Linux Mint9 Virtual Machine - infection/false positive?

Started by Golden, April 17, 2012, 01:43:09 PM


Golden

G'day,

I use Linux Mint 9 within a VMware Player virtual machine running on my Windows 7 Ultimate PC. Within Linux, I've been using Firefox to browse the web as I normally do, no shady sites, just the everyday stuff.

I've also installed CLAMAV and occasionally I will scan the virtual Linux PC, more out of good habit since this is an on-demand scanner only. Recently, it's popped up this message as shown below. I'm reasonably confident I haven't purposely downloaded anything malicious.

Linux is always up-to-date with the latest updates, as is CLAMAV. I use HTTPS Everywhere in FireFox.

For the Windows HOST, I use MSE, resident Malwarebytes, WinPatrol, and Windows Firewall. Windows is always up-to-date, as are the antimalware software.

What do you think? What would you suggest?

Regards,
Golden

Corrine

Hi, Golden.

Does ClamAV only scan the Linux install or does it also scan Windows 7?

Another name for pua.js.xored is Trojan:JS/Alescurf.D, a specific JavaScript (JS) that attempts to redirect the affected user's browser to another website. This JavaScript is usually embedded in a malicious or compromised webpage.

Examples

2011-02-12 11:30:51   http://helloworldfc2.web.fc2.com/TVstream.html   2878CF3C142850D505A198801227D5C5   208.71.106.46   US   PUA.JS.Xored

2011-02-19 04:40:08   http://2w2wi.com/com/love/   00FEB753DFDE2FBBC8845B9B7D850603   202.67.215.166   HK   PUA.JS.Xored

If the two IP addresses are in your HOSTS file, that could be what ClamAV is picking up.  Otherwise, I suggest clearing the Firefox cache and your temp files and rescan.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Golden

Hi Corinne,

Thanks for the reply. CLAMAV only scans the Linux install - I leave Windows 7 to MSE + Malwarebytes (nothing malicious reported here). Last night I deleted the file using CLAMAV, rebooted, and re-scanned the Linux install and the item was not detected.

I've just cleared the cache content in FireFox. Do you know where I might find the HOSTS file in Linux?

Thanks again,
Golden


Corrine

Golden

Oh, that's a great site! Thanks Corinne.

I'll try to work my way through that, and let you know what I can find.

BTW : Like your article on MS anti-malware over at Garden - very comprehensive.

Corrine

Thanks, Golden.  It seemed appropriate to update it.  I hope it helps clear up the confusion.

Golden

Hi Corinne,

OK. This is what my HOSTS file looks like, using sudo nano /etc/hosts

27.0.0.1 localhost
127.0.1.1 LinuxMint9

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


I'm not sure what I should be looking for. I don't see anything that looks like an IP address in here  :blink:

Regards,
Golden

Corrine

Hi, Golden.

There's this:

27.0.0.1   localhost
127.0.1.1   LinuxMint9

As to the IP address associated with the finding by ClamAV, from what I see in the screen capture, that finding was in Firefox, not in the HOSTS file. 

I believe there are LinuxMint users at Scot's.  I'll ask if anyone there has any advice, particularly regarding the HOSTS file.  Should you decide to register there, let me know so I can speed the process as all new registrations are manually vetted.

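Since the thread turns on what to look for in /etc/hosts, here is an added checker (not code from either poster) that parses a hosts file and flags any entry pointing a name at an address outside the loopback, IPv6 placeholder and multicast ranges a stock Mint hosts file uses. The sample file is constructed for this example; the www.example-bank.invalid line is a hypothetical hijack entry with placeholder values.

```python
import ipaddress

# Constructed sample hosts file (not the poster's real file): laid out like a stock
# Debian/Mint /etc/hosts, plus one hypothetical hijack entry with placeholder values.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 LinuxMint9

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
203.0.113.10 www.example-bank.invalid   # hypothetical hijack entry (placeholder)
"""

# Address ranges a stock hosts file legitimately uses: IPv4 loopback, IPv6 loopback,
# the fe00::/9 placeholder block Debian uses for ip6-localnet, and IPv6 multicast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "fe00::/9", "ff00::/8")]


def parse_hosts(text):
    """Return [(address, [names...])] for every non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def suspicious_entries(text):
    """Flag entries that point a name somewhere other than a local address.

    Anything outside LOCAL_NETS deserves a second look: a real domain redirected
    to a foreign IP, or 'localhost' mapped to a non-loopback address (which would
    send supposedly local traffic to a remote host).
    """
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, names))      # not even a valid address
            continue
        if not any(ip in net for net in LOCAL_NETS):
            flagged.append((addr, names))
    return flagged
```

Run it against the real file with `suspicious_entries(open("/etc/hosts").read())`; an empty list means every entry resolves locally.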

LilBambi

Do you share files/folders between Linux and Windows?

If so, it could have come from the Windows side.

:dance:
Bambi
AKA Fran
Jim-Fran.com

Corrine

Thank you, LilBambi!  I knew I could count on you.  :rose:


LilBambi

Corrine

Golden, additional advice from SNF:

Quote from: amenditman
You should really encourage anyone using Linux Mint 9 to upgrade to Linux Mint 12. 12 is a long term support version and will be good for 2 years.
Just one more reason I use nothing but rolling release distros.

to which LilBambi added:
Quote from: LilBambi
And if they only have a single partition, to back up their data first before doing that. If they have a separate /home partition, they can skip that.


Golden

Thanks Corinne. Sorry about the IP confusion, I assumed I was looking for anything except the local host and LinuxMint IP addresses.

Hi Fran : after your last suggestion, I decided that the Windows host and Linux VM should not share anything between them at all, so I'm confident I must have unwittingly picked this up during some browsing using FireFox in the VM only....I only wish I could remember where as I consider my browsing habits to be quite safe  :shocked: I run Linux as a VM on a separate physical disk from the OS and other data disks.

As mentioned, I cleaned the infection from within CLAMAV, and so far it hasn't reappeared. However, to be on the safe side, I am going to delete this VM (a single file), and rebuild it using LinuxMint12.

Thanks again for your help on this..............if I stumble across this again, I'll backtrack and record the site/s it might have come from.

Regards,
Golden


LilBambi

 :goodie:

Excellent idea Golden! You will be much happier with Linux Mint 12 I would imagine, and certainly safer, and will be able to use the latest plugins, as well as Firefox, and be able to keep it updated to the last minute.

Smart move on not creating any shared connections between the Windows PC and the VM. If you want a truly clean environment between them, it's a smart move. It seems like a little overkill until you get hit with something.

OK, the following is not required but suggested. I wish more of these extensions were available in Internet Explorer! It would make Internet Explorer much safer!

With that in mind, might I also suggest the following in your Firefox browser since you use Firefox, (regardless of your operating system):

Extensions:

Adblock Plus - Works in all browsers and OSes, except Internet Explorer unless they changed that recently
WOT (Web of Trust) - Works in most browsers and OSes
FlashBlock - Works in at least FF and Chrome across OSes
NoScript - Works in Firefox in all OSes (and if in Google Chrome or SRWare Iron browser: NotScripts - Works for Chrome in all OSes)

The first two are for anyone, and the last couple are for those who wish to travel around the Internet and not allow arbitrary Flash code (FlashBlock) or other code like JavaScript, etc., (NoScript, NotScripts) to run on their computers unless they trust the site and give their express permission.

I use all the extensions noted above whether it is in a native install or a VM for any OS I use.

Here's the real test of time for me as to the need for these types of things. Even my Jim, who has used Linux for many years now -- and never had to worry about this type of thing and even teased me for using NoScript for years because it was just plain annoying -- is now using it to protect against the bad stuff out there.

He even goes one further and installs Firefox in his home rather than system wide, and wipes out his profile periodically just on general principles. I personally hate doing that, so I use all the extensions I mentioned above so I don't have to. But I do use a temporary file cleaner in Windows and on Mac to clear out all temporary and TIF (Temporary Internet Files) every day and in Linux I go to the cache folder in my profile and wipe out the files manually.

Of course as a VirtualMachine, you could just keep a clean, updated copy of the VM in the wings, and create a fresh copy each day for use.

Or treat it like a real OS and keep it safe and only replace it if you feel it has been compromised like you are doing now.

It is after all about choice.  :dance: