EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users

26 replies to this topic

#1 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 17 July 2019 - 03:12 PM

Quote

Security researchers have discovered a rare piece of Linux spyware that's currently fully undetected across all major antivirus security software products, and includes rarely seen functionalities with regards to most Linux malware, The Hacker News learned.

It's a known fact that very few strains of Linux malware exist in the wild compared to Windows viruses, because of its core architecture and its low market share, and many of them don't even have a wide range of functionalities.

In recent years, even after the disclosure of severe critical vulnerabilities in various flavors of Linux operating systems and software, cybercriminals failed to leverage most of them in their attacks.

Instead, a large number of malware strains targeting the Linux ecosystem are primarily focused on cryptocurrency mining attacks for financial gain and on creating DDoS botnets by hijacking vulnerable servers.

However, researchers at security firm Intezer Labs recently discovered a new Linux backdoor implant that appears to be in a development and testing phase but already includes several malicious modules to spy on Linux desktop users.

EvilGnome: New Linux Spyware


Dubbed EvilGnome, the malware has been designed to take desktop screenshots, steal files, capture audio recording from the user's microphone as well as download and execute further second-stage malicious modules...........


To check if your Linux system is infected with the EvilGnome spyware, you can look for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory....
https://thehackernew...me-spyware.html
Configs/PGP Key/comhack π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
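A defender-side check for the indicator the quoted article names, written as an added example for this thread (it is not code from The Hacker News, Intezer, or anyone in the thread): it looks for the `gnome-shell-ext` file in the `~/.cache/gnome-software/gnome-shell-extensions` directory quoted above, optionally across every home directory, and reports whether the indicator is present. The function names (`evilgnome_check`, `evilgnome_running`, `evilgnome_scan_all`) and the process-name lookup are my own assumptions; only the path and file name come from the article.

```shell
#!/bin/sh
# Added example: look for the EvilGnome file indicator quoted in the article.
# Path and file name are the ones the article gives; everything else here is
# an assumption made for this example. Exit status 0 = indicator present.

evilgnome_check() {
    home="${1:-$HOME}"
    dir="$home/.cache/gnome-software/gnome-shell-extensions"
    bin="$dir/gnome-shell-ext"

    if [ ! -d "$dir" ]; then
        echo "clean: $dir does not exist"
        return 1
    fi
    if [ -f "$bin" ]; then
        echo "SUSPICIOUS: $bin is present"
        ls -l "$bin"            # show mode, owner and mtime for triage
        return 0
    fi
    echo "note: $dir exists but holds no gnome-shell-ext; contents:"
    ls -la "$dir"
    return 1
}

# Assumption: a running instance would use the same process name.
# pgrep is widespread but not POSIX; a missing pgrep just yields "not running".
evilgnome_running() {
    pgrep -x gnome-shell-ext >/dev/null 2>&1
}

# Walk every home directory (needs root to read other users' homes).
evilgnome_scan_all() {
    found=1
    for h in /root /home/*; do
        [ -d "$h" ] || continue
        if evilgnome_check "$h" >/dev/null; then
            echo "indicator present under $h"
            found=0
        fi
    done
    return $found
}

# Stand-alone usage: check the current user's home and report.
if evilgnome_check "${HOME:-/nonexistent}"; then
    echo "Investigate: indicator present for ${USER:-current user}"
fi
if evilgnome_running; then
    echo "Investigate: a process named gnome-shell-ext is running"
fi
```

Absence of the file is not proof of a clean system (the article itself stresses the malware is under development), so treat a hit as a reason to preserve the file and investigate, and treat a miss as one data point.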

#2 ebrke (Board Bigwig, Forum MVP, 2,878 posts)

Posted 17 July 2019 - 04:57 PM

Okay, dumb question. I thought something like what's described above would need the user to run chmod to make the shell script executable. I'm sure I'm missing something, but can someone clue me in?

#3 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 17 July 2019 - 05:40 PM

Not if you installed the extension yourself. Self-inflicted "attack".

#4 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 17 July 2019 - 06:38 PM

Just because you are running Linux doesn't mean that you can just run any random thing. The user is always the weakest link in security.

#5 raymac46 (Discussion Deity, Forum MVP, 3,997 posts)

Posted 17 July 2019 - 08:30 PM

I have a couple of GNOME Shell Extensions but I get them from the GNOME project's website. I wouldn't be installing stuff from a phishing scheme or out on the Web.

#6 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 17 July 2019 - 08:32 PM

raymac46, on 17 July 2019 - 08:30 PM, said:

> I have a couple of GNOME Shell Extensions but I get them from the GNOME project's website. I wouldn't be installing stuff from a phishing scheme or out on the Web.

Well things like this do not target people like us..

#7 raymac46 (Discussion Deity, Forum MVP, 3,997 posts)

Posted 17 July 2019 - 08:41 PM

I think it's possible to lock a GNOME user down so they can't add Shell Extensions.

#8 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 17 July 2019 - 09:00 PM

Yeah, have them run a different DE. :hysterical:

#9 abarbarian (Thread Kahuna, Forum MVP, 5,741 posts)

Posted 18 July 2019 - 03:09 AM

Hmm, I do not seem to be able to find the "~/.cache/gnome-software/gnome-shell-extensions" directory. :228823: So it looks like Window Maker users should be safe from this :Muahaha:
Install ARCH
You'll never need to install it again
"I did and I'm really happy"

#10 raymac46 (Discussion Deity, Forum MVP, 3,997 posts)

Posted 18 July 2019 - 09:17 AM

A GNOME user might add this crap as a Shell Extension from a dodgy website. GNOME is the default in quite a few distros including commercial ones like Red Hat.
However this malware only masquerades as a GNOME Shell Extension. It could affect anyone who runs a script in an email or gets and executes a download from a hacked site.
For most knowledgeable Linux users it isn't that much of a threat but we have to admit that just because you run Linux you can't do any dam' thing you please and stay safe.

Edited by raymac46, 18 July 2019 - 09:19 AM.


#11 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 18 July 2019 - 10:35 AM

Exactly :thumbsup:

#12 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,788 posts)

Posted 18 July 2019 - 11:25 AM

No Gnome of any sort in Slackware. YAY!

#13 raymac46 (Discussion Deity, Forum MVP, 3,997 posts)

Posted 18 July 2019 - 02:33 PM

Well since I am using GNOME 3 on my Thinkpad's Debian Buster install I did check and I have no problems either.

#14 ebrke (Board Bigwig, Forum MVP, 2,878 posts)

Posted 18 July 2019 - 03:19 PM

V.T. Eric Layton, on 18 July 2019 - 11:25 AM, said:

> No Gnome of any sort in Slackware. YAY!

Well, I install Gnome libs to support GnuCash, but I don't run the Gnome DE.

#15 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,788 posts)

Posted 18 July 2019 - 05:48 PM

The only gnome in my Slackware is the old fart sitting at the keyboard. ;)

#16 abarbarian (Thread Kahuna, Forum MVP, 5,741 posts)

Posted 19 July 2019 - 04:24 AM

V.T. Eric Layton, on 18 July 2019 - 05:48 PM, said:

> The only gnome in my Slackware is the old fart sitting at the keyboard. ;)

:hysterical:

#17 securitybreach (CLI Phreak, Forum Admins, 24,708 posts)

Posted 19 July 2019 - 06:48 AM

It's funny that Patrick got tired of Gnome so he completely removed it from his distro.

Quote

"After long consideration, Pat Volkerding has removed GNOME from Slackware. Pat mentions in the -current ChangeLog that GNOME takes a lot of time to package, so this move should allow more time to be spent on the rest of Slackware."

From the changelog: "Please do not incorrectly interpret any of this as a slight against GNOME itself, which (although it does usually need to be fixed and polished beyond the way it ships from upstream more so than, say, KDE or XFce) is a decent desktop choice."
https://tech.slashdo...-from-slackware

Granted that was 14 years ago but still, I found it funny. :hysterical:

#18 saturnian (Multithreader, Members, 1,198 posts)

Posted 19 July 2019 - 07:43 AM

raymac46, on 18 July 2019 - 02:33 PM, said:

> Well since I am using GNOME 3 on my Thinkpad's Debian Buster install I did check and I have no problems either.

Same in Buster GNOME here. Anyway, I like GNOME Shell with no extensions.

#19 sunrat (Thread Kahuna, Forum Moderators, 5,968 posts)

Posted 19 July 2019 - 07:58 AM

siduction has given up on Gnome too.

Quote

some of the desktop environments we ship have had no maintainer for a while. For the next release (which is not far away), we stop releasing images for the desktop environments GNOME, MATE and LXDE. That leaves us with images for KDE Plasma, Xfce, Cinnamon and LXQt. We also keep releasing the minimal entry points noX and Xorg.

registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#20 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,788 posts)

Posted 19 July 2019 - 10:18 AM

> Pat Volkerding has removed GNOME from Slackware.

Yup. That was just before my Slackware time. By the time I became a full-time Slacker, KDE was the "official" DE. You could install a modified Gnome package that was SlackBuilt just for Slackware... I can't remember the name of it, but I tried it once. Wasn't impressed and went back to KDE (until 4.x happened).

#21 raymac46 (Discussion Deity, Forum MVP, 3,997 posts)

Posted 19 July 2019 - 11:49 AM

I think it was called Dropline GNOME,

#22 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,788 posts)

Posted 19 July 2019 - 01:07 PM

Yup. That's it.

#23 sunrat (Thread Kahuna, Forum Moderators, 5,968 posts)

Posted 19 July 2019 - 08:23 PM

raymac46, on 19 July 2019 - 11:49 AM, said:

> I think it was called Dropline GNOME,

A prescient title! :shifty: :lol:

#24 raymac46 (Discussion Deity, Forum MVP, 3,997 posts)

Posted 20 July 2019 - 07:26 AM

As a new Linux user I was totally freaked out by text based installers. I had to use one to install Vector Linux 4.8 on my old Compaq laptop. That was the only distro that could keep the fan running with the Compaq's archaic APM system.
Then I got an off lease Dell Optiplex GX270 and started distro farming. Urmas and Eric talked me through a Slackware install and since I knew about Vector Linux it worked. Back then Bruno had a lot of tips about Slackware and there was some sort of dependency checker called SwareT. So I made out OK. Just couldn't wrap my head around KDE back then so it was on to the next distro. If Xfce had been the default desktop, I might be a Slacker to this day. Or I might have discovered Arch Linux a lot sooner.

#25 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,788 posts)

Posted 20 July 2019 - 01:49 PM

> Back then Bruno had a lot of tips about Slackware and there was some sort of dependency checker called SwareT.

Well, SwareT didn't have any dependency checking capabilities. It was just another updater application. Currently, Slackware uses Slackpkg for that purpose. You don't even have to worry about dependency issues in Slack as long as you stick to software in the official repos, as with most Linuxes. However, when trying to install outside apps/programs, dependency does come into play. I've never really had any serious trips into Dependency Heck with Slackware, though.

SwareT was a great little updater, though. Sadly, it went south with the advent of Slack 12 or 13, I think.
