I generally agree that AV software is next to useless. But as we have seen with Mac OSX in recent weeks, malware doesn't necessarily have to get root to do damage, nor does it need the user to manually install it. The Flashback trojan did not need any user interaction (the later versions didn't anyway). All it did was attack Java running in the browser and then implant itself in the user's /home directory via a hidden file (a file is hidden if it starts with a period). From there it downloaded another file which then executed and basically connected to a botnet. The good news for OSX was it was simple to remove and you didn't need AV to do it. This guy here gives a thorough overview of how it gets in and how it gets removed.
My point here is that OSX uses the same UNIX security model Linux does, so what happens on OSX should be applicable to Linux. Indeed, I doubt it would take very many changes at all for someone to make Flashback work on Linux. The basic structure of how OSX works and how Linux works are the same in regard to file system permissions.
The only question I have regarding this is if Linux (and Ubuntu in particular) will be immune due to the default umask setting. That is, every file downloaded to /home on Linux is not executable by default (it doesn't have the "x" bit sett). I wonder is OSX enables this same behavior? It seems to me the malware would need a way around this so it could be executed. Does anyone know what OSX's default umask is?
That all aside, even with AV software, you wouldn't have caught this trojan in its early stages (before AV makers put it in their database). So, AV software is no guarantee of being clean. Never has been, never will be. I think there are better solutions like MAC systems (Apparmor) and other sandboxing mechanisms.
Bookmarks