Meet Linux Viruses

Conventional wisdom holds that Linux viruses do not exist. Many Linux users may be surprised to learn that they do, though not in the wild, and in numbers so small (compared with other operating systems) that they can be counted on your fingers. This post introduces some of the popular Linux viruses detected to date, so that you have the facts and can improve your security.

The Linux operating system is generally thought of as “virus proof”. It is indeed a very secure operating system, but to think that Linux viruses do not exist, or that Linux is virus-proof, is overly naïve. Researchers have shown that native ELF Linux viruses are technically possible. So far, Linux viruses are either prependers or regular file infectors that change the entry point and alter the actual host code. We have compiled the list of prominent Linux viruses seen to date. Let’s look at the viruses and the risk they pose.

Alaeda (Virus.Linux.Alaeda)
Shown in: 2003
Risk Level: low
Wild Level: low
Platform: Linux
Threat Description: Alaeda is a non-resident virus that infects ELF format files in the current directory on a system running Linux. [ELF, short for Executable and Linkable Format, is the most commonly used Linux file type. ELF supports 32- as well as 64-bit objects.] Before infecting, the victim machine will be checked to see if it can be infected. The .text section of the file to be infected must be of a minimum size for the malicious code to be injected. Once the virus infects the file, it modifies the entry point of the original file (in the file’s ELF header), consequently transferring control to the infection routine.

Badbunny (Perl.Badbunny)
Shown in: 2007
Risk Level: low
Wild Level: low
Platform: Linux, Windows
Threat Description: Badbunny is the first worm that specifically targets the open-source office package OpenOffice. It displayed a pornographic picture of a man in a bunny suit with a woman in a forest. “A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems,” according to a Symantec Security Response advisory. “Be cautious when handling OpenOffice files from unknown sources.”

Shown in: 2002
Risk Level: low, non-destructive ELF executable virus
Wild Level: low
Platform: Unix
Threat Description: Linux.OSF.8759 is a virus with backdoor capabilities that replicates on Linux systems and infects ELF executables. Once executed, it infects all files in the current directory. Thanks to user privileges on Linux systems, the virus is practically non-destructive; however, if run from a root account, the virus will attempt to infect the files in the “/bin” system directory along with the current directory, which can cause some trouble. In all cases no more than 201 files are infected in one run.

Vit virus (Virus.Linux.Vit.4096)
Shown in: 1999
Risk Level: low for Linux users
Wild Level: low
Platforms: Unix, Linux, Windows and MS-DOS
Threat Description: The Vit virus is one of the popular cross-platform viruses; it is a non-memory-resident parasitic virus. The virus has the internal ELF format, replicates under the Linux OS and infects Linux executable files. Vit is the second known virus for the Linux operating system after “Linux.Bliss”. The virus can only infect the files and directories that are declared “writable” for the current username, owing to the tight security (i.e. access protection) of Linux. Nonetheless, if the current username has total access (system administrator, which is rare), the virus will infect all the files on a computer. As an average user does not have root access, the virus has a minimal risk level.

Shown in: 1996
Risk Level: low
Wild Level: low (It has not been detected in the wild since its initial outbreak)
Platforms: Linux
Threat Description: Staog was the first virus written specifically for systems running Linux. The virus operated by exploiting vulnerabilities in the kernel that allowed it to stay resident in memory. While residing in memory, it infected executable binary files. The virus’s functionality depended upon bugs that were immediately fixed by software upgrades. Staog also replicated itself inefficiently. The virus was written by VLAD, a well-known Australia-based group from the hacking community that was also known for writing Boza, the first known Windows 95 virus.

Shown in: February 1997
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description: Bliss is the first computer virus that is known to infect Linux systems. The Bliss virus is thought to have been written to prove that Linux is not virus-proof and that it can be infected. Bliss immediately gained popularity, not because it caused any damage to Linux systems, but because at the time it was conventionally thought that Linux was virus-proof. When executed, Bliss attaches itself to Linux executable files, rendering the files unable to execute, which draws the user’s attention immediately. Mainly because the virus does not propagate very effectively (thanks to Linux’s user privilege system), Bliss never became widespread. To date, Bliss remains chiefly a research curiosity. The classification of the virus is controversial, and it is often confused with a worm or Trojan. Debian still registers itself as being vulnerable to this virus; nevertheless, the risk is minimal.

Shown in: 2000
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description: This is a harmless non-memory-resident parasitic Linux virus. It is very small for a Linux virus: just about 341 bytes (in the known virus version).

Shown in: 2001
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description: This is a harmless Linux virus affecting ZIP archives. When the virus is activated, it searches for ZIP archives located in the current directory and adds copies of itself to them. The virus files in the archives have one of five possible names:
>Ten motives why linux sux!
>Why Windows is superior to Linux!
>Is Linux for you? Never!
>Is Linux immune to virus? NO!

Satyr (Virus.Linux.Satyr.a)
Shown in: 2001
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description: This is a harmless non-memory-resident parasitic Linux virus. The virus targets Linux executable modules (ELF files): it searches for other ELF files in the system and then infects them.

Ramen virus (Ramen worm)
Shown in: 2001
Risk Level: low
Wild Level: low
Platforms: Linux (Red Hat)
Threat Description: Ramen affects systems running default installations of Red Hat Linux 6.2 and 7.0. Its nature is complex: it is widely, and incorrectly, known as a virus when it is in fact a worm, as it spreads via computer networks. It attempts to infect the system by exploiting three known security vulnerabilities in the wu-ftpd, rpc.statd and lpd services, and spreads through a brute-force technique. First, it replaces all “index.html” pages on the system, including those of the web server, with a page that contains the following text.

Shown in: 2010
Risk Level: low
Wild Level: low
Platforms: Windows, Mac and Linux
Threat Description: The Koobface virus became immensely popular; it spreads through social networking sites and targets platforms like Windows, Mac and even Linux computers. Once it has infected a machine, the virus attempts to gather login information for FTP and social networking sites. Once your password has been compromised, the virus sends an infected message to all of your friends in your social network.

Shown in: 2006
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description: Linux.Backdoor.Kaiten is a Trojan horse that opens a back door on the compromised computer.

Shown in: 2003
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description: Rike is a virtually harmless non-memory-resident parasitic virus of just about 1627 bytes, written in assembly language. Before infecting, Rike searches for Linux executable files in the current directory; once it finds its prey, it writes itself to the middle of the file, consequently increasing the size of the last section. The virus then writes itself to the free space and inserts a jump command at the entry point address. The virus writes its label to the ELF header. The label is the string “RIKE”.
Most of these viruses target ELF files.

As Linux is open source, the documented ELF file format might increase virus risk.
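
A baseline comparison that checks an ELF file for the changes described above for Alaeda (modified entry point) and Rike (jump written at the entry point, enlarged last section, “RIKE” label in the ELF header). This is an added example, not code from the original post; the function names, the 8-byte window at the entry point, the reading of “last section” as the last section-header entry, and the constructed sample image (including where it places the label) are assumptions.

```python
import struct

EHDR = {1: "<16sHHIIIIIHHHHHH", 2: "<16sHHIQQQIHHHHHH"}  # ELF32 / ELF64 file header
SHDR = {1: "<10I", 2: "<IIQQQQIIQQ"}                      # ELF32 / ELF64 section header

def fingerprint(data):
    """Record the fields the descriptions above say an infector alters."""
    if data[:4] != b"\x7fELF" or data[4] not in EHDR or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    cls = data[4]
    hdr = struct.unpack_from(EHDR[cls], data)
    entry, shoff, shentsize, shnum = hdr[4], hdr[6], hdr[11], hdr[12]
    secs = [struct.unpack_from(SHDR[cls], data, shoff + i * shentsize)
            for i in range(shnum)]
    code = b""
    for s in secs:  # s[2]=flags, s[3]=address, s[4]=file offset, s[5]=size
        if s[2] & 0x2 and s[3] <= entry < s[3] + s[5]:  # 0x2 = SHF_ALLOC
            start = s[4] + entry - s[3]
            code = data[start:start + 8]
    # Assumption: "last section" means the last section header table entry.
    return {"entry": entry, "entry_bytes": code,
            "last_size": secs[-1][5] if secs else 0,
            "header": data[:struct.calcsize(EHDR[cls])]}

def compare(baseline, current, marker=b"RIKE"):
    """List how a file differs from its known-good fingerprint."""
    findings = []
    if current["entry"] != baseline["entry"]:
        findings.append("entry point changed")
    if current["entry_bytes"] != baseline["entry_bytes"]:
        findings.append("code at entry point changed")
    if current["last_size"] > baseline["last_size"]:
        findings.append("last section grew")
    if marker in current["header"] and marker not in baseline["header"]:
        findings.append("marker string in ELF header")
    return findings

def sample(entry=0x1000, code=b"\x90" * 8, last=4, pad=b"\0" * 7):
    """Constructed two-section ELF64 image, used only to exercise the checks."""
    ident = b"\x7fELF\x02\x01\x01\x00\x00" + pad  # pad = unused e_ident bytes
    body = code + b"D" * last
    hdr = struct.pack(EHDR[2], ident, 2, 62, 1, entry, 0, 64 + len(body), 0, 64, 0, 0, 64, 2, 0)
    text = struct.pack(SHDR[2], 0, 1, 0x6, 0x1000, 64, len(code), 0, 0, 1, 0)
    data = struct.pack(SHDR[2], 0, 1, 0x3, 0x2000, 64 + len(code), last, 0, 0, 1, 0)
    return hdr + body + text + data

clean = fingerprint(sample())
changed = sample(code=b"\xe9" + b"\x90" * 7, last=20, pad=b"RIKE\0\0\0")
print(compare(clean, fingerprint(changed)))
```

In practice the baseline fingerprint would be taken from a known-good copy of each binary, such as one extracted from the distribution package.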
So, viruses for Linux are not non-existent entities; they exist, but thankfully the risk posed by these viruses is minimal, in fact negligible in most cases. This is why we say Linux is virus-proof; by that we mean Linux has a very strong architecture. However, it is always good practice to watch closely the content you browse on the internet, and your attachments and downloads. Also, as Linux gains popularity, it is quite possible that hackers will put more and more effort into finding vulnerabilities in the system. Therefore, having an infection checker installed won’t do any harm!

In his book “Online!” John Dvorak (American technology columnist), says that “Linux cannot be absolutely immune to viruses. Even if Linux’s non-susceptibility seems to be absolute there is no guaranteeing that tomorrow…someone won’t find a tiny hole to push an elephant through. ”

Note: The post only lists popular Linux viruses. A more populated list can be found here
Reference: All the virus definitions have been taken from

  • David

    Thanks. Was a good read

  • Mari

    Before reading this post, I thought we only had 3 or 4 viruses, wow.. we have 13 :D.

    Honestly I’m not worried about viruses, but I worry more about third-party community repositories. How do we know if a script on a community website like :, *, cinnamon-spice, etc. is secure or not? The good thing is they usually release their code as open source (right?), so everyone can see the code. But afaik there is no official reviewer.
    In the future I’m afraid some bad guys start to include keylogger or something like that in their script.

    (yeah..  sorry for my bad grammar)

  • Bill

    Was very interesting, but disappointing that the “Threat Description” section was incomplete. How can a description end with “contains the following text.”. What following text? There was none.

  • Ayesha-ahmad

    Due to a technical issue the image “containing the text” wasn’t showing. I have updated the image. Thank you for pointing it out.

  • Wendell Anderson

    If most readers had noticed most of these so-called Linux viruses – which do not apply to general Linux using public, but some esoteric experiment are dated between 1999 and 2007.

    Since the Linux kernel, the gcc system, the file systems – from ext2 to btrfs, and other critical components have changed considerably or even been re-invented, the article is bogus.

    Furthermore, as each distribution keeps user space files in different places with varying file system arrangements – one using /usr/lib and another using /usr/local/lib, etc. the feasibility of such viruses infecting Linux further diminishes.

    I am fully aware of and accept that malware does exist that could possibly devastate many Linux based machines at some point – although not for very long, but I reject crap of  such point taken by writer.

    Fortunately those “knowledgeable” about Linux – as opposed to Microsofties who are generally quite ignorant about Windows internals – pass over this dribble.

  • Bill

    You’re welcome and thanks for the blog post. It was a good read.

  • Amir6723

    all of them are nearly harmless! Linux is generally secure. more than 17.7 million windows viruses vs 13 linux viruses!! good job Microsoft!

  • Bpcomp

    “contains the following text.” was an image that showed a simple webpage with a small amount of text.

  • Legion

     Linux is made by hackers and they already find vulnerabilities and fix them quick.
    Just look at videos from Defcon to see attack vectors on Linux, without malware.

  • shadowguy14

    I love how the risk level is low. That’s why I like Linux

  • Qwert

    Not Microsoft’s fault, you know that.

  • James

    Linux does tend to be secure. With open source, more people are looking at code more often. That does not mean Linux is invulnerable. Servers, which are targets, run anti virus in general. For the desktop user, the problem will come from third party applications, web browsers, flash, and other add-ons. Personally I would like to see Linux developers partner more closely with anti-virus companies. I know Avast and Micro-trend offer free Linux anti virus programs. To me Clam AV has a ways to go, but someone in the community will pick up virus protection if it is needed.

  • Corfy

    I’ve always said that Linux is “malware resistant”. I don’t believe any operating system can be completely free of malware, especially trojans (which often are the fault of the user installing something they shouldn’t, not a problem with the OS itself). But I’ve been happily using Linux for seven years and never had an infection (I do run scans, but the only malware I ever found on my system was on a couple of attachments to emails that were sitting in my spam folder).

  • Vanessa Deagan

    I’m just waiting for someone to jump in with the “…it’s only because of market penetration…” argument.

  • Neticis

    In general, when a security hole is found, an arms race is started. Good guys start patching the system, bad guys start writing a virus for it. In the open source ecosystem good guys have superiority, as code is available to anyone, but in closed source only a few in the company can do it.
    So, for Linux or BSD (or any other open source operating system) patches tend to appear much earlier than viruses for a particular vulnerability, but for closed source systems (Windows, MacOS) — vice versa.
    All described viruses can live only in greenhouses, where old unpatched Linuxen are fed to them, not in real wild life.

  • Notreal

    What are you talking about? They are the ones who don’t patch their software… How is it /not/ their fault?

  • Nom

    … The newest one listed here is 2007, and the posting date is 2012. Someone call Doc!!! The Author is stuck in 2007, we have to save him!

    Also, why is there a screen shot of `internet explorer’ as an example of a Linux Virus… Is this entire post a bad joke? Or am I being too critical when I expected to read about ACTIVE Linux viruses… that you know, infect Linux?

  • Steve Ballmer

    Not Microsoft’s fault that their OS is vulnerable to 17.7 million viruses and the same is not true of Linux? Linux OS must just be lucky.

  • Panos Georgiadis

    If you don’t update your system regularly, then you are doomed, either Linux, MS or OSX.

  • brentrbrian

    The biggest linux virus is behind the keyboard.  

  • JD

    It’s not like that. The Linux community is more robust and thinks out of the box more than those couch potatoes.

  • Name

    It seemed to be talking about a virus that targeted websites powered by red hat, so the author showed it in a browser. and for some reason, decided internet explorer was good.

  • linuxLover

    There are anti-virus programs for Linux… they remove Windows viruses to prevent spreading them to other Windows computers. Isn’t that sweet?

  • rv

    Sweet indeed.
