Is 2009 the year of Linux malware?

It is common knowledge that Linux users needn't worry about viruses because users don't run as root. I've never understood the reasoning behind this. Here are a few of the malicious things that a program can do without being root on Ubuntu 8.10:

• Start a program every time you login
  Add an entry to .config/autostart
• Configure firefox to route all traffic through a remote proxy
  Change a line in .mozilla/firefox/*/prefs.js
• Replace everything in your "System Settings" menu with a command that asks you for your password, then does something else before invoking the real program.
  Add a file to .local/share/applications
• Download and install other programs in the background
  Putting them in .gnome2/system32 seems somehow appropriate
• Run a server of any kind (web/ftp/irc/etc)
  Just pick a port above 1024, and update the firewall with uPnp
• Install a new firefox plugin
  put it in .mozilla/firefox/*/extensions/
call it "Ubuntu System Integration Plugin Helper"

Once malware has its grubby code all over your home folder, you are one fake dialog box away from giving it complete control over your system:

If you have ever run a program or script that wasn't included in your distribution, then you could have been infected with malware. (You weren't.)

• Have you installed a zipfile full of video codecs from somewhere?
• Have you ever run a script from ubuntuforums that promised to make it easy to get something working?
• Have you ever been told by a web site to add a line to your sources.list file? Instant rootkit!

If you are interested in more examples, The Malware Project (PDF) is a great read that takes you step by step through an actual social engineering experiment with users. The results will surprise you.

Ubuntu in particular must be very enticing for malware writers, because:

• It is easy to get new users to run things. There are thousands of annoyances with desktop linux that can only be fixed by dropping to the command line, or downloading something to do it for you.
• It has a rich, portable API. Malware writers have access to all unix commands and a rich programming environment that is guaranteed to be available on every desktop, allowing them to search and change any file in your home folder, or even implement complex network protocols.
• Open source makes it easy to copy other programs. If you can change sources.list, you can then replace top, ps, and System Monitor with exact clones that neglect to display your processes. This is much easier than hacking up the Windows Task Manager internal memory. Or just do everything in kernel mode for ultimate captcha cracking, DDOS power.
• People are unprepared. The "fact" that linux can't get viruses is constantly repeated all over the web.

Is 2009 the year of the linux desktop malware? How long until we see headlines like, "Researchers find massive botnet based on linux 2.30"?

Further Reading

• How to write a Linux virus in 5 Easy Steps - Desktop launchers will be the first wave of attack. You can send a launcher by email. Gnome will execute it regardless of permissions, and the icon and extension can be anything you want!