Some of our readers asked us this week, “What do you guys think of EvilGnome?”
#ICYMI, EvilGnome is a recent malware sample that’s made a few headlines, and although we haven’t seen any examples of it actually popping up in the wild, we thought we’d answer the question anyway.
Because Linux!
As you probably know, Linux malware and hacked Linux systems are very common, for the simple reason that most of the servers that power today’s internet run Linux in some form.
If you’re a cybercrook who wants to spread your Windows malware widely – keyloggers, for example, or banking Trojans, or other network nasties that thieve people’s digital stuff so it can be sold on to the next crook on the cyberunderground…
…then you’re probably going to be relying on hacked or compromised Linux systems for the bulk of your malware distribution.
For that reason, Linux malware generally doesn’t look like Windows malware, and isn’t supposed to, either.
But EvilGnome, rare and unusual though it may be, gets its media-friendly name because it was clearly written to target the comparatively small but committed community who use Linux on their laptops.
LEARN MORE ABOUT MALWARE ON LINUX
(Audio player not working? Download MP3, listen on Soundcloud, or read the transcript.)
EvilGnome starts life as a self-contained file that consists of 522 lines of text – what’s called a shell script because it’s designed to run directly inside a Linux command shell, such as the command prompt you get in a terminal window – followed by a compressed blob of data that carries the rest of the malware along with it.
If you glance at the start of the malware file, all you’ll see is this:
#!/bin/sh # This script was generated using Makeself 2.3.0 ORIG_UMASK=`umask` if test "n" = n; then umask 077 fi CRCsum="XXXXXXXXXX" MD5="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" TMPROOT=${TMPDIR:=/tmp} USER_PWD="$PWD"; export USER_PWD label="setup files..." script="./setup.sh" scriptargs="" licensetxt="" . . .
That looks pretty unexceptionable – in fact, this is what’s called a self-extracting archive, and it was created with a legitimate and widely-used free software packaging system called Makeself.
Several mainstream software tools, such as Oracle’s VirtualBox software, make use of the Makeself toolkit, so the presence of Makeself’s auto-self-extraction code at the start of a Linux file isn’t itself cause for alarm.
After all, the idea is a good one – to make installing your software easier.
Instead of downloading a file in a static archive format such as ZIP, gzip, bzip2, and then decompressing and unpacking the bundle yourself before digging around to figure out how to install it, you just download one self-contained Makeself file and run it.
The shell script then extracts the embedded app into a temporary directory and automatically hands control over to a component that’s just been extracted – in this case, the uncontroversial-looking setup.sh
.
Self-extracting archives and installers are commonplace on Windows; this is a way of achieving a similarly simple way of installing even very complex Linux software tools.
Forget about ./configure; make; make install
, just run thisfile.sh
or thisfile.run
directly instead.
Linux doesn’t need file extensions in quite the same way Windows does, but the creators of the Makeself tool recommend adding an extension of .sh
or .run
anyway, just for clarity.)
What’s good for the goose
Unfortunately, the very tools that make it easier for us to construct self-installing software bundles also make things easier for the crooks.
If you run the EvilGnome self-extractor you will end up with malware installed in a directory called:
~/.cache/gnome-software/gnome-shell-extensions/
To explain.
In Unix-speak, the special filename ~/
means your home directory.
The rest of the file path refers to a temporary subdirectory used by the popular Linux desktop software known as Gnome.
Note that Unix filenames that start with a dot (also known as period and displayed as “.”) aren’t shown by default in most directory listings, so they’re essentially invisible by default.
In any case, .cache
is a standard place for apps to store files they think they’ll need again but don’t need to keep forever.
In other words, the ~/.cache/gnome-software/
directory is a great place for malware to hide in plain sight – you’ll probably never see it, but if you do you’ll expect it to be full of random-looking stuff that can largely be ignored.
If you look in the hiding place used by the malware, you’ll find the innocent-sounding files:
gnome-shell-ext gnome-shell-ext.sh
The names make them look like a Gnome shell extension, a kind of Gnome desktop plugin, but they are the malware app, plus a shell script to launch the app in the background, respectively.
The gnome-shell-ext
file is a compiled C++ program; dumping some of the debugging symbols that the crooks left behind gives an immediate hint of what it’s for:
$ nm -C gnome-shell-ext 000000000040b650 T ShooterKey::threadKeysBody() 000000000040b850 T ShooterKey::sendKeys() 000000000040b700 T ShooterKey::ShooterKey() . . . 0000000000409ce0 T ShooterFile::scanFolder() 0000000000409cb0 T ShooterFile::ShooterFile() . . . 000000000040bc10 T ShooterPing::sendStoredPackets() 000000000040c560 T ShooterPing::ShooterPing() . . . 000000000040b280 T ShooterImage::takeScreenshot() 000000000040b260 T ShooterImage::ShooterImage() . . . 000000000040c610 T ShooterSound::takeSound() 000000000040c5f0 T ShooterSound::ShooterSound() . . .
According to Intezer, who first broke the news of this malware, and gave it the name EvilGnome, these functions do pretty much what their names suggest.
The takeSound()
function can capture audio and upload it; takeScreenshot()
speaks for itself, and scanFolder()
looks for files to steal.
Intezer says that the ShooterKey::
components aren’t finished (and therefore aren’t used), but it’s easy to guess what these functions might do in a future version – log keystrokes and thereby sniff out passwords.
Lastly, ShooterPing::
not only communicates back to the crooks but can also download new malware and run it.
That makes this into a general-purpose zombie or bot, namely a remotely controllable software agent that the crooks can harness later for whatever they think of next.
The EvilGnome malware also adds itself to your crontab
(a Linux tool for running programs in the background at predetermined times) so that it gets re-launched within a minute if ever crashes or gets killed off.
That means it not only survives a reboot but also comes back to life if you notice it and terminate the suspicious process.
What to do?
As mentioned at the start, we haven’t seen this in the wild, so it’s unlikely you’ll encounter it.
But here are some tips anyway:
- Check for a process called
gnome-shell-ext
. If found, usekill -9
to terminate it. If if comes back after a minute then this malware is probably already active on your system. Do steps 2 and 3, then repeat this step to kill it completely. - Check your crontab for an entry like
0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
. That’s a sign that the auto-reloading script has been installed. Remove it fromcrontab
. - Check for the above-mentioned
gnome-shell-ext*
files. If you remove them then the malware can’t reload even you if haven’t cleaned thecrontab
.
Alejandro
Hace tiempo que los servidores huyen hacia Windows precisamente por la pasada de frenada de algunas distros gnulinux …
Esto lógicamente no gusta a las más canónicas visiones de gnulinux .
Aquí el origen de la tensión de estos 3 o 4 últimos años entre los chicos del señor Stallman
Se han pasado de backdoors y deben tomar medidas …
Es por eso que estas últimas noticias al respecto son el resultado de negociaciones entre grupos …
Antivirus para Linux es una de ellas y encaja perfectamente con las intenciones económicas de red hat … debian, suse … bsd si .
Llega apple y llega fuerte 💪 desde la industria audiovisual, donde lleva décadas en cabeza , y toma posiciones en la informática personal y empresarial
. Jóvenes sin precauciones reunidos con adultos menos flexibles .
Paul Ducklin
My Spanish is not very good but I don’t accept that Linux server users are abandoning Linux for Windows at any great rate… so I disagreed with you from the first line.
Alejandro
There is a misunderstood.
Sysadmins older than 40 for sure to prefer Linux , even unix to their datacenters.
And you have reason in the point of in internet servers are mostly administrated by older than 40
One point , this are the same people that Carrie on Linux gnu to their desktops… and volunteers for beta testing all stuff that … hackers take him … 2008-2018 .
And now … so tired 😓 of bad arts 🎭
Backdoors . And all kind of crazy ideas borned around drinks 🍷 and smokes…
But sometimes the time run 🏃♀️ more quickly
Hackers against gamers :)
Alejandro
Servers have long fled to Windows precisely because of the slowdown of some gnulinux distros …
This logically dislikes the most canonical visions of gnulinux.
Here the origin of the tension of these last 3 or 4 years between Mr. Stallman’s boys
They have passed backdoors and must take action …
That is why this latest news in this regard is the result of negotiations between groups …
Antivirus for Linux is one of them and fits perfectly with the economic intentions of red hat … debian, suse … bsd yes.
Apple arrives and arrives strong 💪 from the audiovisual industry, where it has been leading for decades, and takes positions in personal and business computing
. Young people without precautions reunited with less flexible adults.
Paul Ducklin
Ah, see my comment above.
Sam Varghese
First, let me say that it is sad to see a nerd like Ducklin write this kind of stuff.
One of the first things that should be checked in write-ups like this is how the malware infects a system. This write-up omits that important detail. In most cases, it is a case of bad passwords and then it does not matter if it is Linux or Windows or any of the BSDs.
Secondly, in the case of Windows, it is common to see people operating with an account that has admin privileges; in the case of Linux, it is very rare. AFAIK, in the last 20 years at least, there has been only one Linux distribution (out of more than 350, many of which have died) that allowed the setting up of a system with a root user as the lone operator.
Why is this important? Because any file that gets onto a system immediately gets the same privileges as the user. And when the user is root, one has carte blanche to do anything and everything.
You can run scripts with any user logged in but the extent of damage will be greatly restricted if that user is an ordinary one and not an admin/root.
But providing all these details – and actually educating the reader – would spoil the chance of advertising some product. Hence it is left out.
Paul Ducklin
Ahhhh, the old, old chestnut that “malware is only an issue if your OS lets you login by default as an administrator, and that’s why malware is a non-issue on Linux and a huge problem on Windows.”
The problem is that this whole argument is poppycock.
The simple truth is – and always has been – that malware doesn’t need to “get root” to do you serious harm. For example, on my Linux system, logged in using my day-to-day account with no special privileges, and without using sudo or entering the root password, I can take screenshots of my whole desktop; access the microphone to record podcasts; capture the audio output while listening to it; open listening UDP and TCP network sockets accessible from other devices on the network; make outbound UDP and TCP connections anywhere I like; access USB devices I just plugged in, including copying files to them; read my browser history; change my browser history; see my command shell history (actually, I can’t – I disabled that and so should you); read in my SSH private key; download software; install and run arbitary scripts and binaries; start a keylogger to record my entire session; plus delete or rewrite any file I like in my home directory. I have the scripting languages Perl, Python, PHP, Tcl, Lua and more available by default, including PHP’s handy ‘-S’ option to create an ‘instant web server’; I’ve got nmap, ncat and socat; and so on and so on.
And if I can do all that stuff, *so can any malware that runs as me*.
(Anyway, most – or at least many – Linux distros these days set up the default user with the privilege to run sudo and ‘get root’ without knowing the root password at any time, notably for the purpose of installing new software packages, including software that’s installed officially by running a Makeself script file just like the one the crooks prepared in this case.)
On Windows, it’s much the same. No one “runs as admin” by default any more – that’s been gone for years, but that alone doesn’t stop you running ransomware by mistake and wiping out all your own files – which are typically the one’s you’re most interested in in the first place. Indeed, some Windows ransomware doesn’t even bother trying to exert admin-level powers – it just wipes out the files in your own “C:\USERS\YourNameHere” directory tree and demands its money.
In other words, it’s not so much that the potential risk posed to your personal data by malware is “greatly reduced” just by logging in as yourself (as you put it) but that the risk to the system as a whole is “greatly increased” if you do allow malware to run with root privileges.
Sam Varghese
Yes, any user on a system, be it Windows or Linux, can do plenty of things – else that account would be of no use.
But you cannot trash your system files as a user. I am not aware of what Linux distribution you use, but on the one I use – Debian – and which I have used for nearly two decades, a user cannot muck around as he or she likes.
Windows users in business set-ups may not be given admin accounts – that depends on the sysadmins who set up their machines. You generalisation about “On Windows, it’s much the same. No one “runs as admin” by default any more..” is incorrect. I attend to many friends’ Windows machines and all of them run as admin. Trying to put them on user accounts is impossible because they have gotten used to the freedom that an admin account provides.
Ordinary Windows users still operate as admins for the most part. That is because Windows still does not insist that you create a user account when you log in for the first time. Research firms like Avecto keep pointing out year after that if people used admin rights, then 80% of the critical vulnerabilities found in Microsoft products in 2017 would have no effect on a system. (https://www.itwire.com/security/removing-admin-rights-would-mitigate-most-microsoft-flaws,-report-claims.html)
You still haven’t told us how this malware of yours gets on to a system. I can write the most devastating script that will screw up your system in its entirety but if I cannot gain access to the system, it is of no use.
Paul Ducklin
This isn’t “malware of mine”, and it’s disingenuous of you to phrase your comment that way.
But as to how malware typically gets onto desktop/laptop systems when it isn’t poked in via some sort of hack or exploit or weak password – common vectors include email attachments, poisoned download repositories visited by other software or system components during updates, bogus web links and ill-considered installs of “cool” new software.
I’ve seen loads of mainstream Linux tools and packages these days that urge the user to install them simply by “cutting and pasting this string into a terminal window”, where the command is a one-liner of the curl-url-pipe-bash variety. What could possibly go wrong there, eh?
EarlyMon
Let’s please get something corrected here.
#! /bin/sh
^ That means that the contents of this file are to be interpreted by sh the program – its name is a mnemonic for shell – located in the bin directory – its name a mnemonic for binary, that is, compiled code.
/bin/sh was best known as the Unix Bourne shell, named after its author, in System 7.
Other shells include but are not limited to –
ksh – Korn shell
csh – c shell
bash – Bourne again shell
The unix model was spherical. The core is called the kernel, it’s surrounded by system code, and the minimum way for a user to get to anything was through the software at the outermost layer – the shell.
“Shell” has *never* been a reference to the console or a gui-based console window. Most shell scripts can and do run invisibly, no console interface or window of any kind required. A shell is typically so simple however that all that’s required for interactive human use is a command line interface.
Paul Ducklin
Yes, you’re right – I kind of oversimplified (or at least was overly specific) about ‘shell’. While we regularly refer to terminal sessions as ‘shells’, there’s no need for a shell to be interactive or even visible.
I’ve reworded it to make it clear that the command prompt you get in a terminal window is *a* shell, but – as you say – a shell doesn’t need a controlling terminal and is really just a command *processor*, not a command *prompt*.
(Indeed, this malware launches its binary via a shell script that runs it in the background via nohup, short for ‘no hang up’, which means to keep on running even after the parent shell – which could be a terminal window when the user first runs the malware, or the cron process after a reboot – exits.)
Alejandro
In the February 2018 [Netcraft] survey we received responses from 1,838,596,056 sites across 214,036,874 unique domain names and 7,290,968 web-facing computers. This reflects a gain of 63,000 computers, and nearly a million additional domains. Overall hostname growth was 33 million, and the number of active sites grew by 9.3 million.
Microsoft dominated this month’s domain growth, with an extra 1.1 million domains (+2.0%) taking its market share up by 0.41 percentage points to 26.5%, while Apache lost 115,000 domains. Microsoft also saw the largest hostname growth, with an additional 59 million sites taking its leading hostname share up by 2.65 points to 34.5%.
Paul Ducklin
I see no “fleeing from Linux” here. Firstly, these stats are about growth, not changes to existing servers, and they related to domain names.
Anyway… if you want to carry on discussing things like vendor market share, web hosting and domain names then I am willing to talk to you, but let’s take it offline – this article is about malware for Linux desktops and laptops, just for a bit of interest.
Xandronm
oh 😮
Yeah
Malware or back doors ?
Do you know mint ?
It is a popular backdoor for desktops .
Take care keep safe my friend
:)
Paul Ducklin
Well, Mint had an embarrasing malware glitch, sure:
https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
But to call the whole distro a “popular backdoor” is a bit of a stretch (no pun intended), isn’t it?
One of the Extending 48%
The End User Agreement for Sophos Anti-Virus for Linux says:
“If these goods are delivered to a country within the European Union, please be advised in accordance with article 22 (10) of the EC Regulation 428/2009, that these goods are subject to controls. If they are to be exported out of the European Union the exporter must acquire the relevant export licenses.”
I could accept delivery into the UK, currently a country within the EU. But come the 31 October our new apology for a Prime Minister is determined to take us out of the EU, so I guess the “goods” become exported along with the rest of us. Am I, a poor Brexit Sufferer, the exporter or is Alexander Boris de Pfeffel Johnson, a piece of malware notorious for not attending to details, the exporter, and how do you obtain the relevant export licences?
Or am I not really meant to read the End User Agreement?
Paul Ducklin
I am not a lawyer but as far as I am aware, you can’t export a product from a country (or economic union, or customs union, or whatnot) that you are already inside. That would surely be a contradiction in terms.
So you couldn’t export our software from the UK to the UK whether the UK is a member of the EU or not. So my guess is that the question of “export controls” is moot in your case.
But your question is, in general, a fascinating one. Just the thing to cheer up a weekend 🤔
Slow Joe Crow
Since this appears to specifically target Gnome desktops would it have any effect on a system without Gnome or Gnome libraries like KDE or Enlightenment?
Paul Ducklin
Yes. It doesn’t actually target Gnome, it simply uses Gnome-like file and directory names as a way of hiding in plain sight. (Probably should have mentioned, but if the relevant directories don’t exist under ~/.cache then the malware installer quietly creates them.)
If you use KDE or some other window manager (I’m a Fluxbox man myself) you probably have at least a few GTK and Gnome libraries and other files floating around, so even if you notice the files in ~/.cache, they are unlikely to arouse any suspicion, for all that you might not have expected to see them.
fossonly
And again a somewhat glorious example of a ridiculous attempt to infect a GNU/Linux. As you can easily see, something has to be loaded and executed from untrusted sources. So an attack vector that, if at all, affects a handful of idiots who use or deface GNU/Linux like Windows. For all others, virtually insignificant, yet advanced security mechanisms must be employed. And those who already do a minimum of system hardening, or even go far beyond it, smile tiredly at the topic of malware anyway. By the way, proprietary antivirus programs working with root rights are effectively harmful for any system security and can’t even catch up with real security mechanisms.
Pete
Had to adopt Win 10 Pro two months ago. Still cannot get myself to pass through the Hell of Gates. Windows is so clumsy, archaic. And I see my laptop is running on an Administrator account. Oops, need to change that….