3

On Wednesday, I installed an old copy of Ubuntu 10.04 LTS onto a pristine desktop PC that I built with brand new hardware--DSL modem, too--except for the CPU. Then, I downloaded Ubuntu 12.04 from Ubuntu.com, and compared hash values before erasing v10.04 & installing the new OS. The old 10.04 disk & the virgin CD onto which I burned the Ubuntu v12.04 ISO file are the only external media this PC has seen.

As a new convert to Open Source & a paranoid ex-Windows user (for good reason), I have been scanning every file I download, and randomly scanning the entire system every few hours, with ClamTk. It found trojans in

  • Ubuntu's built-in Ruby program;
  • a Photoshop file and
  • a SysInternals tool I downloaded last night; and
  • several files in the Firefox cache.

All but one malware specimen belong to the same family. When instructed to quarantine the infected files in the Firefox cache, ClamTk appeared to do so but the quarantine list was empty. As a precaution, I emptied the cache. Note: ClamTk REFUSES to quarantine the infected Ruby & Photoshop files. Is that normal?

Google provided sparse info about the trojans, except that they were first noted about 10 years ago. There does seem to be a surge of inquiries about them in Google over the past 2 weeks. It's unlikely that Ruby has had a known trojan all this time that ClamTk simply ignored till now... I doubt these malware are false positives.

Some questions:

  1. Is anyone else finding PUA.Win32.xxxxx with ClamTk?
  2. Is Ubuntu naturally immune to malware named "Win32"?

    Actually, what compels me to post here is finding, while I was checking my Firefox Preferences, six DigiNotar entries in the list of security certificates (Advanced-->Encryption-->View Certificates). The IT security world ostracized DigiNotar last Fall, & Mozilla permanently removed DigiNotar from its list of approved certification providers (see http://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/).

    So, I am wondering:

  3. Did Ubuntu developers forget to remove DigiNotar from Ubuntu's version of Firefox in v12.04?
  4. Does anyone else have DigiNotar in your list of certification authorities?
  5. Are the DigiNotar certificates and the trojans I am finding related?

Thanks for any information you can provide.

jokerdino
  • 41,732

3 Answers

4
  1. If anybody was able to find it successfully, it would be either because of a dual boot in another partition, torrent downloads, or untrusted third-party sharing or downloading. I never found it in my system.

  2. Ubuntu is not immune to any trojan named under win32.

    And you don't have to worry about that. DigiNotar is not trusted by default. To see this, select the Edit trust option under it. So it is as good as non-existent. Just make sure that the option Ask me every time is selected.

    Dialog image

  3. To confirm, the Security team did address this issue here under version nss (3.12.11-3) unstable; urgency=high, stating it as Explicitly Distrust, not Deleted, whereas the current version stands at nss (3.13.1.with.ckbi.1.88-1ubuntu6.1) precise-security. So you don't have to worry at all.

    Changelog

  4. Actually there are two Certificates menus in Certificate Manager, Server and Authorities. DigiNotar is present in my Server section; the first listed one is expired and needs to be deleted manually.

    Certificates

  5. Only the affected certificate authority or security testing team can confirm.

jokerdino
  • 41,732
atenz
  • 12,858
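The answer above makes the point that NSS records DigiNotar as "Explicitly Distrust" rather than removing it, so the entry still shows up in a listing while carrying no trust. The following is an added example (not from the answer, Ubuntu, Mozilla or NSS) that parses the listing format of NSS's `certutil -L -d <dbdir>` command and classifies each entry by its trust flags, so you can tell a trusted root from an explicitly distrusted one instead of reading the nickname. The flag letters (`C`/`T`/`P` trusted, `u` user certificate, `p` prohibited, i.e. explicitly distrusted) and the `SSL,S/MIME,JAR/XPI` column layout are NSS conventions; the sample listing embedded below is constructed for illustration, and the database directory you would point `certutil` at (a Firefox profile directory, or `sql:$HOME/.pki/nssdb` for the shared system database) is an assumption about your setup.

```python
"""Classify NSS certificate-database entries by their certutil trust flags.

Added example, not part of the original Ask Ubuntu answer.  It parses the
output of `certutil -L -d <dbdir>` and reports which entries NSS trusts and
which it explicitly distrusts.  The sample listing below is constructed.
"""
import re

# One certutil -L data row: nickname, two or more spaces, then the trust
# column "SSL,S/MIME,JAR/XPI" with a (possibly empty) run of flag letters per
# purpose.  NSS flag letters: C/T/P = trusted, c = valid CA, u = user cert,
# p = prohibited (explicitly distrusted).
ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}"
    r"(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*)\s*$"
)

# Constructed sample in the shape certutil -L prints; the nicknames are made up.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Trusted Root CA - constructed                        CT,C,C
Explicitly Distrust DigiNotar Root CA - constructed          p,p,p
Example Intermediate - constructed                           ,,
Example User Cert - constructed                              u,u,u
"""


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} for each data row."""
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines, the column-name line and blank lines
        entries[m.group("nick").strip()] = (
            m.group("ssl"), m.group("smime"), m.group("jar")
        )
    return entries


def trust_state(flags):
    """Summarise a trust-flag triple; a 'p' on any purpose wins over everything."""
    if any("p" in f for f in flags):
        return "explicitly distrusted"
    if any(set(f) & set("CTP") for f in flags):
        return "trusted"
    if any("u" in f for f in flags):
        return "user certificate"
    return "no explicit trust"


def report(text):
    """Map every nickname in a certutil listing to its trust summary."""
    return {nick: trust_state(flags)
            for nick, flags in parse_certutil_listing(text).items()}


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; in practice feed it the
    # stdout of `certutil -L -d <dbdir>` for the profile you are auditing.
    for nick, state in report(SAMPLE_CERTUTIL_OUTPUT).items():
        print(f"{state:22s} {nick}")
```

Run against a real profile, an entry whose name mentions DigiNotar but whose flags contain `p` is exactly the "explicitly distrust, not deleted" case the changelog describes: it is listed so that NSS can refuse it, not because it is accepted.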
3
  1. No, and not in anything Ruby-related either.
  2. No, the 'name' of malware doesn't matter. If you mean malware executables intended to run on Windows, then yes, those wouldn't work on Ubuntu.
  3. I don't think so. Mozilla does that, and Debian/Ubuntu just package stuff and add patches and configuration tweaks for their own distros.
  4. I can't find any such certificates in Firefox on 12.04
  5. I have no idea, maybe? You mention in the beginning a 'fresh' system, but then you go on saying you find trojans in a Photoshop file, and in stuff you downloaded...
steabert
  • 1,816
-2

It seems that you have two systems here - one running Windows and the other Ubuntu - is that clear?

One - Your Windows looks like it got a Trojan, and now your Ubuntu maybe has the same Trojan...

Secondly - Trojans are malware coming in without you knowing they are actually there; that is why you have an anti-virus to scan and pick them up.

Thirdly - The Trojan went from Windows over to your Ubuntu installation files, infecting your Ubuntu, while most of the Trojans that come from Windows (actually all) won't be able to even run and do anything in Ubuntu, as they are not created for Ubuntu.

Fourthly - You can scan and delete things with ClamTk, but remember, ClamTk isn't that good, because they don't tend to work on that anti-virus as much, because there shouldn't be viruses, so why create a super ClamTk and waste time developing it if they aren't going to use it actually...

You can try to install a better anti-virus like Avast; look on Google for how to do that, and look at what you can do... I doubt that you will have any problem - as Ubuntu is so immune to viruses, and definitely to those Photoshop files. Go into Windows and scan the disk - hard disk - and get it clean from that side, then everything should be fine....

Tim Botha
  • 227