Linux malware detection tools

Introduction

Malicious software on Linux is not that uncommon. Fortunately, there are open source tools that help with detecting or recognizing malware samples.

Some of the tools in this overview can serve multiple purposes. For example, the ClamAV engine can be used to scan your incoming mail for the presence of malware. At the same time, ClamAV is also a good addition for your malware analysis lab to learn what samples are well-known.

Usage

Linux malware detection tools are typically used for malware analysis, malware detection, malware scanning.

Users for these tools include forensic specialists, malware analysts, system administrators.

Tools

chkrootkit (malware scanner)

malware detection, malware scanning

Chkrootkit is typically used to perform daily security scans to detect traces of malware.

ClamAV (malware scanner)

malware analysis, malware detection, malware scanning

ClamAV is a popular tool to detect malicious software or malware. While it calls itself an antivirus engine, it probably won't encounter many viruses, as they have become rare. It is more likely to find other forms of malware like worms, backdoors, and ransomware. ClamAV can be used in a few ways, from doing an occasional scan up to scanning in batch. ClamAV does not do on-access scanning but can be combined with other tools to obtain similar functionality. ClamAV is often...

Dagda (vulnerability scanner for Docker containers)

malware detection, malware scanning, vulnerability management, vulnerability scanning

The main reasons to use Dagda is the detection of vulnerable or malicious components within your containerized environment.

LMD (malware detection tool)

malware scanning

Linux Malware Detect (LMD) is a malware scanner for systems running Linux. The open source software project is released with the GPLv2 license.

Loki (file scanner to detect indicators or compromise)

digital forensics, intrusion detection, security monitoring

Loki is security tool to find so-called indicators of compromise (IOC). It does this by scanning files and then uses pattern matching.

Malice (VirusTotal clone)

malware analysis, malware detection, malware research, malware scanning

Malice is a malware analysis that wants to provide a free and open source version of VirusTotal. The goal of Malice is to make it usable by both independent researchers up to fortune 500 companies.

Malice is useful for those that do malware analysis or deal with user-generated files that may contain malware. The framework allows scanning files and directories to see if they are infected.

Malscan (malware scanner for web servers)

malware protection, malware scanning

Malscan is a tool to scan for malicious software (malware) such as viruses, worms, and backdoors. Its goal is to extend ClamAV with more scanning modes and signatures. It targets web servers running Linux, but can also be used on mail servers and desktops.

Maltrail (malicious traffic detection system)

intrusion detection, network analysis, security monitoring

Maltrail monitors for traffic on the network that might indicate system compromise or other bad behavior. It is great for intrusion detection and monitoring.

MultiScanner (file scanning and analysis framework)

malware analysis, malware detection, malware scanning

MultiScanner helps malware analysts by providing a toolkit to perform both automated and manual analysis. The data extracted from the analysis can be easily stored together, including the relevant metadata and samples. It allows enriching the data further by retrieving information from external resources.

Rootkit Hunter (malware scanner)

malware detection, malware scanning

Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix

YARA (malware identification and classification)

malware analysis, malware detection, malware scanning

YARA is a tool to identify and classify malware samples. It uses textual or binary patterns to match data, combined with a boolean expression to define a match. YARA is multi-platform, can be used via a command-line interface or via Python scripts using the yara-python extension.

Missing a favorite tool in this list? Share a tool suggestion and we will review it.