Get APLawrence.com by RSSWindows Spam on Linux
2009/08/14
by Bill Mohrhardt
I was NOT on-line last night, actually reading a book instead, when my wife comes downstairs saying that our computer is telling her that it has been infected with spyware and that we NEED to download some software to fix that.
I chuckled, of course, knowing that our computer is RHEL5 using Firefox 3.0.x. But, being the 24/7 support person, I went upstairs. The odd thing was that the screen behind the dialogue box looked very Windoze-like. I went to a terminal window, and did a kill -15 on the firefox process. That killed it right away, and it was only using 5% of CPU, so it couldn't have been too evil.
I then did a find / -ctime 0 -print to see all of the changes/adds. Interestingly, there were some .wine files in our /tmp, which would explain the Windoze-like appearance. I am kind of curious now what the thing might have tried to do had we agreed to download their anti-spyware.
Anyway, I wiped out the /tmp stuff, and our Firefox is already configured for clearing out temporary Internet files upon exit. I then did a restart, and checked my ps -ef and everything was all clear. I will admit though, that Firefox 3.0.x (versus 2.0.x) seems to be a very busy program, using CPU time even after one closes it out. It is probably writing some cached database entries of some variety. Who knows?
Gee, maybe I need one of those Linux-based anti-spyware programs........ not!
More Articles by Bill Mohrhardt
/Linux/win-spam.html copyright August 2009 Bill Mohrhardt All Rights Reserved
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
I sell and support
Kerio Mail server
Click here to add your comments
Wed Aug 19 01:51:10 2009: Subject: drag
I recently lent a Linux laptop to a friend that needed it for job hunting (she recently being unemployed). She is a fan of places like Myspace in the past and has recently discovered Facebook and is now happily tearing it up online during her period of joblessness. (Yay for people that have open wifi!)
She somehow gone to a web page that worked it's way around Firefox's (Iceweasel, actually) pop-up prevention and proceeded to convince her that she had no less then 150 different pieces of malware detected and she needed to run the anti-spyware software immediately.
Of course she panicked and didn't know what to do. Being the enterprising type she was hoping that she could resolve the problem without my intervention.
The next weekend I visited her and saw that she downloaded and attempted to execute about 20 different instances of the malicious 'anti-spyware' program. I didn't have Wine installed so none of them executed. A quick drag to the trash and it was history.
A example image of the sort of thing that people run into while using Linux:
http://www.geeksaresexy.net/wp-content/uploads/2009/01/linuxvir.jpg
Kinda amusing. Although I suppose it could of been a ELF executable as much as a Windows Exe. In that case she would of been screwed for a while.
Of course the machine is setup to use 'su', not sudo in the Ubuntu-style, and she had no idea what the root password would of been anyways... So the thing would of probably been limited to her user account (unless it was smart enough to figure out a local privilage escalation exploit, which (unfortunately) is not terribly difficult to find in any OS). Cleaning up a infection limited to a user account should be easy to clean up.
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar