Hello,
My family members were checking some information on Google using the laptop loaded with Lenny. After some time, they got a message saying that there were a lot of trojan and 'blah blah' infections in their system and they should immediately protect it by clicking on the link provided. They called me up to ask what to do and I asked them to simply cancel it and close the window. However, the window was persistent and would refuse to close. It even came to a stage where it wanted to download some exe file to protect the computer. Finally, after a lot of clicking, the window closed. I asked them to restart the system and clear all browsing history. After that, no window has popped up in subsequent use.
Now this is common in Windows, where such popups from infected websites will download spyware that is actually a virus disguised as an anti-virus. Getting such viruses out of Windows systems is a real pain. They disable all admin commands too. However, my worry is the persistent window that refused to go away in Linux. This is mostly due to javascript being enabled in the browser (Iceweasel). Luckily it was an exe file that was trying to get in, and it would be useless in the Linux environment. What happens if it is a Linux-compatible script? Will enabling javascript allow the script to execute? It is a little worrying.
2009/5/10 Rony gnulinuxist@gmail.com:
> Hello,
> My family members were checking some information on Google using the laptop loaded with Lenny. After some time, they got a message saying that there were a lot of trojan and 'blah blah' infections in their system and they should immediately protect it by clicking on the link provided. They called me up to ask what to do and I asked them to simply cancel it and close the window. However, the window was persistent and would refuse to close. It even came to a stage where it wanted to download some exe
My wild guess is that it was one of those malware advertisements that show Windows message boxes with some generic message to clean up the system. The whole message box is a link and obviously refuses to go away.
Anurag
Anurag wrote:
> 2009/5/10 Rony gnulinuxist@gmail.com:
> > Hello,
> > My family members were checking some information on Google using the laptop loaded with Lenny. After some time, they got a message saying that there were a lot of trojan and 'blah blah' infections in their system and they should immediately protect it by clicking on the link provided. They called me up to ask what to do and I asked them to simply cancel it and close the window. However, the window was persistent and would refuse to close. It even came to a stage where it wanted to download some exe
> My wild guess is that it was one of those malware advertisements that show Windows message boxes with some generic message to clean up the system. The whole message box is a link and obviously refuses to go away.
It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
On Mon, May 11, 2009 at 9:54 PM, Rony gnulinuxist@gmail.com wrote:
> It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
That sticky window won't do anything more than just annoy you. If it wants to do some damage to your data, I suspect it will have to get you to:
1) Download the malicious program
2) Chmod it to give it execute permissions
3) Execute it
And to do some real damage to your system and not just your data it will have to also do:
4) Ask for sudo or root password.
If someone actually goes through all of these steps to infect himself/herself with some worm/malware then I guess [s]he has earned it and we should congratulate him/her for the achievement ;)
Siddhesh Poyarekar wrote:
> On Mon, May 11, 2009 at 9:54 PM, Rony gnulinuxist@gmail.com wrote:
> > It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
> That sticky window won't do anything more than just annoy you. If it wants to do some damage to your data, I suspect it will have to get you to:
> - Download the malicious program
> - Chmod it to give it execute permissions
> - Execute it
That should be easy in a malicious javascript.
> And to do some real damage to your system and not just your data it will have to also do:
> - Ask for sudo or root password.
Assuming that many Ubuntu and other sudo users do not set sudo to ask for a password every time, sudo retains a previously typed password for 14 minutes. That time is enough for the unwanted software to sneak in wherever possible.
2009/5/11 Rony gnulinuxist@gmail.com:
> It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
From what I understand of Mozilla's javascript engine, it runs inside a sandbox and has no permission to do anything with the operating system. Javascript code wouldn't be able to automagically download files and set chmod bits.
Anurag
On Mon, May 11, 2009 at 11:03 PM, Anurag anurag@gnuer.org wrote:
> From what I understand of Mozilla's javascript engine, it runs inside a sandbox and has no permission to do anything with the operating system. Javascript code wouldn't be able to automagically download files and set chmod bits.
Not the javascript engine as such, but the extensions surely can do a lot of things like uploading/downloading files. Don't know if they can chmod stuff though.
But chmod is not really necessary actually. I shot my mouth off (more my fingers than mouth actually ;) ) in the earlier email but I remember someone blogging about launchers being used to overcome the execute barrier. One could "execute" a launcher without it requiring execute permissions. In fact, it cannot be too difficult to do the following:
1) Get the user to download the launcher
2) Double-click on the launcher, which could make some change in the menu list such that one of the administrative tasks is modified with my little trojan launcher
3) When the user launches the "infected" administrative task, he is prompted for the sudo/su password, which he happily enters
4) Pwned!
I can't seem to find the blog post off-hand, I think someone at work had pointed us to it. Will post the link when I find it.
On Mon, May 11, 2009 at 11:16 PM, Siddhesh Poyarekar siddhesh.poyarekar@gmail.com wrote:
> I can't seem to find the blog post off-hand, I think someone at work had pointed us to it. Will post the link when I find it.
http://www.geekzone.co.nz/foobar/6229
http://www.geekzone.co.nz/foobar/6236
Yes, most people got stuck with the virus != worm != trojan and all that. Let's call it a design exploit of sorts.
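One way a downloaded launcher can end up "modifying" a menu entry, as Siddhesh describes above, is a same-named .desktop file in the per-user applications directory, which the desktop consults before the system-wide one. As an added example (not code from anyone in this thread), a small POSIX shell check that lists user launchers shadowing a system launcher with a different Exec line; the directory layout and sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: list per-user .desktop launchers that
# shadow a system launcher of the same name but run a different command.
# Assumption: the desktop reads ~/.local/share/applications before
# /usr/share/applications, so a same-named user entry replaces the system one.

# find_shadowed_launchers USER_DIR SYS_DIR
# Prints "name<TAB>user Exec<TAB>system Exec" for each pair whose Exec differs.
find_shadowed_launchers() {
    user_dir=$1
    sys_dir=$2
    for f in "$user_dir"/*.desktop; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        sys_f="$sys_dir/$name"
        [ -f "$sys_f" ] || continue          # no system entry, nothing is shadowed
        user_exec=$(sed -n 's/^Exec=//p' "$f" | head -n 1)
        sys_exec=$(sed -n 's/^Exec=//p' "$sys_f" | head -n 1)
        if [ "$user_exec" != "$sys_exec" ]; then
            printf '%s\t%s\t%s\n' "$name" "$user_exec" "$sys_exec"
        fi
    done
}

# Constructed demo data in a temp dir: one harmless user copy (same Exec)
# and one that has replaced the command of an administrative tool.
demo_shadowed_launchers() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/user" "$tmp/sys"
    printf '[Desktop Entry]\nName=Editor\nExec=editor %%U\n' > "$tmp/sys/editor.desktop"
    printf '[Desktop Entry]\nName=Editor\nExec=editor %%U\n' > "$tmp/user/editor.desktop"
    printf '[Desktop Entry]\nName=Package Manager\nExec=pkg-admin\n' > "$tmp/sys/pkg-admin.desktop"
    printf '[Desktop Entry]\nName=Package Manager\nExec=/tmp/constructed-bad-launcher\n' \
        > "$tmp/user/pkg-admin.desktop"
    find_shadowed_launchers "$tmp/user" "$tmp/sys"
    rm -rf "$tmp"
}

# Real use: find_shadowed_launchers "$HOME/.local/share/applications" /usr/share/applications
```

The demo reports only pkg-admin.desktop, because the editor entry has the same Exec in both places.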
Siddhesh Poyarekar wrote:
> On Mon, May 11, 2009 at 11:16 PM, Siddhesh Poyarekar siddhesh.poyarekar@gmail.com wrote:
> > I can't seem to find the blog post off-hand, I think someone at work had pointed us to it. Will post the link when I find it.
> http://www.geekzone.co.nz/foobar/6229
> http://www.geekzone.co.nz/foobar/6236
> Yes, most people got stuck with the virus != worm != trojan and all that. Let's call it a design exploit of sorts.
Interesting article, and it mentions the sudo vulnerability that I mentioned in the earlier mail. For a long time I have been using sudo with password entry set for every time. Anyway guys, what extra steps can be taken to prevent javascript from executing bad code? Has anyone used any add-on/plugin for Firefox in this regard?
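Rony's "password entry set for every time" is the sudoers option timestamp_timeout=0, which is what closes the cached-credential window discussed earlier in the thread. As an added example (not from anyone here), a POSIX shell check that reads sudoers text and reports the effective value; the sudoers fragments are constructed and the parser assumes only plain Defaults lines set the option.

```shell
#!/bin/sh
# Added example, not code from the thread: report the effective timestamp_timeout
# from sudoers text, to confirm sudo will ask for the password every time.
# Assumptions: only plain "Defaults" lines (comma-separated options) are
# considered, the last occurrence wins, and an absent setting means sudo's
# compiled-in default (a cached credential that survives the first prompt).

# sudo_timestamp_timeout < sudoers-text  -> prints the value, or "default"
sudo_timestamp_timeout() {
    v=$(sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}//p' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*timestamp_timeout[[:space:]]*=[[:space:]]*\([-0-9.]*\).*/\1/p' \
        | tail -n 1)
    echo "${v:-default}"
}

# prompts_every_time < sudoers-text  -> exit status 0 only when the timeout is 0
prompts_every_time() {
    [ "$(sudo_timestamp_timeout)" = "0" ]
}

# Constructed sudoers fragments, not taken from any real system.
SUDOERS_WEAK='Defaults env_reset
root ALL=(ALL) ALL
%sudo ALL=(ALL) ALL'

SUDOERS_HARDENED='Defaults env_reset, timestamp_timeout=0
root ALL=(ALL) ALL
%sudo ALL=(ALL) ALL'

# Live use (needs root to read the file; drop-ins under /etc/sudoers.d count too):
#   sudo cat /etc/sudoers | sudo_timestamp_timeout
```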
On Tue, May 12, 2009 at 1:09 PM, Rony gnulinuxist@gmail.com wrote:
> Siddhesh Poyarekar wrote:
> > On Mon, May 11, 2009 at 11:16 PM, Siddhesh Poyarekar siddhesh.poyarekar@gmail.com wrote:
> > > I can't seem to find the blog post off-hand, I think someone at work had pointed us to it. Will post the link when I find it.
> > http://www.geekzone.co.nz/foobar/6229
> > http://www.geekzone.co.nz/foobar/6236
> > Yes, most people got stuck with the virus != worm != trojan and all that. Let's call it a design exploit of sorts.
> Interesting article, and it mentions the sudo vulnerability that I mentioned in the earlier mail. For a long time I have been using sudo with password entry set for every time. Anyway guys, what extra steps can be taken to prevent javascript from executing bad code? Has anyone used any add-on/plugin for Firefox in this regard?
NoScript?
Regards, Mohan S N
Mohan Nayaka wrote:
> On Tue, May 12, 2009 at 1:09 PM, Rony gnulinuxist@gmail.com wrote:
> > Interesting article, and it mentions the sudo vulnerability that I mentioned in the earlier mail. For a long time I have been using sudo with password entry set for every time. Anyway guys, what extra steps can be taken to prevent javascript from executing bad code? Has anyone used any add-on/plugin for Firefox in this regard?
> NoScript?
I don't want to stop scripts, only bad ones. Anyway, I will look up NoScript. Thanks.
On Wed, May 13, 2009 at 9:05 PM, Rony gnulinuxist@gmail.com wrote:
> I don't want to stop scripts, only bad ones. Anyway, I will look up NoScript. Thanks.
The idea would be to disable all scripting and then only allow it on a case-by-case basis. But that can become quite frustrating due to the fact that a large number of sites nowadays like to shove an AJAX interface in your face.
Anurag wrote:
> 2009/5/11 Rony gnulinuxist@gmail.com:
> > It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
> From what I understand of Mozilla's javascript engine, it runs inside a sandbox and has no permission to do anything with the operating system. Javascript code wouldn't be able to automagically download files and set chmod bits.
Is this only with SELinux or any Linux system?
On Monday 11 May 2009, Anurag wrote:
> 2009/5/11 Rony gnulinuxist@gmail.com:
> > It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
> From what I understand of Mozilla's javascript engine, it runs inside a sandbox and has no permission to do anything with the operating system. Javascript code wouldn't be able to automagically download files and set chmod bits.
Assuming that the sandbox implementation is secure. AFAIR there were holes in the JRE, especially the M$ JRE.
Anything auto is a security hole. EOM.
Rony wrote:
> It was just that, but my query is: how secure is browsing in Linux if javascript is enabled, given the fact that this sticky window would refuse to go away? Does enabling scripting in Firefox bypass the Unix file self-execute permission barrier?
Uhm... well, it is very much possible to take over control of the entire system without actually knowing the root password. What is required is only an exploitable vulnerability =)
- Dinesh