Ubuntu – Remote Access Trojan in Ubuntu

Tags: iptables, malware, networking, security

Introduction

Hello, I'm kind of new to Ubuntu, but I have switched to it from Windows since I have heard that it's more secure and more virus-free. In the last few months I have read a lot about computer viruses, and it has probably made me a bit more paranoid.

The problem

We all know that Linux is more virus-free, but it still has some viruses. What are the chances of getting a Remote Access Trojan (RAT)? I have noticed several times that when I left my room for a while, another window/program I didn't touch was open, and since my computer contains a lot of source code I would consider it 'end-of-my-life' if something like this happened.

Additional Information

  • I uninstalled VNC (vino) from my machine right after the system installation.

  • I have not downloaded anything unknown from the internet, only a few well-known programs using official packages with apt-get install.

  • I haven't visited any websites I wouldn't be sure about (my Ubuntu is only used for programming).

  • I use the ClamAV scanning tool every morning: clamscan -r --bell -i /

  • I have also used rkhunter to scan for possible rootkits; nothing was found.

Solutions I have already heard about but haven't really tested

  • Using Wireshark to monitor traffic (I am not experienced with this tool; I would like to know what kind of data I should be looking for)
  • I have also heard that iptables might be useful

Ending

I know that you can never be 100% sure that your computer is virus-free, but I think having a RAT on your computer is kind of an 'extreme virus'. To be honest, I doubt that someone would really be controlling my PC, since I am sure there is no real way for him to do it, but on the other hand I'm still paranoid about this. Is there any way I can really check it and then finally close this case, which eats a lot of my time searching security forums etc.?

My opinion: I personally doubt that the small group of existing viruses on Linux contains a virus of this type, but maybe I am wrong.

Best Answer

Linux, by design, is already extremely secure because of its permissions model and its core design principles. Unlike Windows, Linux was built with security in mind, which made it very hard to actually penetrate.

With this in mind, penetrating any system is not impossible, but there are a few easy steps you can take to prevent almost any virus from ever reaching your computer.

  • Keep your system up to date!
    If a security vulnerability is found in any well-maintained package, it will be patched exceedingly quickly. Just run sudo apt update && sudo apt full-upgrade every so often to keep all of your packages up-to-date.
  • Avoid PPAs like the plague!
    PPAs are insanely useful for people, but unless you can be 100% sure that they're run by reputable people and are not compromised, do not add them to your system. Malware through APT isn't really in the realm of average possibility, so you'll be safe.
  • Use a Firewall!
    Remember I said that occasionally a bug can be found in a program which may be exploited? Install ufw from APT, and then run this command: sudo ufw default deny incoming. This command will block any incoming connections to your computer. If you need to allow some incoming connection, just add another firewall rule.
  • Scan for Viruses/Rootkits Occasionally!
    Just to play on the safe side, you should use clamav and rkhunter regularly. Once every two weeks will likely be more than enough for 99.9% of people.
  • Use Common Sense!
    The absolute best anti-malware in existence is common sense! Don't visit strange websites, don't download and run unknown files, and the like.
  • Keep Backups!
    In the case of the worst possible incident (something being infected), just wipe your system and restore from a clean backup. If you want to be really safe, you can even make your backups offline (through a live boot) so malware won't have a chance to spread to your drive, except in its raw file form.
  • Encrypt, Baby, Encrypt!
    If you have sensitive data on your drive, it's often a good idea to encrypt it. Decrypt the data when you need to work on it, and re-encrypt it the second you're done. You can even store the encrypted data on a separate drive. This ensures that if malware does somehow get on your machine, its window of opportunity is very small.

Keeping these simple tricks in mind, you should be safe from 99.999% of all malware on Linux. You're already on a secure OS, and I assume you haven't made drastic changes to permissions. You'll be just fine!
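The question asks what to look for when monitoring the machine, and the answer recommends a default-deny firewall. The script below is an added example (not part of the question or the answer) that turns both into a repeatable host self-audit: it confirms ufw's incoming policy, lists TCP services reachable from the network, and lists established connections to non-private addresses together with the owning process. It assumes iproute2's `ss` and `ufw` are installed; `ufw status` and the process column of `ss -p` need root. The `ss`/`ufw` output embedded in the script is constructed sample text, not captured from a real host, so the checks can be run offline; with `--live` the same checks run against the host.

```shell
#!/bin/sh
# Added example (not from the original post): a small self-audit for the checks
# discussed above. Each check reads command output from stdin, so it can be run
# against captured text (the constructed samples below) or, with --live, against
# the host itself. Assumes iproute2 `ss` and `ufw`; the live ufw check needs root.

# Check 1: is ufw's default policy to deny incoming connections?
# Input: output of `ufw status verbose`. Exit status 0 = yes.
fw_default_deny_incoming() {
    grep -q 'Default: deny (incoming)'
}

# Check 2: listening TCP sockets bound to something other than loopback, i.e.
# services reachable from the network. Input: output of `ss -Hltnp`
# (columns: State Recv-Q Send-Q Local Peer Process). Prints "local-address process".
exposed_listeners() {
    awk '{
        a = $4; sub(/:[^:]*$/, "", a)            # strip the port
        if (a ~ /^127\./ || a == "[::1]") next   # loopback only: not exposed
        print $4, $6
    }'
}

# Check 3: established TCP connections whose peer is not a private/loopback
# address, with the owning process. Input: output of `ss -Htnp`. Peers in
# RFC 1918 ranges, loopback and link-local are skipped; everything else is
# printed as "peer process" for review (IPv4-mapped IPv6 peers are not special-cased).
public_peers() {
    awk '$1 == "ESTAB" {
        p = $5; sub(/:[^:]*$/, "", p)
        if (p ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
        if (p ~ /^\[(::1|fe80)/) next
        print $5, $6
    }'
}

# Constructed sample output (not captured from a real host), in `ss -H` layout.
SAMPLE_SS_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 4096 *:5900 *:* users:(("vino-server",pid=2222,fd=9))
LISTEN 0 128 [::1]:25 [::]:* users:(("master",pid=901,fd=13))'

SAMPLE_SS_ESTAB='ESTAB 0 0 192.168.1.5:49152 192.168.1.20:22 users:(("ssh",pid=1400,fd=3))
ESTAB 0 0 192.168.1.5:50210 203.0.113.7:443 users:(("firefox",pid=1500,fd=80))
ESTAB 0 0 192.168.1.5:50300 198.51.100.9:8443 users:(("python3",pid=1600,fd=5))
TIME-WAIT 0 0 192.168.1.5:50100 203.0.113.7:443'

# Constructed `ufw status verbose` output.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)'

if [ "${1:-}" = "--live" ]; then
    if ufw status verbose 2>/dev/null | fw_default_deny_incoming; then
        echo "ufw: incoming connections are denied by default"
    else
        echo "ufw: NOT default-deny for incoming (or ufw not active / not root)"
    fi
    echo "--- listeners reachable from the network ---"
    ss -Hltnp | exposed_listeners
    echo "--- established connections to public addresses ---"
    ss -Htnp | public_peers
else
    echo "--- sample: ufw default policy ---"
    printf '%s\n' "$SAMPLE_UFW" | fw_default_deny_incoming && echo "default-deny incoming: yes"
    echo "--- sample: exposed listeners ---"
    printf '%s\n' "$SAMPLE_SS_LISTEN" | exposed_listeners
    echo "--- sample: public peers ---"
    printf '%s\n' "$SAMPLE_SS_ESTAB" | public_peers
fi
```

On the constructed samples the listener check reports only the sshd socket on 0.0.0.0:22 and the vino-server socket on *:5900 (the cupsd and mail listeners are loopback-only), and the peer check reports the firefox and python3 connections while skipping the LAN ssh session and the TIME-WAIT entry. Run as `sudo sh audit.sh --live` and compare the two lists with what you expect to be running; a listener or an outbound connection owned by a process you cannot account for is exactly the kind of thing worth investigating further, and a listener you did not intend to expose is what the `ufw default deny incoming` rule from the answer is there to block.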