
Re: [suse-security] Intrusion spyware malware key stroke detection



First:  thank you, Crispin Cowan, for your prompt and comprehensive reply.
Makes me feel even more certain that my dedication to SuSE extending back
many years has been a good thing.  I certainly have received much more value
than I would have from MS.

> * Coincidence: Are you sure that the spams are resulting from your
>   google queries? Or just that you are getting spam on topics that
>   you are interested in?
Second:  good thought.  Most likely someone there is passing on my address.
I don't believe those privacy statements anyway.

>* Verify your RPMs: do an "rpm -V" on all of your packages. This is
>      a lot of work, as you likely have thousands of packages. Read the
>      RPM man page to interpret the verbose output.
> All of which is a lot of work. You may find it easier to do a clean
> re-install of your OS. Upgrade to SUSE 10 while you are at it :):) 
Third:  The rpm -V process might be OK for a few packages, but for all of them?
Thanks, but no thanks.  Will start looking for version 10.+.

> So all of your remediation steps are a lot of work. Therefore, it would
> be worth while to test the "malicious web site" theory first.
>   1. Make up 2 obscure search terms that you *never* would use.
>   2. Enter one of them into google.
>   3. Go visit the resulting web sites.
>   4. See if you get spam.
>   5. Enter the other search term into google
>   6. Do *not* visit any of the resulting web sites.
>   7. See if you get spam.
Fourth:  Good idea.  If only for my own peace of mind.  Will do.


> I don't know what you mean by "Aliasing" 
Fifth:  As I understand it, this is using a remote machine with a different 
address.  My machine only connects to it.  It has the internet connection.  
Having thought more and written this, I see that it would be no solution
because I would still be connecting via internet.


> To be secure against this stuff, I would recommend a clean install of
> SUSE 10.0 or 10.1, and add AppArmor profiles to all of the client
> applications that you use (Firefox, Konqueror, Evolution, KMail,
> Thunderbird, Gaim, etc.). That should prevent re-installation of the
> suspected spyware.
Sixth:  I've seen the discussion about AppArmor on the security site.  I
gather it is not available for versions < 10.  Right?  or Wrong?

Seventh:  What is a *clean* install?  Necessary to overwrite and lose /home/~
and /usr?

.....................................................


On Wednesday 22 February 2006 08:55, you wrote:
> Martin wrote:
> > I use suse 9.3 pro on home network. Boxed retail DVD set.   Suse
> > firewall. Security updates are current.   KDE  Konqueror and / or
> > Firefox. Comcast cable internet service provider.   No alias.
> >
> >  Everyday I am seeing spam email which is a reflection of complex
> > sensitive key word phrases I had typed into google just  a few days
> > previously.
>
> That is *very* spooky. Of course I don't know what is happening, but
> here are some possibilities:
>
>     * Coincidence: Are you sure that the spams are resulting from your
>       google queries? Or just that you are getting spam on topics that
>       you are interested in?
>     * Malicious web sites: If you typed the queries into google, you
>       presumably then went to click on the links google produced. The
>       sites you visited can read your e-mail address from your web
>       browser (if you told your web browser your e-mail address) and
>       thus the destination sites may be producing the spam.
>     * You've been hacked: Such spyware is common on Windows, but I have
>       never heard of it on Linux.
>
> > What are the security implications of this?  How do I configure what I
> > have to stop this?  What additional measures might be appropriate?  Is
> > this spying for  commercial purposes or could it be US Government spying?
> >  The linux network worm?
>
> It is very unlikely to be government spying.
>
> Securely cleaning spyware is very difficult, because the places spyware
> can hide is near infinite. Here are a range of options for verifying and
> cleaning your system:
>
>     * Verify your RPMs: do an "rpm -V" on all of your packages. This is
>       a lot of work, as you likely have thousands of packages. Read the
>       RPM man page to interpret the verbose output.
>     * Verify your RPMs from clean media: Do the above, but do it with
>       respect to the .rpm files on your DVD, in case the spyware has
>       changed your RPM meta-data on your system.
>     * Verify your RPMs from rescue media: the spyware may have installed
>       a kernel rootkit that makes all verification invalid, so to be
>       really sure you have to boot from rescue media instead of the
>       installed kernel, and then do these RPM verification steps.
>
> All of which is a lot of work. You may find it easier to do a clean
> re-install of your OS. Upgrade to SUSE 10 while you are at it :)
>
> So all of your remediation steps are a lot of work. Therefore, it would
> be worth while to test the "malicious web site" theory first.
>
>    1. Make up 2 obscure search terms that you *never* would use.
>    2. Enter one of them into google.
>    3. Go visit the resulting web sites.
>    4. See if you get spam.
>    5. Enter the other search term into google
>    6. Do *not* visit any of the resulting web sites.
>    7. See if you get spam.
>
> If you get spam from both obscure search terms, then perhaps you have
> spyware, and you should re-install. If you get spam only from the first
> obscure search term, then it is likely the web sites doing it to you.
> But that is quite surprising, as it doesn't happen to me. If you get no
> spam for the obscure search terms, then I suspect coincidence, and
> someone is just spamming you on topics you commonly search for.
>
> > Aliasing?  Fire wall configuration?  Stop always connected cable internet
> > and go back to using on demand dialup.?
>
> Going to dialup is unlikely to help, as all suspected cases here have to
> do with client interaction, not hosted services.
>
> Firewall configuration will not help, as you will configure your
> firewall to allow out HTTP and DNS, and spyware can send its stuff out
> those ports.
>
> I don't know what you mean by "Aliasing".
>
> > My first reactions are to look into aliasing. Or go back to on demand
> > dialup.
> >
> > But if keystrokes are being detected then there is no security.  Very
> > alarming.
>
> To be secure against this stuff, I would recommend a clean install of
> SUSE 10.0 or 10.1, and add AppArmor profiles to all of the client
> applications that you use (Firefox, Konqueror, Evolution, KMail,
> Thunderbird, Gaim, etc.). That should prevent re-installation of the
> suspected spyware.
>
> Crispin

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
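Crispin's first remediation step, running "rpm -V" over every package and reading the man page to interpret the verbose output, is where most people give up (as Martin does). The following script is an added example, not code from this thread or from the rpm project: it parses the verification lines rpm prints and ranks them, so that a packaged binary whose size or digest changed, or that has gone missing, surfaces above the locally edited config files and harmless mtime changes that make up most of the output. The attribute column layout (S M 5 D L U G T, plus P on newer rpm) and the file-type letters (c, d, g, l, r) are taken from the rpm man page; the sample output lines are constructed, not from a real system.

```python
#!/usr/bin/env python3
"""Triage `rpm -Va` (verify all packages) output.

Added example for the suse-security thread, not part of it.  Run on a
real box with:  rpm -Va 2>/dev/null | python3 rpm_verify_triage.py
The same parser works on `rpm -Vp /path/to/pkg.rpm` output when verifying
against the .rpm files on install media instead of the local RPM database.
"""
import re
import sys
from dataclasses import dataclass

# One verify line: an 8- or 9-character attribute column (S M 5 D L U G T [P],
# '.' = passed, '?' = could not be checked) or the word "missing", an optional
# file-type letter (c=config, d=doc, g=ghost, l=license, r=readme), then the
# absolute path.  Anything else (e.g. "Unsatisfied dependencies ...") is skipped.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?"
    r"(?P<path>/.*)$"
)


@dataclass
class Finding:
    path: str
    flags: str
    ftype: str      # '' when rpm printed no type letter
    severity: str   # high / medium / info / low
    reason: str


def parse_line(line):
    """Return (flags, ftype, path) or None for lines that are not verify output."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("flags"), (m.group("ftype") or ""), m.group("path")


def classify(flags, ftype):
    """Map an attribute column and file type to (severity, reason)."""
    if flags == "missing":
        if ftype == "d":
            return "low", "packaged documentation file missing"
        return "high", "packaged file missing"
    content_changed = "5" in flags or "S" in flags or "L" in flags
    owner_changed = "M" in flags or "U" in flags or "G" in flags or "D" in flags
    if content_changed:
        if ftype == "c":
            # Admins edit config files; this is expected but still worth a diff.
            return "info", "config file edited locally (expected; review the diff)"
        # A non-config file from a package should never differ from the package.
        return "high", "content of packaged non-config file changed"
    if owner_changed:
        return "medium", "permissions, ownership or device changed"
    if "?" in flags:
        return "medium", "attribute could not be verified (permission denied?)"
    return "low", "only timestamp changed"


def triage(lines):
    """Parse and classify every verify line, most severe first."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        flags, ftype, path = parsed
        severity, reason = classify(flags, ftype)
        findings.append(Finding(path, flags, ftype, severity, reason))
    order = {"high": 0, "medium": 1, "info": 2, "low": 3}
    findings.sort(key=lambda f: (order[f.severity], f.path))
    return findings


# Constructed sample of rpm -Va output (not captured from a real system).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ls
.M.......    /usr/bin/passwd
.......T.    /usr/share/doc/packages/bash/README
missing     /usr/sbin/sshd
missing   d /usr/share/man/man1/ls.1.gz
Unsatisfied dependencies for foo-1.0: bar
"""

if __name__ == "__main__":
    src = SAMPLE.splitlines(True) if sys.stdin.isatty() else sys.stdin
    for f in triage(src):
        print(f"{f.severity:<6} {f.flags:<9} {f.ftype or '-'} {f.path}  # {f.reason}")
```

The ranking only makes the output readable; it does not make it trustworthy. As Crispin's third bullet says, a kernel rootkit can lie to rpm about file contents, so the lines that matter are the ones produced after booting from rescue media and verifying against the .rpm files on the DVD, not the ones from the running system.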