Malware Found Hidden In Screensaver On Gnome-Look
AndGodSed writes "OMG! UBUNTU! reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.
The idea behind it is so that someone will put out a patch for said vulnerability without having to wait for parent company to do so...
It's not more secure because of its market share, it's more secure because anyone can fix it.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
All it shows is that Linux is vulnerable to trojan horses. ALL operating systems are vulnerable to trojan horses. When you show me a Linux or OS X computer that's vulnerable to something like the slammer worm, get back to me.
It's the YEAR OF THE LINUX desktop! It's official! /Happy Ubuntu User
Mod me down, my New Earth Global Warmingist friends!
It looks like it's following the same pattern as Windows malware, too: make a cool screensaver, post it to sharing sites, hope people tell their friends about it. That was a common malware vector for Windows in the early part of this decade. Next there'll be dodgy "codecs" on pr0n sites, and once people start using malware scanners for Linux, they'll make dodgy fake antivirus software to con gullible users. Netbooks may be great for attracting attention to Linux, but we have to remember that this will include the kind of attention that no-one wants.
Wrong, anyone cannot fix it. Anyone MAY fix it.
Only the tech savvy programmer types that care enough to fix can fix it.
Why bother
You kind of have a point, but the fact is, you need root privileges to install a .deb, and I have quite successfully installed gtk/gtk2 themes/icons/etc. without admin privileges. If I downloaded a .deb from a random site and then installed it, it would be just like running a .exe on Windows, but for most things I need to do on Linux, I don't actually have to take that risk, while on Windows it seems everything is a .exe. Not sure about screensavers, but it seems this was, like 90% of viruses for any platform, a hack relying on stupid users elevating the virus to root authority themselves.
Repositories are getting a lot better too. I don't use Ubuntu any more, but when I left, the PPA was in ascendancy, which seemed to allow a much better enforcement of security while still letting 3rd party stuff in.
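The root-privileges point above is what separates a .deb from a theme tarball: dpkg runs the package's maintainer scripts (preinst, postinst, and so on) as root, and a screensaver has no need for any of that. The following is an added example, not code from the article, the linked sites or the Debian project: a Python triage script that opens a .deb (an ar archive holding a control tarball and a data tarball), lists the maintainer scripts and any files that land in privileged paths, and flags the package for review before anyone types a sudo password. The two sample packages are constructed inline, borrowing file names from the removal command quoted later in this thread (app5552, /usr/bin/run.bash, /etc/profile.d/gnome.sh) with placeholder contents; the path list and the "needs review" rule are the editor's own assumptions, not anything dpkg enforces.

```python
"""Pre-install triage of a .deb (added example; sample packages are constructed).

A .deb is an ar(1) archive: "debian-binary", control.tar.* (maintainer scripts,
which dpkg runs as root) and data.tar.* (the files that get unpacked).
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Paths a screensaver or theme has no business writing to (editor's list, an assumption).
SENSITIVE_PREFIXES = ("usr/bin/", "usr/sbin/", "etc/profile.d/", "etc/cron",
                      "etc/init.d/", "etc/systemd/")


def parse_ar(blob: bytes) -> dict:
    """Return {member name: bytes} for an ar archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                          # fixed-width text header
        name = hdr[0:16].decode().strip().rstrip("/")     # GNU ar may append "/"
        size = int(hdr[48:58].decode().strip())
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + (size % 2)                          # members are padded to even length
    return members


def _open_tar(members: dict, prefix: str) -> tarfile.TarFile:
    """Open control.tar.* or data.tar.* regardless of the compression used."""
    name = next(n for n in members if n.startswith(prefix))
    return tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*")


def triage_deb(blob: bytes) -> dict:
    """List maintainer scripts and privileged-path files; flag the package if either exists."""
    members = parse_ar(blob)
    report = {"scripts": {}, "sensitive_files": []}
    with _open_tar(members, "control.tar") as tar:
        for m in tar.getmembers():
            base = m.name.rsplit("/", 1)[-1]
            if m.isfile() and base in MAINTAINER_SCRIPTS:
                report["scripts"][base] = tar.extractfile(m).read().decode()
    with _open_tar(members, "data.tar") as tar:
        report["sensitive_files"] = sorted(
            "/" + m.name.lstrip("./") for m in tar.getmembers()
            if m.isfile() and m.name.lstrip("./").startswith(SENSITIVE_PREFIXES))
    report["needs_review"] = bool(report["scripts"] or report["sensitive_files"])
    return report


# ---- constructed sample packages (not real files from gnome-look) ----
def _ar_member(name: str, payload: bytes) -> bytes:
    """Serialise one ar member: 60-byte header (name, mtime, uid, gid, mode, size, magic)."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(payload):<10}".encode() + b"`\n"
    return header + payload + (b"\n" if len(payload) % 2 else b"")


def _targz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mode = 0o755 if content.startswith(b"#!") else 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control: dict, data: dict) -> bytes:
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _targz(control))
            + _ar_member("data.tar.gz", _targz(data)))


# Mimics the thread's description: a wallpaper image plus a root-run postinst,
# a script in /usr/bin and a login hook in /etc/profile.d. Contents are placeholders.
TROJANED_DEB = build_deb(
    control={"./control": b"Package: app5552\nVersion: 1.0\nArchitecture: all\n"
                          b"Description: waterfall screensaver\n",
             "./postinst": b"#!/bin/sh\n# constructed placeholder: dpkg runs this as root\n"
                           b"chmod +x /usr/bin/run.bash\n"},
    data={"./usr/share/backgrounds/waterfall.jpg": b"\xff\xd8 placeholder jpeg bytes",
          "./usr/bin/run.bash": b"#!/bin/bash\n# placeholder for the dropped script\n",
          "./etc/profile.d/gnome.sh": b"#!/bin/sh\n# placeholder: sourced at every login\n"})

CLEAN_DEB = build_deb(
    control={"./control": b"Package: waterfall-wallpaper\nVersion: 1.0\n"
                          b"Architecture: all\nDescription: just a picture\n"},
    data={"./usr/share/backgrounds/waterfall.jpg": b"\xff\xd8 placeholder jpeg bytes"})


if __name__ == "__main__":
    for label, deb in (("trojaned", TROJANED_DEB), ("clean", CLEAN_DEB)):
        r = triage_deb(deb)
        print(f"{label}: needs_review={r['needs_review']} scripts={sorted(r['scripts'])} "
              f"sensitive={r['sensitive_files']}")
```

Run it on a downloaded file with `triage_deb(open("pkg.deb", "rb").read())`; the same information is available from `dpkg-deb --info` and `dpkg-deb --contents`, but reading it as a report makes the question concrete: why does a wallpaper package carry a postinst and drop a script into /etc/profile.d? A flag here is a reason to read the scripts, not proof of malware, since many legitimate packages ship both.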
Malware doesn't need to exploit vulnerabilities in the software: it only needs vulnerable users. There is no way to patch that.
I've been telling many the same thing, but with one exception: Mac and *nix started out with a better permissions system, and therefore users who have downloaded an app from the Internet have been trained to be doubly sure about whatever it is that requires sudo power (e.g., the Mac sudo GUI prompt). Microsoft UAC, on the other hand, has had to deal with transitioning software developers to not write in "Program Files" and other public areas and to save data to personal home folders.
While I'll agree with you that Mac/*nix are not any more secure than Windows, the Mac/*nix users have been taught to take a sudo prompt seriously, while in the early stages and growing pains of UAC, Windows users were easily annoyed by UAC prompts and therefore took the UAC prompts less seriously, because UAC prompts were being triggered by transitioning software developers that did not save data in the user's home folder.
In the end, the security of any system relies on the ability for the user to authenticate and verify software downloaded. But making it more difficult, such as requiring an administrator password to be entered for elevated privileges, makes users more cautious of software requiring a sudo prompt. And while that's not inherently any more secure, at least users think twice before entering their password.
The Flash player isn't open source. The Compiler is, the player is not. As I said, the idea behind open source being more secure is that you could have potentially thousands of different solutions to prevent this thing in the future. The best one is chosen and patched into the main tree. If you have the source, you can do this in a few minutes (or put in your own temporary patch) with the proper skill and be back up and more secure than someone waiting for "Patch Tuesday." Even if a patch comes in that resolves that problem, it could have been the first solution to said problem and might have problems itself that will need to be fixed later.
It's really the potential quantity of solutions to the problem.
I could argue with you that this vulnerability might have been fixed sooner with more market share.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
This particular malware is not because of a security problem with the OS. It is more of a social engineering thing - trying to trick unsuspecting users to install a malicious script by hiding it as a theme or screensaver.
You have a poor understanding of what "malware" is or what Linux/Mac zealots claim.
Malware is a piece of code, all OSes run code, therefore all OSes are vulnerable to malware. What Mac and Linux "zealots" claim is that it's not likely to get malware in Linux/Mac just by browsing a site, opening an e-mail, or just by keeping the computer on and connected to the network -- that hasn't changed.
"Repositories won't help with that, because people want 3rd party programs and games."
I am happy with the 25,000+ programs available in the Debian repository; I never install random packages from the Internet. At least the basic packages should be available from the repos, so the risk is at least reduced if not eliminated (depending on the behavior of the user).
In my experience people who use the word "zealot" lack arguments.
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
Except one would hope that you could trust what you get from a site like this. Not everyone can scour the source/binary of every app they get from a 'trusted' site.
And if you can't trust the 'trusted' sites for the free stuff, then the entire FreeOS movement is dead in its tracks.
---- Booth was a patriot ----
What the summary didn't mention: the screensaver has been there less than 24 hours.
See pro-linux.de (German).
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Before trolls start yelling about how "OMGZ LINUX ISN'T SECURE HAHAHA" and things like that, let me tell you something: because GNU/Linux is so open and configurable, malware like this can be very easily removed. All you have to do is run a few commands in a terminal to remove this.
Before trolls start yelling about how "OMGZ WINDOZE AV SOFTWARE IS COMPLICATED HAHAHA" and things like that, let me tell you something: because Windows is so accessible, AV software like this can be very easily deployed. All you have to do is click a few icons in the Start Menu to remove this. Blah, blah, blah
On Linux and the like, everything is simple if you already know what you want to do. Otherwise, you have to trust unaccountable internet entities to provide you abstruse commands to run and hope they aren't trying to trick you into doing even more damage to your system. It should be obvious why that is no way to combat malware.
Ah but here is the problem.
To you, removing a virus from Linux is easy, because you are obviously an intelligent Linux user.
(Someone posted above the removal instructions)
For you to write out: sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552
seems like nothing at all, but what about the average computer user? Do you think they know what sudo is? Hell I don't use Linux and I have no idea what the shit any of that stuff means. So no, that would only work with someone who really knows what they are doing with Linux.
Now on the flip side, you say...
"On Windows and the like, things are so complicated that Anti-virus software is almost required to remove some of their malware"
Ah, but this is going off the assumption that we are dealing with an average Windows user, not an expert user (such as yourself with Linux).
An expert Windows user like myself would say "Removing Malware is easy, just go into the registry's run section, remove what looks suspicious, delete temp files, prefetch, and search for the malware running process (Example: virus.exe) in the registry, and delete it"
Ah see that to me is easy, I've done things like that all the time, and it's just cake.
So I guess the point I'm trying to make is that...To you, removing a virus like this from Linux can be really simple...to someone who knows Linux, but the same can be said to a Windows user...who knows about Windows.
The greatest revenge in life is massive success.
If gnome-look is hosting .debs and not reviewing them, it seems to me like they're inviting disaster.
My mother managed to get some nearly-impossible-to-remove scareware on her (Windows) netbook. She swears up and down that she never visited any sketchy sites, had AV (but no anti-malware), etc. She was basically using it for several things:
1) Visiting various newspapers' websites
2) Webmail (a dedicated server for her business)
3) Word processing (OpenOffice.org)
4) Spider Solitaire
5) A few online games (jigsaw puzzles, sudoku, presumably flash-based) she found on Google. I think this is the most likely vector, but she uses the same websites all the time.
6) Visiting certain reputable, ad-free (AFAIK) sites.
She is smart enough to never download/run/open suspicious programs/files/etc. and she was using Firefox 3.5. This thing was able to prevent itself from being uninstalled easily. On Linux, she could have simply killed any offending processes (O.K., that's nontrivial, but no root permissions needed in theory) and checked the (graphical, so-easy-to-use-a-caveman^H^Hgrandma-could-do-it) Gnome startup programs tool for suspicious entries. On Windows, we eventually had to use "System Restore" (an OS feature) -- which the program could potentially have disabled had the malware author thought to do so (it was totally rooted -- the malware was preventing the installation of some anti-malware programs) and then download the anti-malware program that had previously failed to install. Windows Vista/7 are probably more secure than XP, which she has, but I'm still reluctant to blame all Windows security issues on user stupidity. Now I have her running Firefox+NoScript so that it (hopefully) won't happen again, but that's mostly because she refuses to switch to Linux. Most users would be running IE7 or so... not Firefox+NoScript. This is clearly not just "user stupidity" -- it's a Windows genuine advantage^H^Hbug.
$ make available
There's also been some evidence of malware that triggers AV software on purpose, and acts as a distraction while the real dirty payload gets delivered silently elsewhere in your system. You are now fooled into thinking your system is clean because your AV caught the distraction virus, completely missing the real one that was also installed.
AVs don't get "distracted" -- either the real payload is detectable by the AV, in which case the distraction won't be successful since both will be found and removed, or else the real payload is undetectable, in which case you don't need the distraction at all, and as a matter of fact it hurts you by making the user more security-conscious.
$ make available
I'm afraid not. The reason this malware is easy to remove is because it doesn't do anything truly wretched, like patch libc and other applications, install a rootkit kernel module, and the like.
Having dealt with Linux boxes that have been hit by automatic exploitation tools that go well out of their way to hide their presence, I can tell you that no matter what the operating system, the standard advice holds: once the machine is infected, the only sure way to get it back to a known state is to restore from a backup made prior to the exploitation or to wipe it completely and start over. I should also point out that these machines were rooted through the exploitation of previously-patched vulnerabilities in setuid services -- which is the exact same vector many Windows worms use, including Slammer and Conficker.
The only difference between the tools I've run into and a full-on worm is that they run at the command of a cracker and scan IP address ranges of his choice. With a bare amount of automation, they could become very successful Linux worms, breaking into all those machines that, say, have old OpenSSH binaries that haven't been patched against its known remotely exploitable vulnerabilities.
The Freelance Wizard
The idea behind it is so that someone will put out a patch for said vulnerability without having to wait for parent company to do so....
It turns out that I have patched a serious vulnerability in Linux. Please download and install my patch as root on your system.
Sincerely,
Someone
Intron: the portion of DNA which expresses nothing useful.
Personally I don't care if Linux is ever employed by the "average person". I'm not one of those people and the work I do requires people who know what's going on. Linux gives me the fine control to get in there and tweak things that Windows will probably never have.
You can make a machine smarter, but people keep getting dumber all the time. At some point you just have to say to those people: forget it, you're not going to learn, you're not worth trying to explain it to. Here's your Etch-a-Sketch.