{"id":984,"date":"2017-06-26T05:53:35","date_gmt":"2017-06-26T02:53:35","guid":{"rendered":"https:\/\/community.virtono.com\/?p=984"},"modified":"2017-06-26T05:53:35","modified_gmt":"2017-06-26T02:53:35","slug":"malware-detection-on-your-server","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/knowledgebase\/malware-detection-on-your-server\/","title":{"rendered":"Malware Detection On Your Server"},"content":{"rendered":"<p>The term malware encompasses a large range of unwelcome software that is designed to damage a computer. A partial list of malware might, for example, include viruses, spyware, Trojan horses, and worms. The rapid proliferation of such software is enough to concern users of all levels, from novices to seasoned administrators. The impact of malware ranges from essentially harmless pranks to the theft of personal information, such as banking details, or a denial of service.<br \/>\nAlthough the level of scaremongering in the news ebbs and flows, every good sysadmin knows that there\u2019s no such thing as a completely secure system. Despite the massive number of virus and malware threats that target Windows machines, all users of Unix-type machines should remember that these threats also exist for their systems.<br \/>\nOne popular, sophisticated software package called Linux Malware Detect (LMD), from R-fx Networks (https:\/\/www.rfxn.com), helps to mitigate malware threats on Linux systems. Let\u2019s look at how you can effectively protect Linux machines against malware using the LMD package, which focuses solely on malware, unlike other, more diluted solutions.<\/p>\n<p><strong>Definition Update Frequency<\/strong><\/p>\n<p>It is critical that malware signature updates be performed frequently; in fact, your system may be vulnerable if you have missed the latest update. The architecture of the detection software itself is of little value if current threats are not detected. Fortunately, LMD pulls in updates frequently, generating its signatures from community data, user submissions, and firewall data on active malware threats.<\/p>\n<p><strong>Malware Hash Registry<\/strong><\/p>\n<p>A well-respected security website called Team Cymru provides a Malware Hash Registry (www.team-cymru.org\/MHR.html), a lookup service for checking hashes against known malware infections. According to LMD, over 30 major antivirus companies use this data to populate their databases. From the LMD website, you can see the current number of reported threats as follows:<\/p>\n<p>DETECTED KNOWN MALWARE: 1951<br \/>\n% AV DETECT (AVG): 58<br \/>\n% AV DETECT (LOW): 10<br \/>\n% AV DETECT (HIGH): 100<br \/>\nUNKNOWN MALWARE: 6931<\/p>\n<p><strong>Prevalent Threats<\/strong><\/p>\n<p>At the time of writing, LMD claims to hold 10,822 malware signatures within its database. Looking at the contents of Figure 8.1, you can see a list of the top 60 most prevalent threats within the LMD database. As you might expect, the world\u2019s most popular server-side scripting language, PHP (https:\/\/www.php.net), is a common attack vector. The powerful Perl language also features heavily.<\/p>\n<p><strong>Monitoring Filesystems<\/strong><\/p>\n<p>One modern method of watching for changes on filesystems is inotify. You need a compatible kernel for this functionality to work correctly; inotify has been included in kernels since version 2.6.13, so most Linux builds have this capability.<br \/>\nThe sophisticated inotify can monitor, in real time, both single files and entire directories for changes, alerting configured software if any changes are discovered. If a piece of userspace software is caught making changes, then inotify will consider it an event and report it immediately.<br \/>\nBy creating a watch list, inotify keeps track of a unique watch descriptor associated with each item on the list. Although inotify won\u2019t pass on details about the user or process that has changed a file or directory, the fact that a change has taken place is enough to satisfy most applications. If inotify isn\u2019t available, then the older approach of polling a filesystem or manually running scans will usually apply. When checking for changes on networked filesystems, any configured software will need to resort to polling the filesystem at a predetermined frequency, because remote filesystems are harder to keep track of.<br \/>\nUnfortunately, the pseudo filesystems, which include \/proc, \/sys, and \/dev\/pts, aren\u2019t visible to inotify. This shouldn\u2019t be of too much concern, however, because \u201creal\u201d files don\u2019t exist in these paths, but rather the ephemeral workings of a system, which change frequently.<\/p>\n<p><strong>Reporting Malware<\/strong><\/p>\n<p>You\u2019ve seen how sophisticated and well-constructed LMD is, and it should, therefore, come as no surprise that LMD provides a simple mechanism for uploading suspicious files for analysis. If they prove to be infected with an unknown variety of malware, then new signatures may be created and added to LMD\u2019s known threats in order to identify malware for other users.
The method to send files back to LMD for checking is as follows, using the --checkout feature, which is also written as the -c option:<br \/>\n# maldet -c suspicious_file.gz<br \/>\nWhen you execute this command, your file will be submitted to rfxn.com and checked in due course.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The term malware encompasses a large range of unwelcome software that is designed to damage a computer. A partial list of malware might, for example, include viruses, spyware, Trojan horses, and worms. The rapid proliferation of such software is enough to concern users of all levels, from novices to seasoned<\/p>\n","protected":false},"author":3,"featured_media":986,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[5],"tags":[],"class_list":["post-984","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/06\/What-is-Malware.jpg?fit=600%2C300&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-fS","jetpack_likes_enabled":true,"jetpack-related-posts":[]}