EvilGnome, new and rare malware that affects Linux, in case you thought you were safe


Many years ago, my mentor in Linux invited me to switch to the penguin system and among what he said there was a "in Linux there are no viruses." That was neither nor is it true; What is certain is that, since it is more secure and is used by an immense minority (on the desktop), we are not the main target of cyber criminals. But neither strength nor being a "small" objective guarantees us to be 100% sure, something that has been demonstrated again after the discovery of EvilGnome.

The first thing to keep in mind is that the "Gnome" part that appears in the name with which they have baptized this virus is related to the famous graphic environment for Linux, but that does not mean that it will affect a few operating systems. Best of all, its discoverer, Intezer (here! his article on malware) discovered the malicious software while it was still in the early stages of development, although it already included several dangers in the form of tools to spy on users.

EvilGnome, a rare Linux virus

EvilGnome does not look like most viruses that have been discovered for Linux. It has been difficult to discover it, but once in the spotlight it has been known that it was designed to capture all kinds of data from our computer, such as desktop screenshots, stealing files, recording audio or even loading and executing other malicious modules, all without us noticing what is happening.

Its name comes from trying to impersonate an extension of GNOME, the graphical environment. It is presented as a script created with makeself, a small shell script that generates a compressed and self-extracting TAR archive from the desktop. It is kept in the operating system using crontab and sends data to a remote server owned by the attacker.

Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab. Finally, the script runs gnome-shell-ext.sh, which in turn launches the main gnome-shell-ext executable.

A malware with 5 parts

EvilGnome is made up of 5 modules, all of them malicious:

  • ShooterSound use PulseAudio to record audio from the microphone.
  • ShooterImage use Cairo to take screenshots.
  • ShooterFile use a list of filters to scan files.
  • ShooterPing receives new commands from remote server.
  • ShooterKey it is a keylogger.

The five modules above will send / receive the data to / from the attacker's server.

To check if we are affected, we have to look for the executable file "gnome-shel-ext" in the path ~ / .cache / gnome-software / gnome-shell-extensions. As I mentioned before, that EvilGnome receives its name from GNOME Desktop and pretends to be an extension of the graphical environment does not mean that, for example, Plasma users are safe, especially if we have to test a lot of software. This malware could install itself in the mentioned path.

On the other hand and as always, it is recommended to keep the software updated and download the software only from official sources.

Related article:
HiddenWasp: a malware that affects Linux systems

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

9 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Macana said

    If we start out not knowing the difference between viruses, Trojans and rootkits ... we are off to a bad start. If we get down to the typical cliché of "how few use it there are fewer viruses. Typical stupidity defended by stupid people who repeat the mantra once heard. A lie repeated a hundred times comes to be taken for truth. GNU Linux is not more secure because fewer people use it, GNU Linux is more secure because it has a permission system that makes it more secure than other operating systems. Linux was born to be a multi-user system and has been developed on this premise. Unlike windows, for example, which was created by pressing on to be a single-user system and on this basis and weighed down by backward compatibility it has evolved in the way it has. Design problems that creep over time. In windows many system processes run with normal user permissions, unlike in linux where to run these processes you need root permissions. No system is invulnerable, but some are more secure than others by design. In a world where most internet servers run on Linux, it would be more logical to attack those servers since millions of computers connect to them in one way or another. If you poison the pond where the herd drinks, you will poison the entire herd. If it is difficult to attack those servers for something it will be and it is not because they are less used. Most are GNU Linux.

    1.    Pablinux said

      Hello, Macana. I have not said that it is "safer because we use it less", if not "because it is safer And we use it an immense minority" which is very different. Virus developers focus on easier targets AND one that more people use. Virus developers rarely waste time developing viruses for Linux because it is more secure AND is used by far fewer people. And being able, of course you can, but it's not worth it. If Windows is more vulnerable AND more people use it, the logical thing is to develop them for Windows. Even if Windows were more secure, I think they would continue to focus on a system that is around 90% market share.

      A greeting.

      1.    Macana said

        No. Virus developers focus on the system that is easier to attack, like weekend climbers focus on climbing Everest and not K2. Virus developers have a lot of time to waste as long as they can choose to achieve a goal. Nobody pays them and nobody controls them. They do not have to clock in or out. Attacking the Linux servers of Bank X will earn them more money, if they succeed, than attacking 1000 Windows PCs of their users. So why don't you attack the bank's server and attack the users' PCs? Because it is more difficult to attack the server even if you have its source code in view. Design issue. A Formula 1 car is not safer than a utility vehicle because fewer people use it. It is safer because it has been designed to be more secure. Design issue. Although in the hands of an ignorant it can be as unsafe as a Chinese car. If you want to convert to Windows more secure, you just have to give up backward compatibility and rewrite the system from scratch, establishing strict user account control (as Linux does). As long as you don't, it will continue to be a drain because all you will do is patch and patch to infinity. And continuing with the topics, it is foolish not to use a system that is more secure than another, regardless of what you think is more secure. Because we are talking about security and not about how many use it or stop using it. Because regardless of what it is, is Linux more secure than Windows, currently? If then why don't you use it? Because patatin…. because they potato…. does not matter. They will find a thousand and one excuses not to use it. That if nobody uses it, if they don't like penguins, if they prefer Batman ... In psychology we call this cognitive dissonance.

        1.    Pablinux said

          I have met hackers and they attack / work what makes them money. If they "attack" banks, I will not give details, but I know of one who did not work and "took" his money from the banks. But we are not talking about viruses / malware, but about hacking. Malicious software has to work automatically and has to spread. That is to say: the attacks do them to the important thing that can give them money; the automatic is extended according to user base. Android "is" Linux, it is used by + 80% of all users in the world and what mobile operating system do they attack?

  2.   Juan Gimenez said

    Lots of speculation and looooong blah based only on your personal way of perceiving things. At the kilometer you can see that you have never worked for something serious like a bank or government data centers. If you knew that only less than 30% of the vulnerabilities that are discovered echo and reach pages like this, you would not walk around as a mentor-computer guru-ego + 9000 explaining those stupid things that you say in the most arrogant way that comes out.
    Hahaha So you know criminals and don't report them to the authorities? Either you are his accomplice or you speak of yourself in the third person…. hahaha be careful with what you say ... if someone really sees you as a father-I confess and tell you his reasons why he should be in jail xD

    1.    Pablinux said

      Hello John. I don't keep in touch with that person. I met him through a friend of a friend, with whom I did become friends, and he came to offer me things, but I thought about it, I didn't get close to him and I also ended up distancing myself from the other. You see, I put "I have known", not "I know." I knew enough to know that I didn't want to be around those kinds of people. And also to know how it "worked."

      About reporting, I think you are right, but that is something that you do not think at the time, and less if you think about what could be involved.

      A greeting.

  3.   Tómbola said

    Viruses for Linux must be installed by the user for the most part. Even with a vulnerability it is difficult for a user-space bad program to escalate privileges autonomously. As they say above for the permit system.

    The problems are the users poorly educated technologically by Windows systems (in which it is normal to search for software in Google and pirate proprietary software).

    Although stones also fall within the community from the hand of Ubuntu and MS lovers that bring postmodernism to systems with attempts of new software installation systems (nor that it was difficult to choose a program from a repository with software that does not even show the packages like those included in Debian or Fedora with their GUI included). Or even with the stupidity of sudoers ... which are nothing but opportunities open to attacks by social engineering, where malicious software or a vulnerability could trick the user and ask for the session password to escalate privileges.

    It is absurd that an MS system is generally compared to the hundreds of GNU / Linux distributions in the same bag. But even more so is the sensationalism of putting a community that can solve critical bugs in hours on the same level as a system (Windows) that can be infected by a rootkit simply because it is connected to the internet.

  4.   caranabo said

    A vulnerability in gnome is not the same as a vulnerability in Linux, dear turnips.

    1.    Well look said

      They are talking about GNU / Linux Caranabo. Linux is a kernel.