Wednesday, July 21, 2010

How useful is anti-virus in Linux? (Part 2)

In Part 1 I wrote about Linux malware found in a screensaver. In this post, I'm going to talk about a more recent story of a Trojan horse found in a Linux distribution. The story was picked up with glee by Ed Bott:
Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don’t need any such protection. Today comes a shining example of why they’re wrong.
Then Adrian Kingsley-Hughes jumped on the FUD wagon. So should Linux users all be installing anti-virus software? I decided to investigate. With a bit of searching, I found an analysis of the malware script concerned. Submitting the script to VirusTotal produced no detections, but I'd found this blog post from Sophos describing how they detect the malware as Troj/UnIRC-A. Another analysis suggested the malicious package was still available for download. I checked, and it was. The file had already been submitted to VirusTotal in February 2010, when there had been four detections. (A reanalysis didn't produce any more.)

Despite the rather gloating blog from Sophos above, they only added their detection for this malware on the day the story broke. F-Secure added their detection the day after. I don't know when Comodo and Panda added their detections, but I'm guessing they too added their detections after the story broke.

So should Linux users be installing anti-virus products, and combing their systems for malware? There are two points to make here:
  • There's no evidence that any anti-virus product would have detected this malware before it was discovered and reported.
  • Well over a month after the malware was discovered, it's detected by a tiny minority of anti-virus programs.
The real moral of the story seems to be (as the Sophos blog points out) for administrators to check signatures and checksums of files when using a distro like Gentoo. [Some background I picked up reading the comments sections of various articles about the story: Gentoo is a far from mainstream distro which requires users to compile everything from tarballs.]
In more mainstream distros, software in repositories is digitally signed by the developer, so it is not possible for a package to be replaced with malware. When enabling additional repositories, or trusted third-party repositories, always make sure the appropriate key is installed so software can be authenticated. The following warning means the appropriate key has not been installed, and you are at risk of installing a possibly insecure package:
You are about to install software that can’t be authenticated! Doing this could allow a malicious individual to damage or take control of your system.
See here for an example.
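As an added example (not part of the original post), here is a small POSIX shell check of the kind the Sophos advice calls for: verify a downloaded tarball against a published SHA256SUMS manifest and refuse to go on if the digest does not match or the file is not listed. File names and contents are constructed for the demo; it assumes coreutils `sha256sum`, and verifying the manifest's own GPG signature (`gpg --verify`) is a separate step not shown here.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks a tarball against a
# SHA256SUMS manifest (lines of the form "<hex digest>  <file name>").
# Assumes coreutils sha256sum. The manifest's own signature should be checked
# with gpg --verify before it is trusted; that step is outside this script.

# verify_tarball <tarball> <manifest>
# Returns 0 only when the manifest lists the tarball and the digest matches;
# 2 when the file is not listed, 1 when the digest differs.
verify_tarball() {
    tarball="$1"
    manifest="$2"
    name=$(basename "$tarball")
    # Look up the expected digest by file name.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "refusing $name: not listed in $manifest" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "refusing $name: digest mismatch (tampered or corrupt download)" >&2
        return 1
    fi
    echo "$name: checksum OK"
    return 0
}

# Constructed scenario (hypothetical package name): a clean tarball, a
# manifest generated from it, and a tampered copy with the same file name.
setup_demo() {
    dir=$(mktemp -d)
    printf 'clean package contents\n' > "$dir/example-pkg-1.0.tar.gz"
    ( cd "$dir" && sha256sum example-pkg-1.0.tar.gz > SHA256SUMS )
    mkdir "$dir/tampered"
    printf 'clean package contents\nmalicious addition\n' \
        > "$dir/tampered/example-pkg-1.0.tar.gz"
    echo "$dir"
}
```

Run `d=$(setup_demo); verify_tarball "$d/example-pkg-1.0.tar.gz" "$d/SHA256SUMS"` to see the clean file pass, then point it at the `tampered/` copy to see the refusal.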
