You Are Here: Home » Linux » News » OS » Software

Ubuntu Malware for DDoS Attack Found in Screensaver

By Ricky on December 10th, 2009

Update: It seems like another malware was found in a theme called "Ninja Black".

A malware has been found in a .deb file claiming to be a screensaver from Gnome-Look. The malware appears to be an agent for a DDoS attack. This affects Ubuntu and other Debian based OS as well.

The .deb file in question is supposedly a screensaver of a waterfall. When installed, the "screensaver" installs some scripts with elavated privileges rather than the screensaver that is expected. The script is designed to auto-update itself and potentially to make the infected system take part in a DDoS attack.

The "screensaver" in question has been removed from Gnome-Look now. This incident highlights that fact that Linux, just like Windows, can be infected with malware if users are not careful while installing softwares outside of the official repositories and trusted PPAs.

Fix

If you have installed the malware, running the scripts given below in terminal should remove it.

sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash

sudo dpkg -r app5552

Additional help may be found in the Ubuntu Forum.

« Previous Post

Related Posts by Tags: ddos, malware, ubuntu

Anon Coward

Do they have no Shame ?!? 0.0
Pingback: Malware Found Hidden In Screensaver On Gnome-Look | JetLib News
Pingback: Malware hidden inside Gnome Screensaver!!! - Raymond.CC Forum
Pingback: Malware en Linux encontrado en archivo .DEB « Zerosoul13 – The Linux Profecys
Keyser Soze

Cue Nelson Muntz quote from Windows fanbois
- Bsd Fanboi
  
  Haw Haw
  (And i'm a Bsd Fanboi thank you)
  - Derelicht
    
    Shut yer trap
http://www.ecis.com/~alizard/technology.html A.Lizard

Since it's possible, we can expect it to happen. Since .debs have to be installed as root, the usual *nix separation between user and administrative privileges isn't going to protect us.

What to do about it?

I think we're going to need malware scanners for Linux, hopefully ones with heuristics that'll catch the "zero-day" stuff.
Pingback: Descobert un troià per a Linux a un salvapantalles de gnome-look | SomGNU
Pingback: Trovato malware su gnome look, rende il vostro pc un bot per attacchi DDoS | Il Portalinux
evilghost

There is no need for a "Malware" scanner, a competent administrator, prior to installing a package, should at least attempt to inspect the contents. Something like:

dpkg –info {name of .deb}
dpkg –contents {name of .deb}
Pingback: Ubuntu を狙ったマルウェア… « Kawaji's Weblog
Pingback: Linuxin näytönsäästäjissä DDoS-haittakoodia – kohteena pelisivusto - Tietokone
Endless, Nameless

Wow. Took someone long enough to pull this. Get with the programme, script kiddies!
Pingback: Linux Boricua » Blog Archive » Malware en un protector de pantalla de GNOME-Look.org
Pingback: Difference Operator » Linux malware
Pingback: AVG Anti-Virus Free Edition for Linux « دانلود و معرفی نرم افزارهای لینوکس
Pingback: 恶意程序被发现隐藏在Gnome-Look的屏保中 « 每日IT新闻，最新IT资讯，聚合多站点消息，保证你与世界同步
Pingback: Twitted by turutosiya
Pingback: Gnome-Look e il malware che si finge screensaver « Idl3's Blog
pekutin

I think this is the biggest problem on all file sites, couse there is no need to authenticate users before they can upload their files.

These downlaod sites should use “trusted user tags” like piratebay, couse that is really good idea and it can help.

There is no need for malware scanner if there is chance to catch these malware “distributors”.
Pingback: Komputery » Blog Archive » Malware na Linuksa z Gnome-Look.org
Pingback: Malware en un protector de pantalla de GNOME-Look.org « Gabriel Vegas
Pingback: Abtraction News » Archiwum bloga » Malware na Linuksa z Gnome-Look.org
Pingback: Linux-OS » Malware en un protector de pantalla de GNOME-Look.org
Pingback: Malware na Linuksa z Gnome-Look.org | Komputery
Pingback: Malware na Linuksa z Gnome-Look.org | TechNews
Pingback: Linux-Malware-Attacke l
Pingback: InfoSec Daily » ISD Episode 28
Pingback: Use signed packages from a trusted source « Free Software Universe
Pingback: 5 consigli per rendere sicuro il proprio sistema GNU/Linux
http://security-wire.com/ Remove Spyware

Don’t download those free screensavers. Many of them have virus.
- http://www.articlesbase.com/security-articles/best-way-to-uninstall-remove-internet-antivirus-2011-virus-3828497.html remove Internet Antivirus 2011
  
  I agree with you!
http://www.articlesbase.com/security-articles/how-to-uninstall-remove-security-essentials-2011-virus-3613073.html remove Security Essentials

My computer was hacked twice just becoz I downloaded free screensavers!!