    Has your computer been hijacked?

    Visit this website and check: http://www.dcwg.org/detect/
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.

    #2
    Specifically for Windows and Macs? I don't see anything on the site that specifies, or even identifies, Linux machines.
    Windows no longer obstructs my view.
    Using Kubuntu Linux since March 23, 2007.
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      That checker is looking for evidence of specific pieces of Windows malware... Alureon and Zlob.



        #4
        Which, I'm assuming (there I go, assuming), applies only to Windows PCs, or maybe Wine on Linux?



          #5
          Alureon is a rootkit, so an unprotected Windows VM is potentially vulnerable. Zlob modifies IE browser helper objects, so I suppose it could infect a Wine installation -- I don't know enough about how Wine works to offer any certainty here, though.



            #6
            My assumption was that the malware infected Windows machines only.

            I posted it because several folks on the forum also run Windows in dual boot or by virtual guest, and may not be aware that their Windows machine may be compromised. I should have been more clear.



              #7
              For the curious... more on the FBI's takedown of the Alureon/DNSchanger botnet.



                #8
                All of this is very interesting. It was a seemingly rather ubiquitous virus that led me to adopt Linux as my main OS. After installing Kubuntu, one of my first actions was to install ClamTK and run a recursive scan. It found 52 infected files and quarantined them. I later deleted them. Since then, I've found nothing. Of course, I don't surf in Windows anymore. The virus I caught that sent me to Linux, I caught from going to only three well known and fairly respected sites, after having my machine's HDDs professionally cleaned (which consisted of having the HDDs wiped, followed by a new Windows installation). After having this done and getting my computer home, I logged into my then homepage, Google, then checked my Hotmail account (without opening any email), and then went to Craigslist and boom, I was infected again. I forget the name of it; I believe it was a rootkit, PNS?rootkit. At any rate, it was scrambling any JPEG file I accessed.
                Now I know any machine can be hacked, no matter what the OS. Even running Linux we should be concerned with malware. So I suppose my question is: can our machine's Windows installation catch malware through our Linux browsing? Would a ClamTK scan block the infection? I know this question exposes me as the rank amateur I am, but I'm not the only one browsing this site, so the answer may be important to some.



                  #9
                  The single most important thing you can do to protect a Windows machine -- whether on-metal or virtual -- is not to run as local administrator.

                  You know how, in Linux, you have to sudo to make any system-wide changes or install software? That's because your user account lacks these privileges. Any malware that manages to worm (ha ha) its way onto your computer will have very limited ability to do anything. It has to overcome two hurdles: getting the execute flag set on the file and launching with higher privileges.

                  On a default Windows setup, the first user created during installation possesses full administrator privileges. When people create additional accounts on a Windows machine (for family members, typically), they invariably create these as administrators, too. Downloaded malware runs with full privileges and can wreak havoc. Also, Windows does not support the notion of an execute flag. If a file ends with ".exe" or the contents of the file start with "MZ" plus certain data structures, then that file will run -- there are no user-controllable attributes that can override this.

                  Browsing the Internet from a Windows computer using the account you created during setup means that the Internet is the administrator of your PC. This is bad! I have for a long time encouraged people to change their account type to Standard, which you can do in the control panel. Before you do this, though, create another administrator account, write down the password, and protect the piece of paper. You'll need to either log in to or runas this account if you want to install something or make systemwide changes.



                    #10
                    Steve,

                    Worthy advice! However, my problems started with just such a setup. I set up an administrator account (passworded (a perfectly good noun misused as a verb)), only rarely used when I needed to download, and a 'users' account that I did my surfing with. I had accounts with AVG and Malwarebytes, and I also used Spybot. I used these regularly; I probably spent 4 or 5 hours a week scanning, updating, etc. Add to that $100 bucks or so a year in membership fees. Am I glad I switched to Linux! Now all I use in Windows is Immunet, a great open-source Windows version of ClamAV. Of course, I don't surf from Windows anymore.
                    I do have a bad habit, though. I am obsessed with and collect small, old things. My auction people call them 'artifacts'. Anyway, I do a lot of online research for identification and so go to a lot of obscure and unusual sites. Frequently my searches involve searching 'images' in my search engine and following likely links. I picked up most of my infections this way. However, it's a necessary evil. It's the best way to identify some obscure device, coin, engraving or other that caught my eye at a sale.

                    capt-zero



                      #11
                      Originally posted by capt-zero:
                      ..... After installing Kubuntu, one of my first actions was to install ClamTK and run a recursive scan. It found 52 infected files and quarantined them. I later deleted them.
                      Did you install Kubuntu as a dual boot to Windows? I ask because finding 52 infected files after installing Kubuntu implies that the infected files were in the downloaded Kubuntu ISO, which, I believe, is not the case; otherwise tens of thousands of people would be reporting Kubuntu viral infections, but I haven't heard of any. ClamTK (the GUI to ClamAV) and ClamAV are usually installed on Linux in order to run ClamAV against the Windows partition while running Linux. That way, Windows cannot be running and any infections won't be in memory while running ClamAV. IF that is the case, then the 52 files were on the Windows partition and not part of Kubuntu.



                      Originally posted by capt-zero:
                      Since then, I've found nothing. Of course, I don't surf in Windows anymore. The virus I caught that sent me to linux, I caught from going to only three well known and fairly respected sites, after having my machine's HDD's professionally cleaned (consisted of having the HDD's wiped followed by a new Windows installation). After having this done and getting my computer home, I logged into my then homepage: Google, then checked my hotmail account (without opening any email), and then to craigslist and boom I was infected again. I forget the name of it, I believe it was a rootkit, PNS?rootkit. At any rate it was scrambling any jpeg file I accessed.
                      I am also curious about how the HDDs were cleaned. "Wiping" an HD to some techies involves only reformatting the C: drive and not the MBR or phantom partition. Viruses and Trojans that are really tough to remove are those lodged in the MBR and/or the phantom partition on which the Windows recovery files are stored. Re-installing Windows after merely reformatting the C: just re-installs the Trojan or virus as well. After a cleaning, techies use the phantom partition, along with the disks created during the first install, to re-install Windows, unless the owner had installed from a full-install CD. IF they don't reformat the MBR and the phantom drive, then re-installing Windows is a LOT easier, but these days it doesn't remove the embedded malware.

                      IF the C:, the MBR and phantom partitions are erased and the whole HD reformatted then there is no way to install Windows without a full-install CD.

                      I am also curious about the "New Windows" installation. Did you buy a full-install CD? When my licensed XP CD failed to install I took it to a Windows repair shop to have them re-polish it. They "tried" using their polishing machine but couldn't get my XP CD to boot. So, they sold me a CD which contained a copy of a "volume" XP licensed CD. It wouldn't boot on my laptop. So, I spent several hours using various hand polishing techniques and got my CD able to boot so I could install it. Curious, I checked the license key on the "volume" CD and found it was a hacked key. I suspect the copy of XP was illegal as well, and probably infected. (Straight off PirateBay?)


                      Originally posted by capt-zero:
                      Now I know any machine can be hacked, no matter what the OS. Even running linux we should be concerned with malware.
                      True, any OS can get infected. It's just that some can get infected a LOT easier than others. On a Linux box a firewall with all ports closed (never completes a three-way handshake), which Kubuntu has, is a good first step. The next precaution to take is to NEVER allow yourself to be socially engineered:
                      1) don't save a file attachment, or download a file, that comes uninvited from unknown sources,
                      2) failing #1 then don't add the "x" permission to that file and,
                      3) failing #1 & #2, don't execute that file as you or as root.
                      A user that fails all three steps deserves the problems they'll get.

                      As far as browsing goes, it is possible for a webpage to run the JavaScript interpreter, or a plugin like Flash or Java, that looks for a browser bug that can be exploited to run shellcode placed in memory. The shellcode must escape whatever protections the browser has - for a Chrome bug it would have to escape Chrome's sandbox and attempt to escalate to root privileges. There are so many Java bugs, which is why it is favored by malware coders. So, now IF the shellcode is running on your machine as root, it can write its assembly payload to a file or go download a file from the internet and run it. On Linux the shellcode still has to add the "x" permission to the file, but it can only grant the privileges it already has from the user it is running under.

                      Moral: DON'T RUN AS ROOT. That's why sudo is made the way it is. Escalating to root in Linux is no trivial task.

                      For really secure browsing, if running in a Chromium sandbox isn't enough, one can create a jail-house and run the browser in it. Any infections are lost when the jail is closed. Jail-breaking is another task that is not trivial.

                      As far as your jpg images being corrupted: sophisticated malware will usually use the shellcode in JavaScript as a stager to pull down more complicated, sophisticated code. Everything depends on the bug and exploit - all the logic and shellcode could be in an image that busts an image parser, hence your complaints about a jpg file not displaying or displaying properly.

                      In Kubuntu, you can install rkhunter, and/or chkrootkit and have them run as daily in cron. They can be configured to send you emails when a file is added or changed or removed, when compared with the previous run. I install both. (BTW, if you have GoogleEarth installed it will want to remove it because GoogleEarth installs with missing "dependencies")


                      Originally posted by capt-zero:
                      So I suppose my question is; can our machine's Windows installation catch malware through our linux browsing? Would a Clamtk scan block the infection? I know this question exposes me as the rank amatuer I am, but I'm not the only one browsing this site, so the answer may be important to some.
                      Generally, NO.

                      IF you are dual booting with Windows or have installed Linux using WUBI, then Windows is NOT running when you are running Linux, and generally the Windows fs is not mounted unless YOU mount it.

                      I don't mount the Windows partition on my dual boot installation unless I want to move a file to the Windows side, and then I mount it only to move the file, then I umount it.

                      The default firewall installed by Kubuntu is more than adequate to block outside attacks against the ports.

                      I don't have AV software installed. It won't protect you from malware for which the signature is not yet in the dat file, and machines have to be infected in sufficient numbers before the infection gets noticed. One or two infections only means that the machines are in some lab of an AV vendor and they are experimenting with viruses. By the time a virus gets noticed, many machines could already be infected. The best route to take is to install software ONLY from a vetted repository (like Kubuntu's, Medibuntu, SourceForge, etc.) and from people you know on Launchpad, like Riddell, etc.

                      IMO, Rkhunter and chkrootkit will keep you informed if something changes on your fs without your knowledge. If it sends you an email or posts a msg in the log, you can quickly locate the problem and resolve it. (Not all changes are bad.).

                      EDIT: I forgot to add three points.
                      Android is the world's most popular smartphone. Android is based on Linux with Java layered on top. As of December there were 450,000 paid and free apps in the Google store, and that month there were 10 billion downloads. One source puts the number of different malware attacks at 70,000, almost 2% of the number of apps. Running Linux with a promiscuous DE and layered with Java appears to create a very vulnerable environment. Google doesn't want to restrain app developers because they want to catch up with iPhone's 5 million apps. However, iPhone is having security problems of its own for the same reason, even though it doesn't rely on Java.

                      Linux did have an "ActiveX" promiscuity problem a few years ago when it was discovered that an email attachment that ended in ".desktop" and was saved to the desktop would automatically execute. This was discovered while I was running Mandriva, just before I moved to Kubuntu in Jan of 2009. I tested it rather quickly but it had already been patched (within two days!) and didn't work on my installation. So, careless coding can lead to serious problems.

                      As long as folks keep a good firewall, have good passwords, don't run as root and do not succumb to social engineering, there is little chance of their Kubuntu installation being infected. Some have said that the only reason why Linux isn't as infected as Windows is because it isn't as popular. That myth has been punctured. The Linux desktop marketshare ranges from 12% and up depending on the geographical location. Based strictly on "popularity" if Windows has about 2 Million viruses per year (Ed Bots counted 17M in 10 years, but ascribes most of the ones in the last 4 months to non-Windows OSs), then Linux should see about 200K viruses per year. I can't think of a successful Linux virus last year, even though AV houses reported several hundred. Checking on those you'll find they were found on only 2 or 3 PCs and were of low risk. Two or three? The only way that is possible is if the PCs were in the AV software house labs. The last big Linux "infection" was last September, when it was discovered that a team of hackers took six months to collect 700 Linux boxes that were either running as root or had weak passwords. IOW, a brute force manual attack. Their motive? They used the Linux boxes as "command and control" boxes, each box controlling hundreds of Windows boxes. After they'd break in they'd secure the boxes properly so no other hackers could break in and steal what they stole.
                      Last edited by GreyGeek; Apr 23, 2012, 02:35 PM.
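                      As an added illustration of the "compare with the previous run" check GreyGeek describes for rkhunter and chkrootkit, here is a minimal file-integrity baseline in Python. This is example code, not part of the thread and not how either tool is implemented; the directory, file names and contents in demo() are constructed for the demonstration.

```python
"""Minimal file-integrity baseline in the spirit of the daily rkhunter/chkrootkit
cron run described above: hash a tree, compare with the previous run's stored
baseline, and report which files were added, changed or removed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(previous, current):
    """Diff two baselines into sorted lists of added, removed and changed paths."""
    prev, cur = set(previous), set(current)
    return {
        "added": sorted(cur - prev),
        "removed": sorted(prev - cur),
        "changed": sorted(k for k in prev & cur if previous[k] != current[k]),
    }


def run_check(root, baseline_file):
    """One scheduled run: compare against the stored baseline, then replace it.
    The first run only records the baseline and reports no differences."""
    baseline_file = Path(baseline_file)
    current = hash_tree(root)
    previous = json.loads(baseline_file.read_text()) if baseline_file.exists() else None
    baseline_file.write_text(json.dumps(current, indent=1, sort_keys=True))
    if previous is None:
        return {"added": [], "removed": [], "changed": []}
    return compare(previous, current)


def demo():
    """Constructed scenario in a temp dir: a clean first run, then a second run
    after one file is modified, one is added and one is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp, "bin")  # constructed stand-in for a system directory
        tree.mkdir()
        (tree / "ls").write_bytes(b"constructed stand-in for the ls binary")
        (tree / "ps").write_bytes(b"constructed stand-in for the ps binary")
        baseline = Path(tmp, "baseline.json")
        first = run_check(tree, baseline)
        (tree / "ps").write_bytes(b"modified ps contents")  # changed
        (tree / ".hidden").write_bytes(b"new file")         # added
        (tree / "ls").unlink()                               # removed
        second = run_check(tree, baseline)
        return first, second
```

                      Calling demo() returns an empty report for the first run and, for the second, '.hidden' as added, 'ls' as removed and 'ps' as changed; in a real deployment run_check would be invoked from cron against the directories you care about and its non-empty result mailed to you.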



                        #12
                        Where's the +1, like or thanks button?

                        Nothing to contribute, but what GreyGeek wrote is a nice piece of writing. Thanks.
                        "Just keep on learning. Little by little... If you're empty, then you can take in anything. If you want to be reborn, then it's in your best interest to become empty." - Vinland Saga



                          #13
                          GreyGeek,

                          I'm not sure what process was used to "wipe" the hard drive at the shop. It is more than likely that I returned with the same infected MBR that I brought in with my machine. This incident sparked my interest in learning about and 'toughening' up my own defences. As I mentioned in an earlier post of mine, my knowledge of my system really began with that moment. Before, I had been a strictly casual surfer (more of a paddleboarder), willing to be floated by the whims of the medium. Like most people, I just assumed that viruses and Trojans were just a part of the internet and a burden you just had to tolerate if you wanted to surf. Finding Linux, though, has sparked a long dormant interest in computer science that I had earlier in life during the era of the Trash-80s. I have learned an enormous amount in the last two months, but am still an absolute greenhorn.
                          I'm going to try both of the programs you mentioned. Even though we use Linux, I still believe we have to keep our defenses up. There are a lot of predators out there and some of them are quite ingenious.



                            #14
                            Sorry Greygeek, I closed my post without a proper thank you and a sincere note of gratitude for your help.

                            thanx,
                            capt-zero



                              #15
                              Originally posted by capt-zero:
                              .... Even though we use Linux, I still believe we have to keep our defenses up. There are a lot of predators out there and some of them are quite ingenious.
                              For sure, on both points!
