Re: [suse-security] Intrusion spyware malware key stroke detection
I use suse 9.3 pro on home network. Boxed retail DVD set. Suse firewall. Security updates are current. KDE Konqueror and / or Firefox. Comcast cable internet service provider. No alias.

Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.

What are the security implications of this? How do I configure what I have to stop this? What additional measures might be appropriate? Is this spying for commercial purposes or could it be US Government spying? The linux network worm?

Aliasing? Fire wall configuration? Stop always connected cable internet and go back to using on demand dialup?

My first reactions are to look into aliasing. Or go back to on demand dialup.

But if keystrokes are being detected then there is no security. Very alarming.

Thanks to any who can help.

Martin
Martin wrote:

> I use suse 9.3 pro on home network. Boxed retail DVD set. Suse firewall. Security updates are current. KDE Konqueror and / or Firefox. Comcast cable internet service provider. No alias.
>
> Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.

That is *very* spooky. Of course I don't know what is happening, but here are some possibilities:

* Coincidence: Are you sure that the spams are resulting from your google queries? Or just that you are getting spam on topics that you are interested in?
* Malicious web sites: If you typed the queries into google, you presumably then went to click on the links google produced. The sites you visited can read your e-mail address from your web browser (if you told your web browser your e-mail address) and thus the destination sites may be producing the spam.
* You've been hacked: Such spyware is common on Windows, but I have never heard of it on Linux.

> What are the security implications of this? How do I configure what I have to stop this? What additional measures might be appropriate? Is this spying for commercial purposes or could it be US Government spying? The linux network worm?

It is very unlikely to be government spying.

Securely cleaning spyware is very difficult, because the places spyware can hide are near infinite. Here is a range of options for verifying and cleaning your system:

* Verify your RPMs: do an "rpm -V" on all of your packages. This is a lot of work, as you likely have thousands of packages. Read the RPM man page to interpret the verbose output.
* Verify your RPMs from clean media: Do the above, but do it with respect to the .rpm files on your DVD, in case the spyware has changed your RPM meta-data on your system.
* Verify your RPMs from rescue media: the spyware may have installed a kernel rootkit that makes all verification invalid, so to be really sure you have to boot from rescue media instead of the installed kernel, and then do these RPM verification steps.

All of which is a lot of work. You may find it easier to do a clean re-install of your OS. Upgrade to SUSE 10 while you are at it :)

So all of your remediation steps are a lot of work. Therefore, it would be worthwhile to test the "malicious web site" theory first.

1. Make up 2 obscure search terms that you *never* would use.
2. Enter one of them into google.
3. Go visit the resulting web sites.
4. See if you get spam.
5. Enter the other search term into google.
6. Do *not* visit any of the resulting web sites.
7. See if you get spam.

If you get spam from both obscure search terms, then perhaps you have spyware, and you should re-install. If you get spam only from the first obscure search term, then it is likely the web sites doing it to you. But that is quite surprising, as it doesn't happen to me. If you get no spam for the obscure search terms, then I suspect coincidence, and someone is just spamming you on topics you commonly search for.

> Aliasing? Fire wall configuration? Stop always connected cable internet and go back to using on demand dialup?

Going to dialup is unlikely to help, as all suspected cases here have to do with client interaction, not hosted services.

Firewall configuration will not help, as you will configure your firewall to allow out HTTP and DNS, and spyware can send its stuff out those ports.

I don't know what you mean by "Aliasing".

> My first reactions are to look into aliasing. Or go back to on demand dialup.
>
> But if keystrokes are being detected then there is no security. Very alarming.

To be secure against this stuff, I would recommend a clean install of SUSE 10.0 or 10.1, and add AppArmor profiles to all of the client applications that you use (Firefox, Konqueror, Evolution, KMail, Thunderbird, Gaim, etc.). That should prevent re-installation of the suspected spyware.

Crispin

-- 
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption
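Crispin's first step, "rpm -V" on every package and then reading the man page to interpret the verbose output, leaves the reader with rpm's terse status strings to decode. The script below is an added example, not Crispin's code and not part of SUSE: it reads "rpm -V" output line by line and prints which attributes differ, whether the file is a config file, and a rough triage verdict. The verdict rules (a config file whose size, digest or mtime changed is a normal local edit; anything else, or a missing file, is worth checking against the DVD) are the example's own heuristic, not rpm's. The five rpm -V lines it is fed are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a reader for "rpm -V" output.
# Each line rpm -V prints is  <status> [<file type>] <path>.  In the status
# string a "." means the attribute still matches the RPM database and a letter
# means it differs: S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime (rpm >= 4.7 appends a 9th column, P capabilities). A file
# that is gone entirely is reported as "missing". The optional file type is
# c (config), d (documentation), g (ghost), l (license) or r (readme).
# On a live system:   rpm -Va | explain_rpm_verify
set -f   # no pathname expansion while splitting lines into fields

explain_flag() {
    case "$1" in
        S) printf 'size';;   M) printf 'mode';;    5) printf 'digest';;
        D) printf 'device';; L) printf 'symlink';; U) printf 'owner';;
        G) printf 'group';;  T) printf 'mtime';;   P) printf 'capabilities';;
        *) printf 'unknown(%s)' "$1";;
    esac
}

# Decode one rpm -V line and attach a triage verdict (the verdict rules are
# this example's heuristic, not anything rpm itself reports).
explain_rpm_verify_line() {
    # shellcheck disable=SC2086
    set -- $1                      # fields: status, [type], path
    status=$1; shift
    kind=""
    case "$1" in c|d|g|l|r) kind=$1; shift;; esac
    path=$1
    label=""
    case "$kind" in c) label=" (config)";; d) label=" (doc)";; "") ;; *) label=" ($kind)";; esac

    if [ "$status" = "missing" ]; then
        printf '%s%s: MISSING -> suspicious: verify against the DVD .rpm\n' "$path" "$label"
        return 0
    fi

    changed=""; serious=0; s=$status
    while [ -n "$s" ]; do
        ch=${s%"${s#?}"}; s=${s#?}          # peel off the first character
        case "$ch" in
            .|\?) ;;                         # unchanged / could not be checked
            *) changed="${changed}${changed:+,}$(explain_flag "$ch")"
               case "$ch" in S|5|T) ;; *) serious=1;; esac;;
        esac
    done

    if [ -z "$changed" ]; then verdict="unchanged"
    elif [ "$kind" = c ] && [ "$serious" -eq 0 ]; then verdict="expected (local edit)"
    elif [ "$changed" = "mtime" ]; then verdict="mtime only (usually harmless)"
    else verdict="suspicious: verify against the DVD .rpm"
    fi
    printf '%s%s: %s -> %s\n' "$path" "$label" "${changed:-none}" "$verdict"
}

# Filter: explain every non-empty line on stdin.
explain_rpm_verify() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then explain_rpm_verify_line "$line"; fi
    done
}

# Constructed sample of what rpm -Va might print on an rpm 4.1-era SUSE
# (8-column status strings). Not real output from any system.
SAMPLE_OUTPUT='S.5....T  c /etc/ssh/sshd_config
S.5....T    /bin/ls
.......T    /usr/share/man/man1/ls.1.gz
missing     /usr/bin/who
.M......    /usr/bin/passwd'

printf '%s\n' "$SAMPLE_OUTPUT" | explain_rpm_verify
```

For Crispin's second and third steps the same filter applies unchanged: `rpm -Vp /path/to/package.rpm` verifies the installed files against a package file from the DVD rather than against the (possibly tampered) database, and after booting rescue media with the installed system mounted at /mnt, `rpm --root /mnt -Va` runs the check without trusting the installed kernel.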
First: thank you, Crispin Cowan, for your prompt and comprehensive reply. Makes me feel even more certain that my dedication to SuSE extending back many years has been a good thing. I certainly have received much more value than I would have from MS.

> * Coincidence: Are you sure that the spams are resulting from your google queries? Or just that you are getting spam on topics that you are interested in?

Second: good thought. Most likely someone there is passing on my address. I don't believe those privacy statements anyway.

> * Verify your RPMs: do an "rpm -V" on all of your packages. This is a lot of work, as you likely have thousands of packages. Read the RPM man page to interpret the verbose output.
> All of which is a lot of work. You may find it easier to do a clean re-install of your OS. Upgrade to SUSE 10 while you are at it :)

Third: The rpm -V process might be OK for a few packages, but for all of them, thanks but no thanks. Will start looking for version 10.+.

> So all of your remediation steps are a lot of work. Therefore, it would be worth while to test the "malicious web site" theory first.
> 1. Make up 2 obscure search terms that you *never* would use.
> 2. Enter one of them into google.
> 3. Go visit the resulting web sites.
> 4. See if you get spam.
> 5. Enter the other search term into google
> 6. Do *not* visit any of the resulting web sites.
> 7. See if you get spam.

Fourth: Good idea. If only for my own peace of mind. Will do.

> I don't know what you mean by "Aliasing"

Fifth: As I understand it, this is using a remote machine with a different address. My machine only connects to it. It has the internet connection. Having thought more and written this, I see that it would be no solution because I would still be connecting via internet.
> To be secure against this stuff, I would recommend a clean install of SUSE 10.0 or 10.1, and add AppArmor profiles to all of the client applications that you use (Firefox, Konqueror, Evolution, KMail, Thunderbird, Gaim, etc.). That should prevent re-installation of the suspected spyware.

Sixth: I've seen the discussion about AppArmor on the security site. I gather it is not available for versions < 10. Right? or Wrong?

Seventh: What is a *clean* install? Necessary to overwrite and lose /home/~ and /usr?
Dear Martin.

Which browser are you using? Have you ever considered clearing the cookies upon Browser exit? I know of sites that will search your cookies to find information you entered at other sites... Such as Hometown or e-mail....

Cheers,
Thorsten

-- 
Contact me on ICQ: 7656468

DSL promotion extended until 28.2.2006 due to high demand: GMX DSL flat rate 1 year free* http://www.gmx.net/de/go/dsl
That's very odd. Do your search queries frequently take you to the same web server? If so, that server's logs will contain the search query you entered.

There may be additional possibilities, but I can't think very clearly at the moment; the noise from all of the black helicopters makes it very difficult to concentrate.

On Wednesday 22 February 2006 3:53 am, Martin wrote:
> Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.
-- 
Regards,
Chris Quinn
chris@quinns.net
http://blog.quinns.net
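Chris's point that the destination server's logs contain the search query rests on the Referer header: when you click a result, the browser sends the results-page URL along with the request, and a Google results URL carries the query in its q= parameter. The script below is an added example, not Chris's code and not taken from any server of his: it reads Apache combined-format access log lines and prints, for each hit whose referer is a Google results page, the client address and the decoded query. The three log lines are constructed for the example, with addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24. Run over a server's own access log, it shows exactly what a site you clicked through to learns about the search that brought you there.

```shell
#!/bin/sh
# Added example (not from the thread): extract the Google query that a
# browser leaks to a visited site through the Referer header, from Apache
# "combined" access log lines. On a real server:  search_terms_from_log < access_log
set -f   # no pathname expansion while splitting query strings on '&'

# Decode application/x-www-form-urlencoded text ("+" and %XX escapes).
urldecode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}               # first character, rest
        case "$c" in
            +) out="$out ";;
            %) hex=${s%"${s#??}"}; s=${s#??}    # two hex digits -> byte
               out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")";;
            *) out="$out$c";;
        esac
    done
    printf '%s\n' "$out"
}

# Print the decoded q= parameter of a URL; return 1 if there is none.
extract_q() {
    query=${1#*\?}
    [ "$query" != "$1" ] || return 1            # no '?' in the URL
    old_ifs=$IFS; IFS='&'; set -- $query; IFS=$old_ifs
    for p in "$@"; do
        case "$p" in q=*) urldecode "${p#q=}"; return 0;; esac
    done
    return 1
}

# For each combined-format log line whose referer is a Google results page,
# print "<client ip> searched for: <decoded terms>".
search_terms_from_log() {
    while IFS= read -r line; do
        # combined format: ip - - [date] "request" status bytes "referer" "agent"
        ref=$(printf '%s\n' "$line" |
              sed -n 's/^[^"]*"[^"]*" [0-9]* [0-9-]* "\([^"]*\)".*$/\1/p')
        case "$ref" in
            *://*google.*/search\?*) ;;          # came from a Google results page
            *) continue;;
        esac
        if q=$(extract_q "$ref"); then
            printf '%s searched for: %s\n' "${line%% *}" "$q"
        fi
    done
}

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG='192.0.2.10 - - [22/Feb/2006:08:55:12 -0800] "GET /products/index.html HTTP/1.1" 200 5123 "http://www.google.com/search?hl=en&q=obscure+search+term+%231&btnG=Search" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
192.0.2.10 - - [22/Feb/2006:08:55:15 -0800] "GET /style.css HTTP/1.1" 200 812 "http://www.example.net/products/index.html" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
198.51.100.7 - - [22/Feb/2006:09:01:02 -0800] "GET / HTTP/1.0" 200 2048 "-" "curl/7.15.1"'

printf '%s\n' "$SAMPLE_LOG" | search_terms_from_log
```

Only the first sample line produces output; the stylesheet request carries the site's own page as referer and the curl hit carries none. That is the whole mechanism Chris describes: nothing on the client was compromised, the query simply travelled in a header the browser sends by default.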
I just furtively took a peek out the window. No black helicopters. No black SUVs. No men in black suits. No men in white suits either. I'll keep checking. Even paranoids have enemies.

On Wednesday 22 February 2006 09:10, Chris Quinn wrote:
> That's very odd. Do your search queries frequently take you to the same web server? If so, that server's logs will contain the search query you entered.
>
> There may be additional possibilities, but I can't think very clearly at the moment; the noise from all of the black helicopters makes it very difficult to concentrate.
LOL. You know, you're not paranoid if they really are out to get you.

If it's any consolation, 90% of my current web server traffic is coming from IPs in DC and VA. Seriously. (Political blog).

Let us know what you find out about the spam. It's interesting.

On Wednesday 22 February 2006 9:22 am, Martin wrote:
> I just furtively took a peek out the window. No black helicopters. No black SUVs. No men in black suits. No men in white suits either. I'll keep checking. Even paranoids have enemies.
-- 
Regards,
Chris Quinn
chris@quinns.net
http://blog.quinns.net
On Wednesday 22 February 2006 2:53 am, Martin wrote:
> Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.
This may be completely unrelated, but do the subject lines for the spam you refer to start with "Amazing, "?

-- 
Don
I wrote an agent that watches current google search queries in realtime (not quite realtime, but quite close). This is not hard to do, either. I suspect this is what's going on.

Log into your machine as root and do a ps aux and show us the output. I highly doubt there is a piece of malware running, but it's worth checking for.

Tim
Don Raboud
> This may be completely unrelated, but do the subject lines for the spam you refer to start with "Amazing, "?
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Tim, Martin,

On Wednesday 22 February 2006 07:07, trainier@kalsec.com wrote:
> I wrote an agent that watches current google search queries in realtime (not quite realtime, but quite close) This is not hard to do, either. I suspect this is what's going on.
>
> Log into your machine as root and do a ps aux and show us the output.
Why as root? There is no output from "ps" that's available to root only. At the same time, if there actually were some spyware or other exploit with a foothold on the OP's system (very unlikely, I agree), then exposure could conceivably be increased by logging in as root.
> I highly doubt there is a piece of malware running, but it's worth checking for.
>
> Tim
>
> ...
>
> Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.
If these "complex" "key word phrases" (a contradiction in terms, by the way) are truly "sensitive," then you should not be sending them to Google. While Google may (for now) protect search terms from being associated with the individuals that submit them, they do not in any way guarantee that all they'll do with them is use them to conduct the search you request.

Randall Schulz
Right.

I guess my thought was that you may need root to kill the process(es). Not necessarily though.

For reporting purposes, I agree, log in as a non-super user.

Tim
Randall R Schulz
> Log into your machine as root and do a ps aux and show us the output.
>
> Why as root? There is no output from "ps" that's available to root only.
>
> At the same time, if there actually were some spyware or other exploit with a foothold on the OP's system (very unlikely, I agree), then exposure could conceivably be increased by logging in as root.
Nope, nothing about Amazing.

On Wednesday 22 February 2006 10:00, Don Raboud wrote:
> This may be completely unrelated, but do the subject lines for the spam you refer to start with "Amazing, "?
On Feb 22, Martin
> Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.
Can you post the spam mail (including headers)?

Markus

-- 
 /"\   Markus Gaugusch
 \ /   ASCII Ribbon Campaign   markus(at)gaugusch.at
  X    Against HTML Mail
 / \
participants (8): Chris Quinn, Crispin Cowan, Don Raboud, Markus Gaugusch, Martin, Randall R Schulz, Thorsten Wolf, trainier@kalsec.com