Sometimes you come across executable files that could be malware.
Actually, any executable code can be malware! You need to trust the developers and verify the integrity of the repositories you add.
Avoid installing or running executable code from random locations.
This is quite hard, and security is a gradient. Try to be on the “pretty secure” side of it.
What files are executable?
A lot of files can contain executable code. Some can only run that code when opened in a specific way, or with a specific program.
Many files need to be made executable manually (the execute bit is not set by default); this is a security measure.
Examples of files executing code:
- .rpm
- .flatpak
- .appimage
- .sh, .bash
- .py
On Linux, files don’t need extensions (like .pdf) for the system to know what they are. You can use the file command to see the file type:
$ file some-executable
some-executable: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, not stripped
$ file some-script
some-script: Bourne-Again shell script, ASCII text executable
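As an added example (not from the original page), this small Python script does what the file command does in miniature: it classifies a file by its leading bytes rather than its extension, and reports whether the execute bit is set. The labels and helper names are my own.

```python
# Added example: classify a file by its magic bytes, like `file`, and
# report the execute bit. Names and labels are my own, not the page's.
import os
import stat

# (magic prefix, label) for the file kinds discussed on this page
MAGIC = [
    (b"\x7fELF", "elf"),        # native Linux binary (an .appimage is ELF too)
    (b"#!", "script"),          # interpreter script: .sh, .bash, .py ...
    (b"MZ", "pe"),              # Windows executable, runnable through WINE/Proton
    (b"%PDF", "pdf"),           # PDF document, may carry JavaScript
    (b"PK\x03\x04", "zip"),     # ZIP container, also .docx/.odt office files
]


def classify(path: str) -> str:
    """Return a kind label from the first bytes, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def has_exec_bit(path: str) -> bool:
    """True if any execute bit is set (what `chmod +x` grants)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def describe(path: str) -> str:
    """One-line summary in the spirit of `file`, e.g. 'x.pdf: elf (exec bit set)'."""
    kind = classify(path)
    suffix = " (exec bit set)" if has_exec_bit(path) else ""
    return f"{path}: {kind}{suffix}"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(describe(p))
```

A file named notes.pdf that starts with the ELF header is reported as elf, which is exactly the mismatch the extension alone would hide.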
Windows Malware
A lot of malware targets Windows, which caused the myth that Linux isn’t vulnerable to viruses.
It is, very much so. Desktop Linux simply has a really small market share.
When using WINE or Proton, or programs like Lutris or Bottles, be aware that you might run Windows malware! The compatibility layer can make it executable and harm your system.
The Bottles Flatpak runs in a sandbox with no filesystem permission by default. This is a good measure to limit what malware can reach.
Office Documents
This may surprise you, but Office documents and PDFs can contain executable code too!
PDFs can contain JavaScript.
TODO: What Linux PDF readers run Javascript?
Office documents can contain Visual Basic (VBA) macro code. Recent versions of MS Office and LibreOffice will warn you before executing it. Is this correct for LibreOffice? What about OnlyOffice, Collabora Office and Calligra Office?
Run untrusted code in a virtual machine
Containers, as used in Bottles and Dangerzone, offer good security.
But using a virtual machine may be even better!
This guide will show you how to do this with virt-manager on an x86_64 (Intel/AMD) machine.
1. Install virt-manager
On dnf (Fedora):
sudo dnf install \
virt-manager \
libvirt-daemon-driver-network \
libvirt-daemon-driver-nodedev \
libvirt-daemon-driver-qemu \
libvirt-daemon-driver-storage-core \
qemu-audio-spice \
qemu-char-spice \
qemu-device-display-qxl \
qemu-device-display-virtio-gpu \
qemu-device-display-virtio-vga \
qemu-device-usb-redirect \
qemu-system-x86-core
On rpm-ostree (Fedora):
rpm-ostree install --reboot \
virt-manager \
libvirt-daemon-driver-network \
libvirt-daemon-driver-nodedev \
libvirt-daemon-driver-qemu \
libvirt-daemon-driver-storage-core \
qemu-audio-spice \
qemu-char-spice \
qemu-device-display-qxl \
qemu-device-display-virtio-gpu \
qemu-device-display-virtio-vga \
qemu-device-usb-redirect \
qemu-system-x86-core
Now enable the needed services (on rpm-ostree Fedora, after the reboot):
sudo systemctl --now enable virtnetworkd.service
sudo systemctl --now enable virtqemud.service
2. Get a suitable ISO
You want a Linux ISO that supports live boot and has all the tools you need.
You can use the Fedora Security Lab or a live install medium of your choice. It can be an advantage to have ClamAV included, to scan files locally.
3. Create a VM
You can use the “QEMU user session”, which runs unprivileged, which is a security benefit. Enable it under “File” → “Add Connection”.
If you want to be extra sure, you can disable storage, so everything you do stays in RAM and is gone when the VM is shut down.
Be sure to keep at least 2 CPU cores and 4 GB of RAM for your host system, otherwise the VM may crash it.
4. Put the file onto a thumbdrive
This is the easiest method of transferring files to the VM. It also avoids giving the VM access to any directory of your host system.
Also, the VM will use its own drivers to read the thumbdrive, which may be a security benefit too.
After starting the VM, you can give it access to your thumbdrive via the top menu “Virtual Machine” → “Redirect USB device”.
5. Analyze the file
You can use virustotal.com and upload files under 650 MB there. You can compress them to reduce their size.
My file actually was a zip bomb: when unpacking it, I suddenly wasn’t able to upload it anymore, as it had grown to over 650× its size!
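As an added example (not part of the original post), this Python snippet reads only the ZIP central directory, so nothing is extracted, and refuses archives whose declared unpacked size or compression ratio is implausible. The thresholds are my own; the 650 MB figure is the upload limit mentioned above.

```python
# Added example: gate a ZIP on its declared sizes before unpacking it.
# Thresholds are my own choices, not from the page.
import io
import zipfile

MAX_UNPACKED = 650 * 1024 * 1024   # upload limit mentioned above
MAX_RATIO = 100                    # genuine data rarely deflates beyond this


def zip_stats(data: bytes) -> tuple[int, int, float]:
    """Return (compressed, declared_uncompressed, ratio) from the central
    directory without extracting anything. Note: these numbers come from
    the archive itself, so treat the check as a first gate, not proof."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comp = sum(i.compress_size for i in zf.infolist())
        uncomp = sum(i.file_size for i in zf.infolist())
    if comp:
        ratio = uncomp / comp
    else:
        ratio = float("inf") if uncomp else 0.0
    return comp, uncomp, ratio


def safe_to_unpack(data: bytes) -> bool:
    """True only if the archive stays within both limits (one layer only;
    a nested archive inside must be checked again after unpacking)."""
    _, uncomp, ratio = zip_stats(data)
    return uncomp <= MAX_UNPACKED and ratio <= MAX_RATIO


def make_sample(payload: bytes) -> bytes:
    """Constructed in-memory archive used for the demo below (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    # 10 MiB of zeros deflates to a few KiB: a miniature zip bomb
    bomb = make_sample(b"\0" * (10 * 1024 * 1024))
    print("bomb:", zip_stats(bomb), "safe:", safe_to_unpack(bomb))
```

Run the real gate on a file with safe_to_unpack(open(path, "rb").read()) before touching it with unzip, ideally inside the VM.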
You can also use ClamAV to scan the file:
clamscan /path/to/file
Both require internet access; ClamAV needs it to download the latest signatures.
Alternative: Dangerzone
Using a VM is tedious, but it is the most secure way.
Dangerzone exists for the purpose of opening possibly malicious office documents, PDFs or images and converting them into safe files with no executable code.
It uses a podman container for that, and further enhances security by not exposing your host kernel: it uses the gVisor application kernel, which acts as a memory-safe and minimal translation layer between the Fedora kernel and the program.
Disclaimer: For me it doesn’t yet work, but it is promising for sure!
Dangerzone is included in Tails.
This happened to me a while ago, so I wanted to write this down.