Many years ago, my mentor in Linux invited me to switch to the penguin system, and among the things he told me was "in Linux there are no viruses." That was not true then and it is not true now; what is certain is that, since it is more secure and is used by a tiny minority (on the desktop), we are not the main target of cyber criminals. But neither its strength nor being a "small" target guarantees us 100% safety, something that has been demonstrated once again with the discovery of EvilGnome.
The first thing to keep in mind is that the "Gnome" part of the name given to this virus refers to the well-known graphical environment for Linux, but that does not mean it affects only a few operating systems. Best of all, its discoverer, Intezer (here, their article on the malware), found the malicious software while it was still in an early stage of development, although it already included several threats in the form of tools for spying on users.
EvilGnome, a rare Linux virus
EvilGnome does not look like most viruses discovered for Linux. It was hard to spot, but once in the spotlight it became known that it was designed to capture all kinds of data from our computer: desktop screenshots, stolen files, audio recordings, and even the loading and execution of other malicious modules, all without us noticing what is happening.
Its name comes from its attempt to pass itself off as an extension of GNOME, the graphical environment. It is delivered as a script created with makeself, a small shell script that generates a self-extracting compressed TAR archive from a directory. It persists in the operating system using crontab and sends data to a remote server owned by the attacker.
Persistence is achieved by registering gnome-shell-ext.sh in crontab so that it runs every minute. Finally, the script runs gnome-shell-ext.sh, which in turn launches the main gnome-shell-ext executable.
A malware with 5 parts
EvilGnome is made up of 5 modules, all of them malicious:
- ShooterSound uses PulseAudio to record audio from the microphone.
- ShooterImage uses Cairo to take screenshots.
- ShooterFile uses a list of filters to scan files.
- ShooterPing receives new commands from the remote server.
- ShooterKey is a keylogger.
All five modules send data to, and receive data from, the attacker's server.
To check whether we are affected, we have to look for the executable file gnome-shell-ext in the path ~/.cache/gnome-software/gnome-shell-extensions. As I mentioned before, the fact that EvilGnome takes its name from the GNOME desktop and pretends to be an extension of that graphical environment does not mean that, for example, Plasma users are safe, especially if we tend to try out a lot of software: this malware could install itself in the mentioned path just the same.
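The check described above, together with the crontab persistence mentioned earlier, can be scripted so it is not done by eye. The following is an added example and not code from the original post or from Intezer's report: it only reads the file system and the current user's crontab, and reports whether the file names the article gives (gnome-shell-ext, gnome-shell-ext.sh) appear in the expected directory or in a cron entry. The function names and the optional directory argument are my own choices; a crontab listing is passed on standard input so the check can be run against a saved copy as well.

```shell
#!/bin/sh
# Added example (not from the original post): read-only check for the two
# EvilGnome indicators the article names. Nothing here removes or changes
# anything; a hit means "investigate this host", not "cleaned".

# check_evilgnome_dir [DIR]
# Returns 0 if DIR contains gnome-shell-ext or gnome-shell-ext.sh, else 1.
# DIR defaults to the path given in the article.
check_evilgnome_dir() {
    dir="${1:-$HOME/.cache/gnome-software/gnome-shell-extensions}"
    for f in gnome-shell-ext gnome-shell-ext.sh; do
        if [ -f "$dir/$f" ]; then
            printf 'suspicious file: %s\n' "$dir/$f"
            return 0
        fi
    done
    return 1
}

# check_evilgnome_cron
# Reads a crontab listing from stdin (e.g. the output of `crontab -l`) and
# returns 0 if any non-comment line runs gnome-shell-ext.sh, else 1.
check_evilgnome_cron() {
    grep -v '^[[:space:]]*#' | grep -q 'gnome-shell-ext\.sh'
}

# scan_host
# Runs both checks against the real system. Returns 0 if any indicator was
# found (so callers can branch on it), 1 if the host looks clean.
scan_host() {
    found=1
    if check_evilgnome_dir; then
        found=0
    fi
    if command -v crontab >/dev/null 2>&1 &&
       crontab -l 2>/dev/null | check_evilgnome_cron; then
        echo 'suspicious crontab entry runs gnome-shell-ext.sh'
        found=0
    fi
    if [ "$found" -eq 0 ]; then
        echo 'EvilGnome indicators present: investigate this host'
    else
        echo 'no EvilGnome indicators found'
    fi
    return "$found"
}

# Run the scan when executed directly as evilgnome_check.sh (hypothetical
# file name); guarded so the functions can also be sourced elsewhere.
case "$0" in
    *evilgnome_check.sh) scan_host ;;
esac
```

Run it as the user whose desktop session is in question, since both the cache directory and the crontab are per-user. A clean result only covers the indicators this article describes; the modules themselves were still under development when Intezer found them, so file names and paths can change in later samples.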
Beyond that, and as always, it is recommended to keep software updated and to download software only from official sources.