Linux-System virus prevention

Source: Internet
Author: User
Tags: squid proxy

I. History of Linux viruses

Staog, which appeared in 1996, was the first virus for the Linux system; it came from an Australian group called VLAD. Staog is written in assembly language, infects binary files specifically, and tries three methods to obtain root privileges. It does no real damage to the system and should be regarded as a demonstration, but it showed the world that Linux could be infected by viruses. The second virus found on Linux was Bliss, an experimental virus that was released by accident. Unlike other viruses, Bliss carries its own disinfection routine: running it with the "disinfect-files-please" option restores the system.

If the earliest Linux viruses were merely proofs of concept, the Ramen worm discovered in 2001 began to cause real worry. Ramen spreads automatically without human intervention, much like the Morris worm that caused so much suffering in 1988. It infects only Red Hat 6.2 and 7.0 servers running the anonymous FTP service, entering through two common vulnerabilities, in rpc.statd and wu-ftpd. On the face of it this is not a dangerous virus: it is easily detected and does nothing to damage the server. But when it starts scanning, it consumes a great deal of network bandwidth. Since 1996 only a handful of new Linux viruses have appeared, which suggests that Linux is a robust operating system with an innate resistance to viruses. Of course, there are reasons for this besides its excellent design. First, early Linux adopters were generally professionals; even today, although its user base has grown greatly, the typical user still has a good computer background and is willing to help others, and Linux experts tend to encourage newcomers in this supportive culture.

Because of this, the Linux user community tends to rely on safe practices to avoid infection. Second, youth is another reason Linux is rarely attacked by viruses: in fact every operating system, DOS and Windows included, was rarely troubled by viruses early in its life. However, in March 2001 the Global Incident Analysis Center (GIAC) of the SANS Institute in the United States found a new worm targeting computers running Linux that was spreading rapidly over the Internet and was likely to cause serious damage to users' systems. This worm, named Lion, is very similar to the Ramen worm, but it is more dangerous: Lion can send passwords and configuration files by e-mail to a domain located at china.com.

William Stearns, an engineer at the Institute for Security Technology Studies at Dartmouth College, said: "When these files are sent back to the attackers, they can enter the system again through the gap left by the first break-in." This is how it differs from the Ramen worm. In fact, Ramen is a friendly virus that closes the vulnerability it used once it has entered a system; Lion leaves the holes open and creates new ones. So if a system is infected with Lion, we cannot be absolutely sure that it is worth saving; the more reasonable choice is probably to move the data off and reformat the hard drive. "Once the computer is completely infected, the Lion virus forces it to start searching the Internet for other victims." Fewer systems have been infected by Lion than by Ramen, but the damage is much greater.

II. Virus classification under the Linux platform

The Linux operating system has long been considered a rival to Windows because it is not only secure, stable and inexpensive, but also rarely found to carry viruses. However, as more and more servers, workstations and PCs run Linux, virus writers are starting to attack the system. On Linux, whether on a server or a workstation, security and permission control are relatively strong; this is mainly due to its excellent technical design, which makes the system hard to bring down and hard to misuse. After more than 20 years of development and refinement UNIX has become very robust, and Linux has largely inherited its advantages. In Linux, a malicious program that is not running as the superuser finds it hard to get at system files. This is not to say that Linux is invulnerable, of course: viruses are inherently binary executable programs. Malicious programs such as Slammer, Blaster, Sobig, Mimail and Win32.Xorala do not damage a Linux server, but the server can pass them on to the Windows computers that access it.

Viruses on the Linux platform fall broadly into the following categories:

Executable file viruses

Executable file viruses parasitize a host file and mainly infect files. It is easy for virus writers to infect ELF files, whatever tool they use, whether assembly language or C. The representative virus in this category is Lindose.

Worm viruses

After the Morris worm outbreak of 1988, Eugene H. Spafford gave a technical definition to distinguish worms from viruses: a computer worm can run on its own and can propagate a complete, fully functional copy of itself to another computer. On the Linux platform worms are rampant; Ramen, Lion and Slapper, for example, exploit system vulnerabilities to infect large numbers of Linux systems, causing huge losses.

Script viruses

Far more viruses are written in the shell scripting language. Such viruses are simpler to write, but the damage is just as shocking. There are many script files ending in .sh on a Linux system, and a shell script of a few dozen lines can traverse and infect every script file on the whole disk in a short time.
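A defender's counterpart to the scenario above, added here as an example that is not part of the original article: because a script virus that rewrites .sh files must change their contents, a recorded hash baseline reveals every modified, deleted or newly dropped script. The baseline file name and the temporary directory used by the demonstration are assumptions, and the script relies on GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not part of the original article: baseline-and-verify check
# for shell scripts. A script virus that rewrites *.sh files changes their
# hashes, so comparing against a recorded baseline reveals modified, deleted
# and newly dropped scripts. Baseline location is an assumption; needs GNU
# coreutils sha256sum.

# build_script_baseline DIR BASELINE
#   Records "hash  path" for every *.sh file under DIR. Use an absolute DIR,
#   because sha256sum --check resolves paths relative to the current directory.
build_script_baseline() {
    find "$1" -type f -name '*.sh' -exec sha256sum {} + | sort -k 2 > "$2"
}

# verify_script_baseline DIR BASELINE
#   Prints CHANGED:, MISSING: and NEW: lines; returns 0 only when the scripts
#   under DIR exactly match the baseline.
verify_script_baseline() {
    dir=$1; baseline=$2
    report=$(
        # Recorded scripts that changed or disappeared: sha256sum re-checks
        # every baseline line and reports mismatches as FAILED.
        sha256sum --check --quiet "$baseline" 2>&1 \
            | sed -n -e 's/^\(.*\): FAILED open or read$/MISSING: \1/p' \
                     -e 's/^\(.*\): FAILED$/CHANGED: \1/p'
        # Scripts present now but absent from the baseline (a dropped file).
        find "$dir" -type f -name '*.sh' | while read -r path; do
            awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$baseline" \
                || echo "NEW: $path"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone demonstration with constructed, harmless scripts in a temp dir:
# one script is appended to, one is removed and one new script is dropped.
demo_script_baseline() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho nightly backup\n' > "$work/backup.sh"
    printf '#!/bin/sh\necho log rotation\n' > "$work/rotate.sh"
    build_script_baseline "$work" "$work/baseline.sha256"
    echo 'echo appended by the tampering simulation' >> "$work/backup.sh"
    printf '#!/bin/sh\necho dropped\n' > "$work/new.sh"
    rm "$work/rotate.sh"
    echo "== report for $work =="
    verify_script_baseline "$work" "$work/baseline.sha256"
    rm -rf "$work"
}
demo_script_baseline
```

In use, the baseline would be built once after a known-good install or upgrade and stored somewhere the scripts' owner cannot write (read-only media or a separate host), then verified from cron; paths containing spaces are not handled by this simple version.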

Backdoor programs

Under the broad definition of a virus, backdoors are included in the virus category. The backdoor, an intruder's weapon that is very active on Windows systems, is just as active on the Linux platform. From the simple backdoor that adds a superuser account, through loading as a system service, shared library injection and rootkit toolkits, to kernel modules (LKMs), backdoor technology on Linux is mature, well hidden and hard to clean up. This is a serious headache for Linux system administrators.
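Three of the techniques just listed leave traces an administrator can check for directly, and the following script, added here as an example that is not from the original article, shows those checks: an extra UID-0 account in the passwd file, libraries listed in ld.so.preload (the shared library injection point), and a loaded kernel module that is not on an expected list. Each function reads a file in the real system file's format so it can be run against constructed copies; the default paths are the live ones, while the finding labels, the allowlist format and the argument convention are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audits for three backdoor
# techniques (planted UID-0 account, ld.so.preload injection, unexpected
# kernel module). Labels, allowlist format and arguments are assumptions.

# extra_uid0_accounts [PASSWD]
#   Any account other than root with UID 0 has root's power; print them.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# preload_entries [PRELOAD]
#   Libraries in ld.so.preload are injected into every dynamically linked
#   process; on most hosts the file should be absent or empty. Prints entries.
preload_entries() {
    f=${1:-/etc/ld.so.preload}
    [ -r "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$f" || true
}

# modules_not_in_allowlist MODULES ALLOWLIST
#   MODULES is saved lsmod output (header line, module name in column 1);
#   ALLOWLIST has one expected module name per line. Prints unlisted modules.
modules_not_in_allowlist() {
    awk 'FILENAME == ARGV[1] { ok[$1] = 1; next }
         FNR > 1 && !($1 in ok) { print $1 }' "$2" "$1"
}

# audit_backdoors [PASSWD] [PRELOAD] [MODULES] [ALLOWLIST]
#   Runs all checks, prints one labelled line per finding, returns 1 if any.
#   The module check runs only when both MODULES and ALLOWLIST are given.
audit_backdoors() {
    findings=$(
        extra_uid0_accounts "${1:-/etc/passwd}" | sed 's/^/UID0-ACCOUNT: /'
        preload_entries "${2:-/etc/ld.so.preload}" | sed 's/^/LD-PRELOAD: /'
        if [ -n "${3:-}" ] && [ -r "${4:-}" ]; then
            modules_not_in_allowlist "$3" "$4" | sed 's/^/UNLISTED-MODULE: /'
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no findings"
    return 0
}

# Stand-alone run against the live host. For the module check, save
# "lsmod > modules.txt" and pass it with an allowlist as arguments 1 and 2.
audit_backdoors /etc/passwd /etc/ld.so.preload "${1:-}" "${2:-}" \
    || echo "review the findings above"
```

The allowlist is best generated from a freshly installed host of the same build and kept off the audited machine; a rootkit that hides its module from lsmod will not appear here, which is why the text also recommends a dedicated tool such as chkrootkit.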

III. Prevention and control of Linux viruses

From the introduction above it can be seen that, overall, computer viruses do relatively little harm to Linux systems. But for various reasons, enterprise deployments often have Linux and Windows coexisting in a heterogeneous network, mostly with Linux and UNIX on the server side and Windows on the desktop. The Linux antivirus strategy is therefore divided into two parts: a prevention strategy for Linux itself (servers, and computers that use it as a desktop) and a prevention strategy for Windows systems served by a Linux back end. Antivirus software for Linux likewise falls into two groups, open source and commercial.

Virus prevention strategies for Linux itself (servers, and computers that use it as a desktop)

Executable file viruses, worms and script viruses can basically be prevented by installing GPL antivirus software. The server side can use AntiVir (http://www.hbedv.com/) to scan for viruses; it works at the command line and consumes few system resources when running. Desktop users can choose TkAntivir (http://www.sebastian-geiges.de/tkantivir/), which is written in Tcl/Tk and runs under any X Window environment, such as KDE or GNOME.

For backdoor protection you can use LIDS (http://www.lids.org/) and chkrootkit (http://www.chkrootkit.org/). LIDS is a Linux kernel patch plus a system administrator tool (lidsadm) that hardens the Linux kernel to protect important files in the /dev/ directory. chkrootkit examines the system's logs and files to see whether any malicious program has intruded, looking for the signatures associated with different malicious programs. The latest version, chkrootkit 0.45, can detect sniffers, Trojans, worms, rootkits and over 100 other kinds of malware.

In addition, most of the software run on Linux servers is open source and under constant upgrade, with stable and test versions appearing alternately. On www.apache.org and similar sites, the latest changelogs carry words such as "Bug fix" and "Security bug fix". The Linux system administrator should therefore keep an eye on the relevant sites' bug fixes and upgrades, upgrade or apply patches promptly, and not trust to luck. As a well-known saying goes: "Your server may well be taken over by hackers the next day."

Virus protection policy for Windows systems that use a Linux server back end

Many enterprises connect to the Internet through a proxy server. Users' Windows systems are susceptible to viruses when browsing HTTP web pages and downloading files, so a virus filter can be placed on the proxy server to scan the web pages users browse. When a user is found to be visiting an infected page, the proxy server blocks the virus: it drops the request carrying the virus, blocks the unsafe process within the proxy server, and prevents the virus-laden data from being delivered to the client computer. Squid is a very good proxy server, but it has no virus-filtering function of its own; consider using HAVP (http://www.server-side.de/), a Linux-based virus-filtering proxy developed by German open source enthusiasts.

HAVP can be used on its own or chained with Squid to add virus filtering to a Squid proxy server.
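As an added example, not code from the article or from the Squid or HAVP projects, the script below writes the two configuration fragments for the chained arrangement with Squid in front and HAVP as its parent proxy, then checks that they agree. It assumes HAVP listens on 127.0.0.1:8080 and scans with the ClamAV library; the Squid lines use the standard cache_peer and never_direct directives, and the HAVP lines follow havp.conf's KEY value style with the PORT, BIND_ADDRESS and ENABLECLAMLIB keys.

```shell
#!/bin/sh
# Added example, not from the original article or the Squid/HAVP projects:
# writes the fragments that chain Squid in front of HAVP so every object Squid
# fetches passes through the scanner before it is cached or delivered.
# Assumptions: HAVP on 127.0.0.1:8080, scanning with libclamav.

HAVP_HOST=127.0.0.1
HAVP_PORT=8080

# write_squid_peer OUTFILE
#   Squid side: declare HAVP as the only parent and forbid direct fetches, so a
#   cache miss can never bypass the scanner.
write_squid_peer() {
    cat > "$1" <<EOF
# Forward every miss to HAVP: no ICP queries, no cache digests, plain HTTP parent.
cache_peer $HAVP_HOST parent $HAVP_PORT 0 no-query no-digest no-netdb-exchange default
# Without this line Squid fetches directly when the peer is down or for
# uncached requests, silently skipping virus scanning.
never_direct allow all
EOF
}

# write_havp_listener OUTFILE
#   HAVP side: listen only on loopback for Squid, scan with libclamav.
write_havp_listener() {
    cat > "$1" <<EOF
PORT $HAVP_PORT
BIND_ADDRESS $HAVP_HOST
ENABLECLAMLIB true
EOF
}

# check_chain SQUID_FRAGMENT HAVP_FRAGMENT
#   Returns 0 only if Squid's parent is the address HAVP binds to and Squid is
#   forbidden from going direct; catches the two most common chaining mistakes.
check_chain() {
    peer=$(awk '$1 == "cache_peer" { print $2 ":" $4 }' "$1")
    listen=$(awk '$1 == "BIND_ADDRESS" { h = $2 } $1 == "PORT" { p = $2 }
                  END { print h ":" p }' "$2")
    [ "$peer" = "$listen" ] || return 1
    grep -q '^never_direct allow all' "$1"
}

# Stand-alone run: write both fragments into a temp dir and verify them.
out=$(mktemp -d)
write_squid_peer "$out/squid-havp.conf"
write_havp_listener "$out/havp-listen.conf"
check_chain "$out/squid-havp.conf" "$out/havp-listen.conf" \
    && echo "fragments in $out are consistent"
```

The fragments are meant to be appended to the installed squid.conf and havp.conf (paths vary by distribution), after which both daemons are restarted; the never_direct line is the part most often forgotten, and without it a scanner outage or an uncacheable request quietly turns into an unscanned download.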

Providing mail services is an important application of Linux servers, and ClamAV (http://www.clamwin.com/) can be used to protect against viruses. ClamAV's full name is Clam AntiVirus; like Linux, it emphasizes open program code and free licensing. ClamAV can now detect more than 80,000 viruses, worms and Trojans, and its database can be updated at any time: its virus experts around the world update and maintain the virus database around the clock, anyone who finds a suspicious virus can contact them at any time, and the virus signatures are updated immediately. In this way, mail servers on the network that use ClamAV obtain the latest protection in a very short time.

The above mainly covers open source software; the commercial antivirus vendors Trend Micro, Network Associates, Data Fellows and Sophos also have Linux versions of their virus scanners. In addition, with the development of Linux in China, many familiar domestic software vendors (Rising and others) have also launched Linux virus protection software.

User protection

Compared with Windows viruses, Linux viruses are almost negligible in number, but their creators have not stopped: many of them are hackers proficient in writing code, and the vulnerabilities that Linux itself inevitably has are likely to be exploited by them to write all kinds of new Linux viruses. Although Linux viruses have not yet flooded in, if users have no concept of prevention, an outbreak of a Linux virus is likely to have serious consequences. Linux users should therefore pay attention to the Linux virus problem early. Finally, the author's suggestions for preventing viruses on the Linux platform are summarized below, for reference only:
(1) Do a good job of system hardening.
(2) Pay attention to security bulletins and fix vulnerabilities promptly.
(3) Do not use root privileges for daily operation.
(4) Do not casually install device drivers of unknown origin.
(5) Do not run unknown executable programs or scripts on important servers.
(6) Install antivirus software wherever possible and update the virus signature database regularly.
(7) For Linux servers connected to the Internet, regularly scan for Linux viruses, worms and Trojans.
(8) For Linux servers that provide file services, it is a good idea to deploy software that can detect both Windows and Linux viruses.
(9) For Linux servers that provide mail services, it is best to use an e-mail virus scanner.
In short, there are many ways to guard against viruses on Linux, but it is not uncommon for Linux viruses to be taken lightly.


Reference: http://os.51cto.com/art/201205/336907.htm


This article comes from the blog "Ricky's blog"; please be sure to keep this source: http://57388.blog.51cto.com/47388/1555087
