Linux = Trojan free?

Guest Simplicity

Guest cord

Well, last October I experienced a cross-platform browser hijacking. I was using Netscape 7.2 running in Win98 to access the Web, but from time to time I'd use Mozilla in Mandrake 10.0 (Community Powerpack) for this. I was learning about Linux and thinking about ditching Windows, at least for Web browsing.

At the end of that month I suddenly found that Navigator was 1) being directed to a prescription drugs website or 2) being prohibited from going to the site/page I'd intended and getting an error message. I wouldn't be redirected or receive the error messages consistently. I could always, and thoroughly, as far as I tested, access some prominent websites such as Google or eBay without problems. But I'd have trouble visiting less prominent sites. Sometimes I'd get redirected or get the error message, and sometimes I wouldn't. Sometimes I could go to a site's homepage but no further. Or I could go to an internal page but not the homepage.

I was surprised that Navigator had been hijacked. A few days later, thinking I'd be safe in Linux, I went online in Mozilla. I was sent to the drugs website. The other browsers installed in Mandrake weren't immune either (Konqueror, Epiphany). I didn't experiment with IE -- I hadn't been using it.

I needed to update my Spybot Search & Destroy. When I ran it, it detected problems, but wouldn't complete a scan. I sent an email to SS&D's tech support describing my problems, but didn't receive a response. Through Google I learned that there was a bug in that update that caused false reports, so I suppose I was ignored for that reason. Anyway, I downloaded the next (corrected) update, ran Spybot and it detected CoolWWWSearch.Leftovers. It removed it or crippled it. I didn't have problems again -- neither in Windows nor Mandrake -- so I assume that CoolWWWSearch.Leftovers was the culprit. However, I haven't used Mandrake very much to go online since then. I'd think that there'd be something malicious installed on that drive.

Here's one of Spybot's reports of a stalled scan which includes both one of the erroneous detections (Cabrotor) and an accurate detection (CoolWWWSearch.Leftovers). In a couple of tests it mistakenly found Interfun.

--- Report generated: 2004-11-02 16:39 ---

Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()

CoolWWWSearch.Leftovers: Code storage database (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\Win32 Classes

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

--- Spybot - Search && Destroy version: 1.3 ---
2004-08-11 Includes\Cookies.sbi
2004-10-26 Includes\Dialer.sbi
2004-10-26 Includes\Hijackers.sbi
2004-10-07 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-10-26 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-10-25 Includes\Security.sbi
2004-10-26 Includes\Spybots.sbi
2004-10-21 Includes\Tracks.uti
2004-10-26 Includes\Trojans.sbi
2004-08-11 Includes\plugin-ignore.ini

--------------------------------------------

It's been my suspicion that I may have caused this when I slipped up and opened spam in my Netscape inbox.

My computer has 3 hard drives: Win98 and apps are on C: (hda), a single FAT32 partition for storage is on D: (hdb), Mandrake is on the 3rd drive (through an adapter card). I was running McAfee VirusScan, Zone Alarm free edition, and the Proxomitron (in Windows, of course).

Other anti-malware software (for Windows), including HijackThis, didn't discover anything. At the time, they were the current versions.

I didn't and don't (unless necessary) enter Mandrake as root. I hadn't added security fixes.
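As an added example (not part of the post above and not Spybot's own code), a small Python parser for the Spybot 1.3 report format quoted in it: it separates entries the scanner could not finish checking (the "Error during check!" lines, such as the Cabrotor one) from actual detections and the registry location that follows each. The embedded report text is a constructed excerpt modelled on the one in the post.

```python
import re

# Constructed excerpt in the shape of the Spybot 1.3 report quoted in the post.
SAMPLE_REPORT = """--- Report generated: 2004-11-02 16:39 ---

Error during check!: Cabrotor (Datei C:\\WINDOWS\\win.ini kann nicht geöffnet werden. The process cannot access the file because
it is being used by another process) ()

CoolWWWSearch.Leftovers: Code storage database (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Code Store Database\\Distribution Units\\Win32 Classes

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1004!=W=3

--- Spybot - Search && Destroy version: 1.3 ---
2004-10-26 Includes\\Hijackers.sbi
"""

DETECTION = re.compile(r"^(?P<name>[^:]+): (?P<detail>.+) \((?P<action>[^)]*)\)$")
SKIP = re.compile(r"^(---|\d{4}-\d{2}-\d{2} )")  # report banners and signature-file lines


def parse_spybot_report(text):
    """Return scan errors (checks that did not finish) and detections with their registry location."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or SKIP.match(line):
            continue
        if line.startswith("Error during check!:"):
            # The error text wraps onto following lines until the closing "()" marker.
            body = line.split(":", 1)[1].strip()
            while not body.endswith("()") and i < len(lines):
                body += " " + lines[i].strip()
                i += 1
            name, _, detail = body.partition(" (")
            findings.append({"kind": "scan_error", "name": name, "detail": detail.rstrip(") ("), "location": None})
            continue
        m = DETECTION.match(line)
        if m:
            location = None
            if i < len(lines) and lines[i].strip().startswith("HKEY_"):
                location = lines[i].strip()  # registry key or value named on the next line
                i += 1
            findings.append({"kind": "detection", "location": location, **m.groupdict()})
    return findings


def confirmed_detections(findings):
    """Names of real detections, leaving aside entries the scanner could not check."""
    return [f["name"] for f in findings if f["kind"] == "detection"]
```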
