The magazine of the Melbourne PC User Group

Virus and Root Kit Protection in Linux (Part 1)
Dennis Parsons

Part of being a responsible computer user is keeping your system free from malware, viruses and worms. Not only does this protect your own system, you help protect the systems of those around you by not becoming a vector for more infections, or being used as a distribution point for spam or malicious attacks.

While using Linux is a great start, it is just that, a start. Yes, compared with Windows there is much less malware written for Linux, and the structure and diversity of Linux make it less susceptible to attack, but attacks can and do happen.

As ever with safe and secure computing, complacency and ignorance are the biggest dangers. If you were a Windows user at any time I'm sure you were well and truly aware of malware and had a complete toolbox of software to counter it. While the Linux toolbox might be lighter, tools do exist and in this series I'll be running through installing and using a few.

You probably feel very safe using Linux and that's what everyone tells you, but ask yourself "How much of that safety comes down to the fact that your system simply isn't Windows?". There is much argument over this point. Linux fans like to argue that superior security, and fewer bad habits (like routinely operating as super user) are the reasons for Linux's lower susceptibility to attack.

Windows fans like to argue it's mainly the small number of users that makes Linux an undesirable target and this advantage will diminish with an increase in the number of users. Both arguments have merit. Using Linux won't save you from yourself; if you're stupid and careless while online you'll still come undone, perhaps just not as quickly as you would with Windows. Also, the Linux user base is changing. Linux is moving from being the sole domain of "geeks" to including many more users who would be considered your "average" user, probably increasing the risk of Linux specific malware spreading.

Anti-Virus

Many Linux based anti-virus products are aimed squarely at the server market and not the desktop user, so they are not really suitable for individual purposes, plus they tend to be quite expensive. However, there are a number of suitable programs available from both commercial and open sources, that are free of charge for personal use.

Some of the programs offer "on-demand" scanning only (manually running a scan of files), which is probably adequate for Linux at present. Those that offer "on-access" scanning (automatic scanning of files as they are opened or executed) use a third-party kernel module named Dazuko to achieve this. On-access scanning isn't recommended for slower or production systems such as servers, as there can be quite a performance hit involved. However, the degradation isn't drastic enough to present much of a problem for the desktop user with a newer system. That said, it's debatable whether on-access scanning is absolutely necessary on the Linux desktop at present. So, if you are willing to tolerate some loss of performance (as they say, "your mileage may vary") there is no harm in being ahead of the main game in protecting your system.
 
One point to consider here is that while a Linux system may not be vulnerable to most malware at present, because it's designed for and aimed at Windows, Linux is capable of passing on those programs. You can very easily download an infected file and send it on without knowing, simply because it wasn't scanned by your system. This was demonstrated recently with an exploit involving JPEG images http://secunia.com/advisories/12528.

Installation of the on-demand scanners is fairly straight forward, either via RPM or from a tar.gz compressed file. Installation of Dazuko for on-access scanning requires recompilation of the kernel (on Mandrake at least) which sounds daunting but is really quite simple, just a little time consuming. If nothing else it's a useful learning exercise and I'll run through that process in Part 2 of this series.

While it's possible to achieve inline e-mail scanning by using sendmail (or similar) combined with suitable scripts (such as AMaViS), that's outside the scope of this article. A recent update to KMail is able to make use of various popular Linux virus scanners to scan e-mail, so it might be worth considering using KMail as your e-mail client, especially if you're concerned about e-mail worms. As Melb PC e-mail is already scanned the risk of receiving an infected message is minimal. However, mistakes can happen and a rapidly spreading worm can beat the update of virus definitions, and many people have several e-mail accounts, and not all ISPs scan e-mail on the server.

Preliminaries

Linux can run commands or scripts at a particular time by using what are called cron jobs. cron reads the schedule from a crontab file which you need to create or edit by using the command
  
 crontab -e

By default it uses vi, a powerful but complicated editor, so we'll change that to a more user friendly editor, mcedit, as follows:
   
export VISUAL=mcedit

To make this permanent for your own account, add the line to ~/.bash_profile. Adding it to /etc/profile also works, but changes the default editor for every user on the system.
The entries in crontab take the form of a time and date (in a specific format), and the command to run:

* * * * * command to be executed
- - - - -
| | | | |
| | | | +-- day of week (0 - 7) (Sunday = 0 or 7, Monday = 1)
| | | +---- month (1 - 12)
| | +------ day of month (1 - 31)
| +-------- hour (0 - 23)
+---------- min (0 - 59)

    e.g. 01 0,6,12,18 * * * /usr/local/virus_updater

As you can see in this example you can specify multiple hours, and an asterisk (wildcard) indicates all values (i.e. every day, every month, etc.). It will run at 00:01, 06:01, 12:01 and 18:01 every day. A step value such as */6 in the hour field is another way of writing 0,6,12,18, and a range such as 1-5 in the day-of-week field means Monday to Friday.

A handy feature is that cron e-mails any output from a job to the owner of the crontab, so the success or failure of an update shows up in a mailbox on your own system. To have root's job reports sent to your own account instead, add the line MAILTO=username at the start of the root crontab, replacing "username" with your Linux username. A job that produces no output sends no mail. "mail" will display unread messages.

For example:
 

MAILTO=dennis
01 02 * * * /usr/local/virus_updater

A good idea is to stagger the start times of jobs, particularly where downloading is involved to avoid congestion. "man 5 crontab" or use Google to discover more options.

You can also use kcron, a graphical tool, to edit crontabs. "su" to the root user and run "kcron" to edit root's crontab - required for updating virus definitions. "urpmi kdeadmin" will install kcron if it isn't already.

F-Prot

http://www.f-prot.com

FRISK, producer of F-Prot, has been a long time provider of anti-virus software and its Linux offering is a simple and effective on-demand command line scanner that requires no additional software to use. Registration is required prior to download.

To install, as root:
   
rpm -Uvh fp-linux-ws.rpm

To manually update:
 
  /usr/local/f-prot/tools/check-updates.pl (as root user)

To automatically update:
   "crontab -e": 01 0,6,12,18 * * * /usr/local/f-prot/tools/check-updates.pl -cron (as root user)

To scan:
   
f-prot -report=f-prot.log /home ("f-prot -?" for more options)

AntiVir

http://www.free-av.com

AntiVir by H+BEDV is a fully featured virus scanner which, in addition to command line based on-demand scanning has a graphical interface available. It is also capable of on-access scanning using Dazuko. For the on-demand component no additional software is needed. However, annual registration is required (which is free) to obtain a key that enables the program to use updated virus definitions. Copy the key file that H+BEDV e-mails you (hbedv.key) to /usr/lib/AntiVir.

To install, as root:
   tar zxvf antivir-workstation-pers.tar.gz
   cd antivir-workstation-pers
   ./install


Select automatic updates if desired, although creating a cron job is more flexible.

Do not install AVGuard, the on-access component; on-access scanning will be covered next month.

To manually update:
   antivir --update (as root user)
To automatically update:
   "crontab -e": 01 0,6,12,18 * * * /usr/lib/AntiVir/antivir --update (as root user)

To scan:
   antivir -s -rf /home ("antivir --help" for more options)

TkAntivir

http://www.sebastian-geiges.de/cms_e

TkAntivir is a third party graphical front end for AntiVir enabling on-demand scanning for those who prefer using a GUI tool.

To install, as root:
   mkdir tkantivir
   mv tkave.tgz tkantivir
   cd tkantivir
   tar zxvf tkave.tgz
   ./configure


To run:
   tkantivir

BitDefender

http://www.bitdefender.com.au

BitDefender is another command-line only, on-demand scanner. Again, it's simple and easy to use. Interestingly there is also a bootable Linux based CD available named LinuxDefender Live! that supports writing to NTFS partitions, making it a potentially handy tool for disinfecting a Windows system if it won't boot. I haven't tested this.

For Mandrake 10.1 download:
   BitDefender-Console-Antivirus-7.0.1-3.linux-gcc3x.i586.rpm

To install:
   rpm -Uvh BitDefender-Console-Antivirus-7.0.1-3.linux-gcc3x.i586.rpm

To manually update:
   bdc --update (as root user)

To automatically update:
   "crontab -e": 01 0,6,12,18 * * * /opt/bdc/bdc --update (as root user)

To scan:
   bdc --log /home ("bdc" for more options)

ClamAV

http://www.clamav.net

Unlike the other virus scanners already mentioned, ClamAV is an open source project, and features both on-demand scanning from the command line and on-access scanning with the aid of Dazuko (to be covered next month). Virus definition updates are released frequently, and updating is handled automatically by the freshclam daemon if it is enabled.
 
Mandrake/Mandriva RPMs are available from: ftp://ftp.neocat.org/pub/
 
- download clamav, clamav-db, clamd and libclamav1

To install (this is all one command; the backslash continues it onto the next line):
   rpm -Uvh clamav-0.84-0.1.101mdk.i586.rpm clamav-db-0.84-0.1.101mdk.i586.rpm \
     clamd-0.84-0.1.101mdk.i586.rpm libclamav1-0.84-0.1.101mdk.i586.rpm


To manually update:
   freshclam (as root user)

To scan:
   clamscan -r -l clamscan.log /home ("man clamscan" for more options)

How Often Should I Update?

Anti-virus software becomes increasingly ineffective if the definitions aren't updated, and the more frequently the better. I'd suggest at least daily: run a cron job, or use the scanner's own automatic updating, with an interval to suit your Internet connection.

dial-up:
   every hour or two (to ensure you update while connected)
broadband:
   once per day if your system is always on
   every 6 or 12 hours if you turn it off
Tailor the update times to suit your connection habits.
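The script below is an added example, not part of the original article, pulling together the cron material from Preliminaries and the update schedule suggested here. It assembles one root crontab that runs the definition updates of the four scanners four times a day, staggered five minutes apart so the downloads don't all start together, adds a weekly full scan, and checks every entry's time fields against cron's own ranges (minute 0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-7 with Sunday as 0 or 7) before anything is installed. The scanner update commands are the ones quoted in this article; the freshclam path (/usr/bin/freshclam) and the weekly scan script (/usr/local/bin/weekly-scan) are assumptions.

```bash
#!/bin/bash
# Added example (not from the article): assemble and sanity-check a root crontab
# that staggers the definition updates of the scanners covered here and adds a
# weekly full scan. Entries marked "assumed" are guesses; the rest are quoted above.

# Check one cron field ("*", "7", "1-5", "0,6,12,18", any of them with "/step")
# against an inclusive numeric range. Prints "ok", or the reason it is rejected.
# Month and weekday names (jan, mon, ...) are not handled: use numbers.
cron_field_ok() {
    local field=$1 min=$2 max=$3 item lo hi
    local -a items
    [ "$field" = '*' ] && { echo ok; return 0; }
    IFS=',' read -ra items <<< "$field"      # read does not glob-expand '*'
    for item in "${items[@]}"; do
        item=${item%%/*}                      # drop any "/step" suffix
        [ "$item" = '*' ] && continue
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ -z "$lo" ] || [ -z "$hi" ]; then echo "empty value in '$field'"; return 1; fi
        case "$lo$hi" in *[!0-9]*) echo "non-numeric '$item'"; return 1 ;; esac
        if [ "$lo" -lt "$min" ] || [ "$hi" -gt "$max" ] || [ "$lo" -gt "$hi" ]; then
            echo "'$item' outside $min-$max"; return 1
        fi
    done
    echo ok
}

# Check a whole crontab entry: five time fields in range, followed by a command.
cron_line_ok() {
    local minute hour dom mon dow cmd r i
    read -r minute hour dom mon dow cmd <<< "$1"
    [ -n "$cmd" ] || { echo "missing command"; return 1; }
    local -a names=(minute hour day-of-month month day-of-week)
    local -a vals=("$minute" "$hour" "$dom" "$mon" "$dow")
    local -a lows=(0 0 1 1 0)
    local -a highs=(59 23 31 12 7)           # weekday 0 or 7 = Sunday
    for i in 0 1 2 3 4; do
        r=$(cron_field_ok "${vals[i]}" "${lows[i]}" "${highs[i]}") \
            || { echo "${names[i]}: $r"; return 1; }
    done
    echo ok
}

# Emit a complete root crontab. Updates run four times a day, five minutes apart;
# the full scan runs Sunday 03:30 (day of week 0). The freshclam line is an
# assumed path and is unnecessary if the freshclam daemon is already enabled;
# the weekly-scan script is an assumed wrapper around your preferred scanner.
# Usage (as root): build_crontab dennis | crontab -
build_crontab() {
    local mailto=$1 l r
    local -a entries=(
        "01 0,6,12,18 * * * /usr/local/f-prot/tools/check-updates.pl -cron"
        "06 0,6,12,18 * * * /usr/lib/AntiVir/antivir --update"
        "11 0,6,12,18 * * * /opt/bdc/bdc --update"
        "16 0,6,12,18 * * * /usr/bin/freshclam"
        "30 3 * * 0 /usr/local/bin/weekly-scan --run /home"
    )
    for l in "${entries[@]}"; do
        r=$(cron_line_ok "$l") || { echo "rejected entry '$l': $r" >&2; return 1; }
    done
    printf 'MAILTO=%s\n' "$mailto"
    printf '%s\n' "${entries[@]}"
}
```

Pipe the output into "crontab -" as root to install it, or save it to a file and load that with "crontab filename"; either way, check it afterwards with "crontab -l". If you only use one of the scanners, delete the other update lines rather than leaving jobs that will fail and mail you four times a day.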

Adding a cron job for a full system scan at least once per week is also a good idea. Schedule it for a quiet time when you won't notice the activity. I'd also suggest not using a log file as any output will then be included in the e-mail report of the cron job.

These e-mails can be read using "mail" or "elm", or if you prefer a graphical interface use KMail, which fully supports this sort of account (set up a new account using the Account Type "Local Mailbox"). Sylpheed is another graphical option.

To read old messages in mail use "mail -f" or view ~/mbox ("~" is your home directory) and for elm users, "elm" then at the command: prompt enter "c" then "=received".
 
Scanning from the command line probably seems a little unfriendly, especially if you're used to a graphical environment, but in reality it's providing the same information, only in a different format. All of the virus scanners mentioned can produce log files, as shown in the examples, or you can redirect the output to a file (add 2>&1 after the file name if you also want error messages, which go to standard error, captured), e.g.

   clamscan -r /home > clamscan.log
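The weekly scan suggested above produces a cron e-mail every week whether or not anything was found, and with a log file in use the detail is lost from the mail. The wrapper below is an added example, not part of the original article: it keeps the full report in a dated log file, prints something (and so triggers the cron mail) only when files were found or the scanner failed, and passes on clamscan's exit status convention of 0 for clean, 1 for infected and 2 for an error. It assumes ClamAV by default (clamscan's -r recurses and -i lists only infected files; hits end with the word FOUND) and an assumed log directory of /var/log/avscan; the SCANNER array can be pointed at another of the scanners covered here.

```bash
#!/bin/bash
# Added example (not from the article): a wrapper for the weekly full scan run
# from cron. The complete report goes to a dated log file; the wrapper prints
# (and so cron mails) something only when files were found or the scanner failed.
# Exit codes follow clamscan's convention: 0 clean, 1 infected, 2 error.

# The scanner command; -r recurses, -i reports only infected files. Override for
# another scanner with e.g. SCANNER=(/opt/bdc/bdc) before calling run_scan.
SCANNER=(clamscan -r -i)

# run_scan TARGET [LOGDIR]   (LOGDIR defaults to /var/log/avscan, an assumed location)
run_scan() {
    local target=$1 logdir=${2:-/var/log/avscan}
    local log status=0
    mkdir -p "$logdir"
    # mktemp gives each run its own file even if two scans start the same day
    log=$(mktemp "$logdir/scan-$(date +%Y%m%d).XXXXXX") || return 2
    "${SCANNER[@]}" "$target" > "$log" 2>&1 || status=$?
    case $status in
        0)  # clean: say nothing, so cron sends no mail
            return 0 ;;
        1)  echo "Infected files found while scanning $target (full report: $log):"
            grep 'FOUND$' "$log" || true      # clamscan marks hits "<file>: <name> FOUND"
            return 1 ;;
        *)  echo "Scanner exited with status $status while scanning $target; see $log"
            tail -n 5 "$log"
            return 2 ;;
    esac
}

# Typical root crontab entry, Sunday 03:30 (day of week 0):
#   30 3 * * 0 /usr/local/bin/weekly-scan --run /home
if [ "${1-}" = --run ]; then
    run_scan "${2:-/home}"
fi
```

Save it as /usr/local/bin/weekly-scan (an assumed name), make it executable, and try it by hand on a small directory first: a clean run prints nothing, and an infected run lists the FOUND lines from the report. Because cron only mails when a job produces output, the weekly mail then arrives only when there is something to act on.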

Saving the Best Until...

Next month I'll be covering re-compiling your kernel, enabling you to run Dazuko for on-access virus scanning. I'll be writing about root kits - what they are, what they do, how to detect them and what to do if you find you have one.

Note: Mandrake has a new name, now Mandriva and the latest release, Mandriva LE2005 Download Edition, is currently available, updating Mandrake 10.1.

Reprinted from the June 2005 issue of PC Update, the magazine of Melbourne PC User Group, Australia
