[SOLVED] Detecting Windows Malware on Mint

Post by SaberClassMor »

I know that there is very little to no reason to worry about malware on my Mint OS.
I am not asking for recommendations for anti-malware programs for Linux; I know AM is unnecessary to protect my Linux system.

tl;dr: A Windows computer in my house got infected with a mining trojan, and I have a Windows 10 partition, and I transfer files back and forth to both of them. I'm concerned that my immunity to the malware might let me act as a carrier if I'm careless.

I transfer files over to my flatmate's PC using a couple of USB sticks (small stuff - anime, mainly) pretty regularly. When he upgraded to Windows 11, Windows Defender found a coin miner. He had issues with Windows Defender on 10 for a good long time, and this may or may not have been the cause. We don't know how long it's been there. My Win10 partition seems fine - Windows Defender turns up clear, and the CPU usage is what I expect :roll: Unfortunately, we didn't find out where the miner came from or when the PC was infected.

I realised it's a possibility that I could have given him an infected file without being infected myself, due to it simply not being compatible with Linux. I'd rather not dismiss this out of hand without looking. Is there a way for me to search for potential Windows malware on Mint, even though Mint itself isn't at risk of that malware?

EDIT:
tl;dr despite being a bit difficult to use, ClamAV is the tool for the job.

Post by Termy »

Yes, it's entirely possible, I'm afraid. Linux isn't immune either, but it's certainly far better off. Linux Mint is a distribution of Linux as an operating system, by the way. I'm just being pedantic, but hey, the more you know. :P Anyway, you can use ClamAV, installable with:

sudo apt-get install clamav
There's also a simple GUI for it, called ClamTK, which you might like:

sudo apt-get install clamtk
Or use a GUI to get it, like a software center or something.
I'm also Terminalforlife on GitHub.

Post by Schultz »

If you run Clam, be prepared for a lot of false positives.

Post by Termy »

Schultz wrote: Sun Jan 23, 2022 4:25 pm If you run Clam, be prepared for a lot of false positives.
Oh yeah, I forgot to mention you can get false-positives; it's sort of a given with any anti-virus thing, though.

Post by sleeper12 »

You can check any suspicious files on:

Virus Total:
https://www.virustotal.com/gui/home/upload

Hybrid Analysis:
https://www.hybrid-analysis.com/

Post by Pjotr »

As sleeper12 said.

Don't install AV in your Linux, because it'll actually make your Linux less secure:
https://easylinuxtipsproject.blogspot.c ... urity.html
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by SaberClassMor »

Termy wrote: Sun Jan 23, 2022 3:57 pm Yes, it's entirely possible, I'm afraid. Linux isn't immune either, but it's certainly far better off. Linux Mint is a distribution of Linux as an operating system, by the way. I'm just being pedantic, but hey, the more you know. :P
Ach, semantics, indeed. I know how it works but that doesn't help me stop mixing up words :') Though, I overstated safety on purpose - didn't want the thread to get into the fine details of Linux security when it's not my concern.
I saw that Clam had bad ratings on the Software Centre as just not working so I skipped it. Do you have a better experience?
sleeper12 wrote: Sun Jan 23, 2022 5:19 pm You can check any suspicious files on:

Virus Total:
https://www.virustotal.com/gui/home/upload

Hybrid Analysis:
https://www.hybrid-analysis.com/
These are really cool - the problem is that I have a terabyte of data to check. I'll keep these in my back pocket for smaller files, though, thank you. I'll make use of it for smaller files.
Pjotr wrote: Sun Jan 23, 2022 5:20 pm Don't install AV in your Linux, because it'll actually make your Linux less secure:
https://easylinuxtipsproject.blogspot.c ... urity.html
I'm adding a few more lines to my original post, as it seems I didn't make it clear enough that I am not looking for AM for Linux.

Post by Termy »

SaberClassMor wrote: Mon Jan 24, 2022 10:32 am I saw that Clam had bad ratings on the Software Centre as just not working so I skipped it. Do you have a better experience?
I've had a mostly good experience with ClamAV. It broke for a while, ages ago, because the database refused to update properly, so I wrote a script which manually updated it. That's about the only real issue I've had with it over the years.

I imagine people don't like ClamAV because of false positives, but they exist in other anti-virus software too, so it's not like ClamAV is uniquely terrible in that regard. Another thing people might not like about it, are the defaults, but ClamAV has a lot of options to choose from, which you can see if you check out its man page. The last thing which comes to mind for why people might not like it, is that they tried scanning immediately after installing it, but didn't bother waiting for the actual database to be downloaded.

Then again, maybe a lot of people just hate it because it's anti-virus, since Linux is ... well, Linux. I needn't expand on that. :lol:

Post by AwesomeOpossum74 »

SaberClassMor wrote: Sun Jan 23, 2022 3:10 pm I know that there is very little to no reason to worry about malware on my Mint OS.
As a community, we should not make this assumption; that we are safe from malware just because we use Linux. I am a member of a couple of security news groups that report on the latest hacks and cracks by some very smart black hat groups. Linux is not 100% safe, and is subject to attacks all the time. There is even a new malware that is actually OS-independent, and capable of attacking Linux, Windows and Mac.

And you are correct, since you are in a mixed environment, it is possible that Linux can be a "carrier" for malware that can eventually infect Windows if opened in that environment.

Post by Pjotr »

AwesomeOpossum74 wrote: Mon Jan 24, 2022 5:00 pm
SaberClassMor wrote: Sun Jan 23, 2022 3:10 pm I know that there is very little to no reason to worry about malware on my Mint OS.
As a community, we should not make this assumption; that we are safe from malware just because we use Linux. I am a member of a couple of security news groups that report on the latest hacks and cracks by some very smart black hat groups. Linux is not 100% safe, and is subject to attacks all the time. There is even a new malware that is actually OS-independent, and capable of attacking Linux, Windows and Mac.

And you are correct, since you are in a mixed environment, it is possible that Linux can be a "carrier" for malware that can eventually infect Windows if opened in that environment.
Right. Theoretical risks all over the place (nothing new there, yawn....). But practical risks? Examples of real-life malware dangers with a probability above the radar, for the average Linux desktop user?

Post by AwesomeOpossum74 »

Pjotr wrote: Mon Jan 24, 2022 5:53 pm Right. Theoretical risks all over the place (nothing new there, yawn....). But practical risks? Examples of real-life dangers with a probability above the radar, for the average Linux desktop user?
Why do you think there are frequent security updates for our everyday desktop software? Never mind the many web services that get used on millions of Linux servers, that require constant log checking for things "unusual".

Just one way: Bad actors are always submitting code for addition into the kernel, and other application/service/utility that gets used on our desktops. If it gets through the reviewers and is added to the code base, it has potential to give them access in ways not yet understood by the code maintainers.

Now, to desktop vs. server: We desktop users aren't typically the main focus for malware, servers are. But does that mean we shouldn't be on our guard?

Post by Pjotr »

AwesomeOpossum74 wrote: Mon Jan 24, 2022 6:04 pm
Pjotr wrote: Mon Jan 24, 2022 5:53 pm Right. Theoretical risks all over the place (nothing new there, yawn....). But practical risks? Examples of real-life dangers with a probability above the radar, for the average Linux desktop user?
Why do you think there are frequent security updates for our everyday desktop software?
For fixing security holes, evidently. But stop evading the question: where is the Linux malware that poses a practical real-life risk for Linux desktop users?
AwesomeOpossum74 wrote: Mon Jan 24, 2022 6:04 pm Just one way: Bad actors are always submitting code for addition into the kernel, and other application/service/utility that gets used on our desktops. If it gets through the reviewers and is added to the code base, it has potential to give them access in ways not yet understood by the code maintainers.
Yet more theoretical threats. Stop that please. Practical real-life malware risks above the radar are all that counts here.
AwesomeOpossum74 wrote: Mon Jan 24, 2022 6:04 pm We desktop users aren't typically the main focus for malware, servers are. But does that mean we shouldn't be on our guard?
Yeah, sure we should be on our guard. Just update daily and use your common sense. Nothing new. Yawn....

Post by AwesomeOpossum74 »

Pjotr wrote: Mon Jan 24, 2022 6:20 pm Yeah, sure. Just update daily and use your common sense. Nothing new. Yawn....
I tried. Your comments to me seem negative and/or denialist. Do some research. If you don't believe what I'm saying, that's ok.

Post by Pjotr »

AwesomeOpossum74 wrote: Mon Jan 24, 2022 6:27 pm
Pjotr wrote: Mon Jan 24, 2022 6:20 pm Yeah, sure. Just update daily and use your common sense. Nothing new. Yawn....
I tried. Your comments to me seem negative and/or denialist. Do some research. If you don't believe what I'm saying, that's ok.
Not OK at all. You're just spreading FUD without giving one real-life example of a practical malware threat for Linux desktop users. Not one. All theory, and only theory. Sad.

Post by AwesomeOpossum74 »

Fine. You don't want to do your own research.
Prime example of bad code submissions: https://itwire.com/open-source/torvalds ... trust.html
High level Linux malware info, with lists: https://en.wikipedia.org/wiki/Linux_mal ... jan_horses
And more: https://hacked.com/linux-ransomware-not ... o-protect/

Please make sure you read it all; you shouldn't miss anything. I could keep going, and reference the uptick in Linux malware in the last couple of years, but honestly, I'm done feeding your attitude.

These things affect all of us, not just servers. To assume you're safe just because you're just using desktop, is to fool yourself.

Since you're basically calling me a liar, I feel it's a good time for me to show myself out of this conversation with you.

Post by Schultz »

AwesomeOpossum74 wrote: Mon Jan 24, 2022 8:35 pm These things affect all of us, not just servers. To assume you're safe just because you're just using desktop, is to fool yourself.
They do? I have yet to see one post in this forum about anybody getting a Linux malware. And nobody is assuming anything . . . keep up to date (OS and browser) and don't do anything dumb. That's about as deep as you need to get: relax, you're running Linux.

Post by all41 »

Pjotr wrote: Mon Jan 24, 2022 6:29 pm
AwesomeOpossum74 wrote: Mon Jan 24, 2022 6:27 pm
Pjotr wrote: Mon Jan 24, 2022 6:20 pm Yeah, sure. Just update daily and use your common sense. Nothing new. Yawn....
I tried. Your comments to me seem negative and/or denialist. Do some research. If you don't believe what I'm saying, that's ok.
Not OK at all. You're just spreading FUD without giving one real-life example of a practical malware threat for Linux desktop users. Not one. All theory, and only theory. Sad.
yes fud
how many reports of infection--zero
Everything in life was difficult before it became easy.

Post by Pjotr »

Schultz wrote: Mon Jan 24, 2022 10:17 pm nobody is assuming anything . . . keep up to date (OS and browser) and don't do anything dumb.
Exactly. It's real-life risks that are frequent enough to be counted as practical risks, that we have to act upon. Risks that are (almost) purely theoretical, need not concern the average user.

In theory, you can get hit by a meteorite as soon as you step out of the door. Come to think of it: you can even get hit by a meteorite (provided it's big enough) when you stay indoors all the time. Good God. :shock: :lol:

Total guaranteed security is impossible; we simply have to live with that, in all aspects of life. No choice. And in a hundred years, we'll all be dead. As the French say: c'est la vie.... So shrug your shoulders, smile and make yourself a strong café au lait from freshly ground, good beans. With a fresh croissant to accompany it.

As a bonus, an appropriate song for the Dutch speaking readers:
https://www.youtube.com/watch?v=6XxJ-HAPfcE

Post by SaberClassMor »

Alas, no matter how much I tried to avoid it, another great debate over Linux and malware...sigh.
Termy wrote: Mon Jan 24, 2022 1:57 pm
SaberClassMor wrote: Mon Jan 24, 2022 10:32 am I saw that Clam had bad ratings on the Software Centre as just not working so I skipped it. Do you have a better experience?
I've had a mostly good experience with ClamAV. It broke for a while, ages ago, because the database refused to update properly, so I wrote a script which manually updated it. That's about the only real issue I've had with it over the years.

I imagine people don't like ClamAV because of false positives, but they exist in other anti-virus software too, so it's not like ClamAV is uniquely terrible in that regard. Another thing people might not like about it, are the defaults, but ClamAV has a lot of options to choose from, which you can see if you check out its man page. The last thing which comes to mind for why people might not like it, is that they tried scanning immediately after installing it, but didn't bother waiting for the actual database to be downloaded.

Then again, maybe a lot of people just hate it because it's anti-virus, since Linux is ... well, Linux. I needn't expand on that. :lol:
Took your rec and...yeah. The setup wasn't super easy! I'm putting the step I had to take in another reply so it's easier to search.
I'm not sure what the anguish over false positives is - maybe I have nerves of steel, but it wasn't some soul-crushing disaster that I had to google "BC.Gif.Exploit.Agent" :lol: Thank you for the rec!
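
The workflow discussed in this thread, as an added example that is not from any poster: a shell script that refuses to scan until the ClamAV database has been downloaded, scans a mounted drive recursively, and groups detections by signature name so false positives are easier to triage. The database directory `/var/lib/clamav`, the `CLAMDB` variable, the function names and the sample log lines are assumptions; the `Win.Coinminer.Example-0000000-0` signature name is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: Debian/Mint database directory
# /var/lib/clamav (override with CLAMDB) and caller-chosen scan and log paths.

# db_ready DIR: succeed only once freshclam has downloaded a signature database
# (stored as main/daily .cvd, or .cld after incremental updates).
db_ready() {
    for f in "$1"/daily.cvd "$1"/daily.cld "$1"/main.cvd "$1"/main.cld; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# scan_tree DIR LOG: recursive scan that reports only infected files.
# clamscan exits 0 when clean, 1 on detections, 2 on errors.
scan_tree() {
    db="${CLAMDB:-/var/lib/clamav}"
    if ! db_ready "$db"; then
        echo "no signature database in $db yet; wait for freshclam" >&2
        return 2
    fi
    clamscan --recursive --infected --database="$db" --log="$2" "$1"
}

# summarize_found LOG: detections per signature, most frequent first, so a
# single noisy signature (a likely false positive) stands out.
summarize_found() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1" | LC_ALL=C sort | uniq -c |
        awk '{ print $1, $2 }' | LC_ALL=C sort -k1,1nr -k2,2
}

# flagged_paths LOG: paths of flagged files only, e.g. to hash with sha256sum
# and look up individually rather than uploading the whole drive.
flagged_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p' "$1"
}

# Constructed sample log lines; the Win.Coinminer name is a placeholder.
sample_log() {
    cat <<'EOF'
/media/usb/anime/ep01.mkv: OK
/media/usb/tools/setup.exe: Win.Coinminer.Example-0000000-0 FOUND
/media/usb/pics/a.gif: BC.Gif.Exploit.Agent FOUND
/media/usb/pics/b: c.gif: BC.Gif.Exploit.Agent FOUND
EOF
}

# Usage: sh usb-scan.sh /media/usb /tmp/usb-scan.log
if [ "$#" -eq 2 ]; then
    rc=0
    scan_tree "$1" "$2" || rc=$?
    summarize_found "$2"
    exit "$rc"
fi
```

Scanning from Mint only reads the files, so a flagged Windows executable is never run; anything listed by `flagged_paths` can then be checked one file at a time on the sites linked earlier in the thread.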