LinuxQuestions.org


snowweb 10-02-2012 12:23 AM

Track down and prevent launch of Thunderbird Bamboo plugin content?
 
I was browsing my feeds using the Thunderbird plugin 'Bamboo' a couple of days ago, when one of the feeds I opened wasn't what I expected; it opened a page advertising the "Buddies Locator" with the page title, "Entertainment Factory".

The page did not appear to function as intended. It has no links, just bright graphics and text.

It was interesting because it displayed an input field, claiming that if you input a mobile number, it can locate that phone's current position. I tried it and it didn't work, so I closed the tab.

Now every time I open Thunderbird, it opens again, but worse still, the Java or JavaScript it's using is causing the whole screen to flash and somehow even seemed to cause Firefox to do some weird stuff.

How can I track this down, prevent it launching, etc?

I'm running Ubuntu 12.04 with the KDE4 desktop and all the latest updates.

Thanks in advance.

unSpawn 10-02-2012 07:46 AM

Quote:

Originally Posted by snowweb (Post 4794560)
I was browsing my feeds (..) a couple of days ago, when one of the feeds (..) opened a page (..) It was interesting because it displayed an input field, (..) I tried it and it didn't work, (..) I'm running Ubuntu 12.04 with the KDE4 desktop and all the latest updates.

Both advertising and malvertising try to overcome their intrusive nature, access vector or true nature by appealing to, confusing or luring people into doing things. Careful wording and seemingly official graphics try to establish a sense of urgency or trustworthiness, and the promise of relief or reward equally entices the gullible to continue. Past examples of malvertising, malware and virus infections alike teach you that if an offer is too good to be true, then it really is.

You've shown us the perfect example of what not to do.


Quote:

Originally Posted by snowweb (Post 4794560)
Now every time I open Thunderbird, it opens again, but worse still, the Java or JavaScript it's using is causing the whole screen to flash and somehow even seemed to cause Firefox to do some weird stuff. How can I track this down, prevent it launching, etc?

Launch your troubled Thunderbird account in safe mode and export your email and address book, then create a new, clean account and import your email and address book and see if that works.

snowweb 10-02-2012 11:07 AM

Thanks for your reply. Are you so fast to judge everyone you've never met?

I have a dozen or so email accounts and various other types of accounts (IRC and news groups), plus themes and a couple of dozen plug-ins, so I'm afraid it is not feasible at this stage to migrate all of that to a new profile.

I have today, however, discovered that if I don't open Bamboo, then the problem doesn't appear. Therefore, I suspect that by removing Bamboo, then removing the plug-ins' directory, I can then add a new Bamboo plug-in and the problem should be solved.

If that doesn't solve it, then probably rolling back the profile directory to a backup that's 3 to 4 days old should fix it (since the mail itself is stored in a separate directory).

Thanks for your time.

Noway2 10-02-2012 11:44 AM

I would recommend using the find command and verifying files have been modified since the time and date of the infection. If you're lucky, the infection has been contained to the plugin location and removing it will solve your problem. If it does not, you will need to become more aggressive, like excising your Thunderbird account. If you have a backup to a time period prior to the incident, that would be a safer and more comprehensive approach than trying to remove the infection.
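
Added example (not part of Noway2's post): one way to run the find check suggested above against a Thunderbird profile directory and see whether the changes are confined to one area such as the plugin location. It assumes GNU find (for `-newermt` and `-printf`); the profile path and cutoff time are supplied by the user, and the mail stores (`Mail/`, `ImapMail/`) are skipped because they change with every mail fetch.

```shell
#!/bin/sh
# Added example: triage a profile directory by modification time.
# Usage (path and time are placeholders, not values from the thread):
#   sh profile_triage.sh ~/.thunderbird/<profile> '2012-09-29 00:00'

# modified_since DIR CUTOFF
#   Print "mtime<TAB>path" for every regular file under DIR whose
#   modification time is later than CUTOFF, oldest first.
#   Note: mtime can be set back by whoever wrote the file, so an empty
#   result is not proof that nothing changed.
modified_since() {
    dir=${1%/}
    cutoff=$2
    find "$dir" \
        \( -path "$dir/Mail" -o -path "$dir/ImapMail" \) -prune -o \
        -type f -newermt "$cutoff" \
        -printf '%TY-%Tm-%Td %TH:%TM\t%p\n' | sort
}

# changed_areas DIR CUTOFF
#   Print "top-level-entry<TAB>count" for the same set of files, to show
#   at a glance whether changes are limited to e.g. extensions/ or are
#   spread across the profile (prefs.js, user.js, other directories).
changed_areas() {
    dir=${1%/}
    cutoff=$2
    find "$dir" \
        \( -path "$dir/Mail" -o -path "$dir/ImapMail" \) -prune -o \
        -type f -newermt "$cutoff" -printf '%P\n' |
        cut -d/ -f1 | sort | uniq -c |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print $0 "\t" n }'
}

# Run only when called with a directory and a cutoff time.
if [ "$#" -eq 2 ]; then
    echo "== files modified since $2 =="
    modified_since "$1" "$2"
    echo "== changed files per top-level entry =="
    changed_areas "$1" "$2"
fi
```

Run it with Thunderbird closed, and compare the listed files against the same paths in a backup taken before the cutoff before deleting or restoring anything.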

snowweb 10-02-2012 12:34 PM

Thanks for that, Noway2. Hadn't thought of that. Will have a look in the morning and see what find turns up. I do have daily backups going back a long way, so will make a decision about using them, based on the result on the modified files over the last 2 or 3 days.

It's gone midnight here so must sleep now :-)


All times are GMT -5.