Ubuntu – Popup ad virus on both chrome and firefox

Tags: 14.04, malware, popup-ads, rootkit

A pop-up ad box appears on whichever site I open. I tried resetting settings, disabling extensions, and removing all users on Chrome.

It seems it is not about Chrome, since the same thing happens on Firefox too, which I hadn't even opened before.

I suspect it may have something to do with some repositories I added lately; even if so, what should I do?

Let me describe the pop-up, since I can't upload an image because I don't have enough reputation.
It places itself in the middle of the page and is not so big. It does not move with the rest of the page; it stays while scrolling. Inside there are sometimes Google ads. AdBlock blocks the content but not the pop-up itself.

An image of the pop-up

The result of inspect element:

<div id="thisisonesplashforclicktocloseidhere" style=
  "position:fixed;z-index:999900;top:50%;left:50%;margin-top:-125px;margin-left:-150px;width:300px;height:250px;background-color:#fff;border:4px solid #444;-moz-box-shadow:0 0 12px 4px #888;-webkit-box-shadow:0 0 12px 4px #888;box-shadow:0 0 12px 4px #888;-webkit-border-radius:4px;border-radius:4px;">
  <iframe frameborder="0" height="0" scrolling="no" src=
  "http://guzelyemek.com/reklam.html?gads_300x250" style=
  "display: none !important; visibility: hidden !important; opacity: 0 !important;"
    width="0"></iframe><a href="javascript:hideADSnow()" id="clickonME" style=
    "position:absolute;top:-8px;right:-7px;display:block;width:29px;height:29px;background:transparent url(http://3.bp.blogspot.com/-2pNyEIhTbiU/UWJ-FMsZktI/AAAAAAAAUKg/3FPcPp0CNko/s1600/close-button.png) no-repeat top left;"></a>
</div>

chrome://plugins:

[screenshot of the chrome://plugins page]

Note: Using AdBlock Plus it is possible to block it. I just added the id of the box's div to the filter list, but that's just curing the symptoms, not the actual illness. So the journey continues.

About scanning with ClamTk:
It found some 1732 threats, which consist mostly (I mean almost all of them) of Windows files and, interestingly, some of ClamAV's own files.
The only meaningful entries were these:

  • /usr/lib/shim/shim.efi
  • /usr/lib/shim/shim.efi.signed
  • /boot/efi/EFI/ubuntu/shimx64.efi
  • /boot/efi/EFI/ubuntu/MokManager.efi
  • /home/mumi/.cache/mozilla/firefox/50ug9xkr.default/cache2/entries/35CD2F7BA91E394C584FB72D214090559CC987F8

I just deleted the Firefox thing, but I don't think the other things are harmful.

OK, I found this suspicious code in the Sources tab of the Firefox debugger tool:

if (window==window.top) {  // only run in the top-level document, not inside a frame
  function hideADSnow() {  // handler for the fake "close" button; hides and empties the overlay
    document.getElementById('thisisonesplashforclicktocloseidhere').style.display='none';
    document.getElementById('thisisonesplashforclicktocloseidhere').innerHTML =' ';
  }

  // Build the fixed-position overlay (same markup as seen in Inspect Element) as a string.
  var writeNow="";
  writeNow += "<div style=\"position:fixed;z-index:999900;top:50%;left:50%;margin-top:-125px;margin-left:-150px;width:300px;height:250px;background-color:#fff;border:4px solid #444;-moz-box-shadow:0 0 12px 4px #888;-webkit-box-shadow:0 0 12px 4px #888;box-shadow:0 0 12px 4px #888;-webkit-border-radius:4px;border-radius:4px;\" id=\"thisisonesplashforclicktocloseidhere\">";

  // The ad content is loaded from a third-party host via an iframe.
  writeNow += "<iframe src=\"http:\/\/habermatich.com\/gads\/show_ads.php?format=gads_300x250\" width=\"300px\" height=\"250px\" frameBorder=\"0\" scrolling=\"no\"><\/iframe>";

  writeNow += "<a href=\"javascript:hideADSnow()\" id=\"clickonME\" style=\"position:absolute;top:-8px;right:-7px;display:block;width:29px;height:29px;background:transparent url(http:\/\/3.bp.blogspot.com\/-2pNyEIhTbiU\/UWJ-FMsZktI\/AAAAAAAAUKg\/3FPcPp0CNko\/s1600\/close-button.png) no-repeat top left;\"><\/a>";
  writeNow += "<\/div>";

  // Create the 'ads_boxy' container once, then write the overlay into it.
  try {
    var checkIs = document.getElementById('ads_boxy');
  } catch(err) {
    var checkIs = null;
  }
  if (checkIs == null) {
    var adsbox = document.createElement('div');
    adsbox.id = 'ads_boxy';
    document.body.appendChild(adsbox);
  }
  var checkIs = document.getElementById('ads_boxy');
  checkIs.innerHTML = writeNow;
}

Even when trying to install Ubuntu from scratch, it's there.

This guy seems to have the same problem as me.
I suspect this is a rootkit of some kind, but neither rkhunter nor chkrootkit found anything. Maybe it is a new rootkit.

I tried another router with no luck. Restarting the router numerous times didn't help.
It doesn't show up on the Windows machine on the network or on Windows on my machine (it is a dual-boot system) any more, but I saw it at least once on both. I guess I only have one option now.
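The injected markup quoted above has a recognisable shape: a fixed-position div with a very high z-index that wraps an iframe pointing at a host other than the page being viewed. The following scanner, added here as an example and not code from the original post, walks an HTML document with the standard-library parser and reports every such overlay with the third-party host it loads. The sample pages, the z-index threshold of 1000 and the page host askubuntu.com are constructed for the example; the first sample reproduces the div from the Inspect Element output above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the overlay as seen in Inspect Element (closing </div> added).
INJECTED_SAMPLE = """
<html><body><p>page content</p>
<div id="thisisonesplashforclicktocloseidhere" style="position:fixed;z-index:999900;top:50%;left:50%;width:300px;height:250px;">
  <iframe frameborder="0" height="0" scrolling="no" src="http://guzelyemek.com/reklam.html?gads_300x250"
    style="display: none !important;" width="0"></iframe>
  <a href="javascript:hideADSnow()" id="clickonME"></a>
</div>
</body></html>
"""

# Constructed sample: a legitimate fixed widget that only embeds the site's own content.
BENIGN_SAMPLE = """
<html><body>
<div id="chat" style="position:fixed;z-index:1000;bottom:0;right:0;">
  <iframe src="https://example.com/chat"></iframe>
</div>
</body></html>
"""

# Assumption for this example: anything at z-index >= 1000 counts as an overlay.
OVERLAY_ZINDEX = 1000


def _style_decls(style):
    """Parse an inline style attribute into a {property: value} dict (lower-cased)."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    return decls


def _is_overlay(style):
    """True for position:fixed elements with a z-index at or above the threshold."""
    decls = _style_decls(style)
    try:
        z = int(decls.get("z-index", "0"))
    except ValueError:
        z = 0
    return decls.get("position") == "fixed" and z >= OVERLAY_ZINDEX


class OverlayScanner(HTMLParser):
    """Report iframes to foreign hosts that sit inside a fixed, high z-index div."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.open_divs = []   # stack of (div id, is_overlay) for currently open divs
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self.open_divs.append((a.get("id", ""), _is_overlay(a.get("style") or "")))
        elif tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname          # None for relative URLs
            inside_overlay = any(ov for _, ov in self.open_divs)
            if host and host.lower() != self.page_host and inside_overlay:
                div_id = next(i for i, ov in reversed(self.open_divs) if ov)
                self.findings.append({"div_id": div_id, "iframe_host": host, "src": src})

    def handle_endtag(self, tag):
        if tag == "div" and self.open_divs:
            self.open_divs.pop()


def scan(html, page_host):
    """Return a list of {div_id, iframe_host, src} findings for the given page."""
    parser = OverlayScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in scan(INJECTED_SAMPLE, "askubuntu.com"):
        print("injected overlay:", finding)
    print("benign page findings:", scan(BENIGN_SAMPLE, "example.com"))
```

Run it against a page saved from the browser (File, Save Page As) or against the entries in the Firefox cache directory mentioned above; the hosts it reports are the indicators to look for in the DNS and router checks that follow. A same-origin iframe inside a fixed widget, as in the benign sample, is not reported.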

Best Answer

Since you mentioned in a comment that the other computer on the network started having the same issue, it may well be that your router settings are altered or the router is infected (yes, that is possible). In fact, your problem is very, very similar to this post from security.stackexchange.com. FYI, you may want to use that site in such cases, because there are more people there who deal with this type of issue.

OK, back to the problem. If you research it a little you'll find that probably a very common problem with routers is when DNS settings are altered. There's also more serious malware for routers, too. A DNS server is basically a translator: since computers only deal in numbers, when you type "google.com" in a browser, your computer will send a request to DNS servers saying "Hey, what's the IP address for google.com?". The DNS server on its side looks through its databases and finds which IPs belong to google.com. Now, if your router's DNS settings are changed, the request goes to a fake DNS server, which will redirect you to a fake website or a website that looks like the real thing but with malware.

What can be done is the following:

  • Access your router's settings and check if the DNS settings have been altered. You can typically access them by typing 192.168.0.1 into the address bar of Firefox or any other browser, and it should open a page with all sorts of settings for your router (read your router's manual to make sure the address is right). But if you've never looked at these settings before, it may be hard to determine whether or not something has been changed. Also, look if any routing settings were changed or if you see something fishy there.

  • Reset the router to default settings. Again, this can be done through 192.168.0.1. This may be under "Advanced Options", but search around the settings or just read the manual. It is a good idea to reboot the router after you change the settings back to default to make sure it takes effect. If that helps and the popup doesn't come up any more on either machine, change the router's admin password to something different from before and something strong, plus maybe change the wifi password (WPA PSK or whatever you're using).

  • Get a new router. You could either buy one yourself and configure it, or contact your Internet service provider, explaining the situation. They may offer more options, too.

Among other things, what I'd do in such a case is some small tests.

  • You mentioned that you connect by wifi and have Windows files there. So is it a laptop? Do you dual boot? Try taking it to another network and see if the pop-up persists. If it doesn't show up on another network, it's definitely your router.

  • Does it show up in Windows? If it's the router, it's definitely not related to the OS or your browsers or anything like that.

  • Change your DNS settings in Ubuntu. The thing is that Ubuntu's Network Manager by default will let a dnsmasq plugin decide what DNS to use (and typically it will be your Internet service provider's). Now, you can use your own DNS regardless of what your Internet service provider gives. To do that, open the Network Manager indicator in the right-hand corner and go to Edit Connections. Select the network and click the Edit button. Go to the IPv4 tab, change the drop-down menu from "Automatic (DHCP)" to "Automatic (DHCP) addresses only", and under DNS servers type in whatever DNS server you like. You can choose 8.8.8.8 (Google's public DNS). I use OpenDNS (208.67.222.222). These are well known and trusted. Then open a terminal and type sudo nano /etc/NetworkManager/NetworkManager.conf and change the line dns=dnsmasq to #dns=dnsmasq. Save the file with Ctrl+O and exit with Ctrl+X. Now you could either do sudo service network-manager restart or simply reboot the computer. I'd prefer rebooting. Connect again to your network, and once ready, in a terminal type nm-tool | tail. It should confirm you're using your selected DNS. If the popup doesn't persist with such settings, it's definitely the router's DNS problem. The steps I've gone through here are the same as I've described in my other post here.

That is it. I'm in no way a computer security expert, so everything in this post is the best I can suggest. Best of luck! And let us know if this helps, or how you solved the problem in the end.
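The DNS check the answer describes can be done directly rather than by eye: ask the resolver the router hands out and a trusted public resolver the same question and compare the answers. The script below is an added example, not part of the original answer, and builds and parses raw DNS A queries with the standard library so it needs no extra packages. It assumes the LAN resolver is the first nameserver line in /etc/resolv.conf, uses 8.8.8.8 (mentioned in the answer) as the trusted reference, and the names in the usage block are constructed for the example.

```python
"""Compare A-record answers from the LAN resolver with a trusted public resolver."""
import random
import socket
import struct
import sys

TRUSTED_RESOLVER = "8.8.8.8"   # assumption: Google Public DNS as the reference
RESOLV_CONF = "/etc/resolv.conf"


def build_query(name, txid):
    """Build a minimal RFC 1035 query: header (RD set, one question) + QNAME + A/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                   # RCODE != 0, e.g. NXDOMAIN
        return set()
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name, resolver, timeout=3.0):
    """Send one UDP query to `resolver` and return the A records it answers with."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def lan_resolver(path=RESOLV_CONF):
    """First 'nameserver' entry; on 14.04 this is usually dnsmasq, which forwards to the router."""
    with open(path) as fh:
        for line in fh:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "nameserver":
                return parts[1]
    raise RuntimeError("no nameserver line in " + path)


def classify(lan_addrs, trusted_addrs):
    """'disjoint' (no address in common) is the answer worth investigating."""
    if not lan_addrs or not trusted_addrs:
        return "no-answer"
    return "disjoint" if lan_addrs.isdisjoint(trusted_addrs) else "overlap"


def compare(name, lan, trusted=TRUSTED_RESOLVER):
    lan_addrs, trusted_addrs = resolve_a(name, lan), resolve_a(name, trusted)
    return {"name": name, "lan": sorted(lan_addrs), "trusted": sorted(trusted_addrs),
            "verdict": classify(lan_addrs, trusted_addrs)}


if __name__ == "__main__":
    names = sys.argv[1:] or ["google.com", "ubuntu.com"]   # constructed defaults
    lan = lan_resolver()
    for n in names:
        print(compare(n, lan))
```

Two caveats when reading the output: names served by a CDN legitimately return different addresses from different resolvers, so "disjoint" is a lead rather than proof, and is more telling for a name that normally resolves to a stable address; and if the LAN answer is a private address (10.x, 192.168.x) or the same unexpected address for many unrelated names, that is the signature of the rogue resolver described above. Run it before and after resetting the router to see whether the answers change.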
