EvilGnome – Linux malware aimed at your desktop, not your servers

Some of our readers asked us this week, “What do you guys think of EvilGnome?”

#ICYMI, EvilGnome is a recent malware sample that’s made a few headlines, and although we haven’t seen any examples of it actually popping up in the wild, we thought we’d answer the question anyway.

Because Linux!

As you probably know, Linux malware and hacked Linux systems are very common, for the simple reason that most of the servers that power today’s internet run Linux in some form.

If you’re a cybercrook who wants to spread your Windows malware widely – keyloggers, for example, or banking Trojans, or other network nasties that thieve people’s digital stuff so it can be sold on to the next crook on the cyberunderground…

…then you’re probably going to be relying on hacked or compromised Linux systems for the bulk of your malware distribution.

For that reason, Linux malware generally doesn’t look like Windows malware, and isn’t supposed to, either.

But EvilGnome, rare and unusual though it may be, gets its media-friendly name because it was clearly written to target the comparatively small but committed community who use Linux on their laptops.

LEARN MORE ABOUT MALWARE ON LINUX

(Audio player not working? Download MP3, listen on Soundcloud, or read the transcript.)

EvilGnome starts life as a self-contained file that consists of 522 lines of text – what’s called a shell script because it’s designed to run directly inside a Linux command shell, such as the command prompt you get in a terminal window – followed by a compressed blob of data that carries the rest of the malware along with it.

If you glance at the start of the malware file, all you’ll see is this:

#!/bin/sh
# This script was generated using Makeself 2.3.0

ORIG_UMASK=`umask`
if test "n" = n; then
    umask 077
fi

CRCsum="XXXXXXXXXX"
MD5="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
TMPROOT=${TMPDIR:=/tmp}
USER_PWD="$PWD"; export USER_PWD

label="setup files..."
script="./setup.sh"
scriptargs=""
licensetxt=""
. . .

That looks pretty unexceptionable – in fact, this is what’s called a self-extracting archive, and it was created with a legitimate and widely-used free software packaging system called Makeself.

Several mainstream software tools, such as Oracle’s VirtualBox software, make use of the Makeself toolkit, so the presence of Makeself’s auto-self-extraction code at the start of a Linux file isn’t itself cause for alarm.

After all, the idea is a good one – to make installing your software easier.

Instead of downloading a file in a static archive format such as ZIP, gzip, bzip2, and then decompressing and unpacking the bundle yourself before digging around to figure out how to install it, you just download one self-contained Makeself file and run it.

The shell script then extracts the embedded app into a temporary directory and automatically hands control over to a component that’s just been extracted – in this case, the uncontroversial-looking setup.sh.

Self-extracting archives and installers are commonplace on Windows; this is a way of achieving a similarly simple way of installing even very complex Linux software tools.

Forget about ./configure; make; make install, just run thisfile.sh or thisfile.run directly instead.

Linux doesn’t need file extensions in quite the same way Windows does, but the creators of the Makeself tool recommend adding an extension of .sh or .run anyway, just for clarity.)

What’s good for the goose

Unfortunately, the very tools that make it easier for us to construct self-installing software bundles also make things easier for the crooks.

If you run the EvilGnome self-extractor you will end up with malware installed in a directory called:

~/.cache/gnome-software/gnome-shell-extensions/

To explain.

In Unix-speak, the special filename ~/ means your home directory.

The rest of the file path refers to a temporary subdirectory used by the popular Linux desktop software known as Gnome.

Note that Unix filenames that start with a dot (also known as period and displayed as “.”) aren’t shown by default in most directory listings, so they’re essentially invisible by default.

In any case, .cache is a standard place for apps to store files they think they’ll need again but don’t need to keep forever.

In other words, the ~/.cache/gnome-software/ directory is a great place for malware to hide in plain sight – you’ll probably never see it, but if you do you’ll expect it to be full of random-looking stuff that can largely be ignored.

If you look in the hiding place used by the malware, you’ll find the innocent-sounding files:

gnome-shell-ext
gnome-shell-ext.sh

The names make them look like a Gnome shell extension, a kind of Gnome desktop plugin, but they are the malware app, plus a shell script to launch the app in the background, respectively.

The gnome-shell-ext file is a compiled C++ program; dumping some of the debugging symbols that the crooks left behind gives an immediate hint of what it’s for:

$ nm -C gnome-shell-ext

000000000040b650 T ShooterKey::threadKeysBody()
000000000040b850 T ShooterKey::sendKeys()
000000000040b700 T ShooterKey::ShooterKey()
. . .
0000000000409ce0 T ShooterFile::scanFolder()
0000000000409cb0 T ShooterFile::ShooterFile()
. . .
000000000040bc10 T ShooterPing::sendStoredPackets()
000000000040c560 T ShooterPing::ShooterPing()
. . .
000000000040b280 T ShooterImage::takeScreenshot()
000000000040b260 T ShooterImage::ShooterImage()
. . .
000000000040c610 T ShooterSound::takeSound()
000000000040c5f0 T ShooterSound::ShooterSound()
. . .

According to Intezer, who first broke the news of this malware, and gave it the name EvilGnome, these functions do pretty much what their names suggest.

The takeSound() function can capture audio and upload it; takeScreenshot() speaks for itself, and scanFolder() looks for files to steal.

Intezer says that the ShooterKey:: components aren’t finished (and therefore aren’t used), but it’s easy to guess what these functions might do in a future version – log keystrokes and thereby sniff out passwords.

Lastly, ShooterPing:: not only communicates back to the crooks but can also download new malware and run it.

That makes this into a general-purpose zombie or bot, namely a remotely controllable software agent that the crooks can harness later for whatever they think of next.

The EvilGnome malware also adds itself to your crontab (a Linux tool for running programs in the background at predetermined times) so that it gets re-launched within a minute if ever crashes or gets killed off.

That means it not only survives a reboot but also comes back to life if you notice it and terminate the suspicious process.

What to do?

As mentioned at the start, we haven’t seen this in the wild, so it’s unlikely you’ll encounter it.

But here are some tips anyway:

  • Check for a process called gnome-shell-ext. If found, use kill -9 to terminate it. If if comes back after a minute then this malware is probably already active on your system. Do steps 2 and 3, then repeat this step to kill it completely.
  • Check your crontab for an entry like 0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh. That’s a sign that the auto-reloading script has been installed. Remove it from crontab.
  • Check for the above-mentioned gnome-shell-ext* files. If you remove them then the malware can’t reload even you if haven’t cleaned the crontab.

By the way, Sophos Anti-Virus for Linux is 100% free for home and business use – why not try it?

Our product detects and blocks all types of malware on a Linux system, including Windows and Mac malware.

That means it also stops you serving up dodgy files to other people if some rogue has deliberately uploaded malware to use your server as a temporary malware repository.