Malware Found In The Ubuntu Snap Store


Re: Malware Found In The Ubuntu Snap Store

Postby Bulkley » 2018-05-13 22:41

So how does one find a cryptocurrency miner on your system? What I've been able to find is excessive browser CPU use.
Bulkley
 
Posts: 5627
Joined: 2006-02-11 18:35

Re: Malware Found In The Ubuntu Snap Store

Postby bw123 » 2018-05-13 23:16

If you want linux to work like windows, it will work like windows.
bw123
 
Posts: 3394
Joined: 2011-05-09 06:02
Location: TN_USA


Re: Malware Found In The Ubuntu Snap Store

Postby HuangLao » 2018-05-13 23:34

bw123 wrote:If you want linux to work like windows, it will work like windows.


Yup...the more Linux leaves its Unix roots and mimics Windows the more it will suffer from the same ailments as windows.
HuangLao
 
Posts: 460
Joined: 2015-01-27 01:31

Re: Malware Found In The Ubuntu Snap Store

Postby sunrat » 2018-05-14 00:29

bw123 wrote:If you want linux to work like windows, it will work like windows.


Agreed. I refuse to use Snaps, Flatpaks, Appimages etc. on principle. Malware gives me an extra reason to avoid them. Pretty sure I haven't got any malware in 15 years of using Linux "the Linux way".
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
sunrat
 
Posts: 2451
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: Malware Found In The Ubuntu Snap Store

Postby ticojohn » 2018-05-14 01:12

Bulkley wrote:So how does one find a cryptocurrency miner on your system? What I've been able to find is excessive browser CPU use.

Yeah. Monitoring your CPU usage and internet usage is one way. I use Firefox ESR and installed the No Coin addon. It is supposed to block mining such as Coinhive. Don't know how well it works, mainly because I don't browse a lot of unknown websites, but it is supposedly a good addon. There are a lot of addons for both Firefox and Chromium that will do the same. Plus, the addon is supposed to have the ability to allow mining for a brief period if you need to allow mining while you are logging in to a site. Again, I don't know as I've never had the occasion to need it.

CAVEAT: Just noticed that the No Coin addon seems to significantly increase CPU usage. HMMM! Maybe it's not so good after all. May be better to just stick to the old tried and true methods. :oops:
Last edited by ticojohn on 2018-05-14 01:17, edited 1 time in total.
I'm not irrational, I'm just quantum probabilistic.
ticojohn
 
Posts: 801
Joined: 2009-08-29 18:10
Location: Costa Rica
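
One way to do the CPU monitoring suggested in the post above for native processes, as an added example that is not part of the original thread: sample /proc twice and list processes that kept a core busy for the whole interval. The 30-second interval, the 0.8 threshold and the SAMPLE_STAT line are assumptions made for this sketch.

```python
import os
import time

# Constructed /proc/<pid>/stat line; the process name contains spaces and ')'.
SAMPLE_STAT = ("1234 (my (odd) name) S 1 1234 1234 0 -1 4194304 "
               "100 0 0 0 500 250 0 0 20 0 1 0 100 1000000 200")

def parse_stat(stat_line):
    """Return (pid, comm, cpu_ticks) from one /proc/<pid>/stat line."""
    # comm is wrapped in parentheses and may contain ')' itself: cut at the LAST ')'.
    head, _, rest = stat_line.rpartition(")")
    pid, _, comm = head.partition(" (")
    fields = rest.split()
    # rest starts at field 3 (state); utime and stime are fields 14 and 15.
    return int(pid), comm, int(fields[11]) + int(fields[12])

def snapshot(proc="/proc"):
    """Map pid -> (comm, cpu_ticks) for every readable process."""
    out = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "stat")) as f:
                pid, comm, ticks = parse_stat(f.read())
        except (OSError, ValueError, IndexError):
            continue  # process exited between listdir() and open()
        out[pid] = (comm, ticks)
    return out

def busy_processes(before, after, interval, hz=100, threshold=0.8):
    """Processes that used at least `threshold` of one core over the interval."""
    hits = []
    for pid, (comm, ticks) in after.items():
        if pid not in before or before[pid][0] != comm:
            continue  # started during the interval or pid reused: no baseline
        share = (ticks - before[pid][1]) / (hz * interval)
        if share >= threshold:
            hits.append((pid, comm, round(share, 2)))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    interval = 30
    hz = os.sysconf("SC_CLK_TCK")  # clock ticks per second
    a = snapshot()
    time.sleep(interval)
    b = snapshot()
    for pid, comm, share in busy_processes(a, b, interval, hz):
        print(f"{pid:>7} {comm:<20} {share:.0%} of one core")
```

A process that shows up in several consecutive runs while the machine is otherwise idle is the one to look at; its binary path is in /proc/<pid>/exe.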

Re: Malware Found In The Ubuntu Snap Store

Postby Bulkley » 2018-05-14 01:14

bw123 wrote:If you want linux to work like windows, it will work like windows.

HuangLao wrote:Yup...the more Linux leaves its Unix roots and mimics Windows the more it will suffer from the same ailments as windows.

bw123 wrote:I refuse to use Snaps, Flatpaks, Appimages etc. on principle. Malware gives me an extra reason to avoid them. Pretty sure I haven't got any malware in 15 years of using Linux "the Linux way".

18 years for me. I agree with both of you. I am curious, though, about these miners. I may be wrong but I have the impression that they can get picked up by a browser, any browser. Is that correct?
Some websites are experimenting with in-browser mining as a revenue stream to replace advertising.
From HuangLao's first link.

When leaving a site the mining should stop. Are some sites leaving anything behind? Malfeasance is opportunity driven. There are sure to be those looking to exploit whatever and whichever. Consequently, is there a way to tell if a system is being exploited?
Bulkley
 
Posts: 5627
Joined: 2006-02-11 18:35

Re: Malware Found In The Ubuntu Snap Store

Postby Bulkley » 2018-05-14 01:21

Bulkley
 
Posts: 5627
Joined: 2006-02-11 18:35

Re: Malware Found In The Ubuntu Snap Store

Postby Lysander » 2018-05-14 08:07

So what's the takeaway from this? Use only software in the official repos? I don't use Snaps [don't know what they are, never looked into it], haven't used Flatpak in Stretch and I've only used one AppImage, which was Libreoffice 6 from the official site.

EDIT, so a snap

is a squashFS filesystem containing your app code and a snap.yaml file containing specific metadata. It has a read-only file-system and, once installed, a writable area.
is self-contained. It bundles most of the libraries and runtimes it needs and can be updated and reverted without affecting the rest of the system.
is confined from the OS and other apps through security mechanisms, but can exchange content and functions with other snaps according to fine-grained policies controlled by the user and the OS defaults.


So similar to a Windows .exe file, as far as I can see. What is the screening process for these before they are uploaded to the snap store?
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London

Re: Malware Found In The Ubuntu Snap Store

Postby ticojohn » 2018-05-14 13:23

Bulkley wrote:ticojohn, thanks for the tip. I found this: uBlock Origin Developers Take Steps to Block Cryptocurrency Mining Scripts

My pleasure. I use uBlock but not sure if they have yet implemented their version of blocking crypto mining. I see that the article you referenced was from September 2017, so maybe they have implemented that function. Will investigate. The article would seem to indicate that they have done so.
I'm not irrational, I'm just quantum probabilistic.
ticojohn
 
Posts: 801
Joined: 2009-08-29 18:10
Location: Costa Rica

Re: Malware Found In The Ubuntu Snap Store

Postby ticojohn » 2018-05-14 13:32

Update to Bulkley's comments on uBlock. I just took a look at uBlock's dashboard and the filters. They do indeed appear to be blocking several cryptocurrency miners, including Coinhive. So, based on my limited knowledge, I might recommend using uBlock.

Here is the uBlock filter list, for those interested
Code:
! uBlock Origin -- Resource-abuse filters
!
! To foil sites potentially abusing CPU/bandwidth resources without informed
! consent. Any such resource-abuse scripts MUST be opt-in, with complete
! informed consent from the visitor.

! https://github.com/uBlockOrigin/uAssets/issues/659
||edgeno.de^$script,third-party,domain=~edgemesh.com
/edgemesh.*.js$script,domain=~edgemesh.com|~edgeno.de

! https://github.com/uBlockOrigin/uAssets/issues/690
||coin-hive.com^$third-party
||coinhive.com^$third-party
||cnhv.co^$third-party

! https://github.com/uBlockOrigin/uAssets/pull/706
||jsecoin.com^$third-party

! https://github.com/uBlockOrigin/uAssets/pull/725
||minemytraffic.com^$third-party

! https://github.com/jspenguin2017/uBlockProtector/issues/624#issuecomment-333700969
/c-hive.js

! https://github.com/jspenguin2017/uBlockProtector/issues/636#issuecomment-334317456
||info^$script,third-party,domain=oload.info

! https://github.com/uBlockOrigin/uAssets/issues/742
||crypto-loot.com^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/746
||2giga.link^*hive$script

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/32
||ppoi.org^$third-party
||projectpoi.com^$third-party

! https://github.com/uBlockOrigin/uAssets/pull/748
||webmine.cz^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/754
||coinerra.com^$third-party
||listat.biz^
||lmodr.biz^
||mataharirama.xyz^$third-party
||minero.pw^$third-party
||reasedoper.pw^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/762
||coin-have.com^$third-party

! https://www.bleepingcomputer.com/news/security/the-internet-is-rife-with-in-browser-miners-and-its-getting-worse-each-day/
||coinblind.com^
||coinnebula.com^

! https://github.com/uBlockOrigin/uAssets/issues/803
||safelinkconverter.com^$script,third-party

! https://github.com/uBlockOrigin/uAssets/issues/813
/coinhive.min.js
/cryptonight.wasm
/cn.wasm
||monero-miner.net^$third-party

! https://forums.lanik.us/viewtopic.php?p=128461#p128461
||jsccnn.com^$third-party
||jscdndel.com^$third-party

! https://www.bleepingcomputer.com/news/security/cryptojacking-script-found-in-live-help-widget-impacts-around-1-500-sites/
! https://publicwww.com/websites/%22lhnhelpouttab-current.min.js%22/
/lhnhelpouttab-current.min.js
! https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/
||hatevery.info^$third-party

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/59
csgoconfigs.com##script:inject(abort-current-inline-script.js, m, CH.Anonymous)
||coinhiveproxy.com^$third-party

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/63
||coinpot.co^$third-party

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/64
||openkatalog.com^$subdocument

! https://forums.lanik.us/viewtopic.php?p=129242#p129242
/XMR-monero.js$script

! https://github.com/uBlockOrigin/uAssets/issues/986
! https://forums.lanik.us/viewtopic.php?p=129505#p129505
/noblock.js
||wty46.com^
||noblock.pro^$third-party
||cryptoloot.pro^$third-party

! https://forums.lanik.us/viewtopic.php?p=129545#p129545
/adsensebase.js$script

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/74
||csgocpu.com^$third-party

! https://thevideo.us/ts9cvh421kkp#downloadVideo
/helper.wasm

! other miners
.cf^*.wasm$third-party
.info^$script,third-party,domain=oload.tv|openload.co|streamango.com|streamcherry.com
.space^*.wasm$third-party
/cloudcoins.js
/cloudcoins.min.js
/coinblind.js
/coinblind_beta.
/coinlab.js
/cryptonight-worker.js
/deepMiner.js
/jsecoin.*/?
/miner-ui.js
/miner.js
/miner.min.js
/miner?key=
/obfus.min.js
/projectpoi.min.js
/wproxy$~third-party,websocket
/xminer.js
/xminer.min.js
/xmr.js
/xmr.min.js
://api.*/lib/native.wasm$third-party
||1beb2a44.space^$third-party
||300ca0d0.space^$third-party
||310ca263.space^$third-party
||320ca3f6.space^$third-party
||330ca589.space^$third-party
||340ca71c.space^$third-party
||360caa42.space^$third-party
||370cabd5.space^$third-party
||3c0cb3b4.space^$third-party
||3d0cb547.space^$third-party
||77.162.125.199^$third-party
||ad-miner.com^$third-party
||adminer.com^$third-party
||aeros01.tk^$third-party
||aeros02.tk^$third-party
||aeros03.tk^$third-party
||aeros04.tk^$third-party
||aeros05.tk^$third-party
||aeros06.tk^$third-party
||aeros07.tk^$third-party
||aeros08.tk^$third-party
||aeros09.tk^$third-party
||aeros10.tk^$third-party
||aeros11.tk^$third-party
||aeros12.tk^$third-party
||afminer.com^$third-party
||aleinvest.xyz^$third-party
||alemoney.xyz^$third-party
||altpool.pro^$third-party
||api.inwemo.com^$third-party
||azvjudwr.info^$third-party
||baiduccdn1.com^$third-party
||cdn.cloudcoins.co^$third-party
||cdn.cloudcoins.co^$third-party
||cloudcoins.co^$third-party
||coinhive-manager.com^$third-party
||coinhive-proxy.party^$third-party
||coinhive.com^$third-party
||coinlab.biz^$third-party
||coinminerz.com^$third-party
||cookiescript.info^$third-party
||crypto-coins.club^$third-party
||darking01.tk^$third-party
||darking02.tk^$third-party
||darking03.tk^$third-party
||darking04.tk^$third-party
||darking05.tk^$third-party
||darking06.tk^$third-party
||darking07.tk^$third-party
||darking08.tk^$third-party
||darking09.tk^$third-party
||deepc.cc^$third-party
||go.megabanners.cf^$third-party
||gus.host/coins.js
||jroqvbvw.info^$third-party
||jyhfuqoh.info^$third-party
||kdowqlpt.info^$third-party
||kiwifarms.net/js/Jawsh/xmr/xmr.min.js
||megabanners.cf^$third-party
||megabanners.cf^$websocket
||minecrunch.co^$third-party
||miner.pr0gramm.com^$third-party
||minero-proxy-*.sh^$third-party
||minero-proxy-01.now.sh^$third-party
||minero-proxy-02.now.sh^$third-party
||minero-proxy-03.now.sh^$third-party
||minexmr.com^$third-party
||mmpool.org^$third-party
||monerominer.rocks^$third-party
||now.sh/*.wasm$third-party
||onlinereserchstatistics.online^$third-party
||papoto.com^$third-party
||podrltid.info^$third-party
||pool.supportxmr.com^$third-party
||rapidvideo.com/J5xj_2.js
||rawgit.com/Pocketart/$script,third-party
||reactor.cc^*.wasm
||rocks.io^$third-party
||sbhmn-miner.com^$third-party
||secumine.net^$third-party
||siteverification.online^$third-party
||siteverification.site^$third-party
||subloader.cf^$third-party
||supportxmr.com^$third-party
||xbasfbno.info^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1106
||theappguruz.com^$csp=child-src 'none';frame-src 'self' *;worker-src 'none';
||theappguruz.com/vendor/composer/installed.js$script

! https://github.com/uBlockOrigin/uAssets/issues/1116
||d3ahinqqx1dy5v.cloudfront.net^
||cloudfront.net/mmfb2.html

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/84
||minr.pw^$third-party
||cdn.jquery-uim.download^$third-party
||cndhit.xyz^$third-party
||g-content.bid^$third-party
||statistic.date^$third-party
||ad.g-content.bid^$third-party
||cdnfile.xyz^$third-party
||cnt.statistic.date^$third-party
||web.clod.pw^$third-party
||static-net.nut.cc^$third-party
||static-02.flu.cc^$third-party
||cdn.static-cnt.bid^$third-party
||web.dle-news.pw^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1149
vidzi.tv##script:inject(abort-on-property-write.js, decodeURIComponent)
||vidzi.si^$csp=worker-src 'none';

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/85#issuecomment-354658527
||cryptobara.com/client/worker.js

! http://www.myfeed4u.net/watch/2363948/1/Mayer-Tsitsipas-ATP-Doha.html
||myfeed4u.net^$csp=child-src 'none';frame-src *;worker-src 'none';

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/85#issuecomment-354672506
||reservedoffers.club^$csp=child-src 'none';frame-src *;worker-src 'none';

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/87
||skyback.ru^$csp=child-src 'none';frame-src *;worker-src 'none';
||biberukalap.com^
||gridiogrid.com^

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/88
||extratorrent.cd^$csp=child-src 'none';frame-src *;worker-src 'none';

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/90
||thepiratebay.cr^$csp=child-src 'none';frame-src *;worker-src 'none';
*?proxy=$script

! kickass mining
||kickass.cd^$csp=child-src 'none';frame-src *;worker-src 'none';

! https://github.com/uBlockOrigin/uAssets/issues/986
||ddmix.net^$csp=child-src 'none';frame-src *;worker-src 'none';
||whathyx.com^

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/94
||analytics.blue^

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/97
/bootstrap.wasm$xmlhttprequest
||smectapop12.pl^

! https://github.com/uBlockOrigin/uAssets/issues/1318
||zlx.com.br/assets/playermon.js$script

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/101
*$csp=worker-src 'none',domain=a-o.ninja|alltube.tv|byter.tv|centrum-dramy.pl|hentai-online.pl|lewd.ninja|love-drama.pl|milujivareni.cz|tokyodrift.ga|vidfile.net
||vidfile.net/*.wasm
/angular8.js
||tubetitties.com/worker.js

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/104
||flare-analytics.com^
||fileone.tv^$csp=child-src 'none';frame-src 'self' *;worker-src 'none';

! https://github.com/uBlockOrigin/uAssets/issues/1351
||miner.nablabee.com^$third-party

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/111
||m.anyfiles.ovh^
/deepMiner.min.js

! https://github.com/uBlockOrigin/uAssets/issues/1369
/crn.wasm
||freecontent.bid^$third-party

! https://github.com/easylist/easylist/commit/b750557d82c3f56b0b4ba31bbd9a21b2536a6841#commitcomment-27140868
||300mbfilms.co^$csp=worker-src 'none';
||cryptonoter.com^$third-party
||mutuza.win^$third-party

! https://github.com/easylist/easylist/issues/861
tubettajat.net##script:inject(abort-on-property-read.js, miner)
||crypto-webminer.com^$third-party
||cryweb.github.io^
||crywebber.github.io^

! https://forums.lanik.us/viewtopic.php?f=62&t=39806
||adless.io^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1402
||movie4k.is^$csp=worker-src 'none';
||vzhjnorkudcxbiy.com^

! https://www.reddit.com/r/uBlockOrigin/comments/7tgjce/new_cryptocurrency_mining_website_not_blocked_by/
tasma.ru##script:inject(abort-on-property-write.js, decodeURIComponent)
||ogrid.org^
||igrid.org^
||stat0808.info^

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/115
||dekoder.ws^$csp=worker-src 'none';

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/137
||leitor.net^$csp=worker-src 'none';
||nablabee.com^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1503
shrink-service.it##script:inject(abort-on-property-read.js, WebAssembly)

! https://www.reddit.com/r/uBlockOrigin/comments/7wwejy/cryptojackers_defeat_all_countermeasures/
*$csp=worker-src 'none',domain=estream.to|streamango.com|vidoza.net|vidto.me|vidtudu.com
||tulip18.com^$third-party

! https://github.com/uBlockOrigin/uAssets/pull/818#issuecomment-365770341
djs.sk,mladipodnikatelia.sk##script:inject(abort-on-property-read.js, miner)
||pr0gram.org^$third-party

! https://forums.lanik.us/viewtopic.php?f=62&t=39991&p=132468#p132468
||adfreetv.ch^$csp=child-src 'none';frame-src *;worker-src 'none';

! https://github.com/uBlockOrigin/uAssets/issues/1559
||hq-porns.com^$csp=child-src 'none';frame-src *;worker-src 'none';
||staticsfs.host^

! https://github.com/uBlockOrigin/uAssets/issues/1563
||gofile.io^$csp=child-src 'none';frame-src *;worker-src 'none';
||gofile.io/js/coinGofile.min.js

! https://www.reddit.com/r/uBlockOrigin/comments/7yudc2/coinhive_getting_through/
howucan.gr##script:inject(abort-on-property-read.js, miner)

! https://github.com/uBlockOrigin/uAssets/issues/1602
||thevideo.*^$csp=worker-src 'none';
||interestingz.pw^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1649
cloudtime.to,nowvideo.sx,sickrage.ca,tomadivx.org,wholecloud.net##script:inject(abort-on-property-read.js, WebAssembly)

! https://github.com/hoshsadiq/adblock-nocoin-list/issues/165
||onlinevideoconverter.com^$csp=child-src 'none';frame-src *;worker-src 'none';
||freecontent.*./$script

! https://github.com/hoshsadiq/adblock-nocoin-list/pull/173
! https://github.com/uBlockOrigin/uAssets/issues/1698
123telugu.com,netiap.com##script:inject(abort-on-property-read.js, _0x7bc7)
||datasecu.download^$third-party
||jquery-cdn.download^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1701
||bigspeeds.com^$csp=worker-src 'none';
||gustaver.ddns.net^$third-party

! https://forums.lanik.us/viewtopic.php?f=90&t=40270
nxload.com##script:inject(abort-on-property-read.js, miner)
||cryptaloot.pro^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/1782
sleeptimer.org##script:inject(abort-on-property-read.js, WebAssembly)

! https://github.com/easylist/easylist/commit/8ef593
*$csp=worker-src 'none',domain=kinokongo.cc

! https://github.com/uBlockOrigin/uAssets/issues/1826
*$csp=worker-src 'none',domain=povwideo.net|powvideo.net

! https://github.com/gorhill/uBlock/issues/3675
||potomy.ru^$csp=worker-src 'none'
||rand.com.ru^

! https://github.com/hoshsadiq/adblock-nocoin-list/pull/204
||ianimes.co^$csp=worker-src 'none';
||eth-pocket.de^$third-party

! https://github.com/uBlockOrigin/uAssets/issues/2051
||hide.ovh^
I'm not irrational, I'm just quantum probabilistic.
ticojohn
 
Posts: 801
Joined: 2009-08-29 18:10
Location: Costa Rica
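
How the network rules in the list quoted above are evaluated against a request, as an added Python example that is not part of the original post and is not uBlock Origin's own code. It models only hostname-anchored (||host^) rules, plain substring patterns and the third-party option; site() approximates the registrable domain with the last two host labels, and the SAMPLE URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# A few rules copied from the list quoted in the post above.
RULES = """\
! https://github.com/uBlockOrigin/uAssets/issues/690
||coin-hive.com^$third-party
||coinhive.com^$third-party
||listat.biz^
/cryptonight.wasm
||vidzi.si^$csp=worker-src 'none';
"""
# '^' = separator: any char except letter, digit, _ - . %, or end of URL.
TOKENS = {"^": r"(?:[^\w.%-]|$)", "*": ".*"}

def compile_rule(line):
    """Return (rule_text, regex, third_party_only), or None if not modelled."""
    line = line.strip()
    if not line or line.startswith("!") or "##" in line:
        return None                      # comment or scriptlet rule
    pattern, _, opts = line.partition("$")
    options = set(opts.split(",")) if opts else set()
    if options - {"third-party"}:
        return None                      # csp=, domain=, script, ... skipped
    prefix = ""
    if pattern.startswith("||"):         # anchor at a hostname label boundary
        prefix, pattern = r"^[a-z][a-z0-9+.-]*://(?:[^/?#]*\.)?", pattern[2:]
    body = "".join(TOKENS.get(ch, re.escape(ch)) for ch in pattern)
    return line, re.compile(prefix + body, re.I), "third-party" in options

def site(url):
    """Assumption: the last two host labels stand in for the registrable domain."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def first_match(rules, page_url, request_url):
    """Rule text that blocks request_url when fetched by page_url, else None."""
    third_party = site(page_url) != site(request_url)
    for text, regex, third_party_only in rules:
        if third_party_only and not third_party:
            continue
        if regex.search(request_url):
            return text
    return None

# Constructed (page, request) pairs, such as a proxy log with Referer gives.
SAMPLE = [
    ("https://blog.example/post", "https://coinhive.com/lib/coinhive.min.js"),
    ("https://coinhive.com/", "https://coinhive.com/dashboard"),
    ("https://blog.example/post", "https://coinhive.com.cdn.example/a.js"),
    ("https://blog.example/post", "https://blog.example/js/cryptonight.wasm"),
]
def triage(rules_text=RULES, sample=SAMPLE):
    rules = [r for r in map(compile_rule, rules_text.splitlines()) if r]
    return [first_match(rules, page, req) for page, req in sample]

if __name__ == "__main__":
    for (page, req), hit in zip(SAMPLE, triage()):
        print(f"{'BLOCK' if hit else 'allow':5}  {req}  <- {hit}")
```

The third sample shows why the trailing ^ matters: coinhive.com.cdn.example starts with the blocked name but is a different host, so the rule does not fire.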

Re: Malware Found In The Ubuntu Snap Store

Postby None1975 » 2018-05-14 14:04

Snap packets and Ubuntu are not needed.
OS: Debian 9.5 / WM: Xmonad
Debian Wiki | DontBreakDebian, My config files in github
Linux User #607425
None1975
 
Posts: 649
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Malware Found In The Ubuntu Snap Store

Postby None1975 » 2018-05-14 14:13

ticojohn wrote:
Bulkley wrote: I use Firefox ESR and installed the No Coin addon. It is supposed to block mining such as Coinhive.

Just install xul-ext-noscript. Do not use addons of unclear origin and quality.
OS: Debian 9.5 / WM: Xmonad
Debian Wiki | DontBreakDebian, My config files in github
Linux User #607425
None1975
 
Posts: 649
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Malware Found In The Ubuntu Snap Store

Postby Lysander » 2018-05-14 14:13

None1975 wrote:Snap packets and Ubuntu are not needed.


Can you qualify "not needed"? I think I see what you mean [for how long does one stay on Ubuntu?] but Ubuntu is a great springboard OS for many, including myself.
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London
