Slashdot Mirror


Malware Found Hidden In Screensaver On Gnome-Look

AndGodSed writes "OMG! UBUNTU! reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.

10 of 611 comments

  1. Re:Not more safe by _merlin · · Score: 5, Interesting

    It looks like it's following the same pattern as Windows malware, too: make a cool screensaver, post it to sharing sites, hope people tell their friends about it. That was a common malware vector for Windows in the early part of this decade. Next there'll be dodgy "codecs" on pr0n sites, and once people start using malware scanners for Linux, they'll make dodgy fake antivirus software to con gullible users. Netbooks may be great for attracting attention to Linux, but we have to remember that this will include the kind of attention that no-one wants.

  2. Re:Not more safe by Anonymous Coward · · Score: 5, Interesting

    You kind of have a point, but the fact is, you need root privileges to install a .deb, and I have quite successfully installed gtk/gtk2 themes/icons/etc without admin privileges. If I downloaded a .deb from a random site and then installed it, it would be just like running a .exe on windows, but for most things I need to do on linux, I don't actually have to take that risk, while on Windows it seems everything is a .exe. Not sure about screensavers, but it seems this was, like 90% of viruses for any platform, a hack relying on stupid users elevating the virus to root authority themselves.

    Repositories are getting a lot better too, I don't use ubuntu any more but when I left the PPA was in ascendancy, which seemed to allow a much better enforcement of security while still letting 3rd party stuff in.
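
The point above, that a .deb is installed with root privileges, is also the reason its contents are worth reading before installing. The following is example code added here by the editor, not code from the post, from gnome-look or from Ubuntu: it parses the outer ar archive of a .deb, lists the maintainer scripts (which dpkg runs as root) and flags payload files that land in system directories or carry the executable bit. The package it inspects is constructed inline; the names waterfall-ss and updater.sh are placeholders, not the real file.

```python
import io, tarfile

AR_MAGIC = b"!<arch>\n"
MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
SENSITIVE = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/", "/var/")

def ar_members(blob):  # yield (name, data) per member of a .deb's outer ar archive
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos = 8
    while pos + 60 <= len(blob):  # fixed 60-byte member header, then data
        size = int(blob[pos + 48:pos + 58].decode())
        yield blob[pos:pos + 16].decode().strip().rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are 2-byte aligned

def inspect_deb(blob):
    """Report maintainer scripts and payload paths that deserve reading before dpkg -i."""
    report = {"scripts": [], "flagged": []}
    for name, data in ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue  # e.g. debian-binary
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                path = "/" + m.name.lstrip("./")
                if name.startswith("control") and path[1:] in MAINT_SCRIPTS:
                    report["scripts"].append(path[1:])  # dpkg runs these as root
                elif name.startswith("data") and m.isfile() and (
                        path.startswith(SENSITIVE) or m.mode & 0o111):
                    report["flagged"].append(path)  # system dir or executable bit
    return report

def _targz(files):  # constructed tar.gz fixture from {path: (mode, bytes)}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, content) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
def build_deb(members):  # constructed .deb (ar archive) from [(name, bytes)]; fixture only
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)
# Constructed lookalike of a screensaver package that also drops a root-installed script.
SAMPLE_DEB = build_deb([("debian-binary", b"2.0\n"),
    ("control.tar.gz", _targz({"./control": (0o644, b"Package: waterfall-ss\n"),
                               "./postinst": (0o755, b"#!/bin/sh\necho constructed\n")})),
    ("data.tar.gz", _targz({"./usr/share/backgrounds/waterfall.jpg": (0o644, b"jpeg"),
                            "./usr/local/bin/updater.sh": (0o755, b"#!/bin/sh\n")}))])
```

On a real system the same two questions are answered by `dpkg-deb -c` (payload listing) and `dpkg-deb -e` (extracts the control area including postinst) before anything is run as root.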

  3. Re:Not more safe by nurb432 · · Score: 5, Interesting

    Except one would hope that you could trust what you get from a site like this. Not everyone can scour the source/binary of every app they get from a 'trusted' site.

    And if you can't trust the 'trusted' sites for the free stuff, then the entire FreeOS movement is dead in its tracks.

    --
    ---- Booth was a patriot ----

  4. Re:Not more safe by digitalunity · · Score: 4, Interesting

    Here's an idea. Feel free to agree, disagree, tear it apart, whatever...

    Why not have a kernel network access logging module with a userland process that periodically reports to users which programs are accessing the TCP/IP network? Say once a week or once a month or something. The number of programs that do this for many users is quite low. Probably Firefox, Thunderbird, Opera, uTorrent, a short list of other programs. Users then have an opportunity to ignore those programs on future reports. Users now have a good idea if there are changes to their system that might affect security.

    There would still be opportunity for malware to access the internet, but users would either 1) notice it or 2) it would make the malware work in very complicated, noticeable ways (like uploading data to a website using a URL).

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.

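
The userland half of the proposal above (aggregate which programs touched the network, show the ones the user has not yet acknowledged, remember acknowledgements for the next report), as example code added here by the editor and not from the post. The connection records are constructed in a made-up format; the kernel-side logging module the post describes, and the program name waterfall-ss, are assumptions.

```python
from collections import Counter, defaultdict

# Constructed per-connection records, as the post's kernel logging module might hand
# them to userland: "<timestamp> <program> <remote-ip> <port>". Not real tool output.
SAMPLE_RECORDS = """\
2009-12-09T08:00:01 firefox 93.184.216.34 443
2009-12-09T08:05:12 thunderbird 192.0.2.10 993
2009-12-09T08:06:40 firefox 198.51.100.7 80
2009-12-09T09:15:03 waterfall-ss 203.0.113.9 80
2009-12-09T09:15:04 waterfall-ss 203.0.113.9 80
2009-12-09T09:20:00 waterfall-ss 203.0.113.45 6667
""".splitlines()

class NetReporter:
    """Periodic report: which programs used the network, with the ones the user has
    not acknowledged listed for review so a newcomer stands out."""

    def __init__(self, acknowledged=()):
        self.acknowledged = set(acknowledged)   # programs the user chose to ignore
        self.connections = Counter()            # program -> number of connections
        self.endpoints = defaultdict(set)       # program -> distinct "ip:port"

    def ingest(self, records):
        for rec in records:
            _ts, prog, host, port = rec.split()
            self.connections[prog] += 1
            self.endpoints[prog].add(f"{host}:{port}")

    def report(self):
        review = {p: {"connections": self.connections[p],
                      "endpoints": sorted(self.endpoints[p])}
                  for p in sorted(self.connections) if p not in self.acknowledged}
        return {"review": review,
                "acknowledged": sorted(self.acknowledged & set(self.connections))}

    def acknowledge(self, *programs):
        """User reviewed the report and wants these left out of future reports."""
        self.acknowledged.update(programs)
```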
  5. Re:Not more safe by mR.bRiGhTsId3 · · Score: 3, Interesting

    I'm sorry, you have no idea what you are talking about. Sudo is not an implicit privilege gain. You have to manually request elevation. The reason it looks implicit is because all of the applications that ever need elevated privileges come with launchers that do the work for you. Sudo can also be configured to function the same as su (OpenSUSE ships it that way, I believe). The same is true of the new PolicyKit. Similarly, Vista is not an implicit elevation either. The continue prompt only occurs for administrator accounts because they are flagged with a token on login that marks them as administrators. They are required to manually take action. Furthermore, this function can be disabled in group policy in order to force a password entry in the same way that non-admin users have to authenticate to perform system changes. The only reason it occurs automatically is through application manifests and heuristics. Both of these cases are explicit elevations at the behest of the application author that the user can approve or cancel.

  6. Re:Not more safe by isorox · · Score: 3, Interesting

    Actually it would really suck if Windows had just one Microsoft verified "app store" where everything is controlled like with iPhone.

    Yes it would, and in this world I would add the Google repository, and perhaps the Apple repository. Anyone could set up a repository (same as you can with Debian), and sign their packages, but if they got compromised, or let crap in, then I'd be wary of using them in the future.

    The problem with the iPhone App Store is there's only one. You can't add a competitor's.

  7. Re:At least it was fixable. by philipgar · · Score: 3, Interesting

    Ah yes, because Linux applications have never had holes allowing someone to get a shell on a system, and users are always running the most up to date kernel that has no root exploits available for it. The main difference between Windows and Linux is that the Linux kernel has so many different versions, and not all distros are using the same one, so that it's hard to choose which kernel vulnerability to exploit. If 99% of people used Linux, and were using the same distribution (with mostly the same kernel), believe me, these exploits would exist, and we would see viruses hitting Linux machines over the network. Already, there exist worms that have targeted Linux machines.

    And saying the problem is not in the kernel but the software applications doesn't cut it either. The same could be said for many of the Windows issues, it's just that the software applications in question are in every install and part of the Windows user environment. It's no different than applications that might be part of the Ubuntu user environment (GNOME, Samba, etc.).

    Phil

  8. Re:Not more safe by Thinboy00 · · Score: 5, Interesting

    My mother managed to get some nearly-impossible-to-remove scareware on her (Windows) netbook. She swears up and down that she never visited any sketchy sites, had AV (but no anti-malware), etc. She was basically using it for several things:
    1) Visiting various newspapers' websites
    2) Webmail (a dedicated server for her business)
    3) Word processing (OpenOffice.org)
    4) Spider Solitaire
    5) A few online games (jigsaw puzzles, sudoku, presumably flash-based) she found on Google. I think this is the most likely vector, but she uses the same websites all the time.
    6) Visiting certain reputable, ad-free (AFAIK) sites.
    She is smart enough to never download/run/open suspicious programs/files/etc and she was using Firefox 3.5. This thing was able to prevent itself from being uninstalled easily. On Linux, she could have simply killed any offending processes (O.K. that's nontrivial, but no root permissions needed in theory) and checked the (graphical, so-easy-to-use-a-caveman^H^Hgrandma-could-do-it) GNOME startup programs tool for suspicious entries. On Windows, we eventually had to use "System Restore" (an OS feature) -- which the program could potentially have disabled had the malware author thought to do so (it was totally rooted -- the malware was preventing the installation of some anti-malware programs) and then download the anti-malware program that had previously failed to install. Windows Vista/7 are probably more secure than XP which she has, but I'm still reluctant to blame all Windows security issues on user stupidity. Now I have her running Firefox+NoScript so that it (hopefully) won't happen again, but that's mostly because she refuses to switch to Linux. Most users would be running IE7 or so... not Firefox+NoScript. This is clearly not just "user stupidity" -- it's a Windows genuine advantage^H^Hbug.

    --
    $ make available

  9. Re:Not more safe by mjwx · · Score: 4, Interesting

    Open source or not, you can't fix that unless the whole system is totally locked down like iPhone

    No, even the iPhone has vulnerabilities. Locking down a system does not fix vulnerabilities, it only hides them from public view. An open system is more secure as everyone knows when a vulnerability is discovered and sysadmins can make workarounds (or even pull the system down) until a patch is developed. With a closed system there is less chance of an exploited vulnerability being discovered by the people who want to fix it or are affected by it.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.

  10. Re:Not more safe by timeOday · · Score: 3, Interesting

    The registry alone makes Windows impossible to clean. Who knows what is in there? It's a bunch of gibberish. Please nobody claim it's the same as /etc, because it isn't. At best the registry is /etc's evil twin.