[ltp] Spyware - my Intrepid under attack?

cr linux-thinkpad@linux-thinkpad.org
Sun, 13 Sep 2009 12:28:10 +1200


On Sunday 13 September 2009 07:45:09 Stephen Ryan wrote:
> On Sat, Sep 12, 2009 at 3:36 PM, Andrea Levin <andrea.b.levin@gmail.com> wrote:
> > Whew, and thanks so much for the reassuring and informative replies - and
> > indeed, The Thing looked exactly like the Thing on the link at
> > http://likuidkewl.blogspot.com/2009/05/oh-no-windows-viruses-on-my-linux-box.html.
> > Now that I've caught my breath, I can see it was one of those
> > rogue security software things. And still wondering exactly how it came
> > in.
>
> I downloaded the same spreadsheet and saw the same screen, so I'm
> pretty sure that's where it came from; I just killed the browser to
> get rid of the popups.

I think it runs in Java in your browser.

I got that damn thing a few days ago - in Opera, running under Debian. I
have no idea what site it came from. It was obviously a spoof since it was
showing Windows directories that don't exist on my system (and equally
obviously a Windows virus scanner won't even run under Linux). So it must
have been running in Java in my browser. It popped up an 'error box' and
when clicked on to close it, just popped it up again before I could reach the
tab page 'close' button, so making it impossible to close the tab. [*] I
found hitting 'Enter' also closed the errorbox, so I moved the mousepointer
to the browser's 'Tab close' button, hit 'Enter' to close the errorbox and
clicked on the 'Tab close' before the errorbox could respawn. Then I
disabled Java in Opera.

The moral is, if some phony app starts telling you about all the *Windows*
viruses you've got in your Linux system, you can be sure it's bogus.

[*] I've actually omitted a bit here for brevity - I actually did Alt-1 to
get to another window, used 'top' in a command-line window to find Opera's
PID, and killed it. But when I reloaded Opera, it was set to reload its
pages so the offending spoof came right back. That's when I figured I had
to close that tab somehow.

cr