Cross-browser firefox/konqueror malware on Ubuntu Dapper

Ken Siersma siersmak at ekkinc.com
Fri Aug 4 16:57:23 UTC 2006


Michael V. De Palatis wrote:
>> On 8/4/06, Charlie Zender <zender at uci.edu> wrote:
>>     
>>> Help! My Ubuntu Dapper laptop has malware infecting its browsers!
>>> About three weeks ago my Firefox browser started showing signs of
>>> malware infestation. The symptoms are that the browser re-directs
>>> my normal requests to click-for-pay sites www.ownbox.com and usseek.com.
>>> To get rid of this malware I've tried
>>>
>>> 0. Re-booting
>>> 1. Purging and re-installing firefox
>>> 2. Deleting my ~/.firefox directory
>>> 3. Running Konqueror instead
>>>
>>> None of these work. After a few hours of browsing the re-directs to
>>> the click-for-pay sites begin again. So this cross-browser malware
>>> has somehow installed itself in files that survive re-boots and
>>> browser re-installs. I've found other reports of this malware related
>>> to Windows PCs, but no instructions on how to erase it from Linux.
>>> Any ideas:
>>>
>>> 1. How to find its source and erase it completely from disk?
>>> 2. How to tell if it's phoning home my passwords?
>>> 3. Sites that discuss this particular malware?
>>>
>>> Thanks,
>>> Charlie
>>>
>
> One question: Is your computer behind another computer that is
> connecting to the Internet? That is, does your Linux machine get its
> IP from, say, a Windows PC that is the one directly connected and
> sharing the connection? If that is the case, it may be a problem with
> that machine rather than the Linux one.
>
> I have never heard of any malware affecting Linux, so if the above is
> the case, that might be the problem. Otherwise, I hope malware doesn't
> start becoming as commonplace on Linux as it is on Windows...
>
> Mike
>
>
This is quite interesting. I haven't heard of malware on Linux either,
but the day will come, I'm sure. If it ends up being determined that
malware modified a system file on Ubuntu, I have to wonder whether this is a
downside to the system's extensive requirement of the use of sudo? I
propose that it's possible that the malware recognized this as an Ubuntu
distribution, then asked the unsuspecting (and unsuspicious?) user to
enter the root password so that it could do whatever it supposedly
wanted to do, and then went in and modified /etc/hosts or whatever.

Just thinking out loud. I do think (and hope) that what really happened
is the user's files were modified, not the system files. But I have no
idea which ones...

-Ken

-- 
Ken Siersma, Software Engineer
EKK, Inc.
http://www.ekkinc.com
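Ken speculates that the redirects could come from a modified /etc/hosts. The script below is an added example, not code from anyone in this thread, showing how a defender would check for that: it parses a hosts file, flags public-looking hostnames pinned to anything other than a loopback address, and diffs the file against a known-good baseline. The baseline content is a constructed approximation of a stock Ubuntu hosts file (the hostname "dapper-laptop" and the 203.0.113.x hijack entries are made up for the demo), and the heuristic deliberately ignores whether the browser-visible redirect targets are involved, since a hosts hijack works on the sites being requested, not the sites being landed on.

```python
"""Inspect an /etc/hosts file for entries that would silently redirect
public web sites (the hijack technique speculated about in the thread).
Added example; nothing here is taken from the original mailing list post."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class HostsEntry:
    lineno: int
    address: str
    hostnames: List[str]


# Constructed approximation of a stock Ubuntu hosts file; the hostname
# "dapper-laptop" is an assumption, not something from the thread.
BASELINE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       dapper-laptop

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
"""

# Constructed sample of a tampered file: two public sites pinned to an
# address in the TEST-NET-3 documentation range (203.0.113.0/24).
TAMPERED_HOSTS = BASELINE_HOSTS + """\
203.0.113.10    www.google.com
203.0.113.10    search.yahoo.com  # constructed hijack entries
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '<address> <name> [<name> ...]', '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        entries.append(HostsEntry(lineno, fields[0], fields[1:]))
    return entries


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Heuristic: a dotted (public-looking) hostname mapped to a
    non-loopback address is what a hosts-file redirect looks like.
    Loopback entries (127.x, ::1) and bare local names are left alone."""
    flagged = []
    for entry in parse_hosts(text):
        if ipaddress.ip_address(entry.address).is_loopback:
            continue
        if any("." in name for name in entry.hostnames):
            flagged.append(entry)
    return flagged


def added_entries(baseline: str, current: str) -> List[HostsEntry]:
    """Entries present in `current` that a known-good baseline lacks."""
    known = {(e.address, tuple(e.hostnames)) for e in parse_hosts(baseline)}
    return [e for e in parse_hosts(current)
            if (e.address, tuple(e.hostnames)) not in known]


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/hosts) to check a real file; otherwise the
    # constructed tampered sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TAMPERED_HOSTS
    for e in suspicious_entries(text):
        print(f"line {e.lineno}: {e.address} -> {' '.join(e.hostnames)}")
```

Run it against the live file with `python3 check_hosts.py /etc/hosts`; on an untouched Dapper install it should print nothing. The baseline diff is the more reliable of the two checks, since a hijacker may use a name without a dot or a private address that the heuristic would miss.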

More information about the ubuntu-users mailing list