[sf-lug] "RANSOM VIRUS" ATTACHED TO WEB SITE?

Rick Moen rick at linuxmafia.com
Thu Jun 8 11:19:21 PDT 2017


Quoting acohen36 (acohen36 at SDF.ORG):

> While maybe not _directly_ related to Mikki's Startpage FF/IW Add-on
> "Ransom Virus", I'm wondering whether the similar advice for Debian
> Linux at 'DontBreakDebian' wiki.debian.org/DontBreakDebian applies
> here as well??

Yes.  Very much.

Having slept on the matter and read some of Michael P.'s links about
Startpage (which I hadn't heard about before last night), I can hazard a
few extra comments.

1.  If I seemed to have implied that Startpage's extension is malign,
nasty software, no.  Not my intention.  In fact, the project's intention
seems commendable.  Quoting Michael's Wikipedia link:

  Ixquick (styled "ixquick") is a metasearch engine based in New York
  and the Netherlands that highlights privacy as its distinguishing
  feature from other internet search engines.

(Startpage is a project of Surfboard Holdings B.V. doing business as
Ixquick.)

As Michael says, the function of the (scarily unmaintained)
proprietary-software extension is to reroute all search queries through
Web site Startpage.com (which the firm owns).  Startpage.com then serves
as a proxy and retransmits those queries to Google Search on the user's
behalf.  The ostensible benefit of this proxying is that Google Search
isn't able to log the user's IP address and correlate it with search
contents.  Fair enough.  OTOH, the privacy loss you avoid suffering to
Google, Inc., you then turn around and suffer to Surfboard Holdings
B.V., so it's not clear to me this is -- even in theory -- an advantage,
merely more complicated than without the extension.

Rule of thumb:  Just adding more layers of complexity is a poor way of
achieving security.  (See also: antiviral software.)

Surfboard Holdings B.V. d/b/a Ixquick seem like nice people, don't get
me wrong.  (OTOH, a browser extension that's not only proprietary but
also hasn't been maintained for nearly 8 years is bad news.)


2.  Michael's link to the guy claiming the Startpage.com Web site is
'infected by JS:ScriptIPinf[Trj]' is actually an erroneous user report
-- but a revealing one.

Complaining user vcatao starts out his/her report with a statement that 
Startpage.com is 'the default search engine in [Firefox]', which is not
the case.  The highest-rated commenteer picked up on this telling
detail, and advises vcatao that he/she must have accidentally executed
some malware that redirected his choice of search engine (and doubtless 
carried out other mischief).

It is unfortunately very common for naive users to get suckered into 
installing 'toolbars' and similar shiny-object software of doubtful
nature and from doubtful sources.  That software then trojans the user's 
desktop environment.

In fact, there are a variety of well-known trojans (such as one called
Trojan-StartPage) that, when executed (among other things) set the
user's browser home page to StartPage.com, 'commonly done to display
advertising to the user, exploit the browser to run other threats, or to
promote misleading application'.


3.  The best way to deal with the presence of trojan software lurking
around the Internet is, very simply, not to run it.  E.g., don't install
'toolbars' from nobody-in-particular.  As mentioned upthread, your Linux
distribution's package-management system and software-distribution chain
exist for a reason -- to ensure that you get only maintained, vetted
software that isn't doing tricks for Internet criminals.  You abandon
the protection of that system at your peril.


4.  In this case, I suspect the original poster's problem originated 
in doing exactly that, but that what got unwisely run was something
_other_ than the Startpage extension for Firefox.  I suspect that 
Startpage's role is an incidental side-effect of the original poster
having fetched and executed trojaned software.




> From what I've read related to this, I think there have been similar
> heightened concerns about using Personal Package Archives (PPA's)
> _specifically_ on Ubuntu and its derivatives.
> E.g., see askubuntu.com/questions/35629/are-ppas-safe-to-add-to-my-system-and-what-are-some-red-flags-to-watch-out-for

Sure.  Same caution as the one I made about addons.mozilla.org applies.
ppa.launchpad.net is a public bazaar (albeit not nearly as scary as
addons.mozilla.org), and any software you get from there is only as good
and reputable as its publisher is.  The offerings are from private
individuals, not from Canonical, Ltd.
