<solved> find malware/virus on linux mint

dotnetCarpenter
Level 1
Posts: 3
Joined: Mon Oct 15, 2018 12:32 pm

<solved> find malware/virus on linux mint

Post by dotnetCarpenter » Fri Oct 19, 2018 11:26 am

Hi all. This is my first post, so let me know if I'm missing something.

I have for some time been getting notifications that look like click bait, and I need help to track down the origin. Searching both in this forum and elsewhere does not seem to yield anything usable. https://duckduckgo.com/?q=find+which+ap ... linux+mint

I have never clicked on them out of fear of triggering something much worse.

An example:

Code:

[2018-10-15T15:49:36]
app_name=Firefox
summary=*** CONGRATULATIONS! ***
body=Press here to claim your reward
app_icon=5f579e96e31a5c816466345ffe1152d9
expire-timeout=5000
action-id-0=default
action-label-0=Activate
The body language is usually Danish but, as you can see here, sometimes English.

I initially thought that it was from Firefox, since app_name=Firefox. But I see the spammy notifications even in safe mode, and I have tried to run Firefox with all add-ons disabled, and going through each add-on, activating only one per browser session, i.e. I closed Firefox between each run.

I only have 3 add-ons:
  • Firefox Multi-Account Containers 6.0.0 - from mozilla
  • uBlock Origin 1.17.2 - from Raymond Hill
  • Vue.js devtools 4.1.5 (usually disabled) - from Evan You
I have switched to Chromium but there is no change - I'm still getting the same kind of notifications.

I have a slow computer and a full antivirus scan takes many hours, so I had to wait a while until I could start it and run it during the night.
I used Clam AntiVirus: Scanner 0.100.2 as sudo clamscan -v -r /

The results are:

Code:

----------- SCAN SUMMARY -----------
Known viruses: 6681757
Engine version: 0.100.2
Scanned directories: 256820
Scanned files: 1529331
Infected files: 0
Total errors: 59164
Data scanned: 32465.43 MB
Data read: 70621.40 MB (ratio 0.46:1)
Time: 33047.621 sec (550 m 47 s)
Machine info:

Code:

Kernel: 4.15.0-36-generic x86_64 bits: 64 gcc: 7.3.0
Desktop: Xfce 4.12.3 (Gtk 2.24.31)
Distro: Linux Mint 19 Tara
According to mintUpdate, my machine is always fully upgraded with the latest security patches.

Excerpt of notifications I'm getting:

Code:

[2018-10-13T21:41:21]
app_name=Firefox
summary=Emma (370 meter fra dig)
body=
app_icon=76efd8531dde13c025c922ae2864c661
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-13T22:36:43]
app_name=Firefox
summary=Emma (370 meter fra dig)
body=
app_icon=76efd8531dde13c025c922ae2864c661
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-13T23:23:01]
app_name=Firefox
summary=Emma (370 meter fra dig)
body=
app_icon=76efd8531dde13c025c922ae2864c661
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-15T15:49:36]
app_name=Firefox
summary=*** CONGRATULATIONS! ***
body=Press here to claim your reward
app_icon=5f579e96e31a5c816466345ffe1152d9
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-15T15:49:38]
app_name=Firefox
summary=Selma visited your profile
body=
app_icon=8520f912a3c7f063dd5c4b7f24867abe
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-15T15:51:03]
app_name=Firefox
summary=Samsung belønning venter
body=Anmodning inden det udløber
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-15T16:49:49]
app_name=Firefox
summary=Selma visited your profile
body=
app_icon=8520f912a3c7f063dd5c4b7f24867abe
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-15T17:31:25]
app_name=Firefox
summary=Selma visited your profile
body=
app_icon=8520f912a3c7f063dd5c4b7f24867abe
expire-timeout=5000
action-id-0=default
action-label-0=Activate

[2018-10-15T18:13:21]
app_name=Firefox
summary=Selma visited your profile
body=
app_icon=8520f912a3c7f063dd5c4b7f24867abe
expire-timeout=5000
action-id-0=default
action-label-0=Activate
If you made it this far, I want to thank you for taking the time to help me. Thanks!
Last edited by dotnetCarpenter on Tue Oct 23, 2018 8:15 am, edited 1 time in total.

gm10
Level 12
Posts: 4146
Joined: Thu Jun 21, 2018 5:11 pm

Re: find malware/virus on linux mint

Post by gm10 » Fri Oct 19, 2018 11:48 am

Did you check your notification settings in Firefox preferences?

dotnetCarpenter
Level 1
Posts: 3
Joined: Mon Oct 15, 2018 12:32 pm

Re: find malware/virus on linux mint

Post by dotnetCarpenter » Fri Oct 19, 2018 12:02 pm

Good catch! I didn't think about that. There are two allowed sites. One, https://www.torrentfunk.com (I've disabled the link so they don't gain PageRank), looks suspicious. The other one is slack.com.

I'm now blocking it and will return with whether or not it helped.

I thought that notifications were only possible when you had loaded the site in a tab. I'm getting this when the firefox process is not even running!

...and I'm a web developer... :roll: Reading up on Web Push notifications now.
Last edited by dotnetCarpenter on Fri Oct 19, 2018 12:27 pm, edited 1 time in total.
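The permission list gm10 pointed at lives in the profile's permissions.sqlite. As an added example (not code from the thread), this script lists every origin a Firefox profile allows to show desktop notifications, which is exactly the grant a site needs to push spam via a service worker after the tab is gone. It assumes the moz_perms table layout (origin, type, permission with 1 = allow, 2 = deny) that Firefox 60-era profiles use; the in-memory database is constructed sample data.

```python
import sqlite3
from pathlib import Path

DESKTOP_NOTIFICATION = "desktop-notification"
ALLOW, DENY = 1, 2  # meaning of moz_perms.permission in Firefox profiles


def notification_permissions(conn):
    """Map origin -> 'allow'/'deny' for every desktop-notification entry."""
    rows = conn.execute(
        "SELECT origin, permission FROM moz_perms WHERE type = ?",
        (DESKTOP_NOTIFICATION,),
    )
    labels = {ALLOW: "allow", DENY: "deny"}
    return {origin: labels.get(perm, f"unknown({perm})") for origin, perm in rows}


def allowed_origins(conn):
    """Sorted list of origins that may show notifications (push spam suspects)."""
    return sorted(o for o, v in notification_permissions(conn).items() if v == "allow")


def open_profile_db(profile_dir):
    """Read-only connection to <profile>/permissions.sqlite (close Firefox first)."""
    db = Path(profile_dir) / "permissions.sqlite"
    return sqlite3.connect(f"file:{db}?mode=ro", uri=True)


def constructed_db():
    """Constructed in-memory stand-in for permissions.sqlite with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, type TEXT,"
        " permission INTEGER, expireType INTEGER, expireTime INTEGER,"
        " modificationTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, expireTime,"
        " modificationTime) VALUES (?, ?, ?, 0, 0, 0)",
        [
            ("https://www.torrentfunk.com", DESKTOP_NOTIFICATION, ALLOW),
            ("https://slack.com", DESKTOP_NOTIFICATION, ALLOW),
            ("https://example.org", DESKTOP_NOTIFICATION, DENY),  # blocked site
            ("https://example.net", "cookie", ALLOW),  # unrelated permission type
        ],
    )
    return conn


if __name__ == "__main__":
    for origin in allowed_origins(constructed_db()):
        print("notifications allowed:", origin)
```

Point open_profile_db at ~/.mozilla/firefox/<profile>/ instead of constructed_db() to audit a real profile; any origin you do not recognise is a candidate to set back to "Block" in the Firefox notification settings.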

administrollaattori
Level 14
Posts: 5478
Joined: Tue Sep 03, 2013 4:51 am
Location: Finland

Re: find malware/virus on linux mint

Post by administrollaattori » Fri Oct 19, 2018 12:18 pm

Via Terminal commands

Code:

mv .mozilla .mozilla.bad && mv .config/chromium .config/chromium.bad

Code:

rm -rf .cache/
Close browsers before those commands.

dotnetCarpenter
Level 1
Posts: 3
Joined: Mon Oct 15, 2018 12:32 pm

Re: find malware/virus on linux mint

Post by dotnetCarpenter » Tue Oct 23, 2018 8:14 am

After blocking https://www.torrentfunk.com, I have not received any notifications.
I have also not been able to reproduce the scenario where I get notifications even when Firefox is closed, so perhaps I was wrong and had Firefox running without knowing.

Anyway, the issue was that I got click-bait notifications from https://www.torrentfunk.com via the Firefox Push Notification API. Blocking the website solved the issue.

@gm10 Thanks for the suggestion - you nailed it!

gm10
Level 12
Posts: 4146
Joined: Thu Jun 21, 2018 5:11 pm

Re: <solved> find malware/virus on linux mint

Post by gm10 » Tue Oct 23, 2018 8:25 am

Happy to help, and good thing it wasn't actual malware (although all those background services that live in your browser's eco-system these days can get close - yay service workers ;)).

Pjotr
Level 20
Posts: 10973
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: <solved> find malware/virus on linux mint

Post by Pjotr » Tue Oct 23, 2018 8:34 am

Web Push notifications come from hell. :evil: