Author Topic: Opened infected torrent download exe and lost access to Windows partitions  (Read 656 times)

Offline snowy46
Hi,
I have a new Dell Win10 Inspiron 15 I've put Peppermint9, and Ubuntu18.4, on, and was trying to unpack an old Premiere rar exe I downloaded from somewhere (while in Pep), the screen flashed in that sickening way, and after I can't write to 2 Windows partitions, but can see and copy from them. At the time, a Windows data partition was open and I was connected to Internet. This has never happened before w Pep or Ubuntu, and is quite crippling since I wanted to use Peppermint most of the time, and only use Windows for some specific programs offline. Inability to write to the 8 or so partitions on this gigantic HD would be disastrous.  Haven't booted up Windows or connected to Internet since.

Should I try some boot scan on Windows or Pep, though I'm not sure about how they work on GPT or UEFI disks? Obviously it is some permission change; what would be a limited test (1 partition) command and a global command to revert it to full write permission? Anyone heard of this as an exploit against Linux?

BTW, what is a good disc burning program for Peppermint?

Online PCNetSpec
How exactly were you opening a windows executable (.exe) in Peppermint ?
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline snowy46
Just unpacked the rar to scan it with Clamav, thought that would be safe in Linux.

Online VinDSL
I [...] was trying to unpack an old Premiere rar exe

Maybe this: https://www.engadget.com/2019/03/15/winrar-bug-malware/

A lot of users aren't aware of it...   ;)

I wouldn't touch a rar file, if you put a gun in my mouth and beat me with a rubber hose.

Just saying...

Offline snowy46
But you hear 100 times that Linux is invulnerable to viruses, so how did that change the Pep9? Or it didn't, and just changed the permissions on the Windows partitions and infected the boot? I did reboot to see if Ubuntu could write to the Windows partitions - the answer is No. Can I keep using Peppermint safely?

Online VinDSL
Here's an article with the attack vectors: https://research.checkpoint.com/extracting-code-execution-from-winrar/

In the side notes:

Quote
Toward the end of our research, we discovered that WinACE created an extraction utility like unacev2.dll for linux which is called unace-nonfree (compiled using Watcom compiler). The source code is available.

'unace' & 'unace-nonfree' are still in the Ubu repos, but aren't installed in Peppermint OS by default.

The Linux community, as a whole, really isn't aware of how huge this vuln is. Maybe the upstream devs *think* Linux doesn't get viruses, too.

Who knows? It's early in the game, and I'm NOT saying that's what happened to you, without fuzzing it. But, the possibility is definitely there, IMO, as long as those utilities are present in the repos.

Circle of influence - circle of concern. The only thing I would suggest is staying away from anything to do with rar.

That's what I'm doing.  ;)
« Last Edit: April 28, 2019, 07:03:08 pm by VinDSL, Reason: Clarification »

Offline snowy46
I've got unace at: /snap/core/6673/usr/share/bash-completion/completions and usr/share/bash-completion/completions

Online PCNetSpec
Okay look, that .rar malware is used to install malware IN WINDOWS .. not IN WINDOWS VIA LINUX.

There is no way that I can think of where unpacking a .rar in Linux would cause malware to be installed to a separate Windows partition .. first the .exe would need to be able to run in Linux (highly unlikely unless you were running it in WINE), then it would need write permission outside your home directory (requiring your root password), then it would need to scan other partitions for a windows filesystem and Windows itself, then dump its payload in Windows.

I've never heard of such a thing .. though **theoretically** it'd be possible to author such a thing it would also require the Linux user to shoot himself in the foot by being logged into Linux as root .. also bear in mind if this is an old archive this trans-platform mega-virus would have made the press for sure.

This is a coincidence.
« Last Edit: April 28, 2019, 07:09:10 pm by PCNetSpec »

Offline snowy46
Well, OK. But something happened and I still can't write to Windows. Program wasn't that old - Elements7, and there was a virus warning in comments, I thought it was the standard keygen thing, but that just unpacking something wasn't that dangerous in Linux. Used Peppermint/Ubuntu for 8 years and never had it not be able to write to Windows. You have any ideas for debugging or analysis??
« Last Edit: April 28, 2019, 07:31:28 pm by snowy46 »

Online PCNetSpec
I thought it was the standard keygen thing, but that just unpacking something wasn't that dangerous in Linux.

and you'd pretty much be correct (unless you then executed whatever was inside, it was capable of running in Linux, and it could break out of your home folder because you'd been daft enough to manually execute it whilst logged on as root) .. something tells me you weren't daft enough to shoot your own foot off by going through this unlikely series of steps, which is why I seriously doubt this is connected.

FYI...

Peppermint won't write to Windows if the Windows file system is flagged as 'dirty' (i.e. corrupt, possibly because Linux was shut down incorrectly with the Windows file system mounted); Linux will mount a 'dirty' filesystem read-only to save doing further damage.

You have 4 options

a) Boot Windows, and run a file system check (chkdsk) .. once Windows fixes its own file system, reboot to Linux and Linux will mount the 'clean' file system read/write.

b) Use GParted to try to fix the Windows file system. (last resort)

c) Manually remount the Windows file system read/write. (risks further damage)

d) Use a third party disk such as sysinternals (or simply a Windows installation media) to run a file system check (chkdsk).

Personally I'd go with A or D .. I only use Linux to fix Windows file systems as a last resort .. better to let Windows fix its own file system mess.
« Last Edit: April 28, 2019, 08:22:44 pm by PCNetSpec »

Offline snowy46
If I was logged into Synaptic or Software Mngr as root, could some exploit use that?

Hmm, now that I think about it, maybe it was something as simple as rebooting into Pep without doing a full shutdown of Windows; it seems this Dell is quite sensitive to that, as I heedlessly switch between OSes. But I think I had written to Win partitions earlier in the same session. OK, thanks... will try your suggestions after I finish this episode of Billions. But, as I said, that virus infection screen flash is quite distinctive.

Online PCNetSpec
If I was logged into Synaptic or Software Mngr as root, could some exploit use that?

Unlikely, because neither Synaptic nor the software manager are able to write to a Windows partition .. any virus would first need to infect Linux, then need to recode those applications before infecting Windows.

As I said, it's not **impossible** that this kinda thing could be written, but why ?

I mean it'd be MUCH easier to just infect Linux from within Linux (or Windows from within Windows) .. and yet nobody's done the former, and if they did (and worse still make it capable of overcoming Linux defences and able to jump across platforms) it'd be MASSIVE news.

[EDIT]

And think about it .. why would anyone create a virus that uses Linux to infect Windows (with all the barriers in place to stop that), THEN HIDE IT IN AN ARCHIVE CONTAINING WINDOWS SOFTWARE (which is far less likely to ever get opened on a Linux system) :-\ .. it just makes no sense even if it were possible.

Virus authors aren't stupid (just prats); they'll take the path of least resistance and the greatest scope for spread .. they're not going to take the hardest possible path to infect Windows (via Linux). Any virus written with this in mind would be doomed to failure from the get-go.
« Last Edit: April 28, 2019, 08:58:58 pm by PCNetSpec »

Offline snowy46
Well, after doing careful shutdowns of both systems, I still can't write to Windows. Maybe reinstalling GRUB from the Pep9 disk would delete some malware there; is that a standard boot choice? How big is GRUB in total and where does it sit on the 1st UEFI partition (which is 500 MB or so)?

Online PCNetSpec
Did you run chkdsk on the Windows partition (from within Windows) ?

I can talk you through reinstalling GRUB if it'll make you feel better .. but I'll guarantee that's not the problem here.

Open the Windows partition in the file manager .. now post the output from

    mount

and

    dmesg | grep mount
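The check PCNetSpec is asking for, as an added example that is not from the thread: parse `mount` output for NTFS (fuseblk) entries and report whether each came up read-write or read-only, then map the ntfs-3g log message that accompanies a read-only fallback to its cause. The mount lines are a constructed sample modelled on the output posted in this thread (the read-only sda5 entry is invented), and the log lines are constructed in the wording ntfs-3g uses; the hibernated-volume case is a cause the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not from the thread: report whether each NTFS (fuseblk)
# mount in `mount` output is read-write or read-only, and classify the
# ntfs-3g log message that explains a read-only fallback.

# Constructed sample modelled on the `mount` output in this thread; the
# second fuseblk line (sda5, read-only) is invented for illustration.
SAMPLE_MOUNT='/dev/sda12 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077)
/dev/sda3 on /media/mako-pep9/OS type fuseblk (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096,uhelper=udisks2)
/dev/sda5 on /media/mako-pep9/Data type fuseblk (ro,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096,uhelper=udisks2)'

# ntfs_mount_state "<mount output>" prints "<device> <mountpoint> rw|ro"
# for every fuseblk/ntfs mount (mount points containing spaces are not handled).
ntfs_mount_state() {
    printf '%s\n' "$1" | awk '
        $4 == "type" && ($5 == "fuseblk" || $5 == "ntfs" || $5 == "ntfs3") {
            opts = $6; gsub(/[()]/, "", opts)
            state = "ro"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "rw") state = "rw"
            print $1, $3, state
        }'
}

# ntfs_ro_reason "<log text>" maps ntfs-3g mount-time messages to a cause:
#   dirty      - volume flagged unclean (chkdsk in Windows clears the flag)
#   hibernated - Windows was hibernated / fast-started, not fully shut down
#   unknown    - no recognised message present
ntfs_ro_reason() {
    case "$1" in
        *"unclean file system"*) echo dirty ;;
        *"is hibernated"*)       echo hibernated ;;
        *)                       echo unknown ;;
    esac
}

# Constructed log lines in the wording ntfs-3g uses when it refuses
# read-write access.
SAMPLE_LOG_DIRTY='ntfs-3g[1234]: The disk contains an unclean file system (0, 0).
ntfs-3g[1234]: Metadata kept in Windows cache, refused to mount.
ntfs-3g[1234]: Falling back to read-only mount because the NTFS partition is in an unsafe state.'
SAMPLE_LOG_HIB='ntfs-3g[1234]: Windows is hibernated, refused to mount.'

# Stand-alone demo on the constructed samples.
ntfs_mount_state "$SAMPLE_MOUNT"
ntfs_ro_reason "$SAMPLE_LOG_DIRTY"
```

On a live system run `ntfs_mount_state "$(mount)"`; if the Windows volume shows `ro`, feed the ntfs-3g lines from `journalctl` or `dmesg` to `ntfs_ro_reason` to tell a dirty flag from a hibernated Windows before deciding between chkdsk and a forced remount.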

Offline snowy46
Chkdsk showed no problem. After I did the Giant Ver 1809 Windows10 Feature Update (3 hours) it now writes to Windows partitions, but I did boot up Pep in recovery mode for a change. Did find some PUP in Firefox.
ClamAV finds PUA.Win.Downloader.Aiis-6803892-0 in 4 places in var/lib/flatpak/runtime (.exe) + /repo. Is that part of NTFS mounting? Are they essential, and is warning valid?

This is the mount output while Win access is OK (sorry, I have 16 partitions - home Windows is OS):

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=3995384k,nr_inodes=998846,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=803512k,mode=755)
/dev/sda12 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=1337)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
configfs on /sys/kernel/config type configfs (rw,relatime)
tracefs on /sys/kernel/debug/tracing type tracefs (rw,relatime)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
sunrpc on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
/var/lib/snapd/snaps/core_6673.snap on /snap/core/6673 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/midori_451.snap on /snap/midori/451 type squashfs (ro,nodev,relatime,x-gdu.hide)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=803508k,mode=700,uid=1000,gid=1000)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
/dev/fuse on /run/user/1000/doc type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
/dev/sda11 on /media/mako-pep9/_swap type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
/dev/sda3 on /media/mako-pep9/OS type fuseblk (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096,uhelper=udisks2)

$ dmesg | grep mount
[    5.615567] EXT4-fs (sda12): mounted filesystem with ordered data mode. Opts: (null)
[    8.654739] EXT4-fs (sda12): re-mounted. Opts: errors=remount-ro
[  556.892458] EXT4-fs (sda11): mounted filesystem with ordered data mode. Opts: (null)

Oh, when it asks "Do you want to empty trash" on closing Windows partitions, should I say yes or no? Any way to force the text editor to always save as .txt? Any Peppermint tricks for Dells? I had a doozy of a time getting both the volume control and brightness function keys (F2, 3, 11, 12) to work correctly. What should be the default sound plan for a Dell Inspiron? I reverted to simple Audio Analog Stereo, but think it was more complex before (Duplex?).