Ubuntu – Where should I start in tracking down Firefox malware

10.04firefoxmalwareviruses

Switched my sister to Ubuntu because I got tired of re-installing the other OS every 6 months. Now she managed to get some malware in her Firefox on Ubuntu. Without access to the computer (or when I get it next week), where should I look, what questions can I ask, what could I tell a computer novice to try over the phone?

Symptoms:
While surfing some recipe site she had an ad-window pop up with no window controls. She rebooted the computer and when she re-started Firefox it came back, full screen, no controls, on top.

I told her to just use -F2 and xkill to get rid of it, which it did but stopped Firefox completely. On re-start it was back, I told her to hit F11 which did take it back to a large screen, but not full-screen, so she could see that there was a normal browser window running underneath. She topped the normal window but the only other thing I had time to check was plug-ins, which there wasn't anything that sounded suspicious. I'm looking for ideas of what to try over the phone, or where to start next week.

I'm comfortable with the command line, and using about:config if that makes any difference in the answer.

Best Answer

I don't think there's much value in tracking down exactly what the problem is. Of course there is always some value but I can't guarantee you'll ever find out what the problem is.

In Etcher-Sketch terms, it's easier to just shake it until you have a blank canvas and then, if you want, you can pull back some of the less-likely-to-be-infected things (general settings, bookmarks, etc).

But the easiest install vector for malware in Firefox is through its extensions manager. You can check the extensions.ini file in the active profile for anything suspicious, but as I say, it may bear no fruit.

To get things back to normal, let's shake Firefox:

Nuke the old profile.

Here's a little script that moves the old profile to another location. I'm making this up as I go, so there might be a bug or two in it. You should be able to copy and paste this into a terminal.

cd ~/.mozilla/firefox/
export FFPROFILE=`cat profiles.ini | grep "Path=" | sed 's/^Path=//'`
mv $FFPROFILE $FFPROFILE.BAK
rm profiles.ini

When Firefox next launches, it will create a new profile.

Save bookmarks, saved passwords, etc

After firefox has created the new profile, you can go to ~/.mozilla/firefox/ in nautilus and copy back some of the files into the new profile and then deletes the profile configuration file so that Firefox has to create a new profile. Start by closing Firefox and then punch these lines into a terminal:

cd ~/.mozilla/firefox/
export FFPROFILE=`cat profiles.ini | grep "Path=" | sed 's/^Path=//'`
export OLDFFPROFILE=`ls -1 | grep .BAK`
cp $OLDFFPROFILE/*.sqlite $FFPROFILE/

You can of course do both these parts manually. It's actually easier to do it manually, you just need to know your way around the filesystem a little better. I was just thinking of you needing to do push this off to somebody else... it might just be easier if they copy and paste it into a terminal... Or you do it via SSH.

Related Question