This news is already a week old, but it only got submitted to us today, and I didn’t notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and a theme, respectively).
The two cases were discovered shortly after one another. The first was malware masquerading as a screensaver. It came as a .deb package, but instead of installing a screensaver, it executed a script which tampered with some files and downloaded a few other scripts; these made the affected machine take part in a DDoS attack, and also allowed the malware to update itself.
Not long after, a similar problematic package was discovered, but I can find little information on that one, other than that it was a theme called “Ninja Black”. Since only one set of removal instructions has been posted, I’m assuming it was the same .deb package/script uploaded under a different name.
Speaking of removal instructions – if you’ve been hit, here’s the fix:
sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash
sudo dpkg -r app5552
This minor incident highlights both the inherent strength of the repository system, as well as one of its weaknesses. First, though, let’s make it very clear that this very minor incident in no way means that Linux, Debian, Ubuntu or other .deb-based distributions are insecure. This is a clear case of social engineering, and there’s no remedy for that yet. Of course, GNOME-Look is partly to blame too, but I guess it’s virtually impossible to keep such a large site clean. For what it’s worth, they removed the offending packages very quickly.
The inherent strength this little incident illustrates is that if you stick to the official repositories for Ubuntu, there’s very little to be afraid of. Those packages are well-tested and secure (i.e., they contain no malware, but could of course still contain regular security flaws), and can be installed without fear of repercussions.
The weakness this case illustrates is that quite often, the official repositories are simply not enough. A newer version might not be there yet, a program you want isn’t in the repositories, or some other scenario applies. In those cases, installing something from outside of the repositories is appealing, but it does mean opening yourself up to potential hazards.
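One thing worth knowing before installing a .deb from outside the repositories is that its maintainer scripts (preinst, postinst and friends) are run as root by dpkg, and that both the scripts and the file list can be read without installing anything. The following is an added example, not code from the original article or from GNOME-Look: a small Python reader that opens a .deb directly (an ar container holding control and data tarballs) and flags the kind of artefacts the removal instructions above mention; the heuristics, the sample package and the name SAMPLE_DEB are constructed for this example.

```python
import io, re, tarfile
# Heuristics a reviewer might apply to a third-party .deb (constructed for this example).
PATH_FLAGS = [(re.compile(r"^\./etc/profile\.d/"), "installs a login-time hook in /etc/profile.d"),
              (re.compile(r"^\./usr/bin/.*\.bash$"), "ships a .bash script as a /usr/bin command")]
SCRIPT_FLAGS = [(re.compile(r"\b(wget|curl)\b"), "fetches content at install time"),
                (re.compile(r"/usr/bin/\S+\.bash"), "runs a packaged .bash helper as root")]

def parse_ar(data):
    assert data[:8] == b"!<arch>\n", "not an ar archive"
    members, pos = {}, 8  # each member: 60-byte header, then data padded to an even length
    while pos + 60 <= len(data):
        hdr, size = data[pos:pos + 60], int(data[pos + 48:pos + 58].decode())
        members[hdr[:16].decode().strip().rstrip("/")] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members

def audit_deb(deb):
    """Maintainer scripts, payload paths and heuristic flags of a .deb, read without installing it."""
    report = {"scripts": {}, "files": [], "flags": []}
    for name, blob in parse_ar(deb).items():
        if name.startswith(("control.tar", "data.tar")):
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:  # gz/bz2/xz, not zstd
                for m in tar.getmembers():
                    base = m.name.rsplit("/", 1)[-1]
                    if name.startswith("control") and base in ("preinst", "postinst", "prerm", "postrm"):
                        text = report["scripts"][base] = tar.extractfile(m).read().decode(errors="replace")
                        report["flags"] += [f"{base}: {why}" for rx, why in SCRIPT_FLAGS if rx.search(text)]
                    elif name.startswith("data") and m.isfile():
                        report["files"].append(m.name)
                        report["flags"] += [f"{m.name}: {why}" for rx, why in PATH_FLAGS if rx.match(m.name)]
    return report

def _tar_gz(entries):  # in-memory tar.gz from {path: bytes}, used only for the constructed sample
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path); info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar(members):  # minimal ar writer, used only for the constructed sample
    out = b"!<arch>\n"
    for name, blob in members.items():
        out += f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(blob):<10}`\n".encode() + blob
        out += b"\n" * (len(blob) % 2)  # pad to an even length
    return out

SAMPLE_DEB = _ar({"debian-binary": b"2.0\n",  # constructed; laid out like the package described above
    "control.tar.gz": _tar_gz({"./control": b"Package: app5552\nVersion: 1\nArchitecture: all\n",
                               "./postinst": b"#!/bin/sh\n/usr/bin/Auto.bash\n"}),
    "data.tar.gz": _tar_gz({"./usr/bin/Auto.bash": b"#!/bin/bash\n# constructed placeholder\n",
                            "./etc/profile.d/gnome.sh": b"# constructed placeholder\n"})})
```

Running audit_deb on a real file (`audit_deb(open("pkg.deb", "rb").read())`) gives the same report; the equivalent by hand is `dpkg-deb -e`, `dpkg-deb -c` and reading the scripts yourself.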
All in all though, this is a very minor case, but noteworthy nonetheless, as I think it’s one of the first pieces of malware for Ubuntu.
This was bound to happen at some point and I’m surprised it hasn’t been in the past.
Personally, I think they should ban the upload of binary packages to such sites, they just cannot be trusted.