "Officially Supported," you risk installing malicious software.

That is not to say you should not trust any software not provided through the official channels of your distribution. Because Linux is open source, software is generally under a lot of peer scrutiny. No one wants to be known as the coder that created malicious Linux software.

But if you are of the paranoid persuasion, as long as you stick with software supported by your distribution, you should avoid installing any malicious code on your machine.

I will warn you, though, there was a proof of concept virus for Linux that took advantage of both GNOME and KDE launchers. This code could be added to either the ~/.config/autostart folder (for GNOME) or ~/.kde/Autostart (for KDE). Anyone really paranoid (using either GNOME or KDE) could create a bash script to search for, and delete, any suspicious files (or links) in that directory. Just be careful writing that script so that you do not delete anything important.
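The script the paragraph above invites, written here as an added example (it is not from the article or from GNOME or KDE). It audits the two autostart directories rather than deleting from them, which sidesteps the "do not delete anything important" problem: every entry is printed with the command it launches, and heuristic flags mark entries that deserve a look (hidden file names, symlinks, programs run from temporary or hidden directories, raw scripts in KDE's Autostart). The flag names and the example paths are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Audit, rather than delete, the desktop autostart entries of the current user.
# Prints one tab-separated line per entry: file, command, warning flags.
# The flags are review heuristics, not verdicts; nothing is removed.

audit_autostart_dir() {
    # $1: directory to audit, e.g. "$HOME/.config/autostart" or "$HOME/.kde/Autostart"
    local dir="$1" f cmd prog flags
    [ -d "$dir" ] || return 0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched glob patterns
        flags=""
        # A symlink is fine in itself, but its target is what actually runs
        [ -L "$f" ] && flags="$flags symlink->$(readlink "$f")"
        # Dot-files do not show up in a plain "ls" of the directory
        case "$(basename "$f")" in .*) flags="$flags hidden-name" ;; esac
        case "$f" in
            *.desktop)
                # The Exec= key holds the command the session will launch
                cmd=$(grep -m1 '^Exec=' "$f" 2>/dev/null || true); cmd=${cmd#Exec=} ;;
            *)
                # KDE's Autostart directory also runs plain scripts placed there
                cmd="(script) $f"; flags="$flags not-desktop-file" ;;
        esac
        prog=${cmd%% *}          # first word: the program that gets executed
        case "$prog" in
            /tmp/*|/var/tmp/*|/dev/shm/*) flags="$flags runs-from-tmp" ;;
            */.[!.]*/*)                   flags="$flags runs-from-hidden-dir" ;;
        esac
        printf '%s\t%s\t%s\n' "$f" "$cmd" "${flags# }"
    done
}

# Only the entries that raised at least one flag, for manual review
flagged_autostart_entries() {
    audit_autostart_dir "$1" | awk -F'\t' '$3 != ""'
}

# Usage: review both locations the article mentions, then decide by hand
# flagged_autostart_entries "$HOME/.config/autostart"
# flagged_autostart_entries "$HOME/.kde/Autostart"
```

Reporting instead of removing is the design choice here: a legitimate launcher such as a network applet produces a line with no flags, while an entry whose Exec= points into /tmp or a hidden directory is surfaced for the user to inspect before anything is touched.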

Got Root?

Rootkits are the real danger. A rootkit is a system of malicious software designed to conceal itself such that the user has no idea it was installed and is running. I have been a victim of a rootkit (long ago) and strongly suggest the addition of the rkhunter tool. In fact, when installing a new Linux system, rkhunter is one of the first tools I add. And as soon as it is added, it is used.

Rootkits are those nasty pieces of software that once installed are really difficult (if not impossible) to remove. And some rootkits are so bad they compromise your system such that you cannot recover. And if you're wondering how many rootkits are out there, install rkhunter, run it, and see how many rootkits it checks for. You will be surprised. And rootkits do not just attack servers. I have seen desktop machines infected with rootkits. This is especially true if your Linux machine lives on a static IP address with no firewall protection between it and the outside world.

Final Thoughts

So, what do you think? Is Linux immune to viruses? I hope your answer is "no." That answer, and the prevention it inspires, will keep your Linux machine virus free for years to come. Personally, I have used Linux for twelve years and not had a virus or any malicious software on any of my personal machines or servers. If you are cautious like me, you too can enjoy virus-free computing for years. But if you fall into the trap of believing that Linux is perfectly immune to viruses, you very well might fall victim to that naivety.

Comments

  • zolar1 Said:

    Linux is immune to all 'WINDOWS' malware. Since the vast majority of Linux distros make the user use the OS as a user and not the admin or root user, it is quite difficult to install any malware without entering the root password. Running a distro from a live environment is immune to all malware of any kind. Just restart and it is like nothing happened since everything is erased on restart.

  • Steve Said:

    Not always. The new Ubuntu live USB saves info from the last time it was used.

  • Alex Said:

    You are correct, however this type of device wouldn't be called "live" since it saves everything, it's called "persistent".

  • Joart Said:

    In fact, ClamAV is an anti-Windows-virus program. That is, if your mail server serves Windows machines; it's not a Linux question. There are, as far as I've seen, no anti-virus programs for Linux viruses. No real viruses exist. There are some trojans, but in fact, if we talk servers without GUI, I never heard of any viruses. There are rootkits and exploits, yes. But that is a security question of another type: to secure software and don't use the root password.

  • Brandon Rinebold Said:

    TLDR: They're not really *immune*, they're just mostly servers and don't do any of the stuff that opens them up for infections. That leaves a number of desktops so small that they're not worth writing a virus for. Not to say they're common but they DO exist. There is nothing inherently more secure anymore about Linux when it comes to infection vectors. The only thing really holding back Linux viruses is that it's simply not worth writing a virus payload for the number of Linux desktops out there. Linux servers, on the other hand, naturally avoid almost all currently popular infection vectors by virtue of just being servers and not using their web browser and having a competent firewall in place much as Windows and Mac servers do.

    Viruses (42) [25][26]: Arches [27]; Alaeda - Virus.Linux.Alaeda [28]; Bad Bunny - Perl.Badbunny [6][29]; Binom - Linux/Binom [30]; Bliss - requires root privileges; Brundle [31]; Bukowski [32]; Caveat [33][34]; Coin [35][36]; Diesel - Virus.Linux.Diesel.962 [37]; Hasher [38][39]; Kagob a - Virus.Linux.Kagob.a [40]; Kagob b - Virus.Linux.Kagob.b [41]; Lacrimae (aka Crimea) [42][43]; MetaPHOR (also known as Simile) [44]; Nuxbee - Virus.Linux.Nuxbee.1403 [45]; OSF.8759; PiLoT [46][47]; Podloso - Linux.Podloso (The iPod virus) [48][49]; RELx [50]; Rike - Virus.Linux.Rike.1627 [51]; RST - Virus.Linux.RST.a [52] (known for infecting Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005 [53]); Satyr - Virus.Linux.Satyr.a [54]; Staog - obsoleted by updates; Vit - Virus.Linux.Vit.4096 [55]; Winter - Virus.Linux.Winter.341 [56]; Winux (also known as Lindose and PEElf) [57]; Wit virus [58]; ZipWorm - Virus.Linux.ZipWorm [59]

    Worms: Adm - Net-Worm.Linux.Adm [60]; Adore [61]; Cheese - Net-Worm.Linux.Cheese [62]; Devnull; Kork [63]; Linux/Lion; Linux/Lupper.worm [64]; Mighty - Net-Worm.Linux.Mighty [65]; Millen - Linux.Millen.Worm [66]; Ramen worm - targeted only Red Hat Linux distributions versions 6.2 and 7.0; Slapper [67]; SSH Bruteforce [68]

  • imec Said:

    From what I've gathered over the years, it seems as though Linux is only vulnerable to Trojans, whereas Windows can get infected from all sorts of nasty exploits even when you've never given permission to a program to run on your computer. In fact, I'd say that 90%+ of the viruses that I've ever gotten were from general browsing, not executable; there's no way to do a "sanity check" when everything is coming through the back door. Case in point: I use NoScript religiously, install an AV and disable Java without exception first thing on every Windows install. Can't say that I've ever felt the need to do so with Linux (although I do make sure to keep my Cookies in check). Also, Brandon, to say that Linux has as many infection vectors as Windows is just plain drivel. The permissions system in Linux/Unix is a HUGE roadblock for virus makers. Oh and I can pull stuff from Wikipedia as well: "[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen."

  • Brandon Rinebold Said:

    You're as bad as the 'Macs don't get viruses' people, assuming because something doesn't happen that it must be impossible because of some magic in that system. Flash and Java still provide out-of-cycle security updates on Linux. If the flaws only affected Windows, they wouldn't need to do so until the next scheduled feature update. You're being protected by the fact that you're not worth the effort to target. Java droppers execute on Linux systems every day and are stopped by something as simple as there being no %appdata% folder on your Linux machine for the dropper to save its payload to. If the malware writer bothered to write a payload for Linux and a bit of code to try to download it to somewhere that actually exists and add it to your user's startup scripts instead of the Windows registry, you'd be just as infected as the Windows user it was built for. It's not your permissions system that sets you apart anymore, it's your users (and lack of). Windows picked up a convenient equivalent to sudo with Windows Vista and has been capable of running as a limited user and using 'runas' for over a decade. This drivel, as you call it, is truth. Windows has more or less caught up in terms of actual security. Linux had a huge lead for a long time in that area. Your claims were perfectly valid up until about 2003-2005. XP offers an equivalent file permissions system if users are willing to use limited accounts for daily use. Vista made sudo the default.

  • minas Said:

    You clearly don't know what you are talking about. "You're being protected by the fact that you're not worth the effort to target." This is the most stupid answer people give. I don't think these companies are not worth the effort to target. http://wiki.answers.com/Q/What_companies_use_Linux_or_Unix Most big companies use Linux; it IS worth it for viruses to target Linux. Yet Linux is more secure than Windows. This means something.

  • Brandon Rinebold Said:

    Let me clarify: only *Desktop Linux* benefits from security by obscurity (since you seem to be shoving those words into my mouth repeatedly as if I were applying them to all Linux systems). Servers, whether Linux or Windows, benefit from security by... well... not letting stupid people log in to browse the Internet while executing miscellaneous scripts automatically and firewalling all nonessential traffic. Desktops are, as a general rule, the almost universal targets of malware. Linux desktops aren't worth the effort to target because they're too uncommon. Servers might be worth compromising but malware isn't an efficient mechanism for doing so because since they're not browsing the Internet, you have to find a security flaw in an internet-exposed service. If you found a flaw in said service, you can most likely export any information in the application it is associated with but you're unlikely to be able to get it to install anything for you since the service should be running with limited permissions. Therefore.. say it with me... you don't see Linux malware because you don't see Linux desktops. It's not magic and it's not immunity, it's just an interaction between the use-cases of Linux and the business decisions of malware writers.

  • Rob Said:

    The conversation is interesting in the fact that it always comes to the question of whether Linux is better than Windows. This was NOT the question; the question IS whether you need antivirus software on Linux, and I say yes, since even if the specific virus can't infect the Linux host system, it could be a storage point for the virus, so that when a machine such as a Windows machine logs on to that machine it could get infected. And where did you get the virus from? The Linux machine, even if it was just stored there and not virus-scanned on that machine.

  • Toqeer Said:

    For example, if somebody wants to trace any type of my computer data with a virus, can he do it? Please tell me.

  • Piece_o_Ham Said:

    There are two reasons why I still feel that Linux is more secure, with number one being that Windows machines often have multiple administrators, whereas on Linux you never actually (are supposed to) run as the root user (I believe some systems don't even let you), meaning that you must put in your password each time you install something, which can make you consider what you are doing a little more. I feel that the "This program needs administrative privileges" warning has become meaningless. The second reason is that Linux updates are usually a lot easier to install and occur more frequently, so if there is a security flaw, it may be fixed by next week. In the end however, you should use whatever OS suits you best regardless of what other people think. And for me that OS would have to be Linux.

  • Maxamoto Said:

    http://en.wikipedia.org/wiki/Linux_malware There, that should put the argument to rest.

  • Herbie Said:

    The enemy's greatest weapon... COMPLACENCY.

  • Ole Juul Said:

    I don't think complacency is the worst of it. Trust is. I can't imagine why anybody would be trusting enough to hand over administration to someone else. If I were to see "This program needs administrative privileges", I'd dismiss it in a blink. That would be like an employee telling the bank manager that they need the combination to the vault. As that manager, I'd just look at them and say: "no you don't." - and then promptly fire them for asking.

  • Mike Said:

    So after reading all of these posts, why not just run an AV/rkhunter to have an insurance policy? Seems pretty harmless, like doing an oil change a little sooner. Does Linux, specifically Kali, use any optimizers or registry cleaners? Is it necessary? Because I have noticed a slowdown on my laptop; I do clear the cookies.

  • Ole Juul Said:

    You may not realize it Mike, but we can tell that you're not running Linux. :) Nice troll though.

