Linux malware#Threats

Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or to cause any serious consequences to the system itself, the malware would have to gain root access to the system.

In the past, it has been suggested that Linux had so little malware because its low market share made it a less profitable target. Rick Moen, an experienced Linux system administrator, counters that:

{{blockquote|[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen.{{cite web |url=http://linuxmafia.com/~rick/faq/#virus4 |title=Virus Department |access-date=2015-12-24 |archive-date=2015-12-25 |archive-url=https://web.archive.org/web/20151225051103/https://linuxmafia.com/~rick/faq/#virus4 |url-status=live }}}}

In 2008 the quantity of malware targeting Linux was noted as increasing. Shane Coursen, a senior technical consultant with Kaspersky Lab, said at the time, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."{{cite web |url=http://www.internetnews.com/dev-news/article.php/3601946 |title=Linux Malware On The Rise |access-date=2008-03-08 |last=Patrizio |first=Andy |date=April 2006 |archive-date=2012-02-05 |archive-url=https://web.archive.org/web/20120205070731/http://www.internetnews.com/dev-news/article.php/3601946 |url-status=live }}

Tom Ferris, a researcher with Security Protocols, commented on one of Kaspersky's reports, stating, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or Mac OS X. But that's not necessarily true."

Some Linux users do run Linux-based anti-virus software to scan insecure documents and email which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:

{{blockquote|...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.}}

Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example, the open source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."{{cite web |url=http://www.clamav.net/doc/latest/clamdoc.pdf |title=Clam AntiVirus 0.96 User Manual |access-date=2011-02-22 |last=ClamAV |year=2010 |archive-date=2011-02-19 |archive-url=https://web.archive.org/web/20110219151745/http://www.clamav.net/doc/latest/clamdoc.pdf |url-status=live }}

Cases of malware intended for Microsoft Windows systems posing a danger to Linux systems when run through compatibility layers such as Wine, while uncommon, have been recorded.{{Cite journal|last1=Duncan|first1=Rory|last2=Schreuders|first2=Z. Cliffe|date=1 March 2019|title=Security implications of running windows software on a Linux system using Wine: a malware analysis study|journal=Journal of Computer Virology and Hacking Techniques|language=en|volume=15|issue=1|pages=39–60|doi=10.1007/s11416-018-0319-9|issn=2263-8733|doi-access=free}}

The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be temporarily infected, as the Linux kernel is memory resident and read-only. Any infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system.

It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges. It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay, or similar program, and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user to run the (trojan) program in the first place.

The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. Subsequently, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of these digital signatures provides an additional line of defense, which limits the scope of attacks to include only the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled. Reproducible builds can ensure that digitally signed source code has been reliably transformed into a binary application.

The classical threat to Unix-like systems are vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

Linux servers may also be used by malware without any attack against the system itself, where e.g. web content and scripts are insufficiently restricted or checked and used by malware to attack visitors. Some attacks use complicated malware to attack Linux servers, but when most get full root access then hackers are able to attack by{{Cite web|url = http://connection.ebscohost.com/c/articles/91650917|title = Stealthy Apache Exploit Redirects Victims to Blackhole Malware.|date = 5 January 2013|last = Prince|first = Brian}} modifying anything like replacing binaries or injecting modules. This may allow the redirection of users to different content on the web.{{Cite web|url = http://www.eweek.com/security/stealthy-apache-exploit-redirects-victims-to-blackhole-malware/|title = Stealthy Apache Exploit Redirects Victims to Blackhole Malware|date = May 1, 2013|access-date = Nov 19, 2014|website=eWeek |last = Prince|first = Brian}} Typically, a CGI script meant for leaving comments, could, by mistake, allow inclusion of code exploiting vulnerabilities in the web browser.

Older Linux distributions were relatively sensitive to buffer overflow attacks: if the program did not care about the size of the buffer itself, the kernel provided only limited protection, allowing an attacker to execute arbitrary code under the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However, as of 2009 most of the kernels include address space layout randomization (ASLR), enhanced memory protection and other extensions making such attacks much more difficult to arrange.

An area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an OpenOffice.org virus called Badbunny.

Stuart Smith of Symantec wrote the following:

What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc, can be abused. All too often, this is forgotten in the pursuit to match features with another vendor... The ability for malware to survive in a cross-platform, cross-application environment has particular relevance as more and more malware is pushed out via Web sites. How long until someone uses something like this to drop a JavaScript infecter on a Web server, regardless of platform?{{cite web |url=http://www.symantec.com/enterprise/security_response/weblog/2007/06/bad_bunny.html |title=Bad Bunny |access-date=2008-02-20 |last=Smith |first=Stuart |date=June 2007 |url-status=dead |archive-url=https://web.archive.org/web/20080324042224/http://www.symantec.com/enterprise/security_response/weblog/2007/06/bad_bunny.html |archive-date=2008-03-24 }}

As is the case with any operating system, Linux is vulnerable to malware that tricks the user into installing it through social engineering. In December 2009 a malicious waterfall screensaver that contained a script that used the infected Linux PC in denial-of-service attacks was discovered.{{cite web |url=http://www.ubuntu-user.com/Online/News/Malicious-Screensaver-Malware-on-Gnome-Look.org |title=Malicious Screensaver: Malware on Gnome-Look.org |access-date=2009-12-12 |last=Kissling |first=Kristian |date=December 2009 |archive-date=2009-12-13 |archive-url=https://web.archive.org/web/20091213142853/http://www.ubuntu-user.com/Online/News/Malicious-Screensaver-Malware-on-Gnome-Look.org |url-status=live }}

The IBM Security Report: Attacks on Industries Supporting COVID-19 Response Efforts Double had as a key point that "Cybercriminals Accelerate Use of Linux Malware – With a 40% increase in Linux-related malware families in the past year, and a 500% increase in Go-written malware in the first six months of 2020, attackers are accelerating a migration to Linux malware, that can more easily run on various platforms, including cloud environments." That these cybercriminals are increasingly using Linux and Unix to target hospitals and allied industries (that rely on these systems and cloud networks) that they are increasingly vulnerable during the COVID-19 crisis, such as the Red Cross cyberattack.{{Cite web|url=https://newsroom.ibm.com/2021-02-24-IBM-Security-Report-Attacks-on-Industries-Supporting-COVID-19-Response-Efforts-Double|title=IBM Security Report: Attacks on Industries Supporting COVID-19 Response Efforts Double|website=IBM Newsroom}}

File:ClamTK3.08.jpg GUI for ClamAV running a scan on Ubuntu 8.04 Hardy Heron]]

There are a number of anti-virus applications available which will run under the Linux operating system. Most of these applications are looking for exploits which could affect users of Microsoft Windows.

These applications are useful for computers (typically, servers) which will pass on files to Microsoft Windows users. They do not look for Linux-specific threats.

{{columns-list|colwidth=30em|

• Avast! (proprietary; freeware version available)
• AVG (proprietary; freeware version available)
• Avira (proprietary; freeware version was available, discontinued due to lack of demand){{cite web|url=http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1491|title=Discontinuation of Antivirus solutions for Linux systems on June 30th 2016|access-date=2014-10-14|archive-url=https://web.archive.org/web/20171214014530/https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1491|archive-date=2017-12-14|url-status=dead}}
• BitDefender (proprietary; freeware version available)
• ClamAV (free and open source software){{cite web |url=http://www.clamav.net/ |title=ClamAV |access-date=2011-02-22 |archive-date=2013-07-22 |archive-url=https://web.archive.org/web/20130722211341/http://www.clamav.net/ |url-status=live }}
• Comodo (proprietary; freeware version available){{cite web |url = https://www.comodo.com/home/internet-security/antivirus-for-linux.php |title = Comodo Antivirus for Linux |access-date = 17 October 2012 |last = Comodo Group |year = 2015 |archive-date = 11 December 2015 |archive-url = https://web.archive.org/web/20151211050327/https://www.comodo.com/home/internet-security/antivirus-for-linux.php |url-status = live }}
• Crowdstrike (Proprietary)
• Dr.Web (proprietary){{cite web |url=http://products.drweb.com/linux/ |title=Dr.Web anti-virus for Linux |access-date=2010-05-25 |publisher=Dashke |archive-date=2019-02-27 |archive-url=https://web.archive.org/web/20190227043503/http://products.drweb.com/linux/ |url-status=live }}
• F-Prot (proprietary; freeware version available){{cite web|url = http://www.f-prot.com/products/corporate_users/unix/|title = F-PROT Antivirus for Linux x86 / BSD x86|access-date = 13 December 2011|last = FRISK Software International|year = 2011|archive-date = 4 December 2011|archive-url = https://web.archive.org/web/20111204053631/http://www.f-prot.com/products/corporate_users/unix/|url-status = live}}
• F-Secure Linux (proprietary)
• Kaspersky Linux Security (proprietary){{cite web |url=http://www.kaspersky.com/linux |title=Kaspersky Linux Security - Gateway, mail and file server, workstation protection for Linux/FreeBSD |access-date=2009-02-11 |publisher=Kaspersky Lab |archive-date=2011-06-24 |archive-url=https://web.archive.org/web/20110624234810/http://www.kaspersky.com/linux |url-status=live }}
• McAfee VirusScan Enterprise for Linux (proprietary){{cite web |url=http://www.mcafee.com/us/products/virusscan-enterprise-for-linux.aspx |title=McAfee VirusScan Enterprise for Linux |access-date=2012-12-27 |publisher=McAfee |archive-date=2016-12-18 |archive-url=https://web.archive.org/web/20161218211352/http://www.mcafee.com/us/products/virusscan-enterprise-for-linux.aspx |url-status=live }}
• Panda Security for Linux (proprietary){{cite web |url=http://www.pandasecurity.com/spain/homeusers/solutions/linux/ |title=Panda Security Antivirus Protection for Linux |access-date=2009-01-13 |publisher=Panda Security |archive-url=https://web.archive.org/web/20090129225753/http://www.pandasecurity.com/spain/homeusers/solutions/linux/ |archive-date=2009-01-29 |url-status=dead }}
• Sophos (proprietary)
• Symantec AntiVirus for Linux (proprietary){{cite web |url=http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005110716014248 |archive-url=https://web.archive.org/web/20070429092307/http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005110716014248 |url-status=dead |archive-date=2007-04-29 |title=System requirements for Symantec AntiVirus for Linux 1.0 |access-date=2009-03-07 |last=Symantec |date=January 2009 }}
• Trend Micro ServerProtect for Linux (proprietary)

}}

These applications look for actual threats to the Linux computers on which they are running.

• chkrootkit (free and open source software){{Cite web|url=http://www.chkrootkit.org/|title=chkrootkit -- locally checks for signs of a rootkit|website=www.chkrootkit.org|access-date=2019-09-07|archive-date=2020-01-13|archive-url=https://web.archive.org/web/20200113075923/http://www.chkrootkit.org/|url-status=live}}
• ClamAV (free and open source software){{Cite web|url=http://www.clamav.net/|title=ClamavNet|website=www.clamav.net|access-date=2008-12-03|archive-date=2013-07-22|archive-url=https://web.archive.org/web/20130722211341/http://www.clamav.net/|url-status=live}}
• Comodo (proprietary){{cite web |url=http://forums.comodo.com/comodo-antivirus-for-linux-cavl/comodo-antivirus-for-linux-cavl-v112680251-is-released-t92199.0.html |title=COMODO Antivirus for Linux (CAVL) v1.1.268025.1 is released! |publisher=comodo.com |date=2013-02-28 |access-date=2014-06-12 |archive-date=2018-11-18 |archive-url=https://web.archive.org/web/20181118145226/http://forums.comodo.com/comodo-antivirus-for-linux-cavl/comodo-antivirus-for-linux-cavl-v112680251-is-released-t92199.0.html |url-status=live }}
• Crowdstrike (proprietary)
• Dr.Web (proprietary)
• ESET (proprietary){{cite web|url=http://www.eset.com/int/home/products/antivirus-linux/|title=ESET File Security - Antivirus Protection for Linux, BSD, and Solaris|access-date=2008-10-26|publisher=Eset|archive-date=2018-11-18|archive-url=https://web.archive.org/web/20181118182816/https://www.eset.com/int/home/products/antivirus-linux/|url-status=live}}{{cite web |url=http://www.eset.com/products/linux_mail.php |title=ESET Mail Security - Linux, BSD, and Solaris mail server protection |access-date=2008-10-26 |publisher=Eset |url-status=dead |archive-url=https://web.archive.org/web/20080512082347/http://www.eset.com/products/linux_mail.php |archive-date=2008-05-12 }}{{cite web |url=http://www.eset.com/products/gateway.php |title=ESET NOD32 Antivirus for Linux Gateway Devices |access-date=2008-10-26 |publisher=Eset |url-status=dead |archive-url=https://web.archive.org/web/20080510143951/http://www.eset.com/products/gateway.php |archive-date=2008-05-10 }}{{cite web |url=http://www.eset.com/us/download/home/detail/family/71/#offline,98,ENU |title=ESET NOD32 Antivirus 4 for Linux Desktop |access-date=2014-06-12 |publisher=Eset |archive-date=2015-07-21 |archive-url=https://web.archive.org/web/20150721195255/http://www.eset.com/us/download/home/detail/family/71/#offline,98,ENU |url-status=live }}{{Citation needed|date=August 2024}}
• Kaspersky Virus Removal Tool (KVRT) for Linux (free){{cite web | url=https://www.kaspersky.com/blog/kvrt-for-linux/51375/ | title=KVRT for Linux: Malware scanner for Linux systems | date=30 May 2024 }}
• Linux Malware Detecthttps://www.rfxn.com/projects/linux-malware-detect/ {{Webarchive|url=https://web.archive.org/web/20200115150701/https://www.rfxn.com/projects/linux-malware-detect/ |date=2020-01-15 }} R-fx Networks project page of LMD
• lynis (open source auditing){{Cite web|url=https://cisofy.com/lynis/|title=Lynis - Security auditing and hardening tool for Linux/Unix|website=cisofy.com|access-date=2017-01-09|archive-date=2020-02-04|archive-url=https://web.archive.org/web/20200204112659/https://cisofy.com/lynis/|url-status=live}}{{Cite web|url=https://github.com/CISOfy/lynis|title=Lynis: Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional. - CISOf..|date=September 7, 2019|via=GitHub|access-date=January 9, 2017|archive-date=February 5, 2020|archive-url=https://web.archive.org/web/20200205010648/https://github.com/CISOfy/lynis|url-status=live}}
• rkhunter (free and open source software){{cite web|url=http://www.rootkit.nl/projects/rootkit_hunter.html|title=Root Kit Hunter|url-status=dead|archive-url=https://web.archive.org/web/20130305191528/http://rootkit.nl/projects/rootkit_hunter.html|archive-date=2013-03-05}}
• Samhain (free and open source software){{Cite web|url=https://la-samhna.de/samhain/|title= samhain The SAMHAIN file integrity / host-based intrusion detection system|access-date=2021-10-03}}
• Sophos (proprietary){{cite web |url=http://nakedsecurity.sophos.com/2008/02/13/botnets-a-free-tool-and-6-years-of-linuxrst-b/ |title=Botnets, a free tool and 6 years of Linux/Rst-B | Naked Security |publisher=Nakedsecurity.sophos.com |date=2008-02-13 |access-date=2013-08-11 |archive-date=2019-01-27 |archive-url=https://web.archive.org/web/20190127213220/https://nakedsecurity.sophos.com/2008/02/13/botnets-a-free-tool-and-6-years-of-linuxrst-b/ |url-status=live }}{{Cite web|url=https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx|title=Free Linux Malware Scanner | Lightweight Agent for Linux Malware Detection and Removal | Sophos|website=www.sophos.com|access-date=2015-10-30|archive-date=2020-01-17|archive-url=https://web.archive.org/web/20200117224552/https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx|url-status=live}}

Linux malware can also be detected (and analyzed) using memory forensics tools, such as:

• Forcepoint (proprietary){{Cite web|url=https://www.forcepoint.com/|title=Forcepoint|website=Forcepoint|access-date=2019-09-07|archive-date=2020-01-23|archive-url=https://web.archive.org/web/20200123180312/https://www.forcepoint.com/|url-status=live}}
• Volatility[http://www.volatilesystems.com/ volatilesystems.com] {{webarchive|url=http://webarchive.loc.gov/all/20110217010903/https://www.volatilesystems.com/ |date=2011-02-17 }} (free and open source software){{Cite web|url=https://code.google.com/archive/p/volatility/wikis/LinuxMemoryForensics.wiki|title=Google Code Archive - Long-term storage for Google Code Project Hosting.|website=code.google.com|access-date=2019-09-07|archive-date=2019-08-27|archive-url=https://web.archive.org/web/20190827192551/https://code.google.com/archive/p/volatility/wikis/LinuxMemoryForensics.wiki|url-status=live}}

The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

• Mayhem – 32/64-bit Linux/FreeBSD multifunctional botnetKovalev et al (17 July 2014), [https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Mayhem Mayhem – a hidden threat for *nix web servers] {{Webarchive|url=https://web.archive.org/web/20160106041213/https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Mayhem |date=2016-01-06 }}, Virus Bulletin
• Linux.Remaiten – a threat targeting the Internet of things.{{cite web|url=http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/|title=Meet Remaiten - a Linux bot on steroids targeting routers and potentially other IoT devices|work=WeLiveSecurity|author1=Michal Malík|author2=Marc-Etienne M.Léveillé|date=30 March 2016 |access-date=4 November 2018|archive-date=5 November 2018|archive-url=https://web.archive.org/web/20181105160418/https://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/|url-status=live}}{{cite web|url=http://www.virusradar.com/en/Linux_Remaiten/detail|title=Threat Detail - ESET Virusradar|work=virusradar.com|access-date=3 April 2016|archive-date=15 April 2016|archive-url=https://web.archive.org/web/20160415161342/http://www.virusradar.com/en/Linux_Remaiten/detail|url-status=live}}{{cite web|url=http://thehackernews.com/2016/03/internet-of-thing-malware.html|title=Advanced Malware targeting Internet of the Things and Routers|author=Mohit Kumar|date=31 March 2016|work=The Hacker News|access-date=3 April 2016|archive-date=3 April 2016|archive-url=https://web.archive.org/web/20160403030652/http://thehackernews.com/2016/03/internet-of-thing-malware.html|url-status=live}}
• Mirai (malware) – a DDoS botnet spreads through telnet service and designed to infect Internet of Things (IoT).{{cite web | url=https://www.cyber.nj.gov/threat-profiles/botnet-variants/mirai-botnet | title=Mirai Botnet | publisher=The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) | date=December 28, 2016 | access-date=28 December 2016 | author=njccic | archive-date=12 December 2016 | archive-url=https://web.archive.org/web/20161212084605/https://www.cyber.nj.gov/threat-profiles/botnet-variants/mirai-botnet | url-status=live }}{{cite web | url=https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ | title=KrebsOnSecurity Hit With Record DDoS | publisher=Brian Krebs | date=September 21, 2016 | access-date=17 November 2016 | author=Krebs, Brian | archive-date=15 November 2016 | archive-url=https://web.archive.org/web/20161115112659/https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ | url-status=live }}{{cite web | url=http://fortune.com/2016/10/03/botnet-code-ddos-hacker/ | title=Why a Hacker Dumped Code Behind Colossal Website-Trampling Botnet | publisher=Fortune.com | date=October 3, 2016 | access-date=19 October 2016 | author=Hackett, Robert | archive-date=22 October 2016 | archive-url=https://web.archive.org/web/20161022172232/http://fortune.com/2016/10/03/botnet-code-ddos-hacker/ | url-status=live }}{{Cite news|url=https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/|title=What We Know About Friday's Massive East Coast Internet Outage|last=Newman|first=Lily Hay|newspaper=WIRED|language=en-US|access-date=2016-10-21|archive-date=2016-10-22|archive-url=https://web.archive.org/web/20161022013504/https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/|url-status=live}}
• GafGyt/BASHLITE/Qbot – a DDoS botnet spreads through SSH and Telnet service weak passwords, firstly discovered during bash Shellshock vulnerability.{{cite web | url=https://www.zdnet.com/article/first-attacks-using-shellshock-bash-bug-discovered/ | title=First attacks using shellshock Bash bug discovered | publisher=ZDNet | date=September 25, 2014 | access-date=25 September 2014 | author=Liam Tung | archive-date=21 December 2014 | archive-url=https://web.archive.org/web/20141221092301/http://www.zdnet.com/article/first-attacks-using-shellshock-bash-bug-discovered/ | url-status=live }}
• LuaBot – a botnet coded with modules component in Lua programming language, cross-compiled in C wrapper with LibC, it aims for Internet of Things in ARM, MIPS and PPC architectures, with the usage to DDoS, spreads Mirai (malware) or selling proxy access to the cyber crime.{{cite web | url=http://news.softpedia.com/news/luabot-is-the-first-botnet-malware-coded-in-lua-targeting-linux-platforms-507978.shtml | title=LuaBot Is the First DDoS Malware Coded in Lua Targeting Linux Platforms | publisher=Softpedia | date=September 5, 2016 | access-date=5 September 2016 | author=Catalin Cimpanu | archive-date=6 September 2016 | archive-url=https://web.archive.org/web/20160906111647/http://news.softpedia.com/news/luabot-is-the-first-botnet-malware-coded-in-lua-targeting-linux-platforms-507978.shtml | url-status=live }}{{cite web | url=http://news.softpedia.com/news/luabot-author-says-his-malware-is-not-harmful-508397.shtml | title=LuaBot Author Says His Malware Is "Not Harmful" | publisher=Softpedia | date=September 17, 2016 | access-date=17 September 2016 | author=Catalin Cimpanu | archive-date=18 September 2016 | archive-url=https://web.archive.org/web/20160918004939/http://news.softpedia.com/news/luabot-author-says-his-malware-is-not-harmful-508397.shtml | url-status=live }}
• Hydra,{{cite web | url=http://insecurety.net/?p=90 | title=Hydra IRC bot, the 25 minute overview of the kit | publisher=Insecurety Research | date=June 12, 2012 | access-date=12 June 2012 | author=Infodox | archive-date=7 February 2014 | archive-url=https://web.archive.org/web/20140207115028/http://insecurety.net/?p=90 | url-status=live }} Aidra,{{cite web | url=https://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/ | title=Guerilla researcher created epic botnet to scan billions of IP addresses | publisher=Ars Technica | date=March 21, 2013 | access-date=21 March 2013 | author=Dan Goodin | archive-date=20 March 2013 | archive-url=https://web.archive.org/web/20130320210708/http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/ | url-status=live }} LightAidra{{cite web | url=https://www.theregister.co.uk/2014/09/09/linux_modem_bot/ | title=Use home networking kit? DDoS bot is BACK... and it has EVOLVED | publisher=The Register | date=September 9, 2014 | access-date=9 September 2014 | author=John Leyden | archive-date=12 September 2014 | archive-url=https://web.archive.org/web/20140912064209/http://www.theregister.co.uk/2014/09/09/linux_modem_bot/ | url-status=live }} and NewAidra{{cite web | url=https://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/ | title=A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet | publisher=The Register | date=October 31, 2016 | access-date=31 October 2016 | author=John Leyden | archive-date=1 November 2016 | archive-url=https://web.archive.org/web/20161101124851/http://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/ | url-status=live }} – another form of a powerful IRC botnet that infects Linux boxes.
• EnergyMech 2.8 overkill mod (Linux/Overkill) – a long-lasting botnet worm designed to infect servers with its bot and operated through IRC protocol, for the purposes of DDoSing and spreading itself.{{cite web | url=http://blog.malwaremustdie.org/2016/11/mmd-0061-2016-emech-for-ddos.html | title=MMD-0061-2016 - EnergyMech 2.8 Overkill Mod | publisher=MalwareMustDie | date=November 28, 2016 | access-date=28 November 2016 | author=unixfreaxjp | archive-date=19 January 2017 | archive-url=https://web.archive.org/web/20170119084205/http://blog.malwaremustdie.org/2016/11/mmd-0061-2016-emech-for-ddos.html | url-status=live }}

{{columns-list|colwidth=30em|

• Linux.Encoder.1{{cite web|url=https://vms.drweb.com/virus/?i=7703983&lng=en|title=Linux.Encoder.1|work=drweb.com|access-date=10 November 2015|archive-date=17 November 2015|archive-url=https://web.archive.org/web/20151117030616/https://vms.drweb.com/virus/?i=7703983&lng=en|url-status=live}}{{cite web|url=http://www.computerworld.com/article/3003461/security/first-linux-ransomware-program-cracked-for-now.html|title=First Linux ransomware program cracked, for now|author=Lucian Constantin|date=10 November 2015|work=Computerworld|access-date=10 November 2015|archive-date=12 November 2015|archive-url=https://web.archive.org/web/20151112020950/http://www.computerworld.com/article/3003461/security/first-linux-ransomware-program-cracked-for-now.html|url-status=live}}
• Lilocked{{cite web|url=https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/|title=Lilocked|access-date=7 September 2019|archive-date=7 September 2019|archive-url=https://web.archive.org/web/20190907015826/https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/|url-status=live}}{{Cite web|url=https://www.cybersecurity-insiders.com/lilocked-ransomware-hits-linux-servers/|title=LiLocked Ransomware hits Linux Servers|first=Naveen|last=Goud|date=September 6, 2019|access-date=September 7, 2019|archive-date=February 21, 2021|archive-url=https://web.archive.org/web/20210221052902/https://www.cybersecurity-insiders.com/lilocked-ransomware-hits-linux-servers/|url-status=live}}

}}

• Snakso – a 64-bit Linux webserver rootkitLeyden, John ( 21 November 2012), [https://www.theregister.co.uk/2012/11/21/powerful_linux_rootkit/ Evildoers can now turn all sites on a Linux server into silent hell-pits] {{Webarchive|url=https://web.archive.org/web/20161116231228/http://www.theregister.co.uk/2012/11/21/powerful_linux_rootkit/ |date=2016-11-16 }}, The Register, retrieved 21 November 2012
• Pigmy Goat - used in Sophos Firewall in 2024 {{cite web | url=https://www.bleepingcomputer.com/news/security/custom-pygmy-goat-malware-used-in-sophos-firewall-hack-on-govt-network/ | title=Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network }}

{{columns-list|colwidth=30em|

• Effusion – 32/64-bit injector for Apache/Nginx webservers, (7 Jan 2014)Kovalev et al [https://www.virusbtn.com/virusbulletin/archive/2014/01/vb201401-Effusion Effusion – a new sophisticated injector for Nginx web servers] {{Webarchive|url=https://web.archive.org/web/20160106041213/https://www.virusbtn.com/virusbulletin/archive/2014/01/vb201401-Effusion |date=2016-01-06 }}, Virus Bulletin
• Hand of Thief – Banking trojan, 2013,{{cite web |author=rsa.com |url=https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/ |title=Thieves Reaching for Linux—"Hand of Thief" Trojan Targets Linux #INTH3WILD » Speaking of Security - The RSA Blog and Podcast |publisher=Blogs.rsa.com |access-date=2013-08-11 |url-status=dead |archive-url=https://web.archive.org/web/20130815040638/http://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/ |archive-date=2013-08-15 }}{{cite web |last=Vaughan |first=Steven J. |url=https://www.zdnet.com/home-and-office/networking/linux-desktop-trojan-hand-of-thief-steals-in/ |title=Linux desktop Trojan 'Hand of Thief' steals in |publisher=ZDNet |access-date=2013-08-11 |archive-date=2014-11-16 |archive-url=https://web.archive.org/web/20141116035400/http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-steals-in-7000019175/ |url-status=live }}
• Kaiten – Linux.Backdoor.Kaiten trojan horse{{cite web |url=http://www.symantec.com/security_response/writeup.jsp?docid=2006-021417-0144-99 |title=Linux.Backdoor.Kaiten |access-date=2008-03-08 |last=Florio |first=Elia |date=February 2006 |archive-date=2013-05-14 |archive-url=https://web.archive.org/web/20130514095914/http://www.symantec.com/security_response/writeup.jsp?docid=2006-021417-0144-99 |url-status=dead }}
• Rexob – Linux.Backdoor.Rexob trojan{{cite web |url=http://www.symantec.com/security_response/writeup.jsp?docid=2007-072612-1704-99 |title=Linux.Backdoor.Rexob |access-date=2008-03-08 |last=Florio |first=Elia |date=December 2007 |archive-date=2013-05-14 |archive-url=https://web.archive.org/web/20130514162255/http://www.symantec.com/security_response/writeup.jsp?docid=2007-072612-1704-99 |url-status=dead }}
• Waterfall screensaver backdoor – on gnome-look.org{{cite web |url=https://lwn.net/Articles/367874/ |title=Linux malware: an incident and some solutions |access-date=2010-09-16 |last=Vervloesem |first=Koen |date=December 2009 |archive-date=2016-11-18 |archive-url=https://web.archive.org/web/20161118033032/https://lwn.net/Articles/367874/ |url-status=live }}
• Tsunami.gen – Backdoor.Linux.Tsunami.gen{{cite web|url=https://w.securelist.com/en/descriptions/backdoor.linux.tsunami.gen |archive-url=https://web.archive.org/web/20160106041216/https://w.securelist.com/en/descriptions/backdoor.linux.tsunami.gen |url-status=dead |archive-date=2016-01-06 |title=Backdoor.Linux.Tsunami.gen |publisher=Securelist |access-date=2014-05-09}}
• Turla – HEUR:Backdoor.Linux.Turla.gen{{cite web|url=https://securelist.com/blog/research/67962/the-penquin-turla-2/|title=The 'Penquin' Turla - Securelist|work=securelist.com|date=8 December 2014 |access-date=10 November 2015|archive-date=20 November 2015|archive-url=https://web.archive.org/web/20151120092136/https://securelist.com/blog/research/67962/the-penquin-turla-2/|url-status=live}}{{cite web|url=http://www.omgubuntu.co.uk/2014/12/government-spying-turla-linux-trojan-found|title=Yes, This Trojan Infects Linux. No, It's Not The Tuxpocalypse - OMG! Ubuntu!|author=Joey-Elijah Sneddon|work=OMG! Ubuntu!|date=9 December 2014 |access-date=10 November 2015|archive-date=1 October 2015|archive-url=https://web.archive.org/web/20151001195532/http://www.omgubuntu.co.uk/2014/12/government-spying-turla-linux-trojan-found|url-status=live}}
• Xor DDoS{{cite web | url=http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html | title=Linux/XOR.DDoS : Fuzzy reversing a new China ELF | publisher=MalwareMustDie | date=September 29, 2014 | access-date=29 September 2014 | author=unixfreaxjp.wirehack7, shibumi | archive-date=2 October 2014 | archive-url=https://web.archive.org/web/20141002120011/http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html | url-status=live }} – a trojan malware that hijacks Linux systems and uses them to launch DDoS attacks which have reached loads of 150+ Gbps.{{cite web|url = https://www.akamai.com/us/en/about/news/press/2015-press/xor-ddos-botnet-attacking-linux-machines.jsp|title = OR DDoS Botnet Launching 20 Attacks a Day From Compromised Linux Machines, Says Akamai|access-date = 18 March 2016|author = Akamai Technologies|date = 29 September 2015|archive-date = 18 March 2016|archive-url = https://web.archive.org/web/20160318142304/https://www.akamai.com/us/en/about/news/press/2015-press/xor-ddos-botnet-attacking-linux-machines.jsp|url-status = live}}
• Hummingbad – has infected over 10 million Android operating systems. User details are sold and adverts are tapped on without the user's knowledge thereby generating fraudulent advertising revenue.{{cite web|url = https://www.theguardian.com/technology/2016/jul/06/hummingbad-malware-infects-10m-android-devices-information-apps-ads|title = HummingBad malware infects 10m Android devices|access-date = 2016-07-06|author = Samuel Gibbs|website = TheGuardian.com| date=6 July 2016 |archive-date = 2019-06-19|archive-url = https://web.archive.org/web/20190619155649/https://www.theguardian.com/technology/2016/jul/06/hummingbad-malware-infects-10m-android-devices-information-apps-ads|url-status = live}}
• NyaDrop – a small Linux backdoor compiled from a Linux shellcode to be used to infect Linux boxes with bigger size Linux malware.{{cite web | url=https://www.grahamcluley.com/nyadrop-exploiting-iot-insecurity-infect-devices-malware/ | title=NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware | publisher=Graham Cluley | date=October 17, 2016 | access-date=4 November 2018 | author=David Bisson | archive-date=5 November 2018 | archive-url=https://web.archive.org/web/20181105012521/https://www.grahamcluley.com/nyadrop-exploiting-iot-insecurity-infect-devices-malware/ | url-status=live }}
• PNScan – Linux trojan designed to aim routers and self-infecting to a specific targeted network segment in a worm-like form{{cite web | url=http://news.softpedia.com/news/pnscan-linux-trojan-resurfaces-with-new-attacks-targeting-routers-in-india-507617.shtml | title=PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India | publisher=Softpedia | date=August 25, 2016 | access-date=25 August 2016 | author=Catalin Cimpanu | archive-date=26 August 2016 | archive-url=https://web.archive.org/web/20160826234411/http://news.softpedia.com/news/pnscan-linux-trojan-resurfaces-with-new-attacks-targeting-routers-in-india-507617.shtml | url-status=live }}
• SpeakUp – a backdoor trojan that infects six different Linux distributions and macOS devices.{{cite web | url=https://threatpost.com/speakup-linux-backdoor/141431/ | title=SpeakUp Linux Backdoor Sets Up for Major Attack | date=February 4, 2019 | author=Tara Seals | access-date=February 4, 2019 | archive-date=November 29, 2019 | archive-url=https://web.archive.org/web/20191129044127/https://threatpost.com/speakup-linux-backdoor/141431/ | url-status=live }}

}}

{{columns-list|colwidth=30em|

• 42{{cite web|url=http://vx.eof-project.net/viewtopic.php?pid=1049|title=Linux.42: Using CRC32B (SSE4.2) instruction in polymorphic decryptor|last=herm1t|date=August 2008|url-status=dead|archive-url=https://archive.today/20110107125751/http://vx.eof-project.net/viewtopic.php?pid=1049|archive-date=2011-01-07}}{{cite web|url=http://blogs.technet.com/mmpc/archive/2008/09/10/life-the-universe-and-everything.aspx|title=Life, the Universe, and Everything|last=Ferrie|first=Peter|date=September 2008|access-date=2010-01-17|archive-url=https://web.archive.org/web/20120813084706/http://blogs.technet.com/b/mmpc/archive/2008/09/10/life-the-universe-and-everything.aspx|archive-date=2012-08-13|url-status=dead}}
• Arches{{cite web|url=http://vx.netlux.org/lib/vhe00.html | title=Infecting ELF-files using function padding for Linux |last=herm1t|date=August 2006|archive-url = https://web.archive.org/web/20120122161950/http://vx.netlux.org/lib/vhe00.html |archive-date = 22 January 2012}}
• Alaeda – Virus.Linux.Alaeda{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=21703 |title=Virus.Linux.Alaeda |access-date=2008-03-08 |last=Kaspersky Lab |date=May 2007 |archive-url = https://web.archive.org/web/20090713010454/http://www.viruslist.com/en/viruses/encyclopedia?virusid=21703 |archive-date =13 July 2009}}
• Binom – Linux/Binom{{cite web |url=http://vil.nai.com/vil/content/v_130506.htm |archive-url=https://web.archive.org/web/20050124142040/http://vil.nai.com/vil/content/v_130506.htm |url-status=dead |archive-date=2005-01-24 |title=Linux/Binom |access-date=2008-03-08 |last=McAfee |date=December 2004 }}
• Bliss – requires root privileges
• Brundle{{cite web|url=http://www.roqe.org/brundle-fly/ |title=Brundle Fly 0.0.1 - A Good-Natured Linux ELF Virus |access-date=2008-03-08 |last=Rieck |first=Konrad and Konrad Kretschmer |date=August 2001 |url-status=dead |archive-url=https://web.archive.org/web/20080514013935/http://www.roqe.org/brundle-fly/ |archive-date=May 14, 2008 }}
• Bukowski{{cite web |url=http://sourceforge.net/projects/bukowski/ |title=Project Bukowski |access-date=2008-03-08 |last=de Almeida Lopes |first=Anthony |date=July 2007 |archive-date=2013-05-14 |archive-url=https://web.archive.org/web/20130514093707/http://sourceforge.net/projects/bukowski/ |url-status=live }}
• Caveat{{cite web|url=http://www.vxheavens.com/lib/vhe06.html|title=Caveat virus|last=herm1t|date=February 2008|access-date=2010-01-17|archive-date=2018-12-23|archive-url=https://web.archive.org/web/20181223030443/http://www.vxheavens.com/lib/vhe06.html|url-status=live}}{{cite web|url=http://vx.netlux.org/lib/apf29.html |last=Ferrie |first=Peter |title=Can you spare a seg? |date=July 2009 |url-status=dead |archive-url=https://web.archive.org/web/20120117122655/http://vx.netlux.org/lib/apf29.html |archive-date=2012-01-17 }}
• Cephei – Linux.Cephei.A (and variants){{cite web |url=http://www.virusradar.com/en/Linux_Cephei.A/description |title=Linux.Cephei - ESET Virusradar |date=January 2019 |last=TMZ|archive-url = https://web.archive.org/web/20180705173356/http://www.virusradar.com/en/Linux_Cephei.A/description|archive-date =5 July 2018}}
• Coin{{cite web|url=http://www.vxheavens.com/lib/vhe04.html|title=Reverse of a coin: A short note on segment alignment|last=herm1t|date=October 2007|access-date=2010-01-17|archive-date=2012-03-03|archive-url=https://web.archive.org/web/20120303032927/http://www.vxheavens.com/lib/vhe04.html|url-status=live}}{{cite web|url=http://vx.netlux.org/lib/apf31.html |title=Heads or tails? |last=Ferrie |first=Peter |date=September 2009 |url-status=dead |archive-url=https://web.archive.org/web/20120117122247/http://vx.netlux.org/lib/apf31.html |archive-date=2012-01-17 }}
• Hasher{{cite web|url=http://www.vxheavens.com/lib/vhe02.html|title=Hashin' the elves|last=herm1t|date=October 2007|access-date=2010-01-17|archive-date=2014-10-10|archive-url=https://web.archive.org/web/20141010015830/http://vxheavens.com/lib/vhe02.html|url-status=live}}{{cite web|url=http://vx.netlux.org/lib/apf30.html |title=Making a hash of things |last=Ferrie |first=Peter |date=August 2009 |url-status=dead |archive-url=https://web.archive.org/web/20120117121406/http://vx.netlux.org/lib/apf30.html |archive-date=2012-01-17 }}
• Lacrimae (aka Crimea){{cite web|url=http://vx.netlux.org/herm1t/Lacrimae_EN.txt |title=README |last=herm1t |date=June 2008 |url-status=dead |archive-url=https://web.archive.org/web/20120206235015/http://vx.netlux.org/herm1t/Lacrimae_EN.txt |archive-date=2012-02-06 }}{{cite web|url=http://vx.netlux.org/lib/apf12.html |title=Crimea river |last=Ferrie |first=Peter |date=February 2008 |url-status=dead |archive-url=https://web.archive.org/web/20120117122703/http://vx.netlux.org/lib/apf12.html |archive-date=2012-01-17 }}
• Nuxbee – Virus.Linux.Nuxbee.1403{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=21725 |title=Virus.Linux.Nuxbee.1403 |access-date=2008-03-08 |last=Kaspersky Lab |date=December 2001|archive-url = https://web.archive.org/web/20120302072354/http://www.securelist.com/en/descriptions/old21725 |archive-date =2 March 2012}}
• PiLoT{{cite web|url=http://www.vxheavens.com/lib/vhe05.html|title=INT 0x80? No, thank you!|last=herm1t|date=November 2007|access-date=2010-01-17|archive-date=2018-12-23|archive-url=https://web.archive.org/web/20181223030442/http://www.vxheavens.com/lib/vhe05.html|url-status=live}}{{cite web|url=http://vx.netlux.org/lib/apf37.html |title=Flying solo |last=Ferrie |first=Peter |date=September 2009 |url-status=dead |archive-url=https://web.archive.org/web/20120117122359/http://vx.netlux.org/lib/apf37.html |archive-date=2012-01-17 }}
• Podloso – Linux.Podloso (The iPod virus){{cite web |url=http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-040516-4947-99 |title=Linux.Podloso |access-date=2008-03-08 |last=Ferrie |first=Peter |date=April 2007 |archive-date=2013-05-30 |archive-url=https://web.archive.org/web/20130530040114/http://www.symantec.com/security_response/writeup.jsp?docid=2007-040516-4947-99 |url-status=dead }}{{cite web |url=http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_ipod_virus.html |title=The iPod virus |access-date=2008-03-08 |last=Ferrie |first=Peter |date=April 2007 |url-status=dead |archive-url=https://web.archive.org/web/20080302053542/http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_ipod_virus.html |archive-date=2008-03-02 }}
• RELx{{cite web|url=http://www.vxheavens.com/lib/vhe08.html|title=From position-independent to self-relocatable viral code|last=herm1t|date=December 2009|access-date=2010-05-07|archive-date=2019-05-24|archive-url=https://web.archive.org/web/20190524004609/http://www.vxheavens.com/lib/vhe08.html|url-status=live}}
• Rike – Virus.Linux.Rike.1627{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=21733 |title=Virus.Linux.Rike.1627 |access-date=2008-03-08 |last=Kaspersky Lab |date=August 2003|archive-url = https://web.archive.org/web/20120302072359/http://www.securelist.com/en/descriptions/old21733 |archive-date =2 March 2012}}
• RST – Virus.Linux.RST.a{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=21734 |title=Virus.Linux.RST.a |access-date=2008-03-08 |last=Kaspersky Lab |date=January 2002 |url-status=dead |archive-url=https://web.archive.org/web/20071107040802/http://www.viruslist.com/en/viruses/encyclopedia?virusid=21734 |archive-date=2007-11-07 }} (known for infecting Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005{{cite web|url =http://www.linux-magazine.com/w3/issue/62/Viruses_in_Linux.pdf|archive-url=https://web.archive.org/web/20140517132434/http://www.linux-magazine.com/w3/issue/62/Viruses_in_Linux.pdf|archive-date=2014-05-17|title=The ways of viruses in Linux HOW SAFE? |access-date=2009-08-21}})
• Staog
• Vit – Virus.Linux.Vit.4096{{cite web|url=http://www.viruslist.com/en/viruslist.html?id=3135&key=00001000050000200003 |title=Virus.Linux.Vit.4096 |access-date=2008-03-08 |last=Kaspersky Lab |date=March 2000 |url-status=dead |archive-url=https://web.archive.org/web/20071107040844/http://www.viruslist.com/en/viruslist.html?id=3135&key=00001000050000200003 |archive-date=November 7, 2007 }}
• Winter – Virus.Linux.Winter.341{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=21756 |title=Virus.Linux.Winter.341 |access-date=2008-03-08 |last=Kaspersky Lab |date=October 2000 |url-status=dead |archive-url=https://web.archive.org/web/20071110002308/http://www.viruslist.com/en/viruses/encyclopedia?virusid=21756 |archive-date=2007-11-10 }}
• Winux (also known as Lindose and PEElf){{cite web|url=http://www.f-secure.com/v-descs/lindose.shtml |title=F-Secure Virus Descriptions: Lindose |access-date=2008-03-08 |last=Rautiainen |first=Sami |date=March 2001 |display-authors=etal |url-status=dead |archive-url=https://web.archive.org/web/20080621115415/http://www.f-secure.com/v-descs/lindose.shtml |archive-date=June 21, 2008 }}
• Wit virus{{cite web |url=http://members.hellug.gr/nmav/papers/other/wit-virus.pdf |title=The Wit Virus: A virus built on the ViT ELF virus |access-date=2008-12-31 |archive-date=2016-03-03 |archive-url=https://web.archive.org/web/20160303214605/http://members.hellug.gr/nmav/papers/other/wit-virus.pdf |url-status=live }}
• Zariche – Linux.Zariche.A (and variants){{cite web |url=http://www.virusradar.com/en/Linux_Zariche.A/description |title=Linux.Zariche - ESET Virusradar |date=January 2015 |last=TMZ |access-date=2015-01-23 |archive-date=2018-11-30 |archive-url=https://web.archive.org/web/20181130114656/https://www.virusradar.com/en/Linux_Zariche.A/description |url-status=live }}
• ZipWorm – Virus.Linux.ZipWorm{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=21759 |title=Virus.Linux.ZipWorm |access-date=2008-03-08 |last=Kaspersky Lab |date=January 2001|archive-url = https://web.archive.org/web/20090713011043/http://www.viruslist.com/en/viruses/encyclopedia?virusid=21759 |archive-date =13 July 2009}}

}}

{{columns-list|colwidth=30em|

• Adm – Net-Worm.Linux.Adm{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=23854 |title=Net-Worm.Linux.Adm |access-date=2008-03-08 |last=Kaspersky Lab |date=May 2001 |url-status=dead |archive-url=https://web.archive.org/web/20071030074550/http://www.viruslist.com/en/viruses/encyclopedia?virusid=23854 |archive-date=2007-10-30 }}
• Adore{{cite web |url=http://www.f-secure.com/v-descs/adore.shtml |title=F-Secure Virus Descriptions: Adore |access-date=2008-03-08 |last=Rautiainen |first=Sami |date=April 2001 |archive-date=2013-05-12 |archive-url=https://web.archive.org/web/20130512223246/http://www.f-secure.com/v-descs/adore.shtml |url-status=live }}
• Bad Bunny – Perl.Badbunny{{cite web |url=http://www.symantec.com/security_response/writeup.jsp?docid=2007-052400-3656-99 |title=Perl.Badbunny |access-date=2008-03-08 |last=Smith |first=Stuart |date=May 2007 |archive-date=2013-05-14 |archive-url=https://web.archive.org/web/20130514095927/http://www.symantec.com/security_response/writeup.jsp?docid=2007-052400-3656-99 |url-status=dead }}
• Cheese – Net-Worm.Linux.Cheese{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=23856 |title=Net-Worm.Linux.Cheese |access-date=2008-03-08 |last=Kaspersky Lab |date=May 2001 |url-status=dead |archive-url=https://web.archive.org/web/20071028171038/http://www.viruslist.com/en/viruses/encyclopedia?virusid=23856 |archive-date=2007-10-28 }}
• Devnull
• Kork{{cite web |url=http://www.f-secure.com/v-descs/kork.shtml |title=F-Secure Virus Descriptions: Kork |access-date=2008-03-08 |last=Rautiainen |first=Sami |date=April 2001 |archive-date=2013-05-12 |archive-url=https://web.archive.org/web/20130512215728/http://www.f-secure.com/v-descs/kork.shtml |url-status=live }}
• Linux/Lion
• Linux.Darlloz – targets home routers, set-top boxes, security cameras and industrial control systems.{{cite web |author=Mohit Kumar |url=http://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html |title=Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability |publisher=The Hacker News |date=2013-11-30 |access-date=2013-12-04 |archive-date=2018-11-30 |archive-url=https://web.archive.org/web/20181130121935/https://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html |url-status=live }}{{cite web |author=Joe Casad |url=http://www.linux-magazine.com/Online/News/New-Worm-Attacks-Linux-Devices |title=New Worm Attacks Linux Devices |publisher=Linux Magazine |date=3 December 2013 |access-date=4 December 2013 |archive-date=6 December 2013 |archive-url=https://web.archive.org/web/20131206035656/http://www.linux-magazine.com/Online/News/New-Worm-Attacks-Linux-Devices |url-status=live }}
• Linux/Lupper.worm{{cite web |url=http://vil.nai.com/vil/content/v_136821.htm |archive-url=https://web.archive.org/web/20051124010516/http://vil.nai.com/vil/content/v_136821.htm |url-status=dead |archive-date=2005-11-24 |title=Linux/Lupper.worm Description |access-date=2010-10-10 |last=McAfee |date=June 2005 }}
• Mighty – Net-Worm.Linux.Mighty{{cite web |url=http://www.viruslist.com/en/viruses/encyclopedia?virusid=23864 |title=Net-Worm.Linux.Mighty |access-date=2008-03-08 |last=Kaspersky Lab |date=October 2002 |url-status=dead |archive-url=https://web.archive.org/web/20071107040820/http://www.viruslist.com/en/viruses/encyclopedia?virusid=23864 |archive-date=2007-11-07 }}
• Millen – Linux.Millen.Worm{{cite web |url=http://www.symantec.com/security_response/writeup.jsp?docid=2002-121114-1432-99 |title=Linux.Millen.Worm |access-date=2008-03-08 |last=Perriot |first=Frederic |date=February 2007 |archive-date=2013-05-16 |archive-url=https://web.archive.org/web/20130516120612/http://www.symantec.com/security_response/writeup.jsp?docid=2002-121114-1432-99 |url-status=dead }}
• Ramen worm - targeted only Red Hat Linux distributions versions 6.2 and 7.0
• Slapper{{cite web |url=http://www.f-secure.com/v-descs/slapper.shtml |title=F-Secure Virus Descriptions: Slapper |access-date=2008-03-08 |last=Rautiainen |first=Sami |date=September 2002 |display-authors=etal |archive-date=2012-06-27 |archive-url=https://web.archive.org/web/20120627032132/http://www.f-secure.com/v-descs/slapper.shtml |url-status=live }}
• SSH Bruteforce{{cite web |url=https://www.altsci.com/concepts/virus/ |title=SSH Bruteforce Virus by AltSci Concepts |access-date=2008-03-13 |last=Voss |first=Joel |date=December 2007 }}{{Dead link|date=September 2019 |bot=InternetArchiveBot |fix-attempted=yes }}

}}

• Botnet
• Comparison of computer viruses
• Computer virus
• Computer worm
• Dirty COW
• Ransomware
• Spyware
• Timeline of computer viruses and worms
• Trojan horse (computing)

{{Reflist|30em}}

• [https://help.ubuntu.com/community/Linuxvirus Linuxvirus] on the Official Ubuntu Documentation

{{Linux}}

{{Malware}}

{{DEFAULTSORT:Linux Malware}}

Category:Linux

Category:Malware by platform