
How to protect and detect keylogger and/or password stealers?

Posted: Thu Feb 23, 2023 4:03 am
by IAMNewbie
Hi!

I'm new to Linux in general. I'm coming from Windows after using it for almost 12 years or so. Every try to use Linux failed with some broken system because I didn't know how to use it.
For a few months I use MX Linux KDE only. I like it because you can customize it in the way you want and when found a good configuration you can rebuild your own custom version which is amazing.

But, since I switched to MX Linux KDE there is one single problem that got me focused:

In Windows there are keyloggers, password stealers and also screenshot takers that could be spying on your PC.
They can run hidden or not (but in this case you can see it in the process explorer).
1. They can have the same name as the running services, e.g. svchost.exe or any other system process and you don't know about it.
2. They can write the malicious spying code right inside the system executable so you will never find it as a standalone executable and most of the time you don't even know about it or inject it into the browser and run when it is running.
3. They can be hidden by Task Manager or Process Explorer or Process Monitor so when you run these tools you will not see them.
4. They can run only once (e.g. when you start your system or your browser) so you will not find them running.
5. If they run only once they can take screenshots e.g. while logging in into your bank account or steal your passwords and send this data to the malicious server and that's it. Job is done!

1. What if there is a script that steals your passwords and/or keylogs you and/or takes screenshots while you are logging into your bank accounts or doing something really important in Linux too?
2. What if they are running hidden by htop or any other task monitors?
3. What if it is injected (in fact, in Linux most of the scripts are plain text so it would be much easier to write the malicious code just by appending it to the end of the file) in the system executables like avahi, dbus or any others?
4. What if it is not injected but it has administrator privileges given by you when you installed some programs like e.g. your browser or something similar?
5. How to know that there is no script or executable taking screenshots and/or keylogging you just when you do something important and not all the time so you will never see it if you are checking for connections or any active sessions or something like that and how to protect you and your system in any of these possible scenarios?

Thank you in advance!

Re: How to protect and detect keylogger and/or password stealers?

Posted: Thu Feb 23, 2023 6:18 am
by j2mcgreg
The malware plague that affects the Microsoft platforms is a problem of their own creation. It does not affect MX or Linux in general. But, you still can get compromised if you obtain software from dodgy sources. Only install packages from our repositories, don't divulge your user or root passwords to anybody and you'll be safe.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Thu Feb 23, 2023 6:25 am
by h3kt0r
Why would companies that develop anti-virus software give up such a considerable share of their revenue, i.e. systems that run on Linux? Maybe viruses are only part of the Windows ecosystem? Maybe viruses are part of the business plan? Maybe viruses (and their "cure", anti-viruses) generate so much money that they have become a driving force of the "windows" ecosystem. Maybe even engineers are paid to develop new viruses for the "anti-virus" companies.
"hey, buddy! The company has spotted you. Write a nice little virus and they'll sign you a contract. As soon as you graduate..."
Maybe even the military and intelligence agencies have taken an interest in such nasty little pieces of code. You know, "cyberwar".

"Fear and ignorance. Ignorance and fear. These are the two nipples of power."

On a side note, you can run "ClamAV" on Linux.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Fri Feb 24, 2023 3:13 am
by IAMNewbie
j2mcgreg wrote: Thu Feb 23, 2023 6:18 am The malware plague that affects the Microsoft platforms is a problem of their own creation. It does not affect MX or Linux in general. But, you still can get compromised if you obtain software from dodgy sources. Only install packages from our repositories, don't divulge your user or root passwords to anybody and you'll be safe.
I know that viruses from Windows cannot affect Linux, which is a different OS, but in the Linux world there are a lot of very good programmers too (most of them). Why wouldn't it be possible for some of them to create malware programs or scripts that run as described above in Linux too?
h3kt0r wrote: Thu Feb 23, 2023 6:25 am Why would companies that develop anti-virus software give up such a considerable share of their revenue, i.e. systems that run on Linux? Maybe viruses are only part of the Windows ecosystem? Maybe viruses are part of the business plan? Maybe viruses (and their "cure", anti-viruses) generate so much money that they have become a driving force of the "windows" ecosystem. Maybe even engineers are paid to develop new viruses for the "anti-virus" companies.
"hey, buddy! The company has spotted you. Write a nice little virus and they'll sign you a contract. As soon as you graduate..."
Maybe even the military and intelligence agencies have taken an interest in such nasty little pieces of code. You know, "cyberwar".

"Fear and ignorance. Ignorance and fear. These are the two nipples of power."

On a side note, you can run "ClamAV" on Linux.
ClamAV is a free tool. Nobody is paying them to put their 100% effort into that tool to detect every possible new virus, since this implies a lot of money.

In the Linux world there are a lot of very good programmers too (most of them). Why wouldn't it be possible for some of them to create malware programs or scripts that run as described above in Linux too?

Why would any of these 5 situations described above not be possible in Linux, since there are a lot of programmers that can do it too?

Re: How to protect and detect keylogger and/or password stealers?

Posted: Fri Feb 24, 2023 7:13 am
by h3kt0r
Very good programmers just love Linux. Why would one compromise someone or something he loves ?

Re: How to protect and detect keylogger and/or password stealers?

Posted: Fri Feb 24, 2023 7:39 am
by j2mcgreg
@IAMNewbie

In order to make Windows as user friendly as possible, Microsoft chose to take some actions that the other OSes eschewed:

-- they made their office suite a sub-module of the kernel so that its various parts could interoperate seamlessly
-- they chose to put the kernel and the user's home directory on the same partition: C:/
-- they chose to give every home computer owner administrative privileges
-- they imposed no restrictions on password length, type, composition or in the early days even its existence
-- they strongly encouraged home users to use Microsoft Mail and Internet Explorer

So all a hacker had to do was to disguise an email attachment to appear to a firewall (if it existed) as though it was an integral Windows component, i.e. a Word document, an Excel spreadsheet, an Internet Explorer extension etc. Once past the firewall, the payload would be executed because the user was bound to have administrative privileges.

In Linux, Unix, and Apple's IOS, the kernel is isolated on its own partition (root) and nothing can be written / no changes can be made to the kernel without the user expressly providing access: the root password. The privileges granted to the regular Linux user can not be co-opted by a hacker / virus creator to implant his / her payload in the kernel.

It's that simple. Microsoft realized that "user friendliness" would make its operating system and its office suite more sellable and in doing so made its products vulnerable to outside attacks.

edited to remove an orphan word

Re: How to protect and detect keylogger and/or password stealers?

Posted: Fri Feb 24, 2023 9:32 am
by MXRobo
@j2mcgreg Factually interesting.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 3:42 am
by IAMNewbie
h3kt0r wrote: Fri Feb 24, 2023 7:13 am Very good programmers just love Linux. Why would one compromise someone or something he loves ?
Because I suppose they love money too and since this Linux work is free then they need some money. Right?

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 3:54 am
by IAMNewbie
j2mcgreg wrote: Fri Feb 24, 2023 7:39 am @IAMNewbie

In order to make Windows as user friendly as possible, Microsoft chose to take some actions that the other OSes eschewed:

-- they made their office suite a sub-module of the kernel so that its various parts could interoperate seamlessly
-- they chose to put the kernel and the user's home directory on the same partition: C:/
-- they chose to give every home computer owner administrative privileges
-- they imposed no restrictions on password length, type, composition or in the early days even its existence
-- they strongly encouraged home users to use Microsoft Mail and Internet Explorer

So all a hacker had to do was to disguise an email attachment to appear to a firewall (if it existed) as though it was an integral Windows component, i.e. a Word document, an Excel spreadsheet, an Internet Explorer extension etc. Once past the firewall, the payload would be executed because the user was bound to have administrative privileges.

In Linux, Unix, and Apple's IOS, the kernel is isolated on its own partition (root) and nothing can be written / no changes can be made to the kernel without the user expressly providing access: the root password. The privileges granted to the regular Linux user can not be co-opted by a hacker / virus creator to implant his / her payload in the kernel.

It's that simple. Microsoft realized that "user friendliness" would make its operating system and its office suite more sellable and in doing so made its products vulnerable to outside attacks.

edited to remove an orphan word
Didn't know that. Interesting.
But there is User Account Control in Windows too which gives you privileges or not, the same in Linux, you can use the root account any time you want. So what would be the difference?

Tell me, please, for each one of the situations below:
1. What if there is a script that steals your passwords and/or keylogs you and/or takes screenshots while you are logging into your bank accounts or doing something really important in Linux too?
2. What if they are running hidden by htop or any other task monitors?
3. What if it is injected (in fact, in Linux most of the scripts are plain text so it would be much easier to write the malicious code just by appending it to the end of the file) in the system executables like avahi, dbus or any others?
4. What if it is not injected but it has administrator privileges given by you when you installed some programs like e.g. your browser or something similar?
5. How to know that there is no script or executable taking screenshots and/or keylogging you just when you do something important and not all the time so you will never see it if you are checking for connections or any active sessions or something like that and how to protect you and your system in any of these possible scenarios?

Why are any of these not possible, since any script kiddie can write a keylogger?

Thank you in advance!

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 6:06 am
by h3kt0r

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 6:48 am
by Outlander
You can open up 'htop' by searching for "process viewer" in the start menu I believe. This will show you absolutely everything that's running and what permissions it has. If you're familiar with all the components of your system it's fairly easy to spot if something strange is running (i.e. a script you didn't run).
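
A command-line cross-check that complements a process viewer, added here as an example and not code from any poster: it lists processes that hold a raw input device under /dev/input open (which a keystroke recorder reading the kernel's input devices would need to do) and processes whose executable has been deleted from disk. The function names, the default allowlist and the sample tree are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): who is reading raw input devices?
# Works on any /proc-style tree, so it runs on constructed data as well as /proc.
# It covers only readers of /dev/input; input observed through the display
# server does not show up here.

TAB="$(printf '\t')"

# input_readers [proc_root]
# One line "pid<TAB>comm<TAB>device" per process holding /dev/input/* open.
input_readers() {
    proc_root="${1:-/proc}"
    for piddir in "$proc_root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        comm="$(cat "$piddir/comm" 2>/dev/null || echo '?')"
        for fd in "$piddir"/fd/*; do
            # Unreadable fds (other users' processes, when not root) are skipped.
            target="$(readlink "$fd" 2>/dev/null)" || continue
            case "$target" in
                /dev/input/*)
                    printf '%s\t%s\t%s\n' "${piddir##*/}" "$comm" "$target" ;;
            esac
        done
    done | sort -u
}

# unexpected_input_readers [proc_root] [allowlist]
# Same output, minus process names on a space-separated allowlist.
# The default allowlist is an assumption; adjust it to what your desktop runs.
unexpected_input_readers() {
    allow="${2:-Xorg systemd-logind}"
    input_readers "${1:-/proc}" | while IFS="$TAB" read -r pid comm dev; do
        case " $allow " in
            *" $comm "*) ;;
            *) printf '%s\t%s\t%s\n' "$pid" "$comm" "$dev" ;;
        esac
    done
}

# deleted_exe_procs [proc_root]
# Processes whose executable no longer exists on disk ("pid<TAB>exe link").
deleted_exe_procs() {
    proc_root="${1:-/proc}"
    for piddir in "$proc_root"/[0-9]*; do
        exe="$(readlink "$piddir/exe" 2>/dev/null)" || continue
        case "$exe" in
            *' (deleted)') printf '%s\t%s\n' "${piddir##*/}" "$exe" ;;
        esac
    done
}

# build_sample_proc dir
# Constructed /proc-like tree for trying the functions offline.
# PIDs, process names and paths are made up.
build_sample_proc() {
    d="$1"
    mkdir -p "$d/101/fd" "$d/202/fd" "$d/303/fd"
    echo Xorg        > "$d/101/comm"
    ln -s /usr/lib/xorg/Xorg "$d/101/exe"
    ln -s /dev/input/event3  "$d/101/fd/7"
    echo sync-helper > "$d/202/comm"
    ln -s '/tmp/sync-helper (deleted)' "$d/202/exe"
    ln -s /dev/input/event3  "$d/202/fd/4"
    echo bash        > "$d/303/comm"
    ln -s /bin/bash          "$d/303/exe"
    ln -s /dev/null          "$d/303/fd/0"
}

if [ "${1:-}" = "--scan" ]; then
    # Live system: run as root to see every process's file descriptors.
    unexpected_input_readers /proc
    deleted_exe_procs /proc
else
    # Default: demonstrate on the constructed tree.
    sample="$(mktemp -d)"
    build_sample_proc "$sample"
    unexpected_input_readers "$sample"
    deleted_exe_procs "$sample"
    rm -rf "$sample"
fi
```

A deleted executable is also normal for a service that is still running after a package upgrade, so treat both lists as leads to look into rather than verdicts.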

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 8:36 am
by j2mcgreg
@IAMNewbie wrote:
But there is User Account Control in Windows too which gives you privileges or not, the same in Linux, you can use the root account any time you want. So what would be the difference?
The difference was that Microsoft had an all or nothing approach to user management where the ordinary users were so locked down that they couldn't even change their wallpaper or add a printer. In order to be productive they had to be administrators.

In Linux, Unix, and IOS regular users are given enough access to be productive without them being able to alter the underlying system.
Yes, you can run as root if you so choose, but it's hammered into you from day one that to do so is stupidity itself!

The real problem for Microsoft's platforms is that corporate users are also home users. They take documents home to work on them on their own machines and if their home machines, where they have full administrator privileges, are compromised with malware that malware will be transferred back to their office the next day along with the documents.
Tell me, please, for each one of the situations below:
1. What if there is a script that steals your passwords and/or keylogs you and/or takes screenshots while you are logging into your bank accounts or doing something really important in Linux too?
2. What if they are running hidden by htop or any other task monitors?
3. What if it is injected (in fact, in Linux most of the scripts are plain text so it would be much easier to write the malicious code just by appending it to the end of the file) in the system executables like avahi, dbus or any others?
4. What if it is not injected but it has administrator privileges given by you when you installed some programs like e.g. your browser or something similar?
5. How to know that there is no script or executable taking screenshots and/or keylogging you just when you do something important and not all the time so you will never see it if you are checking for connections or any active sessions or something like that and how to protect you and your system in any of these possible scenarios?

Why are any of these not possible, since any script kiddie can write a keylogger?
Because all of these scenarios require root access. They are fairly common in Windows because on some level every user is an administrator either at work, or at home or both and because of the way their office suite and other software was constructed, there are pathways into the kernel space that can be exploited by miscreants.
In Linux, Unix, and IOS, there are no vectors into the kernel without explicitly provided root access.

For people like yourself who are novices at Linux, your biggest hurdle will be unlearning the Microsoft Gospel.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 12:22 pm
by uncle mark
j2mcgreg wrote: Sat Feb 25, 2023 8:36 am For people like yourself who are novices at Linux, your biggest hurdle will be unlearning the Microsoft Gospel.
Bingo. Windows teaches its users to be afraid of their computers (or to be foolish with them).

None of Newbie's concerns apply to desktop Linux in the real world.

I spent a number of years doing computer service and repairs. 90% of my work was disinfecting virus laden Windows systems, many of them multiple times for the same users. For those who had continuing problems and when it was appropriate, I moved them to desktop Linux. Not a single one ever had any issues of that sort ever again.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sat Feb 25, 2023 4:08 pm
by MXRobo
More interesting info re. the King of the Antitrust lawsuits – and he's still pushing with things like this:
https://forum.mxlinux.org/viewtopic.php ... 80#p707180
maybe secure-boot and likely more, I don't know because I don't follow Bill Shouldbe-Behind Gates Bars' :letmeout: O.S. or B.S. :liftweight:

I only used Windows at work, and I mostly used non-Windows programs and I skipped Gates' criminal OS and bought my first laptop with Ubuntu on it several years ago, I created a username and never used it, within about 5 months it reached EOL, I had to install a new linux OS on it. I'm glad that I did it that way.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 8:03 am
by IAMNewbie
Real-life examples of Linux viruses
While Linux systems are generally considered to be more secure than other operating systems, they are not immune to viruses. There have been several real-life examples of Linux viruses that have been discovered and neutralized over the years. One example is Linux.Wifatch, a worm that spreads through vulnerable Linux-based Internet of Things (IoT) devices. This virus infects devices, such as routers and smart home devices, and then uses them to spread to other devices on the same network. Linux.Wifatch was notable for its use of encryption to hide its code and for its ability to update itself in order to avoid detection.

Another example is Linux.Encoder.1, a ransomware strain that infects Linux systems. This virus encrypts the victim’s files and demands a ransom payment in exchange for the decryption key. Linux.Encoder.1 was notable for its ability to infect servers, which are often critical to the operation of businesses and organizations. While these examples show that Linux systems can get infected by viruses, it is important to note that the number of viruses specifically targeting Linux systems is still relatively low compared to other operating systems, such as Windows. In conclusion, while Linux systems are less susceptible to viruses compared to other operating systems, it is still important to be aware of the potential risks and to take steps to keep your system secure, such as keeping your system up-to-date, following safe computing practices, and only installing software from trusted sources.
https://linuxconfig.org/can-linux-get-v ... ux-systems

So, there are Linux viruses too. And Linux can be infected as well as Windows can.
So, how to protect against? But how to really know if there is a spyware on your PC or not?

Furthermore it says:
Keep your system up-to-date: Regularly updating your system with the latest security patches is one of the most important things you can do to keep your system secure. Linux systems often provide automatic updates, which make it easy to stay up-to-date.
Use a firewall: A firewall can be used to block incoming and outgoing network traffic based on pre-defined rules. This helps to prevent malware from spreading to or from your system.
Avoid running as the root user: By default, Linux systems run with limited user permissions, which makes it more difficult for malware to execute and spread. When possible, avoid running as the root user, which has full administrative privileges, and instead use a standard user account.
Only install software from trusted sources: Linux systems use a package management system to distribute and install software. This system is carefully monitored and curated to ensure that the software is reliable and free of malware. Always install software from trusted sources, such as the official package repositories for your distribution, and avoid downloading and installing software from untrusted sources.
Consider using anti-virus software: While Linux systems are less susceptible to viruses compared to other operating systems, it is still a good idea to consider using anti-virus software to help protect your system. Some popular anti-virus programs for Linux systems include ClamAV and Sophos Antivirus for Linux.
1) "Keep your system up-to-date" ---> this doesn't mean anything. Windows receives updates too and it still can be infected. So, what's the difference?

2) "Use a firewall" ---> There is a firewall running all the time on Windows and also you can install 3rd party firewall too and still can be infected and there are also viruses that can bypass these firewalls. So, again, what's the difference?
j2mcgreg wrote: Sat Feb 25, 2023 8:36 am
Because all of these scenarios require root access. They are fairly common in Windows because on some level every user is an administrator either at work, or at home or both and because of the way their office suite and other software was constructed, there are pathways into the kernel space that can be exploited by miscreants.
In Linux, Unix, and IOS, there are no vectors into the kernel without explicitly provided root access.
3) "Avoid running as the root user" Ok. But you often need to do something that requires root privileges as well. How do you know if there is a trusted program or script or a virus that asks you for that or an infected trusted program or script that does the same and you don't even know? Second, I have seen a video tutorial on YouTube about a pentester software called Meterpreter that can create Linux viruses that can bypass root too. So? How to be safe? How to know that the program or script that is asking you for root privileges is safe to run or it is a virus or infected with a spyware or it is a ransomware (which is even harder to detect, being a simple encryption program)? How to know if the program or script that is asking you for root access is a safe program but on the other hand it is calling after that the virus to do its job instead?

4) "Only install software from trusted sources" ---> A few years ago a torrent software company recognized that it injected malware (crypto mining) code in its torrent software. Also, I have seen a video about a spyware music player on Linux that had some "extra features" too. So, this means more safety but it is not guaranteed to do so.

5) "Consider using anti-virus software" ---> Oh, come on, most people are using antiviruses all the time in Windows and they still get infected because there are a lot of undetected viruses which are created every day. Antivirus companies invest millions or maybe hundreds of millions of dollars into their antiviruses in order to detect more and more viruses day by day and you want to think that a FREE and open source antivirus can be as good as the ones that spend hundreds of millions of dollars on this?

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.[1][2]
https://en.wikipedia.org/wiki/Linux_malware
Outlander wrote: Sat Feb 25, 2023 6:48 am You can open up 'htop' by searching for "process viewer" in the start menu I believe. This will show you absolutely everything that's running and what permissions it has. If you're familiar with all the components of your system it's fairly easy to spot if something strange is running (i.e. a script you didn't run).
There are, like I said above in the first post, viruses that can be invisible (hidden) to task manager in Windows and also to Process Explorer and Process Monitor too. Why wouldn't they reach the same performance to be hidden in Linux too?

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 9:00 am
by j2mcgreg
@IAMNewbie wrote:
So, there are Linux viruses too. And Linux can be infected as well as Windows can.
So, how to protect against? But how to really know if there is a spyware on your PC or not?
There are no viruses / malware that affect Linux. The "studies" that you reference above were done in ideal laboratory conditions (for the researchers). If you were to read the "studies" in their entirety, nowhere would you find an explanation of how root access was obtained, i.e. a complete explanation of the infection mechanism. Without root access, the payload can't be inserted into the kernel and these "studies" are revealed for what they are: the musings of some bored researchers or touts of the anti-virus vendors.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 9:59 am
by h3kt0r
@IAMNewbie wrote:
So, how to protect against? But how to really know if there is a spyware on your PC or not?
The same way I'm careful about the food I eat. I don't just swallow any dirt that will make me sick.
The analogy with computers is clear: don't download anything from dubious sources, don't install
software from strange sites, don't pick up that USB stick lying around on the parking lot floor, etc...
In fact, to a large extent, YOU ARE the anti-virus !

@j2mcgreg wrote:
There are no viruses / malware that affect Linux.
Well, take a look at that for example : link removed
Of course, it is not a virus as such, nevertheless, it must sting a bit...


Moderator Hat On
I removed your link because it's not within the purview of this forum to publish hacking instructions.
j2mcgreg
Global Moderator

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 10:08 am
by Eadwine Rose
Indeed.. what h3kt0r says.

What I know is that usually when people get a virus on their system, the cause is a PEBCAK thing.

(Problem Exists Between Chair And Keyboard)

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 10:21 am
by CharlesV
@IAMNewbie

A few things I see here ..
First - Eadwine Rose and h3kt0r are spot on about where you go and what you do.

Second - Most people on windows use THE WRONG antivirus, and NOTHING will stop everything!

Third - yes, locking your computers down by doing some simple steps can help A LOT. Lock them, no root unless truly needed. Do NOT load apps from any source but MX repos.

Fourth - If you WANT segmentation of 'the internet', then USE a VM as your ONLY mail / web browsing entity!!

And lastly, If you really want to KNOW if something is on your computer, get a GOOD firewall / router and then track your logs! SEE what is going OUT of your computers and you will learn more about what is ON them.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 10:41 am
by CharlesV
and you can also use something like Tripwire to monitor your computers. There is an open source version and it is used by many people to watch over terminals and other PCI required computers.
https://www.tripwire.com/products
https://github.com/Tripwire/tripwire-open-source

and possibly OSSEC too - looking at this now ...
https://forum.mxlinux.org/viewtopic.php?p=714953
https://www.ossec.net/
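
The idea behind Tripwire-style monitoring, as an added example that is not Tripwire's or OSSEC's own code: record a SHA-256 baseline of files, then report anything changed, new or missing, which is how a line appended to a system script (scenario 3 in the first post) would show up. The function names and the sample files are made up for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): minimal hash-baseline integrity check.

# make_baseline dir...
# Prints "sha256  path" for every regular file under the directories, sorted by path.
make_baseline() {
    find "$@" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
}

# check_baseline baseline_file dir...
# Prints CHANGED / MISSING / NEW lines and returns 1 if anything differs.
check_baseline() {
    baseline="$1"; shift
    current="$(mktemp)"
    make_baseline "$@" > "$current"
    # sha256sum prints 64 hex digits plus two separator characters, so the
    # path starts at column 67 (this keeps paths containing spaces intact).
    report="$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in old))       print "NEW\t" path
            else if (old[path] != $1) print "CHANGED\t" path
            delete old[path]
        }
        END { for (p in old) print "MISSING\t" p }
    ' "$baseline" "$current" | LC_ALL=C sort)"
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# build_sample_tree dir
# Constructed files standing in for system scripts and configuration.
build_sample_tree() {
    mkdir -p "$1/bin" "$1/etc"
    printf '#!/bin/sh\necho "nightly backup"\n' > "$1/bin/backup.sh"
    printf 'interval=24h\n' > "$1/etc/backup.conf"
}

# Demo on constructed data: record a baseline, append a line, re-check.
demo() {
    work="$(mktemp -d)"
    build_sample_tree "$work/root"
    make_baseline "$work/root" > "$work/baseline.sha256"
    echo 'echo "appended line"' >> "$work/root/bin/backup.sh"
    check_baseline "$work/baseline.sha256" "$work/root" || true
    rm -rf "$work"
}
demo
```

For real use, point make_baseline at directories such as /usr/bin and /etc and keep the baseline file somewhere the monitored system cannot write to, since a baseline that can be rewritten alongside the files proves nothing.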

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 12:20 pm
by uncle mark
j2mcgreg wrote: Sun Feb 26, 2023 9:00 am There are no viruses / malware that affect Linux. The "studies" that you reference above were done in ideal laboratory conditions (for the researchers). If you were to read the "studies" in their entirety, nowhere would you find an explanation of how root access was obtained, i.e. a complete explanation of the infection mechanism. Without root access, the payload can't be inserted into the kernel and these "studies" are revealed for what they are: the musings of some bored researchers or touts of the anti-virus vendors.
We have I believe three recent threads going that were started by new adopters coming over from Windows who are bound and determined to prove to us that yes, Linux is vulnerable and you could get pwned in the blink of an eye if you don't take preventive measures. They do not understand that the preventive measures are built in and any "vulnerability" requires proactive root user intervention that no software could prevent. It's the same with those who insist that the latest and greatest software versions must be used because of the "security" issues that have been identified and patched.

I can sympathize. I was once a Windows user who spent an inordinate amount of time and resources doing whatever was necessary to prevent a possible infection. I also made a lot of money fixing computers from those that didn't. Thankfully, I don't have to deal with any of that any more. I just get to use my computer and enjoy the peace of mind that Linux has given me.

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 12:23 pm
by MXRobo
Does running browsers in firejail offer much more security?
Any comments on Opensnitch?
Supposedly it's coming to Debian soon. Do you think MX will have it installed via default in the next release?
Devs or Psychics?

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 12:32 pm
by Stuart_M
Fear is a powerful way (weapon) to manipulate people, especially useful when money is involved. Show the evil lurking out there and this is what is needed to "be safe".

Re: How to protect and detect keylogger and/or password stealers?

Posted: Sun Feb 26, 2023 12:53 pm
by MXRobo
Stuart_M wrote: Sun Feb 26, 2023 12:32 pm Fear is a powerful way (weapon) to manipulate people, especially useful when money is involved. Show the evil lurking out there and this is what is needed to "be safe".
Amen :bouncingsheep: - - :bluefish: :p

Re: How to protect and detect keylogger and/or password stealers?

Posted: Mon Feb 27, 2023 11:58 am
by CharlesV
So… I am sure some folks are gonna argue this, but the stand of “linux cannot get infected” is just flat wrong. And, imo, attempting to bring people into this mind set is wrong!

Yes, agreed that linux has built in safeguards to help against this. And I believe linux is stronger in many ways than most os’s, AND it is FAR less prone to attempts to be hacked and compromised.

However, if you have read ANY linux news the last year then you have witnessed at least three times where issues have hit linux machines. (Not theoretical, but actual attacks and compromises.)

Additionally, if linux were the ONLY thing running on the machine it would be much stronger – however, python is heavily used on most machines and python is being brutally attacked at the supply chain level. Complete libraries are being compromised and used to ‘hack’ machines.

AND, you have products such as google chrome which has various issues with allowing malware on board in its extensions.

I have spent almost 35 years doing programming and support, and since 1995 have done ONLY programming and support – it has been my sole work and I have brought hundreds of machines back from virused, compromised and malware laden slugs. (including ransomware and destructive viruses) Yes, 99.x% of them have been windows.

HOWEVER, I have worked on several linux servers and several linux desktops that have been compromised too. Not too many, probably less than 10 total, but two workstations that had no root privileges, and were heavily malware and compromised to the point of no longer running. One of these I built approx 6 years ago, and while I am not a linux whiz by any means, the machine was a known, good distro, was properly setup and only * I * had the root login info.

And I can also say I have recovered approx 20 or so Macs from being compromised. Many with HEAVILY infected Safari, but also chrome, and several were infected to a point of having to scrap and reload.

Can I say for sure that these machines “had a virus”? No. Can I say for sure something got in and compromised linux? No. However, all of these machines were heavily malware on board for certain, and all of these machines had “something happen” that caused them to not run!

“Fear” .. is warranted if you have been hacked or compromised – ever! And MANY people coming over from Windows have had issues with malware and other problems.

If you’re running Windows on the internet or getting email, you had better be running a GOOD antivirus.

If you’re running linux, I think that it IS prudent to ask questions and either know or at least have an idea on what to keep an eye out for.