So I had little luck searching around but finally stumbled across something here https://bugs.launchpad.net/ubuntu/+source/ibus/+bug/1766503 because one of the processes was naming itself ibus something or other. And someone in this bug list pointed to a couple of pages describing trojans
https://bugs.launchpad.net/ubuntu/+source/ibus/+bug/1766503 and
https://www.reddit.com/r/Addons4Kodi/comments/8eto78/people_using_unofficial_kodi_addon_on_linux/ which put me onto the bad files.
I found that the bad executables were in /tmp/ and when I tried to upload one of them to virustotal.com the file disappeared. So I looked and saw that it had simply recreated itself with a new name, so I made a copy of the executable and uploaded THAT to virustotal. Somewhere in this process I had installed ClamAV from the repo and ran it with no luck. I also scanned this executable that I copied and ClamAV said it was fine.
VirusTotal gave me the following:
ClamAV didn't recognize this at VirusTotal either, but several engines did. Since the virus runs out of /tmp and is apparently installed in my user directory, I didn't think reinstalling the OS would do anything, so I dug a little deeper and found a link to this github that listed the files/folders that contained the scripts that started the virus program up: https://github.com/Saren-Arterius/dbus-daemon-trojan-sample. I found and deleted the files shown and edited the .bash* files that had scripts appended to the end of them that would execute the virus.
All seems to be well now.
Oh, I also did a file search in my home folder for any files matching the same size as the virus and found none remaining.
find ~/ -type f -size 3321680c -exec ls {} \;
So if you have a coin mining virus in Linux, this *might* help you.
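The steps above (copy the sample before it disappears, then sweep for same-size files and look at the .bash* start-up files), written up as an added shell example that is not part of the original post; the paths and byte sizes it is run with are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the original post): preserve a suspect binary before
# it can remove itself, then sweep for same-size copies and recently changed
# shell start-up files. Paths and sizes passed in are constructed placeholders.
set -u

# Copy the suspect file immediately and record its size and SHA-256, so the
# sample survives even if the running process deletes or renames the original.
preserve_sample() {
    src="$1"; qdir="$2"
    mkdir -p "$qdir"
    dest="$qdir/$(basename "$src").sample"
    cp -p "$src" "$dest" || return 1
    size=$(wc -c < "$dest" | tr -d ' ')
    sum=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s %s %s\n' "$size" "$sum" "$dest"
}

# List every regular file under ROOT whose size in bytes exactly matches SIZE,
# the same check the post runs against the home directory with find -size Nc.
sweep_by_size() {
    root="$1"; size="$2"
    find "$root" -type f -size "${size}c" 2>/dev/null
}

# Show .bash* files directly under HOME modified within the last DAYS days,
# with their final lines, which is where an appended launcher would sit.
check_startup_files() {
    home="$1"; days="$2"
    find "$home" -maxdepth 1 -name '.bash*' -type f -mtime "-$days" 2>/dev/null |
    while IFS= read -r f; do
        printf '== %s\n' "$f"
        tail -n 3 "$f"
    done
}
```

Run it as `preserve_sample /tmp/suspect ~/quarantine`, then `sweep_by_size ~ <size>` with the size printed, and `check_startup_files ~ 7` to review recently changed start-up files.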