
Linux distros infected?


56 replies to this topic

#1 Hedgehog83

Hedgehog83

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 10 February 2016 - 03:20 PM

Hi,

I was using Ubuntu 14.04 and also 14.04.03. I ran Malwarebytes on it and was surprised to see several Trojans and backdoors on the PC. First, I thought that it was something that happened because of me. But getting suspicious, I checked my Zorin 9 installation, and to my surprise, it had several Trojans and backdoors as well. I used Malwarebytes to find these as well. The last system was hardly used. This makes me think that the image was infected when I got it. Could it be that the distros are distributed with malware, or are those just false positives?





#2 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:05:51 PM

Posted 10 February 2016 - 03:32 PM

As far as I know Malwarebytes doesn't even have a Linux version.... so how did you install this? I assume with wine? More than likely then these are false positives because it isn't built for Linux.

 

*EDIT

 

Malwarebytes software requirements:

Software Requirements:
Windows 10 (32/64-bit)
Windows 8.1 (32/64-bit)
Windows 8 (32/64-bit)
Windows 7 (32/64-bit)
Windows Vista (Service Pack 1 or later, 32/64-bit)
Windows XP (Service Pack 2 or later, 32-bit only)
Internet Explorer 6 or newer

Edited by DeimosChaos, 10 February 2016 - 03:33 PM.

OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,254 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:07:51 AM

Posted 10 February 2016 - 03:48 PM

 

As far as I know Malwarebytes doesn't even have a Linux version.... so how did you install this? I assume with wine? More than likely then these are false positives because it isn't built for Linux.

I agree

 

EDIT

 

I just saw your other post here

http://www.bleepingcomputer.com/forums/t/605079/linux-distros-infected/#entry3931813

 

 

Using Malwarebytes in Wine to scan Linux is a pointless exercise and will result in false positives if it even works. Malwarebytes is made for the Windows operating system and looks for Windows-based malware.


Edited by NickAu, 10 February 2016 - 04:25 PM.

Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


#4 Daydreamed

Daydreamed

  • Members
  • 349 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Dimension C-137
  • Local time:02:51 PM

Posted 10 February 2016 - 04:00 PM

 

As far as I know Malwarebytes doesn't even have a Linux version.... so how did you install this? I assume with wine? More than likely then these are false positives because it isn't built for Linux.

 

*EDIT

 

Malwarebytes software requirements:

Software Requirements:
Windows 10 (32/64-bit)
Windows 8.1 (32/64-bit)
Windows 8 (32/64-bit)
Windows 7 (32/64-bit)
Windows Vista (Service Pack 1 or later, 32/64-bit)
Windows XP (Service Pack 2 or later, 32-bit only)
Internet Explorer 6 or newer

 

Malwarebytes has an OS X version as well. I've never heard of Malwarebytes on Linux.


- Daydreamed


#5 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:05:51 PM

Posted 10 February 2016 - 04:04 PM

Malwarebytes has an OS X version as well. I've never heard of Malwarebytes on Linux.

 

 

I did see the OS X version in passing...




#6 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:51 PM

Posted 10 February 2016 - 04:50 PM

MBAM creates a scan log that you can copy and post. It would be interesting to see what exactly it identified as malware and the location of the files.

Open MBAM and click on the history tab. Post the scan log....not the update log. That is assuming that what you are using is the same MBAM UI as seen in Windows.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#7 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 10 February 2016 - 06:22 PM

Yes. I am running it in Wine. If Malwarebytes is not good for Linux, what other similar GUI AV software can I use? I know Linux is more secure than Windows, but I would still like to take extra precautions.



#8 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 10 February 2016 - 06:44 PM

Also, when trying to run a scan or just starting Malwarebytes in both Zorin and Ubuntu, Malwarebytes presents a message saying: "Malwarebytes was unable to load the Anti-Rootkit DDA Driver, this error may be caused by rootkit activity."



#9 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 10 February 2016 - 06:49 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/18/2016
Scan Time: 7:39:52 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.19.01
Rootkit Database: v2016.01.09.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: yb

Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 104426
Time Elapsed: 2 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 5
Broken.OpenCommand, HKCR\batfile\shell\open\command, Good: ("Bad: ()" %*), Delete-on-Reboot,[ffffffffffffffffffffffffffffffff], %5
Broken.OpenCommand, HKCR\comfile\shell\open\command, Good: ("Bad: ()" %*), Delete-on-Reboot,[ffffffffffffffffffffffffffffffff], %5
Broken.OpenCommand, HKCR\piffile\shell\open\command, Good: ("Bad: ()" %*), Delete-on-Reboot,[ffffffffffffffffffffffffffffffff], %5
Broken.OpenCommand, HKCR\scrfile\shell\open\command, Good: ("Bad: ()" /S), Delete-on-Reboot,[ffffffffffffffffffffffffffffffff], %5
Broken.OpenCommand, HKCR\regfile\shell\open\command, Good: (regedit.exe "Bad: ()"), Delete-on-Reboot,[ffffffffffffffffffffffffffffffff], %5

Folders: 0
(No malicious items detected)

Files: 4
Trojan.Agent, C:\windows\system32\dmusic32.dll, Quarantined, [106d45f6e0b9e452fa0ef825b44f7f81],
Backdoor.Bot, C:\windows\system32\iexplore.exe, Quarantined, [2f4e013a19807bbb45c067b8a95a0ef2],
Trojan.Agent, C:\windows\rundll.exe, Quarantined, [2a5399a20297152185c20825996ace32],
Trojan.Tracur, C:\windows\system32\winnls32.dll, Quarantined, [403d98a3d9c0a4924960b495d72c867a],

Physical Sectors: 0
(No malicious items detected)


(end)



#10 Arthfael

Arthfael

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:51 PM

Posted 10 February 2016 - 06:58 PM

Since the other topic was closed, I came to basically say the same thing that was said there. Running any kind of Windows security program in a Linux environment could cause problems. I'm not good at reading logs like you posted above, but it looks to me like you possibly have a dual-boot setup? MBAM may be seeing your Windows partition as infected. If that's the case, run MBAM free on the Windows install only and see if it can remove them. It isn't likely that the infection will affect your Linux install, but these days there are no guarantees. Linux is as secure as the distro developers make it, and depends on them pushing any and all security updates to the repos and you installing things only from the software repos.


Edited by Arthfael, 10 February 2016 - 06:59 PM.


#11 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:51 PM

Posted 10 February 2016 - 07:06 PM

Hedgehog83....those are Windows files. You have some serious malware on your Windows drive. Scan Date 1/18/2016

 

Boot into your Windows XP and do this:

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.



#12 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE
  •  

Posted 10 February 2016 - 07:56 PM

Files: 4
Trojan.Agent, C:\windows\system32\dmusic32.dll, Quarantined, [106d45f6e0b9e452fa0ef825b44f7f81],
Backdoor.Bot, C:\windows\system32\iexplore.exe, Quarantined, [2f4e013a19807bbb45c067b8a95a0ef2],
Trojan.Agent, C:\windows\rundll.exe, Quarantined, [2a5399a20297152185c20825996ace32],
Trojan.Tracur, C:\windows\system32\winnls32.dll, Quarantined, [403d98a3d9c0a4924960b495d72c867a],

These files are in your Wine prefix; they do not come with Ubuntu, but they do come with Wine. Wine can be infected by malware, so it's possible the legitimate versions have been swapped out with malicious ones, but most likely they are just false positives. I would suggest further examination.

What programs do you have installed in Wine?

 

Not sure? Type in your terminal:

ls -l "/home/$(whoami)/.wine/dosdevices/c:/Program Files/"
ls -l "/home/$(whoami)/.wine/dosdevices/c:/Program Files (x86)/"

Post the result.

What arch is your Wine prefix?

 

Not sure? Type in your terminal:

wc -l /home/$(whomai)/.wine/dosdevices/c:/windows/syswow64

Post the result.

 

:)



#13 SuperSapien64

SuperSapien64

  • Members
  • 922 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 10 February 2016 - 08:33 PM

Yes. I am running it in Wine. If Malwarebytes is not good for Linux, what other similar GUI AV software can I use? I know Linux is more secure than Windows, but I would still like to take extra precautions.

There's Eset Nod32 Antivirus for Linux, but that isn't free; it's an on-access (realtime shields) scanner. There's also Bitdefender for Unices (free for personal use), an on-demand scanner. Both of these have a GUI and scored quite well: https://www.av-test.org/en/news/news-single-view/linux-16-security-packages-against-windows-and-linux-malware-put-to-the-test/

If you're trying to avoid malware on Linux, I would recommend Firejail (it's a sandbox application) along with a good script blocker such as NoScript (Firefox) and uMatrix (Chrome).



#14 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:04:51 PM

Posted 10 February 2016 - 08:58 PM

I realize it says that my OS is Windows XP. However, I only have Zorin installed on that computer. I have 2 drives. 1 is empty. The other one is Zorin. Not sure why the log says that.

 

Hollowface, for the top 2 commands, I get "No such file or directory"

 

For the last command, it says that I have a syntax error, even though I double checked the spelling multiple times.



#15 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE
  •  

Posted 10 February 2016 - 09:24 PM

I realize it says that my OS is Windows XP. However, I only have Zorin installed on that computer. I have 2 drives. 1 is empty. The other one is Zorin. Not sure why the log says that.

MalwareBytes detects it as Windows XP, because by default Wine reports itself as Windows XP, though it can be configured to report as other Windows releases.

for the top 2 commands, I get "No such file or directory"

They assumed you were using the default Wine prefix path. If you were, at least the first one would have given an output. Where is your custom Wine prefix stored?

 

If you aren't sure type:

ls -a -l -R ~/ | grep -a "dosdevices"

This will search your user's home folder, but if you've stored your prefix elsewhere it won't be found.

Post the result.

For the last command, it says that I have a syntax error, even though I double checked the spelling multiple times.

That's my fault. I typed "whomai" instead of "whoami". Don't worry about running that command yet, since it assumes the use of a default Wine prefix location.
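As an added example (not from this thread, and not Wine's own tooling), the script below automates the two steps hollowface describes in the last two posts: it finds every Wine prefix under a directory by looking for a dosdevices folder, then checks the four paths from the MBAM log in each prefix and tells Wine's own placeholder stubs apart from real PE binaries that would deserve a closer look. It assumes a POSIX sh with find, grep and head, that Wine's stub DLLs/EXEs contain the string "Wine placeholder DLL", and that the prefix keeps its C: drive in drive_c (dosdevices/c: is normally a symlink to it).

```shell
#!/bin/sh
# Added example, not from the thread or from Wine: find Wine prefixes and
# triage the four files MBAM flagged. Assumes POSIX sh plus find, grep and
# head -c, and that Wine's stub DLLs/EXEs contain "Wine placeholder DLL".

# Print the root of every Wine prefix below $1 (the parent of a "dosdevices"
# directory). Generalises "ls -a -l -R ~/ | grep dosdevices" from the thread.
find_wine_prefixes() {
    find "$1" -type d -name dosdevices 2>/dev/null | while read -r d; do
        dirname "$d"
    done
}

# Classify one file inside a prefix. Output is one word:
#   missing     - no such file
#   placeholder - Wine's own stub, expected in every prefix
#   pe-binary   - a real Windows executable, not a Wine stub: examine it
#   other       - not a PE file at all
classify_wine_file() {
    f="$1"
    [ -f "$f" ] || { echo missing; return 0; }
    if grep -aq "Wine placeholder DLL" "$f"; then
        echo placeholder
    elif [ "$(head -c 2 "$f")" = "MZ" ]; then
        echo pe-binary
    else
        echo other
    fi
}

# For each prefix under $1, report the four paths from the MBAM log.
# dosdevices/c: is normally a symlink to drive_c, so drive_c is used directly.
triage_prefixes() {
    find_wine_prefixes "$1" | while read -r p; do
        for rel in windows/system32/dmusic32.dll \
                   windows/system32/iexplore.exe \
                   windows/rundll.exe \
                   windows/system32/winnls32.dll; do
            printf '%s %s %s\n' "$p" "$rel" \
                "$(classify_wine_file "$p/drive_c/$rel")"
        done
    done
}

# Usage: triage_prefixes "$HOME"
```

A pe-binary result is not proof of infection: compare the file against the copy your Wine package installs before acting on it.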



