You have an actor who has system level permissions that allowed creating and registering launchd scripts. A browser extension cannot do that by itself. You've stopped the obvious parts of this malware, and that's absolutely all.
This machine needs to be wiped. If you don't have backups - move critical files and media to a new machine, ideally running a different OS, or to a cloud service.
And change your internal network passwords as well after you do the fresh install. The old ones are probably already in the hands of that malware's author(s).
Might not be enough, since some viruses use firmware and other things to make themselves more difficult or impossible to remove properly, if you remember the story about HDD firmware being infected. Rootkits have existed for a long time now.
Not to mention the Intel Management Engine thing, WiFi firmware, etc.
I believe in the conspiracy theory that computers are now built with low security in mind, to make them easier to compromise by 3-letter agencies, as long as those 3-letter agencies hold supremacy in cyber weapon warfare.
This still enables a few rogue black hats to lockpick those vulnerabilities every once in a while, until most of them are caught and neutralized (either sent to prison or forced to work for those agencies).
> Might not be enough, since some viruses are using firmwares and other things to be made more difficult or impossible to remove properly
I object to this vague and incurable diagnosis as an everyday response. I don't enjoy this topic, but I practice good hygiene, habits and backups. Keep the possibility in mind? Sure, let's not be naive. Destroy the hardware every time? No, just no.
Certainly if the user executes or opens them (e.g. a .doc) they're pwned, but automated systems can also have exploits. I'm trying to make a list of these services (and maybe disable them) to minimize my footprint (I often test out untrusted code from GitHub etc. in a small secretive community, i.e. easy to target).
For Ubuntu 21.04+, I'm aware of:
- gnome-tracker-miner
- gnome-thumbnailer (may require browsing in nautilus)
- mlocate
At least the first two appear to be sandboxed, though the efficacy is unclear.
Any other services that you're aware of that would be automated vectors?
> I'm trying to make a list of these services (and maybe disable them) to minimize my footprint (I often test out untrusted code from GitHub etc. in a small secretive community, i.e. easy to target)
If you're running a lot of "untrusted code from github", then the list of services you have enabled or disabled on your system isn't going to make a difference.
For someone who frequently runs untrusted code, I'd recommend learning any of:
1. qemu / virsh / how to quickly and efficiently spin up isolated VMs
The first two options will be a more secure way to run untrusted code and provide actual protection. The 3rd has better usability, though isn't as secure.
Disabling local thumbnailing services... yeah, sure, do that, but don't expect it to really do much against "testing out untrusted code".
Some good tips on running untrusted code in VMs. If possible I'm interested to learn why you consider qemu based VMs as more secure than QubesOS? If I get it right QubesOS is Xen based so is it about the hypervisor or something else that favours qemu in your opinion?
QubesOS inherently has a higher attack surface due to the features it's added to be more usable.
An AWS VM in the cloud I ssh into can't possibly snoop on another window I have open.
QubesOS on the other hand includes usability features like displaying graphical interfaces from VMs, clipboard sharing features, etc. https://www.qubes-os.org/doc/gui/
These usability features increase attack surface, whether they're implemented on top of a Xen or KVM hypervisor.
My assumption for a local qemu setup is that the user wouldn't use things like 9p or display sharing, which I think means a smaller enough attack surface to make a difference.
I explicitly said "if the user executes ... they're pwned" and never said anything about "running". You're implying I'm taking far more risk than I am.
I'm trying to understand (and minimize, if needed) the automated risks of having untrusted files *stored* locally, which would give me time to read them and develop a level of trust.
FWIW, if I need to run something untrusted, I'm using #2 some, but mostly:
4. A 2nd (untrusted) machine running locally, which is beefier than my laptop and is also used for benchmarking.
I've never seen any unusual behavior from it, but I treat it as though it's compromised.
KnockKnock looks for malware like this rogue launchd service.
You use it to quickly check for the presence of some forms of malware. It can integrate with VirusTotal databases.
BlockBlock runs as a background process, and blocks installation of launchd services and kernel extensions. It displays a (rather technical) alert when something tries to install such features. Relatively lightweight.
I also use Little Snitch, from (unrelated) Objective Development:
It's quite a bit more complicated, a firewall with a sophisticated user interface that blocks outgoing traffic by default. The alerts let you add rules to allow such traffic. It can generate a _lot_ of alerts as you gradually build up a set of rules that match your usual usage.
I've recently re-installed macOS from Recovery, and I was pleasantly surprised that Little Snitch wasn't often triggered as I went about using my Mac.
I wouldn't necessarily recommend a blocking firewall like Little Snitch for ordinary users; they wouldn't be able to deal with all the alert noise. Like Windows Vista, all over again. But I've come to rely on it... Objective-See has a similar, free tool, if you want to see what I mean.
I strongly recommend Objective-See tools. They are free and (I believe) open source.
I guess it has been a while since I last checked Objective-See. Last I was there, I was considering installing LuLu instead of Little Snitch, but felt the overall user experience was better with Little Snitch.
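As an added example for the KnockKnock discussion above (this is not KnockKnock's or Objective-See's code), here is a small stdlib-only Python audit of launchd property lists. It flags the traits a rogue launch agent like the one in this thread tends to show: an Apple-looking label whose binary lives outside Apple's own paths, a job that launches a shell or other interpreter directly, references to scratch or hidden directories, and RunAtLoad combined with KeepAlive. The heuristics are a rule of thumb chosen for the example, and the two sample plists are constructed; their labels, paths and arguments are made up.

```python
"""Audit launchd plists for traits common to rogue launch agents.

Added example for this thread; not KnockKnock or Objective-See code.
Standard library only. The heuristics are a rule of thumb, and the
sample plists at the bottom are constructed (label, paths, arguments
are made up).
"""
import plistlib
import tempfile
from pathlib import Path

# Directories launchd reads on macOS; the home-relative one is the
# per-user agents folder, where an extension-dropped job would land.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    str(Path.home() / "Library" / "LaunchAgents"),
]

# Interpreters that legitimate agents seldom launch directly.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/curl"}
# Scratch locations a persistent job has little reason to reference.
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Where Apple's own launchd items actually live.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def program_of(job):
    """Return the executable a launchd job runs (Program wins over
    ProgramArguments[0]), or '' if the plist names none."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_job(job, label_hint=""):
    """Return human-readable findings for one parsed plist dict.
    An empty list means none of the heuristics fired."""
    findings = []
    prog = program_of(job)
    args = list(job.get("ProgramArguments") or [])
    label = job.get("Label", label_hint)

    if not prog:
        findings.append("no Program or ProgramArguments")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_BINARY_PREFIXES):
        findings.append(f"Apple-style label but binary outside Apple paths: {prog}")
    if prog in INTERPRETERS:
        findings.append("launches an interpreter directly: " + " ".join(args))
    for ref in [prog, *args[1:]]:
        if ref.startswith(SCRATCH_DIRS):
            findings.append(f"references a scratch directory: {ref}")
        if "/." in ref:
            findings.append(f"references a hidden path: {ref}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunches whenever killed")
    return findings


def scan_dirs(dirs=LAUNCHD_DIRS):
    """Parse every *.plist in dirs; return {path: findings} for jobs
    with at least one finding (unparseable files are reported too)."""
    results = {}
    for d in dirs:
        for path in sorted(Path(d).glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # malformed file we cannot read
                results[str(path)] = [f"unparseable plist: {exc}"]
                continue
            findings = audit_job(job, path.stem)
            if findings:
                results[str(path)] = findings
    return results


# Constructed samples: the shape of a rogue agent vs. an ordinary one.
SAMPLE_ROGUE = {
    "Label": "com.apple.updater.helper",  # made-up label
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.helper/update.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
SAMPLE_BENIGN = {
    "Label": "com.example.backup",
    "Program": "/Applications/Example Backup.app/Contents/MacOS/agent",
    "StartInterval": 3600,
}


def demo():
    """Write both samples to a temp folder and scan it; only the rogue
    one should come back."""
    with tempfile.TemporaryDirectory() as tmp:
        for job in (SAMPLE_ROGUE, SAMPLE_BENIGN):
            with open(Path(tmp) / f"{job['Label']}.plist", "wb") as fh:
                plistlib.dump(job, fh)
        return scan_dirs([tmp])


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it as-is to see the constructed rogue agent flagged five times and the benign one pass; call `scan_dirs()` with no argument on a Mac to walk the real launchd folders. It reads plists only and changes nothing, so it is safe to run before deciding what to unload.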
Seeing that they've made a whole host of privacy oriented tools surprised me a lot. I will be trying out a few of them.
I had a similar experience with my significant other. Instead of typing "selectmedical.com" she didn't type the "c" and got "selectmedial.com". It prompted her to install a browser extension "necessary for the site to work". I imagine that the author's partner did something similar.
I've looked through the network inspector on redirects like these and it's actually pretty interesting. Usually they start with a parked domain on a service like Sedo, or other ad services like PropellerAds, then you're redirected through sites that buy (potentially low quality) traffic, detect bots, and resell the now bot-free traffic for more than they bought it for. One company that does this is Intango. (They own forwrdnow.com, clksite.com, mybetterdl.com, 7proof.com, etc) The adware extensions and tech support scams and Capital One Shopping then buy that traffic and do their thing.
It’s crazy how Capital One Shopping fits into that sentence so nicely. The first time I got a Capital One popunder I googled for minutes in shock that it was actually Capital One and not a scam using their brand without permission.
> A Chrome extension can basically deny the "normal" uninstallation route by preventing you from getting to chrome://extensions (and presumably about://addons for Firefox, etc.)
This seems like something that the Chrome/Firefox security teams could explore changing. Have you considered opening tickets with them? It's possible that they are simply unaware of this behaviour.
Heh, I actually use a productivity extension for Firefox that prevents me from visiting certain sites during certain hours, and it deliberately offers the ability to disable about:addons as well during that time so that I can't easily turn the blocking off.
Your machine is still infected, and who knows what else it’s targeted. Wipe it, and if your partner works with anything sensitive on the laptop I’d consider that compromised.
> And as the last step after removing the malware, I took the opportunity to install uBlock Origin on my partner's computer. I'm sympathetic to website operators who want to support their free sites using ads, but these ads are often malicious ...
Exactly. This is why I will never side with LTT's "adblock is piracy and hurts creators waaaa waaa" bullshit. Ads are more often than not malicious, using clickbait to get people to... click on them.
If Google made a paid adblocker extension that let you "pay" to not be shown any Google ads anywhere, on your phone, on your PC, YouTube, Google search, or any other website that shows them, I wouldn't mind paying for that.
Since no one offers what I want in a way that gets them paid, I'll use the free method instead.
> I'm sympathetic to website operators who want to support their free sites using ads, but these ads are often malicious, leading to installers for malware like the one described in this post.
Put Linux on the net with SSH enabled and a weak root password and watch it get infected within minutes. I did that with a memory-only installation, and multiple different people attacked it.
I assume they fought with each other for control of the machine, but I rebooted it instead.
Try it, it's interesting: use a USB stick to boot it, and make sure to physically disconnect all hard drives.
I think they mostly just want to send spam emails.
Worked at a smaller mom-and-pop business. We only had two sysadmins. One day, I went over to ask about some web hosting. One admin was sitting there, eating lunch and giggling, while lines and lines of code kept scrolling by on one of his monitors.
ME: "What's so funny?"
Dan: "You see that? Take a closer look."
ME: "What am I even looking at?"
Dan: "Simple script I built to track bots trying to break into our Linux box (server). What you're watching is a metric fuck ton of Chinese and other bots trying to brute force the login."
He explained that any new server connected to the internet, regardless of OS, will be instantly attacked, like you said. The server in question had only been online for about 30 minutes and we were watching an endless stream of automated attacks from different bots. The failed login attempts were blocked after two attempts and the IP addresses logged for further review, but the bots would just respawn from different IP ranges and try again. It was pretty crazy.
It was a big eye opener for me. I had no idea it was that bad. Man, was I naïve!
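As an added example for the two comments above (this is not Dan's script, which the thread does not show), here is the same idea over constructed sshd log lines: count failed logins per source address, block after two failures as described, and, going a little beyond the story, roll the failures up per /24 (since the bots hop addresses) and flag any accepted login from an address that had already failed, which is the outcome that needs a human immediately. The log excerpt, hostnames, PIDs and addresses (documentation ranges) are all constructed; the line shapes follow OpenSSH's auth.log format.

```python
"""Count failed sshd logins per source and decide what to block.

Added example for this thread; it is not the script described above
(which is not shown). The log lines below are constructed and use
documentation IP ranges; the format follows OpenSSH's auth.log lines.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# OpenSSH shapes: "Failed password for [invalid user] USER from IP port N"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none|keyboard-interactive\S*) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
THRESHOLD = 2  # block after two failures, as in the story above


def analyze(lines, threshold=THRESHOLD):
    """Single pass over log lines. Returns a dict with:
    blocked   - IPs at or over the failure threshold
    attempts  - failures per IP
    users     - usernames tried per IP (a spray of names = bot)
    subnets   - failures rolled up per /24, since bots hop addresses
    successes_after_failures - accepted logins from an IP that had
                already failed: the case that needs a human now
    """
    attempts = Counter()
    users = defaultdict(set)
    wins = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and attempts[m["ip"]] > 0:  # Counter lookup does not insert
            wins.append((m["ip"], m["user"], m["method"]))
    subnets = Counter()
    for ip, n in attempts.items():
        subnets[str(ip_network(f"{ip}/24", strict=False))] += n
    return {
        "blocked": sorted(ip for ip, n in attempts.items() if n >= threshold),
        "attempts": dict(attempts),
        "users": {ip: sorted(names) for ip, names in users.items()},
        "subnets": dict(subnets),
        "successes_after_failures": wins,
    }


# Constructed sample auth.log excerpt (hostname, PIDs and IPs made up).
SAMPLE_AUTH_LOG = """\
Mar  3 12:00:01 web sshd[4021]: Failed password for root from 203.0.113.10 port 40212 ssh2
Mar  3 12:00:02 web sshd[4021]: Failed password for root from 203.0.113.10 port 40213 ssh2
Mar  3 12:00:04 web sshd[4025]: Failed password for invalid user admin from 203.0.113.44 port 51002 ssh2
Mar  3 12:00:05 web sshd[4026]: Failed password for invalid user oracle from 203.0.113.44 port 51003 ssh2
Mar  3 12:00:05 web sshd[4026]: Failed password for invalid user test from 203.0.113.44 port 51004 ssh2
Mar  3 12:00:07 web sshd[4030]: Failed password for pi from 198.51.100.9 port 39001 ssh2
Mar  3 12:00:09 web sshd[4031]: Accepted publickey for alice from 192.0.2.5 port 50012 ssh2: ED25519 SHA256:constructed
Mar  3 12:00:11 web sshd[4033]: Disconnected from authenticating user root 203.0.113.10 port 40213 [preauth]
Mar  3 12:00:12 web sshd[4035]: Accepted password for root from 203.0.113.10 port 40220 ssh2
""".splitlines()


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    print("block:", ", ".join(report["blocked"]))
    for net, n in report["subnets"].items():
        print(f"  {net}: {n} failures")
    for ip, user, method in report["successes_after_failures"]:
        print(f"ALERT: {user}@{ip} accepted via {method} after earlier failures")
```

Feed `analyze()` the lines of a real auth.log (or `journalctl -u ssh` output) to get the same report; the two-failure threshold is aggressive, as in the story, and a real deployment would pair it with an allow-list so an admin's own typo does not lock them out.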
It was also 'yet' for the first 20 years I used macOS.
Get a large enough user base, and malware will follow, and that may be the reason Linux is still relatively free from malware. Despite advancements, normal people still don't run Linux. It's either IT people or people who had their IT friend/child/whatever install it for them.
With browser extensions being used as delivery platforms, it may not be long until it hits Linux as well. The same delivery method (using a user launchd job) would work for a user systemd job.
Wine got good enough to run at least some malware. You might need some weird config flags though. Don't really know if this is a pro linux or contra linux comment.
An elephant in the room is that no one really reports on how mobile phones get pwned, just the bigger personal computing devices, i.e. laptops and desktops.
3 years ago, India blocked my internet access (well, for an entire population of around 8 million) for around 7-8 months. Anyways, I was expected to do tax compliance, and the government "permitted" limited-access terminals as a sort of olive branch because they were charging late fees/interest for late filings.
Long story short, I had to access the internet on unsecured Windows 7 machines that were as dirty as a public restroom at a fair. I had to upload documents on multiple occasions and managed to infect my media with all sorts of viruses.
I decided to "keep" them; if someone is interested in testing them out in a VM or something, I would be glad to share.
He did delete the malicious extension and the associated launchctl entries, but did he close whatever holes the malicious extension got installed through in the first place?
Kind of interesting that whatever attacker was on the computer had code execution access but limited themselves to adware. You'd expect malware with this amount of privileges to do something more profitable (like install ransomware or a botnet for mining coins while the machine is idle). Ads pay millicents per view, it's gotta be tough to make any money from them unless you've managed to get a huge amount of installs!
Then do a completely fresh install of the OS.