police ransomware and linux mint 18

Discussion in 'all things UNIX' started by taleblou, Jul 10, 2016.

  1. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Hi:

    Turned my pc on this morning as usual, and when I opened the Chrome browser I was shocked to see the police ransomware had locked my Chrome. All was fine last night; I did not download anything bad and did not go anywhere shady. I did what I usually do. I have a variety of security extensions like TrafficLight, uBlock, WOT and others, have tweaked Chrome for the highest security settings, and I clean all traces of the browser constantly. I even have BleachBit installed and have checked all browser options for cleaning and clean them constantly. So how the heck did this thing take over Chrome?

    Luckily my pc is Mint 18 and only the browser was locked, and a reset of the browser to default fixed it. If this were Windows, the police ransomware could have infected the pc.

    I have no idea how I was infected. Has a similar thing happened to anyone else?

    Now I have added Avira Browser Safety to my extensions and changed uBlock to AdGuard with a lot of blocking checked.

    Any suggestion for a good anti-ransomware extension on Chrome that I can use to block these threats? Thanks in advance.

    By the way I scanned my linux mint 18 with comodo and clamav AVs and all were clean.
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    Any 3rd party programs installed in the last 6 months?

    I think one of the best measures regarding web-browsing is blocking scripts and ads since both can infect a browser or computer. I can surely see a malicious ad or website locking a web browser on Linux.
     
  3. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    No, my Linux install is a few weeks old.

    Also, script blocking is good, but it also interferes with streaming or watching videos online, and constant whitelisting is a pain. I have started using paid SafeDNS as it has anti-malware and other protection. If you know of any script-blocking add-ons for Chrome that do not interfere with Flash streaming and video watching, please let me know.
     
  4. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Hard to believe this story, although theoretically it could happen.
     
  5. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Here are all the options at my SafeDNS filtering page. Any suggestions on what else I should block to bring the protection to maximum without interfering with or over-filtering the web? Your suggestions are welcome.
    Screenshot from 2016-07-10 12-21-48.png

    Screenshot from 2016-07-10 12-22-09.png
     
  6. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Yeah wow! Times are a' changing...

    Unless I'm thinking wrong (surely possible), it appears the Chrome sandbox did its job and/or the malware wasn't written to crack a Linux system.

    I'm really going to have to double down on my Firefox profile backups and such. I wonder when a piece of ransomware is going to full-scale hammer a Linux system? Anything is crackable and I would imagine it's coming; I know one encrypted some files in the home directory etc. already, and now this...
     
  7. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    If the Chrome sandbox blocked it, then why did cleaning Chrome and closing and opening it not get rid of it unless I defaulted the browser?

    So it's scary that ransomware can infect a browser in Linux. Could it have been a drive-by police ransomware, or maybe a legit web site has been infected?? If anything like this happens again I will take a snapshot of it and post it here.
     
  8. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    How did you "clean" Chrome? I would imagine any ransomware designed to exploit Chrome would be able to modify Chrome's profile, which in order for the browser to function would have to be inside the sandbox... right? This seems logical to me, but I'm not an expert or authority on this matter.

    At least your system wasn't affected. This to me demonstrates the value of a MAC option like AppArmor, RBAC, TOMOYO, or SELinux... if that ransomware had been designed to work on a Linux system, I imagine it could have retrieved/encrypted files in /home through Linux's DAC (discretionary access control: assigning filesystem access rights and system call rights based on the rights of the user who launched the process). With MAC (mandatory access control: assigning filesystem access rights and system call rights based on a policy file that determines access by process regardless of the user launching it), even ransomware designed for Linux would have been contained.

    Of course, malware could then try to gain root, which is where grsecurity protections try to come in and prevent, etc etc. Security is a never-ending nightmare (that is terrifying and yet somehow for me also fun to mess with).

    And yeah, if it happens again, please do post here. FOSS gets better by disclosure to these sorts of things. People need a "face" to identify with a threat.
     
  9. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    All I did was go to Chrome settings and, under Advanced, do a "Reset settings" (restore settings to their original defaults), then close Chrome and open it, and it was gone.

    Also, if this happens again I will post a snapshot here. But with SafeDNS active now and Avira Browser Safety and AdGuard added, maybe these will stop future ransomware, hopefully??
     
  10. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    That's why I use Firejail and simply run Firefox with this command:

    firejail --private firefox -no-remote

    This will make Firefox think it's starting from a new /home and it won't have any addons or settings set up :D
     
  11. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    I tried it, and firejailing a browser (I did it with Chrome) lost all extensions and favorites. It was like a fresh first-install browser without anything added, each time I opened it in Firejail. Also, Firejail caused an issue with my network: my internet played funny, with disconnections and DNS page-load errors. I had to uninstall it, and now my Linux works fine and the internet issue is gone.
     
  12. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Firejail is an overkill for average Linux desktop users. Think about all the Windows users. Most of them are fine. No reason Linux users should not be fine without using Firejail. Period.
     
  13. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    How about firejail and apparmor at the same time? :p

    I don't see what's wrong with Firejail or even a MAC implementation if it doesn't really cost anything. One can have plugins, history, cache, cookies (bad for tracking though), and normal operation with these protections silently in the background. It really only costs the time it takes to aa-logprof a policy file for AppArmor, and Firejail is literally just changing the launcher to have firejail in front of your browser name (assuming it's known enough to have a profile). RBAC requires more since the whole system must be profiled, SELinux I believe would be harder to create, and TOMOYO I'm not sure.

    Also, I'm not sure I agree with you in terms of Firefox; with Chrome/Chromium I can see your argument (fantastic seccomp-bpf sandbox). There has been ransomware that has encrypted files in /home and malware that actually grabbed ssh data. Given that Firefox doesn't even have a sandbox and has full access to home (given normal discretionary access controls), I think we are approaching the realm of even desktop Linux being in danger. Firejail would stop those attacks, especially on a grsecurity-patched kernel (enhanced chroot jail protections: harder to break out of one). AppArmor would work too in a completely different way, as would any of the other MAC options set up correctly.
     
  14. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Streaming sites are notorious for drive-bys. If you want to stream video, it is best to have a dedicated computer for that purpose and not use it for anything else. Have a backup image of the system in case it gets borked and just enjoy. Restoring an image of Mint, which is usually well under 16 GB, takes less than a minute with an SSD and 2 to 3 on a mechanical drive. Do all your important work on another computer with script blocking and other security measures. More security always means less convenience, and it is best to separate work and play so you can enjoy the computers you play on. On those computers, have nothing that's worth any kind of ransom, and then, even if it did get hit with ransomware, you could just laugh as you restored the system and started watching again.
     
  15. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    :argh:
    I think this right here best sums up the state of necessary security :D

    One guy says no need because linux, one guy says use a sandbox and MAC, and yet another guy is like you need a dedicated computer specifically for streaming.

    In other words, do what you think is best because we certainly aren't going to come to any consensus :cool:
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I think this is not malware. This is just aggressive javascript on one of the pages you visited.
    That's what I think you encountered here.
    Mrk
     
  17. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Maybe not. Because this happened after I rebooted my pc for the first time in the morning and opened Chrome for the first time in the morning, and that is when I saw this police ransomware had taken over my Chrome. The night before all was well, and before shutting the pc down for the night I cleaned it using BleachBit (all browser boxes checked, plus I use the Click&Clean extension to clean the browser many times) and turned it off.

    So I have no idea from where or how it got there? Heck, I even have a firewall active on Mint 18. My other pc with Linux Peppermint 6 was ok. I use the other one to visit movie and streaming sites a lot and never had an issue. So for the Linux Mint 18 on this pc, which I use for normal stuff, to have this ransomware suddenly appearing out of nowhere on a fresh start in the morning is very strange.

    I decided to move to Mint 18 from Peppermint 6 because Mint has more options and is easier to work with.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    What is the site you visited in the morning?
    Can you share that? Do not link, just type the name something like xyz dot com.
    Do you have more details as to what you did? Assume nothing.
    Mrk
     
  19. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    No site visited. I just opened Chrome to my home page, which was google.ca, but instead the police ransomware showed up. Tried a few more links, but all were the police ransomware page. So I reset Chrome and reopened it and all was well. The night before, before logging off, I was watching an episode of "Unsealed: Alien Files" online on YouTube. Then I used Click&Clean as usual, closed Chrome, then used BleachBit to clean as usual and then shut down the pc until the next morning.

    By the way, I have scanned the pc with Comodo Linux and ClamAV and all was clean. I also have the Comodo Linux AV shield and active protection on, so it should have detected if anything tried to download.
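    The symptom in posts 9 and 19 (the locker page comes back on every launch, even with the homepage set to google.ca, until "Reset settings" clears the startup configuration) is what a profile-level check can catch. The script below is an added example, not code from the thread or from any project named in it: it audits a Chromium/Chrome profile's Preferences file (plain JSON) for startup targets that are not on an allowlist, which is the same ground the reset clears. The key names (homepage, homepage_is_newtabpage, session.restore_on_startup, session.startup_urls) and the meaning of the restore_on_startup values are assumptions taken from Chromium's Preferences layout; the sample profile and the lock-page.example URL are constructed.

```python
"""Audit a Chromium/Chrome 'Preferences' file for startup-page hijacks.

A browser-locker page that survives closing and reopening the browser has to
be stored somewhere the browser reloads on start: the homepage, the startup
URL list, or the restored session. This added example reads a profile's
Preferences JSON and reports startup targets that are not on an allowlist.
Key names follow Chromium's Preferences layout as assumed here.
"""
import json
from urllib.parse import urlsplit

# Assumed meaning of session.restore_on_startup (Chromium SessionStartupPref):
# 1 = restore last session, 4 = open a specific list of URLs, 5 = New Tab page.
RESTORE_LAST_SESSION = 1
OPEN_SPECIFIC_URLS = 4
OPEN_NEW_TAB_PAGE = 5


def host_allowed(url, allowed_hosts):
    """True if url is http(s) and its host is an allowed host or a subdomain of one.

    Non-http schemes (javascript:, data:, file:) are never allowed as a
    startup target, because a locker page can hide in those just as well.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def audit_preferences(prefs, allowed_hosts):
    """Return a list of (setting, value, reason) findings for a parsed Preferences dict."""
    findings = []

    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", False):
        if not host_allowed(homepage, allowed_hosts):
            findings.append(("homepage", homepage, "host not on allowlist"))

    session = prefs.get("session", {})
    mode = session.get("restore_on_startup", OPEN_NEW_TAB_PAGE)
    if mode == RESTORE_LAST_SESSION:
        # Not a hijack by itself, but a locker tab left open is reopened next start.
        findings.append(("session.restore_on_startup", mode,
                         "last session is restored, so an open locker tab reappears"))
    if mode == OPEN_SPECIFIC_URLS:
        for url in session.get("startup_urls", []):
            if not host_allowed(url, allowed_hosts):
                findings.append(("session.startup_urls", url, "host not on allowlist"))
    return findings


def load_and_audit(path, allowed_hosts):
    """Audit the Preferences file at path (e.g. ~/.config/google-chrome/Default/Preferences)."""
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh), allowed_hosts)


# Constructed sample: the homepage is still google.ca, but the startup URL
# list has an extra entry pointing at a constructed, attacker-style page.
SAMPLE_PREFS = {
    "homepage": "https://www.google.ca/",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": OPEN_SPECIFIC_URLS,
        "startup_urls": ["https://www.google.ca/", "http://lock-page.example/?id=123"],
    },
}

if __name__ == "__main__":
    for setting, value, reason in audit_preferences(SAMPLE_PREFS, ["google.ca"]):
        print(f"{setting}: {value!r} ({reason})")
```

    Run it against a real profile with load_and_audit and the hosts you actually expect at startup; anything it reports is exactly what "Reset settings" would discard, so reviewing the findings first tells you what the reset is fixing instead of hiding it.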
     
  20. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    If you use the command I posted, then yes.

    See "man firejail"

    That's not supposed to happen.

    That's a very hard and conservative approach. Just recently Firefox had a vulnerability that allowed the attacker to grab any file on the user's /home folder. Firejail easily prevented that.

    There's a thread here showing how Chromium's sandbox can be bypassed. Not sure about nowadays, though.
     
  21. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    Why don't you try

    Code:
       sudo usermod --shell /usr/bin/firejail yourusername
    then restart the computer or laptop. Then open a terminal and you can see a lot of locked stuff: sudo does not work, root does not work, update and upgrade only work with the GUI Software Updater.

    The first things I do after install: configure ufw & iptables, update & upgrade & dist-upgrade, install the new kernel 4.7, install bleachbit & macchanger, macchanger-gtk, firejail & firetools.
     
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    So after another reboot that setting is off? No this is permanent. What's the specific advantage over setting up a standard user account?
     
    Last edited: Jul 13, 2016
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Did you sign in to a Google account and synced the (corrupted) settings?
     
  24. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    After reboot that setting is off? For me it is always on.
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    You're right, I created a standard user and used that command. It definitely locks things down. You'd have to get into /etc/firejail from the admin account to change the settings.

    Firejail has so many options it's really amazing.
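    The usermod command in post 21 makes firejail the account's login shell, and as posts 22 to 25 establish, that is permanent until an admin changes it back. The script below is an added example, not code from the thread or from the Firejail project: it parses passwd-format and /etc/shells-format text and reports which accounts are confined that way, so an admin can see at a glance which users will find sudo and root unavailable. The check that the shell is listed in /etc/shells is a general Unix expectation (chsh and some login services consult that file), not something the thread states. The passwd and shells contents are constructed; on a real system read /etc/passwd and /etc/shells instead.

```python
"""Report which local accounts use firejail as their login shell.

Added example: parses passwd-format lines and an /etc/shells-format list,
returning the accounts whose login shell is the sandbox shell and whether
that shell is registered in /etc/shells. Sample data is constructed.
"""

FIREJAIL_SHELL = "/usr/bin/firejail"


def parse_passwd(text):
    """Yield (username, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guessing at them
        name, _pw, uid, _gid, _gecos, home, shell = fields
        yield name, int(uid), home, shell


def parse_shells(text):
    """Return the set of shells listed in /etc/shells-format text."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def sandboxed_accounts(passwd_text, shells_text, sandbox_shell=FIREJAIL_SHELL):
    """Map username -> {'uid', 'home', 'listed_in_shells'} for sandbox-shell accounts."""
    listed = sandbox_shell in parse_shells(shells_text)
    return {
        name: {"uid": uid, "home": home, "listed_in_shells": listed}
        for name, uid, home, shell in parse_passwd(passwd_text)
        if shell == sandbox_shell
    }


def load_and_report(passwd_path="/etc/passwd", shells_path="/etc/shells"):
    """Read the real files (paths are the standard ones) and run the report."""
    with open(passwd_path, encoding="utf-8") as p, open(shells_path, encoding="utf-8") as s:
        return sandboxed_accounts(p.read(), s.read())


# Constructed sample data: one admin account, one streaming-box account
# whose login shell has been switched to firejail with the usermod command.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin,,,:/home/admin:/bin/bash
media:x:1001:1001:Streaming box,,,:/home/media:/usr/bin/firejail
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""

if __name__ == "__main__":
    for name, info in sandboxed_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        note = "" if info["listed_in_shells"] else " (firejail is NOT listed in /etc/shells)"
        print(f"{name} (uid {info['uid']}, home {info['home']}) logs in through firejail{note}")
```

    Keeping at least one account with a normal shell (the "admin account" of post 25) is what this report helps verify: if every uid >= 1000 account shows up here, nobody can run sudo or edit /etc/firejail from a login session.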
     