[sf-lug] Another reason to avoid Gnome

Rick Moen rick at linuxmafia.com
Mon Aug 12 15:30:52 PDT 2019


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Hi LUGers,
> 
>     Well I doubt that this is a problem for anyone but
> never-the-less for more agile
> minds than mine to ponder, I bring this here from the PCLinux Forum.
> 
> <https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/>

Hi, Bobbie.  I saw you post this just as I and my wife were leaving for
Ireland, and I hadn't had a chance to comment until now.  In a nutshell:
No, there may be excellent reasons to avoid GNOME, but this isn't one of
them.

Since I already commented on that subject on July 17th on the DNG
mailing list, I'll just quote that post (which you're welcome to cite to
PC-Linux Forum if you wish):


Date: Wed, 17 Jul 2019 22:06:36 -0700
From: Rick Moen <rick at linuxmafia.com>
To: dng at lists.dyne.org
Subject: Re: [DNG] EvilGnome spyware

Quoting golinux at devuan.org (golinux at devuan.org):

> EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users
> https://thehackernews.com/2019/07/linux-gnome-spyware.html

My view:  The only _actually interesting question_ in any report about
malware is how the code gets executed.  The cited story says exactly
zero about that -- leaving the natural suspicion that this codebase has
no means of entry whatsoever, but rather would be installed by certain
script kiddies after user-level compromise by other means entirely.

I checked the referenced 'new report Intezer Labs shared with The Hacker
News' to see if it were any better.  Paul Litvak, writing for Intezer
Labsi, is perfectly honest and straight-forward about this:  He doesn't
know, since this codebase was discovered as a 'a test version that was
uploaded to VirusTotal, perhaps by mistake'.  Fair enough.  The author
semi-almost-implies one speculation:

  Gamaredon Group is an alleged Russian threat group. It has been active
  since at least 2013, and has targeted individuals likely involved with
  the Ukrainian government. Gamaredon Group infects victims using
  malicious attachments, delivered via spear phishing techniques.
  [...]  Our investigation into EvilGnome yielded several similarities
  between the threat actors behind EvilGnome and Gamaredon Group: [...]

'Phishing' means sending users deceptive simulated requests for the
user's login credentials, e.g., to webmail.  'Spear phishing' is a
gimmicky bit of AV-biz marketing jargon, where the meaning is just
phishing but sent to key individuals whom the criminals particularly
would find useful to fool in that way.

But Litvak doesn't otherwise say anything about a means of execution on
the target user's machine.  My surmise is that it's just another trojan,
which is to say it's something that would be installed after entry and
compromise through other means entirely,   Litvak referring to it as a
'Linux backdoor implant' supports this surmise.  It's common for
computer crackers (or their scripted tools) to install backdoor
processes so that the criminal can have a means of re-entry if the user
or the user's admin starts killing malware processes (or they die,
etc.).

Basically, this doesn't strike me as even a tiny bit interesting.
The template of '$EVILCODE does $STUFF to your system if you run it'
raises the obvious question of 'What about _not_ running it?'  By and
large, code doesn't run itself, so failure to answer that 'one
interesting question' means the interesting bit got omitted.


Of possible interest:
http://linuxmafia.com/faq/Essays/security-snake-oil.html

It's poor form to be amused at my own writing, but I rather like where I
said to the AV-biz guy

  Hey, am I being trolled?  Posting references to "Hey, download me
  and I'll mail you a lollipop" trojans isn't new.  Throwing in two
  local privilege-escalation attacks to silently gain root on unpatched
  systems, _if_ the user is dumb enough to download and run untrustworthy
  code from nobody in particular, isn't new either.  So, wow: A user
  acting in an extremely stupid manner is likely to hurt
  his/her system.  News at 11.


Also of possible interest:
http://linuxmafia.com/~rick/faq/



More information about the sf-lug mailing list