LinuxQuestions.org
Old 10-01-2012, 11:23 PM   #1
snowweb
Member
 
Registered: May 2008
Distribution: Ubuntu12, CentOS6
Posts: 61

Rep: Reputation: 0
Track down and prevent launch of Thunderbird Bamboo plugin content?


I was browsing my feeds using the Thunderbird plugin 'Bamboo' a couple of days ago, when one of the feeds I opened wasn't what I expected; it opened a page advertising the "Buddies Locator" with the page title, "Entertainment Factory".

The page did not appear to function as intended. It has no links, just bright graphics and text.

It was interesting because it displayed an input field, claiming that if you input a mobile number, it can locate that phone's current position. I tried it and it didn't work, so I closed the tab.

Now every time I open Thunderbird, it opens again, but worse still, the java or javascript it's using is causing the whole screen to flash and somehow even seemed to cause Firefox to do some weird stuff.

How can I track this down, prevent it launching, etc?

I'm running Ubuntu 12.04 with the KDE4 desktop and all the latest updates.

Thanks in advance.
 
Old 10-02-2012, 06:46 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
Quote:
Originally Posted by snowweb
I was browsing my feeds (..) a couple of days ago, when one of the feeds (..) opened a page (..) It was interesting because it displayed an input field, (..) I tried it and it didn't work, (..) I'm running Ubuntu 12.04 with the KDE4 desktop and all the latest updates.
Both advertising and malvertising try to overcome their intrusive nature, access vector or true nature by appealing to, confusing or luring people into doing things. Careful wording and seemingly official graphics try to establish a sense of urgency or trustworthiness, and the equal promise of relief or reward entices the gullible to continue. Past examples of malvertising, malware and virus infections alike teach you that if an offer is too good to be true, then it really is.

You've shown us the perfect example of what not to do.


Quote:
Originally Posted by snowweb
Now every time I open Thunderbird, it opens again, but worse still, the java or javascript it's using is causing the whole screen to flash and somehow even seemed to cause Firefox to do some weird stuff. How can I track this down, prevent it launching, etc?
Launch your troubled Thunderbird account in safe mode and export your email and address book, then create a new, clean account and import your email and address book and see if that works.
 
Old 10-02-2012, 10:07 AM   #3
snowweb
Member
 
Registered: May 2008
Distribution: Ubuntu12, CentOS6
Posts: 61

Original Poster
Rep: Reputation: 0
Thanks for your reply. Are you so fast to judge everyone you've never met?

I have a dozen or so email accounts and various other types of accounts (IRC and news groups), plus themes and a couple of dozen plug-ins, so I'm afraid it is not feasible at this stage to migrate all of that to a new profile.

I have today, however, discovered that if I don't open Bamboo, then the problem doesn't appear. Therefore, I suspect that by removing Bamboo, then removing the plug-ins' directory, I can then add a new Bamboo plug-in and the problem should be solved.

If that doesn't solve it, then probably rolling back the profile directory to a backup that's 3 to 4 days old should fix it (since the mail itself is stored in a separate directory).

Thanks for your time.
 
Old 10-02-2012, 10:44 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
I would recommend using the find command and verifying files have been modified since the time and date of the infection. If you're lucky, the infection has been contained to the plugin location and removing it will solve your problem. If it does not, you will need to become more aggressive, like excising your Thunderbird account. If you have a backup to a time period prior to the incident, that would be a safer and more comprehensive approach than trying to remove the infection.
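
The find-based check suggested in the post above, as an added example that is not part of any post in this thread. It assumes GNU find; the profile path and cutoff time are placeholders, and the tag names (EXTENSION, MAILSTORE, CONFIG, OTHER) are labels chosen for this example.

```shell
#!/bin/sh
# Added example: list files in a Thunderbird profile that changed after a
# cutoff time, newest first, tagged by where they live in the profile.
# Assumptions: GNU find (-newermt, -printf); the profile directory is
# something like ~/.thunderbird/<profile> (placeholder, not a real name).

# modified_since PROFILE_DIR "YYYY-MM-DD HH:MM"
# Prints one line per file: "<date> <time> <tag> <path relative to profile>"
modified_since() {
    profile=$1
    cutoff=$2
    (
        cd "$profile" || exit 1
        # -xdev: stay on one filesystem; -type f: regular files only.
        # %P prints the path without the leading "./".
        find . -xdev -type f -newermt "$cutoff" \
             -printf '%TY-%Tm-%Td %TH:%TM %P\n' |
        sort -r |   # ISO-style timestamps sort correctly as text
        while read -r day clock path; do
            case $path in
                extensions/*)      tag=EXTENSION ;;  # add-on code and data
                Mail/*|ImapMail/*) tag=MAILSTORE ;;  # changes on every fetch
                *.js|*.json)       tag=CONFIG ;;     # prefs and session state
                *)                 tag=OTHER ;;
            esac
            printf '%s %s %-9s %s\n' "$day" "$clock" "$tag" "$path"
        done
    )
}

# Stand-alone use: script.sh ~/.thunderbird/<profile> "2012-09-29 00:00"
if [ $# -eq 2 ]; then
    modified_since "$1" "$2"
fi
```

Entries tagged MAILSTORE are expected on any active account; EXTENSION and CONFIG entries dated after the incident are the ones to compare against the last known-good backup.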
 
Old 10-02-2012, 11:34 AM   #5
snowweb
Member
 
Registered: May 2008
Distribution: Ubuntu12, CentOS6
Posts: 61

Original Poster
Rep: Reputation: 0
Thanks for that Noway2. Hadn't thought of that. Will have a look in the morning and see what find turns up. I do have daily backups going back a long way, so will make a decision about using them, based on the result of the modified files over the last 2 or 3 days.

It's gone midnight here so must sleep now :-)
 
  


All times are GMT -5.