Kirsle.net logo Kirsle.net

How to write a Linux virus in 5 easy steps

November 13, 2009 by Noah
I stumbled across a blog entry titled How to write a Linux virus in 5 easy steps. It's an interesting read, but things have changed a tiny bit since it was written...

It basically relied on the fact that GNOME, KDE, and Xfce treat .desktop files specially, in the way that Windows treats .exe files specially. .desktop is the file extension of Launchers in modern desktop environments, and they used to be launchable without even requiring execute permissions first. With them you could distribute a simple .desktop file via e-mail which downloads and executes malware from the web in one easy "click-and-run" motion from the victim. Read the linked blog post for all the details.

In Ubuntu 8.10 and Fedora 10, as mentioned there, this is how GNOME treated .desktop files; in Fedora 11 (and probably more recent Ubuntu's) things are a little different. Now, .desktop files are inherently untrusted and will prompt the user when they try to execute them. The user can then mark them trusted (which requires them to try and execute them a second time), or just launch them this one time.

When a launcher is untrusted, it displays in Nautilus as a text file. Its icon is a preview of the first couple lines of the text inside the launcher file, instead of the custom icon specified for it, and the .desktop extension is displayed to the user. When marked as trusted they work as before: the .desktop extension is hidden and the launcher gets its custom icon displayed.

Anyway, when you put files into a tarball (e.g. tar -czvf), the files keep their permissions and attributes. Thus, if you put a file with execute permissions into a tarball, it keeps that permission. If extracted on any other unix system in the world, it's extracted with execute permission.

After some poking around, I discovered that the mechanism by which launchers are marked as trusted is simply based on the execute permission. When a program such as wine creates a launcher (for instance, if you just installed a Windows app that puts an icon on your desktop), the launcher is currently untrusted by default, so you'd have e.g. "Mozilla Firefox.desktop" on your desktop; it's not a trusted launcher. When you run it and mark it trusted, all that happens is that GNOME adds execute permissions to the file. You could also run chmod +x "Mozilla Firefox.desktop" in a terminal to do the same thing.

So... for the "virus" in that blog entry to still work on Fedora 11, you'd need one additional step: e-mail them a tarball containing your desktop launcher and have them extract the contents, and then run the launcher. This makes it a little bit less likely that the victim will actually run it, though, especially because if they look inside the tarball first they'll see its real file name (including the .desktop), and GNOME's archive manager won't execute it if they open it directly from inside the tarball; instead they'll get the contents of the file displayed in their text editor.

Tags:

Comments

There are 0 comments on this page. Add yours.

Add a Comment

Used for your Gravatar and optional thread subscription. Privacy policy.
You may format your message using GitHub Flavored Markdown syntax.