2004.09 Anti Virus: Removing Email Viruses and Trojans on a Linux Box
ClamAV Antivirus
COVER STORY
Virus Prevention
Malware is more prevalent than at any time previously. Although this has little effect on a state-of-the-art Linux system, users that run both Windows and Linux can definitely benefit from a virus filter.
BY MARC ANDRÉ SELIG
You may have heard people say “The best way to secure a computer is to cut the wires”. Admittedly, the joke is a bit obsolete. In an age of high-performance batteries and wireless networking, removing the power and network cables may not stop an intruder (see Box 1).
The example on page 20 shows you how to protect yourself against human attackers. Firewalls, regular operating system updates, or sparing use of networking services can all help. In this article, we will be looking at automated malware, which can attack your machines without any human help.
There are three main categories: genuine viruses tend to infect executables on a computer and on any network shares. They are triggered whenever an infected program is launched. In contrast, Trojans more or less rely on a user copying them to a machine and launching them. Worms take this one step further and propagate by automatically hacking into vulnerable services or mailing themselves to new targets.
A fully patched Linux distribution should be more or less immune against this kind of pest. Viruses in the true sense of the word have a hard time attacking Unix anyway. A non-privileged user running a program is not typically allowed to modify that program. Worms and Trojans could be trickier. Luckily, Linux is (still) regarded as an unattractive target by the kind of hackers that put worms together. Also, vulnerabilities in Open Source programs are typically patched within a few hours of becoming known. So you have no need to worry, if your system is up to date.
Things are not quite that simple if you use Windows in addition to Linux. Vulnerabilities in Microsoft programs often remain unpatched for months – gaping holes that provide simple attack vectors. No matter whether you have a parallel Windows installation on your computer, or separate Windows computers on your home network, Linux can help you protect these third-party machines. In this article, we will be looking at a virus scanner that checks incoming messages, or Windows shares accessible to Linux.
Free Virus Scanner
There are any number of virus scanners available for Linux, just like for Windows. Some are free, and others are commercial [4,5]. Most of them are designed to track down Windows viruses and worms. After all, Linux users tend to remedy vulnerabilities rather than run around after worms all day.
More specifically, we will be discussing ClamAV [1], a genuine Open Source product. If you need more protection, you might like to use a second scanner, but the techniques we will be looking at are generic, and will apply equally to whatever scanner you choose.
Box 1: How to harden modern operating systems
What intrusion vectors can a malicious attacker use to compromise your cherished machine?
The most obvious method is to use a network service to access your system. Many Unix systems run a Web server, such as Apache. If this server has a vulnerability, a malevolent hacker may be able to attack it by opening a connection to the Web server and transferring an exploit. On a private machine, you can protect yourself against this attack vector by disabling services or not installing them in the first place.
In principle, any external data could contain an exploit. After downloading an email message to your own machine, simply viewing the message may be all it takes to allow an attacker to exploit a vulnerability. MS Outlook in particular suffers from known vulnerabilities of this kind. This is what makes virus filters for email so important. Web browsers can also be vulnerable, providing an attack vector if used to view an external website. Some of these problems can be resolved by using a proxy, others can not.
Until recently, viruses and worms typically propagated via network filesystems, for example Windows shares with unrestricted access. This problem has been mitigated to a great extent by more restrictive Windows defaults and the use of packet filters.
Some access vectors are fairly arcane, and home users will have little in the line of protection against them. More or less any basic protocol can be exploited if the software running on it is vulnerable. History is full of tales about worms that exploited DNS or some ICMP protocol.
www.linux-magazine.com, September 2004, page 35
Fighting Windows viruses on Linux
Fully automated virus hunting is no exception to the “no pain, no gain” rule. The nastiest thing about the installation is the fact that ClamAV needs a library called GNU MP [2], which most distributions do not install. Check your distribution archives for the library first, before attempting to install ClamAV!
The ClamAV install itself follows the typical Linux approach in most parts. The manual provides guidelines on installing the source code package and Listing 1 gives you an overview. If you run a stand-alone system, add the clamassassin [3] utility. This allows you to link the virus scanner into your email system without re-configuring the SMTP daemon. This is simpler, but also less efficient than other solutions. Note the backticks in the “ln -s” commands.
You can try ClamAV out right after completing the install. Assuming that you have mounted your Windows partitions below /windows, the scan command is as follows:

clamscan -ri /windows

Keeping Up to Date
As you may be aware from experiences with Windows, the best virus scanner is useless if it is not continually updated. In this case “continually” does not mean the user running a manual update once a week, but far more often.
ClamAV provides the freshclam tool for this, a useful utility that automatically updates the program’s virus signature database. Working as the root user, run the following command about once an hour:

/usr/local/bin/freshclam --quiet

You might like to add the command to your /etc/ppp/ip-up file to launch the script every time you open up a PPP connection.
If you have a flat rate, it makes sense to let the cron daemon do the work. To do so, add a line such as the following to your /etc/crontab file:

24 * * * * root /usr/local/bin/freshclam --quiet

This will update the database 24 minutes after every full hour.

Scanning Email
What makes ClamAV really interesting is its ability to automatically scan incoming email messages for viruses. It is more or less a matter of taste how you link this into your existing mail system.
Many users configure a real mail server on their local Linux machine. The Suse YaST utility allows you to do so, for example. A small tool called fetchmail collects incoming email messages from your provider’s server and sends them to your own mail server. In turn, your mail server stores the messages in /var/mail or /var/spool/mail. This leverages the power of the popular mail software.
The easiest way to add ClamAV on a stand-alone system set up this way is to use procmail. To do so, simply add Listing 2 at the start of your ~/.procmailrc. If this file does not exist in your home directory, simply create it.
People who prefer a more comfortable approach and use a GUI-based client such as Evolution or KMail to pick up their mail directly from the server do not need to do without ClamAV. Of course, you have to decide whether you really need a virus filter for email messages if you only view them on Linux – but it certainly won’t hurt …
In this variant, procmail never actually gets to see your mail, so Listing 2 will not work. The approach here is to set up a filter directly in your mail program. Figure 1 shows an example for Evolution. For your pipe you could use the following:

sh -c "/usr/local/bin/clamassassin | grep -i 'x-virus-status: yes'"

In other words, the message is first sent to clamassassin; grep searches for keywords indicating that a virus has been found. If this condition is fulfilled, the offending message is whisked off to a special virus folder.
Figure 1: Using ClamAV with Evolution.
The next question is “How good is the virus scanner?”. To answer this, check out the EICAR file at [7], which was specifically designed for testing antivirus software.

Listing 1: Installing ClamAV and Clamassassin

$ su
Password: root-password
# groupadd clamav
# useradd -g clamav -s /bin/false clamav
# exit
$ tar xzf clamav-0.70-rc.tar.gz
$ cd clamav-0.70-rc
$ ./configure --sysconfdir=/etc
[...]
$ make
[...]
$ su
Password: root-password
# make install
[...]
# exit
$ cd ..
$ tar xzf clamassassin-1.0.0.tar.gz
$ cd clamassassin-1.0.0
$ su
Password: root-password
# install clamassassin /usr/local/bin
# cd /usr/local/bin
# ln -s `which mktemp` .
# ln -s `which formail` .
# exit

Listing 2: ~/.procmailrc for ClamAV

# Use ClamAV to check incoming mail
:0 fw
| /usr/local/bin/clamassassin

# Virus found? If so, move to folder "virus-found"
:0 :
* X-Virus-Status: Yes
virus-found

# Deliver other messages as usual

INFO
[1] ClamAV: http://www.clamav.net/
[2] GNU MP: http://www.gnu.org/directory/GNU/gnump.html or http://www.swox.com/gmp/
[3] Clamassassin: http://drivel.com/clamassassin/
[4] Overview of commercial antivirus products: http://tinyurl.com/33syb
[5] F-Prot by Frisk: http://www.f-prot.com/products/home_use/linux/
[6] Listings from this article and additional configuration tips: http://www.seligma.com/linux-user/virus/
[7] EICAR: http://www.eicar.org/anti_virus_test_file.htm
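Both the procmail recipe in Listing 2 and the Evolution pipe route a message on the X-Virus-Status header that clamassassin adds. The following POSIX sh script is an added example written for this page; it is not code from the article, from ClamAV or from clamassassin. It shows the same routing done by hand, with one refinement a filter author should be aware of: procmail's conditions match the header section only, whereas the plain grep in the Evolution pipe searches the whole message, body included, so a mail whose body merely quotes the text "X-Virus-Status: Yes" would be filed as infected. The two sample messages and the virus-found/inbox folder layout are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): route a mail on the X-Virus-Status
# header, as clamassassin would have set it, looking at the header section only.

# Print the header section of the message on stdin: everything before the
# first empty line (RFC 2822). A trailing carriage return is tolerated.
mail_headers() {
    awk '/^\r?$/ { exit } { print }'
}

# Exit 0 when the header section carries "X-Virus-Status: Yes", 1 otherwise.
# Header names are case-insensitive, hence grep -i as in the article's pipe.
is_flagged_as_virus() {
    mail_headers | grep -iq '^X-Virus-Status:[[:space:]]*Yes'
}

# The check used by the article's Evolution pipe, kept for comparison: it
# searches the whole message, so body text can trigger it.
whole_message_matches() {
    grep -iq 'x-virus-status: yes'
}

# Store the message on stdin below $1/virus-found or $1/inbox (one file per
# message, a constructed stand-in for the procmail folders) and print the
# folder chosen.
route_message() {
    maildir=$1
    tmp=$(mktemp "$maildir/msg.XXXXXX")
    cat > "$tmp"
    if is_flagged_as_virus < "$tmp"; then
        folder=virus-found
    else
        folder=inbox
    fi
    mkdir -p "$maildir/$folder"
    mv "$tmp" "$maildir/$folder/"
    echo "$folder"
}

# Constructed sample messages. FLAGGED is what a mail looks like after
# clamassassin has marked it; CLEAN is harmless but quotes the header text
# in its body.
FLAGGED='From: someone@example.invalid
To: you@example.invalid
Subject: hello
X-Virus-Status: Yes

this body would carry the attachment'

CLEAN='From: friend@example.invalid
To: you@example.invalid
Subject: about your filter
X-Virus-Status: No

Does your filter match the text "X-Virus-Status: Yes" inside a body?'

# Run both messages through the router and show where each one lands.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$FLAGGED" | route_message "$dir"   # virus-found
    printf '%s\n' "$CLEAN" | route_message "$dir"     # inbox
    rm -r "$dir"
}

demo
```

Run it as `sh filter-demo.sh`; the two lines it prints are the folders chosen for the flagged and the clean message. To use the same logic as an Evolution pipe, replace `grep -i 'x-virus-status: yes'` in the article's command with the header-only check, so that only what the scanner wrote decides the routing.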
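The "Keeping Up to Date" section relies on the cron entry actually running, and a crontab line that has silently stopped working leaves the scanner with stale signatures. The following POSIX sh check is an added example written for this page, not code from the article or from ClamAV: it reports whether the signature files freshclam maintains are younger than a given number of minutes. It assumes the database directory is passed in explicitly (for a source install as in Listing 1 this is typically /usr/local/share/clamav, but confirm it against your freshclam configuration), and it assumes the database consists of *.cvd files, which is what main.cvd and daily.cvd were at the time of the article. The fixture function builds a temporary directory with constructed, empty files so the check can be exercised without an installation.

```shell
#!/bin/sh
# Added example (not from the article): verify that the ClamAV signature
# database has been refreshed recently enough.

# signature_db_is_fresh DIR MAX_MINUTES
# Exit 0 when every *.cvd file in DIR was modified within MAX_MINUTES,
# 1 when at least one is older (the stale files are listed on stderr),
# 2 when DIR holds no database files at all (freshclam never ran there).
signature_db_is_fresh() {
    dir=$1
    max_minutes=$2
    count=0
    stale=0
    for f in "$dir"/*.cvd; do
        [ -e "$f" ] || continue            # glob did not expand: no files
        count=$((count + 1))
        # find prints the path only if the file is older than max_minutes
        if [ -n "$(find "$f" -mmin +"$max_minutes" 2>/dev/null)" ]; then
            stale=$((stale + 1))
            echo "stale: $f" >&2
        fi
    done
    [ "$count" -gt 0 ] || return 2
    [ "$stale" -eq 0 ]
}

# Constructed fixture: a temporary directory standing in for the database
# directory, with daily.cvd deliberately dated September 2004.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/main.cvd"
    : > "$d/daily.cvd"
    touch -t 200409010000 "$d/daily.cvd"   # POSIX touch -t: [[CC]YY]MMDDhhmm
    echo "$d"
}

# Demonstration: stale fixture, then the same directory after a "refresh".
demo() {
    d=$(make_fixture)
    if signature_db_is_fresh "$d" 120; then
        echo "fresh"
    else
        echo "not fresh (status $?)"
    fi
    touch "$d/daily.cvd"                   # what a successful freshclam run does
    if signature_db_is_fresh "$d" 120; then
        echo "fresh"
    else
        echo "not fresh (status $?)"
    fi
    rm -r "$d"
}

demo
```

A practical way to use it is a second cron line (or a line in the same hourly job) that calls `signature_db_is_fresh /usr/local/share/clamav 120` and mails root when the exit status is non-zero, which catches a broken PPP hook or crontab entry before the next worm does.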
GLOSSARY
SMTP daemon: The mail server program that handles outgoing (and, in the case of Internet providers, incoming) mail as a background task. SMTP is short for “Simple Mail Transfer Protocol”, the “language” that mail servers use to exchange messages.
groupadd: A command line tool that creates a new user group, “clamav” in Listing 1. You may need to specify the full pathname, “/usr/sbin/groupadd”, to call the program.
useradd: A command line program that allows root to create a new user account. Use the -g flag to specify the group, and -s to specify the login shell for the user. In Listing 1 “/bin/false” ensures that no-one will be able to log in using the new clamav account. The account is only required for running programs.
install: The “/usr/bin/install” program copies the clamassassin tool to the “/usr/local/bin” directory.
procmail: This powerful Mail Delivery Agent receives incoming email messages and stores them in a file on your disk. There are any number of configuration variants, such as sorting email by various criteria. Most modern Linux distributions enable procmail by default when a user creates a ~/.procmailrc file. If this is not true of your system, check [6] for more advice.
Pipe: The pipe character | hands the output from the command on its left for processing to the command on its right.
Cron: This daemon runs in the background and automatically launches programs at specific times. This could mean searching for new documentation once a day, or archiving your Web server logfiles once a month. So-called crontabs contain lists of scheduled tasks, neatly organized by the user accounts on the machine.
Exploit: A program that attacks a vulnerability in another program, thus allowing arbitrary code to be run on the victim system.
Proxy: An entity that translates between a local client, e.g. a Web browser like Mozilla, and a server on the Internet. The proxy accepts the client requests, and forwards them to the server. It forwards the answers to the local client. The proxy can check, correct, or simply cache files, apply access restrictions, and generally enhance security.
DNS: The “Domain Name Service” resolves hostnames, such as www.abcxyz.com, and IP addresses such as 136.199.85.18. As more or less every network program needs DNS, errors in the DNS service are particularly critical.
ICMP: The “Internet Control Message Protocol” is used for network analysis, e.g. to check the connection between two machines, or to discover the maximum permissible packet size. For example, ping tells you whether a computer is up, and accessible across a network. Ping bombs can take down older Windows systems.