Can an anti-virus protect me from KillDisk, malware for Linux?

A relative of mine has recently sent me an email. He recently came across this alarming headline from anti-virus vendor ESET:

KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt

The email goes on to describe a piece of software that encrypts the contents of the disk and demands a ransom.

My relative is alarmed and feels that surely an anti-virus is now needed.

I feel strongly that an anti-virus is not needed on Ubuntu. Rather, I feel that the best protection for an Ubuntu user is to install security updates promptly, to keep regular backups and to only install software from trusted sources like the Ubuntu Software Centre. Is that advice now out-of-date with the advent of KillDisk?


Solution 1:

The email goes on to describe a piece of software that encrypts the contents of the disk and demands a ransom.

How does it do that? (of course the article does not mention that ...). From the link ...

The main encryption routine recursively traverses the following folders within the root directory up to 17 subdirectories in depth:

/boot /bin /sbin /lib/security /lib64/security /usr/local/etc /etc /mnt /share /media /home /usr /tmp /opt /var /root

According to researchers, the victim's "files are encrypted using Triple-DES applied to 4096-byte file blocks," and "each file is encrypted using a different set of 64-bit encryption keys."

We need to know how they believe they can circumvent the admin password ...

  • Does it require a sudo password?
  • Or does it attempt to brute-force the sudo password? If so how good is your password?
  • Does it require you to download this malware from the mail and run it? (...) If so... don't :-P

Best method to counter this: create regular backups and keep more than 1 backup of anything important to you. It is always possible to format a disk and reinstall and to restore a clean backup.

I feel strongly that an anti-virus is not needed on Ubuntu.

Me too! But a virus is just a small part of all malware. You also have rootkits, and crapware like what you describe above.

Is that advice now out-of-date with the advent of KillDisk?

No! That advice is the best you can get. At the moment we can consider Ubuntu Software Center free from malware. That article and similar articles I found all lack 1 bit of information: how does it actually encrypt our disks.
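
To make the answer's open question ("does it need a sudo password?") concrete, here is a small script, added here and not part of the original answer or of ESET's write-up. It walks the directory list quoted above and reports which of those directories the current user can already write to without sudo, then counts the regular files under $HOME that the same user could overwrite within the 17-level depth the write-up mentions. The function names, the use of GNU find's -writable test and the choice of $HOME as the sample tree are my assumptions; the directory list and the depth are taken from the quoted text.

```shell
#!/bin/sh
# Added illustration (not from the original answer or from ESET's analysis):
# which of the directories the Linux KillDisk variant is reported to traverse
# are writable by the current user *without* sudo?

# Directory list quoted from the ESET write-up above.
KILLDISK_DIRS="/boot /bin /sbin /lib/security /lib64/security /usr/local/etc /etc /mnt /share /media /home /usr /tmp /opt /var /root"

# The write-up says the encryption routine recurses 17 subdirectory levels deep.
MAX_DEPTH=17

# For each directory given, print "<dir> writable" or "<dir> read-only"
# from the point of view of the calling user. A trojan run without root
# can only encrypt files under the "writable" ones, or under subdirectories
# the user owns (for example the user's own home below /home).
writable_targets() {
    for d in "$@"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s writable\n' "$d"
        else
            printf '%s read-only\n' "$d"
        fi
    done
}

# Count regular files under DIR that the calling user could overwrite,
# stopping at the same depth the malware does. Prints 0 for a missing
# directory. Assumes GNU findutils (for the -writable test).
at_risk_file_count() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth "$MAX_DEPTH" -type f -writable 2>/dev/null | wc -l | tr -d ' '
}

echo "Running as $(id -un) (uid $(id -u)); directories writable without sudo:"
writable_targets $KILLDISK_DIRS
echo "Regular files at risk under ${HOME:-/tmp}: $(at_risk_file_count "${HOME:-/tmp}")"
```

Run it as your everyday user, then again under sudo, and compare. Without root, /boot, /bin, /etc and friends show read-only and /home itself usually does too, but /tmp and everything under your own /home/<user> is writable, and that is where the personal files live. That is the reason the answer puts backups first: the system files a trojan cannot touch without root are the ones you can reinstall anyway.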

Solution 2:

Obviously, Linux is not entirely secure, but the need for anti-virus software should not arise given that security patches are downloaded regularly. Also, the KillDisk ransomware has surfaced recently and is known to target only business organizations and companies hosting servers. Home Linux users should be safe as of now. More importantly, all Linux users must get to know how much difference superuser/root privileges can make if permissions are granted to unknown, malicious programs (results can be completely undesired or even devastating). Of course, maintaining regular backups should not be a problem for regular users.

Solution 3:

This answer will assume that the malware is actually a trojan, i.e. it revolves around the user actively running (perhaps as root) something suspicious.

There are a few reasons Linux is said to be more virus-proof than Windows. None of them are that Linux is inherently more secure than Windows. While it is true that Linux distros tend to protect operating system files much better than Windows does (though this is more thanks to Windows needing to be backwards-compatible with older software than any inherent difference), in any case that doesn't protect you from attacks against your personal files, or being part of a botnet, which are the two things that are all the rage in viruses these days.

No, the main reasons are:

  1. Much smaller user-base for possible attacks. While there have been plenty of attacks that target Linux servers, those are not amazingly relevant here, since they tend to exploit boxes that are deliberately left exposed to the internet, and so the means of exploitation are totally different. Linux on the desktop is so small a target it's usually not really worth it.

  2. Linux distros have a much stronger sense of installing software from trusted sources. You don't have to worry about Sourceforge injecting malware into your installers, or the website of an old project having been hacked and the downloads replaced with malware, because this isn't the standard place to get software from.

So, the latter is very important. If your habit is to use Ubuntu like you would use Windows - downloading software haphazardly from the web, from random sources, and trying to get them to install nicely in your distro - you're going to have a bad time. You should try to install as many things as are feasible from Ubuntu's software repositories, which are much more carefully vetted and very unlikely to contain malware. If you do need to download software from external sources, you should use as much due care and attention as a careful Windows power user would - make sure you have a reasonable way of trusting the source, and don't just blindly run commands you found on the internet without understanding what they're doing! Be especially wary of anything that requires root (sudo), but keep in mind that even things without root can do a lot of damage to things that matter.
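
One concrete form of the "have a reasonable way of trusting the source" advice, added here as an example and not code from the original answer: when something really has to come from outside the repositories, download it to a file, check it against the checksum list the project publishes, and only then read and run it, rather than piping a download straight into a shell. The verify_download function, the SHA256SUMS file layout it expects (the format sha256sum itself produces) and the demo installer and its contents are my constructions for this illustration.

```shell
#!/bin/sh
# Added illustration (not from the original answer): before running an
# installer fetched from outside the Ubuntu repositories, verify it against
# the checksum the project publishes, instead of "curl ... | sh".
# The file names and contents below are constructed for the demo.

# verify_download FILE SUMS
# SUMS is a SHA256SUMS-style file, one "<hex>  <name>" or "<hex> *<name>"
# entry per line. Returns 0 only if FILE has an entry and its SHA-256
# matches it; a missing entry is treated as a failure, not as "unknown".
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum published for $name; refusing to run it" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name (got $actual, expected $expected)" >&2
        return 1
    fi
    return 0
}

# Demo: simulate a project publishing an installer plus its SHA256SUMS,
# then a copy that was altered after publication arriving on the user's box.
demo=$(mktemp -d)
printf '#!/bin/sh\necho "installing demo tool"\n' > "$demo/install.sh"
( cd "$demo" && sha256sum install.sh > SHA256SUMS )    # what the project publishes

if verify_download "$demo/install.sh" "$demo/SHA256SUMS"; then
    echo "install.sh matches the published checksum; read it, then run it deliberately"
fi

printf 'echo "line added after the checksum was published"\n' >> "$demo/install.sh"
verify_download "$demo/install.sh" "$demo/SHA256SUMS" || echo "altered install.sh rejected"
rm -rf "$demo"
```

Two caveats worth keeping in mind. A checksum taken from the same page as the download only proves the file was not corrupted or swapped in transit; if that page is the thing that was hacked, the checksum was changed along with the file, so fetch it over HTTPS from a location you trust independently, and prefer a GPG signature over the checksum list where the project offers one (Ubuntu signs its own SHA256SUMS for installation images in exactly this way). And a matching checksum says nothing about what the script does, so the "read it before you run it" step still applies.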