Why NOD32 for Linux?

I've tested NOD32 for Linux using a free trial and happy it works (with only one minor issue) in Debian and Linux Mint. Now I have to decide is it worth buying? I must admit that I am concerned by the continual increase in malware and knowing how Windows is continually being patched, some criminals will no doubt increasingly focus more on Linux because my observation is that most Linux users are blase about not requiring antivirus protection.

However there is precious little information on Eset's site (unless someone can point me to a page I have missed) which gives me good reasons to buy NOD32 as a desktop Linux user. I know it can help to protect Windows users on the same network but I don't have any.

For example how much Linux malware is included in the signatures? How often do the signatures get updated with new Linux items and how does Eset find out about Linux malware? It seems to me that Eset could usefully add some information to its site to encourage potential purchasers to buy its Linux product.

 

Hello,

You will find information related to ESET NOD32 Antivirus 4 for Linux Desktop here.

 

The reason I have asked this question is that I can't find any real information about Linux detection. The main selling point of NOD32 seems to be various comparisons with other products regarding detection of viruses - which I expect is 99% (or 100%) based on Windows.

The information in this link is remarkably sparse about actual Linux threats.

Detects Multiplatform Threats – ESET's solution for Linux Desktop stops all threats regardless of what operating systems they are targeting - Windows, Linux, or Mac OS ​

Of course a threat may somehow target more than one OS but I would have thought that 99% of threats need to interact with the operating system's services in order to manage themselves. So a threat to Linux must surely be written for Linux. How many are there in NOD32's signatures? Where do new ones come from?

Strong, Proactive Protection – Detecting viruses including new ones in real time, using heuristic analysis of program's ThreatSense® scanning engine ​

According to Wikipedia
http://en.wikipedia.org/wiki/Heuristic_analysis
"heuristic analysis mostly operates on the basis of past experience"
So where does this experience come from in Linux terms?

Where is the information to convince me that NOD32 does anything really useful regarding Linux?

 

It is quite possible for an infection to be cross platform. For example, making use of vounrabilities in Javascript, Flash, ActiveX, or other plug-ins.

An example of this would be the BadBunny Javascript infeciton.

The same signature database is used on NOD32 for Linux as its Windows counterpart, so it is more accurate in saying you are paying for "Eset Protection" for your Linux machine, rather than "Eset protection for Linux".

With regard to heuristic detection, this esentially means that the files are detected by behaviour, which means that samples of any particular infection are not neccesarily required in order for Eset to be able to detect it.

You can have a look at the update info to see exactly what infections are added in each update, and yes, you will note that the majority are Win32/, but this is simply due to the fact that these are the infections that are around at the moment, any Linux infections are added just as quickly and easily to the database.

 

this is correct for multi-OS threats
but no for OS-specific threats targeting just Linux, just mac, or just win64

 

What do you mean? The Windows version will detect Mac / Linux only threats also.

 

exactly, but i mean not only java, html, flash, PDF are threats targeting linux
linux binaries are also affected or the operating system itself by mean of exploits

 

Hello,

Actually, that's quite an interesting question. Malware authors have long targeted Windows (and DOS before that) largely because of Microsoft's large share of the operating system market. Just like other criminals, they have to make decisions about where they are going to expend their effort, and Microsoft Windows typically offers the highest return on investment, by far. That, however, is beginning to change: We've seen the growth of Apple in the personal computer and smartphone markets and the rise of Linux in the enterprise, as well as desktop-friendly distros. On the post-PC front, there's Google's (well, largely Google's) Android operating system, but that's kind of its own separate environment.

As you may (or may not) be aware, the Linux environment is frequently favored by malware operators, not so much as a platform to attack, but for use in their own malware infrastructure (command & control servers for bots, drop zones for stolen data, hosting web and database services and so forth). The efficiency of the Linux network stack (relative to Microsoft Windows, that is) makes it desirable for those types of uses.

Criminals are still going to target services and tools which often run on top of Linux, like Apache, perl, php and so forth, because those let them get at valuable data—sometimes literally, in the case of financial records—as well as serve as attack platforms for the other operating systems. Operating system distributors have responded to this increased pressure by doing things like implementing a SDL to model threats and protect against threats, alert mechanisms with prescriptive guidance and automated (or semi-automated) patching to reduce the exploitation of vulnerable code.

As a result, though, of decreases in operating system-vulnerabilities and market share fragmentation, the criminals have gotten better about "moving up the stack" themselves, attacking scripted languages, document containers, tools and the like, as Nick0 and Toxinon12345 explained. Since these are all largely cross-platform these days, it means that other platforms besides Microsoft Windows are exposed to risk.

When it comes down to it, the criminals involved in the malware ecosystem don't care what operating system you're running; they just want your money, whether its through fraudulent services (fake antivirus programs) or conducting a man-in-the-middle attack as you enter the login credentials to your financial institution's web site. In that context, the fact that the attacked computer is running Windows or Linux is largely irrelevant, it's kind of like having a spirited discussion over the type of knife used in a mugging.

That said, here's a quick (and probably incomplete) list actual Linux-threats I found by searching ESET's virus signature database:

Version=6094 (20110504) Linux/Caem.D
Version=6043 (20110415) Linux/Adm.A (4), Linux/Mighty.A, Linux/Slapper.A
Version=5919 (20110302) Linux/Hydra.A.Gen
Version=5865 (20110211) Linux/Exploit.Bnc.A
Version=5625 (20101116) Linux/Tsunami.C
Version=5388 (20100823) Linux/Exploit.Vmsplice.I
Version=5340 (20100804) Linux/Bofishy.B (2), Linux/Corn (6), Linux/LPRng, Linux/Svat.A
Version=5304 (20100723) Linux/Adm.A, Linux/Svat.C
Version=4848 (2010020 Linux/Exploit.SSHD22.B
Version=4779 (20100117) Linux/Perlexor.A
Version=4493 (20091009) Linux/TrojanDropper.Prl.C
Version=3968 (20090327) Linux/PsyBot.A (2)
Version=3846 (20090211) Linux/Senha.A, Linux/Sicmp.A, Linux/Suffer.A, Linux/Unfstealth.A, Linux/Unk.A
Version=3818 (20090202) Linux/Exploit.Rpc.A
Version=3681 (20081210) Linux/Nkiller.A, Linux/Sk.A
Version=3306 (20080729) Linux/PSW.Small.B
Version=3302 (2008072 Linux/Exploit.Rpc.F
Version=3295 (20080724) Linux/Exploit.Ircd.B, Linux/Exploit.Mirc.B
Version=3292 (20080723) Linux/Exploit.Freeze.A, Linux/Exploit.Interbase.A, Linux/Exploit.OpenSSL.E, Linux/Exploit.Php.A
Version=3291 (20080723) Linux/Exploit.Bonk.A, Linux/Exploit.Nhttpd.A
Version=3288 (20080722) Linux/Exploit.Small.M
Version=3277 (2008071 Linux/Exploit.Mms.A
Version=3276 (20080717) Linux/Zorg.A
Version=3266 (20080714) Linux/RST.B, Linux/Sorso.A (2)
Version=3159 (20080605) Linux/Diesel.976.A (3)
Version=3154 (20080603) Linux/Meche (3)
Version=3152 (20080602) Linux/Tsunami.V
Version=3135 (20080527) Linux/Flooder.Small.P
Version=3119 (20080522) Linux/Tsunami.NAD
Version=3011 (2008040 Linux/Tsunami.NAC
Version=2967 (20080321) Linux/Hacktool.XHide
Version=2953 (20080317) Linux/Fpath.S, Linux/Kayten.A
Version=2846 (20080204) Linux/Tsunami.B
Version=2512 (20070907) Linux/Spy.Alk.A
Version=2489 (2007082 Linux/DDoS.Blitz.C, Linux/Millen.A, Linux/Php.B
Version=2488 (2007082 Linux/SSHLogger.A (2)
Version=2482 (20070824) Linux/Agent.B, Linux/Flooder.Nestea.C, Linux/Kbd.A, Linux/Kbd.B
Version=2434 (20070802) Linux/Chater, Linux/Coptic.A, Linux/Lion, Linux/Ramen
Version=2417 (20070724) Linux/RKSH.A
Version=2339 (20070619) Linux/Thebe.A.gener1
Version=2337 (2007061 Linux/Eternity.A, Linux/Gzid.A, Linux/Podloso.A​

Although it looks like Linux-targeted malware peaked in 2008, declined heavily in 2009 and started to rise back in 2010, I suspect it is more a matter of the criminals who were taking advantage moving to more cross-platform modes of attack, such as IRC, Java, JavaScript, HTML, Office macros, PDF, Perl, PHP, SunOS/Solaris, UNIX and so forth, which I did not look for data on in the virus signature database update listings.

As to where the actual Linux threats came from, pretty much the same as everywhere else: People who found an infection, sample exchanges with other companies or researchers, honeynets and through other means that a Windows-based piece of malware might be submitted.

So, while we can see that the amount of Linux-based malware is quite small compared to that for Windows, there is some. Most Linux users, though, at some point have to connect to the Internet or share files with people who do not use Linux, and those interactions are a source of threats, even if the threat is not a cross-platform one.


Regards,

Aryeh Goretsky