Will antivirus be more significant on Linux desktop after this xz-util backdoor?

I understand that no Operating System is 100% safe. Although this backdoor is likely only affects certain Linux desktop users, particularly those running unstable Debian or testing builds of Fedora (like versions 40 or 41), **Could this be a sign that antivirus software should be more widely used on Linux desktops? ** ( I know this time is a zero-day attack)

What if, malicious code like this isn’t discovered until after it’s released to the public? For example, imagine it was included in the initial release of Fedora 40 in April. What if other malware is already widespread and affects more than just SSH, unlike this specific case?

My point is,

  • Many people believe that Linux desktops don’t require antivirus software.
  • Antivirus can at least stop malware once it’s discovered.
  • Open-source software is protected by many parties, but a backdoor like this one, which reportedly took 2 years to plan and execute, raises my concern about being more cautious when choosing project code maintainers.
  • Linux desktops will likely be targeted by more attacks as they become more popular.

IMO, antivirus does not save stupid people(who blindly disable antivirus // grant root permission) but it does save some lazy people.

OS rely heavily on users practicing caution and up-to-date(both knowledge and the system). While many users don’t follow tech news, they could unknowingly be running (this/any) malware without ever knowing. They might also neglect system updates, despite recommendations from distro maintainers.

This is where antivirus software can be useful. In such cases, users might be somewhat protected once the backdoor signature is added to the antivirus database.

Thankfully, the Linux community and Andres Freund responded quickly to this incident.

onlinepersona,

The maintainer of xz was pressured into adding a new, unknown maintainer because he was alone and most likely unpaid. Had this critical piece of software been well-funded and the maintainer well-compensated, he probably never would’ve added the maintainer.

Regardless, I’m not sure how an antivirus would help here. This was a component upon which many others were built. How would this have been detected heuristically? Maybe somebody with a deeper understanding can also weigh in whether SELinux could’ve helped here, but if it’s a lib*, I guess not.

IMO the major problem is upstream: fund critical components. If you work in an org using opensource (and I bet you do), try and get them to set aside some kind of budget for opensource projects they use. For example a simple 100€ distributed across selected projects every month or every year. Or more, whatever… just something.

Also probably reproducible builds would help. The distributed archives should not differ from that of multiple build services.

SennheiserHD600,

I dont think av would help with a backdoor, only things like malware, miners, ect. I feel most people that use linux can figure out not to run lil-uzi_leaked-song.mp3.exe

Codilingus,

Music.exe, ahhh the good ol’ limewire days of being too young and novice to not know better.

nyan,

In the specific case of xz-utils, many lazy people would never have been at risk because the issue is limited to xz-utils 5.6.x (a quite recent version). Not updating provided (unusually) a mitigation in this case.

crispy_kilt,

That’s not how antimalware software works. They can do nothing against backdoors.

spaphy,

I find all this “bog down your system” answers to be a crock of shit. Go run ESET nod32 and put it in interactive mode. Yes, you’ll get a lot of prompts but damn you’ll learn so much about what’s going on in your computer and the networks it’s reaching out to. If you’re on windows run glass wire or OSX run little snitch. I used to know a Linux alternative for those but the point stands that you should have tools that you can use in a desktop setting to really understand what is running, and what it’s connecting to. You should have a program running that can check against a database of hashes of files for signature matches. It seems though like there’s not strong enough AV. And I suspect that’s on purpose so state actors can easily get into our systems in all nations.

nshibj,

If you’re on windows run glass wire or OSX run little snitch. I used to know a Linux alternative for those

Would you happen to know the name of a similar tool for Linux? I was just yesterday searching myself but I couldn’t find anything

Para_lyzed,

The port of Little Snitch to Linux is called OpenSnitch. I’ve never used Glass Wire, so I have no idea if that’s what you’re looking for.

nshibj,

Thank you! That’s exactly what I was looking for. I am familiar with Little Snitch for macOS, so this looks perfect.

For anyone interested: github.com/evilsocket/opensnitch

spaphy,

Try portmaster it’s open source. It might not be perfect in UI but I believe that’s what I used last time on Linux.

Secret300,

In this xz scenario an antivirus wouldn’t do shit. it’s better to find and fix vulnerabilities rather than bog your system down with malware

danielfgom,
@danielfgom@lemmy.world avatar

Nope. In Linux the typical action is to immediately get a fix out ASAP and be done with it.

Plus it’s unlikely that AntiVirus would actually make any difference. Even in Windows many things go undetected. All it does is bog down your system

lemmyingly,

I think you got the response we all expected you’d get.

I wonder why we don’t hear about open source anti-virus even though I think there are a couple of them out there.

possiblylinux127,

Because “antivirus” is a panacea

possiblylinux127,

Antivirus software is highly unlikely to detect a backdoor

biribiri11, (edited )

By the way, all Fedora packages are scanned with ClamAV as part of bodhi tests. Here’s the test matrix where xz 5.6.0 passed the scan, and would have allowed the exploit in for the F40 beta if it wasn’t obsoleted by another build where the vulnerability’s mechanism was disabled because it triggered valgrind failures in other software.

Sure, there’s more sophisticated AV software out there, but at the end of the day, the F40 beta was temporarily saved because of luck, the beta freeze period, and valgrind. The ecosystem as a whole was saved because “Jia Tan” wasn’t aware that making Postgres run slightly slower immediately raises alarm bells.

bizdelnick,

What? Use a bloatware that consumes a lot of resources, slows down the whole system and increases the attack surface instead of regular updates? Are you kidding?

possiblylinux127,

Not to mention the proprietary nature of most mainstream antimalware solutions means is can conveniently ignore threats. Such software also tends to be spyware and sometimes even malware

chameleon,
chameleon avatar

Realistically, I think vendors will be trying to push their crap using this attack as leverage. They did it with Heartbleed, Shellshock and the Log4j issue. Their software won't/wouldn't accomplish anything, just like it didn't with those issues, but they're sure as hell gonna try to make it seem like it does.

savvywolf, (edited )
@savvywolf@pawb.social avatar

An antivirus wouldn’t protect against the xz exploit. Imagine it did pull down the database of hashes and found a malicious xz binary, what is it going to do?

It can’t quarantine it, because that would break programs. It could update it, but shouldn’t your package manager be the one in charge of that? So the best it can do is notify you of the exploit… Which also feels like a thing the package manager should be doing.

I think instead of an antivirus, we should have a stricter permissions model. Certain applications can identity locations as “private” which blocks untrusted applications. So a random file you downloaded won’t be able to read your browser cookie jar or Discord session.

Random files you download from the internet should be executed in an unprivileged context which requires a “do you want this application to have access to this?” prompt whenever it does something sketchy.

Interestingly, afaik, Valve already runs Windows games in a secure container when using Proton. Fun fact.

limelight79,

I’d add that if one of the basic libraries is compromised, you can’t trust the anti-virus or really any other program on that system.

savvywolf,
@savvywolf@pawb.social avatar

Yep, the antivirus might need a compression library to manage its database. :P

limelight79,

The xz issue might not directly affect an anti-virus, so maybe in this specific case, it would work fine. But it wouldn’t be hard to come up with another library that would make the anti-virus moot. And even in the xz situation, doesn’t it affect systemd?

All bets are off when you can no longer trust low level software like this.

Also, the Ken Thompson Hack comes to mind.

bacon_pdp,

Didn’t Guix solve that one with its full-source bootstrap?

limelight79,

I am not familiar with that. From a quick glance it looks like the new HURD. But I think even there you’re relying on the work of others.

Atemu,
@Atemu@lemmy.ml avatar

Sorta.

You still need to trust a full Linux kernel and x86 hardware system.

possiblylinux127,

I did not know that about proton. Interesting.

Pantherina,

Antivirus doesnt work. It would need to monitor the whole system all the time, making it like twice as slow. How do you “stop” such a malware? You cant even uninstall xz without borking systemd.

Using SELinux especially for user programs, downloading only from trusted repos, having home non-executable apart from that and using a nonwheel user is the best you can do. Apart from using a hardened base Distro, like Secureblue, QubesOS or Tails.

Wes_Dev,

So, I got malware that seemed to create an hidden proxy or VPN or something when I was online, without me having to install anything. I was on Fedora using Firefox in private mode with Ublock Origin and some script blocker. Ghostery, or Privacy Badger, or something. Fedora has it’s firewall enabled and blocking inbound connections, and SELinux was running. It would occasionally report small things like VLC or Clam AV wanting access to something.

It took me a little bit to realize something was wrong.

I realized it after Google started demanding repeated captcha attempts for everything, I started seeing unsuccessful attempts to sign into my Microsoft account from around the world, and some websites started blocking my IP for abuse. A few times, the blocking page (usually Cloudflare) showed that my public IP was over 240.0.0.0, in the unassigned block. My modem logs showed my machine making outbound connections to these random or impossible IPs at times that roughly lined up with my connection issues.

But if I simply hit refresh on those pages when they blocked me, the websites suddenly returned my correct residential IP address and started working again. I was slow to catch on. Hell, I hadn’t even used my Microsoft account for years, and I assumed Fedora with SELinux would alert me if anything strange was going on. It didn’t. My machine started acting weird, but I couldn’t place my finger on exactly how. I tried tools like Clam AV, or any number of intrusion detection solutions to assuage my growing paranoia. Problem is that they require some knowledge and you have to set them up before things go wrong.

Besides a terminal tool to unhide running processes, which inconsistently returned zero to dozens of unknown short-lived programs with increasingly high PIDs, nothing was detected. I later ran that unhide tool on a live USB of Fedora, and it did the same thing, so I assumed it was a false positive.

Ultimately, it was my fault, I know. I just went on a shady website to watch a TV show. Stupid, but not uncommon. My android phone also started acting strangely around the same time. I assume because I visited the same site to finish some season in bed using Firefox mobile. It’s been replaced entirely now.

But the point is that SELinux didn’t stop anything, I didn’t have to explicitly download or install anything to my machine, and it was some kind of drive-by infection that somehow added my machine to a kind of botnet, I think. Hard to tell just from the various logs I gathered from my machine and modem.

I don’t know what it was doing, but when I finally put all the pieces together, I completely wiped the drive in that machine, including a long dd operation on the drives with /dev/random. Still not sure what I’m going to do with it.

I’m also not sure if the infection was limited to Firefox itself, or if my entire machine was compromised. I may never know for sure.

While I was being stupid, I wasn’t being completely reckless and just running untrusted code from strange places. I watched TV in Firefox’s embedded video player. All it took was going to a website that I found by other people recommending it on social media. I should have known better, but I’m human.

If I can’t even visit a webpage without getting invisible botnet malware that escapes professionally configured tools like SELinux on Fedora, then how are complete newbies, or kids, or grandparents, or “know just enough to be dangerous nerds” (like me) supposed to be safe?

I agree that the user is the single biggest point of failure in security, and should be mindful. But when you’re not installing random Github packages, or turning off your firewall, or enabling SSH, and your machine can still get so easily pwned, what then?

That’s the value of anti-virus software. Yeah, it’s not perfect, but neither is your list of rules to follow. There is no single perfect approach, and people are lazy, impulsive, and sometimes drunkenly want to watch Breaking Bad. I don’t know what the solution is, but outright denying everyday antivirus seems… unwise, I guess?

Even if if takes a month for the vendor to be able to detect it, that’s still protection for anyone who comes after. It doesn’t have to be perfect to make a positive difference.

And, no: For anyone curious, I’m not going into more detail about the website.

possiblylinux127,

Additionally setting up a firewall is pretty important.

Pantherina,

Your distro should absolutely include that. And make sure to actually close all not needed ports, which is more work but the GUIs allow that easily.

possiblylinux127,

Most if not all don’t

Pantherina,

Fedora does

possiblylinux127,

It does? I run Fedora and when I spin anything up it becomes available outside my machine. I installed Firewalld

Pantherina,

Okay thats crazy. Maybe RPM installs can losen the firewall, or maybe common things are always open.

climateserver8538,

cyberplace.social/…/112194735806991939

“4 days since XZ backdoor became public knowledge and most major Linux AV and EDR security vendors still have zero detections… they haven’t even set the static file hashes as malicious.

Can’t wait for all the vendor blogs in a week saying they fully protect against the threat. 👍”

The answer to your question: no.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • linux@lemmy.ml
  • rosin
  • thenastyranch
  • osvaldo12
  • cubers
  • InstantRegret
  • DreamBathrooms
  • cisconetworking
  • magazineikmin
  • Youngstown
  • Durango
  • mdbf
  • slotface
  • ngwrru68w68
  • kavyap
  • JUstTest
  • tacticalgear
  • modclub
  • khanakhh
  • anitta
  • ethstaker
  • tester
  • everett
  • GTA5RPClips
  • normalnudes
  • megavids
  • Leos
  • provamag3
  • lostlight
  • All magazines
    •