VirusInfo: Linux System Reference
Below is a small list of known Linux malware and other threats. This list mostly contains the most significant viruses on the platform, although some of them no longer work or are no longer maintained. This list also contains some viruses that are too minor to warrant a page of their own. The death screen for Linux is the kernel panic.
- Mayhem (x86 and x64) - A multifunctional botnet that works on Linux and FreeBSD. It was most prominent in October 2014, when it spread to thousands of websites using the Shellshock vulnerability.
- Remaiten (x86, mips, mipsel, armeabi, armebeabi) - A botnet that mostly targeted vulnerable routers and IoT devices.
- Snakso-A (x64) - An x64 Linux webserver rootkit that performs iFrame injections.
- Effusion (x86 and x64) - A 32/64-bit injector for webservers running Apache and Nginx. Discovered in 2014.
- Hand of Thief (x86 and x64) - A banker trojan for Linux that was discovered in 2013, mostly ineffective because it relies entirely on a user running the file.
- Kaiten (x86 and x64) - Kaiten is a backdoor trojan that connects to an IRC channel to allow hackers to remotely control an infected computer, mostly used for DDoS attacks.
- Turla (x86) - Turla is a trojan package that targets the Linux operating system. Although it was never confirmed, it is suspected it may have been written by the Russian government for use in targeting other governments and militaries since at least 2008.
- Rexob (x86) - Backdoor trojan.
- Tsunami (x86 and x64) - Active botnet trojan that targets Linux systems, mostly used for DoS attacks.
- Waterfall screensaver - This malware has no official name. It spread via gnome-look.org in 2009 and was used for denial-of-service attacks against a website called "MMOwned", which provides exploits for popular MMORPGs. The malware was removed from the site shortly after it was discovered. It only targeted Debian-based systems.
- Suicide Linux (x86) - Trojan that disables certain things on the user's Linux computer, making it harder to use the computer.
- MEMZ (x86) - Dangerous trojan that can delete the user's MBR; it is unknown whether it has entered the wild.
- 42 (x86) - Open source virus which uses CRC32 instructions for decryption.
- Arches (x86) - Open source virus that infects .ELF files.
- Alaeda (x86 and x64) - A virus that infects other binaries that are in the same directory.
- Binom (x86 and x64) - A virus that infects other binaries in a similar manner to Alaeda. Requires root.
- Bliss (x86) - A virus from 1997 that is speculated to be a proof-of-concept virus rather than an actual virus. Requires root privileges. Debian Linux is still vulnerable to this virus, but because it requires root privileges, the risk is very minimal. To disinfect files, the user can run the binary with the "--bliss-uninfect-files-please" option to disinfect the user's system.
- Brundle (also known as Brundle-Fly) (x86) - An open source research virus, which has its own website and uninstaller.
- Bukowski (x86) - A research virus meant to show that current popular approaches to software security (DAC VMA, randomization, and others) are not sufficient and that other approaches should be considered seriously. This one also has its own website.
- Caveat (x86) - Open-source virus
- Coin (x86) - Open-source virus
- Diesel (x86) - A file infecting virus similar to Alaeda and Binom. Discovered in 2002.
- Hasher (x86) - Open-source virus
- Kagob.a (x86) - File infector virus
- Kagob.b (x86) - File infector virus
- Lacrimae (x86) -
- Lindose (also known as PE.ELF and Winux) (x86) - The first cross-platform virus that affects both Microsoft Windows and Linux computers. It was never seen in the wild; it was only a proof-of-concept virus.
- Linux.Encoder.1 (also known as Trojan.Linux.Ransom.A) (x86 and x64) - Ransomware trojan targeting computers running Linux. The first ransomware trojan discovered on Linux. Discovered on November 5, 2015. Infected several thousand websites.
- MetaPHOR (also known as Simile) (x86 and x64) -
- Nuxbee (x86) - Fairly harmless, non-memory-resident parasitic Linux virus. It searched for .ELF files in the bin directory, then wrote its own .ELF body into the middle of the file. Discovered in December 2001. Requires root.
- OSF.8759 (x86) - Dangerous virus that infects all the files in a directory that it can find, and also infects system files if run as root. It also installs a backdoor onto the system. Discovered in 2002.
- Podloso (also known as the "iPod virus") (x86) -
- Rike (x86) -
- RST (x86) - Most prominent for infecting Korean releases of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005. It installs a backdoor to the system.
- Satyr (x86) - Harmless, non-memory-resident parasitic Linux virus. It searches for other .ELF files on the system and infects them.
- Staog (x86) - The first virus ever written for Linux, in 1996. It was notable for exploiting kernel vulnerabilities to stay resident and infect binaries. It was written in assembly by the hacker group VLAD.
- Vit (x86) - .ELF virus from 2000.
- Winter (x86) - Smallest known Linux virus that infects .ELF files.
- Wit (x86) - Most likely another proof of concept virus.
- Zariche (x86) -
- ZipWorm (x86) - Spreads by infecting .zip files.
- Adm (x86) - Network worm from 2001 that exploited a buffer overrun. It scanned computers on the network for open ports, attempted the attack, infected web pages hosted on the system and propagated further.
- Adore (x86) - An infected computer scans the network for DNS, FTP, and printer servers, infecting them with various methods. A backdoor is installed, and the worm propagates its .ELF body. From 2001.
- Bad Bunny (x86) - Discovered in 2007, it is a cross-platform computer worm written in several scripting languages and distributed as an OpenOffice.org document, which contains a macro written in StarBasic. It runs badbunny.js under Microsoft Windows, badbunny.pl under Linux, and badbunny.rb, and displays a message box and a pornographic image when successfully run.
- Cheese (x86) - Used a backdoor which was installed by another worm. Cheese then removed the backdoor and propagated.
- Devnull (x86) - Computer worm (named after /dev/null) that executes a shell script and connects to an IRC client which then waits for commands.
- Kork (x86) - Worm that only targets Red Hat Linux 7.0. Downloads files that no longer exist, so the virus no longer works.
- Lion (or L10n) (x86) - Worm that was active in 2001 but no longer works.
- Darlloz (several) - Worm that targets home routers, set-top boxes, security cameras, industrial control systems, and other IoT devices.
- Lupper (x86) -
- Mighty (x86) - Appeared in 2002 and used a vulnerability in Apache, also installed a backdoor and joined an IRC botnet.
- Millen (x86) - This worm replicated to Linux systems on Intel platforms and used remote exploits against four different servers to spread to vulnerable computers. If it succeeded in exploiting a system, it spawned a shell on that system to retrieve the mworm.tgz package over FTP. It then uncompressed the contents of the mworm.tgz file into the "/tmp/..." directory. The worm also opened a backdoor on port 1338 and offered a remote shell to any attacker connecting to that port.
- Ramen (x86) - Worm that only targeted Red Hat systems.
- Slapper (x86) - Used the same vulnerability as the Mighty worm. It also operated similarly.
- SSH Bruteforce (x86) - Worm with no official name; it was never spread or released into the wild but was in alpha testing in 2007.