While using the Tor Browser Bundle within the workstation (with Javascript enabled), a file within the workstation tried to open on its own – a message appeared saying “do you want to open [the file]”? The file was a .xz file downloaded from the main Tor website. Is it normal to get a message like this, or is it a sign that the workstation is compromised?
If the workstation is compromised, is there a way to check whether it is compromised or not? (e.g. by running commands, anti-virus, etc.)
Also, when the “new identity” button on the Tor Browser in the Workstation was clicked, an odd message appeared – it said “Tor Browser cannot safely give you a new identity. It does not have access to the Tor Control Port. Are you running Tor Browser Bundle?”
The file that attempted to open was a file I downloaded about one week ago. The message (in which the file attempted to open) appeared for no apparent reason.
The mysterious package tried to open on its own again (in the workstation). A message appeared asking if I wanted to open a package, even though I never tried to open a package. The message disappeared before I had a chance to read it. A few minutes later, I got this message:
Tor Browser Starter (by Whonix developers)
ERROR: Tor Browser maybe_use_open_link_confirmation error.
Failed: /usr/lib/open_link_confirmation [URL to Whonix Live]
What does this error message mean? Also, is it suspicious that something keeps trying to open on its own?
Also, another thing I noticed is that when I shut down the workstation and turned it on again, the fonts had changed in some areas. For example, when the “properties” button is clicked on a file, the attributes (“name”, “kind”, “open with”, “location”, etc.) have a different font (compared to earlier today).
I can’t tell whether any of these things are bugs, or malicious activity.
If you don’t believe that, look videos about Trojan horses etc. Malware is also “just another” commercial product or even open source. Therefore their usage, capabilities etc. are described like in advertising material for other products.
At no point the victim of a torjan horse will trivially notice it. There is zero reason for already memory resident malware to mess with fonts or to open links. Malware which allows to remotely control a victim machine is similar to an SSH / VNC session - just that the victim cannot easily know that an SSH / VNC session is running. Similar as for SSH there is no reason to mess with fonts, there is no reason to mess with fonts by malware.
Except. The attacker wants the victim to notice something. Zersetzung
In the bottom right of the taskbar, there is an “i” icon that when clicked on, opens a link to the wiki page of Whonix Live. I’m pretty sure you are just accidentally clicking things without knowing.