Can an anti-virus protect me from KillDisk, malware for Linux?


Solution 1

The email goes on to describe a piece of software that encrypts the contents of the disk and demands a ransom.

How does it do that? (of course the article does not mention that ...). From the link ...

The main encryption routine recursively traverses the following folders within the root directory up to 17 subdirectories in depth:

/boot /bin /sbin /lib/security /lib64/security /usr/local/etc /etc /mnt /share /media /home /usr /tmp /opt /var /root

According to researchers, the victim's "files are encrypted using Triple-DES applied to 4096-byte file blocks," and "each file is encrypted using a different set of 64-bit encryption keys."

We need to know how they believe they can circumvent the admin password ...

  • Does it require a sudo password?
  • Or does it attempt to brute-force the sudo password? If so how good is your password?
  • Does it require you to download this malware from the mail and run it? (...) If so... don't :-P

Best method to counter this: create regular backups and keep more than 1 backup of anything important to you. It is always possible to format a disk and reinstall and to restore a clean backup.

I feel strongly that an anti-virus is not needed on Ubuntu.

Me too! But a virus is just a small part of all malware. You also have rootkits, and crapware like what you describe above.

Is that advice now out-of-date with the advent of KillDisk?

No! That advice is the best you can get. At the moment we can consider Ubuntu Software Center free from malware. That article and similar articles I found all lack 1 bit of information: how does it actually encrypt our disks.

Solution 2

This answer will assume that the malware is actually a trojan, i.e., it revolves around the user actively running (perhaps as root) something suspicious.

There are a few reasons Linux is said to be more virus-proof than Windows. None of them are that Linux is inherently more secure than Windows. While it is true that Linux distros tend to protect operating system files much better than Windows does (though this is more thanks to Windows needing to be backwards-compatible with older software than any inherent difference), in any case that doesn't protect you from attacks against your personal files, or being part of a botnet, which are the two things that are all the rage in viruses these days.

No, the main reasons are:

  1. Much smaller user-base for possible attacks. While there have been plenty of attacks that target Linux servers, those are not amazingly relevant here, since they tend to exploit boxes that are deliberately left exposed to the internet, and so the means of exploitation are totally different. Linux on the desktop is so small a target it's usually not really worth it.

  2. Linux distros have a much stronger sense of installing software from trusted sources. You don't have to worry about Sourceforge injecting malware into your installers, or the website of an old project having been hacked and the downloads replaced with malware, because this isn't the standard place to get software from.

So, the latter is very important. If your habit is to use Ubuntu like you would use Windows - downloading software haphazardly from the web, from random sources, and trying to get them to install nicely in your distro - you're going to have a bad time. You should try to install as many things as are feasible from Ubuntu's software repositories, which are much more carefully vetted and very unlikely to contain malware. If you do need to download software from external sources, you should use as much due care and attention as a careful Windows power user would - make sure you have a reasonable way of trusting the source, and don't just blindly run commands you found on the internet without understanding what they're doing! Be especially wary of anything that requires root (sudo), but keep in mind that even things without root can do a lot of damage to things that matter.

Solution 3

Obviously, Linux is not entirely secure, but the need for anti-virus software should not arise given that security patches are downloaded regularly. Also the KillDisk ransomware has surfaced recently and is known to target only business organizations and companies hosting servers. Home Linux users should be safe as of now. More importantly, all Linux users must get to know how much difference superuser/root privileges can make, if permissions are granted to unknown, malicious programs (results can be completely undesired or even devastating). Of course, maintaining regular back-ups should not be a problem for regular users.

Solution 4

While agreeing with everyone else, basically, I just want to point out that there is a fundamental error floating here: the assumption that an anti-virus can only improve security (and hence the question being only "do I need an anti-virus or is it unnecessary").

Not only is an anti-virus probably not needed in any current GNU/Linux system, but it's very likely that any anti-virus you may find (and especially one that is advertised loudly) will be detrimental to security (either directly by having exploitable flaws if not backdoors, or indirectly by encouraging you to be more sloppy on security because you think you're protected by your anti-virus).

Solution 5

I'd say, yes, you need an anti-virus of some sort. Everyone saying that "Linux (/Ubuntu) is safe from viruses" should give this a read: http://www.geekzone.co.nz/foobar/6229 The examples in the article are for Gnome/KDE, but that's not what matters: It is very possible, it would just work a little differently on Ubuntu.

Yes, it will be significantly harder for you to get a virus in case you do all updates, just download from trusted repositories, etc. But you won't get really secure against viruses. Sure, you aren't completely safe with an anti-virus either. But it protects you on yet another layer, which is never a bad thing. Maybe there is an infected device in your network? Also, everyone makes mistakes, browses on the wrong website with JavaScript enabled, or whatever.

And ransomware in general doesn't even need special permissions to be executed: As @Jupotter pointed out, it is already a lot of damage possibility if it has default user permissions.

Author: Flimm

Updated on September 18, 2022

Comments

  • Flimm
    Flimm over 1 year

    A relative of mine has recently sent me an email. He recently came across this alarming head-line from anti-virus vendor ESET:

    KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt

    The email goes on to describe a piece of software that encrypts the contents of the disk and demands a ransom.

    My relative is alarmed and feels that surely an anti-virus is now needed.

    I feel strongly that an anti-virus is not needed on Ubuntu. Rather, I feel that the best protection for an Ubuntu user is to install security updates promptly, to keep regular backups and to only install software from trusted sources like the Ubuntu Software Centre. Is that advice now out-of-date with the advent of KillDisk?

    • David Foerster
      David Foerster over 7 years
      Don't worry. They're only asking for that much money because they're targeting institutions that can afford it. Come back in a year or two when the exploit technique has been commodified enough for wide spread and low per-infection yield of ≤1 BTC like we're seeing from other malware. If you're lucky this will never happen to Linux desktop installations because it's more economical for criminals to go after Windows and Android. ;-] Just have a recent offline back-up handy like you should anyway.
    • nneonneo
      nneonneo over 7 years
      Just looking at the code from that article a huge weakness stands out - the authors are using srand(time) and rand to generate the keys! This makes them trivially guessable (by estimating the time of attack of the virus, or just trying all ~2^24 possibilities from the last year), meaning that you should not have much to fear from this particular variant of the virus.
    • Flimm
      Flimm over 7 years
      @nneonneo To be clear, the authors of the malware have a huge weakness, not the authors of the article.
    • John U
      John U over 7 years
      Weakness of the crypto also mentioned here for further ref: bleepingcomputer.com/news/security/…
  • Jupotter
    Jupotter over 7 years
    If the virus can just encrypt the user's home directory, which is, in the end, what the user really cares about.
  • Rinzwind
    Rinzwind over 7 years
    Check the article. It clearly lists directories outside home. And it also suggests grub is being replaced. And again: not a virus. A virus implies spreading. Malware. Yes.
  • Wildcard
    Wildcard over 7 years
    @Jupotter, you still have to run the code. Unlike Microsoft, Linux doesn't automatically execute email attachments and the like.
  • Wildcard
    Wildcard over 7 years
    This is factually wrong. Antivirus software is an inverted security model. It's very clear that you come from the Windows world, also known as the "security is an afterthought" world. See the page I've just linked.
  • jpa
    jpa over 7 years
    Do you have a specific reason to expect that an anti-virus program would protect against those threats? "How to write a Linux virus" sounds like every virus will be slightly different and probably not very widespread, thus not detected by anti-virus.
  • Namnodorel
    Namnodorel over 7 years
    @Wildcard ,jpa The article I linked in my answer tackles exactly the argumentation of your article. Linux/Ubuntu is just as vulnerable against user's stupidity and "convenience stuff". An anti-virus is not just there to protect against bugs in a system that haven't been fixed already, it's also something that a) Can detect existing popular/known viruses b) Scan files for patterns which are dangerous, and c) Stand at least a bit against stupidity by warning the user of malicious files they download.
  • Rinzwind
    Rinzwind over 7 years
    "Linux/Ubuntu is just as vulnerable against user's stupidity and "convenience stuff"." Of course. If you are told to run software on your machine and it is a virus you screwed yourself (and willingly). No one will protect you from that. BUT... a virus running wild and infecting 2+ machines from different people is NOT going to happen. We do NOT all run malicious software. Nor does our system let us without our consent. There is the big difference: our system was multi-user from the beginning so has a different approach to security. Windows was not.
  • Wildcard
    Wildcard over 7 years
    Summarized: "Social engineering can get ignorant people to run destructive code." That's not a virus. And yes, I read the follow-up as well. There's a more extensive article that addresses all these points. A short excerpt: "...the Linux community would see no real distinction between novices who (as root) infect their systems, and those who accidentally type some variation on "rm -rf /" while logged in as root: Both are a result of inexperience and lack of caution. In both cases, education, attention, and experience are a 100% effective cure."
  • tangrs
    tangrs over 7 years
    @Wildcard Does KillDisk exploit any kind of known vulnerabilities within applications for code execution or does it actually require a user to run it?
  • Rinzwind
    Rinzwind over 7 years
    @tangrs it does not say. In any of the articles I found about this. As far as I can tell we need to execute a script/app/something ourselves (and provide our admin password). I consider us Ubuntu users better informed than to do that.
  • David Foerster
    David Foerster over 7 years
    @Wildcard: Not entirely true for either of the two. Neither Linux nor Windows explicitly execute e-mail attachments. However, HTML renderers and image decoders tend to have arbitrary code execution vulnerabilities which an attacker could turn into a remote code execution with an e-mail. In the past on Windows the problem just tended to be worse than on Linux because the HTML renderer was hard-wired into the OS. Also, Windows users are more trained to manually click and execute all e-mail attachments and downloaded files. On Linux it's not that simple.
  • Flimm
    Flimm over 7 years
    "That article and similar articles I found all lack 1 bit of information: how does it actually encrypt our disks. " And also how it infects a user's device in the first place.
  • Flimm
    Flimm over 7 years
    How do you know that KillDisk only targets business organisations? Why not individuals as well?
  • Flimm
    Flimm over 7 years
    That's a very good point. Some evidence would be highly welcome and earn my upvote.
  • 50calrevolver
    50calrevolver over 7 years
    In the past, KillDisk has targeted business organizations and companies. Why would a malicious person target a home user? Regular home Linux users can easily create backups and restore them and would by no means pay such huge ransoms. Now large companies face greater issues and take more time and resources while creating backups and if by any chance they are dependent on the wiped data, they would have to restore the data to avoid criminal allegations by customers and being the deadly attack it is, the only easy option would be to pay the ransom.
  • 50calrevolver
    50calrevolver over 7 years
    Also, many home users will choose to lament for a day or two and then move on with their lives instead of paying the huge ransom. KillDisk, if it is actually what sites claim it to be, is more of a high profile attack ransomware aimed at extorting money and not a fun, anarchy creating attack. If its occurrences grow, security patches will surely come raining down for all distros. Large companies cannot withstand loss of data and hence attackers target them over home users. Also, there is higher chance of further infection at large companies due to several connected networks.
  • Namnodorel
    Namnodorel over 7 years
    @Rinzwind An antivirus can protect you from that, or at least warn you. But people populating "Linux is so secure, we don't even need an AV" just make it much worse, because it makes people download and run anything because "I got Linux, nothing can happen". If every user on Windows would be well educated about how to protect themselves and what and what not to run, Windows would be completely secure. Nobody would login into an open WLAN-Hotspot without VPN, JavaScript would be disabled by default, etc. But that isn't the case, and it never will be. Just like on Linux.
  • Namnodorel
    Namnodorel over 7 years
    Also, a virus will be able to spread over multiple machines. But probably not through exploit XY, but most Windows viruses don't do that either. It will happen through social engineering. Again. An AV could flag emails immediately as "spam", "potentially dangerous", etc. and thus protect (mostly inexperienced) users from blindly tapping into a trap. And many viruses can act without your knowledge...
  • Namnodorel
    Namnodorel over 7 years
    @Rinzwind Just so we don't misunderstand each other: I don't mean to say "Linux is bad" - I really like Linux. Yes, Linux is more secure than Windows. Much more. But it is not safe. And that's why you need an AV: It won't make your system safe, but it is gonna make it more secure. And the more nines are after that 99%, the better (if we even get to 99%)
  • Rinzwind
    Rinzwind over 7 years
    Linux is as safe as can be. Out of the box. The long history of Linux and the amount of hacks of Linux boxes that did not happen due to human error are just a few. Even heartbleed was human idiocy. An AV is a waste of resources unless you want to scan for -windows- viruses. 100% (yes not a single exception) of all notices from AV up to date are bogus (ie. false positives). The problem with all AV's: they scan linux systems as if they are windows systems. When you stick to USC and do not manually install crapware you can't get crapware on your system.
  • Namnodorel
    Namnodorel over 7 years
    Without human error, there would be no virus ever possible. Every bug and exploit could've been avoided, etc. And every usual virus will use human error (/social engineering). And that is one of the most important things an AV can do: It will protect you from a number of human errors. It's much harder to not think about what you're doing when you have to remove something from quarantine with big red flashy warnings than to just have to set that bit and execute (maybe enter a password). Still, we're not talking about experts, but users. People who are inexperienced.
  • Namnodorel
    Namnodorel over 7 years
    I'd actually say the most secure machine possible would be Linux, running VMs of varying OSes for each program (Windows not excluded). The probability that you'll catch a virus on a Windows machine which manages to spread to a different VM on a different OS where you store important files is less than getting struck by lightning.
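nneonneo's comment above (keys generated with srand(time) and rand(), so only ~2^24 candidates per year) is the one concrete crypto detail on this page. The following is an added example, not code from the page or from the malware: a constructed, hypothetical key derivation of that shape, a toy XOR "cipher" standing in for the Triple-DES check on a known block, and the seed search that shows why such keys are recoverable (which is also how defenders restore files from ransomware with this flaw). The timestamp, plaintext block and function names are all constructed assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical key derivation (an assumption, not KillDisk's real routine):
 * seed libc rand() with a timestamp and pull 64 bits out of it. libc rand()
 * is fully determined by its seed, so the seed is the whole secret. */
static uint64_t weak_key_from_seed(uint32_t seed) {
    srand(seed);
    uint64_t k = 0;
    for (int i = 0; i < 4; i++)
        k = (k << 16) | (uint64_t)(rand() & 0xFFFF);
    return k;
}

/* Stand-in for "decrypt one block and compare with known plaintext". A toy
 * XOR cipher replaces Triple-DES here so the seed search stays the point. */
struct known_block { uint64_t plaintext, ciphertext; };

static int key_fits(uint64_t key, const struct known_block *kb) {
    return (kb->ciphertext ^ key) == kb->plaintext;
}

/* Every timestamp in the window is a candidate seed. A one-year window is
 * about 2^25 seeds, i.e. seconds of CPU time, which is why a time-seeded
 * rand() must never be a key source. Returns the seed, or 0 if none fits. */
static uint32_t recover_seed(const struct known_block *kb,
                             uint32_t start, uint32_t end) {
    for (uint32_t s = start; s <= end; s++) {
        if (key_fits(weak_key_from_seed(s), kb)) return s;
        if (s == UINT32_MAX) break;   /* avoid wrap-around */
    }
    return 0;
}

/* Constructed scenario: a block "encrypted" at a made-up 2017 timestamp,
 * then recovered by searching one day on either side of the guessed time. */
static uint32_t demo_recover(void) {
    const uint32_t seed = 1483228800u;               /* constructed */
    struct known_block kb = { 0x2f626f6f742f0000ull, 0 }; /* "/boot/" bytes */
    kb.ciphertext = kb.plaintext ^ weak_key_from_seed(seed);
    return recover_seed(&kb, seed - 86400u, seed + 86400u);
}
```

The same search applies to any key material derived from a low-entropy seed; the fix on the defending side is a CSPRNG such as /dev/urandom for every key, never a timestamp.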