Linux Malware Detect: 2 Years Strong

As cliché as it sounds, where has the time gone? Today we celebrate two years of Linux Malware Detect, open-source (web) malware detection.

The project has seen a lot of change since the first release. What initially started as an internal project to deal with a large increase in malware activity at my job, a mid-sized web hosting company, quickly grew into a larger, established project that proved useful for the hosting community at large. I spent nearly three months collecting malware to form the base of the initial signature set, developing the program logic and engaging people in WHT & cPanel IRC to test the early releases. Those first releases had fewer than 200 signatures, were strictly MD5 based, and used techniques that were less than efficient and in many ways flawed.

As the project matured through its early releases, the reality of Linux (web) malware detection became evident: there were few or no tools that existed for the job, and LMD was filling an important void. The few tools that did exist were either not focused on malware or were commercial solutions that made no effort to share malware signatures or resources with the Linux community at large. This quickly led to a litany of feature requests for LMD along with a mountain of malware submissions from early adopters, all of whom saw in LMD what I saw: the potential to become an effective and crucial tool in combating malware.

Within the first couple of major releases, LMD saw an explosion of features and signatures which contributed to the maturity of the project. There were major additions such as hex-based pattern matching, quarantine support, a reporting system, real-time inotify monitoring, malware checkouts, clean and restore features, and much more. The signature base grew from some 200 to 8,388 at the time of this writing, an average of almost 350 new signatures per month.

The project now sits at version 1.4, which was released in April of 2011. Though the current release is 6 months old, that is by no means an indicator of the project's status but rather of its success and the maturity therein. The project still receives near-daily signature updates; the malware queue from checkouts has never been busier, with an average of 85 malware submissions per day; and the manual review queue for checkouts sits at just over 3300 files, an ever-challenging task to maintain but one I do willingly. Though there is much room for improvement and many features that can be added to LMD, at the moment there are no pressing features required by LMD. Do I have plans in store for the project in the short term? Yes, of course, but like many open-source projects, time commitment to the project has to be balanced with my job and personal time, so the priorities often shift between signature maintenance, feature development and work on other projects.

The success of the project can be measured by the 13,051 installations (at time of writing) that report in daily, the 540+ new installations per month and the over 17,000 Google references to the project. I am proud of LMD and where it has come in the last 24 months, and I am very encouraged by where I see it going in the future. I look forward to many years of success ahead for LMD and hope you will continue to trust in LMD to combat your malware threats.