Yet More Malware Found on Gnome-Look

Yesterday we were the first to bring you the news about malware being targeted at Ubuntu users, and today, sadly, another malicious file was uploaded to gnome-look, this time masquerading as a theme called ‘Ninja’.

If you fear you’ve installed it, head over to this thread on the Ubuntu Forums for help getting a fix.

I’ve e-mailed Gnome-look twice for a response or comment regarding these rogue finds but as of 5PM-ish I’m yet to receive a reply. It would be great to know whether gnome-look (or any of their affiliated sites) intend to introduce safeguards to stop the exploitation of the trust that the Linux community has built up.

Again, thanks to Noah for the alert.

  • hantohonto

    Sorry to tell you this, but what you’re saying isn’t true.. This is a new thread about the one malware found in there, this isn’t about another malware found there.. :P

    • Noah

      No, it is true. A theme called “Ninja Theme” was found to contain the same files.

      • hantohonto

        OMG! Now no one will use the binaries I make because they’ll be afraid of viruses..

        • http://omgubuntu.co.uk/ d0od

          If you have a good reputation etc then I’m sure you’ll be fine.

          I e-mailed gnome-look asking whether they were going to implement any new procedures or rules to safeguard users but no reply. Which isn’t promising…

        • Noah

          I recommend you don’t use binaries anyway.

          • hantohonto

            I think that gnome-look should put a filter that doesn’t let you upload .deb files, or make a team of top-trusted users that use to comment or something like that to check the files (because they can upload them somewhere else that isn’t gnome-look)

          • http://omgubuntu.co.uk/ d0od

            Noah, do you know if it was the same person responsible as the waterfall screensaver? (Long shot question, but hey!)

          • hantohonto

            well, it could be the same person in a different account.. Perhaps they should block that IP

          • http://omgubuntu.co.uk/ d0od

            Thanks for the reply.

          • http://mindwired.blogspot.com/ Ra

            Yea right, like that would do any good. Just another ip blocked. People have dynamic ip’s and you can use wifi in public places.

          • Noah

            As far as we know – yes. The person in question set up a fake website using a free hosting service and these pieces of malware are both using the same scripts (but edited slightly – the new one is more of a threat – it will delete some of the system files – but fortunately the person hasn’t mastered the art of system damage). It is possible that it is a copycat person, but I doubt it.

          • http://omgubuntu.co.uk/ d0od

            It is, oddly, in a roundabout way, a genius way of doing something. So subtle… Yet had I been a Windows user I would’ve been suspicious from the get-go about installing a screensaver from a site with no safe-guards etc. At least he’s provided us with a wake-up call if nothing else

          • Noah

            Well, not so much genius – he was discovered ;) I think this was probably a Windows user trying to prove a point – he certainly doesn’t have very good scripting qualities.

          • http://profiles.yahoo.com/u/XL5IMN4PO2XAFS7FXAWFGIFRNM KnifeySpooney

            Could have possibly been a copycat — the original “hacker” released a “phishing kit” on an online MMO forum as I have read in the Ubuntu Forums. The thread of his phishing kit has 5 pages and not one has a negative comment. They all say “Wow, great job!”. I would link to the thread, but I don’t wanna boost the PageRank. Here’s the post in UF: http://ubuntuforums.org/showpost.php?p=8463890&…

            Edit: Oof, according to that forum, the hacker is 14 years old…

          • Anonymous

            Right. Because compiling the source and installing it yourself protects you from malware, right?

            When was the last time the average Ubuntu user read through AND UNDERSTOOD every line of source of a package they’d just downloaded.

  • http://www.jellykernel.org Jelly Kernel

    Thanks a lot for the info.

  • Balaknair

    All the more reason not to download and install binary files from untrusted sources (and not to add random unsigned repositories). That’s why I avoid all themes (including the Shiki series though it looks great) installed via binaries. Just a bit of paranoia carried over from the days when I was a Windows user (reinforced by the tons of malware I still find on XP/Vista systems I’ve had to degunk for friends even after I set up restricted accounts for them).
    At least with the usual GTK themes and stuff, you can install it without sudoing, for just your user account, so no system critical files are messed up.
    Ubuntu may be more secure by design compared to Windows, but the weakest link is still the user. As attributed to Albert Einstein: “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.”

    In a way this is a wake-up call for all Linux users.

    BTW, love your blog, d0od. Great work.

  • Anonymous

    I guess this is good that you can preview the files that a .deb is installing now.

  • Anonymous

    Well this just proves that Linux users can’t get sucked into the false perception that Linux is bulletproof – just like all other operating systems, the real security is in the user. It’s the user that can break the system by tampering as root or under sudo, and it’s the user that can install .debs without first checking their validity. Same goes for Mac and Windows – fortunately Linux is more secure than Windows, so things like this don’t pop up often – but it still pays to be wary.

    http://www.interesting.co.nz

  • http://batterypoweredgames.blogspot.com/ Daniel “NeoStrider” Monteiro

    Really sad. Looks like someone is trying to bring down gnome-look credibility. Too bad, as I distribute a maemo game in it.

  • http://tec9.co.za/ Marco Valente

    I hope this isn’t the inauguration of a Linux needs antivirus era!

  • http://batterypoweredgames.blogspot.com/ Daniel

    Reports on Linux Malware are largely exaggerated =-P
    There’s no need for anti-virus yet, just a matter of reasonable use of the system.

  • Alex

    I think that it is important to say that this was no virus…
    Even an antivirus would have left that one untouched…
    It is only code run by the user.

    Am I wrong?

    • http://omgubuntu.co.uk/ d0od

      I certainly never referred to it as a Virus but as Malware – the definition of which is software designed to perform a malicious task without the user’s consent to do so.

      • Alex

        I know you didn’t refer to it as a virus.
        But I’ve read a lot on ubuntuforums.org and things like:
        “first semi-massive Linux virus/trojan?”
        “Keep viruses in the windows world”
        “what yo have there is a trojan”
        Etc…

        Which is pretty ignorant I think…
        :)

  • Will

    I’ve emailed *-look.org before regarding filters/classifications/general quality control, especially given that KDE at least (don’t know about gnome) hooks directly into the sites allowing you to download and install wallpapers and so on directly in the DE itself.
    To this date I’ve not received a reply… perhaps *-look.org websites need to be put under more scrutiny before being accepted as a de-facto provider?

    • http://omgubuntu.co.uk/ d0od

      I’m annoyed they’ve not replied to anyone that I know of that has e-mailed them. As you say the -look.org sites have a very solid reputation as THE place to go for artwork/applications and such. To ignore concerns – especially given they’re not unfounded – is a bit of a, excuse my language, piss take. They make money from people using the site (through adverts) so, in a roundabout way, have a relative responsibility to at least reassure and reply to one user if not all. They’re doing their rep no favours atm…

  • http://linuxtoy.org/archives/author/lovenemesis/ Tommy He

    Hi, I put a piece of this news in Chinese on LinuxTOY with a reference to here:

    http://linuxtoy.org/archives/alert-malwares-appear-on-gnome-look.html

    Thank you for your alert.

    • http://omgubuntu.co.uk/ d0od

      No problem, thanks! =)

  • Yfrwlf

    IMO, that’s what you get for having random scripts be your method for installing things like this. Instead of trusting a script to not do something bad to you, there should be better methods for users to install theme packs. While there are theme packs you can drag into your Appearance Preferences Gnome theme window to install (or by selecting the theme pack file via the install button), they don’t have an API like this for sounds and other things AFAIK, and it is either a manual process or you use scripts or packages. The two latter methods are more dangerous. Scripts you can read, but who wants to spend time doing that (nor would normal users understand 99% of it), and packages, unless they are defined as theme packages and thus confined by PolicyKit to only be allowed to modify theme-related directories, are going to be insecure as well.

    Linux needs to secure itself more by tightening its policies so that even if a user does download malware, it won’t work, or won’t work very well. While I fully agree that security is ultimately up to the user, that doesn’t mean there’s no point in making it easier for the user to stay protected, and that’s what security is really about, what to do to protect yourself IN CASE someone is a moron or gets compromised by someone. If you have an API that only pulls specific things out of a “theme package” the system can protect itself much more easily from users installing malicious themes. They need to extend the Gnome theme package API to include all aspects of the desktop, including setting Emerald themes I think (not sure why Emerald isn’t used with Compiz as the default as it has much nicer-looking effects than metacity does).

    • Yfrwlf

      And now I read your post about the window effects they’re adding to GTK. :P Still confused why they don’t just use Emerald though which is, what, 7 years old now I think?

      • http://omgubuntu.co.uk/ d0od

        Emerald is a window border replacement, the RGBA stuff being included in GTK affects the look of applications themselves, not their borders.

        • Yfrwlf

          I see and you’re right, thanks. Seeing any kind of GTK improvements will be nice. Now if more programs would utilize wxWidgets or something else which helps make programs more cross-DE so they can look native on both GTK and Qt desktops, that would be even nicer. You haven’t blogged about it yet, but I just unpacked Thunderbird 3 and found it looking completely “naked” with standard X-windows buttons it seems like, using neither GTK nor Qt, but that’s off-topic.

  • http://batterywpoweredgames.blogspot.com/ Daniel

    Aren’t we going offtopic here?

  • http://security-wire.com/ Remove Spyware

    That’s a sad news!
