Meet Linux Viruses

There exists a conventional wisdom that Linux viruses are non-existent entities. For most Linux users this might be surprising that Linux viruses do exist! Though not in wild, and they are so less in number (when compared to counterpart OSs) that they can be counted on fingers! The post introduces to some popular Linux viruses detected to date on Linux systems to enlighten you with realistic facts so that you can even improve your security!

Linux Operating system is generally thought of as “Virus Proof”; It is indeed a very secure Operating system but to think Linux Virus does not exist or Linux is virus-proof is being overly naïve. Researchers have shown that Native ELF Linux Viruses are technically possible. So far, Linux viruses are either prependers or regular file infectors that change entry and alter the actual host code. We have compiled he list of prominent Linux virus show up to date. Let’s investigate the viruses and risk posed by them.

Alaeda (Virus.Linux.Alaeda)
Shown in: 2003
Risk Level: low
Wild Level: low
Platform: Linux
Threat Description: Alaeda is a non-resident virus that infects systems ELF format files in the current directory in a system running Linux [ELF is the most commonly used Linux file type: short for Executable and Linkable Format. ELF supports 32- as well as 64-bit objects.] Before infecting, the victim machine will be checked to see if it can be infected. The .text section of the file to be infected must be of a minimum size for malicious code to be injected. Once the virus infects the file it shall modify the entry point of the original file (the file’s ELF header) consequently transferring control to the infection routine.

Badbunny (Perl.Badbunny)
Shown in: 2007
Risk Level: low
Wild Level: low
Platform: Linux, Windows
Threat Description: Badbunny is the first worm that specifically targets the open-source office package OpenOffice. It displayed a pornographic picture of a man in a bunny suit with a woman in a forest. “A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems,” according to a Symantec Security Response advisory. “Be cautious when handling OpenOffice files from unknown sources.”

OSF.8759
Shown in: 2002
Risk Level: low, non-destructive ELF executable virus
Wild Level: low
Platform: Unix
Threat Description: Linux.OSF.8759 is a virus with backdoor capabilities that replicates on Linux systems and infects ELF executables. Once executed, it infects all files in the current directory. Thanks to the user privileges in Linux system that the virus is practically non destructive however if run from a root account the virus will attempt to infect the files from the “/bin” system directory along with the current directory that can cause some trouble. In all cases no more than 201 files are infected in one run.

Vit virus (Virus.Linux.Vit.4096)
Shown in:1999
Risk Level: low for Linux users
Wild Level: low
Platforms: Unix, Linux, Windows and MSD0S
Threat Description: Vit virus is one of the popular crossplatfrom virus that is nonmemory resident parasitic in nature. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. Vit virus is the second known virus for Linux operating system after “Linux.Bliss”. the virus can only infect the files and directories that are declared as “write-able” for the current username owing to tight security (i.e access-protection) of Linux. Nonetheless if the current username has total access (system administrator, that is rare), the virus will infect all the files on a computer. As an average user does not have root access the virus has minimal risk level.

Staog
Shown in:1996
Risk Level: low
Wild Level: low ( It has not been detected in the wild since its initial outbreak)
Platforms: Linux
Threat Description: Staog was the first virus written specifically for systems running on Linux. The virus operated by exploiting vulnerabilities in the kernel that allowed the virus to stay resident in the memory. While residing in the memory it infected executable binary files. The virus functionality depended upon bugs that was immediately fixed by software upgrade. Also Staog inefficiently replicated itself. The virus was written by VLAD, a well known Australian based group from the hacking community that was known writing Boza, the first known Winodows 95.

Bliss
Shown in: in February 1997
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description:Bliss is the first computer virus that is known to infect Linux systems. The Bliss virus is thought to be written in order to prove that Linux is not virus proof and that it can be infected. Bliss virus immediately gained popularity not because it caused any damage to Linux systems, but because then it was conventionally thought that Linux is virus proof. Bliss when executed attaches itself to Linux executable files rendering the files unable to execute this draws user’s attention immediately. Mainly because the virus does not propagate very effectively (thanks to the Linux’s user privilege system) the Bliss virus never became widespread. Bliss virus, to date remains chiefly a research curiosity. The classification of the virus is controversial and often confused as worm or torjan. Debian still registers itself as being vulnerable to this virus nevertheless the risk is minimal.

Virus.Linux.Winter.341
Shown in: in 2000
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description:This is a harmless non-memory resident parasitic Linux virus. It is very very small in size for a Linux virus that is just about 341 bytes (in the known virus version).

Zipworm
Shown in: in 2001
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description:It is harmless Linux virus affecting ZIP archives. When the virus is activated, it searches for ZIP archives located in the current directory and add its copies to there. The virus files in archives have one of five possible names:
>Ten motives why linux sux!
>Why Windows is superior to Linux!
>Is Linux for you? Never!
>Is Linux immune to virus? NO!
>zipworm!

Satyr:( Virus.Linux.Satyr.a)
Shown in: in 2001
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description:This is a harmless non-memory resident parasitic Linux virus. The virus targets the Linux executable module (ELF file) and searches for other ELF files in the system, and then infects them.

Ramen virus ( Ramen worm)
Shown in: in 2001
Risk Level: low
Wild Level: low
Platforms: Linux (Red Hat)
Threat Description:Ramen affects systems running default installations of Red Hat Linux 6.2 and 7.0. The nature of the worm/virus is complex and is widely known as virus, incorrectly when it is a worm as it spreads via computer network. It attempts to infect the system by exploiting three know security vulnerabilities wu-ftpd, rpc.statd and lpd services and spreads through brute force technique. First the replaces all “index.html” pages from the system, including the web server that contains the following text.

Koobface
Shown in: in 2010
Risk Level: low
Wild Level: low
Platforms: Windows, Mac and Linux
Threat Description:The koobface virus became immensely popular virus that spreads through social networking sites and targets platforms like Windows, Mac and even Linux computers. Once infected, the virus attempts to gather login information for FTP and social networking sites. Once your password has been compromised the virus will send an infected message to all of your friends in your social network.

Kaiten
Shown in: in 2006
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description:Linux.Backdoor.Kaiten is a Trojan horse that opens a back door on the compromised computer.

Rike
Shown in: in 2003
Risk Level: low
Wild Level: low
Platforms: Linux
Threat Description:Rike is a virtually harmless non-memory resident parasitic virus that is just about 1627 bytes written in the Assembler programming language. Rike virus prior to infecting it searches for Linux executable files in the current directory; once it finds it prey then writes itself to the middle of the file consequently increasing the size of the last section. Then virus writes itself to the free space and then inserts a Jump command to the Entry Point address. The virus writes its label to the ELF header. The label is the string “RIKE”.
Most of the viruses target the ELF files.

As Linux is opensource documented ELF file format might increase virus risk.
So, viruses for Linux are not non-existent entities they exist, but thankfully, the risk posed by these viruses are minimal in fact negligible in most cases. This is why we say Linux is virus-proof; by that we mean Linux has a very strong architecture. However it’s always a good practice to keenly observe the content you surf on internet and your attachments and downloads. Also as Linux is gaining popularity it is very much possible that hackers engage more and more to find vulnerabilities in the system. Therefore having an infection-checker installed wont being any harm!

In his book “Online!” John Dvorak (American technology columnist), says that “Linux cannot be absolutely immune to viruses. Even if Linux’s non-susceptibility seems to be absolute there is no guaranteeing that tomorrow…someone won’t find a tiny hole to push an elephant through. ”

Note: The post only lists popular Linux viruses. A more populated list can be found here
Reference: All the virus definitions have been taken from securelist.com