Recent Flash Impostor (virus) can't be blocked?

For discussions about security.
VIRIDIAN
Posts: 15
Joined: Thu 21 Jan 2010, 23:28

Recent Flash Impostor (virus) can't be blocked?

#1 Post by VIRIDIAN »

On eee pc, virus comes in encrypted as a flash update
and installs hidden .adobe and .macromedia folders
which reappear immediately after deleting when firefox
or mozilla or seamonkey is running.

Would never have noticed if it didn't slow down puppeee.
It temporarily was blocked only by disabling SSL but soon
found another way. It creates SOL files just like regular
flash but seems to be communicating constantly with
something. (Apparent zombie and spyware.)

There is one libflashplayer.so file that can't be removed,
although I've been told flash can't be installed or updated without it.
It is in the same place as init.rd and also appears in /usr,
the duplicate needs deleting twice but also comes back
soon after.

Yesterday a neighbor had one WinPC crash and another captured
2 bad flash updates with McAfee.
(Before then, nobody believed, and just laughed at the problem.)

So I wonder how to delete the libflashplayer.so
The Pupeee eee pc is unusable because the virus is updating
very frequently (once per minute) and can't be kept out.

Boot device is a rare write-protectable USB drive which I pull out
immediately after boot, leaving only the VM in RAM (and wondering
about a BIOS infection). The virus appears to be aware of other
wireless devices nearby such as cellphones but it may just be
interference since they are on the same bands.

Starting with removing the undeletable libflashplayer.so, any ideas
how to prevent and block and stop this?
Automatic hidden installs are totally unexpected (and unbelievable) in linux.

vamachine nsynth

aarf

#2 Post by aarf »

new operas supposedly dispense with flashplayer. give'm a try.

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

libflashplayer.so

#3 Post by upnorth »

Yeah, the newest opera snapshots are great. One can unzip the file anywhere on hard drive, click the "opera" wrapper script in the created directory to run it. It can be shared among different puppy installations when it's run "outside the envelope" like this - no need for installation.
The newest firefox 3.6.4 beta is the same way when the .bz2 file is downloaded. It however uses any existing profile.
-------------------------------------------------------------------------------------

The libflashplayer.so in /initrd/pup_ro2/usr/lib/mozilla/plugins is legitimate. /initrd/pup_ro2 is the pristine read-only layer as I understand it.

To install the newest libflashplayer.so see:
http://www.adobe.com/products/flashplay ... #section-3

You can also right-click on a flash element and select "about adobe flashplayer" to get to adobe's web interface.
On the newer Firefox versions you can use the plugin check:
http://www.mozilla.com/plugincheck/


Some good info on flashplayers as spyware. See:

http://www.wired.com/epicenter/2009/08/ ... hink-again


Here is an extension that works in firefox and seamonkey2. It can delete the "local shared objects" automatically every minute and upon start and exit of browser.
http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm

The quick way to alleviate the flash cookie accumulation is to delete the .macromedia folder, then, assuming the current working directory is /root, in a terminal type:

    ln -s /dev/null .macromedia

Very few sites won't function fully when this method is employed. To reset to normal, just delete the symlink named .macromedia.

You can always use netstat -tu and netstat -tn to see your tcp/ip connections. Make sure your firewall is activated by viewing the output of iptables -v -L. It should generate a long list.
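
A small POSIX shell helper that applies the /dev/null symlink trick from the post above, added here as an example (it is not code from upnorth's post or from Puppy). The function names, the home-directory argument and the "state" labels are my own assumptions; it only ever touches $HOME/.macromedia.

```shell
#!/bin/sh
# Flash LSO ("flash cookie") hygiene for one Linux home directory.
# Added example; function names and the home-dir argument are assumptions.

# Count .sol files (flash cookies) under a directory; prints 0 if it is absent
# or is the /dev/null symlink (then -d is false, so nothing can be stored).
count_sol_files() {
    dir="$1"
    if [ -d "$dir" ]; then
        find "$dir" -type f -name '*.sol' 2>/dev/null | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Report what $1/.macromedia is: neutralized (symlink to /dev/null),
# directory (real folder Flash can write to), absent, or other.
macromedia_state() {
    target="$1/.macromedia"
    if [ -L "$target" ]; then
        if [ "$(readlink "$target")" = "/dev/null" ]; then echo neutralized
        else echo other; fi
    elif [ -d "$target" ]; then echo directory
    elif [ -e "$target" ]; then echo other
    else echo absent
    fi
}

# Replace $1/.macromedia with a symlink to /dev/null so Flash cannot persist
# LSOs there. Idempotent; refuses anything that is not a plain directory,
# the expected symlink, or an absent path (returns 1 in that case).
neutralize_macromedia() {
    home="$1"
    target="$home/.macromedia"
    case "$(macromedia_state "$home")" in
        neutralized) return 0 ;;
        directory)   rm -rf "$target" ;;
        absent)      : ;;
        *) echo "refusing: $target is neither a directory nor the symlink" >&2
           return 1 ;;
    esac
    ln -s /dev/null "$target"
}

# Undo: drop the symlink so Flash can recreate a real folder again.
restore_macromedia() {
    target="$1/.macromedia"
    [ -L "$target" ] && rm "$target"
    return 0
}
```

Source the file and run `macromedia_state "$HOME"` to see where you stand, `neutralize_macromedia "$HOME"` to apply the trick, and `restore_macromedia "$HOME"` to go back to normal.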

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#4 Post by cthisbear »

McAfee >> A virus in itself.

Took out everyone bigtime.
Even Intel

Coles stores in Oz were stuffed.

http://www.murga-linux.com/puppy/viewtopic.php?t=54704

Chris.
