# The Ubuntu Forum Community > Ubuntu Specialised Support > Security > [ubuntu] Malware, Spyware, and Viruses! Oh, my!

## Kaneda

Hey everyone. I was wondering how worried I should be about things like malware, viruses, etc. while using Ubuntu.

I have searched the forums a few times, and it seems like the answer I always see is along the lines of, "Viruses and stuff are made for Windows. They don't affect Linux."

That's all well and good, but I'm still rather uneasy.

I have been running Ubuntu as my only OS for about a year now, and things have worked out quite well, but I don't have any kind of anti-malware or anti-virus software. I'm pretty sure that viruses aren't much of a problem, but _websites_ that you get malware and spyware from work on Ubuntu, so why wouldn't the malware and spyware _from_ those websites work on Ubuntu?

Let's be honest: I browse a lot of porn sites from time to time. I always do it in private browsing or incognito mode, so they shouldn't be keeping anything on my computer after I reload my browser, but I've seen it happen in Windows, so I imagine it could happen in Linux, too. All of the popups/popunders from those sites don't leave me with much sense of security after I'm done, and I have no scanning software to check, either. So whenever my computer starts acting slow or weird, especially when my browsers do it, I get really paranoid.

So, what can I do about it? Am I really at no risk? If so, why (and a deeper explanation than "because it's not windows" would be appreciated)? If I am at risk, what can I do? Are there any scanning programs that I can use? The basic security sticky talks about ways that you can prevent browser spyware and such, but not how to get rid of it if you have something already... Any help there?

Thanks!

----------


## Ms. Daisy

The basic security wiki was written in part to address worries of malware & viruses on Linux.  Give that a gander & post back if it doesn't answer your questions.




> I'm pretty sure that viruses aren't much of a problem, but _websites_ that you get malware and spyware from work on Ubuntu, so why wouldn't the malware and spyware _from_ those websites work on Ubuntu?


This is also explained in the basic security wiki.  But here's the view from 10,000 feet: there are all sorts of nasty things that can compromise your security: viruses, malware, browser exploits, trojans... They all have different names because they all work differently. When you employ smart layers of security, then you can better defend against all these different types of exploits.




> The basic security sticky talks about ways that you can prevent browser  spyware and such, but not how to get rid of it if you have something  already... Any help there?


Have you found something in particular that makes you think you've been compromised? Or is it a general sense of unease?

----------


## kurt18947

NoScript and adblock go a long way to address pop-ups and similar crap.  A concern I have is browser exploits.  As I understand it, malware that exploits Firefox for Windows may also exploit Firefox for Linux unless the malware uses Windows-specific functions.  I'm pretty sure there are quite a few more Firefox users than there are desktop Linux users, thus a more target-rich environment.  Firefox for Windows users might be more prone to using older unsupported versions though ............

----------


## Ms. Daisy

> NoScript and adblock go a long way to address pop-ups and similar crap. A concern I have is browser exploits. As I understand it, malware that exploits Firefox for Windows may also exploit Firefox for Linux unless the malware uses Windows-specific functions. I'm pretty sure there are quite a few more Firefox users than there are desktop Linux users, thus a more target-rich environment. Firefox for Windows users might be more prone to using older unsupported versions though ............


All the more reason to update the browser (and all your software & OS while you're at it).  It can be automated so you don't have to be bothered constantly with it.  I sound like a broken record, but browser security is also covered in the basic security wiki.  You could really employ the same techniques for browser security in any operating system because it's not dependent on the OS.

----------


## CharlesA

> All the more reason to update the browser (and all your software & OS while you're at it).  It can be automated so you don't have to be bothered constantly with it.  I sound like a broken record, but browser security is also covered in the basic security wiki.  You could really employ the same techniques for browser security in any operating system because it's not dependent on the OS.


This, pretty much sums it up.

----------


## Kaneda

I suppose my main issue is this: The security wiki talks about using NoScript, SafeHistory, denying cookies, using hosts files, etc. All of these are _preventive_ measures. What can I do to see if I've _already_ been compromised? And if so, how do I fix it? Surely it's not as simple as just clearing all of your cookies and browsing history, is it?

For an example as to why I feel uneasy, occasionally chrome will just stop responding... or it will start responding in odd ways, like one tab still works, but the others don't, or it won't let me close individual tabs, just the entire browser. Sure, this could all be due to bugs in the software, but I don't want to just brush it off without knowing for sure.

----------


## winh8r

My advice to you, if you are accessing a lot of sites of an "adult" nature, would be to use a live CD. That way your main browser will be safe and whatever (if anything) happens whilst you are surfing will be deleted when you close the live session.

I would still agree with Ms Daisy that reading the security wiki is the best idea, and learn how to configure your browser and use addons to your advantage.

Another option would be to use VirtualBox.

----------


## Kaneda

Yes, yes. I read the security wiki, but like I said, my main issue here _isn't_ prevention, it is finding out whether or not I have a problem _already_. You can harden your system all you want to keep intruders out, but building up the walls around your fortress does no good if the enemy is already inside.

The sticky Ubuntu Security thread and the Ubuntu Basic Security Wiki both tell you how to _secure_ your browser against attacks--I know. What I want to know is what I need to do if I've _already_ been compromised, or for that matter to simply _find out_ whether or not I've been compromised.

----------


## winh8r

You could install and run the following:

ClamAV (available in the Software Centre)

rkhunter (as above)

If you are concerned that you have been affected by malware of some sort then the best option is always to do a full backup of your data and then a full clean install of Ubuntu. Ensure that you use different login credentials on your new installation and also change the password on your router/modem.
It sounds like overkill, but if you have suspicions that your setup is compromised then it is a sure way to get it back under your control.

In the meantime, you could also back up your bookmarks/profile in your browser and reinstall the browser itself and see if the problem goes away when you are running a fresh default install of the browser of your choice.

Hope this is of some help to you.

----------
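As an added example, not part of winh8r's post or of the ClamAV or rkhunter projects: a small POSIX sh wrapper around the two scanners named above, plus a parser for the report clamscan prints, so the result can be read by a script instead of by eye. It assumes the Ubuntu packages `clamav` and `rkhunter`; the clamscan report embedded below is a constructed sample in the layout the real tool prints, and the function names (`parse_clamscan`, `infected_count`, `run_scans`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for clamscan and rkhunter, plus a
# parser for clamscan's report. Missing tools are reported rather than fatal.

# parse_clamscan: read clamscan output on stdin and print "path<TAB>signature"
# for every infected file. clamscan marks hits as "<path>: <signature> FOUND".
# The match is taken from the LAST ": " so paths containing ": " still parse.
parse_clamscan() {
    awk '/ FOUND$/ {
            i = match($0, /: [^:]* FOUND$/)
            path = substr($0, 1, i - 1)
            sig  = substr($0, i + 2)
            sub(/ FOUND$/, "", sig)
            print path "\t" sig
         }'
}

# infected_count: the N from the "Infected files: N" line of the scan summary.
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2 }'
}

# Constructed sample of clamscan output (same layout as the real tool).
SAMPLE_REPORT='/home/kaneda/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/kaneda/Documents/notes.txt: OK
/home/kaneda/.mozilla/firefox/profile/places.sqlite: OK

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Engine version: 0.103.6
Scanned directories: 4
Scanned files: 3
Infected files: 1'

# run_scans [dir]: refresh signatures, scan dir (default $HOME) reporting only
# infected files, keep a copy of the report, then run rkhunter's checks.
run_scans() {
    target="${1:-$HOME}"
    if command -v freshclam >/dev/null 2>&1; then
        sudo freshclam                          # update the signature database
    else
        echo "freshclam not installed (package clamav)"
    fi
    if command -v clamscan >/dev/null 2>&1; then
        # -r recurse into directories, -i print only infected files
        clamscan -r -i "$target" | tee "$HOME/clamscan-report.txt" | parse_clamscan
    else
        echo "clamscan not installed (package clamav)"
    fi
    if command -v rkhunter >/dev/null 2>&1; then
        # --check runs every test, --sk skips the "press enter" prompts
        sudo rkhunter --check --sk
    else
        echo "rkhunter not installed (package rkhunter)"
    fi
}

# Demo on the constructed report; for a real scan call: run_scans "$HOME"
printf '%s\n' "$SAMPLE_REPORT" | parse_clamscan
```

rkhunter compares system binaries against a file-property database it builds with `sudo rkhunter --propupd`; that database is only meaningful if it was created while the system was known to be clean (for example right after a fresh install), which is one more argument for the reinstall winh8r recommends when there is real doubt.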


## Ms. Daisy

Another way to see if you've been compromised is to audit your logs.  Dangertux wrote a beginner's guide to log auditing here.

----------
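As an added example of the log auditing Ms. Daisy points to, not part of her post or of Dangertux's guide: a POSIX sh + awk script that reads sshd lines in the format Ubuntu writes to `/var/log/auth.log`, counts failed password attempts per source IP, and flags any accepted login from an address that had failed attempts earlier in the same log (a password guess that eventually worked). The log lines are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal auth.log audit for sshd events.
# Constructed sample lines in the syslog format sshd uses on Ubuntu.
SAMPLE_LOG='Jun  3 10:01:11 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun  3 10:01:14 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun  3 10:01:19 box sshd[2104]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jun  3 10:02:40 box sshd[2110]: Accepted password for kaneda from 203.0.113.5 port 51140 ssh2
Jun  3 11:15:02 box sshd[2200]: Accepted publickey for kaneda from 192.0.2.10 port 40022 ssh2
Jun  3 11:20:45 box sshd[2215]: Failed password for kaneda from 198.51.100.7 port 33001 ssh2'

# failed_by_ip: print "count ip" for every source IP with failed password
# attempts, most attempts first. Reads log text from stdin.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# suspicious_logins: print "user ip" for every accepted login whose source IP
# had at least one failed password attempt earlier in the log.
suspicious_logins() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)] = 1
         }
         /sshd\[[0-9]+\]: Accepted/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip in failed) print user, ip
         }'
}

# audit_sample: run both checks over the constructed log. On a real system
# replace the printf with: sudo cat /var/log/auth.log
audit_sample() {
    echo '--- failed password attempts per source IP ---'
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo '--- accepted logins from IPs with earlier failures ---'
    printf '%s\n' "$SAMPLE_LOG" | suspicious_logins
}

audit_sample
```

The point CharlesA makes later in the thread still applies: a log audit only shows what was left in the log, so an absence of hits is weaker evidence than a hit. Logrotate also moves older events into `auth.log.1` and compressed `auth.log.*.gz` files, so feed those too (`zcat`) when looking further back than a week.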


## SeijiSensei

Let's start with a couple of basics.

It's very hard to force an application to write somewhere outside of /home/username and /tmp.  Users simply don't have write privileges anywhere else.  So one solution is to create a new username for yourself and use that instead.  You'll have a fresh configuration for programs like Firefox.

If you're even more paranoid, you can reinstall Ubuntu and obliterate /home along the way.  Make sure you've made copies of any files you need.  Most anything bad will be hiding from view (in dotfiles, for instance) so you shouldn't worry too much about ordinary files like graphics or documents.  

A fresh installation of Ubuntu takes half-an-hour or less; a small amount of time for greater peace of mind.

----------
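As an added example following SeijiSensei's point that anything bad in a user account hides in dotfiles rather than in ordinary documents (this is not part of his post): a POSIX sh script that lists the dotfiles in a home directory changed within the last N days and every entry in the per-user autostart directory, which is one of the places a program can arrange to be started at each login. It builds a constructed temporary home to run against, so it is safe to try as-is; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): inventory of the hidden parts of a home
# directory that a user-level compromise would have to live in.

# recent_dotfiles <home> <days>: files under hidden entries of <home> (dotfiles
# and everything inside dot-directories) modified less than <days> days ago.
recent_dotfiles() {
    home="$1"; days="$2"
    find "$home" -path "$home/.[!.]*" -type f -mtime -"$days" | sort
}

# autostart_entries <home>: every .desktop file in ~/.config/autostart; each one
# is launched at every graphical login, so each should be recognisable.
autostart_entries() {
    d="$1/.config/autostart"
    if [ -d "$d" ]; then
        find "$d" -name '*.desktop' -type f | sort
    fi
    return 0
}

# build_demo_home: construct a temporary home with one old dotfile, one fresh
# dotfile, one ordinary document and one autostart entry. Prints its path.
build_demo_home() {
    h=$(mktemp -d)
    mkdir -p "$h/.config/autostart" "$h/Documents"
    printf 'alias ll="ls -l"\n' > "$h/.bashrc"
    touch -t 202001010000 "$h/.bashrc"            # old: not reported as recent
    printf 'umask 022\n' > "$h/.profile"           # fresh: reported
    printf 'hello\n' > "$h/Documents/notes.txt"    # ordinary file: ignored
    printf '[Desktop Entry]\nType=Application\nName=demo\nExec=/bin/true\n' \
        > "$h/.config/autostart/demo.desktop"      # constructed autostart entry
    echo "$h"
}

# Demo on the constructed home; for a real account use: recent_dotfiles "$HOME" 7
demo_home=$(build_demo_home)
echo '--- dotfiles changed in the last day ---'
recent_dotfiles "$demo_home" 1
echo '--- autostart entries ---'
autostart_entries "$demo_home"
rm -rf "$demo_home"
```

Unexpected entries here are a reason to follow the advice already given in the thread (a new user account, or a reinstall), not something to "clean" by hand, since a modified shell startup file may have changed more than the line you noticed.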


## CharlesA

> Another way to see if you've been compromised is to audit your logs.  Dangertux wrote a beginner's guide to log auditing here.


That's a good guide to log auditing. DT does a good job on going over everything.




> Let's start with a couple of basics.
> 
> It's very hard to force an application to write somewhere outside of /home/username and /tmp.  Users simply don't have write privileges anywhere else.  So one solution is to create a new username for yourself and use that instead.  You'll have a fresh configuration for programs like Firefox.
> 
> If you're even more paranoid, you can reinstall Ubuntu and obliterate /home along the way.  Make sure you've made copies of any files you need.  Most anything bad will be hiding from view (in dotfiles, for instance) so you shouldn't worry too much about ordinary files like graphics or documents.  
> 
> A fresh installation of Ubuntu takes half-an-hour or less; a small amount of time for greater peace of mind.


+1. Even if you think your box might have been compromised, the only way to be sure everything is clean is to reinstall. You can audit logs all you want but if the person who gained access wipes the logs, what's the point? You don't know what they did and even if you think you got everything fixed, you might have missed something.

----------


## OpSecShellshock

You may also try using BleachBit. It's in the repositories, so you can just install it from the Software Center. Once it's installed, hit the Windows/Super key on your keyboard to call up the Dash, and type "ble" and there will be two options, one to run it as a regular user and one to run it as root. Pick the one to run as a regular user.

When it opens, there will be a big list of check boxes. What you'll want to do then is check the box next to Firefox, Chrome (or Chromium, whichever one you have) and also Flash and Java if you have it. That will cause all of the boxes under those applications to be checked. You can uncheck boxes for anything you want to keep, but it's fine to get rid of everything. There will be some warnings for certain operations that will take a long time to complete, but it's not really a big deal.

After that click on Preview; the first time takes a while. After the preview process runs there will be a list of things it's going to remove, and at the bottom it will show how much space will be cleared. Then click on Delete and it will go through that process, which again will probably take a while. Any errors will be visible in red.

The boxes you have checked will be saved for the next time you run it. Get into the habit of running it after every browsing session; that should keep things fairly clean. It still won't tell you if you have malware, but you probably don't.

----------

