Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

2nd January 2010, 10:08 PM
Registered User
Join Date: Aug 2004
Posts: 3,857

bestlifeusa malware script - what precautions to take?
A forum that I visit with Firefox has a message that says the following:
Quote:
I've detected a bestlifeusa.ru script that tries to run off this server, I've reported this, but I'm pretty sure most of you get this one too, I was just protected so I'm fine - you may not be so lucky, so I'm asking you guys to get your system checked immediately.
If you use firefox - install the No Script extension after you have cleaned your system for all worms, viruses and spyware. And make sure that the bestlifeusa.ru script can't execute on your system
from this site.
If you don't have any "anti script" "no script" "script stopping" system installed with your browser, you will likely not notice this script, I suspect it's a spy-script that spies on you - and you most certainly have it!
I think the measures recommended might be Windows oriented. What can be done under Linux?
__________________
"Never let the task you are trying to accomplish distract you from the study of computers."

2nd January 2010, 11:12 PM
Registered User
Join Date: May 2004
Location: NJ
Posts: 913

NoScript works on Linux as well. That and AdBlock Plus are pretty much mandatory these days.

3rd January 2010, 12:04 AM
Registered User
Join Date: Aug 2004
Posts: 3,857

What is an effective way to detect and remove such scripts? I installed the noscript extension and as I view this page, I see the message:
Scripts Currently Forbidden | <SCRIPT>:41 | <OBJECT>:0
but I have no idea what that means.
__________________
"Never let the task you are trying to accomplish distract you from the study of computers."

3rd January 2010, 01:13 AM
Registered User
Join Date: May 2004
Location: NJ
Posts: 913

NoScript does have a forum and online documentation.
The message you are seeing with hover is the number of scripts forbidden. NoScript is detecting and removing the scripts on the fly.

3rd January 2010, 02:46 AM
Registered User
Join Date: Aug 2004
Posts: 3,857

My concern is about what happened prior to installing Noscript. Can malware scripts leave malware on the machine or is their power only in effect when they are running from the web page that contains them? My understanding of Java is that it does have some built-in restrictions about what a program can do. Does Javascript also limit what programs can do? Can a Javascript from a website put a file in my /bin or /usr directory tree? That type of thing is what I want to detect and eliminate.
__________________
"Never let the task you are trying to accomplish distract you from the study of computers."

3rd January 2010, 02:57 AM
Registered User
Join Date: May 2004
Location: NJ
Posts: 913

On Linux, the file system permissions and mandatory access controls (SELinux) prevent writes to those directories. There are really only about 5-6 dozen Linux exploits in the wild (as opposed to a quarter million or so for Windows, for example), and as long as you stay reasonably up to date and don't respond to a browser pop-up with your root password, they are generally ineffective.
If you'd like to check for those, you can run a tool like chkrootkit, which you can install with the Add/Remove Software tool.
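As an added example (not from the thread), this POSIX shell script lets a non-root user verify the point made above: it checks that the system directories the question asked about are not writable by the current user, and counts files changed recently under a directory so unexpected modifications stand out. The directory list and the seven-day window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run as the ordinary (non-root) user
# whose browser you are worried about. Directories and window are assumed.

# Return 0 if none of the given directories is writable by the current user;
# print any that are (those are the ones a browser-run script could touch).
check_not_writable() {
    bad=0
    for d in "$@"; do
        if [ -w "$d" ]; then
            echo "WRITABLE by $(id -un): $d"
            bad=1
        fi
    done
    return $bad
}

# Count regular files under DIR modified within the last DAYS days.
# Usage: recent_files DIR DAYS
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use: sh thisfile --run
if [ "${1:-}" = "--run" ]; then
    check_not_writable /bin /sbin /usr/bin /usr/lib
    echo "files changed under /usr in the last 7 days: $(recent_files /usr 7)"
fi
```

Running as root defeats the writability check, since root ignores mode bits; the recent-file count is only a lead, and on Fedora `rpm -Va` compares installed files against package metadata for a stronger check.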

3rd January 2010, 03:42 AM
Guest
Posts: n/a

Quote:
Originally Posted by tashirosgt
My concern is about what happened prior to installing Noscript. Can malware scripts leave malware on the machine or is their power only in effect when they are running from the web page that contains them? My understanding of Java is that it does have some built-in restrictions about what a program can do. Does Javascript also limit what programs can do? Can a Javascript from a website put a file in my /bin or /usr directory tree? That type of thing is what I want to detect and eliminate.
The "new" place for web sites to hide thing is in the /home/username/.macromedia and of course /tmp and /var/tmp and there are probably others. I try to "wipe" those folders every few weeks if I can remember.

3rd January 2010, 04:15 AM
Registered User
Join Date: Aug 2004
Posts: 3,857

Do you erase all the directories in
/home/username/.macromedia/Flash_Player/#SharedObjects/
?
__________________
"Never let the task you are trying to accomplish distract you from the study of computers."

3rd January 2010, 04:19 AM
Guest
Posts: n/a

Quote:
Originally Posted by tashirosgt
Do you erase all the directories in
/home/username/.macromedia/Flash_Player/#SharedObjects/
?
I go down one more level so everything in /home/kyryder/.macromedia/Flash_Player/#SharedObjects/QMLSKZ86/* would get wiped and everything in /home/kyryder/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/* I would also wipe.
Ky
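The per-site wipe described in this post, written out as an added shell script that is not from the thread. It assumes the standard ~/.macromedia/Flash_Player layout, treats the random-id directory (QMLSKZ86 in the post) as a container to keep, and removes only the per-site directories beneath it and under macromedia.com/support/flashplayer/sys/. It prints by default and deletes only when told to.

```shell
#!/bin/sh
# Added example, not from the thread: list or delete Flash Player "Local
# Shared Objects" (Flash cookies) one level below #SharedObjects/<random-id>/
# and under macromedia.com/support/flashplayer/sys/. The '#' in the path must
# be quoted, or the shell reads the rest of the word as a comment.

FLASH_DIR="${FLASH_DIR:-$HOME/.macromedia/Flash_Player}"

# Print the per-site directories under BASE that would be removed, one per line.
lso_targets() {
    base="$1"
    # Per-site data: #SharedObjects/<random-id>/<site>/
    if [ -d "$base/#SharedObjects" ]; then
        find "$base/#SharedObjects" -mindepth 2 -maxdepth 2 -type d
    fi
    # Per-site settings (camera/mic permissions etc.): sys/<site>/
    if [ -d "$base/macromedia.com/support/flashplayer/sys" ]; then
        find "$base/macromedia.com/support/flashplayer/sys" \
            -mindepth 1 -maxdepth 1 -type d
    fi
}

# Number of target directories under BASE.
lso_count() {
    lso_targets "$1" | wc -l | tr -d ' '
}

# Remove the targets under BASE; pass "yes" as the 2nd argument to delete,
# anything else only prints what would go.
lso_wipe() {
    lso_targets "$1" | while IFS= read -r d; do
        if [ "$2" = "yes" ]; then
            rm -rf -- "$d"
        else
            echo "would remove: $d"
        fi
    done
}

# Stand-alone use: sh thisfile --run [yes]
if [ "${1:-}" = "--run" ]; then
    lso_wipe "$FLASH_DIR" "${2:-no}"
fi
```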

3rd January 2010, 06:38 AM
Registered User
Join Date: May 2009
Location: eastern Washington (state) USA
Posts: 489

Quote:
Originally Posted by macemoneta
On Linux, the file system permissions and mandatory access controls (SELinux) prevent writes to those directories. There are really only about 5-6 dozen Linux exploits in the wild (as opposed to a quarter million or so for Windows, for example), and as long as you stay reasonably up to date and don't respond to a browser pop-up with your root password, they are generally ineffective.
If you'd like to check for those, you can run a tool like chkrootkit, which you can install with the Add/Remove Software tool.
Do you happen to know how chkrootkit compares to rkhunter? I have rkhunter installed and in addition to looking for rootkits it also checks for some malware, etc. I'll check out chkrootkit too, just to see what it's like. rkhunter is also a 'yum install' away!

3rd January 2010, 06:47 AM
Registered User
Join Date: May 2004
Location: NJ
Posts: 913

Both rkhunter and chkrootkit are in the repos. I haven't used rkhunter in a while (it was pretty unstable when it was first added to Fedora). If you like it better, then go for it. I haven't seen real Linux malware or rootkits in the wild in the 15+ years I've been using/administering Linux, so I don't think it matters much which you use.

3rd January 2010, 07:01 AM
Banned (for/from) behaving just like everybody else!
Join Date: Jul 2007
Location: Beijing, China
Posts: 1,307

Quote:
Originally Posted by tashirosgt
Do you erase all the directories in
/home/username/.macromedia/Flash_Player/#SharedObjects/
?
You may take a look at my post about clearing Flash persistent objects:
http://forums.fedoraforum.org/showthread.php?t=232855
Usually you don't have to worry about /tmp because the tmpwatch cronjob will kick in periodically and remove most stuff from there.
__________________
I believe in nerditarianism. I read FedoraForum for the Fedora-related posts.

4th January 2010, 05:48 AM
Registered User
Join Date: Aug 2004
Posts: 3,857

aleph,
I understand your idea and I like it.
On the other hand, after trying to use Noscript for a day, I think it's a nuisance. I spent about an hour trying to order some things from NewEgg and I think I've failed, but I'm not sure. I suppose I'll have to wait a day or so just to see if I get the email notice of the order. In trying the "checkout", you run into several different sites that noscript blocks. When you unblock them, you get a message about re-doing the page. After I finished the last step (a verification from my credit card company site) it wasn't clear how to continue the process. Firefox blocked a pop-up window at that point and I couldn't get it unblocked. It was a typical computer comedy.
The site that had the bad script (described in the original post) was one where I would set noscript to allow scripts anyway! If I only used one computer, I might eventually get noscript configured well, but I use several.
What the world needs is a product that would attempt to examine scripts and detect malicious ones - like a virus checker. Of course, I'm not claiming this is technologically possible - just wishful thinking.
__________________
"Never let the task you are trying to accomplish distract you from the study of computers."
Last edited by tashirosgt; 4th January 2010 at 05:54 AM.