50 comments

[ 0.16 ms ] story [ 96.0 ms ] thread
I imagine this is targeting Redhat Desktop installations then, as Red Hat is pretty big on GNOME, and as we all know, GNOME/Redhat has been at the spearhead of many unpopular systems, such as NetworkManager.

So my guess is, they're targeting Redhat Desktop, because it's the most likely Linux desktop to be seen in the corporate space. My old university had RHEL client machines.

Maybe they're just trying to get ahead of the curve with this?

Edit: Also, lately there has been more noise from more governments about using Linux, so yeah, getting ahead of the curve.

Maybe, but don't Ubuntu and Debian also come with GNOME as the default desktop?
They certainly do. Worth bearing in mind that this attack seems to be XOrg only and current versions of Ubuntu now default to Wayland.
Not the LTS's which are over 90% of installs.
18.04 LTS is GNOME
He means the LTS's are Xorg not Wayland
Only the "ShooterImage" component relies on Xorg (the other components work regardless of window system). Note that the reason Wayland isn't affected is because the malware doesn't use the API needed for taking screenshots.
>Ubuntu now default to Wayland.

I think Ubuntu changed their minds and went back to Xorg, also Wayland+GNOME Shell has the terrible issue where the shell crashes would bring down your session and you lose all your work.

Debian just switched to Wayland so in the fallowing months we will see the effects, it could be a new pulse audio situation where you will get a lot of "fixes" starting by removing Wayland.

Only 17.10 defaulted to Wayland, all older and newer versions default to xorg.
I would expect Gnome to be the window manager of >80% of Linux installs. I don't think Redhat is particularly special in this regard, even if it is a particularly juicy target.
The more uniform linux (and linux desktop) becomes the more easier and more valuable target it becomes as well.

Systemd, GNOME3, DBUS - they are essentially omnipresent on "modern" linuxes these days. The questionable safety that was provided by snowflake installs is evaporating fast.

Ed. Never mind, can't read apparently.
I reads the opposite. He said such systems are easier targets because of uniformity.
Didn't look like it to me. More that security by obscurity in having heterogeneous infrastructure across different distributions no longer applies, not that systemD was improving the situation.
Yup, monoculture versus polyculture. I'm always amazed at how similar computer software behaves to biological life.
> The more uniform linux (and linux desktop) becomes the more easier and more valuable target it becomes as well

This is an oversimplification. There is a sweet spot for security between monoculture and excessive fragmentation.

Most lesser-famous Linux distributions struggle to provide extensive and timely security updates (or provides no security fixes at all by doing only "rolling" releases that track upstream).

To provide security a skilled security team, as well as a large enough userbase is needed.

Linux Desktops are not very common, which leads to wonder if more uniformity can be a good thing.

Wouldn't uniformity be a bad thing for less common Linux distributions since whatever targets the famous distros would also work with the less common distros but while the former have the big userbase and skilled security team, the latter will be left exposed? And in turn create a vicious circle where the less common distros will be used even less and the more common distros even more, thus creating a monoculture that despite being open source gives control to a few organizations and/or individuals?

(of course this issue with uniformity can also happen outside of security reasons - e.g. if all distros provide more or less the same experience then why bother with a small distro?)

Note that this requires for a user to actually download and run this malware, it doesn't randomly get into someone's computer by itself:

> This implant is delivered in the form of a self-extracting archive shell script created with makeself

Most malware is. The question becomes how good they are at tricking people to install it.
I'd expect very little success, most people on Linux download software from repositories or other trustworthy places (e.g. Steam).

Though some people do tend to install stuff via "curl | sudo bash"... but i think this malware is the least of their concerns :-P

With npm, pip and random github repositories used for plugins in various applications I tend to disagree. It's not like it is uncommon with third-party additions to package managers such as apt either.
I do not consider all 3rd party places as untrusted (this sort of thinking leads to walled gardens) and i'd put these under "downloading from trustworthy places" in the sense that they are more of a way to download something and less a source themselves (e.g. you can download a pip package from both a trustworthy developer and untrusted developer). Of course the more layers between you and whatever you want to download, the harder it becomes to judge things.

For example i'd trust an apt repository or pip package developed by -say- Blender developers, regardless of it being a 3rd party repository or delivered through pip.

Neither do I. But even if I download a pip package from blender and it depends on 14-third party packages - how on earth am I able to assess the risk/trust of that?

I most certainly trust that there is no ill intent from them and that it didn't raise any flags during testing. But even if I believe they have the resources to audit everything I might be getting a newer and infected version.

And even if my trust of a programmer/entity is rock-solid it is hard to guard against their account being compromised, that is all it takes for most 3rd party sources.

You can't really, but at some point you have to trust someone, otherwise everyone would recreate everything from scratch. Though TBH what i had in mind wasn't really the "let's download live code from random places" repositories like npm and pip, but more "static" repositories where all dependencies are either part of the repository itself or assumed to be already on your system.
And my point was that linux users depend on such repositories all the time.

There will probably be quite a few wake up-calls where this is exploited.

This is something I have wondered myself.

Would love if someone would chime in on the reality here.

>EvilGnome’s functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules.

I'm glad this is still considered malware in the Linux world at least, and not just "analytics"

This is considered malware in any world.
I think this was a tongue in cheek comment about Windows 10 «analytics».
This incident made me think that the hackers planned to hijack some popular extension. this would make the more damage.

My (unpopular) opinion is that GNOME should see what are the most used extensions, accept that people want those feature and bring those features into GNOME or make those official extension and not third party, so you at least control what most people would install.

GNOME has been nuking features for a while, recommending people to go and install extensions.

Extensions work by monkey-patching and once you have a critical mass of them, you're guaranteed to run into some glitches where one monkey-patch messes up the other. I like the KDE approach more where features are actually baked into the DE. It's much easier to reproduce bugs and fix bugs that can depend on different features being enabled. Everyone benefits.

I agree with you, but if the GNOME devs can't change their "vision" the next best thing is to adopt the popular extensions the downstream distribution use and bring them in the main repository, at least you reduce the risks and maybe keep the extensions more updated.

I am a KDE user and to be fair during KDE4 days ,Plasma had a maintainer with big ego that had a similar mentality with GNOME devs, we could not get a patch merged in to hide the Cachew thingy. Makes me wonder if all this GNOME vision of removing non default options is just one guy with big ego and lot of influence

> GNOME has been nuking features for a while

That's an understatement. GNOME is so notorious for removing features that I recall jokes on Slashdot 15 years ago about how the next version of GNOME will just have a giant "Do Stuff" button in the middle of the screen.

I think that opinion is only unpopular among GNOME devs. Even ignoring security concerns the whole process of installing Tweaks and chrome-gnome-shell and navigating to the extensions website and then the extensions breaking every time GNOME updates just because you want a dock or panel is really annoying.
Wow, so this is what GNOME has become. I've ditched them in favor of Mate at some point and later made that into an i3/Mate combination. Something about editing text files for configuration is just inherently better over clicking through dozens of menus.
what's an i3/mate combination? do you mean you switch between them as you feel like it, or somehow have a combined workspace with both? don't you need to log out to switch?
Not OP, on most DEs(desktop environment) you can change the WM (window manager) , like in the past you could replace Mutter or KWin with Compiz. I am not sure if this is possible this days with GNOME.
Mate has good i3 integration. I'm running i3, but have the mate panel and menus and stuff.
So, basically, disable Gnome extensions and you're fine.
It looks like this is not dependent on Gnome at all, it's simply pretending to be a Gnome shell extension in order to hide. I don't think disabling shell extensions will do anything at all.
No, do not download and run random stuff from shady places and you're fine. This relies on you explicitly downloading and running a self-extracting shell script, it doesn't get installed by itself.
Who is to say that future versions of this won't be paired with some arbitrary browser/email-based RCE. This is the persistent threat, a payload if you will, not an exploit itself.
If someone can force download and install an application through browser/email then the issue isn't with the application being downloaded and installed but whatever allowed the application to be forcefully downloaded and installed (that is, your browser/email client).
you're being dismissive because it sounds like a such an RCE could only be the result of gross negligence. let me paint a more plausible scenario.

many gnome-based distros (fedora, for example) ship with firefox and the "gnome extensions" plugin for firefox pre-installed. this extension allows you to install extensions directly into your shell from extensions.gnome.org just by clicking "install".

suppose an exploit was found that allows sources other than extensions.gnome.org to trigger the firefox plugin to install a shell extension.

seems much more likely now, doesn't it?

I'm not sure how much of a possibility this is because i do not know exactly how GNOME extensions work - the linked malware is not a real GNOME extension, it just pretends to be one by placing itself in the directory where GNOME extensions are placed, but it really is a shell script. But assuming that this is the case, as i said above the issue would be with Firefox and/or the Firefox extension, not with GNOME being extensible or the user being able to download and run shell scripts (the two things that enable this to work) in their computer (and really the "GNOME being extensible" part is minor, the only reason the malware uses that is to hide itself, it isn't even a real GNOME extension).

The main reason i am dismissive is because if you think this is a real threat then you'd have to also think anything you can run on your computer to be a real threat - which, IMO, is absurd and at that point you might as well turn off and throw your computer out of the window.

I'm very surprised to see that this malware hasn't been stripped of symbols and metadata, or disguised them in some way. It makes me wonder whether this is an amateur operation, or deliberately designed to give the impression of one.

Although it could be a diversion, I wonder if the mention of Rostov (a city curiously close to Crimea) has any significance.

> Linux desktop remains an unpopular choice among mainstream desktop users ..

Because it's virtually to buy a computer in the shops with a Linux Desktop pre-installed. Even online Dell manages to keep a Linux Desktop computer well hidden on their website.

> .. in the beginning of July, we discovered a new, fully undetected Linux backdoor implant ..

How does this “fully undetected Linux backdoor” get onto the Desktop in the first place, without the end-user explicitly downloading and installing this Linux “implant”.

> .. We have named the implant EvilGnome, for its disguise as a Gnome extension ..

Thanking you, so the “implant” disguises itself as a Gnome extension and resides on some third-party website.

> .. The malware is currently fully undetected across all major security solutions ..

So, the defect resides in the security solutions :]