Malware Detection for Linux Desktop

If you’re running Linux on your home or small office desktop PC, you have less to be concerned about when it comes to malware, spyware, scumware, slimeware, viruses, etc. But it’s not bulletproof. Your first line of defense should be a secured installation and especially a secured browser* as that’s where trouble is most likely to come from. You’ll also want to run some scans periodically. This is just a quick checklist to help those at least somewhat familiar with Linux on the desktop.


Rootkithunter:

To install RootKit Hunter, open a terminal and type: sudo apt-get install rkhunter

The following commands should be on your system, as rkhunter uses them to do its job better. You can check for their presence by typing <command> --help for each of the following. So for example type cat --help and if a help screen scrolls by, you know the command is installed and working. Note there are two dashes before help.

cat
sed
head
tail
stat
readlink
md5 or md5sum or sha1 or sha1sum
unhide
unhide-tcp

binutils  (This is a suite of utilities that can be installed via your package manager.)


To check the version: sudo rkhunter --version

To check for updates: sudo rkhunter --update

Before scanning for the first time, fill the rkhunter file properties database: sudo rkhunter --propupd

This creates an index of the popular system commands. If later a system update is done, a Warning might appear indicating the file was changed. However, if you have NOT done an update and a Warning appears, it might be that malicious code has replaced a command. You can re-run this command to update the database at any time, such as after doing a system update.

To actually scan the system: sudo rkhunter --check

For more information visit their site  http://rkhunter.sourceforge.net/
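The dependency check and the update/propupd/check sequence above, wrapped in a small POSIX sh script. This is an added example, not code from the original post or from the rkhunter project; the function names and the RKHUNTER_DEPS list are my own, and the baseline refresh is kept separate so it is only run when you know the system is clean (e.g. right after a system update).

```shell
#!/bin/sh
# Required helper commands from the post. Alternatives for one requirement are
# joined with "|" (the post says md5 OR md5sum OR sha1 OR sha1sum). Constructed list.
RKHUNTER_DEPS="cat sed head tail stat readlink md5|md5sum|sha1|sha1sum unhide unhide-tcp"

# have_one_of "a|b|c": succeed if at least one alternative is on PATH.
have_one_of() {
    _alts=$(printf '%s' "$1" | tr '|' ' ')
    for _cmd in $_alts; do
        command -v "$_cmd" >/dev/null 2>&1 && return 0
    done
    return 1
}

# missing_deps "list": print each requirement (as written) that is not satisfied.
missing_deps() {
    for _req in $1; do
        have_one_of "$_req" || printf '%s\n' "$_req"
    done
}

# refresh_baseline: rebuild the file-properties database. Only do this on a
# system you trust, otherwise a replaced command becomes the new "normal".
refresh_baseline() {
    sudo rkhunter --propupd
}

# run_rkhunter_scan: refuse to scan while helpers are missing, then update
# rkhunter's data files and run the check (--sk skips the press-Enter prompts).
run_rkhunter_scan() {
    _missing=$(missing_deps "$RKHUNTER_DEPS")
    if [ -n "$_missing" ]; then
        echo "Install these before scanning (and binutils):" >&2
        echo "$_missing" >&2
        return 1
    fi
    sudo rkhunter --update
    sudo rkhunter --check --sk
}
```

Run `refresh_baseline` once after installing (or after a package update), then `run_rkhunter_scan` on a schedule; a Warning about a changed command with no update in between is what deserves investigation.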

rkhunter in action.


Check Rootkit:

To install Check RootKit, open a terminal and type: sudo apt-get install chkrootkit

To check the version: sudo chkrootkit -V

To scan the system: sudo chkrootkit

That’s about it, not much to configure on this one.  http://www.chkrootkit.org/


Notes:

– If you’re running as root, and you really should NOT be, you don’t have to type ‘sudo’ before every command.

– Investigate any warnings or errors displayed. Many times they’re false positives. Errors regarding java, python and the SuckIt rootkit are not uncommon. Don’t ignore them until you’ve checked them out. Go to your favorite search engine and enter, for example, ‘chkrootkit detecting suckit rootkit’. In this example, and as you can see from the postings, it’s common for chkrootkit to falsely detect it.


* Secure the Linux Desktop:

This is just a quick check-list.

1. PC is behind a properly configured router/firewall
a. disable UPnP, telnet and non-https admin access
b. use WPA2/AES, disable Wifi Protected Setup
c. enable an admin password

2. Have a software firewall running. It’s part of Linux but not enabled by default. Gufw is a nice GUI to manage it.

3. Use reasonably strong passwords

4. Do system updates at least weekly, preferably daily

5. Disable remote desktop

6. Avoid file-sharing

7. Try to use only repositories and trusted software sources

8. Use ClamAV/ClamTK or similar anti-virus, especially if you exchange files with Windows machines

Secure the browser:

Even on a Linux machine, the browser is the most likely point of entry for malware. Use security plugins NoScript, Adblock, Ghostery, Better Privacy and HTTPS Everywhere. Also configure settings to not store passwords, deny 3rd party cookies, deny popups and clear all history on exit. Ideally, configure plug-ins to ‘ask to activate’.


— Kenn Ranous
