The myths about malware in Unix / Linux

Is it possible for my Linux box to become infected with a malware?

I haven’t heard of it happening to anyone I know, and I’ve heard quite a few times that it isn’t possible. Is that true?

If so, what’s up with Linux Anti-Virus (security) software?

Asked By: Stefan


Viruses for Linux are possible in principle and there have been some, however in the wild, there are no widespread Linux viruses. The Linux user base is pretty small and under Linux it is much harder for a virus to do much harm as the user model is pretty restrictive in contrast to e.g. Windows XP. Therefore virus authors normally target Windows.

There is Linux Anti-Virus software, e.g. from McAfee, but no Linux user I know uses such software. It is by far more important to install only software from trustworthy sources and keep your system always up to date by installing security updates in a timely manner.

Answered By: fschmitt

As a historical note, the first Internet worm, the Morris Worm, spread through vulnerabilities in Unix utilities. It predates Linux, but shows that it is possible for Unix based systems to be infected.

Answered By: KeithB

First, it’s certainly possible to have viruses under Unix and Unix-like operating systems such as Linux. The inventor of the term computer virus, Fred Cohen, did his first experiments under 4.3BSD. A How-To document exists for writing Linux viruses, although it looks like it hasn’t had an update since 2003.

Second, source code for sh-script computer viruses has floated around for better than 20 years. See Tom Duff’s 1988 paper, and Doug McIlroy’s 1988 paper. More recently, a platform-independent LaTeX virus got developed for a conference. It runs on Windows and Linux and *BSD. Naturally, its effects are worse under Windows…

Third, a handful of real, live computer viruses for (at least) Linux have appeared, although it’s not clear if more than 2 or 3 of these (RST.a and RST.b) ever got found “in the wild”.

So, the real question is not Can Linux/Unix/BSD contract computer viruses? but rather, Given how large the Linux desktop and server population is, why doesn’t that population have the kind of amazing plague of viruses that Windows attracts?

I suspect that the reason has something to do with the mild protection given by traditional Unix user/group/other discretionary protections, and the fractured software base that Linux supports. I mean, my server still runs Slackware 12.1, but with a custom-compiled kernel and lots of re-compiled packages. My desktop runs Arch, which is a rolling release. Even though they both run “Linux”, they don’t have much in common.

The state of viruses on Linux may actually be the normal equilibrium. The situation on Windows might be the “dragon king”, a really unusual situation. The Windows API is insanely baroque: Win32, the NT-native API, magic device names like LPT, CON, AUX that work from any directory, the ACLs that nobody understands, the tradition of single-user, nay, single root user, machines, marking files executable by using part of the file name (.exe). All of this probably contributes to the state of malware on Windows.

Answered By: user732

The simple answer is that no operating system is 100% secure, unless it reads itself from a read-only medium at startup.

However, Windows has more vectors for infections, those vectors are more readily accessible, and once infected can do much more harm. This can be readily seen by reading the “RootKit Arsenal” or other books.

The number of exploits on any machine is roughly proportional to (average gain for rooting one machine) * (number of machines) / (cost to create rooting malware).

Since the number of exploits is proportional to the number of computers it makes sense that the amount of malware is greater on Windows.

But it is stupid to assume that the only reason Windows has more viruses is because there are more computers running it. Note that in Linux getting infected with malware is much less costly than in Windows because the damage is more contained (conversely, the amount gained by one rooting is smaller). Note also that the cost of rooting is higher because of the reasons I mention in the first paragraph.

Keep in mind this is true as of now. At this point Linux is a better architected system than Windows. There are however forces saying that we need more rapid development of user-friendly features. This can lead to making it easier for bugs to exist and viruses to be created. Already I find Ubuntu to be almost as buggy as Windows.

Answered By: HandyGandy

In my opinion, there is one more reason, beside those mentioned in other answers, that the Linux platform does not have many viruses. The source code of almost all the components of Linux is freely available.

Say a team of 5 members develops an application. If we include testers and a few others in the list, at most 10 people will know the code. Out of these ten, chances are some will not have detailed enough knowledge of the code. Hence the number of people who know the code well enough to point out bugs and security holes is very small.

Now if this code is made free/open source, the pair of eyes that will review it increases drastically. Hence the probability of finding security holes also increases.

These new contributors bring their experience with them, and often fresh eyes are able to notice loopholes that the original developers ignored, took for granted or missed.

The more popular the application is, the more contributors it has. I think this freedom/openness contributes to the smaller number of vulnerabilities on the Linux platform.

Answered By: Andrew-Dufresne

It helps prevent the spread of viruses in Windows

Remember that Linux is used in many ways, such as file and email servers.

Files on these servers (MS Office files, Outlook messages, EXE programs) can be stored with an infection.

Even though they should not affect the servers themselves, one could configure the server to check every file at the moment it is stored, to make sure that it is clean and to prevent future spread when it is moved back to a Windows machine.

I myself have it installed for when a friend asks me to check why their Windows machine is not working, or for when I plug my pen drive into a Windows machine.

Answered By: lamcro

There are already good answers but I’d still like to contribute something.

Besides the simple security practices that are still better than Windows even after all this time, and all those viruses, I also believe the issues are largely social.

I believe that the main factor is the diversity of distros. This raises the labour involved in making sure that a virus has what it needs to spread. This, combined with the demographics of Linux users, who are not as likely (imho) to click on a dodgy email or generally put themselves at risk, means that the success of a virus is further inhibited.

People are also arguably more motivated to attack Windows.

Answered By: barrymac

While yes, there are a few viruses for Linux, you don’t need to worry too much about them. They are uncommon enough to likely miss you entirely.

What you can, and should worry about though, is worms. These programs, unlike viruses that usually take user interaction to infect, spread all by themselves between servers, exploiting vulnerabilities in services and platforms. Worms search for more servers to infect, install themselves on vulnerable machines and frequently modify their behavior – e.g. to serve viruses to visiting Windows clients.

Answered By: SF.

Other answers have provided good historical references for viruses on Unix and Linux. More contemporary examples include the “Windigo” and “Mayhem” malware campaigns. These have infected many thousands of systems. Mayhem has been reported to be using the Shellshock vulnerability to spread.

As for Linux malware detection software, you have both open source and commercial alternatives. The most effective, in my biased opinion, is Second Look. It uses memory forensics and integrity verification to detect Linux malware. I am a developer of Second Look.

Answered By: Andrew Tappert