Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.
As of 2018 there had not yet been a single widespread Linux virus or malware infection of the type that is common on Microsoft Windows; this is attributable generally to the malware's lack of root access and fast updates to most Linux vulnerabilities.
- 1 Linux vulnerability
- 2 Anti-virus applications
- 3 Threats
- 4 See also
- 5 References
- 6 External links
Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or to cause any serious consequences to the system itself, the malware would have to gain root access to the system.
In the past, it has been suggested that Linux had so little malware because its low market share made it a less profitable target. Rick Moen, an experienced Linux system administrator, counters that:
[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen.
In 2008 the quantity of malware targeting Linux was noted as increasing. Shane Coursen, a senior technical consultant with Kaspersky Lab, said at the time, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."
Tom Ferris, a researcher with Security Protocols, commented on one of Kaspersky's reports, stating, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or Mac OS X. But that's not necessarily true."
Some Linux users do run Linux-based anti-virus software to scan insecure documents and email which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:
...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.
Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example, the open source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."
Viruses and trojan horses
The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be temporarily infected, as the Linux kernel is memory resident and read-only. Any infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system.
It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges. It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay, or similar program, and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user to run the (trojan) program in the first place.
The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. Subsequently, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of these digital signatures provides an additional line of defense, which limits the scope of attacks to include only the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled. Reproducible builds can ensure that digitally signed source code has been reliably transformed into a binary application.
Worms and targeted attacks
The classical threat to Unix-like systems are vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.
Linux servers may also be used by malware without any attack against the system itself, where e.g. web content and scripts are insufficiently restricted or checked and used by malware to attack visitors. Some attacks use complicated malware to attack Linux servers, but when most get full root access then hackers are able to attack by modifying anything like replacing binaries or injecting modules. This may allow the redirection of users to different content on the web. Typically, a CGI script meant for leaving comments, could, by mistake, allow inclusion of code exploiting vulnerabilities in the web browser.
Older Linux distributions were relatively sensitive to buffer overrun attacks: if the program did not care about the size of the buffer itself, the kernel provided only limited protection, allowing an attacker to execute arbitrary code under the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However, as of 2009 most of the kernels include address space layout randomization (ASLR), enhanced memory protection and other extensions making such attacks much more difficult to arrange.
An area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an OpenOffice.org virus called Badbunny.
Stuart Smith of Symantec wrote the following:
As is the case with any operating system, Linux is vulnerable to malware that tricks the user into installing it through social engineering. In December 2009 a malicious waterfall screensaver that contained a script that used the infected Linux PC in denial-of-service attacks was discovered.
There are a number of anti-virus applications available which will run under the Linux operating system. Most of these applications are looking for exploits which could affect users of Microsoft Windows.
For Microsoft Windows-specific threats
These applications are useful for computers (typically, servers) which will pass on files to MS Windows users. They do not look for Linux-specific threats.
- Avast! (proprietary; freeware version available)
- AVG (proprietary; freeware version available)
- Avira (proprietary; freeware version was available, discontinued due to lack of demand)
- BitDefender (proprietary; freeware version available)
- Comodo (proprietary; freeware version available) 
- ClamAV (free and open source software)
- Dr.Web (proprietary) 
- F-Prot (proprietary; freeware version available)
- F-Secure Linux (proprietary)
- Kaspersky Linux Security (proprietary)
- McAfee VirusScan Enterprise for Linux (proprietary)
- Panda Security for Linux (proprietary)
- Sophos (proprietary) (versions for UNIX and Linux too)
- Symantec AntiVirus for Linux (proprietary)
- Trend Micro ServerProtect for Linux (proprietary)
For Linux-specific threats
These applications look for actual threats to the Linux computers on which they are running.
- chkrootkit (free and open source software)
- ClamAV (free and open source software)
- Comodo (proprietary) 
- Dr.Web (proprietary) 
- ESET (proprietary) (detects OS X, Windows malware as well)
- Linux Malware Detect
- rkhunter (free and open source software)
- Sophos (proprietary) (versions for UNIX and Windows too)
- lynis (open source auditing) 
Linux malware can also be detected (and analyzed) using memory forensics tools, such as the following.
The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.
- Mayhem - 32/64-bit Linux/FreeBSD multifunctional botnet
- Linux.Remaiten - A threat targeting the Internet of Things.
- Mirai (malware) - A DDoS botnet spreads through telnet service and designed to infect Internet of Things (IoT).
- GafGyt/BASHLITE/Qbot - A DDoS botnet spreads through SSH and Telnet service weak passwords, firstly discovered during bash Shellshock vulnerability.
- LuaBot - A botnet coded with modules component in Lua programming language, cross-compiled in C wrapper with LibC, it aims for Internet of Things in ARM, MIPS and PPC architectures, with the usage to DDoS, spreads Mirai (malware) or selling proxy access to the cyber crime.
- Hydra, Aidra, LightAidra and NewAidra - Another form of a powerful IRC botnet that infects Linux boxes.
- EnergyMech 2.8 overkill mod (Linux/Overkill) - A long last botnet designed to infect servers with its bot and operated through IRC protocol for the DDoS and spreading purpose.
- Effusion - 32/64-bit injector for Apache/Nginx webservers, (7 Jan 2014)
- Hand of Thief - Banking trojan, 2013,
- Kaiten - Linux.Backdoor.Kaiten trojan horse
- Rexob - Linux.Backdoor.Rexob trojan
- Waterfall screensaver backdoor - on gnome-look.org
- Tsunami.gen — Backdoor.Linux.Tsunami.gen
- Turla — HEUR:Backdoor.Linux.Turla.gen
- Xor DDoS A Trojan malware that hijacks Linux systems and uses them to launch DDoS attacks which have reached loads of 150+ Gbps.
- Hummingbad - has infected over 10 million Android operating systems. User details are sold and adverts are tapped on without the user's knowledge thereby generating fraudulent advertising revenue.
- NyaDrop - a small Linux backdoor compiled from a Linux shellcode to be used to infect Linux boxes with bigger size Linux malware.
- PNScan - Linux trojan designed to aim routers and self-infecting to a specific targeted network segment in a worm-like form
- SpeakUp - is a backdoor Trojan that infects six different Linux distributions and macOS devices.
- Alaeda - Virus.Linux.Alaeda
- Binom - Linux/Binom
- Bliss - requires root privileges
- Caveat 
- Cephei - Linux.Cephei.A (and variants)
- Coin 
- Hasher 
- Lacrimae (aka Crimea) 
- MetaPHOR (also known as Simile)
- Nuxbee - Virus.Linux.Nuxbee.1403
- Podloso - Linux.Podloso (The iPod virus)
- RELx 
- Rike - Virus.Linux.Rike.1627
- RST - Virus.Linux.RST.a (known for infecting Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005)
- Vit - Virus.Linux.Vit.4096
- Winter - Virus.Linux.Winter.341
- Winux (also known as Lindose and PEElf)
- Wit virus
- Zariche - Linux.Zariche.A (and variants)
- ZipWorm - Virus.Linux.ZipWorm
- Adm - Net-Worm.Linux.Adm
- Bad Bunny - Perl.Badbunny
- Cheese - Net-Worm.Linux.Cheese
- Linux.Darlloz - Targets home routers, set-top boxes, security cameras and industrial control systems.
- Mighty - Net-Worm.Linux.Mighty
- Millen - Linux.Millen.Worm
- Ramen worm - targeted only Red Hat Linux distributions versions 6.2 and 7.0
- SSH Bruteforce
- Comparison of computer viruses
- Computer virus
- Computer worm
- Dirty COW
- Timeline of computer viruses and worms
- Trojan horse (computing)
- Granneman, Scott (October 2003). "Linux vs. Windows Viruses". Retrieved 2008-03-06.
- Yeargin, Ray (July 2005). "The short life and hard times of a linux virus". Archived from the original on 1 May 2008. Retrieved 2015-12-06.
- "Virus Department". Retrieved 2015-12-24.
- Patrizio, Andy (April 2006). "Linux Malware On The Rise". Retrieved 2008-03-08.
- ClamAV (2010). "Clam AntiVirus 0.96 User Manual" (PDF). Retrieved 2011-02-22.
- Prince, Brian (5 January 2013). "Stealthy Apache Exploit Redirects Victims to Blackhole Malware".
- Prince, Brian (May 1, 2013). "Stealthy Apache Exploit Redirects Victims to Blackhole Malware". eWeek. Retrieved Nov 19, 2014.
- Smith, Stuart (June 2007). "Bad Bunny". Archived from the original on 2008-03-24. Retrieved 2008-02-20.
- Kissling, Kristian (December 2009). "Malicious Screensaver: Malware on Gnome-Look.org". Retrieved 2009-12-12.
- "Discontinuation of Antivirus solutions for Linux systems on June 30th 2016".
- Comodo Group (2015). "Comodo Antivirus for Linux". Retrieved 17 October 2012.
- "ClamAV". Retrieved 2011-02-22.
- "Dr.Web anti-virus for Linux". Dashke. Retrieved 2010-05-25.
- FRISK Software International (2011). "F-PROT Antivirus for Linux x86 / BSD x86". Retrieved 13 December 2011.
- "Kaspersky Linux Security - Gateway, mail and file server, workstation protection for Linux/FreeBSD". Kaspersky Lab. Retrieved 2009-02-11.
- "McAfee VirusScan Enterprise for Linux". McAfee. Retrieved 2012-12-27.
- "Panda Security Antivirus Protection for Linux". Panda Security. Retrieved 2009-01-13.
- Symantec (January 2009). "System requirements for Symantec AntiVirus for Linux 1.0". Archived from the original on 2007-04-29. Retrieved 2009-03-07.
- "COMODO Antivirus for Linux (CAVL) v1.1.268025.1 is released!". comodo.com. 2013-02-28. Retrieved 2014-06-12.
- "Dr.Web anti-virus for Linux". Dashke. Retrieved 2010-05-25.
- "ESET File Security - Antivirus Protection for Linux, BSD, and Solaris". Eset. Retrieved 2008-10-26.
- "ESET Mail Security - Linux, BSD, and Solaris mail server protection". Eset. Archived from the original on 2008-05-12. Retrieved 2008-10-26.
- "ESET NOD32 Antivirus for Linux Gateway Devices". Eset. Archived from the original on 2008-05-10. Retrieved 2008-10-26.
- "ESET NOD32 Antivirus 4 for Linux Desktop". Eset. Retrieved 2014-06-12.
- https://www.rfxn.com/projects/linux-malware-detect/ R-fx Networks project page of LMD
- "Root Kit Hunter". Archived from the original on 2013-03-05.
- "Botnets, a free tool and 6 years of Linux/Rst-B | Naked Security". Nakedsecurity.sophos.com. 2008-02-13. Retrieved 2013-08-11.
- "Sophos AV for Linux".
- "Lynis Github".
- "Second Look".
- volatilesystems.com Archived 2011-02-17 at the Library of Congress Web Archives
- Kovalev et al (17 July 2014), Mayhem – a hidden threat for *nix web servers, Virus Bulletin
- Michal Malík; Marc-Etienne M.Léveillé. "Meet Remaiten - a Linux bot on steroids targeting routers and potentially other IoT devices". WeLiveSecurity. Retrieved 4 November 2018.
- "Threat Detail - ESET Virusradar". virusradar.com. Retrieved 3 April 2016.
- Mohit Kumar (31 March 2016). "Advanced Malware targeting Internet of the Things and Routers". The Hacker News. Retrieved 3 April 2016.
- njccic (December 28, 2016). "Mirai Botnet". The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Retrieved 28 December 2016.
- Krebs, Brian (September 21, 2016). "KrebsOnSecurity Hit With Record DDoS". Brian Krebs. Retrieved 17 November 2016.
- Hackett, Robert (October 3, 2016). "Why a Hacker Dumped Code Behind Colossal Website-Trampling Botnet". Fortune.com. Retrieved 19 October 2016.
- Newman, Lily Hay. "What We Know About Friday's Massive East Coast Internet Outage". WIRED. Retrieved 2016-10-21.
- "Dyn | crunchbase". www.crunchbase.com. Retrieved 2016-10-23.
- Liam Tung (September 25, 2014). "First attacks using shellshock Bash bug discovered". ZDNet. Retrieved 25 September 2014.
- Catalin Cimpanu (September 5, 2016). "LuaBot Is the First DDoS Malware Coded in Lua Targeting Linux Platforms". Softpedia. Retrieved 5 September 2016.
- Catalin Cimpanu (September 17, 2016). "LuaBot Author Says His Malware Is "Not Harmful"". Softpedia. Retrieved 17 September 2016.
- Infodox (June 12, 2012). "Hydra IRC bot, the 25 minute overview of the kit". Insecurety Research. Retrieved 12 June 2012.
- Dan Goodin (March 21, 2013). "Guerilla researcher created epic botnet to scan billions of IP addresses". Ars Technica. Retrieved 21 March 2013.
- John Leyden (September 9, 2014). "Use home networking kit? DDoS bot is BACK... and it has EVOLVED". The Register. Retrieved 9 September 2014.
- John Leyden (October 31, 2016). "A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet". The Register. Retrieved 31 October 2016.
- unixfreaxjp (November 28, 2016). "MMD-0061-2016 - EnergyMech 2.8 Overkill Mod". MalwareMustDie. Retrieved 28 November 2016.
- "Linux.Encoder.1". drweb.com. Retrieved 10 November 2015.
- Lucian Constantin (10 November 2015). "First Linux ransomware program cracked, for now". Computerworld. Retrieved 10 November 2015.
- Leyden, John ( 21 November 2012), Evildoers can now turn all sites on a Linux server into silent hell-pits, The Register, retrieved 21 November 2012
- Kovalev et al Effusion – a new sophisticated injector for Nginx web servers, Virus Bulletin
- rsa.com. "Thieves Reaching for Linux—"Hand of Thief" Trojan Targets Linux #INTH3WILD » Speaking of Security - The RSA Blog and Podcast". Blogs.rsa.com. Archived from the original on 2013-08-15. Retrieved 2013-08-11.
- Vaughan, Steven J. "Linux desktop Trojan 'Hand of Thief' steals in". ZDNet. Retrieved 2013-08-11.
- Florio, Elia (February 2006). "Linux.Backdoor.Kaiten". Retrieved 2008-03-08.
- Florio, Elia (December 2007). "Linux.Backdoor.Rexob". Retrieved 2008-03-08.
- Vervloesem, Koen (December 2009). "Linux malware: an incident and some solutions". Retrieved 2010-09-16.
- "Backdoor.Linux.Tsunami.gen". Securelist. Retrieved 2014-05-09.
- "The 'Penquin' Turla - Securelist". securelist.com. Retrieved 10 November 2015.
- Joey-Elijah Sneddon. "Yes, This Trojan Infects Linux. No, It's Not The Tuxpocalypse - OMG! Ubuntu!". OMG! Ubuntu!. Retrieved 10 November 2015.
- unixfreaxjp.wirehack7,shibumi (September 29, 2014). "Linux/XOR.DDoS : Fuzzy reversing a new China ELF". MalwareMustDie. Retrieved 29 September 2014.
- Akamai Technologies (29 September 2015). "OR DDoS Botnet Launching 20 Attacks a Day From Compromised Linux Machines, Says Akamai". Retrieved 18 March 2016.
- Samuel Gibbs. "HummingBad malware infects 10m Android devices". Retrieved 2016-07-06.
- David Bisson (October 17, 2016). "NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware". Graham Cluley. Retrieved 4 November 2018.
- Catalin Cimpanu (August 25, 2016). "PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India". Softpedia. Retrieved 25 August 2016.
- Tara Seals (February 4, 2019). "SpeakUp Linux Backdoor Sets Up for Major Attack".
- William Moseley (February 4, 2019). "SpeakUp – New Linux Backdoor Trojan Discovered By Security Experts".
- herm1t (August 2008). "Linux.42: Using CRC32B (SSE4.2) instruction in polymorphic decryptor". Archived from the original on 2012-02-27.
- Ferrie, Peter (September 2008). "Life, the Universe, and Everything".
- herm1t (August 2006). "Infecting ELF-files using function padding for Linux". Archived from the original on 22 January 2012.
- Kaspersky Lab (May 2007). "Virus.Linux.Alaeda". Archived from the original on 13 July 2009. Retrieved 2008-03-08.
- McAfee (December 2004). "Linux/Binom". Archived from the original on 2005-01-24. Retrieved 2008-03-08.
- Rieck, Konrad and Konrad Kretschmer (August 2001). "Brundle Fly 0.0.1 - A Good-Natured Linux ELF Virus". Archived from the original on May 14, 2008. Retrieved 2008-03-08.
- de Almeida Lopes, Anthony (July 2007). "Project Bukowski". Retrieved 2008-03-08.
- herm1t (February 2008). "Caveat virus".
- Ferrie, Peter (July 2009). "Can you spare a seg?". Archived from the original on 2012-01-17.
- TMZ (January 2019). "Linux.Cephei - ESET Virusradar". Archived from the original on 5 July 2018.
- herm1t (October 2007). "Reverse of a coin: A short note on segment alignment".
- Ferrie, Peter (September 2009). "Heads or tails?". Archived from the original on 2012-01-17.
- herm1t (October 2007). "Hashin' the elves".
- Ferrie, Peter (August 2009). "Making a hash of things". Archived from the original on 2012-01-17.
- herm1t (June 2008). "README". Archived from the original on 2012-02-06.
- Ferrie, Peter (February 2008). "Crimea river". Archived from the original on 2012-01-17.
- The Mental Driller (February 2002). "Metamorphism in practice or "How I made MetaPHOR and what I've learnt"". Archived from the original on 2007-06-02. Retrieved 2008-03-08.
- Kaspersky Lab (December 2001). "Virus.Linux.Nuxbee.1403". Archived from the original on 2 March 2012. Retrieved 2008-03-08.
- herm1t (November 2007). "INT 0x80? No, thank you!".
- Ferrie, Peter (September 2009). "Flying solo". Archived from the original on 2012-01-17.
- Ferrie, Peter (April 2007). "Linux.Podloso". Retrieved 2008-03-08.
- Ferrie, Peter (April 2007). "The iPod virus". Archived from the original on 2008-03-02. Retrieved 2008-03-08.
- herm1t (December 2009). "From position-independent to self-relocatable viral code".
- Kaspersky Lab (August 2003). "Virus.Linux.Rike.1627". Archived from the original on 2 March 2012. Retrieved 2008-03-08.
- Kaspersky Lab (January 2002). "Virus.Linux.RST.a". Archived from the original on 2007-11-07. Retrieved 2008-03-08.
- "The ways of viruses in Linux HOW SAFE?" (PDF). Archived from the original (PDF) on 2014-05-17. Retrieved 2009-08-21.
- Kaspersky Lab (March 2000). "Virus.Linux.Vit.4096". Archived from the original on November 7, 2007. Retrieved 2008-03-08.
- Kaspersky Lab (October 2000). "Virus.Linux.Winter.341". Archived from the original on 2007-11-10. Retrieved 2008-03-08.
- Rautiainen, Sami; et al. (March 2001). "F-Secure Virus Descriptions: Lindose". Archived from the original on June 21, 2008. Retrieved 2008-03-08.
- "The Wit Virus: A virus built on the ViT ELF virus" (PDF). Retrieved 2008-12-31.
- TMZ (January 2015). "Linux.Zariche - ESET Virusradar".
- Kaspersky Lab (January 2001). "Virus.Linux.ZipWorm". Archived from the original on 13 July 2009. Retrieved 2008-03-08.
- Kaspersky Lab (May 2001). "Net-Worm.Linux.Adm". Archived from the original on 2007-10-30. Retrieved 2008-03-08.
- Rautiainen, Sami (April 2001). "F-Secure Virus Descriptions: Adore". Retrieved 2008-03-08.
- Smith, Stuart (May 2007). "Perl.Badbunny". Retrieved 2008-03-08.
- Kaspersky Lab (May 2001). "Net-Worm.Linux.Cheese". Archived from the original on 2007-10-28. Retrieved 2008-03-08.
- Rautiainen, Sami (April 2001). "F-Secure Virus Descriptions: Kork". Retrieved 2008-03-08.
- Mohit Kumar (2013-11-30). "Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability". The Hacker News. Retrieved 2013-12-04.
- Joe Casad (3 December 2013). "New Worm Attacks Linux Devices". Linux Magazine. Retrieved 4 December 2013.
- McAfee (June 2005). "Linux/Lupper.worm Description". Archived from the original on 2005-11-24. Retrieved 2010-10-10.
- Kaspersky Lab (October 2002). "Net-Worm.Linux.Mighty". Archived from the original on 2007-11-07. Retrieved 2008-03-08.
- Perriot, Frederic (February 2007). "Linux.Millen.Worm". Retrieved 2008-03-08.
- Rautiainen, Sami; et al. (September 2002). "F-Secure Virus Descriptions: Slapper". Retrieved 2008-03-08.
- Voss, Joel (December 2007). "SSH Bruteforce Virus by AltSci Concepts". Retrieved 2008-03-13.
- Linuxvirus on the Official Ubuntu Documentation