
Loads of Viruses Computer seriously compromised?

My arse
I got on a fake site through a Google search for a recipe, I was told my Computer's C-drive and Windows security were infected and a pop up got past Firefox's pop up stopper. A script did a fake scan and all sorts of windows file locations came up as infected. I was even told a dynamic link library (.dll) was infected!
The pop ups tried to get me to download stuff whether I closed them, pressed cancel or closed from toolbar. Obviously didn't happen.

Unfortunately the site was apparently not able to detect I was not running windows and was on a linux box, so no windows security, no C drive (it's /dev/hda1) and no .dll of any kind except a couple I run in WINE, mainly IE, which I only have for the Starbucks site and 4OD.

I have marked it in Web of Trust.
For those of you who may be concerned I got my recipe and it's sitting in the slow cooker now.
The truth may be out there, but the lies are inside your head. Terry Pratchett


http.thisisnotalink.cöm

Comments

  • busenbust
    busenbust Posts: 4,782 Forumite
    For those of you who may be concerned I got my recipe and it's sitting in the slow cooker now.
    ^:rotfl: :rotfl:
  • busenbust wrote: »
    ^:rotfl: :rotfl:
    I take it the recipe used a whole bottle of WINE :beer:
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    Fooooodddddddd......this is more like it :T

    Could I ask what's cooking :drool:
  • adouglasmhor
    adouglasmhor Posts: 15,554 Forumite
    Photogenic
    fiddiwebb wrote: »
    Fooooodddddddd......this is more like it :T

    Could I ask what's cooking :drool:

    Italian style bean and Kale soup with carrot and onion.
    Home made bread proving so I just throw it in the oven when I get home.
  • busenbust
    busenbust Posts: 4,782 Forumite
    Italian style bean and Kale soup with carrot and onion.
    Home made bread proving so I just throw it in the oven when I get home.
    :drool: Can we help each other here on cooking tips:rotfl::rotfl:.
  • gaming_guy
    gaming_guy Posts: 6,128 Forumite
    1,000 Posts Combo Breaker
    Unfortunately the site was apparently not able to detect I was not running windows and was on a linux box, so no windows security, no C drive (it's /dev/hda1) and no .dll of any kind except a couple I run in WINE, mainly IE, which I only have for the Starbucks site and 4OD.

    That's the thing about these sites. They can easily see what OS and browser you use (it's in the user agent) but just throw the content up anyway.

    I have had one which correctly picked up that it was a Dell box (running Windows) I was using but luckily it never infected it as I killed the browser via Task Manager.
  • adouglasmhor
    adouglasmhor Posts: 15,554 Forumite
    Photogenic
    gaming_guy wrote: »
    That's the thing about these sites. They can easily see what OS and browser you use (it's in the user agent) but just throw the content up anyway.

    I have had one which correctly picked up that it was a Dell box (running Windows) I was using but luckily it never infected it as I killed the browser via Task Manager.

    I just enjoyed watching it "scan" all sorts of bits of my "windows" system which was not even there.
    Like I said it's marked up in WOT now so hopefully it will stop someone else getting on to the rip-off page.
  • busenbust
    busenbust Posts: 4,782 Forumite
    I just enjoyed watching it "scan" all sorts of bits of my "windows" system which was not even there.
    Like I said it's marked up in WOT now so hopefully it will stop someone else getting on to the rip-off page.
    So long as you are reasonably happy with your current anti-virus and anti-malware setup, given what has occurred - although no damage done ;) .
  • adouglasmhor
    adouglasmhor Posts: 15,554 Forumite
    Photogenic
    busenbust wrote: »
    So long as you are reasonably happy with your current anti-virus and anti-malware setup, given what has occurred - although no damage done ;) .

    Windows stuff on an Ultimate Edition Linux (Ubuntu derivative) won't run unless I fiddle about with WINE or Winedoors; the download even had to ask me for permission (which it wasn't getting) to download. I assume Firefox will eventually realise there are pop ups and stop them; it seemed to be a new site. Even if I had said OK to a download I would have had a blue diamond symbolising a Windows exe on my desktop; if I had opened it in WINE it would have looked for places to take over that were not there or were only virtual for that session. I run ClamAV so it would not be sending mail on to anyone that carried infection.

    I am relatively happy, though not complacent about my security.
  • adouglasmhor
    adouglasmhor Posts: 15,554 Forumite
    Photogenic
    Here's the scores on the doors for linux exploits.

    Trojans
    Avoid being Root or SuperUser, see RootSudo. Avoid entering your password to grant higher levels of permission to programs without being aware of having started those programs. Unexpected extra internet traffic is a possible indication. The quoted risk level was at the malware's peak performance.

    Kaiten: Linux.Backdoor.Kaiten discovered 14th Feb 2006, risk level low.

    Rexob: Linux.Backdoor.Rexob discovered 26th July 2007, risk level very low.


    Viruses
    Alaeda infects other binary (program) files in the same directory. If you run as a normal user doing non-programming work, you should not have any other binaries in your home folder. Alaeda won't have anything to infect. This is a good reason why you shouldn't download and install random files off the Internet. If you don't know why you're typing in your password, don't do it. Realistically, though, ELF files (the Linux equivalent of a Windows .exe) are pretty picky about what system they run on, so the chance of getting infected is slight.

    Bad Bunny discovered 24th May 2007. Once executed, the threat infects all files in the folder the SB.Badbunny worm was originally executed - so don't run it somewhere you have files that you don't want to get infected. Its file name was "BadBunny.pl". It was written as a cross-platform virus affecting Windows users far more than Linux users because it's easier for programs to grab Root or SuperUser privileges in Windows.

    Binom is from 2004 and affected ELF files in a similar manner to Alaeda. The same conditions apply here. Your chance of getting infected is zilch if you don't give a password, and not much even if you do. Be safe, though, and don't run random attachments.

    Bliss was probably a proof-of-concept by someone from 1997 trying to prove that Linux could be infected. Because of the Linux user privilege system and the thousands of versions of Linux, it didn't do well at all. This is my favourite virus. It writes a neat log of all its actions to /tmp/.bliss and even has a "--bliss-uninfect-files-please" command line option which actually does what it says. The writer apologised for not having enough time to develop bliss beyond the beta-testing stage. It's one of the very few viruses that made it out into the wild but couldn't spread faster than people were (usually accidentally) wiping it out. Also, almost nothing about the Linux kernel is the same as it was in 1997 so Don't Panic! This one is almost a collectors item but i think it's extinct.

    Brundle-Fly was a research virus for an operating systems course and was never in the wild. It even has a website and an uninstaller. If you want to get infected by a virus, this one is good. You'll need to compile it for your system, though, so be prepared to follow a lot of complicated instructions.

    The Bukowski Project This project is intended to demonstrate that current popular approaches to software security (e.g. DAC, VMA randomization, etc) are not sufficient and that other approaches should be considered more seriously (e.g. MAC, design by contract). Their website

    Diesel is called "relatively harmless" by viruslist.com. It's an ELF virus, just like the others, discovered in 2002. No need to be concerned.

    The Kagob Virus comes in two flavors and even contains a copyright notice (2001). There are no symptoms of infection. Interestingly, when run, the virus disinfects the infected file to a temporary directory before running, then deletes the file after it is executed. Same ELF problems as before. You won't get this one, either.

    MetaPHOR also known as Smilie is another project with its own web page. The exact function and evolution of the virus is laid out. From 2002, it shouldn't represent any risk, even if you can find one in the wild. If you really want to get infected, download the source and compile it yourself.

    Nuxbee Virus.Linux.Nuxbee.1403, discovered Dec 2001. This was a fairly harmless, non-memory resident parasitic Linux virus. It searched for ELF files in the directory bin, then wrote itself to the middle of the file. The virus infected files if run with SuperUser rights. It wrote itself to the Entry point offset, encrypted and saved original bytes at the end of a file. See the page at VirusList.

    OSF.8759 is the first really dangerous virus on the list. It not only infects all files in the directory (and system files if run as root), but also installs a backdoor into your system. The backdoor doesn't suffer from the problems of normal ELF viruses because the virus itself loads the backdoor. This means that the virus still needs to work under ELF, though, limiting the chance that it will work on your system. Since the virus is from 2002, there is virtually no chance that it will run on your system. If a new version becomes available, you might need to worry.

    Podloso The iPod virus, discovered 4th April 2007. Linux.Podloso was a proof-of-concept virus that infected specific iPodLinux files on the compromised device. Once the infection routine was completed the message "You are infected with [REMOVED]e first iPodLinux Virus" was allegedly displayed. It also displayed predetermined greetings message when Linux was shutdown.

    Rike discovered August 2003. Rike.1627 was a non-dangerous non-memory-resident parasitic virus. It searched for Linux executable files in the current directory, then wrote itself to the middle of the file. Its size was 1627 bytes and it was written in Assembler. Next, the virus inserted a Jump command to the Entry Point address. See the page at VirusList.

    RST is also from 2002 and also installs a back-door. It, however, operates under normal ELF rules, making it virtually harmless to today's systems.

    Satyr discovered in March 2001 and was another harmless non-memory-resident parasitic Linux virus. The virus was a Linux executable module (ELF file). It searched for other ELF files in the system, and then attempted to infect them. From VirusList again.

    Staog was the first Linux virus, created in 1996. It used vulnerabilities which have long been patched. It cannot harm you.

    VIT is another ELF virus, this time from 2000. Since Ubuntu didn't exist seven years ago, you won't be running a system that old and won't be infected.

    Winter is also from 2000 and is the smallest known Linux virus. It suffers from the same problems as all ELF viruses.

    Lindose was also known as Winux and PEElf. It was another proof-of-concept virus, showing how a virus can be constructed to infect both Windows and Linux computers. It has never been seen in the wild. Made in March 2001.

    Wit apparently released December 2007, another proof-of-concept by the looks of it.

    ZipWorm passes by infection of .zip files. When run, the virus infects all other .zip files in the directory. It has no other ill effects. From 2001, it is unlikely you'll ever run across it.


    Worms
    Net-worm.linux.adm: This is from 2001 which exploited a buffer overrun (one of the most common methods for viruses). It scans the network for computers with open ports, tries the attack, infects web pages hosted on the system and propagates further. This worm is not dangerous to you because the buffer overruns have been patched for years and you do not have any open ports.

    Adore: An infected computer scans the network for DNS, FTP, and printer servers, infecting them using various methods. A back-door is installed and the worm propagates itself. This worm is not dangerous to you because the methods of attack are also from 2001 and have been long patched. Even if they weren't patched, you don't have these services running on your Ubuntu system.

    The Cheese Worm used a back-door which was installed by another worm. The Cheese Worm then removed the back-door and propagated. It was an attempt to clean an already infected system. This worm is not dangerous because the worms it needed to propagate are no longer dangerous. Whether it was ever dangerous in the first place is debatable.

    Devnull is a worm from 2002 which used an old OpenSSL to infect a system, becoming part of an IRC controlled botnet. The worm could only propagate if a compiler was present on the system. The vulnerability this worm used has long been patched. OpenSSH is not installed on your system by default.

    Kork uses the Red Hat Linux 7.0 print server and needs to download part of itself from a website. That website no longer exists. Red Hat 7.0 is not Ubuntu Linux. You are safe.

    Lapper has no information about it at all, anywhere, so I can't give you any information about it, but it was added to the list in 2005, and any vulnerabilities it exploited have almost certainly been patched by now. I can't say for certain whether this worm could affect you or not, but most vulnerabilities are patched within days, not weeks, so two years makes it very unlikely you could be affected by this.

    The L10n Worm (pronounced "Lion") was active in 2001 and used a printer server for exploit. The vulnerability has been patched and the server is not installed on Ubuntu. This is no danger to you.

    The Mighty Worm appeared in 2002 and used a vulnerability in the secure session module of the old Apache web server, installing a backdoor and joining an IRC botnet. This vulnerability has been patched, Apache is not installed on your system, and the entire architecture of the web server has changed. You can never get infected.

    Millen discovered 18th November 2002. It replicated to Linux systems on Intel platforms and used remote exploits on four different servers to spread to vulnerable computers. If it succeeded in exploiting a system, it spawned a shell on the system to retrieve the mworm.tgz package by using ftp. It then uncompressed the contents of mworm.tgz to the "/tmp/...." directory. The worm was supposed to open a back-door on port TCP/1338 and offer a remote shell to an attacker for connecting to this port.

    Ramen apparently spread in January 2001 attacking only RedHat systems, not our Debian family. An unusual feature of this worm was its calling card that made infected systems easily identifiable: It replaced all files on the system named "index.html" with a modified version with the page title "Ramen Crew"

    The Slapper Worm used the same vulnerability as the Mighty Worm and operated similarly. You can't get this one, either.

    SSH Bruteforce was apparently being developed in 2007 but seems to have never reached even alpha release, let alone beta-testing!

    That's the entire list of Linux viruses and worms. Fewer than thirty. Compare that to the estimated 140,000 viruses for Windows, and you'll understand why people say you don't need a virus scanner on Linux.

    I don't agree and run clam AV even if I am not vulnerable I don't want to forward any nasties on by mistake to someone else. Also someone may decide to make a new one one day.
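As an added example (not code from the post above or from the Ubuntu wiki list it quotes), here is a small Python script that inventories what a same-directory ELF infector like Alaeda or Binom could actually touch when run as a normal user: ELF files under a home directory that still have a write bit set. The directory layout it builds is constructed for the demo.

```python
"""Inventory of the ELF files a user-level file infector could write to.
Added example; the demo home directory below is constructed, not real data."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def writable_elf_surface(root):
    """Walk `root` and return sorted relative paths of ELF files with any
    write permission bit set: the files a same-directory infector could
    rewrite. Permission bits are checked rather than os.access(), which
    root passes regardless of mode."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_elf(p) and os.stat(p).st_mode & WRITE_BITS:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def build_demo_home():
    """Constructed home dir: a text file, a writable ELF and a read-only ELF."""
    home = tempfile.mkdtemp(prefix="demo_home_")
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13  # minimal e_ident
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("no code here\n")
    with open(os.path.join(home, "tool.elf"), "wb") as f:
        f.write(header)
    locked = os.path.join(home, "locked.elf")
    with open(locked, "wb") as f:
        f.write(header)
    os.chmod(locked, stat.S_IRUSR)  # read-only: infector has nothing to write
    return home


def demo_surface():
    """Builds the demo home and returns its writable ELF inventory."""
    return writable_elf_surface(build_demo_home())


if __name__ == "__main__":
    print(demo_surface())  # expected: ['tool.elf']
```

Run against a real home directory with `writable_elf_surface(os.path.expanduser("~"))` to see whether the "no binaries in your home folder" condition the list relies on actually holds for you.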
This discussion has been closed.