Anti-Virus, Anti-Spyware, and Rootkits in Linux
Last night a user joined up to the #fedora-security channel and sent the following:
Not trying to troll here, but after reading Sparks' blog regarding security I started thinking again about Fedora and Linux in general if you DO get infected. If I understand correctly, if you're infected with a rootkit you're basically screwed. There is no way to really remove it or be sure that you've removed it.
In Windows, on the other hand (if you believe the antivirus/Trojan/etc. programs are telling you the truth), it is possible to completely remove a virus/etc. from Windows. So let's say that in the "Year of the Linux Desktop" some not so nice programs start installing rootkits.
Everybody infected would have to reinstall Fedora. Imagine if all Windows users had to reinstall after an infection. There would be a lot of angry users. I sure would really like to read a blog entry about Trojan removal and Linux from Sparks.
This was interesting and if it hadn’t been so late at night (for me) I’d probably have responded better. But I didn’t and so now I sit at my desk at work contemplating what was asked and said.
As a prior Windoze administrator (servers and clients) I can say that I have NEVER been able to recover a Windoze computer from a rootkit or any other kind of virus. I've come close, I think, but after working for over six hours trying to recover the computer I ended up trashing it and re-imaging the system.
Now I've never had to recover a Unix/Linux system from a rootkit or other virus, but I can imagine that it would be much easier. All you would have to do is remove and reinstall the particular package from one of the mirrors or another trusted source, where the package is hashed and verified against that hash once downloaded. You could potentially have your problem fixed in less than a minute once you realized you had a problem.
Ahh! First you have to figure out that you have a problem! Introducing AIDE! Now AIDE is nothing new, and it is quite simple to set up and to use. Basically AIDE will scan your system every x minutes (you set it up with a cron job) and will compare a stored hash of each file you told it to keep track of with the current hash of that file. It will tell you via email if something changed.
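To make the mechanism concrete, here is a minimal AIDE-style integrity check as an added example (my own illustration, not AIDE's code): one function records a baseline of SHA-256 hashes for every file under a directory, the other re-hashes the same files and reports anything changed, added or removed. It assumes GNU coreutils (sha256sum, find, diff) and that the baseline file lives somewhere the checked system cannot rewrite it.

```shell
#!/bin/sh
# Minimal file-integrity checker in the style of AIDE (added example, not AIDE itself).
#   build_baseline DIR BASELINE   record sha256 of every regular file under DIR
#   check_baseline DIR BASELINE   re-hash DIR and diff against BASELINE;
#                                 returns 0 if identical, 1 (and prints findings) otherwise
# Run from cron, e.g.  */30 * * * * /usr/local/sbin/fim.sh check /etc /srv/fim/etc.sha256
# cron mails the job's output to MAILTO, which gives the "tell you via email" part.

hash_tree() {
    # One "HASH  PATH" line per regular file, sorted by path so runs are comparable.
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

build_baseline() {
    dir=$1; baseline=$2
    hash_tree "$dir" > "$baseline"
}

check_baseline() {
    dir=$1; baseline=$2
    current=$(mktemp)
    hash_tree "$dir" > "$current"
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0                       # nothing tracked has changed
    fi
    echo "INTEGRITY CHANGES under $dir:"
    # '<' lines exist only in the baseline (removed, or old hash of a modified file),
    # '>' lines exist only in the current scan (added, or new hash of a modified file).
    diff "$baseline" "$current" | grep '^[<>]' | sed 's/^</  baseline:/; s/^>/  current: /'
    rm -f "$current"
    return 1
}

# Stand-alone use: fim.sh build|check DIR BASELINE (no-op when no arguments are given).
case "${1:-}" in
    build) build_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

A checker like this only detects tampering that happens after the baseline was taken, and it trusts the kernel and the sha256sum binary on the running system; that is exactly why a machine already known to be rooted has to be rebuilt rather than merely cleaned.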
I’m just shooting from the hip on this but I think I’m going down the right path here. I’d like to hear from others on the Red Hat Security Team and the Fedora Security Team to see how “on track” I am.
UPDATE: As mdious pointed out… Would I trust a rooted system if I hadn’t reinstalled the OS from scratch? The answer: NOPE! :)