Virus threats targeting Linux
Thursday, March 16, 2023
It so happens that in our issues of the Anti-virus Times, we pay more attention to the Microsoft Windows OS family. That is hardly surprising, since it is the most common OS among home users—therefore, it has always been the focus of virus writers, and the most massive virus attacks have most often been carried out on Windows-running devices. As a result, a wide range of ordinary users and computer specialists believe that attackers can compromise Windows literally with a snap of the fingers.
Indeed, most malicious programs are created to run on Windows, and mass adoption is the root of a system's exposure. But, in the world of computers, there exists a no less important family of OS: the so-called UNIX-like operating systems, the best known of which is the Linux family. Historically, Linux is not so popular among ordinary home users, but it is widely used for business purposes—as an operating system for various servers, workstations and terminals. Linux is often considered a more protected and secure alternative to Windows, including for desktops. In today's article, we will briefly analyse whether Linux systems are exposed to virus threats, and whether users of this OS often encounter malware.
As mentioned above, Linux is not a single operating system. It is a family of OSs that share one kernel while differing in other respects. Ubuntu, Debian, Fedora and CentOS are just some of the most common Linux “versions”, called distributions. We will not go into the details of Linux's rich history and its features, as that would take us far beyond the scope of this article, but it is worth noting that these operating systems are, as a rule, distributed free of charge and have open source code. There is also a huge number of enthusiasts who contribute to the development of this family.
Let's try to understand why Linux is often believed to be a more secure system. For a long time, a popular saying in computer circles went like this: “No viruses exist for Linux!” It could particularly often be heard from experienced Linux users who watched their “Windows” friends reinstall Windows after yet another infection. But here it is important to remember the mass-scale factor. Even if we disregard targeted attacks, virus writers usually count on infecting as many random devices as possible. Therefore, computers running Windows are the logical target.
Another reason why Linux-targeting malware is less common is that, for the most part, Linux users have a sound knowledge of computer security. Unlike Windows, Linux is rarely used as an entertainment platform. By working with Linux, users gain a deeper knowledge of operating systems and computers in general. As a result, on average, Linux users fall less often for the tricks of criminals. All of these factors make developing malware for Linux on a mass scale less cost-effective than creating trojans and viruses for Windows.
Linux operating systems are also known for their mechanism for separating system access rights. Access with the highest privileges is called root access or superuser mode. And the first rule of working in Linux goes like this: do not work in the system as root. Oddly enough, users really do try to follow this rule. Thus, a running malicious program cannot infect the entire system; its activity is limited by the user's permissions. Of course, similar functionality exists in Windows, but, for some reason, it is often ignored by home users. How often do you, your friends, or even your colleagues use administrator mode in Windows? It should be remembered that working with only the rights needed to perform a task (the principle of least privilege) is a basic principle of security.
Another argument that can often be heard in favour of using Linux: the open-source code, which allows the community of developers and enthusiasts to spot malicious code, backdoors and vulnerabilities as they appear in system components or Linux programs. However, in our opinion, it is still a matter of trust. Do you trust proprietary software and a specific development company? Or, on the other hand, do you feel more at ease knowing that the security of a huge body of code is watched over by the so-called maintainers of the Linux community? In both cases, you won't be able to independently check all the programs you use or make sure that the Linux kernel does not contain vulnerabilities.
So, from a technical point of view, malware for Linux of course exists. Moreover, it grows in number every year as these operating systems gain popularity. Trojans, backdoors, malicious scripts, exploits, spyware, and even encryption ransomware potentially threaten users of Linux computers and can cause as much trouble as on Windows systems. The infection method and what happens afterwards depend on how well protected the computer is and how competent the user is. If the user works with root permissions, the privilege separation mechanism will be of no help.
The functionality of malware written for Linux is quite diverse. For example, cybercriminals can infect a device to track user actions and intercept keystrokes. The situation is complicated by the fact that a trojan does not usually need superuser privileges to operate. In addition, Doctor Web's virus analysts have encountered instances of proxy servers being deployed on a device to hide malicious actions, and of devices being infected to carry out DDoS attacks. One such program is Linux.BackDoor.Dklkt.1.
Of course, we must not forget about vulnerabilities. There have even been cases where malicious programs were able to elevate their OS access rights to the superuser level, which allowed attackers to execute arbitrary code. Unfortunately, not all vulnerabilities are quickly discovered by specialists. However, if a problem affects a relatively large number of users, the errors are usually corrected quickly in the next software update.
It is worth mentioning another class of devices for which different versions of Linux serve as the operating system. Until now, we have talked about home PCs running a variety of Linux distributions. But Linux's real stronghold is server solutions and the Internet of Things (IoT devices). Therefore, criminals have become increasingly interested in this platform. Unprotected and vulnerable IoT devices are often used by attackers to create botnets and carry out DDoS attacks. Linux.Mirai became a well-known representative of such malware. It spread over the network by cracking weak device passwords. Once attacked, an infected machine became part of a botnet, and its computing power and network access were used to carry out DDoS attacks. At least hundreds of thousands of devices were infected around the world.
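As an added illustration (not from the original article or from Doctor Web), the following Python script shows how a defender can spot the password-guessing behaviour described above in SSH authentication logs: it flags sources that exceed a threshold of failed logins within a short window and records any account such a source subsequently logs into. The log lines and the year prepended to their timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from any real system): a password-guessing
# run against "root" from one source that ends in a success, plus a benign typo.
SAMPLE_LOG = """\
Mar 16 10:01:02 gw sshd[411]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 16 10:01:03 gw sshd[411]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 16 10:01:04 gw sshd[413]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 16 10:01:05 gw sshd[415]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 16 10:01:06 gw sshd[417]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 16 10:01:07 gw sshd[419]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Mar 16 10:03:30 gw sshd[421]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 16 10:03:40 gw sshd[423]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(line, year="2023"):
    """Parse one sshd line into (timestamp, result, user, ip); None if not a login event.
    syslog timestamps carry no year, so one is assumed here."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_password_guessing(log_text, threshold=4, window_s=60):
    """Return {ip: (max_failures_in_window, [accounts later logged into])} for every
    source that produced at least `threshold` failed logins within `window_s` seconds."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    recent_failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            # keep only failures from this source inside the sliding window
            window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_s]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= threshold:
                count, users = alerts.setdefault(ip, [0, set()])
                alerts[ip][0] = max(count, len(window))
        elif ip in alerts:
            # a success from an already-flagged source: treat that account as compromised
            alerts[ip][1].add(user)
    return {ip: (n, sorted(users)) for ip, (n, users) in alerts.items()}
```

In practice the function would be fed the output of `journalctl -u ssh` or `/var/log/auth.log`; a source that trips the threshold and then succeeds is the pattern a Mirai-style credential attack leaves behind.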
With their growing popularity, Linux-based operating systems are becoming more tempting targets for attackers. As we can see, Linux itself is not a closed system that is secure a priori. We have discussed some factors that really do slow the spread of Linux malware; however, given current trends, it is entirely likely that the significant difference in the number of threats between Linux and Windows will almost disappear over time.
The Anti-virus Times recommends
- The specifics of the Linux kernel's architecture and of most distributions can indeed limit what malware can do, but the user's actions are still the determining factor. Remember that.
- Do not use superuser mode if you do not need it; everyday tasks very rarely require it. A regular user session limits what a malicious program can do, but it does not eliminate the threat completely.
- As with Windows, we recommend keeping track of whether the programs you use are up to date and not ignoring the updates released for them.
- Install programs only from verified repositories. Linux-targeting malware is often distributed in the form of unverified program binary files.
- Because Linux systems are becoming more widespread, computers need to be protected by a reliable anti-virus. Doctor Web produces comprehensive products for both home PCs and various Linux-based server solutions. For example, Dr.Web Security Space for Linux is perfect for protecting your home device. The program not only analyses files according to known signatures but also has a file access-monitoring function. It also monitors network connections to, among other things, prevent malware from being downloaded to a computer.