
Distro: Lubuntu

Browser: Mozilla SeaMonkey

I downloaded a file from zippyshare.com the other day. I got one of those "Hello Microsoft (sic) user! You have won an iPad!" messages, and it correctly identified my ISP. It locked me out of the browser to the extent I couldn't close the tab, turn off javascript, or even close the browser. I had to kill the browser via Task Manager. Before doing so, I noted the URL of the page with the message and added the host to my hosts file.

Today, I went to zippyshare again and got a different message with a different URL. I think it was an alarmist "You have been infected" message or something similar. Again, it completely locked me out from doing anything. I killed the browser and added that host to my hosts file.

I re-opened the browser, selected to restore the session except for any tabs related to zippyshare. Then, without any action by me, I found among my browser tabs a page open to my router logon page. That was not anything I had clicked.

I'm now wondering if there is malware on my system -- or some sort of browser hijacking scheme in place -- and how to get rid of it.

Steps I've taken so far:

  • I changed my DNS server to 8.8.8.8. I thought it was that already, but it apparently wasn't.

  • I checked for unusual browser extensions. I don't remember if Chatzilla was preinstalled in SeaMonkey but I removed it, since I would never use a program like that. Everything else looked fine.

  • I turned off modem/router and disconnected all cables. By the time I get home from work, I will have a new IP address. I plan to log into my router page (with the router still off) and see if any settings have been changed.

Are there any anti-malware programs for Linux like Malwarebytes for Windows?

Is there anything else I should do?

Thanks!

Gary7QW

1 Answer


This is a very difficult and broad question to answer, but I'll try.

ZippyShare

Based on what I've seen of ZippyShare, they use an ad-revenue model to generate income. I've also noted that the site is heavily laden with popups and dialogs.

Locked out of your browser

Being locked out of your browser is probably the result of a hidden or covered dialog box. If a dialog box pops up and you cannot see it, you will find that the browser seems locked until you close that dialog box.

This is a technique used to force you to click on the dialog box, but it can get mixed up with other windows/tabs/popups and actually make it near impossible to click/close.

Killing it off with the task manager is the only real option.

You have been infected

Again, this is just a more alarmist way of trying to take your money, with statements like "We've detected XXX amounts of malware on your system, click here to repair" etc.

Router Login Page

It's unlikely this was caused by any malware; it's easy to guess the address for the majority of home user routers/modems. For example, they'll usually be in the 192.168.X.X range or the 10.1.X.X range. If a malicious script tried to open it, it wouldn't be out of the question for it to guess.

Malware

Malware on Linux is unlikely, but increasingly possible. If you're truly concerned, then I'd recommend ClamAV and BleachBit; both are available in the Ubuntu App Store or via apt-get/apt/aptitude.

Browser Safety

Outside of that, I'd suggest resetting your browser defaults, removing any unknown addons/plugins, and resetting your homepage. Additionally, adding an Adblocker like uBlock Origin to help when on places like ZippyShare, and a privacy plugin like Privacy Badger or Ghostery.

Comment-contributed options:

(thanks @Zacharee1 and @Marton)

Hosts File Blocking

This is a good way to stop the ads before they begin, but it can be a little tricky. You can get a copy of a hosts file that can be used to block ads from hpHosts, which is under the Malwarebytes umbrella.

Basically, you extract the file, copy the contents and add them to your /etc/hosts.

Safety Report

Here is a copy of Google's Safe Browsing report for zippyshare.com:

  • Some pages on this website send visitors to dangerous websites.
  • Some pages on this website install malware on visitors' computers.
  • Some downloads on this site are new or not commonly downloaded by users, and may be dangerous. Safe Browsing is warning users on these downloads. In these cases, the warnings are lifted automatically if the content is verified to be safe.
  • Dangerous websites have been sending visitors to this website, including: safelinkconverter.com, href.li, and gdaily.org.
AnotherKiwiGuy
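As an added example that is not part of the original answer, the following shell functions do the /etc/hosts merge the "Hosts File Blocking" section describes in a slightly more careful form: the downloaded list is normalised (comments and non-hosts lines dropped, host names lowercased, everything sinkholed to 0.0.0.0), only host names not already present in the hosts file are appended so existing mappings survive, and a check function reports whether a name ends up blocked. It assumes the blocklist uses the one-host-per-line `127.0.0.1 host` / `0.0.0.0 host` format that hpHosts-style lists use; the data in `demo` is constructed for this example and nothing is fetched from hpHosts. Writing to the real /etc/hosts needs root, and a backup copy of the file first.

```shell
#!/bin/sh
# Added example (not the answer's own code): merge a hosts-style blocklist
# into a hosts file without clobbering entries that are already there.

# Normalise a raw blocklist: drop comments, blank and malformed lines, keep
# only "127.0.0.1 host" / "0.0.0.0 host" entries, skip the localhost lines
# such lists usually carry, sinkhole to 0.0.0.0, lowercase, deduplicate.
normalize_blocklist() {
    # $1: path to the downloaded blocklist file
    sed -e 's/#.*//' -e 's/[ \t]*$//' "$1" |
    awk 'NF == 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") &&
         tolower($2) != "localhost" && tolower($2) != "localhost.localdomain" {
             print "0.0.0.0 " tolower($2)
         }' |
    sort -u
}

# Append normalised entries to a hosts file, skipping any host name already
# present there (under any address), so a local mapping such as
# "192.0.2.10 tracker.example.org" is never overridden by the blocklist.
merge_hosts() {
    # $1: hosts file to update (e.g. /etc/hosts, needs root); $2: normalised blocklist
    hosts="$1"; block="$2"
    tmp=$(mktemp)
    awk 'FILENAME == ARGV[1] {
             if ($0 !~ /^[ \t]*#/ && NF >= 2)
                 for (i = 2; i <= NF; i++) seen[tolower($i)] = 1
             next
         }
         !(tolower($2) in seen) { print }' "$hosts" "$block" > "$tmp"
    cat "$tmp" >> "$hosts"
    rm -f "$tmp"
}

# Succeed if the hosts file sinkholes the given name (maps it to 0.0.0.0 or
# 127.0.0.1); fail otherwise. Comparison is case-insensitive.
is_blocked() {
    # $1: hosts file; $2: host name to check
    awk -v h="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $0 !~ /^[ \t]*#/ && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) if (tolower($i) == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Self-contained run on constructed data (not real hpHosts content): prints
# the merged hosts file and returns 0 if malware.example.com was sinkholed
# while the pre-existing tracker.example.org mapping was left alone.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed blocklist, hpHosts-style' \
        '127.0.0.1 localhost' \
        '127.0.0.1 Ads.Example.Net   # trailing comment' \
        '127.0.0.1 tracker.example.org' \
        '0.0.0.0 malware.example.com' \
        'this is not a hosts line' > "$d/blocklist.txt"
    printf '%s\n' '127.0.0.1 localhost' \
        '127.0.1.1 lubuntu-box' \
        '192.0.2.10 tracker.example.org intranet-alias' > "$d/hosts"
    normalize_blocklist "$d/blocklist.txt" > "$d/block.norm"
    merge_hosts "$d/hosts" "$d/block.norm"
    cat "$d/hosts"
    is_blocked "$d/hosts" malware.example.com && ! is_blocked "$d/hosts" tracker.example.org
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Against a real system you would run `normalize_blocklist hosts.txt > block.norm` on the extracted hpHosts file, then `sudo sh -c 'merge_hosts /etc/hosts block.norm'` from a shell that has sourced these functions, and spot-check with `is_blocked /etc/hosts some.ad.host`. Because the merge only appends, re-running it after a new download adds only the hosts that are genuinely new.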