
EvilGnome: Rare Malware Spying on Linux Desktop Users - dominikaner
https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/
======
swebs
> EvilGnome's functionalities include desktop screenshots, file stealing,
> allowing capturing audio recording from the user's microphone and the ability
> to download and execute further modules.

I'm glad this is still considered malware in the Linux world at least, and not
just "analytics"

~~~
Scea91
This is considered malware in any world.

~~~
littlestymaar
I think this was a tongue in cheek comment about Windows 10 «analytics».

------
simion314
This incident made me think that the hackers planned to hijack some popular
extension; this would do more damage.

My (unpopular) opinion is that GNOME should see which extensions are the most
used, accept that people want those features and bring those features into
GNOME, or make those official extensions and not third party, so you at least
control what most people would install.

~~~
emerongi
GNOME has been nuking features for a while, _recommending_ people to go and
install extensions.

Extensions work by monkey-patching and once you have a critical mass of them,
you're guaranteed to run into some glitches where one monkey-patch messes up
the other. I like the KDE approach more where features are actually baked into
the DE. It's much easier to reproduce bugs and fix bugs that can depend on
different features being enabled. Everyone benefits.

~~~
AnIdiotOnTheNet
> GNOME has been nuking features for a while

That's an understatement. GNOME is so notorious for removing features that I
recall jokes on Slashdot 15 years ago about how the next version of GNOME will
just have a giant "Do Stuff" button in the middle of the screen.

------
Crinus
Note that this requires for a user to actually download and run this malware,
it doesn't randomly get into someone's computer by itself:

> This implant is delivered in the form of a self-extracting archive shell
> script created with makeself

~~~
tjoff
Most malware is. The question becomes how good they are at tricking people to
install it.

~~~
Crinus
I'd expect very little success; most people on Linux download software from
repositories or other trustworthy places (e.g. Steam).

Though some people do tend to install stuff via "curl | sudo bash"... but I
think this malware is the least of their concerns :-P

~~~
tjoff
With npm, pip and random github repositories used for plugins in various
applications I tend to disagree. It's not like it is uncommon with third-party
additions to package managers such as apt either.

~~~
Crinus
I do not consider all 3rd party places as untrusted (this sort of thinking
leads to walled gardens) and I'd put these under "downloading from trustworthy
places" in the sense that they are more of a way to download something and
less a source themselves (e.g. you can download a pip package from both a
trustworthy developer and an untrusted developer). Of course the more layers
between you and whatever you want to download, the harder it becomes to judge
things.

For example I'd trust an apt repository or pip package developed by -say-
Blender developers, regardless of it being a 3rd party repository or delivered
through pip.

~~~
tjoff
Neither do I. But even if I download a pip package from Blender and it depends
on 14 third-party packages - how on earth am I able to assess the risk/trust
of that?

I most certainly trust that there is no ill intent from them and that it
didn't raise any flags during testing. But even if I believe they have the
resources to audit everything I might be getting a newer and infected version.

And even if my trust of a programmer/entity is rock-solid it is hard to guard
against their account being compromised, that is all it takes for most 3rd
party sources.

~~~
Crinus
You can't really, but at some point you have to trust someone, otherwise
everyone would recreate everything from scratch. Though TBH what I had in mind
wasn't really the "let's download live code from random places" repositories
like npm and pip, but more "static" repositories where all dependencies are
either part of the repository itself or assumed to be already on your system.

~~~
tjoff
And my point was that Linux users depend on such repositories all the time.

There will probably be quite a few wake-up calls where this is exploited.

------
Arbalest
I imagine this is targeting Redhat Desktop installations then, as Red Hat is
pretty big on GNOME, and as we all know, GNOME/Redhat has been at the
spearhead of many unpopular systems, such as NetworkManager.

So my guess is, they're targeting Redhat Desktop, because it's the most likely
Linux desktop to be seen in the corporate space. My old university had RHEL
client machines.

Maybe they're just trying to get ahead of the curve with this?

Edit: Also, lately there has been more noise from more governments about using
Linux, so yeah, getting ahead of the curve.

~~~
quicklime
Maybe, but don't Ubuntu and Debian also come with GNOME as the default
desktop?

~~~
SmellyGeekBoy
They certainly do. Worth bearing in mind that this attack seems to be XOrg
only and current versions of Ubuntu now default to Wayland.

~~~
teekert
Not the LTS's which are over 90% of installs.

~~~
lathiat
18.04 LTS is GNOME

~~~
roryrjb
He means the LTS's are Xorg not Wayland

------
pmlnr
The more uniform Linux (and the Linux desktop) becomes, the easier and more
valuable a target it becomes as well.

Systemd, GNOME3, DBUS - they are essentially omnipresent on "modern" linuxes
these days. The questionable safety that was provided by snowflake installs is
evaporating fast.

~~~
na85
Ed. Never mind, can't read apparently.

~~~
aesh2Xa1
I read it the opposite way. He said such systems are easier targets because of
uniformity.

------
gnode
I'm very surprised to see that this malware hasn't been stripped of symbols
and metadata, or disguised them in some way. It makes me wonder whether this
is an amateur operation, or deliberately designed to give the impression of
one.

Although it could be a diversion, I wonder if the mention of Rostov (a city
curiously close to Crimea) has any significance.

------
SmileyRedBall
> Linux desktop remains an unpopular choice among mainstream desktop users ..

Because it's virtually impossible to buy a computer in the shops with a Linux
Desktop pre-installed. Even online, Dell manages to keep a Linux Desktop
computer well hidden on their website.

> .. in the beginning of July, we discovered a new, fully undetected Linux
> backdoor implant ..

How does this "fully undetected Linux backdoor" get onto the Desktop in the
first place, without the end-user explicitly downloading and installing this
Linux "implant"?

> .. We have named the implant EvilGnome, for its disguise as a Gnome
> extension ..

Thanking you, so the “implant” disguises itself as a Gnome extension and
resides on some third-party website.

> .. The malware is currently fully undetected across all major security
> solutions ..

So, the defect resides in the security solutions :]

------
ga-vu
So, basically, disable Gnome extensions and you're fine.

~~~
Crinus
No, do not download and run random stuff from shady places and you're fine.
This relies on you explicitly downloading and running a self-extracting shell
script, it doesn't get installed by itself.

~~~
emidln
Who is to say that future versions of this won't be paired with some arbitrary
browser/email-based RCE? This is the persistent threat, a payload if you will,
not an exploit itself.

~~~
Crinus
If someone can force download and install an application through browser/email
then the issue isn't with the application being downloaded and installed but
whatever allowed the application to be forcefully downloaded and installed
(that is, your browser/email client).

~~~
woodrowbarlow
you're being dismissive because it sounds like such an RCE could only be the
result of gross negligence. let me paint a more plausible scenario.

many gnome-based distros (fedora, for example) ship with firefox and the
"gnome extensions" plugin for firefox pre-installed. this extension allows you
to install extensions directly into your shell from extensions.gnome.org just
by clicking "install".

suppose an exploit was found that allows sources other than
extensions.gnome.org to trigger the firefox plugin to install a shell
extension.

seems much more likely now, doesn't it?

~~~
Crinus
I'm not sure how much of a possibility this is because I do not know exactly
how GNOME extensions work - the linked malware is not a real GNOME extension,
it just pretends to be one by placing itself in the directory where GNOME
extensions are placed, but it really is a shell script. But assuming that this
is the case, as I said above the issue would be with Firefox and/or the
Firefox extension, not with GNOME being extensible or the user being able to
download and run shell scripts (the two things that enable this to work) on
their computer (and really the "GNOME being extensible" part is minor, the
only reason the malware uses that is to hide itself, it isn't even a real
GNOME extension).

The main reason I am dismissive is because if you think this is a real threat
then you'd have to also think anything you can run on your computer to be a
real threat - which, IMO, is absurd and at that point you might as well turn
off and throw your computer out of the window.
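As an added illustration of the point made in the thread (this is example code, not from the discussion or from Intezer): the implant is described as a makeself shell script dropped into the GNOME extensions directory rather than a genuine extension, so a defender can audit that directory for entries that do not look like extensions. The user extension path `~/.local/share/gnome-shell/extensions`, the `metadata.json`/`extension.js` layout check and the shebang/executable heuristics are assumptions of this example, and the sample tree it scans is constructed.

```python
import json
import stat
import tempfile
from pathlib import Path

# Standard per-user GNOME Shell extension directory (assumed for this example).
EXT_DIR = Path.home() / ".local/share/gnome-shell/extensions"


def is_shell_script(path: Path) -> bool:
    """True if the file begins with a shebang, as a makeself archive does."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def audit_extensions_dir(ext_dir: Path) -> list:
    """Return (entry_name, reason) for every entry that is not a plain extension."""
    findings = []
    if not ext_dir.is_dir():
        return findings
    for entry in sorted(ext_dir.iterdir()):
        if entry.is_file():
            # A real extension is a directory, so a loose file is suspect,
            # doubly so when it is executable or a script.
            if entry.stat().st_mode & stat.S_IXUSR or is_shell_script(entry):
                findings.append((entry.name, "executable or script in extensions dir"))
            else:
                findings.append((entry.name, "stray file in extensions dir"))
            continue
        meta = entry / "metadata.json"
        if not meta.is_file():
            findings.append((entry.name, "directory without metadata.json"))
            continue
        try:
            if json.loads(meta.read_text()).get("uuid") != entry.name:
                findings.append((entry.name, "metadata uuid does not match directory"))
        except (ValueError, OSError):
            findings.append((entry.name, "unreadable metadata.json"))
        for f in entry.rglob("*"):  # extensions ship JS/CSS/JSON, not executables
            if f.is_file() and (f.stat().st_mode & stat.S_IXUSR or is_shell_script(f)):
                findings.append((entry.name, f"executable or script inside extension: {f.name}"))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: one well-formed extension plus a fake one that is
    really a shell script (stand-in for a makeself archive, not the real file)."""
    root = Path(tempfile.mkdtemp())
    good = root / "clock@example.org"
    good.mkdir()
    (good / "metadata.json").write_text(json.dumps({"uuid": "clock@example.org"}))
    (good / "extension.js").write_text("/* harmless */")
    bad = root / "gnome-shell-ext.sh"  # constructed name
    bad.write_text("#!/bin/sh\n# placeholder body\n")
    bad.chmod(bad.stat().st_mode | stat.S_IXUSR)
    return root


if __name__ == "__main__":
    for name, reason in audit_extensions_dir(EXT_DIR):
        print(f"{name}: {reason}")
```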

