
Malware for the Linux desktop. Yes, really.

Ashley MLP Fangirl

Article I used: https://nakedsecurity.sophos.com/2019/07/25/evilgnome-linux-malware-aimed-at-your-laptop-not-your-servers/

 

Quote

EvilGnome, rare and unusual though it may be, gets its media-friendly name because it was clearly written to target the comparatively small but committed community who use Linux on their laptops.

 

Quote

The takeSound() function can capture audio and upload it; takeScreenshot() speaks for itself, and scanFolder() looks for files to steal.

 

Intezer says that the ShooterKey:: components aren’t finished (and therefore aren’t used), but it’s easy to guess what these functions might do in a future version – log keystrokes and thereby sniff out passwords.

 

Lastly, ShooterPing:: not only communicates back to the crooks but can also download new malware and run it.

 

Quote

What to do?

As mentioned at the start, we haven’t seen this in the wild, so it’s unlikely you’ll encounter it.

But here are some tips anyway:

  • Check for a process called gnome-shell-ext. If found, use kill -9 to terminate it. If it comes back after a minute then this malware is probably already active on your system. Do steps 2 and 3, then repeat this step to kill it completely.
  • Check your crontab for an entry like 0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh. That’s a sign that the auto-reloading script has been installed. Remove it from crontab.
  • Check for the abovementioned gnome-shell-ext* files. If you remove them then the malware can’t reload even if you haven’t cleaned the crontab.

 

The Linux Gamer also made a video on the virus:

 

 

 

My thoughts: it was only going to be a matter of time until viruses targeted at regular Linux users were going to pop up. The increased popularity of Linux makes it interesting to hackers. As always it's best practice to have antivirus installed on every system you have, even if it runs Linux.

Edited by Twilight

She/Her

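The three checks from the Sophos tips quoted above, turned into a read-only triage script. This is an added example, not code from the article or from the post; it assumes a procps-style `ps`, a per-user `crontab -l`, and the cache directory `$HOME/.cache/gnome-software/gnome-shell-extensions` (the article's crontab line shows `/.cache/...`, so the match ignores the path prefix). The matching logic lives in functions that take text input, so it can be exercised on constructed samples without touching the live system.

```shell
#!/bin/sh
# EvilGnome triage helper (added example). Reports the article's three indicators;
# it never kills a process or deletes a file, so a human decides what to do next.

PROC_NAME="gnome-shell-ext"
# Suffix of the reloader path from the article's crontab line; the prefix is not
# matched because the article prints it as /.cache/ while it is more likely ~/.cache/.
CRON_PATTERN="gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
EXT_DIR="${HOME}/.cache/gnome-software/gnome-shell-extensions"   # assumed location

# Step 1: print the PID of every process whose command name is exactly gnome-shell-ext.
# $1 is text in the format produced by `ps -eo pid=,comm=`.
find_suspect_process() {
    printf '%s\n' "$1" | awk -v name="$PROC_NAME" '$2 == name { print $1 }'
}

# Step 2: print crontab lines that invoke the reloader script (exit 0 only if one is found).
# $1 is crontab text such as the output of `crontab -l`.
find_cron_entry() {
    printf '%s\n' "$1" | grep -F -- "$CRON_PATTERN"
}

# Step 3: exit 0 if any gnome-shell-ext* file exists under the directory given in $1.
find_suspect_files() {
    [ -d "$1" ] || return 1
    find "$1" -name 'gnome-shell-ext*' 2>/dev/null | grep -q .
}

# Live check of this host; returns the number of indicators seen (0 = clean).
triage() {
    hits=0
    pids=$(find_suspect_process "$(ps -eo pid=,comm= 2>/dev/null)")
    if [ -n "$pids" ]; then
        echo "[!] process $PROC_NAME is running, pid(s):" $pids
        hits=$((hits + 1))
    fi
    if find_cron_entry "$(crontab -l 2>/dev/null)" >/dev/null; then
        echo "[!] crontab contains the every-minute reloader entry ($CRON_PATTERN)"
        hits=$((hits + 1))
    fi
    if find_suspect_files "$EXT_DIR"; then
        echo "[!] gnome-shell-ext* files present under $EXT_DIR"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ] && echo "[ok] none of the three EvilGnome indicators found"
    return "$hits"
}

# Only inspect the live system when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then triage; exit $?; fi
```

Run it as `sh evilgnome_check.sh --live`; a non-zero exit status means at least one indicator was found and the article's manual steps apply.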

On 7/26/2019 at 1:13 PM, Sauron said:

It's worth noting that the average user who installs packages from the repositories does not need to worry about this.

that's not entirely true. 

Edited by Twilight

She/Her


7 minutes ago, Twilight said:

EvilGnome, rare and unusual though it may be, gets its media-friendly name because it was clearly written to target the comparatively small but committed community who use Linux on their laptops.

I literally just got Manjaro Gnome installed on my ZenBook no more than 5 days ago. My timing is so unreal.

 

8 minutes ago, Twilight said:

My thoughts: it was only going to be a matter of time until viruses targeted at regular Linux users were going to pop up. The increased popularity of Linux makes it interesting to hackers. As always it's best practice to have antivirus installed on every system you have, even if it runs Linux.

Is it bad to admit that I don't have an anti-virus as I trust myself enough to use Manjaro - for a lack of a better word - naked? Additionally, I only ever browse YouTube and stuff so I wouldn't come across any dark alley websites, and anything I do install, it's through software manager.

mechanical keyboard switches aficionado & hi-fi audio enthusiast

switch reviews  how i lube mx-style keyboard switches


4 minutes ago, seoz said:

Is it bad to admit that I don't have an anti-virus as I trust myself enough to use Manjaro - for a lack of a better word - naked? Additionally, I only ever browse YouTube and stuff so I wouldn't come across any dark alley websites, and anything I do install, it's through software manager.

You did use the AUR; there are always risks there. You can install a free and open-source antivirus if you want: just install clamtk using pacman. It doesn't scan in real time so you need to run scans manually. Regardless, it's better than nothing. Be sure to check the settings too, because by default it's set up really stupid and won't scan directories recursively and it won't scan large files etc. Make sure to enable all of that.

She/Her


6 minutes ago, Twilight said:

You did use the AUR; there are always risks there.

It is extremely hard to get malware through the AUR though - the most popular packages are maintained by the same people who maintain the main repos and recently adopted packages are always watched carefully. Even in the rare times it happens it's caught in a matter of a few hours. You can generally trust it.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


And even if you grab flatpak direct from the main devs' sites, you're still quite unlikely to get hit... So you'd literally have to have worse browsing habits than the average grandma...


3 minutes ago, Tenelia said:

And even if you grab flatpak direct from the main devs' sites, you're still quite unlikely to get hit... So you'd literally have to have worse browsing habits than the average grandma...

I'm betting this is who it's targeting, grandparents with a windows-skinned KDE or something that don't know better but are protected from most things since it's Linux.


5 hours ago, seoz said:

I literally just got Manjaro Gnome installed on my ZenBook no more than 5 days ago. My timing is so unreal.

 

Is it bad to admit that I don't have an anti-virus as I trust myself enough to use Manjaro - for a lack of a better word - naked? Additionally, I only ever browse YouTube and stuff so I wouldn't come across any dark alley websites, and anything I do install, it's through software manager.

I've used Linux for years with no antivirus and haven't had any issue, but as previously mentioned, just stick to official repos and you'll be good.


13 hours ago, HarryNyquist said:

I'm betting this is who it's targeting, grandparents with a windows-skinned KDE or something that don't know better but are protected from most things since it's Linux.

Exactly... Being in the server space, there's actually tons of malware that can run on Linux (centos or ubuntu or otherwise), but you'd have to intentionally download them *and* run them because the operating permissions are extremely granular on what hardware and software interactions are allowed.


It's a good thing I run MacOS so I don't need to worry about these virus doo-dads


2 hours ago, floofer said:

It's a good thing I run MacOS so I don't need to worry about these virus doo-dads

Meanwhile the Linux community are still in denial that anything bad can happen.  

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


17 hours ago, IAmAndre said:

I've used Linux for years with no antivirus and haven't had any issue, but as previously mentioned, just stick to official repos and you'll be good.

I love this argument: "I've used X for years without antivirus and never had any virus"

 

Well, no shit, you wouldn't know about it because there's nothing to tell you lmao

MSI GX660 + i7 920XM @ 2.8GHz + GTX 970M + Samsung SSD 830 256GB


9 hours ago, mr moose said:

Meanwhile the Linux community are still in denial that anything bad can happen.  

It's a bad precedent, especially when many Linux machines are high-performance systems for research.


12 hours ago, mr moose said:

Meanwhile the Linux community are still in denial that anything bad can happen.  

I've never been in denial. Don't generalize. It's very well known that viruses exist on Linux, and I always installed antivirus on my Linux desktops.

She/Her


1 minute ago, Twilight said:

I've never been in denial. Don't generalize. It's very well known that viruses exist on Linux, and I always installed antivirus on my Linux desktops.

Have you read many of the comments people make regarding Linux and security? It's not a generalization, it's an observation of many people's commentary on the subject.

 

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Just now, mr moose said:

Have you read many of the comments people make regarding Linux and security? It's not a generalization, it's an observation of many people's commentary on the subject.

I have. I also watch a few YouTubers that do videos on Linux and they always recommend installing AV. Please don't generalize all Linux users.

She/Her


1 minute ago, Twilight said:

I have. I also watch a few YouTubers that do videos on Linux and they always recommend installing AV. Please don't generalize all Linux users.

I'll tell people what I see when I see it. I'm sorry if that upsets you, but even in this thread there are people claiming you'll be fine if you only use certain repositories etc. It is a very common theme within the Linux community, alongside many other claims.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, mr moose said:

I'll tell people what I see when I see it. I'm sorry if that upsets you, but even in this thread there are people claiming you'll be fine if you only use certain repositories etc. It is a very common theme within the Linux community, alongside many other claims.

Sure, there are misconceptions in the Linux community. So? What community doesn't have some false information in it? There are also people saying that all you need on Windows is Windows Defender, which has been often debunked.

She/Her


12 minutes ago, Twilight said:

Sure, there are misconceptions in the Linux community. So? What community doesn't have some false information in it? There are also people saying that all you need on Windows is Windows Defender, which has been often debunked.

Well, in that case let's not talk about anything.

 

I really don't know why you don't want anyone to talk about the misconceptions?

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


It is strange to me that they went through the trouble of reinventing the wheel for a malicious implant with commodity post-exploitation functions. All of these features exist in multiple free command and control frameworks already. I mean, I haven't gone through the code myself, but the post-exploitation features are probably better implemented in Empire or Meterpreter, in that they evade detection better.

 

People seem to think that really the only way they would get malware on a Linux box would be through something malicious involving their package manager; this is far from the case. A legitimate website that has been compromised through JavaScript, XSS, or iFrames could easily download something like this without your knowledge. If you have any public-facing services, or unintentionally public-facing services, is your home firewall configured correctly? Are you immune to spearphishing links and attachments? I can tell you an attacker learning something as seemingly innocuous as a software version number can lead to full system compromise.

 

ClamAV is a joke; it is better than nothing, but not by much. You would almost be better off dragging and dropping files into VirusTotal. The endpoint protection space on the Linux/Unix side of things is atrocious and way further behind than where it stands with Windows, which also isn't in a good place. A few vendors in the Windows space are at best doing a questionable job with fileless malware, PowerShell, csc.exe, MSBuild.exe, VBScript. These attacks occasionally get picked up now (an improvement from 2 or 3 years ago). This is not the case with Linux/Unix, generally speaking. I think they are adding some of the same type of security features that PowerShell has implemented into Python 3, but I think that has a long way to go still. The fact of the matter is most Windows/Linux/Unix machines and their users wouldn't know if they had a malicious PowerShell or Python one-liner run on them. When was the last time you went through your PowerShell logs in Event Viewer? Who has sophisticated logging set up for Python, and actually checks it?


Slightly off topic, but do you guys have antivirus recommendations? I am running Ubuntu.


It's usually a great idea not to update anything when it's first released to the public, unless it's an important security update.

 

A good sysadmin will test an update on a separate system, as updates are known to break things because an update can't be tested on every hardware/software configuration.

 

20 hours ago, floofer said:

It's a good thing I run MacOS so I don't need to worry about these virus doo-dads

Mac is not completely safe from malware as well...

Magical Pineapples


1 hour ago, desertcomputer said:

 

 

Mac is not completely safe from malware as well...

