Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Found Hidden In Screensaver On Gnome-Look

Posted by timothy on from the sudo-you-know-what-you're-sudoing dept.

AndGodSed writes "OMG! UBUNTU! Reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instruction on cleansing your system.

2 of 611 comments (clear)

  1. What the summary didn't mention... by AlgorithMan · · Score: 5, Informative

    What the summary didn't mention: the screensaver has been there less than 24 hours.
    see pro-linux.de (german)

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
  2. Re:At least it was fixable. by FreelanceWizard · · Score: 5, Informative

    I'm afraid not. The reason this malware is easy to remove is because it doesn't do anything truly wretched, like patch libc and other applications, install a rootkit kernel module, and the like.

    Having dealt with Linux boxes that have been hit by automatic exploitation tools that go well out of their way to hide their presence, I can tell you that no matter what the operating system, the standard advice holds: once the machine is infected, the only sure way to get it back to a known state is to restore from a backup made prior to the exploitation or to wipe it completely and start over. I should also point out that these machines were rooted through the exploitation of previously-patched vulnerabilities in setuid services -- which is the exact same vector many Windows worms use, including Slammer and Conficker.

    The only difference between the tools I've run into and a full-on worm is that they run at the command of a cracker and scan IP address ranges of his choice. With a bare amount of automation, they could become very successful Linux worms, breaking into all those machines that, say, have old OpenSSH binaries that haven't been patched against its known remotely exploitable vulnerabilities.

    --
    The Freelance Wizard