Talk:Linux malware

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computing / Security (Rated C-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the project's quality scale.
 Low  This article has been rated as Low-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computer Security (marked as Low-importance).
WikiProject Linux (Rated C-class, Top-importance)
WikiProject icon This article is within the scope of WikiProject Linux, a collaborative effort to improve the coverage of Linux on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the project's quality scale.
 Top  This article has been rated as Top-importance on the project's importance scale.

Linux/Lupper not a Linux vulnerability[edit]

Linux/Lupper is not a Linux doesn't affect the Linux kernel or any GNU tools. It attacks poorly written (and outdated, mind you) PHP and CGI blogging scripts. If you were to place it under the category of a Linux virus, that would also mean that Windows and the Mac OS are also vulnerable. This is fallacy.

You didn't sign. And I'm not a citeable person, no blog or anything. But attacking the kernel itself is actually quite rare. It's much more common for a virus or exploit to attack software running on the target machine. So yes, that's a virus. And yes, Windows and Mac OS are also vulnerable. Look at the Pwn2Own competition for an example, most of the attacks can be used on any of the OS's. I don't have a source, haven't bothered looking to be honest, but to reject something as a virus because it does not attack the kernel is naive. Chrissd21 (talk) 03:20, 6 October 2009 (UTC)
Read above: or any GNU tools. PHP and CGI scripts are not part of the operating system. Of course it may be worth mentioning that Linux doesn't make third party add ons safe (and neither do the Linux distributions). --LPfi (talk) 00:26, 7 October 2009 (UTC)


Many linux virus scanners are actually designed to stop windows viruses passing through linux email servers —Preceding unsigned comment added by (talk) 22:03, 3 January 2008 (UTC)

Proposed move[edit]

The list here is a small fraction of the viruses out there, and years out of date. There are virus databases that have current info on that subject. What should be the fate of the article? I'm considering a move to "Notable Linux computer viruses". Presumably virus notability comes under WP:SOFTWARE, although the criteria don't quite fit. Probably only viruses with mainstream press coverage really are notable. Comments? --John Nagle 17:53, 20 April 2006 (UTC)


I agree that this list is uninformative und would better be integrated somewhere else. I have nto fully understood, what your proposed article aims at: More warning about current virii -or- a sort of tracked list of virii (for example with a date of 1st occurrence and a date since when it is fixed in the distributions)? I personally would opt for the 2nd one because it provides it can provide an archive as well, thus replacing this outdated article nicely. -- And the list is not supposed to grow fast, I assume. ;-) Madmaxx 21:54, 25 May 2006 (UTC)

Agree too. An outdated list is misleading, as users may infer it is an exhaustive list. --Outlyer 17:17, 29 June 2006 (UTC)

Aren't most of these worms anyway, not viruses?

The maybe viruses should be replaced by malware. --Outlyer 17:17, 29 June 2006 (UTC)

And most, if not all, of the exploits that the virus/worms use have been fixed in newer versions of the kernel. --Jdm64 03:59, 11 January 2007 (UTC)

Multi-user does not prevent spread of malware / Article oversimplifies a complex subject[edit]

The following quote from the article makes a very silly assumption....

Like other Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. As such, viruses typically have less of an ability to change and impact the host system. That is why none of the viruses written for Linux, including the ones below, have ever propagated successfully to a large number of machines. Also, the security holes that are exploited by the viruses have been fixed shortly after (or more often, before) the viruses started spreading. So the viruses listed no longer pose any concern as long as the Linux system is updated regularly.

Malware does not need "root" access to a linux machine to spread itself. For example, no special privileges are needed to send an email with an attachment out, or download a file from the internet. As to vulnerabilities, most malware is spread via social engineering, not software vulnerabilities, and even if vulnerabilities are patched right away there is still the problem of users not installing security updates in a timelyt manner.

Like most writing about computers security on the net I've seen on the net, this article is oversimplifying a very complex subject.

I won't try to make a correction, since I think this article shouldn't exist or should be integrated somewhere else.

Have a great day! :) Toadlife 01:01, 30 October 2007 (UTC))

Actually, a worm does need access to spread via the mechanism that is usually used on Windows systems, some sort of network connection One of the problems of creating something like the web browser this is being typed in or a mail client like Thunderbird is that a normal user does not usually have the ability to create a network socket. A worm spreads via network connections it can open and since a normal user on Unix or Linux can not just open a socket at will this cuts off one of the avenues of spreading and severely limits it. Then there is the matter of the MAC (Mandatory Access Control) which are the rwx (Read, Write, and eXecute) flags of the file system. You can not just go writing files any place you want to on a Linux / Unix system. Windows could also have had this enhanced security but the people in Redmond had limited experience working with something like Unix, IBMs OS/400 or MVS or VM/CSE, DEC's OpenVMS and similar systems. So Microsoft did not wait when IBM said, let us implement some sort of MAC control for the HPFS. So out the door the incomplete HPFS went which became the NTFS. If Microsoft had waited the virus world would be an entirely different place than what we have today.

I also disagree that this article is not apropos. I think it should be retained and enhanced. For example, the Linux Malware Detect shows a missing link. I found it here: . The other thing that would be useful is to see just how much worse the situation has become. It may be that nobody is writing malware for Linux because they don't see the percentage, but I find it hilarious that VirusTotal always asks me if I am submitting Linux / Unix malware. For me personally, WHAT LINUX MALWARE? Other than rootkits and the associated software that goes with them there isn't any. I have always missed the boat getting it and it is gone when I get there. Not only that but I am the creator of a blocking hosts file and I go through 2000-3000 host names per month both going and coming that are infected by infected Windows machines. That is something that has happened since this was written. The one point the article is in error on is that the Linux web-servers are kept up to date. They aren't, but the malware they are spreading attacks not Linux, but Microsoft Windows. Not only that, but since 2007, the Windows malware situation has got infinitely worse and if anything the Linux malware situation has got better except for these injected web servers. It is not that the Linux machine itself is infected. It is that links and Windows malware are forced into the web server pages. This article needs to be expanded to show this interplay and make a plea to Web Service Providers to keep their web server software UP TO DATE. That applies to both IIS and Apache, but of the two, out-of-date Apache is what I encounter most of the time.

Retain the article but upgrade it. For example, I would like to see how a top security consultant for Kaspersky sees the situation today. hhhobbit (talk) 01:43, 28 May 2010 (UTC)

Guideline on linux virus protection[edit]

Perhaps the advice should be included that a on-acces virusscanner is not required given that:

  • so little linux virusses exist and
  • given that due to permission restrictions even these can do little harm

Instead, regular or monthly schedualed virusscanning would suffice (and offcourse no firewall or other implementations regularly seen with Norton Antivirus, ... is required.

Hope you include this advice (would make sure linux is not made sluggish by inexperienced users. Cheers, (talk) 16:51, 27 December 2007 (UTC)

Edit: already included information myself and tried to be as objective as possible. The rewrite is as follows:

The Linux operating system, along with Unix and other Unix-like computer operating systems, are generally regarded as well protected against computer viruses.

This good protection linux has against virusses from the moment it is installed is due to the fact that :

  • Like other Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. As such, viruses typically have less of an ability to change and impact the host system. That is why none of the viruses written for Linux, including the ones below, have ever propagated successfully to a large number of machines. The viruses below still pose a potential, although minimal threat to Linux. If an infected binary containing one of the below viruses was run the system would be infected. The infection level depends on what user runs the binary. A binary run under the root account would be able to infect the entire system.
  • Very little virusses that are written for linux exist anyhow [1]

However, despite this limited risk, viruses can potentially damage insecure Linux systems and impact their operation, and even possibly spread to other systems. As such, aldough the risk is small enough to make continuous or on-access virusscanning not required regular or monthly schedueled virusscanning is still best incorporated. The virusscanner used herefore may be minimal aswell (no firewall, ... is required). As such, virusscanners as Clamav do well enough and have the added advantage of being totally free of charge and open-source.

Re-wrote it to be more encyclopedic, there shouldn't be a list or even guide lines on protection. Wolfmankurd (talk) 02:19, 29 December 2007 (UTC)

The following is a list of known Linux malware:

Wait.. You removed any mention of a firewall? *cringes*

Think of it like this. Your machine is a house, you're holding a party. The firewall is the bouncer, he makes sure that all the suspicious and unruly crowds are turned away at the door BEFORE THEY GET IN!!!. The antivirus is your doting father with a notepad, on that notepad are photos of people he thinks you shouldn't be hanging around with. Anyone who's face matches a photo will be kicked out. You want to stop a threat BEFORE it gets into your machine. And that list only works on known viruses. No offence, but your an idiot and lacking a great deal of knowledge if you say that people should run an antiviruse programs (AV from now on) and no firewall.

If you're going to include references to AV's, then you need to at least link to IP Tables, or a third party firewall for Linux systems. [2] Above link is a list of Linux malware, as you can see, the most recent in there as of 06/10/2009 is 2009-07-14. And this list isn't little known malware, it's about big bugs. Both an AV and properly configured firewall/IP Tables are important to safe computing. Wrong topic but most viruses won't attack the kernel, they attack software, and the one thing consistent about a Linux distro is that it will be running certain software on it. If this article is a list only, an encylopaedic archive, then there is no need to mention AV or firewalls. If you are going to include a list of AV's, then at the very least include a link to IP Tables with something like "it is also reccomended the user properly configures IP Tables or installs a 3rd party firewall as they offer protection from more than just malware, and do not show a marked decrease in performance on the machine". And if the user only runs a scan for viruses once a week or so, then they are getting all the protection from the AV and no decrease in performance. —Preceding unsigned comment added by Chrissd21 (talkcontribs) 03:52, 6 October 2009 (UTC)


  • L10n (also known as Linux/Lion)
  • Kork (also known as lpdw0rm, lpdworm, Abditive)
  • Cheese
  • Adore (also known as Red)
  • Ramen
  • Slapper (also known as Cinik, Unlock, bugtraq.c, Apache/mod_ssl worm)
  • Mighty (also known as Devnull)
  • Adm (also known as ADMworm, ADMw0rm)
  • SSHD22
  • Millen (also known as Millenium, MWorm, Mworm)
  • Sorso
  • Lupper (also known as Lupii, Plupii, Mare)

Computer viruses[edit]

External links[edit]

Linux computer viruses and worms

Linux-stub ru:Список компьютерных вирусов и червей под Linux tr:Linux bilgisayar virüsleri ve kurtçukları listesi

;Provide suggestions at this talk page or alter the edit (while leaving my advice) at the article page. Thanks.

No attack on Ubuntu mirrors?[edit]

AFAIK there has never been a (successful) attack on the Ubuntu mirrors, and the following seems to confirm this: —Preceding unsigned comment added by (talk) 01:45, 18 February 2008 (UTC)

I can't find any info either to confirm this ever happened. I believe it may have been put in the article in error. Besides that a mirror attack is not relevant to this article on viruses. I will removed it as "unsourced" - Ahunt (talk) 12:40, 20 February 2008 (UTC)
So what? Ubuntu is not Linux, it is *one* Linux distro, only.-- (talk) 04:13, 11 October 2008 (UTC)

Article name[edit]

Since this article contains a lot more information than just a simple list of Linux viruses I am wondering if the article name shouldn't be changed to something more along the lines of "Linux computer viruses and worms" to better reflect the content? I would like some input from other editors watching this article to get a consensus on this. - Ahunt (talk) 12:20, 6 March 2008 (UTC)

I agree that the name should be changed. I'd suggest "Linux malware", as malware includes viruses and worms, and also spyware, etc. WalterGR (talk | contributions) 11:21, 8 March 2008 (UTC)
That is a nice short title! I like it! Anyone else have any thoughts on this? - Ahunt (talk) 15:24, 8 March 2008 (UTC)
Lacking any objections to renaming, I will go ahead and carry it out. - Ahunt (talk) 11:41, 10 March 2008 (UTC)
Thanks for doing that! WalterGR (talk | contributions) 12:01, 10 March 2008 (UTC)
No problem - thanks for suggested the best name! I changed all the links to it that I could find as well. - Ahunt (talk) 14:13, 10 March 2008 (UTC)

Removal of the Granneman quote[edit]

I removed the Granneman quote.

  • It's quite old (from 2003) and was written when Windows XP was Microsoft's main consumer OS.
  • As such, it doesn't take e.g. Vista into account, where the user isn't admin by default.
  • Some pretty important portions of the article were incorrect, and later corrected.
  • The article is largely about Windows susceptibility to e-mail attachments containing malware, rather than the security/insecurity of the platform as a whole.

I'm sure there are better references out there for why malware isn't as common on Linux.

WalterGR (talk | contribs) 06:37, 8 March 2008 (UTC)

No problem, if you think the quote is not helpful then it should go. I have changed the ref on the remaining quote so that the footnote works right. I have also removed the one-source tag, since there are currently three refs. I will also probably work on the external links in the list as they should be refs as well instead. - Ahunt (talk) 21:12, 8 March 2008 (UTC)
Thanks for fixing the broken ref! I just did "preview" on the section I edited so I didn't notice I had screwed it up. :/ WalterGR (talk | contributions) 21:15, 8 March 2008 (UTC)
That is the one problem with "section editing" - you don't see the refs! - Ahunt (talk) 22:17, 8 March 2008 (UTC)

Misc Comments[edit]

I think the article is too oversimplifying in the sense that it neither gives a non-techical user information about the real threat-level his/her gnu/linux system (this article doesn't even draw a clear line between the kernel and user-mode program) nor for technical users an overview of possible malware categories. Fri Apr 11 14:13:43 CEST 2008 —Preceding unsigned comment added by (talk) 12:15, 11 April 2008 (UTC)

Feel free to expand it to make it better, as long as you have references! - Ahunt (talk) 13:10, 11 April 2008 (UTC)


This article is a load of biased cr*p. I'm using Linux myself and I'm sort of embarrassed to see this sort of propaganda in Wikipedia. Obviously, the primary reason that Linux is not as malware troubled as Windows is that Linux is installed on less than 5% of all desktops in the world. If you want to cause grief on the desktop, Linux is a poor target, simply because there is almost no Linux desktops out there. In other words, malware is not produced for Linux. Linux has good security, but that is most definitely a secondary reason. Also, please let go of the citations of some Linux zealot's blog - those are not reliable sources. —Preceding unsigned comment added by (talk) 05:40, 2 July 2008 (UTC)

Anyone can call an article "load of biased cr*p". If you have references to back up your contention that it is the low level of usage rather than inherent security features incorporated in Linux that results in its virus non-susceptibility then let's by all means have a look at them and amend the article. Also please sign your posts with 4 tildes, it saves the SineBot from tracking you down! - Ahunt (talk) 10:58, 2 July 2008 (UTC)
It is incorrect to say that the low usage share of linux is the primary reason it has little malware threat. there are over 800 malware apps for linux and of these, none have become widespread or caused significant impact. on the other hand, if you consider the wildlist for windows viruses, a decent percentage have become widespead and an even higher percentage have caused significant impact. (I haven't included the actual numbers because the stats I am reading are from a restricted access thesis which I can't reference) Xavier Orr (talk) 00:56, 27 September 2008 (UTC)
Regardless of whether GNU/Linux is more or less secure than Windows, it's inherently biased to have this article but no Windows malware article. Superm401 - Talk 03:25, 19 December 2008 (UTC)
That may be true, but tagging this article as "POV" will not address that problem. There is an article addressing Windows viruses, it is Computer virus, because largely the history of computer viruses is a history of Windows viruses. In a way this article is just a subset of that article. If you think that Windows viruses need better coverage as a subject then it should either be a new article or an expanded section at Computer virus. Either way that will not impact this article. - Ahunt (talk) 11:17, 19 December 2008 (UTC)
Actually the unsigned person has a point. The main reason Linux systems aren't targeted are 1: Its low market share, if you attack you want to hit as many machines as possible. 2: Linux is an umbrella term, there is no one Linux, as such, there is no one way of setting things up. The systems differ from distro to distro, in how folders are organised (and thus the pathnames), in the console commands, etc. For a virus to work on a Linux system, it would have to target the kernel only (rare in the virus world, much more common to attack 3rd party software) and also have at least 2 different pathnames to try out, Red Hat, Ubuntu, then more for other distro's. Windows has just as much security built into it as your typical Linux system, taking into account that XP is over a decade old of course. Chrissd21 (talk) 03:28, 6 October 2009 (UTC)
There seems to be little evidence for the low market share argument. Linux isn't much targeted as a server either, although having quite a big market share.
The diversity is actually regarded as one of the strengths of Linux security wise. That means that even with 90 % market share for Linux any Linux variant would be a "low market share" target. It is of course possible to write Linux malware for any Linux installation having a targeted vulnerability – is there a shortage of common (unpatched) vulnerabilities?
--LPfi (talk) 00:41, 7 October 2009 (UTC)

Linux is not Unix[edit]

It's a Unix-like system, but it's not Unix. It's based on Minix, which also is not Unix. —Preceding unsigned comment added by (talk) 21:57, 3 July 2008 (UTC)

  • Linux is not based on Minix at all... (talk) 16:20, 10 July 2008 (UTC)
No, but that's a red herring here. Any Linux Standard Base system meets the same criteria as the Single Unix Specification -- since that's the underpinning of LSB -- and could therefore *legally* be called Unix if someone wanted to pay for the formal test suite to be run by SUS's owners, The Austin Group. Therefore, it's pretty reasonable to say that Linux *is* UNIX, certainly in the general sense in which we say that BSD, SCO, or Solaris are, but in the more specific "UNIX is a registered trademark" sense, as well.
--Baylink (talk) 22:24, 14 November 2009 (UTC)

Actually I think what both of you are trying to get at is Linux and Unix are both POSIX compliant operating systems. A Book by Mark G Sobell

A Practical Guide to Linux Commands, Editors, and Shell Programming [3] Supernix (talk) 00:16, 31 July 2010 (UTC)

Malware can auto-start without root[edit]

The article says that Linux malware is not normally able to become root, preventing it from auto-starting. In KDE you can do the following without being root - create a symbolic link or executable for the malware under ~/.kde/Autostart. This ensures the malware runs every time the user logs in, which is good enough to help it monitor keystrokes, send spam, etc.

This should be fixed - while Linux servers may not have someone logged in using a GUI, Linux desktops/laptops mostly will have. —Preceding unsigned comment added by (talk) 16:19, 10 July 2008 (UTC)

Most Linux systems do probably have cron available for any normal user. Any malware can restart itself from ~/.profile, ~/.xinit or similar. Whether it starts at boot or when the user logs in is usually of little importance.
The important thing about not being root is that root can find any anomalities, such as unusual activities or weird files, without having to boot from a trusted medium. Steps taken to hinder the user himself from finding the malware may make it more easily found by root. Suspicous software can also easily be run from limited accounts (the malware may of course have privilage escalation features).
--LPfi (talk) 10:42, 6 September 2008 (UTC)
Su and Sudo are also commands found on Linux and Unix systems which can be exploited by malware to gain temporary root access. Most users also won't properly configure the commands, so all you have to do is run them to gain root.

However, that's besides the point. You don't need root to infect a machine. Yes, it helps. A lot. But you can do without it. The article states "To gain control over a Linux system or cause any serious consequence to the system itself, the malware would have to gain root access to the system". That is wrong. That is very, very wrong. I would like to point out that the article cited is a Linux site and as such is highly likely to be biased. As a security enthusiast, currently studying IT Security at uni, the main reasons Linux isn't targeted are not it's wonderfully secure setup. Windows has a very similar setup, as does Mac OS. But I'm straying here.

tl:dr You don't need root to run a virus, you can get root easily using improperly configured Su/Sudo/etc commands, the article cited backing that claim up is over 4 years old and has a marked bias. Chrissd21 (talk) 04:02, 6 October 2009 (UTC)

"To gain control over the system" you need root. Not to run a virus. Isn't that pretty much what was written above and in the article? And there are ways to get root, at least if you compromise the account of the administrator. These issues are well known. Read the section Linux malware#Viruses and trojan horses. Is there some specific threat that is not handled well enough in the article? --LPfi (talk) 01:00, 7 October 2009 (UTC)

And the user can infect some linux computer by booting without noticing he left a pendrive connected.... if the boot sequence is the proper one. — Preceding unsigned comment added by (talk) 04:32, 30 November 2014 (UTC)

Virus vs trojan[edit]

A virus is self spreading while a trojan requires the user to install it. I'm not sure if this article is clear with this or if it just calls any malware a 'virus'. So are the hundreds of viruses cited and the listed viruses all real viruses? Because I find it hard to believe that the much-less-frequently-used Linux had 800 viruses by the end of 2005 while in 2006 Sophos claimed to find the first Mac virus (which some still argue is just a trojan). What's up? Is the article inaccurate or not precise, or do people just love writing Linux viruses, or is OS X more secure? I'm not writing this as a point of conversation, but to make sure the article is correct. Althepal (talk) 18:37, 21 August 2008 (UTC)

A quick check on the ref cited in that para shows that it actually says:

"In a report titled "2005: *nix Malware Evolution," the Russian antivirus software developer pointed out that the number of Linux-based malicious programs -- viruses, Trojans, back-doors, exploits, and whatnot -- doubled from 422 to 863."[2]

I have amended the para accordingly.- Ahunt (talk) 18:53, 21 August 2008 (UTC)

Linux Market Share[edit]

Is it really impossible to get a reasonable estimation of the market share of Linux from a quality source? My googling doesn't return anything good.

The hitlink reference now used doesn't tell what was measured or how it was measured. I suppose it tells about operating systems used for browsing, but whether clients are counted based on hits, sessions, individual users, individual hosts or something else isn't reported, neither how (or whether) the estimates are corrected for obvious errors (is there some explanation somewhere on the site?).

I suppose these statistics are collected and put on the net primarily to advance use of the firm's technology, and so the site is interested in good-looking statistics, not in reporting the problems involved, and not necessarily in the correctness of the figures.

Apart from that, share in different markets is interresting for makers of different malware. Exploiters of browser bugs would be primarily interrested in individual browswer's market share, those using worms probably in server market share and so on.

I think market share (in different markets) indeed is important for writers of malware, but research discussing how important that is, and what other factors there are, would of course be interestesting.

--LPfi (talk) 10:17, 6 September 2008 (UTC)

Cuckoo's Egg attack not on linux[edit]

in the 1st paragraph

"The Linux operating system, Unix and other Unix-like computer operating systems are generally regarded as well-protected against computer viruses.[1] There have been successful attacks, however, on both Linux and Unix systems, the most notable perhaps being the Cuckoo's Egg attacks on Unix systems in the 1980s."

The cuckoo's egg attack was a hacker breaking into unix systems in the 1980s, before linux was even conceived. it is not suitable for this article on linux malware and should be removed. Xavier Orr (talk) 02:16, 26 September 2008 (UTC)

I agree it is not relevant - removed. - Ahunt (talk) 11:34, 26 September 2008 (UTC)

cross-OS antivirus aspects[edit]

Do most/all Linux anti-virus tools scan just for Linux viri, or all known including windows? If I boot a Linux livecd to rescue a windows system, will it find the windows infections if it includes antivirus tools? These kinds of OS-related and cross-OS matters should be mentioned in all of the antivirus articles. Including virtual OSes running within the same and other OSes, and simpler matters like WINE within Linux... - (talk) 21:21, 2 December 2008 (UTC)

That is a good question and you are right, the article should address it. There are so few Linux viruses and none in the wild right now that a Linux-virus-only scanner wouldn't be much use, so Linux scanners like AVG and ClamAV scan for all known viruses, that is to say mostly Windows viruses. These are mostly used on Linux mail servers anyway, where they might be forwarding mail onto Windows PCs - Ahunt (talk) 00:31, 3 December 2008 (UTC)
I managed to find a ref and add a paragraph to the article. I hope that answers your question? - Ahunt (talk) 00:42, 3 December 2008 (UTC)

Vulnerabilities vs. viruses[edit]

There's a difference between number of viruses, and the number of critical bugs. I read a count that there are more, and more severe bugs in Linux than in ... I think it was Windows XP ... it's just that they haven't been exploited. (Does somebody have this reference? I read it about three years ago.) Anyhow, I remember showing this article to my not-very-OS-literate boss, who wanted to get rid of all the Windows computers because "Linux was better". He couldn't seem to wrap his head around the fact that all OS's have severe vulnerabilities. Piano non troppo (talk) 07:43, 29 December 2008 (UTC)

Not sure I see a point to your message, so you might should read WP:NOTFORUM (:p) but just for your information:
I'd bet there have been more (non-critical) "bugs" (this word has specific meaning in the open source world; a 'bug' does not require anyone to have ever complained about it, for example) found in Linux (probably either kernel or OS in general) code than Windows code, because people actually bother to look for them on purpose, undoubtedly at least partially because anyone can. They tend to be patched before most people could ever have a problem with them, and again, anyone can make the patch. All software is going to be vulnerable to something at some point, but try not to choke on the Microsoft propaganda. Do you think using Linux makes a person a "communist", too? (nevermind the question of whether communism is fundamentally bad or not)... that's another claim emanated from Microsoft. :p (good for a laugh :p ¦ Reisio (talk) 11:12, 29 December 2008 (UTC)
Wow.. Reisio, you're choking on Linux propaganda there. I'm a security enthusiast, so I try to get by without any bias towards a single distro, and Piano has a point. Linux systems have been known to have extremly bad bugs (talking about security exploits here, not a software bug), and they have been left for a very long time before being patched. There was an article written back around when you commented, that showed a bug that had been in the Linux kernel itself since the very start. There was quite a bit of discussion about why that had not been exploited, but ignoring that, it's propaganda and bias to assume one OS is inherently secure because it is not a MSFT system. And it's very bad form to quote wiki rules but then prove to be absolutely incompetent and biased that you cannot make a coherant comment. "so you might should read" for example. Chrissd21 (talk) 04:11, 6 October 2009 (UTC)

Too few details[edit]

It seems the anti-malware manufacturers have authored this article, not neutral editors.

The article doesn't build a picture that supports the intro. The intro says that Linux is vulnerable (and idiotically alleges that Linux has a 0.93% market share, which is pure bogus and irrelevant in this context because there's a lot of Linux web servers that can potentially be exploited) and that Linux users shall beware, lest evil viruses will invade their computers en masse in the future. That might be true, but the rest of the article doesn't support any statement at all: it just lists viruses and malware. To improve matters, the rest of the article should try to analyse important malware, time when first seen, how extensive the spread, how many infected computers, etc. One tough trouble for the anti-virus manufacturers is that an entire operating system upgrade will accomplish very much the same as installing and running an antivirus program, but it will also accomplish so much more. It would be important to know how upgrading the OS inhibits the malware spreading opportunities, and that this fact might actually be a reason why malware constructors cannot be very successfull on Linux and other free Unix lookalikes. ... said: Rursus (bork²) 08:47, 23 January 2009 (UTC)

Why it is very hard to know the estimates of Linux users: HERE!. Desktop market share numbers of 0.93% is:
  1. temporary,
  2. misleading,
  3. irrelevant in this context, since servers are more likely to be directly connected to the web.
... said: Rursus (bork²) 08:57, 23 January 2009 (UTC)

Removed biased strawman quote[edit]

I removed this: One of the vulnerabilities of Linux is that many users think it is not vulnerable to viruses. Tom Ferris, a researcher with Mission Viejo, California-based Security Protocols, said in 2006, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or Mac OS X. But that's not necessarily true ..."[4]

Who are those people who believe that nobody writes malware for Linux? He just made them up. There are people who believe that virus are a non-issue on Linux -- I'm one of them. We certainly don't believe there's no malware, however. The problem is that this guy, along with many other trying to sell their snake-oil, equate virus with malware when it suits them. Antivirus software generally only protect about actual viruses, not other classes of malware. Niczar ⏎ 19:15, 22 May 2009 (UTC)

Niczar.. Wtf was that? Virus is a subtype of malware. To say malware is perfectly acceptable. And the "if it's not MSFT based it's secure" is a very common mindset. Why was that comment removed? It could have been the saving point of this page. As it is, all I see are biased editors who have no idea about what they're doing. Leave your bias outside before removing comments. If no-one objects, i'll place that comment back in. When I figure out the wiki rules on doing so of course.. Chrissd21 (talk) 04:16, 6 October 2009 (UTC)
Well the proper response according to verifiability policy would be to say neither unless a proper source is cited. And even then, a proper source should be more than an editorial, but perhaps someone who's studied the prevalence or various malware. I'll see if I can look into it more. —Preceding unsigned comment added by HamburgerRadio (talkcontribs) 04:46, 6 October 2009 (UTC)

Moved quote[edit]

Granneman quote at end of Linux malware#Anti-virus applications doesn't sit right. I found a better home for it just before Linux malware#Viruses and trojan horses.--Rfsmit (talk) 15:47, 14 July 2009 (UTC)

Makes sense to me. - Ahunt (talk) 15:50, 14 July 2009 (UTC)

Software Installation Method is the Linux Advantage Here[edit]

Is not the real reason for a low malware count on Linux the fact that most distributions install software from a central repository and the fact that Linux users are not using technologies like ActiveX, which appears to even more of an issue than Javascript and Java in MS browsers? This is also an advantage for any of the BSD variants and most UNIX systems in general. The real dangers for Linux still come from potential future drive by downloads due to bugs in the Javascript and Java in web browsers, so using noscript is really necessary for Linux as well I would think. —Preceding unsigned comment added by (talk) 05:30, 4 November 2009 (UTC)

That is certainly one advantage, but the permissions environment certainly plays a big role as well. - Ahunt (talk) 12:47, 4 November 2009 (UTC)

Deployment of programs (including viruses) on Linux is hard[edit]

Another reason for lack of viruses could be that it's hard to write a program that works on all Linux systems, and is easy to install everywhere. [3]

— Preceding unsigned comment added by Mainbegan1 (talkcontribs)

Probably true, but anonymous blogs aren't WP:RS. See also WP:SPS. If you have a reliable source this can be added in. - Ahunt (talk) 16:48, 6 February 2011 (UTC)

Irrelevant comments[edit]

Why this comment is relevant: "These are the equivalents of User Account Control and Windows Update in modern Windows operating systems"?

It doesn't clarify anything, nor it needs to, the terms used in the article are generic and self explaining...

I'm removing the comment. --Ismael Luceno (talk) 13:32, 22 February 2011 (UTC)

Removing that makes sense to me! - Ahunt (talk) 15:17, 22 February 2011 (UTC)

Dead link[edit]

Reference 66 is a dead link. Not sure how to remove it. — Preceding unsigned comment added by (talk) 09:56, 26 May 2011 (UTC)

Thanks for pointing that out. It isn't available on so it gets tagged as per WP:LINKROT. - Ahunt (talk) 12:36, 26 May 2011 (UTC)

Should Android malware be included here?[edit]

Seeing as though Android is Linux-based, should the vast cocktail of malware that has been written for Android be included here? It would definitely make sense, wouldn't it? --Kenny Strawn —Preceding undated comment added 20:27, 10 August 2011 (UTC).

It would, but if there is enough documented text perhaps it would be more useful to have an Android malware article linked from this one. - Ahunt (talk) 20:33, 10 August 2011 (UTC)
I'd leave it out. The Android kernel is not the same kernel that people use outside of Android when they use Linux, with large portions of the Android kernel being completely new -- the Android "linux" simply isn't what people get when they download the source from Any Android virus which doesn't actually exploit problems in the kernel is simply not a Linux virus -- also if it's not exploiting something that also exists in the mainline kernel, it's simply not relevant to Torvald's version. — Preceding unsigned comment added by (talk) 11:23, 26 January 2012 (UTC)
I think it should be left out, as detailed bellow. --SF007 (talk) 09:27, 13 March 2012 (UTC)

Scott Granneman ref[edit]

One IP editor keeps removing the Scott Granneman assertion that Linux is more secure than Windows with edit summaries like "Source article's arguments involve social engineering/end-user attacks and third party or optional software. Does not discuss native OS protection mechanisms..." Clearly the ref deals with fundamental flaws in the operating system as it discusses root user accounts and the flaws in native application software included in Windows. As far as I can see Granneman's criticisms were valid when he wrote that in 2003 and they have not been addressed. As a result there is no reason to remove this other than to avoid making Windows look bad. - Ahunt (talk) 11:08, 11 January 2012 (UTC)

The question is whether they have been addressed. I have not looked at the latest versions of Windows, but I'd have a hard time believing there isn't at least claims they have been addressed. A newer cite would be good to have. On the other hand I have seen no news about viruses not anymore plaguing Windows or having become a real problem on GNU/Linux. --LPfi (talk) 12:31, 13 January 2012 (UTC)
The evidence is in the virus count - there are more than a million Windows viruses now and the list is growing fast. There is no evidence that the problem has been addressed, although if a ref showing this can be located then the text can be updated, but not removed. Old information doesn't just get removed from Wikipedia, if it is dated then this should be indicated in the text, but the history should be retained. Even if an actually secure version of Windows were invented then the text should indicate that "until Windows X came along Linux was more secure than older versions of Windows..." or something similar. As far as can be discerned Granneman's comments from 2003 are still valid, which says something important by itself and should be retained in the article. - Ahunt (talk) 12:49, 13 January 2012 (UTC)
Okay with more than a week passed I think we now have a consensus to reinstate the deleted text. - 19:28, 19 January 2012 (UTC)
That text made two statements, one is attributable to the source and is a Linux advocates opinion, not any kind of fact. The second "nothing has changed since" is NOT attributable to the source and is WP:OR, and also ridiculous. SchmuckyTheCat (talk)

Should Android malware be considered Linux malware?[edit]

Since Android is based (albeit loosely) on Linux, I am asking for your opinions here: Should Android malware actually be included in this article, or is Android so different from upstream Linux that you don't think it's an issue? Thank you. Kenny Strawn (talk) 01:54, 7 March 2012 (UTC)

We already had this discussion two sections up, but did not reach a conclusion. - Ahunt (talk) 13:05, 7 March 2012 (UTC)

Lets see... malware is "malicious software", so by definition all Android malware is Android software... So lets try to answer (the more general):

"Is Android software Linux software?"

  • From a purely technical perspective, a "typical" Android app is "running on" the Dalvik VM, which itself is "running on" the Linux kernel. The app does not know about the kernel, nor should it care anything about it. In theory, since Android is open source and documented, it should be perfectly possible to create an "alternative Dalvik VM", running on a completely different system like the ipad, in fact, that is exactly what "Alien Dalvik" seems to be trying to do.[4]. I dare to say, then, that this "typical app" is not really a "Linux App" (regardless of the interpretation of "Linux"), sure, it may "run (indirectly) on Linux", but that is hardly relevant since it can provably run on a completely different kernel ("Alien Dalvik"). So the answer would be: No
  • From a "marketing perspective" - Is "Android software" usually referred to as "Linux software"? As far as I know, this never happens, so the answer would be: No
  • From a trademark/legal perspective - I doubt any end-user application todays exists that is both certified "Linux Standard Base"-compatible and "Android"-compatible. So the answer would be: No
  • From a common sense / popular usage perspective - Do people refer to "Android software" as "Linux software"? I don't think that is common, or even used, so the answer would be No

Of course, talking again specifically about malware, if a malicious exploit targeted a specific version of the linux kernel used by a specific Android version (2.3.x for example), then, from a "common sense" perspective we could label it both "Linux malware" and "Android malware", but I don't think that is the case for most (if any) Android malware. So my conclusion is that we avoid labeling "Android malware" as "Linux malware", unless supported by reliable sources. --SF007 (talk) 09:26, 13 March 2012 (UTC)

See also list[edit]

Is there any reason why an IP editor keeps reverting the see also list so it reads:

Each one of these is a redirect to List of computer viruses. What is the point of having six links to the same article? - Ahunt (talk) 20:34, 29 September 2012 (UTC)

Okay since there doesn't seem to be any immediate discussion on this topic I propose removing all these links but the first one, since they all redirect to the same place. - Ahunt (talk) 12:47, 1 October 2012 (UTC)
With no objections or discussion for over a week, as per WP:SILENCE we have consensus to go ahead and remove these. - Ahunt (talk) 12:27, 9 October 2012 (UTC)

Malware in Hosting environments[edit]

IMHO there should be a separate section in the article talking about hosting-environments.
Thats because there is a bunch of Malware targeted to attack Hosting-Environments. As an example there are lots of PHP-Shells, like WSO and other. Once uploaded on a server they will help you gain further access or host malware on the compromised website.
These threads are quite different from those targeted at personal computers and unfortunately often neglected.
I think it is important to talk about this kind of malware, because to cut down the overall level of malware one step is to secure webservers and prevent them of being compromised and starting to distribute malware.

Usually the existing AV-Scanners are really bad at detecting stuff like that.
One Software, that was made to detect this kind of malware would be Linux Malware Detect. It can be used in combination with ClamAV.
Here is a HowTo, that also includes a short statement in how Linux Malware Detect differs from common AV-Scanners.
Trumpf Puur (talk) 10:41, 19 November 2012 (UTC)

Rick Moen quote no longer relevant?[edit]

At the top is a block quote from Rick Moen rebutting the market share argument, saying that most servers are Linux and could be infected by Linux malware, "yet it doesn't happen." Maybe not when that was written, but it happens frequently now. Just this spring, over 20,000 Apache servers were compromised by "Darkleech." Compromised servers are very common, and most user infections now come from compromised websites (run by compromised servers).

We should definitely give a view opposed to the market share argument, but that one just doesn't seem realistic anymore. Anyone opposed to replacing it with something else? And if so, any suggestions for what to replace it with?

--Qwerty0 (talk) 22:23, 7 August 2013 (UTC)

Well I think one way to deal with it is to show how the perspectives have changed at different times, retaining the Moen quote, but indicating the dates involved. it is still worth noting that there seems to be few threats at present to desktop Linux use. - Ahunt (talk) 22:26, 7 August 2013 (UTC)
That sounds like a great compromise. Absolutely true about desktop malware. Both the proponents and detractors of the market share argument agree that there isn't much desktop malware. But the particular point Moen makes against the market share argument just isn't the reality anymore. Linux has a large market share on servers, and it also has a large share of the malware.
As for writing the article, obviously I know how time has made his point moot, and I can write that. But if anyone could provide an updated perspective from the market share argument doubters, that'd be helpful.
--Qwerty0 (talk) 06:42, 8 August 2013 (UTC)
I think that will work best. Since Wikipedia is an encyclopedia, it is important to focus on the history of each subject and not just where it is today! - Ahunt (talk) 15:32, 9 August 2013 (UTC)

Who counters what, now?[edit]

On the section Linux Vulnerability, Shane Coursen is quoted suggesting that the increase in Linux malware is a direct result of the increase in Linux usage, particularly as a Desktop OS. This is followed by a quote from Rick Moen that is said to "counter" the one from Shane Coursen. But reading the source, Rick Moen is actually addressing this question: "Isn't Microsoft Corporation's market dominance, making Linux an insignificant target, the only reason it doesn't have a virus problem?" As you can see, he's responding to a statement that is almost the opposite of Shane Coursen's comment. Reading the two together makes Rick Moen sound deaf and distracted, but I can't think of a better way to phrase it. I'm just going to do a quick edit now, but if someone would like to restructure the section to make more sense, it is sorely needed. 12:18, 27 August 2013 (UTC) — Preceding unsigned comment added by (talk)

Comodo and ESET Linux binaries[edit]

I would like to have some of the content in

incorporated into this article,

particularly the links to where to download Linux binaries from Comodo and ESET.

Plus, does anyone know how to obtain Sophos's client-side/end-user GNU/Linux binaries?

Speaking of Sophos, they offer a "Cloud" anti-malware solution. This is an emerging thing that is part of the broader increase in Virtualisation / Cloud / Service-orientated architecture (trend in I.T.).

--Fleetwoodta (talk) 11:55, 11 June 2014 (UTC)

I reverted your additions. External links are not used in article text and your additions fall afoul of WP:SPAM, WP:SPS and WP:EL. They are not appropriate to include. - Ahunt (talk) 18:28, 12 June 2014 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just added archive links to 4 external links on Linux malware. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

YesY An editor has reviewed this edit and fixed any errors that were found.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

If you are unable to use these tools, you may set |needhelp=<your help request> on this template to request help from an experienced user. Please include details about your problem, to help other editors.

Cheers. —cyberbot IITalk to my owner:Online 16:08, 18 October 2015 (UTC)

- Ahunt (talk) 17:03, 20 October 2015 (UTC)