Is 2009 the year of Linux malware?
Posted on: 2009-04-03 23:24:27

It is common knowledge that Linux users needn't worry about viruses because users don't run as root. I've never understood the reasoning behind this. Here are a few of the malicious things that a program can do without being root on Ubuntu 8.10:

  • Start a program every time you log in
    Add an entry to .config/autostart
  • Configure Firefox to route all traffic through a remote proxy
    Change a line in .mozilla/firefox/*/prefs.js
  • Replace everything in your "System Settings" menu with a command that asks you for your password, then does something else before invoking the real program
    Add a file to .local/share/applications
  • Download and install other programs in the background
    Putting them in .gnome2/system32 seems somehow appropriate
  • Run a server of any kind (web/ftp/irc/etc.)
    Just pick a port above 1024, and update the firewall with UPnP
  • Install a new Firefox plugin
    Put it in .mozilla/firefox/*/extensions/
    Call it "Ubuntu System Integration Plugin Helper"
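
Seen from the defender's side, the list above is also a checklist of places to inspect. The following Python audit is an added example, not code from the original post: it enumerates those per-user locations and reports what each entry would run or change. The sample home directory, file names and Exec paths in `demo()` are constructed, and the default `system_apps` path is an assumption about where the distribution keeps its own launchers.

```python
import re
import tempfile
from pathlib import Path

PROXY_PREF = re.compile(r'user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);')

def exec_line(desktop_file):
    """Return the Exec= value of a .desktop file, or '' if it has none."""
    for line in desktop_file.read_text(errors="replace").splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return ""

def audit_home(home, system_apps=Path("/usr/share/applications")):
    """List (category, item, detail) for each user-writable hook the post names."""
    findings = []
    for f in sorted(home.glob(".config/autostart/*.desktop")):
        findings.append(("autostart", str(f.relative_to(home)), exec_line(f)))
    for f in sorted(home.glob(".local/share/applications/*.desktop")):
        # A per-user launcher with the same file name as a system one replaces it in menus.
        kind = "menu-override" if (system_apps / f.name).exists() else "menu-entry"
        findings.append((kind, str(f.relative_to(home)), exec_line(f)))
    for prefs in sorted(home.glob(".mozilla/firefox/*/prefs.js")):
        for name, value in PROXY_PREF.findall(prefs.read_text(errors="replace")):
            findings.append(("firefox-proxy", name, value))
    for ext in sorted(home.glob(".mozilla/firefox/*/extensions/*")):
        findings.append(("firefox-extension", str(ext.relative_to(home)), ""))
    return findings

def demo():
    """Run the audit over a constructed home directory (all sample data is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        home, sysapps = Path(tmp, "home"), Path(tmp, "sysapps")
        files = {
            home / ".config/autostart/helper.desktop": "[Desktop Entry]\nExec=/home/u/.gnome2/helper\n",
            home / ".local/share/applications/users.desktop": "[Desktop Entry]\nExec=/home/u/.gnome2/ask-pw\n",
            sysapps / "users.desktop": "[Desktop Entry]\nExec=users-admin\n",
            home / ".mozilla/firefox/abc.default/prefs.js":
                'user_pref("network.proxy.type", 1);\nuser_pref("network.proxy.http", "192.0.2.10");\n',
            home / ".mozilla/firefox/abc.default/extensions/helper@example.invalid/install.rdf": "",
        }
        for path, text in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit_home(home, sysapps)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Calling `audit_home(Path.home())` reviews a real account; Firefox writes only changed settings to prefs.js, so any `network.proxy.*` line it reports is a non-default value worth confirming.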

Once malware has its grubby code all over your home folder, you are one fake dialog box away from giving it complete control over your system:

[Image: Firefox with a suspicious dialog box asking for the root password]

If you have ever run a program or script that wasn't included in your distribution, then you could have been infected with malware. (You weren't.)

If you are interested in more examples, The Malware Project (PDF) is a great read that takes you step by step through an actual social engineering experiment with users. The results will surprise you.

Ubuntu in particular must be very enticing for malware writers, because:

  • It is easy to get new users to run things. There are thousands of annoyances with desktop Linux that can only be fixed by dropping to the command line, or downloading something to do it for you.
  • It has a rich, portable API. Malware writers have access to all Unix commands and a rich programming environment that is guaranteed to be available on every desktop, allowing them to search and change any file in your home folder, or even implement complex network protocols.
  • Open source makes it easy to copy other programs. If you can change sources.list, you can then replace top, ps, and System Monitor with exact clones that neglect to display your processes. This is much easier than hacking up the Windows Task Manager's internal memory. Or just do everything in kernel mode for ultimate captcha cracking, DDoS power.
  • People are unprepared. The "fact" that Linux can't get viruses is constantly repeated all over the web.

Is 2009 the year of Linux desktop malware? How long until we see headlines like, "Researchers find massive botnet based on Linux 2.30"?

Brandon Thomson

2009-04-04 15:47:05
Linux is not immune and your points are correct and well taken. However... malware will only become a significant problem if linux gets more market share. Malware writers target Windows because that's where they get the most leverage.

So unless 2009 is also the year of the linux desktop in a big way...


2009-04-04 21:22:50
That's factually a very serious problem. Not yet. But it will become.

Once Linux catches a significant market share, less technically informed users will use it. They are obvious targets for social engineering and malware scams.

It's still more difficult to install malware by the commandline. People that actually tinker with sources.list and terminal commands are expected to have a greater understanding of involved risks.

However, with new users, this won't be the case. As you describe, some will copy and paste code and commands from forums/BBS.

There is nothing we can do about that. It's inevitable. Maybe the major forums are self-regulating, and malware trickery won't have as large an impact as with the Windows environment. Still, some user education might be in order. As you conclude, we are absolutely unprepared for when that starts.


2009-08-05 16:42:09
I agree with everyone else too, as long as everyone refuses to install linux, you don't have to worry about linux malware. No need to make any effort to protect your identity or banking info required. :)

Are people out there that dumb? You've just made a very short list of how easy it is to install malware to keylog someone's banking info if they wanted on linux and it doesn't sink in. Great article!


2010-01-13 13:28:50
Where is the malware?


2010-01-17 23:14:38
I agree that it is not immune to virus. But if I were a virus writer, which version of linux would I write it for? There are a gazillion different distributions with gazillion different versions of desktop.

Statistically if I chose to write for say opensuse, then I infect a few opensuse users. Not to mention a patch will come out as soon as it's detected. A virus can be written but its damage will be contained, so quickly and easily.


2010-04-30 09:18:38
Where is the PDF you have linked to here (called the TheMalwareProject)? I tried clicking on the link through a Windows XP SP3 machine with Internet Explorer 7.0 / Opera 10.52. I am not able to access this file.

Please tell me what is the best way to access this file. I am interested in learning more about this issue.




Steve Hanov

2010-04-30 13:17:47
"The Malware Project" was not really a PDF file. When you downloaded it and double clicked it, it would "infect" your Ubuntu system by popping up a notification, creating some files, and bringing you to a web page that says "Thanks for participating in the experiment."

It only got a few hits and it's hard to keep up to date, so I haven't maintained it.

