[Rustington] Linux Malware Is On The Rise?
Stuart McFadyen
stuart.624mcfadyen at btinternet.com
Mon Mar 7 16:28:57 UTC 2022
Linux malware is on the rise. What should you do?
By Sandra Henry-Stocker
Threats to Linux systems used to be relatively mild because Windows was
such a much larger target, outnumbering Linux systems by a huge margin.
Not any longer. Linux has become a much bigger target due to its
increasingly significant role on Internet of Things (IoT) devices,
virtual machines, containers, cloud services, and supercomputers.
To put this into perspective, Linux now runs on more than 70% of IoT
devices. It also accounts for something like 90% of cloud infrastructure
and runs on every one of the top 500 supercomputers. Given Linux's
prominence in these areas, it has become a lucrative target for many
types of cybercrime.
Some recent cybercriminal activity has shown that IoT devices can be
recruited to participate in attacks, even if the commands they can run
are severely limited. Just a handful of essential functions can be
enough to turn IoT devices into a powerful force for conducting
distributed denial of service (DDoS) attacks.
In addition, cybercriminals are going after both Linux servers and cloud
infrastructure to launch ransomware, cryptojacking (unauthorized use of
devices such as computers, tablets, and smartphones to mine for
cryptocurrency), and other types of attacks.
We can't say that attackers are shifting from Windows to Linux in
droves, but we are seeing a significant increase in attacks on Linux.
In 2021 alone, Linux malware events rose by 35%.
How does this impact Linux PCs?
The Linux PC in your home or on your desk at work won't fit into many of
the categories mentioned above — IoT, virtual system, cloud, etc. But it
could still be more at risk than it was in the past because a good
portion of cybercriminals' attention is drifting over to Linux in its many
forms. With threats rising, Linux developers are already taking a much
more serious look at all aspects of security.
There are many free and open-source tools you can use to address a
variety of threats on your Linux system, and many things you can do to
help keep your system safe from attack.
One of the places to start is by following a set of good security
practices. Some rules of thumb for guarding the security of your Linux
system include:
1. Install only the tools that you need. Unneeded software is just
another potential risk.
2. Disable *login as root* and use *sudo* instead when you need to use
root privileges. On top of that, use root authority only when you
really need it. Mistyping a command as root will have far greater
consequences than mistyping a command as a normal user.
3. Require good passwords of yourself and other users. Standard
guidance applies — longer passwords, upper- and lowercase letters,
digits, special characters.
4. Protect your passwords and make sure they are only stored in
encrypted form.
5. Use a firewall (e.g., firewalld or UFW) to reduce your system's
external profile. Only those ports that require access from outside
the system should be accessible from outside the system.
6. Configure user accounts with good security settings (permissions,
etc.). Use groups only if users need to share files.
7. Review account security and privileges from time to time. Close
accounts that are no longer active or needed.
8. Do regular backups so that you can always recover important files
that might be deleted or corrupted.
9. Install updates on a regular basis. You can't take advantage of
frequent security fixes if you don't apply the updates.
You should also choose your browser wisely and be smart about the sites
that you visit.
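Two of the rules above (2, no direct root login; 4, password hashes kept only in encrypted form, i.e. in /etc/shadow rather than the world-readable /etc/passwd) can be checked with a few lines of shell. The script below is an added example, not part of the original post or article; it takes the files to inspect as arguments so it can be run against copies or constructed samples, and it assumes only POSIX sh, grep and awk.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only checks for two of
# the rules above (2: no direct root login over SSH; 4: password hashes kept
# in /etc/shadow, not /etc/passwd). Both take the file to inspect as an
# argument so they can be run against copies or constructed samples.

# Rule 2. sshd uses the FIRST uncommented PermitRootLogin it finds, so that is
# the effective value. Returns 0 only when it is "no"; an absent directive
# falls back to sshd's own default and is reported as not disabled.
root_login_disabled() {
    cfg="$1"
    value=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" \
        | head -n 1 | awk '{ print tolower($2) }')
    [ "$value" = "no" ]
}

# Rule 4. On a correctly shadowed system every /etc/passwd entry has "x" in
# the password field; anything else means a hash (or an empty password)
# is sitting in the world-readable file. Returns 0 when all entries are "x".
passwords_shadowed() {
    passwd_file="$1"
    awk -F: '$2 != "x" { bad = 1 } END { exit bad + 0 }' "$passwd_file"
}

# Print a one-line verdict per check; returns 1 if any check fails.
audit() {
    sshd_cfg="${1:-/etc/ssh/sshd_config}"
    passwd_file="${2:-/etc/passwd}"
    rc=0
    if root_login_disabled "$sshd_cfg"; then
        echo "OK    PermitRootLogin no ($sshd_cfg)"
    else
        echo "WARN  direct root login not disabled ($sshd_cfg)"; rc=1
    fi
    if passwords_shadowed "$passwd_file"; then
        echo "OK    all password hashes shadowed ($passwd_file)"
    else
        echo "WARN  password field other than x found ($passwd_file)"; rc=1
    fi
    return $rc
}

# Run only when invoked with file arguments, e.g.
#   sh audit.sh /etc/ssh/sshd_config /etc/passwd
# so the functions stay usable when this file is sourced.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

The first-match rule for PermitRootLogin matters in practice: a hardening line appended at the end of sshd_config does nothing if an earlier line already sets the directive, which is why the check reads the first uncommented occurrence rather than the last.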
Tools to install and use
You can equip your Linux system with some excellent tools for detecting
viruses, rootkits, and other malware. There are many such high-quality
tools available for Linux. Here are some of the tools — open-source and
free — that you should consider.
*ClamAV* is an antivirus tool that runs through whatever portion of the
file system you select, examining files for potential viruses. Depending
on the size of your file system, it can take hours to run but is easy to
install and use. The database it uses to recognize viruses needs to be
periodically updated so that it recognizes newer viruses. The tool's
*freshclam* command will do this for you.
The *chkrootkit* tool detects rootkits. It uses C and shell scripts to
run a detailed process check. It also scans a system's binaries to
detect rootkit signatures. This tool will be updated during regular
system updates.
The *rkhunter* tool is another rootkit hunter. It scans for rootkits,
backdoors, and sometimes local exploits as well. By comparing the hashes
of important files with the legitimate hashes available in an online
database, it can recognize problems. It can also note when files have
incorrect permissions or are "hidden," and it may find suspicious
strings in kernel modules. It is sometimes included by default when a
Linux system is installed.
*Wireshark* looks at traffic on your local network. It provides network
monitoring, packet sniffing, and protocol analysis. In fact, it is
probably the most widely used packet sniffer available. This tool
captures packets, analyzes them by using filters, and helps you
visualize what is happening on your network. It is available not only on
Linux but also on Windows, Unix, MacOS, etc.
*Nmap* is a tool for network exploration and security auditing. It can
run on large networks or on single systems. It can tell you what hosts
are on the local network, which services they are offering, which OS
they use, and which firewall they are using. Though intended for
security audits, Nmap is also useful for getting a view of the local
network and planning upgrades or future projects.
*Snort*, an intrusion prevention system, installs with rules allowing it
to detect malicious activities on a network. It requires the network
interface to be put into promiscuous mode, allowing it to see all
traffic on the network rather than only packets that it would normally
see. It uses traffic analysis and packet logging to recognize network
intrusions.
*Lynis* is a security tool for systems running Linux, macOS, or Unix. It
performs extensive health scans to support system hardening and
compliance testing.
Some additional tools to consider include:
*Firejail* reduces the risk of security breaches by restricting the
running environment of untrusted applications. Though it's not
open-source, it is free and easy to use.
*Tripwire* is an intrusion-detection program that is very popular on
Linux systems. It detects unauthorized filesystem changes that occur
over time.
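The hash comparison that rkhunter performs against known-good values, and the change detection over time that Tripwire performs, both rest on the same idea: record a cryptographic hash of each file you care about, then compare later. The script below is an added example illustrating that idea; it is not code from rkhunter, Tripwire or the original post, and it assumes sha256sum, find and awk as shipped with GNU coreutils. It records a baseline for a directory tree and later reports files that were modified, added or removed.

```shell
#!/bin/sh
# Added example, not from the original post and not rkhunter or Tripwire code:
# a minimal file-integrity baseline in the spirit of the hash comparison those
# tools perform. Assumes GNU sha256sum, find and awk.

# Emit "hash  ./path" for every regular file under $1, sorted by path so two
# runs over an unchanged tree produce byte-identical output.
hash_tree() {
    dir="$1"
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Record the current state of tree $1 into baseline file $2.
# Keep the baseline somewhere the tree's users cannot write (read-only media,
# another host), otherwise an intruder can simply regenerate it.
make_baseline() {
    hash_tree "$1" > "$2"
}

# Compare tree $1 against baseline $2. Prints one line per difference
# (MODIFIED / ADDED / REMOVED) and returns 1 when anything differs,
# 0 when the tree matches the baseline exactly.
check_baseline() {
    dir="$1"
    baseline="$2"
    now=$(mktemp)
    hash_tree "$dir" > "$now"
    # sha256sum separates hash and path with two spaces; split on exactly that
    # so paths containing single spaces survive. (Paths containing a
    # double space or a newline are not handled by this toy.)
    diffs=$(awk -F'  ' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            if (!($2 in old)) print "ADDED    " $2
            else {
                if (old[$2] != $1) print "MODIFIED " $2
                delete old[$2]
            }
        }
        END { for (p in old) print "REMOVED  " p }' "$baseline" "$now")
    rm -f "$now"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Usage: integrity.sh baseline|check <directory> <baseline-file>
case "$1" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Run `baseline` once on a freshly installed system (for example over /usr/bin and /usr/sbin) and `check` from cron afterwards; a non-zero exit with a MODIFIED line for a binary that no package update touched is exactly the signal the rootkit hunters above look for. The real tools add what this toy omits: a signed or remotely stored database, coverage of permissions and ownership, and known-good hashes from the distribution rather than from the possibly-already-compromised machine.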
Note: There are also a number of commercial products that can be used to
help ensure security on Linux. The focus of this article is on free
tools for use on individual Linux systems.
Wrap-up
Protecting yourself from cyberthreats is more critical than ever, but
the best protection is a mix of being careful, managing your system
well, and using tools that can alert you to problems or help you avoid them.
Remember that it's not your computer that you're protecting — it's yourself.