Linux is malware-free — or so many believed for many years. The misconception rested on three assumptions. First, Linux was a niche system, used far less widely than Windows. Second, it was used mainly by IT professionals, who are savvier than the average user. And third, because of the system’s architecture, malware would somehow have to obtain root privileges to do real damage, which greatly complicates attacks.
However, times change, and nowadays Linux-based systems are catching up with Windows in some areas, having long overtaken it in others. What’s more, many developers are trying to make their systems more end-user friendly by providing graphical shells and tools that at first glance are indistinguishable from easy-to-use Windows systems. That has greatly increased the popularity of Linux, but it has also attracted less experienced users who are more prone to mistakes. And the increasing popularity of Linux — in the strategically important server niche as well as on workstations — has drawn more cybercriminal attention.
Admittedly, we haven’t seen a single large-scale epidemic affecting Linux-based systems — yet. But the masterminds behind targeted and APT attacks are creating ever more tools tailored specifically for this family of operating systems. Having analyzed numerous sophisticated threats in recent years, our colleagues from the Global Research and Analysis Team (GReAT) found that most of today’s attacker groups are seriously interested in Linux.
Winnti (aka APT41 or Barium), Cloud Snooper, DarkHotel, Equation, Lazarus, Sofacy, The Dukes, The Lamberts, Turla, WildNeutron, and many others all have tools for attacking Linux-based machines. Another developer of tools targeting Linux is HackingTeam, a company that sells software for so-called legal surveillance to governments and law enforcement agencies. It was hacked a few years ago, and some of its know-how ended up in the hands of cybercriminals. For a more detailed description of these attacker groups and their tools, see our Securelist blog report.
Linux security tips
Our experts have developed a set of recommendations to help minimize threats to Linux systems.
- Create a list of trusted software sources for Linux, and block the installation of software and the running of scripts from third-party sources;
- Update software promptly: set it to update automatically, and avoid updates over unencrypted channels;
- Carefully configure the firewall, making sure it keeps logs and blocks all unused ports;
- Use two-factor authentication and hardware tokens;
- Be prepared for insider attacks: use encryption, Trusted Boot, and hardware integrity control tools;
- Periodically audit all systems, check logs for indicators of attack, and carry out penetration testing;
- Use a Linux server security solution.
In particular, our corporate solution, Kaspersky Total Security for Business, includes components for protecting mail servers and gateways. You can find more detailed advice and recommendations in this Securelist post.