Re: [suse-security] Intrusion spyware malware key stroke detection
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Wed, 22 Feb 2006 05:55:26 -0800
  • Message-id: <43FC6D4E.6000508@xxxxxxxxxx>
Martin wrote:
> I use suse 9.3 pro on home network. Boxed retail DVD set. Suse firewall.
> Security updates are current. KDE Konqueror and / or Firefox. Comcast
> cable internet service provider. No alias.
> Every day I am seeing spam email which is a reflection of complex
> sensitive key word phrases I had typed into google just a few days
> previously.
That is *very* spooky. Of course I don't know what is happening, but
here are some possibilities:

* Coincidence: Are you sure that the spams are resulting from your
google queries? Or just that you are getting spam on topics that
you are interested in?
* Malicious web sites: If you typed the queries into google, you
presumably then went to click on the links google produced. The
sites you visited can read your e-mail address from your web
browser (if you told your web browser your e-mail address) and
thus the destination sites may be producing the spam.
* You've been hacked: Such spyware is common on Windows, but I have
never heard of it on Linux.

> What are the security implications of this? How do I configure what I have to
> stop this? What additional measures might be appropriate? Is this spying
> for commercial purposes or could it be US Government spying? The linux
> network worm?
It is very unlikely to be government spying.

Securely cleaning spyware is very difficult, because the places spyware
can hide are near infinite. Here are a range of options for verifying and
cleaning your system:

* Verify your RPMs: do an "rpm -V" on all of your packages. This is
a lot of work, as you likely have thousands of packages. Read the
RPM man page to interpret the verbose output.
* Verify your RPMs from clean media: Do the above, but do it with
respect to the .rpm files on your DVD, in case the spyware has
changed your RPM meta-data on your system.
* Verify your RPMs from rescue media: the spyware may have installed
a kernel rootkit that makes all verification invalid, so to be
really sure you have to boot from rescue media instead of the
installed kernel, and then do these RPM verification steps.

All of which is a lot of work. You may find it easier to do a clean
re-install of your OS. Upgrade to SUSE 10 while you are at it :)

So all of your remediation steps are a lot of work. Therefore, it would
be worthwhile to test the "malicious web site" theory first.

1. Make up 2 obscure search terms that you *never* would use.
2. Enter one of them into google.
3. Go visit the resulting web sites.
4. See if you get spam.
5. Enter the other search term into google.
6. Do *not* visit any of the resulting web sites.
7. See if you get spam.

If you get spam from both obscure search terms, then perhaps you have
spyware, and you should re-install. If you get spam only from the first
obscure search term, then it is likely the web sites doing it to you.
But that is quite surprising, as it doesn't happen to me. If you get no
spam for the obscure search terms, then I suspect coincidence, and
someone is just spamming you on topics you commonly search for.

> Aliasing? Firewall configuration? Stop always connected cable internet and
> go back to using on demand dialup?
Going to dialup is unlikely to help, as all suspected cases here have to
do with client interaction, not hosted services.

Firewall configuration will not help, as you will configure your
firewall to allow out HTTP and DNS, and spyware can send its stuff out
those ports.

I don't know what you mean by "Aliasing".

> My first reactions are to look into aliasing. Or go back to on demand dialup.
> But if keystrokes are being detected then there is no security. Very
> alarming.
To be secure against this stuff, I would recommend a clean install of
SUSE 10.0 or 10.1, and add AppArmor profiles to all of the client
applications that you use (Firefox, Konqueror, Evolution, KMail,
Thunderbird, Gaim, etc.). That should prevent re-installation of the
suspected spyware.

Crispin Cowan, Ph.D.
Director of Software Engineering, Novell
Olympic Games: The Bi-Annual Festival of Corruption
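The RPM verification steps in the reply above, as an added example that is not part of the original mail: a small POSIX sh/awk triage of `rpm -V` output that separates expected noise (config and doc files, mtime-only changes) from the checksum, size, mode and owner changes a trojaned binary would show. The attribute-letter format is the one documented in rpm(8); the sample output lines are constructed, and the `--root` / `-p` invocations in the comments are the standard rpm options for checking from rescue media and against the .rpm files on the install DVD.

```shell
#!/bin/sh
# Added example, not from the original mail.
# Each rpm -V line is: 9 attribute chars (SM5DLUGTP, '.' = ok,
# '?' = not testable), an optional file-type letter (c d g l r),
# then the path. Missing files are reported as "missing <path>".

# triage_rpm_verify: read rpm -V output on stdin, print one line per
# finding as "<severity> <path>" (HIGH, LOW, or MISSING).
triage_rpm_verify() {
    awk '
    NF < 2 { next }
    $1 == "missing" { print "MISSING " $NF; next }
    length($1) != 9 { next }          # skip dependency messages etc.
    {
        flags = $1; path = $NF
        type = (NF == 3) ? $2 : ""
        # Config (c) and documentation (d) files change legitimately.
        if (type == "c" || type == "d") { print "LOW " path; next }
        # Checksum, size, mode, owner or group changes on a regular
        # package file are what a replaced binary looks like.
        if (index(flags, "5") || index(flags, "S") || index(flags, "M") ||
            index(flags, "U") || index(flags, "G")) { print "HIGH " path; next }
        print "LOW " path              # mtime/other-only changes
    }'
}

# Constructed sample of rpm -V output (not real system data).
sample_rpm_v_output() {
    printf '%s\n' \
      'S.5....T.  c /etc/ssh/sshd_config' \
      '.......T.    /usr/share/man/man1/ls.1.gz' \
      'S.5....T.    /bin/ls' \
      '.M.......    /usr/bin/passwd' \
      'missing     /usr/bin/lsof' \
      '..5....T.  d /usr/share/doc/packages/foo/README'
}

# Real usage, in the order the mail suggests:
#   rpm -Va | triage_rpm_verify                        # installed RPM database
#   rpm -Vp /media/dvd/suse/i586/*.rpm | triage_rpm_verify   # against DVD .rpm files
#   rpm -Va --root /mnt | triage_rpm_verify            # from rescue media, root on /mnt
# Anything marked HIGH on a binary or library deserves a reinstall of that package.
sample_rpm_v_output | triage_rpm_verify
```

Only the HIGH lines need attention; `rpm -qf <path>` tells you which package to reinstall from clean media.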

