If we suppose that attacker have a 0day exploit for Firefox or other browser and can use this vulnerability by Man-In-TheMiddle attack or other, how can Linux/Ubuntu user secure himself from downloading suspicious-ware (like keyloggers or other stuff that can can access to user's OS / escalate previlegies) and executing command on users OS?

Also what other ways attack can root the user's OS if user do not downloading suspicious software and using auto-updates from original server? I think thats updates can be substituted too by the Man-In-The-Middle attack. Am I right?

With 0-day exploit no security is possible. Though you can limit it with selinux, or other macs, running with a non-root user, sandboxing. To minimise exploit you should turn javascript off or else only visit trusted sites. even if javascript is disabled there may be exploits of loaded images, videos, audios and even html/xhtml.

Updates are usually signed with public cryptography keys to check the authenticity and integrity of downloaded updates. So a man in middle attact is eliminated but only if you installed the OS from a genuine source and by checking it's integrity in the first place. The genuine OS has the public keys off upstream.

if you are really "paranoid" you can run a new, different os in a vm and run the browser inside. After browsing you drop the image and restore the saved original, so all of the occasional modifications will be lost.

In other words get in the internet by the LiveCD?

What means checking the integrity in first place?

I dont know english very well , dont understand what is this mean

The iso or physical cd/dvd has public keys used for signing the packages. They are used to check integrity as well as authenticity of the packages in that iso/cd/dvd as well as any package/transaction through internet to the distro site(upstream). But you should be sure that iso/cd/dvd is genuine in first place. For iso they usually post a checksum; md5 or sha. But there can be man in the middle attack of the network and other attacks that can alter this md5, sha hash. Best is using pgp or gpg to check digital signature of the downloaded iso (if the distro provides). For even digital signatures you need to get the public key from a trusted party (key signing party).

He ment using a VirtualBox, Qemu or Vmware to run the distro in Virtual Machine. After install you make a baseline snapshot of the system. And then use it to browse the internet and revert back to baseline snapshot for a new start of browser session.

You can use a live-cd also. But it won't provide the necessary isolation. But even VM's had bugs which make their isolation broken.

What chances that Firefox or Chrome have a 0day vuln. in hacker's underground? Or somebody it have? We never know but anyway its really possible?

However, I think I got the some backdoor on my Ubuntu. Earlier I thought it happens by replacing Ubuntu updates but (I sure about distro is original) you crush my supposes by this public keys thing. So now I'm starting to think that I got backdoor by MITM attack with Firefox vulnerability.

And I doubt that rkhunter or some other tools can help me out because attack on me personified so I dont think public tools can solve my problem. And I can't 100perc proof about compromising my system but I have some guesses and I think best way to keep clean system is be 100perc sure that my OS can not be compromised thats why I'm asking this really paranoid theoretically thinks about 0-day. The point is that attack on me is personified.

You can have a measure of bug/vulnerabilities by seeing security announcements in sites like lwn.net, or cve.mitre or in the browsers release pages (which quote number of bugs fixed since previous release).

One thing to be remembered software (OS + Apps/Programs) are developed with either security at first in mind (E.g. openbsd.org) or otherwise. And I say browsers (Firefox or Chromium) and most general applications are developed in the latter category. You will see/read in news that google organises bug bounty programs ( Find bugs for prize/cash) but yet you would read 0-day and other security vulnerabilities in them.

1 members found this post helpful.

Rkhunter only detects known rootkits. It won't find all specially yet unknown ones.

Please read openbsd.org page on security.

There are even hardware and software developed for military spec grades; web search to find them.

There are also OS's based on microkernel's which provide increased security. E.g. SeL4, Fiasco. Pistachio

1 members found this post helpful.

Noone knows and also If someone knows about one he would not tell you that.

If you have already got a backdoor you ought to reinstall that os (or solve it somehow). Move your important data onto another drive and be able to replace your os quickly.

Install and run clamav, that should detect most known viruses, trojans and other malware. rkhunter will help too.

So you believe that someone wrote malware specifically for you, and that it thus won't be detected by publicly available tools. That's really paranoid, like you said. What makes you think this ?

I think you are using these terms without knowing exactly what they mean. Just relax a bit and provide more info about why you think you are the target of malware.

1 members found this post helpful.

Yes, Reinstall OS is not a problem. But If it (compromising) happens once it can happens X times more... Because of ways that can compromise me (or probably compromised already) I think relatively to web-browser vulnerability.

I dont sure about software writed especially for me, but I mean personified attack that its not have a purpose infect a maximal pc's but just spy for one person. So its may (Im quite sure it do) use some extraordinary/unusual methods to compromise OS. I really can't tell you why I think it about myself but its connected to my opposition politician activity in [undisclosed country].

If your only concern is downloading malicious software (and it probably shouldn't be), don't download anything. If someone has a zero day for Firefox, don't use Firefox. The chances that someone has a zero day for a less-used browser like links are really quite small, even though it is less clear that they are less exploitable, just of less interest to 'ordinary' hackers/crackers.

Oh, and never have anything to do with Flash. Nothing. Turn everything off that you can in your browser. Virus scan everything that you can (even though it probably won't help). Use rkhunter before you ever connect to the internet and establish a baseline. Repeat the rkhunter thing regularly and frequently (having read the documentation first, of course...for some reason that isn't the way people always approach it).

Do as much as you can in a VM, and probably use a separate VM for accessing the internet to the one you use for everything else. Consider nuking the VMs from time to time.

Of course, this all implies backups. That shouldn't need saying. But it might be worth saying that, if you have all these backups around, someone might try to steal one.

Could you explain that in other words, because I'm not sure that I've fully understood.

There is a possibility of MitM attacks, but it should be difficult, given your Distro's package signing, but I can't say that I know enough about it for that particular distro. Obviously, you should not use public WiFi for any updates, as that does make MitM attempts easier. Probably run your own DNS cache, connecting to at least a vaguely trusted DNS server (say DNSMasq, not connected to the most obvious upstreams (and with DNSSEC deployed to an upstream that uses that)...not Bind, as it is just too heavy for a personal workstation, and too widely used and too frequently in receipt of security updates, you could also try DJBDNS, which by default at least, used to use root servers as its upstreams and has a good history - not everyone can or would like to do this, particularly as there would be a speed penalty).

@veerain
From memory, that isn't true. As far as I remember, when you run it in 'initial scan' mode (that isn't what it is called, as will be quickly apparent, when you read the documentation), it takes a fingerprint of a variety of key executables. If they change, it will report that on subsequent runs.

This is why it is critical to make that initial scan run before there have been any changes (pref before connecting to the internet at all), and to keep up with re-running, so that you see immediately/quite soon if anything critical has changed. Apart from anything else, if you find out that something critical changed four months ago, the chances are that you have no idea whether there was a legitimate change then which explains it. Four minutes ago and that's a different story.

And that's the reason that statement is wrong. If you detect a change, that is a change, whether that change is personalised to you or not. Now that's not to say that Rkhunter will detect everything that is, or could be, malicious, but it isn't the case that it has no application in the case that some greater power is trying to get at you personally (and has/thinks it worthwhile to deploy the resources needed to do this).

One thing that does concern me a little, and seems quite common, puzzlingly, is that you seem to trying to do a few things (the few things that you have heard of, presumably) superbly, rather than trying to do everything adequately well. There are many security threats, and you have to be on top of each of them, and having done a 'Fort Knox job' on one or two (yeah, even physical security threats) isn't going to do it.

1 members found this post helpful.

Oh, well in that case you have a powerful and dangerous adversary. You better lock your system down tight. Even so, consider your system as potentially compromised.

The only way that malware can be undetectable is if it is new or if it is hardware or firmware based. Hardware and firmware based malware is very difficult to detect.

Make sure to run a firewall, closely monitor traffic for any unusual activity. As said before do full scan with clamav and rkhunter. Any packages you install should be verified to be signed using the private key of your distribution (use 'gpg --verify' on the .asc file).

If you want to know more about public key cryptography, check the wiki and the gnupg documentation. Basically, a file signed by the private key of a trusted entity using a good hash algorithm is your best guarantee that the file has not been maliciously modified in transit or otherwise.

//Just so you know: please note that while it's the OP's own responsibility to remove, obfuscate or leave out any identifying markers I thought it best to remove country details here.

If you are personally targeted by a skilful adversary then there are at least three things to consider:
0) past data (on record) tied to your Real Life person and or aliases,
1) ensuring a safe working environment,
2) ways to hamper, evade or mislead surveillance (to "decouple the hounds" so to speak).

As for #0 only you know how long and where you've been acting in less - or insecure ways and in which way your actions may (have) attract(ed) attention. While it seems like an insurmountable task you should assess the "damage" as objectively and precisely as possible. With respect to #1: while some tout using Live CDs or disposable VMs as better-than-sliced-bread it actually is not something you should rely on. That's convenient for your adversary and not for you because by erasing volatile data you have no audit records of what went on. You have to widen your scope, think up a strategy first, then think about the implications and risks and only then act on it. This, together with #2, will make you aware of what you must be prepared to do (and where) to minimize the risks for you and yours. Chances are you will at least have to limit yourself to the most basic means of communication as "modern" hardware and software in terms of hooks for data acquisition and tracing. Depending on what you're up to it would also be wise to (openly?) seek out and gain (legal?) advice from practically skilled, knowledgeable persons in your area or organizations who know "the lay of the land" so to speak to establish some "plan B".

It would be helpful if you could post more detail on what you hardware / software you use, what you suspect et cetera.