Linux Malware Detect (LMD) Overview

Jarret B

Well-Known Member
Staff member
May 22, 2017
Reaction score

When connecting to the Internet there are many malicious threats which can harm the data on your computer. The Operating System (OS) can become in-operable and require to be re-installed. The OS and data and can be restored from a backup if you are able to perform backups of the OS and data. New threats appear on the Internet daily.

Most people think that if they run Linux then they are free from such troubles. It is true that most of the threats out there are Windows based. What most people do not understand is that 90% of all high-end servers are running Linux. Since more of the high-end servers are Linux there are more threats being made against Linux.

So, what is a threat?

Malware and the like…

Malware is composed of many things. Malware consists of viruses, trojans, worms and more. All a user needs to know is that their system is free of Malware.

To find Malware a scanning program will look over specified folders and/or files. When the program scans, it is looking for signatures. A signature is made from a bit of unique code from Malware. The code is then hashed and placed in a database. The scanning program gets the hash from the database and looks through files to see if the hash exists. If the signature is found then the scanning program can alert the user that a threat has been found. The current Linux Malware Detect signature database contains 5,657,522 signatures.

Some people will take an existing Malware program and use it as a basis for a new one. Since some of the code remains intact, the signature is the same for the new Malware. When an existing signature finds a new piece of Malware it is deemed a Heuristic or Generic Detection. Having the same signature as an existing Malware makes the new Malware within the same family.

A completely new piece of Malware will most likely create a new signature. New signatures will cause the database to be updated. The number of Malware is increasing and the databases are updated constantly. When you have a program to scan your system then you will have new signature database updates often.

NOTE: It is possible for a scanner to find a signature match to a file which is not Malware. This match is a false positive. The reverse is true as well. If a new Malware package has been released and is not in the database then the scanner will return a false negative. For this reason the signature database needs to be updated as often as possible.

Let’s look at an example of Malware.

Malware Example

The list of Malware is quite extensive, especially getting into the whole family of a single signature. Choosing Malware to use as an example can be quite easy because of the number of existing samples. So, let’s look at ‘Linux.Encoder.1’.

The Malware is also known as ‘Elf/Filecoder/A’ and ‘Trojan.Linux.Ransom.A’. The family of these types are extensive. The way it works is that it gets into your system attached to a file downloaded from the Internet. Once on your system it will become active and place a ‘readme’ file in every folder on the system. Other data on the system will be encrypted keeping you from accessing the true contents of the files. The ‘readme’ files contain information on how your data is being held captive and you must pay a ransom to have the files decrypted. When the files were encrypted there was a key sent to the server of the Malware creators. Once you pay the ransom it demands, if one was specified, then your data will be restored. A company named BitDefender has the ability to decrypt the files on your system and remove the Ransom-ware Malware. As usual, it is very important to keep your signature database up-to-date.

Before you can perform updates you do need to have the scanner installed. One good scanner used by the Linux Malware Detect program is ClamAV.

Install ClamAV

The ClamAV program can be installed through the standard repository for both Red Hat and Debian systems.

For Red Hat systems perform the following:

yum -y install clamav clamav-devel clamav-update

Once installed you will need to edit the file ‘/etc/clamav/freshclam.conf’. About seven lines down is a line which is ‘Example’. The line needs to have a ‘#’ placed at the beginning to make ‘#Example’. Further down is a line which starts with ‘#DatabaseDirectory’ with a folder following it. Remove the pound sign (#) at the beginning to uncomment the line. Another line which can be added at the bottom of the file is ‘DatabaseMirror’. Save the file and in a Terminal you will need to issue the following command:

sudo chmod -R 777 /usr/lib/clamav

You should be able to issue the command ‘freshclam’ in a Terminal to update the database of ClamAV.

On a Debian system you need to issue the following command:

sudo apt-get install -y clamav

ClamAV should update automatically every hour by default. The database is locked if you try to perform a ‘freshclam’ command to perform an update.

Now that the scanner is installed you need to install LMD definitions and program.

LMD Installation

Whether in Debian or Red Hat the install will be the same. Perform the following commands in a Terminal.

cd /tmp
tar -xvf maldetect-current.tar.gz
ls -l | grep maldetect

The last command will give you a listing of the files and folders with ‘maldetect’ in the name. You should have one similar to ‘ maldetect-1.5’.

cd maldetect-1.5 [or whatever the name of the folder was in the previous step]
sudo ./

Now you will need to configure maldetect to work with the ClamAV Scanner by editing the file ‘/usr/local/maldetect/conf.maldet’. You need to look for a line which starts with ‘scan_clamscan’ and make sure it is set to ‘”1”’. If you want maldetect to automatically quarantine found items set the ‘quarantine_hits’ to a value of ‘1’. To clean the Malware found set the ‘quarantine_clean’ value to ‘1’. If you want to allow user scans to be performed without root access you can change the ‘scan_user_access’ value to ‘1’. Save the file and exit the editor.

NOTE: Since you installed ClamAV first maldetect should already have the scanner setting set to ‘1’. If not, make sure you change it.

To scan all files on your system perform the command from a Terminal:

sudo maldet -a /

A scan will be performed as shown in Figure 1. Maldetect will load the signatures and use the ClamAV scanner to perform the scan for the signatures in the signature file. Results of a scan are placed in a report. A report number, or SCANID, is displayed at the end of the scan. To see the report use the command ‘maldet --report SCANID’.

Figure 01.jpg


In Figure 1 the scan which was just performed created a report with the SCANID of ‘170125-1736.1777’. To see the specific report use the command ‘maldet --report SCANID’. In the case of the scan in Figure 1 the command to see the report would be ‘maldet --report 170125-1736.1777’.

To see a list of all reports use the command ‘maldet -e list’ as shown in Figure 2.

Figure 02.jpg


To restore quarantined files found during a scan use the command:

maldet -s SCANID

As you can see from Figure 2 there have been three scans performed. The scan with the SCANID of ‘170124-2248.22401’ had six hits. This means it found six infected files, on the scan it performed. To use the command ‘maldet --report 170124-2248.22401’ would show results as seen in Figure 3.

Figure 03.jpg


The main things to look at are the following lines:
  1. {HEX}gzbase64.inject.unclassed.15 : /tmp/maldetect-1.5/files/clean/gzbase64.inject.unclassed
  2. {HEX}gzbase64.inject.unclassed.15 : /tmp/maldetect-current.tar.gz
  3. {CAV}Win.Adware.Opencandy-78 : /media/jarret/BookC/Desktop (items)/Windows/SetupImgBsajbdfjaibufibjvSurn_2.5.8.$
  4. {CAV}Win.Adware.Opencandy-78 : /media/jarret/BookC/Desktop (items)/Windows/SetupImgBurn_2.5.8.0.exe
  5. {HEX}gzbase64.inject.unclassed.15 : /tmp/maldetect-1.5/files/clean/gzbase64.inject.unclassed
  6. {HEX}gzbase64.inject.unclassed.15 : /tmp/maldetect-current.tar.gz
Lines 1, 2, 5 and 6 are positive matches found for the maldetect files. The compressed files containing the installation code and the signature database (lines 2 and 6) are noted as being infected. The scanner also detected the signature database itself in lines 1 and 5. Lines 3 and 4 are a Malware called Win.Adware.Opencandy-78. Within the report you can also see that no files were quarantined since the quarantine has not been enabled.

NOTE: Do not run the scans and never check the reports. I have seen large companies do such a thing and find out that a virus was not being quarantined. Since it was not removed the virus was able to spread and cause problems.

As noted at one point in the report you can manually override the quarantine to occur by using the command ‘maldet -q SCANID’. So, if I issue the command ‘maldet -q 170124-2248.22401’ as seen in Figure 4, the infected files will be quarantined.

Figure 04.jpg


Nothing of note occurs when removing the malware which was found during a scan.

NOTE: If you do not enable public scanning then you must run ‘maldet’ as sudo.

Be aware of the threats on the Internet. Keep in mind to always update your signature database as often as you can. Scan your system often.

I hope this article can save you trouble in the future. Happy scanning!
Last edited:

Latest posts