Which file formats are used to make viruses in Ubuntu? For example, most Windows viruses are written in .exe format, but I can’t identify the usual format in Ubuntu.

- There are no viruses for Linux in the wild. – Sep 29 '16 at 10:31
- @CelticWarrior Of course there are viruses for Linux, and quite a lot too: https://en.wikipedia.org/wiki/Linux_malware Eshan: Viruses are not limited to a file type; on Ubuntu or Windows, there is not a certain type of file to avoid or anything like that. Read the link in this comment for some information. – Mark Kirby Sep 29 '16 at 10:39
- @MarkKirby that is an answer (and a good one), not a comment. – don.joey Sep 29 '16 at 10:48
- I am not voting to close this question as it is a fair question: are there specific file formats that would contain viruses in Linux. Also @MarkKirby has answered it. – don.joey Sep 29 '16 at 10:48
- @don.joey Done the answer :) Also, I agree, this is not too broad, it asks "should I be careful of any types of file, in case of viruses" and to me, that is quite specific. – Mark Kirby Sep 29 '16 at 10:55
- Biggest issue I have: where are these viruses supposed to originate from? The official repos? (I really am skeptical that will happen.) Launchpad? (Possible, but doubtful since their track record is good on this. Then again, it is easy to live with a system sticking to the official repos.) Random scripts? We don't do that ... we are not the average Windows users ... When a virus can't reach a system or is limited to 1 system it is malware, not a virus ;-) – Rinzwind Sep 29 '16 at 12:53
- You can write a virus in any format that is executed by something. The obvious would be an executable - i.e. ELF or a.out format. But it can also be written in scripting programs like bash script, perl or python. Or as "macros" which "run in" some application - e.g. OpenOffice or emacs. That said, Linux would limit "infection" to the user running them - assuming root is careful about what he installs and runs. Thus on Linux it's more popular to gain root access in some way - and perhaps install a rootkit - than it is to create viruses. – Baard Kopperud Sep 29 '16 at 19:02
- @CelticWarrior Many Windows viruses are spread by infected Linux servers. – mchid Oct 05 '16 at 18:42
- File extensions such as exe aren't usually necessary in Linux because file headers typically include this stuff. Also, text files and other files such as binary ELF etc. are recognized by the system without a file extension. I tried to open a text file in Windows not long ago that didn't have the txt extension in the file name and, to my surprise, Windows didn't know what to do with it. – mchid Oct 05 '16 at 18:55
5 Answers
Contrary to popular belief there are Viruses for Linux and quite a lot too. While they are much less common on Linux and require you to allow them into the system most of the time, they still exist.
Viruses are not limited to a file type, on Ubuntu or Windows. There is not a certain type of file to avoid or anything like that, just be careful. Linux is secure, as long as you are careful.
Some things you can do to be safe are:
- Don't download from 3rd parties unless you trust what you're downloading.
- Use apt or Launchpad (Ubuntu's code hosting service) and similar services to get software from the source.
- Avoid copying and pasting terminal commands you find online, especially if you don't understand them.
You can also use an antivirus like clamav if you want to scan your system for any threats.
sudo apt-get install clamav
Install clamtk for a GUI.
Here is some reading on common linux viruses and how to deal with them.

- They just never have the impact on Linux as on Windows and almost all (if not all) require you yourself to install them. – Rinzwind Sep 29 '16 at 11:22
- @Rinzwind Most viruses on any OS require the user to install them; they just trick the user into thinking they're doing something else. Alternatively, they exploit bugs in specific software (e.g. browsers, mail clients) to acquire elevated privileges. – IMSoP Sep 29 '16 at 17:49
- @IMSoP again how: thing is... we, Linux users, are, in my opinion, better educated. I hear your argument more but besides someone using 12345 as a password (or something similar) those exploits never seem to work. – Rinzwind Sep 29 '16 at 19:39
- "Linux is secure as long as you are careful" - so is Windows (since Microsoft started caring about security) – user253751 Sep 29 '16 at 20:53
- @immibis Sure is, but people turn off UAC and leave it open to attack – Mark Kirby Sep 29 '16 at 20:54
- @MarkKirby UAC doesn't accomplish much on a single-user system; a program can still encrypt all your important files without triggering a UAC prompt. It does prevent it from hooking into the system and making itself unremovable, so that you can remove it, but by that point your files are already encrypted. – user253751 Sep 29 '16 at 21:13
- Isn't clamav pretty useless against Linux threats and more for scanning Windows malware? – Byte Commander Sep 29 '16 at 21:21
- @ByteCommander Really? I have never used it, I am just careful, I just assumed it was for Linux threats. Seems to be the case looking at their site https://www.clamav.net/ – Mark Kirby Sep 29 '16 at 21:24
- That was more of a question than a definite statement, I just have heard that several times... Might be relevant: http://askubuntu.com/q/10373/367990 – Byte Commander Sep 29 '16 at 21:30
- @Rinzwind It doesn't make a lot of sense to say "Linux is more secure because Linux users are more educated". If your education is what's providing the protection, then Windows with you using it would also be secure. Viruses exploit bugs, and bugs are everywhere. A macro-based virus could be entirely resident in one application's settings and file formats, and happily spread across multiple platforms. – IMSoP Sep 29 '16 at 21:32
- @immibis Most of Linux's security focuses on restriction and localization of language, so damage is limited to your user - the system is still unharmed. – Sep 30 '16 at 01:00
- @BharadwajRaju You probably meant to say "damage" instead of "language", but anyway, who cares whether the system is harmed if all your data is gone? Sure the restrictions mean you can create another user account and probably keep using the computer, but on a single user system that's no better than having to reinstall the OS. – user253751 Sep 30 '16 at 01:12
- @IMSoP yes it does. It is the -whole- package that matters: Linux is set up as multi-user system from the start. So security inside the system is a big deal to begin with. So users are limited, and (more importantly) know they are and also why they are. Not getting viruses on a Linux system is part of the mindset of the userbase. And it also translated to the desktop: generally we do not download crap (as much as) Windows users do. – Rinzwind Sep 30 '16 at 05:39
- @immibis and that's why you make (offline stored) backups. I agree with Bharadwaj Raju to an extent (you don't want it to happen but it is not a disaster if it does. Backups are key here ;-) ) – Rinzwind Sep 30 '16 at 05:41
- We don't need to download crap as much as Windows users do because of application package management. With that said, I believe most of the downloaded stuff is source code anyhow so it can be audited before installation for the most part. I'll just say this: my Linux box got a popup for the crypto-lock malware, I closed the webpage and traced the IP of the URL and reported it; I would have been really compromised if I were using Windows but Ubuntu would (should) require a password at least before encrypting the hard drive as far as I know (although, there is always a backdoor somewhere). – mchid Oct 05 '16 at 18:50
- Not to mention the fact that we can just completely wipe and re-install the system again without having to shell out a couple of hundred dollars for installation media. – mchid Oct 05 '16 at 18:58
Extensions mean nothing. While Windows cares about them, there are non-.exe viruses. In Linux, your extension matters little. "What kind of file" is a little more elemental.
Essentially in Linux, it's likely to be some flavour of ELF binary, perhaps as a static or shared object.
It might even hook into the kernel as a module or otherwise as a rootkit, or simply replace a core operating system tool or component with its own one.
Not all of them are though - there are Java viruses, as class files, assembly-based shellcode exploits or even the possibility of malware written in bash (though how it would be run to start with would be interesting).
So essentially, if you aren't sure, don't trust it ;)

- Viruses in bash? Certainly. It'd be easy to make a bash keylogger. – Nonny Moose Sep 29 '16 at 12:19
- Social engineering is a pretty common way to get malware into systems. – Journeyman Geek Sep 29 '16 at 12:39
- @Jean-LouisBonnaffe why? you need root for editing a ./bashrc in your own home? – Rinzwind Sep 29 '16 at 12:49
- @RinzWind Exactly. You'd only need root to install it for all users. – Nonny Moose Sep 29 '16 at 12:54
- Well, there's some rootkits that get in by brute forcing the root accounts... then bjorn stronginthearm's your uncle... – Journeyman Geek Sep 29 '16 at 14:07
- @NonnyMoose yup, stdin is accessible for non-privileged user (and it can get you very far~). also, one powerful input for a keylogger is /dev/input/eventXX - but for that one, I need root – rclyde Sep 29 '16 at 16:46
- Don't forget the fact that file extensions aren't usually necessary in Linux as they are in Windows because of file headers and such. – mchid Oct 05 '16 at 18:52
I'm going to address malware in general for this answer, not just viruses.
Viruses on Linux are not restricted to a particular file extension / type.
To better understand what we're talking about, we first need to understand the link between extensions and file types and how viruses actually work.
In Windows, .exe files contain files in a PE (Portable Executable) file format, which is a format that contains binary executable data. This executable data gets loaded into memory and is then executed by interpreting the instructions in that data.
This means that the easiest way to run your code is to package it into an .exe. There are other ways as well, however. PDF files are notoriously insecure because they contain parts that can be interpreted by the reader. This means that an embedded script can abuse weaknesses in the reader's security and for example search for and modify other PDF files on the system.
It can get even worse. You can abuse programming mistakes in applications to inject malicious code directly into the computer's memory. Once it's there, those instructions can be run as native code and often with high privileges, with devastating results.
So how does this work under Linux?
Linux, like Windows, has a binary executable format. Windows has the PE format, Linux the ELF format. Unices in general have a much less pronounced file extension requirement, so ELF files usually are extension-less. Linux uses Magic Numbers to identify those files, which is why it doesn't need the extensions.
Binaries are, however, not at all popular as a malware distribution method under Linux. This is because end-users very rarely actually manually open binaries they receive. Binaries are installed and managed by the package manager, not the end-user. So the malware needs other attack vectors to inject its code onto the victim.
This means that those other methods (code injection, scripting) are much more popular as malicious code carriers.

The distinction here is not made by file extension, but by a file property set by the command
chmod +x filename
This way you can make an executable from a binary file as well as from a script file.
With ls -l you can list the file properties in a safe manner before execution.
Also, you can run:
file filename
to display more detailed data about a file.
- I get what you are saying here, "permissions are important to security, more than file types" and that is a very good point but perhaps you could explicitly state that. Always assume anyone reading has no prior knowledge of the subject :) Make a simple edit to just clarify that and I will vote this up. – Mark Kirby Sep 29 '16 at 11:13
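The two answers above say that Linux identifies files by magic numbers and by the execute permission, not by extension. An added example (not part of any answer on this page) that inspects both without running the file; classify_file and demo are hypothetical helper names, and the sample files are constructed:

```shell
#!/bin/sh
# Classify a file by its header bytes and permission bits, never by its name.
# Nothing here executes the inspected file.

classify_file() {
    f=$1
    [ -f "$f" ] || { echo "not-a-regular-file"; return 1; }

    # First four bytes as lowercase hex, e.g. 7f454c46 for an ELF binary.
    magic=$(od -An -tx1 -N4 < "$f" | tr -d ' \n')

    case $magic in
        7f454c46) kind=elf ;;         # 0x7f "ELF"
        2321*)    kind=script ;;      # "#!" interpreter line
        4d5a*)    kind=pe ;;          # "MZ", Windows PE/DOS executable
        25504446) kind=pdf ;;         # "%PDF"
        cafebabe) kind=java-class ;;  # also used by Mach-O universal binaries
        *)        kind=other ;;
    esac

    # Same information ls -l shows: any x (or s/t) in the mode string
    # means the file was marked executable, e.g. with chmod +x.
    perms=$(ls -ld -- "$f" | cut -c1-10)
    case $perms in
        *[xst]*) mode=executable ;;
        *)       mode=not-executable ;;
    esac

    echo "$kind $mode"
}

# Constructed samples: names chosen to disagree with the content.
demo() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\002\001\001' > "$d/invoice.pdf"; chmod 755 "$d/invoice.pdf"
    printf '#!/bin/sh\necho hi\n' > "$d/notes.txt";  chmod 644 "$d/notes.txt"
    printf '%%PDF-1.4\n'          > "$d/report";     chmod 644 "$d/report"
    for f in invoice.pdf notes.txt report; do
        echo "$f: $(classify_file "$d/$f")"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The file named invoice.pdf is reported as an executable ELF, which is the mismatch worth noticing before opening anything received from an untrusted source.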
Extensions and executables have little or nothing to do with each other on Windows or Linux, and extensions have nothing at all to do with viruses. When given an explicit file to act on, both operating systems look at the file's header to decide what to do with it. When there is ambiguity in the file name, the two OSes use slightly different strategies to identify the intended target. For example, if you type "echo hello" into the Windows run box, the Windows terminal or a Linux terminal, both will look in each directory in the PATH environment variable for a file called "echo" that has execute permission and attempt to execute it with the argument "hello". Windows will also look for the file "echo.com", "echo.exe", "echo.bat", "echo.cmd", "echo.vb" and a bunch of other extensions that I can't remember offhand, plus any extensions mentioned in the PATHEXT environment variable, before it moves on to the next directory, and if it finds a match, it will attempt to execute that.

- Sorry @BharadwajRaju but you are mistaken. As I explained, in Windows the extension is used to 'improve' the path search but once a suitable candidate is found, it is passed to the loader which examines the 'header' of the file to determine what to do with it. On more recent versions of Windows, that loader is a set of functions contained in ntdll.dll (another executable extension). – Paul Smith Sep 30 '16 at 09:08
- There have been changes but this has been the basic behavior since the days of MS_DOS and CP/M before it. – Paul Smith Oct 03 '16 at 13:56
- @PaulSmith Although Windows can open a file without an extension, Windows typically won't know what to do with the file that has no extension unless you tell it to open with such and such an application. – mchid Oct 05 '16 at 19:03