Anti Virus and Ubuntu

Posted: October 3, 2011 in Random pontifications

Users migrating from Windows to Ubuntu are constantly asking, “Which is the best anti-virus for Ubuntu?” or, “Do I need anti-virus for Ubuntu?” The only constant is the replies that are given on support forums and IRC chat rooms. The basic consensus is that Ubuntu is more secure and isn’t plagued by malware like Windows is. Now, while that is true to an extent, I am hesitant to build any security model on the “honor system”: a system that says we don’t need anti-malware solutions because the bad guys aren’t targeting us. That sentence should actually read: “the bad guys aren’t targeting us today”.

Quite simply put, if malware developers were to decide tomorrow that they wanted to target the Linux or Ubuntu desktop user base, it wouldn’t be that hard. It’s really no different from targeting Windows; the only real difficulty is that memory addressing for vulnerable applications might change considerably across distributions. However, with the readily available supply of free open source software, modifying exploit code to work against a multi-distro environment really wouldn’t be all that difficult.

So what we are going to look at today is a typical Ubuntu 10.04.3 LTS install, fully updated, running no services. We are going to compromise it and install malware. Then we are going to see which (if any) of the three leading free anti-malware solutions can find and eliminate our malware. The three solutions we will be testing today are AVG Home Linux edition, Avast! Linux edition and the ever-popular ClamAV.

The Victim

As always, we have our victim set up. This is a standard desktop install of Ubuntu 10.04.3 LTS, fully updated, running no services; all applications are unmodified and downloaded from the repositories.

What this system looks like to an external attacker

What we’ve done here, quite simply, is to create a site that creates a shell by loading malicious JavaScript and injecting a payload. This is nothing new; in fact it’s pretty typical and is often called a “drive-by download”. This works under Ubuntu because our payload is crafted to work under Linux. Once we have the shell we are then free to do as we please (note that we are walking through this manually; all of this could be automated).

*Note: If we were using NoScript here the compromise would not have occurred.

Now our malware is installed. Again, this would normally be an automated process; however, we’re breaking it down to understand the different steps that occur here. Our malware is pretty simple in this case. It does only a few things: it keylogs so that we can capture credentials, and it opens a reverse shell and a bind shell. This allows the attacker to read the keylogs and escalate privileges once a password has been uncovered. The malware, being “trapped” in the home directory, persists by adding itself to the compromised user’s .bash_profile.

Now that we have installed our malware and we can see it’s working, we will try out the top three free anti-malware solutions for Linux/Ubuntu. They should find two files suspicious in nature: linuxmalware and libowned-4.0.0.so.
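The persistence mechanism described above (a payload dropped under a hidden directory in the user’s home and launched from .bash_profile) is something a defender can check for without any signatures, which is the kind of behaviour-based detection the scanners tested here did not perform. The script below is an added example, not code from the original post: it scans shell startup files for commands that execute binaries from hidden data-only directories such as .mozilla, or that point LD_PRELOAD at a shared object under the home directory. The sample .bash_profile, the /home/victim path, and the assumption that libowned-4.0.0.so would be loaded via LD_PRELOAD are all constructed for illustration; the post does not state how that library is loaded.

```python
import os
import re

# Constructed sample of a ~/.bash_profile modelled on the persistence technique the
# post describes: a hidden payload under the Firefox profile directory, started at
# login. Lines 6 and 7 are the constructed malicious entries; the rest is normal.
SAMPLE_BASH_PROFILE = """\
# ~/.bash_profile: executed by bash for login shells
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
export PATH="$HOME/bin:$PATH"
/home/victim/.mozilla/firefox/linuxmalware > /dev/null 2>&1 &
export LD_PRELOAD=/home/victim/.mozilla/firefox/libowned-4.0.0.so
"""

# Hidden directories that hold data, not programs. A login shell has no business
# launching executables from them. (List is an illustrative assumption.)
DATA_ONLY_HIDDEN_DIRS = (".mozilla", ".cache", ".config", ".local/share", ".thumbnails")

# Matches a path under the home directory that enters a hidden (dot) directory,
# written as /home/<user>/..., ~/... or $HOME/...; the captured group is the part
# after the home directory, up to the next shell metacharacter or whitespace.
PATH_RE = re.compile(r"(?:/home/[^/\s]+|~|\$HOME)/(\.[^\s;&|>]+)")

# Startup files bash and sh read for login and interactive shells.
STARTUP_FILES = (".bash_profile", ".bash_login", ".profile", ".bashrc")


def suspicious_profile_lines(text):
    """Return a list of (line_number, line, reason) for lines that look like persistence.

    Heuristics (behaviour, not signatures):
      1. a command is run from a hidden data-only directory under the home directory
      2. LD_PRELOAD is pointed at a shared object under such a directory
      3. such a command is backgrounded with a trailing '&'
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        hidden_path = m.group(1)
        if not any(hidden_path.startswith(d) for d in DATA_ONLY_HIDDEN_DIRS):
            continue  # e.g. sourcing ~/.bashrc is normal
        if "LD_PRELOAD" in line and hidden_path.endswith(".so"):
            findings.append((n, line, "LD_PRELOAD from hidden user directory"))
        elif line.endswith("&"):
            findings.append((n, line, "backgrounded executable in hidden data directory"))
        else:
            findings.append((n, line, "executable referenced in hidden data directory"))
    return findings


def scan_home(home=None):
    """Scan the real startup files of one user; returns {filename: findings}."""
    home = home or os.path.expanduser("~")
    report = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_profile_lines(fh.read())
            if hits:
                report[name] = hits
    return report


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the current user's own files.
    for n, line, reason in suspicious_profile_lines(SAMPLE_BASH_PROFILE):
        print(f"sample line {n}: {reason}: {line}")
    for name, hits in scan_home().items():
        for n, line, reason in hits:
            print(f"{name} line {n}: {reason}: {line}")
```

Run it as the user whose profile you want to inspect; anything it reports is a lead to investigate (check the referenced file with `ls -l` and `file`), not proof of compromise, since a legitimate tool installed into a hidden directory will trip the same heuristic. That trade-off between catching unknown persistence and raising false positives is exactly the one the comments below discuss.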

What this system looks like for us after the compromise

Avast!

So, I have the latest version of Avast! for Linux available, and I updated the definitions. I scanned our home folder, where our malicious files are stored (/home/.mozilla/firefox, to be precise). The result: Avast! found nothing wrong whatsoever.

AVG Anti-Virus

I would have liked to have gotten the results from AVG; however, the current version of AVG did not work when installed under Ubuntu 10.04.3 LTS, either from the .deb or compiled from source. If someone knows how to stop it from segfaulting on scan, please inform me. I would love to know if it detected this, as the Windows version does detect these files as malicious.

ClamAV

As we can see, ClamAV also did not find our files particularly malicious or interesting.

Conclusion

Seeing as none of our scanning engines detected a reverse shell, bind shell, or keylogger, we can pretty much say that the Ubuntu community is NOT properly prepared if malware authors DO start targeting our desktop systems. The past few years have seen marginal increases in Linux-based malware threats, and as the operating system becomes more popular in the home user space I’m sure it will begin to draw the attention of malware developers.

I keep harping on these points in my posts for two reasons. One, malware can be propagated in Linux the same way it can be in Windows; it just isn’t. Two, if it ever is, the Linux community will be unprepared for it. So the next time you’re arguing why mainstream developers don’t go near Linux, keep in mind that its security may be highly over-rated.

I also highly recommend that you use NoScript, since these types of attacks can very easily be targeted at the Ubuntu and Linux communities. The fact that they aren’t is sheer luck in my personal opinion.

Comments
  1. A.Y. Siu says:

    I love this test, but I would draw a different conclusion altogether—antivirus applications are basically useless and do not proactively protect you from new threats.

    The best thing you can do to protect yourself is run Firefox with NoScript and stick to installing only repository applications.

    • dangertux says:

      That was kind of my point. Honestly a proactive solution would be better, I would hate to see us all end up playing catch up like in the Windows world.

      EDIT: To clarify what I mean by a proactive solution is that Anti-Malware solutions CAN protect you from new threats. Keep in mind Anti Malware is monitoring what hits the hard drive. So via heuristics, matching behavior that is suspicious like key logging. You don’t have to know the exploit method to deem something malicious. This also does increase the risk of false positives though.

      Even IPS can monitor in a signature based manner, you’re not wanting to monitor based on the whole you are looking for actions that appear malicious. For instance, 4096xA being sent as user input is malicious (this is simplified). Just like keylogging is malicious in nature. Just a thought.

  2. Luigi says:

    Try NOD32 for Linux. Should be interesting to see if a “cross platform commercial anti virus is able or not to intercept your malware test”.

    • dangertux says:

      I am fairly certain it would: VirusTotal showed NOD32 detecting both files. I think my main concern is that the “free” solutions kind of stink in comparison to Windows alternatives. For instance, AVG actually RUNS on Windows 😛

      I have no doubt that most of the higher end solutions would find these rather easily (they were built on meterpreter and not encoded). My concern is that Linux solutions are so far behind the curve it’s not even funny.
