Malware Found Hidden In Screensaver On Gnome-Look
AndGodSed writes "OMG! UBUNTU! Reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.
It's been told to all the Linux zealots so many times that Linux itself isn't really more secure against malware than Windows. It's only so because its market share is like 0.5%, if even that, and it makes much more sense to make malware where the (non-geeky) users are.
This just shows that if ever linux did gain marketshare with casual people enough, the malware problem will be there too. Repositories won't help with that, because people want 3rd party programs and games.
The funny thing about this is the same as with Mac OS X users. All of the zealots yelling that Linux/Mac OS X are secure against malware, which results in normal people thinking they can run whatever they downloaded "because my OS is secure!".
And before everyone jumps on the "but you can't get infected by just browsing on porn sites on linux!", why not? When was the last time you got infected by a Windows vulnerability? Those attacks are usually against 3rd party programs like PDF or Flash. And guess what, those apps are on Linux too and are just as well exploitable.
The only reason malware problems are smaller on Linux than Windows is because of the almost-non-existing desktop marketshare and that those who use it on desktop are usually more tech savvy.
This just shows that if Linux had 95% marketshare on desktop, and Windows 0.5%, it would be the same thing but just turned around.
Hey malware creators just got wise to the fact that Geeks make more money than the average Joe?
Why bother
It's the YEAR OF THE LINUX desktop! It's official! /Happy Ubuntu User
Mod me down, my New Earth Global Warmingist friends!
"sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552"
Man. I'm going to have to get me some anti-malware software...
This is why you only install packages from the repositories.
He scurries in the darkness because he fears the light that is the Sun Source... Sinanju.
So Solaris users are unaffected?
So a user runs untrusted software as root and gets malware. Never heard of this happening.
Okay, this scares me.
1. What happens when a publisher includes auto-updating code, but not specific attack code, like the DDoS software in the mentioned examples? If discovered it will appear to be a security risk, but not specifically malicious...
2. What happens when a software developer produces some completely innocuous software, gets into the repositories - and then months down the road, produces an update with DDoS capability, and has the update pushed into the repositories and automatically distributed?
I swear to god, not thirty seconds before I came to slashdot and saw this story, I closed the gnome-look.com tab and had just finished pimpin' out my Gnome desktop. Good thing I didn't download any screensavers...
Like Windows or any operating system, Linux is only as secure as the user keeps it. In a way this is sort of a win because it means Linux is now popular enough for the malware makers to pay attention to it, and it will motivate the Linux community to be more vigilant. Welcome to the mainstream and everything that comes with it. This highlights the advantage of using software repositories as well.
Before trolls start yelling about how "OMGZ LINUX ISN'T SECURE HAHAHA" and things like that, let me tell you something: because GNU/Linux is so open and configurable, malware like this can be very easily removed. All you have to do is run a few commands in a terminal to remove this. On Windows and the like, things are so complicated that Anti-virus software is almost required to remove some of their malware. I am glad to use an OS that doesn't restrict me like that. :)
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
What the summary didn't mention: the screensaver has been there less than 24 hours.
see pro-linux.de (german)
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
The Gnome team is working with several university neurology departments to develop a patch for human nature that fixes this problem. It will be included in Gnome 4.
Computer Science is all about trying to find the right wrench to bang in the right screw. -T.Cumbo?
You can't patch stupid!
The tools exist that would have rendered this form of attack useless.
Linux has out lasted many forms of attack already. Hardening of the package system to prevent such problems is not hard.
Simple point is a lot of infection vectors don't exist into Linux. Package manager is one of the major targets left.
"And before everyone jumps on the "but you can't get infected by just browsing on porn sites on linux!", why not? What was the last time you got infected by Windows vulnerability? Those attacks are usually against 3rd party programs like PDF or Flash. And guess what, those apps are on Linux too and are just as well exploitable."
If your system is set up right you cannot. Browser inside a SELinux sandbox. The tech to shut all this crap down is waiting in the wings. Just up until now there has been no critical need to deploy. A massive amount of damage risk can be contained.
Linux's response to the threats enabled more security.
I want a mainstream OS that allows fine-grained privileges for programs. Why should I have to give my screensaver permission to do anything except display graphics, and perhaps read some data files from its own directory?
The idea that software that I have no opportunity to audit runs with my privileges when I run it is fundamentally broken. There is no way to clean malware that had a network connection long enough to hide a trojan anywhere and then overwrite itself to appear relatively innocuous. While a complete redesign of the way permissions and permission-delegation would be ideal, it is not practical in the short term. Using systems like http://plash.beasts.org/ can help.
There is an easier (read: more elegant) way to get rid of this Linux malware:
sudo rm -rf /
Pussies.
rm -rf /
works fine for me!
It's a Trojan Horse
Malware is a generic term for malicious software.
But the notion of Trojan applies here; you download a seemingly innocent program, but it contains a hidden nefarious payload.
AV software makers love it, because it means that once software gets classified as Malware instead of an actual virus, they don't have to worry about detection and safe removal anymore, that's another program's job...
Given that screensavers just help to drain your laptop battery, waste energy and have no practical use these days (unless these people have ancient monitors which are susceptible to screen burn), why do people keep using them and why are they still a feature of modern operating system distributions? Monitor and graphics card power saving features should be all that's needed.
Use your repos or you'll be as defenceless as the rest of them!
wow! how did this get rated as informative? sudo rm -rf / will delete everything from your system drive
I'll not worry until Linux hackers attack Linux. A windoz hacker attacking Linux is a joke. Good luck with that.
Who the hell runs screensavers these days anyway? This isn't 1995. Modern monitors don't need "saving". Log out and/or shut down the display if you're not actively using the account.
Nothing worthwhile ever happens before noon
Linux and Mac *are* still more secure that Windows installations. There's a difference between social engineering attacks and vulnerabilities that are exploited without user intervention.
You can't eliminate the former without locking down the user so badly that they are no longer in control of their computer.
The latter can and has been stopped very effectively through various, simple, defensive techniques. The most obvious such technique is to not give the user 100% access to the system by default. You have to put solid effort in order to infect a *ix based system. Meanwhile Windows users can be rootkitted by doing nothing more than visiting a completely legitimate website that unknowingly has a malicious banner ad.
Indeed, rm -rf / works great for most people because it suffices to remove all the files the current user actually can.
That said, I don't know how it came that my lame joke above was honored as being informative; but this has since been corrected. Although I don't consider it as being flamebait, it's more like, err, a lame joke. Troll would be fine with me. ;)
The system checks for updates every day, an icon appears showing the intended updates and once given the OK the system takes care of everything. You can even turn on automatic updates and have no intervention. It's a disservice to suggest applying software updates is difficult with the average Linux system. I might also add the system checks updates for almost everything installed on your system.
> DO NOT RUN THIS SCRIPT UNLESS YOU HAVE INSTALLED THE .DEB IN QUESTION.
>
> * sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552
Okay, will do.
Yes, that's how to make a nonprivileged exploit (mess with .bash_profile etc.)
Ideally, the .deb package should have been digitally signed, and the person who signed it should have checked to make sure it was safe. Then if you only install packages from trusted repositories and check the sigs, you are safe (unless the signing keys are hacked, which happened to Fedora. Or they were playing safe, in that they might have been hacked. I forget)
In practice, that only works for corporate deployment (protection against autohacking of the entire client PC base). People will always download toys without checking the provenance.
Woosh!!!!
"I don't know, therefore Aliens" Wafflebox1
Time to run yum install clamav.
(shivering and scared)
Don't bother with him. jedidiah is a known anti-ms troll.
The problem is NOT that GNU/Linux is insecure, the problem is that some users refuse to learn how to properly administer their systems. The weakest link in any operating system is the user. I've outlined some basic security practices that everyone should use. Computer security is a process, not a product.
The quote in my subject line is from a user who was allowed complete sudo access. I can't remember the "it" in question, but it was an rpm that wasn't from our distro back then. The machine was reimaged, the user was instructed that rpmfind et al is the *worst* choice for software installation, and sudo access was restricted to one specific command with pre-set parameters. .deb came from a similar site (for screensavers).
Looks like this
We claim that because it is currently true for a variety of reasons, if nothing else the stuff out there now is not compatible with anything except for MS windows.
Unix has a long history of a lot of different exploits, and reactions to fix various holes made that style of system quite secure before Win NT was written. The superior security now is simply due to there being more of a tendency to learn from mistakes and giving it a higher priority than backwards compatibility. There is also little in *nix that is driven by marketing pressures, which meant stupidity like Active-X or early versions of MS Outlook did not emerge on those platforms. The challenge is to keep it secure from whatever emerges.
There's only one way to "cleanse" your system of malware once it's infected:
Any malware that can auto-update itself can potentially install anything at all. It could, for example, set up a file-sharing node which caches illegal data files on your system.
This assumes your desktop is themeable.
"It is more of a social engineering thing - trying to trick unsuspecting users to install a malicious script by hiding it as a theme or screensaver."
Not all desktops are themeable. Apart from security, this is also a good thing when a user calls into technical support, and the person answering the phone needs to be able to tell them which icon they need to click on and where it is/should be located on their desktop. Only desktops which support/permit themes need to worry about trojans in theme bundles.
-- Terry
I think you missed his point.. he was making a joke that he doesn't have to use sudo because his account is root.
Security is like sex. Once you're penetrated you're ****ed.
When you install software, you're having unsafe sex.
Don't do it lightly.
I think there was a Windows screensaver with a virus in it back in 1996...or maybe even more recently. Linux, you have a long way to go if you're going to become famous for being insecure.
I remember reading an ask slashdot post about a week ago in which the poster asked if releasing linux malware out into the wild was an ethical thing to do or not. Looks like we've got somebody to blame. Personally though, I blame the idiots who download screensavers, especially a "waterfall" screensavers.
Gnome team is working [...] to develop a patch for human nature that fixes this problem.
I suspect they've decided that a free will is unusable and will replace it with sane defaults ;)
Does Ubuntu still have the horribly insecure default setting of caching elevated privileges for a time after sudo is invoked? This allows malware like this to lurk in user space and wait for the invocation of sudo, thus never requiring elevation to completely own the user's system.
if in doubt ask this guy, he/she may or may not have something to do with this news xD http://ask.slashdot.org/story/09/12/01/0025213/Ethics-of-Releasing-Non-Malicious-Linux-Malware
You still can't fix stupid. Stupid is forever.
Good thing I don't have to worry about that. I use Linux!
"A confusing command ... which most people would [copy] is actually a pretty good way to get a virus onto a ... newbie's computer."
Eurohacker European paranoia, gun rights, and h
Are appliances, they are TVs, washing machines, a glowing toaster if you will. Most people could care less how the thing functions so long as it works, and the only time they do care is when it doesn't. Thus, the people who create malware, viruses, spyware and the like will always have a market for this. As for Linux, lack of popularity really is its saving grace. If Mac OS X and Linux shared equal parts of the desktop market with Windows, it's a guaranteed fact that the people who create the above would be making them for all three respectively to get the maximum amount of damage/profit. And as long as people do not care about how a computer works, it's equivocal to handing a child a loaded gun and telling them to have fun. It's all fun and games until little Bobby blows his hand off.
Your argument would work except for that fact that Linux holds a majority of web servers, yet they are arguably more secure than their Windows counterparts, with more vulnerabilities and infections being reported on Microsoft systems. Central points of access would always be the preferred infection vector to workstations.
Forum is down at this moment. hmmmmm. Could it be retaliation?
Spank me. Weren't those "free" screensavers a big source of malware for Windows users? If you install any file on Linux, you've got to say "yes". If you get it from a dodgy source, it can be malware, just like in Windows, and you are the one who gave it permission to do what it wants. DEBs, RPMs, it doesn't matter, they are just like "setup.exe" files on Windows. Get them from a sleazy source and install them and you are just asking for trouble. The problem here is the source. Gnome-look is trusted by many people and is almost always safe, but something slipped past their radar here. I only use respectable repos and sources. I'd have thought Gnome-look to be one of them. Maybe they need to be more careful. They can lose that trust if they let things like this happen. I guess I'm glad I am happy with the normal screensavers available on Linux.
Jes sayin'...
But come on, have them GNOME guys steal all the thunder? Lookin for a new sensation?
WARNING: Smartphones have side effects--most of them undocumented.
> check the (graphical, so-easy-to-use-a-caveman^H^Hgrandma-could-do-it) Gnome startup programs tool for suspicious entries
If you think that this is the only way a user account can be infected under Linux, you are very naive. I, myself, can think of about 7 additional ways to do it. The only way to be totally sure is to open a new user and very carefully transfer only non-virulent things like bookmarks (and to know what is non-virulent you have to have more knowledge than "Grandma" --- e.g., you don't want to transfer bookmarklets).
Now that I think about this, Linux needs someone to develop a tool for this purpose. It wouldn't be all that hard to do if you were happy to severely limit what can be transferred. Probably the hard part would be the explanation of why the other stuff which the user wants cannot be transferred safely.
OTOH, even this is not foolproof, because the tool would either be useless, or would let you transfer bookmarks to web pages which could infect you via Flash (since it is not possible for the program to know if a web page is safe, and even if it would be at the time checked it could change).
Even if one can assume that the infection has been safely sandboxed to the user account in question, it is theoretically impossible to discover all the possible ways the user account could have been compromised (exactly like it's impossible to discover how a compromised OS is infected).
You're already the second poster I've seen here (the first chronologically, tho) with this erroneous idea, see my reply to the first one.
Funny how the latest patch being pushed for Ubuntu includes a vulnerability where any system which is installed on an ext4 filesystem is vulnerable to privilege escalation.
Good timing, there!
And yes, I agree that Linux systems get patched more frequently and my guess is that the percent of Linux systems which are actively patched is greater than with Windows. Doesn't change the argument in a qualitative way.
No OS which is usable is totally secure.
On Linux a program belongs to a user and runs with user privileges, which implies 0 access to the system area. On the other hand, on Windows anything can modify everything. A one-liner script that broke loose through your browser can wipe out the entire system (or take full control of it). True, Linux is not a panacea, but surely it will stop 95% of the things that install themselves on my Windows computer until they bring it to a grinding halt.
I see, now Microsoft marketing subcontractors click faster than trolls' scripts.
Too bad, their "arguments" are still total crap.
Contrary to the popular belief, there indeed is no God.
So this makes what now 10 or so if that Viri/Mal/Spy/Trashware on *nix distro's to the 10,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 on the Windows X series? Just checking.
Visit my Forums?
SELinux (Security Enhanced Linux) was supposed to help in those situations, by having tight restrictions on what programs can and cannot do.
Anyone has any idea if that's the case?
so ubuntu is the new windows. what damn good way for a "community" to shoot itself in the foot.
Finally, the year of Linux desktop is coming. Even malware authors are taking notice and creating trojans and sneakware, so indeed linux adoption is up, yay!
Yes, all 3 of them :)
You'd end up with a horrible, unfair review process, and people would complain no end about their right to run whatever they want on their computers being violated. Besides, if you wanted a reasonable amount of software to be available, there's no way they'd be able to review everything completely.
Hey, don't take offence. I'm a zealot too. We zealots should stick together no matter the OS and leave the others to their confusion.
> keep itself updated via downloads
I keep boring people with this point and I'm going to keep doing so until the Linux peeps get it. Linux needs a program that performs the same function as Zone Alarm. In other words no program on a desktop system should be allowed to connect to the internet before the user has okayed it.
One of the first things I do when a non-technical friend asks me to help with their Windows PC is to install Zone Alarm simply because it will prompt you before a program can connect to the network or internet. I then explain that if they don't know what a program is, or why it's trying to connect to the internet, don't let it. You can always change your mind later and you can always google it, or ask me, to find out what the program is and what it does.
This has stopped numerous malware infestations getting serious (i.e. downloading their real payload). I believe there's very little real malware nowadays that doesn't require 'net access to do its work (reporting personal information such as credit card details, being a node in a botnet etc.) so having a gatekeeper between programs and the network should be a primary design consideration of all desktop systems.
Without this functionality it's just a matter of time before the first serious auto-updating Linux virus problem occurs. It might well be harder to get a root infestation on a Linux box but does this matter? A userland program can steal information, participate in a botnet etc. quite adequately for most purposes. If it's well written and consumes little in the way of resources a user probably wouldn't even notice either.
On Windows Zone Alarm acts like a nightclub bouncer for 'net access. Meanwhile on Linux any old program gets full internet access without the user knowing a thing.
Sky subscribers are morons. They pay to be advertised at !
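The post above asks for a Zone Alarm-style gate between desktop programs and the network. Stock Linux has no per-program prompt, but it can enforce the same policy per account with the iptables owner match: run untrusted desktop software (a downloaded screensaver, say) under a dedicated unprivileged user, and that user's processes get loopback plus an explicit allow-list, with everything else logged and rejected. The script below is an added example, not code from the thread or from any of the projects mentioned in it; it assumes iptables with the xt_owner module, and the account name "sandbox" and destination 192.0.2.10:443 in the demo are constructed. With DRY_RUN=1 (the default) it prints the commands instead of applying them, so it can be read and run without root.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny egress policy for one
# unprivileged account, built from the iptables owner match. Processes owned
# by that account may reach only loopback and the listed TCP destinations;
# every other connection attempt is rate-limited into the kernel log (so the
# attempt is visible) and then rejected. Assumes iptables with xt_owner.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

# run ARGS...: execute iptables, or in dry-run mode print the command.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# egress_policy USER [HOST:PORT ...]: (re)build the per-user chain and hook
# it into OUTPUT for packets owned by USER.
egress_policy() {
    user="$1"; shift
    chain="EGRESS_${user}"
    run -N "$chain" 2>/dev/null || true   # no-op if the chain already exists
    run -F "$chain"                       # start from an empty chain
    # Remove a stale jump (if any) before inserting, so re-runs stay idempotent.
    run -D OUTPUT -m owner --uid-owner "$user" -j "$chain" 2>/dev/null || true
    run -I OUTPUT -m owner --uid-owner "$user" -j "$chain"
    run -A "$chain" -o lo -j ACCEPT       # local IPC over loopback stays allowed
    for dst in "$@"; do
        host="${dst%:*}"
        port="${dst##*:}"
        run -A "$chain" -p tcp -d "$host" --dport "$port" -j ACCEPT
    done
    run -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "egress-denied:${user} "
    run -A "$chain" -j REJECT --reject-with icmp-port-unreachable
}

# Demo with constructed values: print the rule set for account "sandbox",
# allowed to reach one HTTPS endpoint (192.0.2.10 is a documentation address).
egress_policy sandbox 192.0.2.10:443
```

Denied attempts show up in the kernel log with the "egress-denied:" prefix, which is the Linux counterpart of Zone Alarm's pop-up: the user (or whoever supports them) can see which account tried to reach what, and add an allow rule only if there is a good reason.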
The reference policy has a module for xscreensaver, and it's very tight - it doesn't allow network access.
I don't visit sites that are prone to malware, and I use safe searching habits.
Well that doesn't sound very professional.
Actually, it won't. Deleting / is such a ridiculous operation that most modern copies of rm need a special command-line option to let you do it. (I'm slightly worried that it might recurse and try to delete other files/directories, though.) (Incidentally, there was an interesting bit of POSIX rules-lawyering to show that that interpretation of rm was legal; the idea is that it necessarily deletes the current working directory, and rm is allowed to act differently when the user tries to delete the current directory.)
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
No, I didn't. I just wanted to point out that doing the rm thingie as root is not necessary to get devastating results. Although it helps ...
Well do you really want the iPhone like only-approved-software app store for your computer? With no way to download software from anywhere else than that said approved app store.
Yes. A huge big bold YESSSS!!!!!
As long as there are *several* such app stores that a user can choose to trust. (Say, Microsoft's official, Steam, a Google one with Chrome, Firefox and other cool OSS, etc.)
---
Well, software only from stores *and* self-compiled software, to be more precise. That's the way I work in Linux. But I wouldn't expect 99.99% of windows users to care about- or even understand what is- compiling software.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
So it's no surprise that GNOME with its Windows Registry clone gconf is a target?
4. Since your repository is already trusted, the next time the system is updated, your trojan version of Transmission is automatically installed.
It's funny you mention this because, interestingly enough, the latest package manager from openSUSE will only install an update from a different repository than the original software if:
1. the user explicitly asks for it.
2. the new version is required by some dependencies which can't be solved by the original repository, in which case the package manager issues a warning to the user.
If the users see:
"Warning, 'Fluffy Pet Screensaver' depends on 'Transmission >=99.99' which is only available on 'Fluffy Pet Screensaver repo', a different repository from 'openSUSE 11.2' where it was installed from"
most of them will have suspicions.
Though some Windows-UAC trained users will probably yes-click-through.
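The openSUSE behaviour described above (no silent vendor change) has an apt equivalent that closes the "step 4" path quoted at the top of this exchange: pin a third-party archive below the default priority of 500, and apt will never replace a package from the distribution with a version from that archive, however new it claims to be; pinned below 100 the archive can also not upgrade the packages it installed itself unless the user asks for that version explicitly. The script below is an added example, not code from the thread, from openSUSE or from Debian; it assumes apt on Debian/Ubuntu, and the hostname "ppa.example.invalid" and the output directory argument are constructed for the demo (the real file lives in /etc/apt/preferences.d/).

```shell
#!/bin/sh
# Added example, not from the thread: write an apt preferences stanza that
# pins everything served from one third-party host to a low priority.
# apt_preferences(5) semantics used here:
#   P >= 500 : highest version wins regardless of origin (the default; this
#              is what lets a trojaned "newer" Transmission replace the distro one)
#   100..499 : never replaces a package available from the distro, but may
#              update packages this origin installed itself
#   1..99    : installs only packages with no installed version; updates from
#              this origin happen only when the user requests that version
#   P <= 0   : never installed
# So the valid range for a "can add, cannot take over" repository is 1..499.

# apt_pin_origin HOST PRIORITY [DIR]: write the stanza, print the file path.
apt_pin_origin() {
    host="$1"; prio="$2"; dir="${3:-/etc/apt/preferences.d}"
    case "$prio" in
        ''|*[!0-9]*) echo "priority must be a non-negative integer" >&2; return 1 ;;
    esac
    if [ "$prio" -lt 1 ] || [ "$prio" -gt 499 ]; then
        echo "priority $prio is not in 1..499; 500+ would let the origin take over distro packages" >&2
        return 1
    fi
    # apt ignores preferences.d files whose names contain anything but
    # alphanumerics, hyphen and underscore (a dot would be read as an extension),
    # so derive a safe file name from the host.
    name=$(printf '%s' "$host" | tr -c 'A-Za-z0-9_-' '_')
    out="$dir/90-third-party-$name"
    printf 'Package: *\nPin: origin "%s"\nPin-Priority: %s\n' "$host" "$prio" > "$out"
    echo "$out"
}

# pin_priority_of FILE: read the Pin-Priority back out of a stanza file.
pin_priority_of() {
    sed -n 's/^Pin-Priority: *//p' "$1"
}

# Demo with constructed values, written to a temporary directory so it runs
# without root; on a real system drop the third argument and then check
# with `apt-cache policy <package>` that the origin shows up at priority 50.
demo_dir=$(mktemp -d)
cat "$(apt_pin_origin ppa.example.invalid 50 "$demo_dir")"
```

`Pin: origin "host"` matches the hostname the archive is fetched from, which is the right key for a PPA or any other self-hosted repository; the stanza only takes effect for archives that are actually in sources.list, so it is harmless to ship it before the repository is added.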
This is a perfect example of why allowing users at the console to install system wide software without requiring a password is a bad idea.
All it takes is this happening on one of the already listed repos and you've got your vector into systems via stupid polkit choices.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
For some reason malware got on there before the antivirus could deal with it the first time around. They went online to buy the antivirus and by the time I saw it the thing couldn't even stay on for more than three minutes unless it was in safe mode.
Doesn't anybody running linux want to tell me "the cure"?
Like please answer:
1. How can such malware be detected on Linux once installed?
2. How can one configure the system so as to be prevented?
3. What can be done to remove it?
I run "clamscan". Anyone wanna comment on that. Because I don't have a clue what it does... but it seems to check for something.
Anyone?
Any useful info between the chatter?
Anything?
ok, well I guess you can go back to your nit pickin' now.
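For the three questions above (detect, prevent, remove), the thread itself only gives the removal command (quoted twice, as "sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh ... && sudo dpkg -r app5552"). The check below turns those same indicators into a read-only detection script: it looks for the named files, asks dpkg whether the named package is installed, and flags any /etc/profile.d script that fetches remote content at login, which is the "keep itself updated via downloads" behaviour the summary describes. It is an added example, not code from the thread, from OMG! Ubuntu! or from gnome-look; the paths and package name are the ones quoted in the thread, and the optional root-prefix argument is an assumption added so the check can be pointed at a mounted image (or, in testing, at a constructed directory tree). It deletes nothing; as several posts above argue, once something has had root and a network connection, reinstalling is the only cleanup you can trust.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only check for the indicators
# quoted in this discussion. It reports; it does not delete.

# Paths and package name quoted in the thread's removal command.
INDICATOR_FILES="/usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh"
INDICATOR_PKG="app5552"

# check_files [ROOT]: report each indicator file present under ROOT (default:
# the live filesystem) on stderr and print how many were found.
check_files() {
    root="${1:-}"
    found=0
    for f in $INDICATOR_FILES; do
        if [ -e "${root}${f}" ]; then
            echo "FOUND: ${root}${f}" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# check_package [NAME]: print 1 if dpkg records NAME as installed, else 0.
# Assumes a Debian/Ubuntu host; on a system without dpkg it prints 0.
check_package() {
    pkg="${1:-$INDICATOR_PKG}"
    if command -v dpkg-query >/dev/null 2>&1 &&
       dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null |
       grep -q '^install ok installed$'; then
        echo 1
    else
        echo 0
    fi
}

# check_profile_d [ROOT]: scripts in /etc/profile.d run for every login shell,
# which is where the thread's removal command points (gnome.sh). Flag any
# script there that calls wget or curl, i.e. fetches something at login.
check_profile_d() {
    dir="${1:-}/etc/profile.d"
    hits=0
    [ -d "$dir" ] || { echo "$hits"; return 0; }
    for s in "$dir"/*.sh; do
        [ -f "$s" ] || continue          # no matches: the glob stays literal
        if grep -Eq '(^|[^A-Za-z0-9_])(wget|curl)([^A-Za-z0-9_]|$)' "$s"; then
            echo "SUSPICIOUS: $s fetches remote content at login" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Stand-alone use: check the live system and print a summary. Any non-zero
# count means the host should be treated as compromised, not cleaned in place.
total=$(( $(check_files "") + $(check_package) + $(check_profile_d "") ))
echo "indicators found on live system: $total"
```

To answer the second question (prevention) in the same terms: the script only finds things that were installed with root via a .deb from outside the repositories, so the prevention is the one repeated throughout the thread: install packages from the distribution's signed repositories, and treat a third-party .deb exactly like a setup.exe.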
This is not a problem, not even a threat at all. The good thing about FOSS is that there are thousands of contributors and developers. Should this kind of thing happen often, it would be easy to implement review procedures, create "digital approval stamps" for every single file and place them at safe site locations for download.
Oh bullshit. You can remove just about anything, easily, using Process Explorer (by using its DLL lower view pane, & freezing any DLL/lib called by an infested process, so no IO is going on between the calling infected process & the malware lib/dll, then freezing/pausing the malware .dll/lib itself, & deleting it using Explorer.exe or a cmd.exe tty console prompt to delete its file on disk & regedit.exe to remove any registry entries it uses. It can also be traced in its complete operations using Process Monitor as well, in case it uses something else, like an .ini file to store "state" for itself) OR Recovery Console on Windows if need be even, doing the same.