Welcome to the Linux Foundation Forum!

Recent malware Affecting Ubuntu and Firefox


Hi; I'm not very good with forums and so those who read my comments here will have to forgive my ineptitude with HTML, etc.

In the past two weeks my Ubuntu machine, running Ubuntu v18.04.2, has been hit with multiple examples of malware that is being lodged in Firefox and appears to be write-protected so that Bleachbit cannot delete it.

I will list below some of the objects removed this past week by ClamTK:

Win.Trojan.Xored-1 (8-7)
Js.Coinminer.Generic-7104549-0 (8-8)
Win.Exploit.CVE_2012_1461-1 (8-6)
Win.Exploit.CVE_2012_1461-1 (8-4)
Win.Exploit.CVE_2012_1461-1 (8-2)
uBlock@raymondhill.net.xpi -- Js.Coinminer.Generic-7-10459-0 8-8-19
Win.Exploit.CVE_2012_1461-1 -- 8-9-19
uBlock@raymondhill.net.xpi -- Js.Coinminer.Generic-7104549-0 -- 2 examples 8-9-19
Firefox/ok1tk16v.default/cache2/doomed/1964705863 -- Win.Exploit.CVE_2012_1461-1

Some of the malware objects being removed by Clam were received DIRECTLY from the Raymond Hill ad blocker upon installation. Following scans using ClamTK the Raymond Hill object was deleted, which also deletes the ad blocker. Vicious circle. I've been forced to stop using the latter because of this. My second choice in ad blockers remains AdBlock Plus, which is now running in my Firefox.

Linux is no longer impervious to attacks, which thing is made clear by the foregoing.

My advice is to use caution browsing and run frequent scans with an antivirus/anti-malware program.

So far the only antivirus I've ever used has been the Cisco Systems' ClamAV.

I hope this helps.


  • mike8144
    mike8144 Posts: 2
    edited August 2019

    Greetings everyone!
    There is some good news to report. After installing the rootkit remover, chkrootkit, and running scans in Terminal I was able to identify a number of malware 'sniffers' living in the usr/lib and other associated folders, and restore my machine!
    I'd suspected that something was cohabiting in my laptop with me that you wouldn't want to introduce to Mama, and I'm very pleased that my old install of Ubuntu is now back up to par (although I'm definitely knocking on wood).
    Ubuntu is generally worry free where it comes to unwanted gifts of the malware kind, but one can easily encounter such gremlins via downloads.
    The best policy is to avoid ALL downloads that can't be accessed through the devs and easily installed via Terminal by entering sudo apt-get install (software name), or by running Synaptic Package Manager, one of the most useful tools the Ubuntu user can install.
    ClamTK is apparently unable to detect sniffers so if you suspect your machine may have a hitch-hiker you are advised to run chkrootkit, which can be installed via terminal.
    All the removal work you do once the latter discovers something must be performed manually, and this can be accomplished by:
    1) Disconnecting from WAN (Pull the cat5 en cable or disconnect the phone wire on DSL systems; if using WiFi turn it OFF and in cable systems unscrew the WAN connector from the modem)
    2) R-click in desktop field and select Terminal from the drop-down menu
    3) 'Come big' by acting as ROOT: type sudo -i, enter (or you'll be denied access)
    4) Type nautilus, enter
    5) When you do the above a 640x480-ish copy of your Files program (the actual name of Files is Nautilus, as you see in the glyph of a file cabinet on Desktop) will appear. Use this to navigate sequentially to every 'suspect' file Chkrootkit lists in its summary and delete the final item in each line from the summary, leaving predecessor files in the tree intact
    6) You should have a backup of Ubuntu to fall back on, and one can usually be made by slipping a postage-stamp SIM card into your machine's slot and using Terminal for the backup, by typing sudo deja-dup --backup and allowing the process to run.
    If deja-dup isn't installed you can easily set it active by clicking the tic-tac-toe icon on your Desktop labeled, 'Show Applications,' then navigating to (what is usually the third page) Utilities/Backups and clicking Backups.
    It's all self-explanatory from there.
    7) Once all the sniffers and malware files are removed type: sudo reboot and enter.
    Start pressing the Shift key as the system begins coming back up and when the Grub screen appears (in pink, no less) press the down arrow and select the dialog, *Advanced options for Ubuntu; enter, and upon redirect to a second Grub page use your arrows array to drop down one line and select Recovery mode for the kernel of your choice.
    Allow the process to run; you will be required to enter your sda5_crypt password to continue, and when the process stops use your arrows again to scroll down to the line, 'Drop to root shell prompt,' press enter and then press enter again at the prompt; type sudo reboot and your machine will reboot, which is a good idea because it allows you to avoid level5 graphics issues following the second login.
    I sincerely hope this verbose summary helps newbies and others struggling to master the many Linux processes.
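
A triage step that fits before the manual deletion described in the post above, as an added example that is not part of the original thread: it pulls the INFECTED tests and PACKET SNIFFER processes out of a saved chkrootkit report and looks up which package owns each flagged binary, because chkrootkit's sniffer check also lists legitimate programs that hold packet sockets (DHCP clients, wpa_supplicant). The report lines are constructed, the function names are hypothetical, and a dpkg-based system such as the Ubuntu install on this page is assumed.

```shell
#!/bin/sh
# Added example: triage a chkrootkit report before deleting anything.

# Constructed sample in the usual chkrootkit line format (assumed).
sample_report() {
cat <<'EOF'
Checking `ifconfig'... not infected
Checking `tcpd'... INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1034], /sbin/dhclient[1213])
EOF
}

# Read a report on stdin; print one "KIND<TAB>item" line per finding.
chkrootkit_findings() {
    awk '
    /PACKET SNIFFER\(/ {
        # Keep only the process list between the parentheses.
        s = $0
        sub(/.*PACKET SNIFFER\(/, "", s)
        sub(/\).*/, "", s)
        n = split(s, procs, /, */)
        for (i = 1; i <= n; i++) {
            p = procs[i]
            sub(/\[[0-9]+\]$/, "", p)      # drop the trailing [pid]
            print "SNIFFER\t" p
        }
        next
    }
    /^Checking / && /INFECTED/ {
        name = $2                          # the quoted test name
        gsub(/[^A-Za-z0-9_-]/, "", name)   # strip quotes and dots
        print "INFECTED\t" name
    }'
}

# Print the package that owns a file, or UNPACKAGED if dpkg has no record.
owning_package() {
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    printf '%s\n' "${pkg:-UNPACKAGED}"
}

# Demo on the constructed sample: show the owner of each sniffer binary.
sample_report | chkrootkit_findings | while IFS="$(printf '\t')" read -r kind item; do
    case $kind in
        SNIFFER) printf '%s %s owner=%s\n' "$kind" "$item" "$(owning_package "$item")" ;;
        *)       printf '%s %s\n' "$kind" "$item" ;;
    esac
done
```

A packaged binary can then be checked against its shipped checksums with `dpkg --verify <package>`; an UNPACKAGED or modified file is the one that merits a closer look.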

  • ivanbabian

    I have some malware here in New Haven, CT, that the police have deployed against me to like violate my civil rights so that they can abuse me on behalf of a megaslumlord. It disables the rootkithunter and network manager and terminal on boot in Linux 6.8; it probably affects Android too. It locks the root on Fedora 38, Debian 11, and Kali. I'm using a rpi4 with 8 gigs. I have a sample of this I can compress and submit; email me babianivan2@gmail.com and I'll put it up in a downloadable Google link compressed for analysis... I'm dd dev zeroing all my drives but I have a sandbox set up if anyone wants to look at this and break this police exploit so they can never use it again

