2

Yesterday I ordered a package and today received an email from "DHL". I downloaded an attachment from the email and clicked it. It opened a htm page. (I did not fill out any information.)

I now realize it was malware.

I run Linux/Ubuntu. This link says this type of malware only affects Windows. I am busy and a complete reinstall would take valuable time.

Do I need to do anything? Can I do anything less than a reinstall (including /home) of the system?

cvr
  • 119
  • 4

2 Answers2

2

This does not look like malware but "only" like phishing: the attacker tries to steal login credentials from you by claiming that these are needed to proceed. These kind of attacks are very common and try to phish credentials to login to various web mail accounts or whatever the gullible victim is willing to enter in order to continue. I've got a lot of these mails myself.

Thus, while there might be also some malware inside the mail it is unlikely that you got infected since you only clicked on a HTML page attached to the mail (that's what I assume from your description) and you did this on Linux. While HTML attachments are also used to deliver malware this is usually done by embedding Javascript which downloads the malware from inside the page or rarely which embeds the malware directly. But these scripts then relies on Windows specific functionality (windows scripting host) to execute the malware and this does not usually work on Linux. It might maybe work if you are using Wine though to execute Windows programs in Linux but you probably need to have some really strange setup which makes HTML pages open with a Windows based browser instead of the Linux native one.

Of course, there might still be some attack going on which uses some previously only bugs and specifically targets Linux to delivers the payload. But unless you are a high-value target it is unlikely that such precious exploits are wasted on you, given that getting or creating this kind of yet unknown exploits is hard and can cost a lot of money.

To summarize: you are likely not infected. But maybe be more careful in the future anyway.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 1
    I once saw a system so screwed up that HTML _did_ open in Wine's Internet Explorer. Stranger still, so did JPEG images. You don't know confusion until you click a PNG and it opens in GIMP, and you click a JPEG and it opens in Wine IE. – forest Jun 11 '18 at 06:40
  • Thanks for an extensive reply. I can't remember ever clicking one of these. But yesterday I made an order and expected a package, 5 a.m. and a busy day ahead so I botched up. Not so many get past Hotmail spam protection. I wonder if they somehow detected I had an order going. (Swedish store, might send from Germany, probably not by DHL). – cvr Jun 11 '18 at 07:30
  • I wonder what they might gain from phishing DHL accounts. Maybe some people use the same passwords as for other accounts. Or maybe there is valuable information in DHL accounts. – cvr Jun 11 '18 at 08:27
  • 1
    @ycc_swe: It might just be a coincidence or the anti-spam heuristics might have realized that you are expecting mail from DHL and thus let this one pass (while blocking previous mails), assuming it was an expected mail from DHL. If an attacker sends 1000s of such mails the chance is high that some of these are received by users which actually expect mails from DHL at the moment. And, users are often confused which credentials they should enter there especially if they don't have a DHL account - so they just enter whatever credentials they usually use and hope it works. – Steffen Ullrich Jun 11 '18 at 09:30
0

Direct Quote from the Sec.SE's Canonical Q/A: Help! My home PC has been infected by a virus! What do I do now?

Do I really need to do a full reinstall? Can't I just run a couple of virus programs, delete some registry keys, and call it a day?

In theory, it is not always necessary to fully reinstall. In some cases you can clean the virus off the hard drive without a full reinstall. However, in practice it's very hard to know that you have gotten it all, and if you have one virus it is likely you have more. You might succeed in removing the one that causes symptoms (such as ugly ad popups), but the rootkit stealing your password and credit card numbers might go unnoticed.

The only way to kill everything is to wipe the hard drive, so your best option is always to nuke it from orbit. It's the only way to be sure.


This being said, you know the potential risks ... is it worth it? Only you can really decide. Personally I would do it as penance for the mistake of clicking that link.

CaffeineAddiction
  • 7,567
  • 2
  • 21
  • 41