Distro: Lubuntu

Browser: Mozilla SeaMonkey

I downloaded a file from zippyshare.com the other day. I got one of those "Hello Microsoft (sic) user! You have won an iPad!" messages, and it correctly identified my ISP. It locked me out of the browser to the extent I couldn't close the tab, turn off javascript, or even close the browser. I had to kill the browser via Task Manager. Before doing so, I noted the URL of the page with the message and added the host to my hosts file.

Today, I went to zippyshare again and got a different message with a different URL. I think it was an alarmist "You have been infected" message or something similar. Again, it completely locked me out from doing anything. I killed the browser and added that host to my hosts file.

I re-opened the browser, selected to restore the session except for any tabs related to zippyshare. Then, without any action by me, I found among my browser tabs a page open to my router logon page. That was not anything I had clicked.

I'm now wondering if there is malware on my system -- or some sort of browser hijacking scheme in place -- and how to get rid of it.

Steps I've taken so far:

  • I changed my DNS server to 8.8.8.8. I thought it was that already, but it apparently wasn't.

  • I checked for unusual browser extensions. I don't remember if Chatzilla was preinstalled in SeaMonkey but I removed it, since I would never use a program like that. Everything else looked fine.

  • I turned off modem/router and disconnected all cables. By the time I get home from work, I will have a new IP address. I plan to log into my router page (with the router still off) and see if any settings have been changed.

Are there any anti-malware programs for Linux like Malwarebytes for Windows?

Is there anything else I should do?

Thanks!

Gary7QW

This is a very difficult and broad question to answer, but I'll try.

ZippyShare

Based on what I've seen of ZippyShare, they use an Ad Revenue model to generate income. I've also noted that the site is heavily laden with popups and dialogs.

Locked out of your browser

Being locked out of your browser is probably the result of a hidden, or covered dialog box. If a dialog box pops up, and you cannot see it, you will find that the browser seems locked until you close that dialog box.

This is a technique used to force you to click on the dialog box, but can get mixed up with other windows/tabs/popups and actually make it near impossible to click/close.

Killing it off with the task manager is the only real option.

You have been infected

Again, just a more alarmist way of trying to take your money. With statements like "We've detected XXX amounts of malware on your system, click here to repair" etc.

Router Login Page

It's unlikely this was caused by any Malware, it's easy to guess the address for the majority of home user routers/modems. For example, they'll usually be in the 192.168.X.X range, or the 10.1.X.X range. If a malicious script tried to open it, it wouldn't be out of the question for it to guess.

Malware

Malware on Linux is unlikely, but increasingly possible. If you're truly concerned, then I'd recommend ClamAV, and Bleachbit, both are available in the Ubuntu App Store or via apt-get/apt/aptitude.

Browser Safety

Outside of that, I'd suggest resetting your browser defaults, removing any unknown addons/plugins, and resetting your homepage. Additionally, adding an Adblocker like uBlock Origin to help when on places like ZippyShare, and a privacy plugin like Privacy Badger or Ghostery.

Comment contributed options:

(thanks @Zacharee1 and @Marton)

Hosts File Blocking

This is a good way to stop the ads before they begin, but can be a little tricky. You can get a copy of a hosts file that can be used to block ads from hpHosts which is under the MalwareBytes umbrella.

Basically, you extract the file; copy the contents and add it to your /etc/hosts.

Safety Report

Here is a copy of Google's Safe Browsing report for zippyshare.com:

  • Some pages on this website send visitors to dangerous websites.
  • Some pages on this website install malware on visitors' computers.
  • Some downloads on this site are new or not commonly downloaded by users, and may be dangerous. Safe Browsing is warning users on these downloads. In these cases, the warnings are lifted automatically if the content is verified to be safe.
  • Dangerous websites have been sending visitors to this website, including: safelinkconverter.com, href.li, and gdaily.org.
AnotherKiwiGuy
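As an added example (not from the answer or any of the commenters), a POSIX shell script that does the hosts-file merge the answer describes with a little more care than pasting the downloaded list straight into /etc/hosts: it keeps only well-formed blackhole entries and writes them into a marked section, so the system's own entries survive and re-running it does not duplicate anything. The marker strings, function names and the hostnames in the comments are my own assumptions, not values from any real list.

```shell
#!/bin/sh
# Added example (not from the answer): merge a downloaded hosts blocklist
# into /etc/hosts in a marked, re-runnable section instead of pasting it raw.
# Marker strings and function names are assumptions chosen for this example.
# Run merge_hosts as root against /etc/hosts; it writes hosts.tmp beside it.

BEGIN_MARK="# BEGIN adblock (managed)"
END_MARK="# END adblock (managed)"

# sanitize_blocklist: stdin -> stdout. Keeps only well-formed blackhole lines
# (0.0.0.0 or 127.0.0.1 followed by one hostname), strips CRLF and comments,
# lowercases, drops localhost entries and duplicates, and normalises the
# target to 0.0.0.0 so nothing in the list can redirect a name elsewhere.
sanitize_blocklist() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/#.*//' \
    | awk 'NF == 2 &&
           ($1 == "0.0.0.0" || $1 == "127.0.0.1") &&
           $2 ~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ &&
           $2 != "localhost" && $2 != "localhost.localdomain" {
               print "0.0.0.0 " $2
           }' \
    | sort -u
}

# merge_hosts HOSTS_FILE BLOCKLIST_FILE: drop any previous managed section,
# keep everything else untouched, then append a fresh managed section.
merge_hosts() {
    hosts="$1"
    blocklist="$2"
    {
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
            '$0 == b { skip = 1; next } $0 == e { skip = 0; next } !skip' "$hosts"
        echo "$BEGIN_MARK"
        sanitize_blocklist < "$blocklist"
        echo "$END_MARK"
    } > "$hosts.tmp" && mv "$hosts.tmp" "$hosts"
}

# count_blocked HOSTS_FILE: number of entries inside the managed section.
count_blocked() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0 == e { inside = 0 } inside { n++ } $0 == b { inside = 1 } END { print n + 0 }' "$1"
}
```

Removing the block later is just deleting the lines between the two markers, which is the reason for writing them rather than appending the raw list.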
  • You can also use extensions like AdBlockPlus, Privacy Badger and Windscribe (VPN and adblocker) in tandem to block quite a few malicious and/or annoying domains. – TheWanderer Nov 17 '16 at 21:58
  • Good point. None of the applications I mentioned are exclusive, they can and probably should be used in tandem. There are a lot of good apps and plugins out there, least of all those listed by the EFF. There's some great info over at https://ssd.eff.org/ – AnotherKiwiGuy Nov 17 '16 at 22:03
  • I would also recommend using NoScript. – Marton Nov 17 '16 at 22:03
  • Updated with your suggestions :) – AnotherKiwiGuy Nov 17 '16 at 22:07
  • Don't recommend BleachBit, because it removes things that are actually important – cat Nov 17 '16 at 23:53
  • @cat can you provide a little more of an explanation? What important things does it remove? – AnotherKiwiGuy Nov 17 '16 at 23:56
  • ThatGuy, thanks for your comprehensive reply. I will act on the recommendations.

    BTW, I second the @cat caution on BleachBit. I've removed vital things using that program. I thought I was just removing a shortcut; instead it removed the original files.

    As for zippyshare itself, I've used it and similar file hosting sites for about five years and zippyshare HAD been the best. The malicious stuff is new and is worse than anything I've seen to date.

    – Gary7QW Nov 18 '16 at 01:56
  • Very good. I'll look into Bleachbit further, and review its effectiveness for future reference :) – AnotherKiwiGuy Nov 18 '16 at 01:58
  • @ThatGuy The only reference I can be bothered to find right now is this answer of mine and the comments: Can I restore my files I deleted using BleachBit? – cat Nov 18 '16 at 02:00
  • Thanks @cat I'll try and run a more thorough test of Bleachbit in the future. This may be something that is of value to other users. – AnotherKiwiGuy Nov 18 '16 at 02:03