
The term malware encompasses a large range of unwelcome software that is designed to damage a computer. A partial list of malware might, for example, include viruses, spyware, Trojan horses, and worms. The rapid proliferation of such software is enough to concern users of all levels, from novices to seasoned administrators. The impact of malware ranges from essentially harmless pranks to the theft of personal information, such as banking details, or a denial of service.
Although the level of scaremongering in the news ebbs and flows, every good sysadmin knows that there’s no such thing as a completely secure system. Despite the massive number of virus and malware threats that target Windows machines, all users of Unix-type machines should remember that these threats also exist for their systems.
One popular, sophisticated software package called Linux Malware Detect (LMD), from R-fx Networks (https://www.rfxn.com), helps to mitigate malware threats on Linux systems. Let’s look at how you can effectively protect Linux machines against malware using the LMD package, which only focuses on malware, unlike other more diluted solutions.

Definition Update Frequency

It is critical that malware signature updates be performed frequently; in fact, your system may be vulnerable if you have missed the latest update. The architecture of the detection software itself is of little value if current threats are not detected. Fortunately, LMD frequently pulls in updates from community data, user submissions, and firewall data on active malware threats, and generates its signatures from them.

Malware Hash Registry

A well-respected security website called Team Cymru provides a Malware Hash Registry (www.team-cymru.org/MHR.html), which provides a lookup service to compare malware infections. According to LMD, over 30 major antivirus companies use this data to populate their databases. From the LMD website, you can see the current number of reported threats as follows:
DETECTED KNOWN MALWARE: 1951
% AV DETECT (AVG): 58
% AV DETECT (LOW): 10
% AV DETECT (HIGH): 100
UNKNOWN MALWARE: 6931

Prevalent Threats

At the time of writing, LMD claims to hold 10,822 malware signatures within its database. Looking at the contents of Figure 8.1, you can see a list of the top 60 most prevalent threats within the LMD database. As you might expect, the world’s most popular server-side scripting language, PHP (https://www.php.net), is a common attack vector. The powerful Perl language also features heavily.

Monitoring Filesystems

One modern method of watching for changes on filesystems is by using inotify. You need a compatible kernel for this functionality to work correctly. Fear not, because inotify is reportedly included in kernels from version 2.6.13 and after, so most Linux builds will have this capability.
The sophisticated inotify can monitor, in real time, both single files and entire directories for changes, alerting configured software if any changes are discovered. If a piece of userspace software is caught making changes, then inotify will consider it an event and report it immediately.
By creating a watch list, inotify keeps track of a unique watch descriptor that it associates with each item on that list. Although inotify won't pass on details about the user or process that has changed a file or directory, the fact that a change has taken place is enough to satisfy most applications. If inotify isn't available, then the older approach of polling a filesystem or manually running scans will usually apply. In the case of checking for changes on networked filesystems, any configured software will need to resort to polling the filesystem at a predetermined frequency, because remote filesystems are harder to keep track of.
Unfortunately, the pseudo filesystems, which include /proc, /sys, and /dev/pts, aren't visible to inotify. This shouldn't be of too much concern, however, because "real" files don't exist in these paths, but rather the ephemeral workings of a system, which change frequently.
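As an added illustration of the inotify behaviour described above (example code, not part of the article or of LMD), the following C program sets one watch on a temporary directory, drops a constructed sample file into it, and reports which events the kernel delivered for that name; the names watch_and_trigger and run_demo are hypothetical.

```c
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <unistd.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Hypothetical helper (not LMD code): watch `dir`, write `fname` into it to trigger a
 * change, and return the inotify mask seen for that name (0 if nothing arrives in time). */
unsigned int watch_and_trigger(const char *dir, const char *fname, int timeout_ms)
{
    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0) return 0;
    /* One watch descriptor per watched item; a scanner wants new and changed files */
    int wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MODIFY | IN_MOVED_TO);
    if (wd < 0) { close(fd); return 0; }
    /* Simulate a userspace process dropping a constructed file into the watched directory */
    char path[PATH_MAX]; snprintf(path, sizeof path, "%s/%s", dir, fname);
    FILE *f = fopen(path, "w");
    if (f) { fputs("constructed sample content\n", f); fclose(f); }
    unsigned int seen = 0;
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    while (poll(&pfd, 1, timeout_ms) > 0) {   /* wait once, then drain the queue */
        ssize_t len = read(fd, buf, sizeof buf);
        if (len <= 0) break;
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            /* ev->wd says which watch fired; ev->name is relative to that directory.
             * No field identifies the user or process that made the change. */
            if (ev->wd == wd && ev->len && strcmp(ev->name, fname) == 0) seen |= ev->mask;
            p += sizeof *ev + ev->len;
        }
        timeout_ms = 0;
    }
    unlink(path); inotify_rm_watch(fd, wd); close(fd);
    return seen;
}

/* Run the demo in a fresh temporary directory and return the observed mask. */
unsigned int run_demo(void)
{
    char dir[] = "/tmp/inotify_demo_XXXXXX";
    if (!mkdtemp(dir)) return 0;
    unsigned int m = watch_and_trigger(dir, "dropped.php", 1000);
    rmdir(dir); return m;
}
int main(void) { printf("mask=0x%x\n", run_demo()); return 0; }
```

Pointed at an NFS mount, the same watch only sees changes made through that mount, which is why scanners fall back to polling for remote filesystems.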

Reporting Malware

You’ve seen how sophisticated and well-constructed LMD is, and it should, therefore, come as no surprise that LMD provides a simple mechanism for uploading suspicious files for analysis. If they prove to be infected with an unknown variety of malware, then new signatures may be created and added to LMD’s known threats in order to identify the malware for other users. The method to send files back to LMD for checking is as follows, using the --checkout feature, which is also written as the -c option:
# maldet -c suspicious_file.gz
When you execute this command, your file will be submitted to rfxn.com and checked in due course.
