Malicious Screensaver: Malware on

Dec 10, 2009

A screensaver from at closer look revealed itself to be malware.

When installing an innocuous "waterfall" screensaver from, an Ubuntu user noticed something strange: apart from the screensaver not being on GNOME's approved list, it also contained a script that performed some peculiar substitutions.

Among other things, it took a file named auto.bash from the server and installed it on /user/bin/, along with a file named that it put in the /etc/profile.d/ directory. The script then issued ping requests to send very large packages to a particular server. The script presumably helped serve in a denial-of-service (DoS) attack against other servers that provide exploits for huge multiplayer games such as World of Warcraft.

The user posted his discovery in the Ubuntu Forums and the screensaver has since disappeared from the site. The guesswork as to what the script exactly did and how to remove was batted about in the forum. Apparently the Debian package installed under the name app5552. It was determined that removing the malware together with the malicious script required the command

sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/ /usr/bin/index.php /usr/bin/run.bash && sudo dpkg -r app5552

In general the lesson to be learned is if you want a secure system, don't download any software outside the official package sources without at least looking at the source code first.

Related content

  • Amarok to Better Guard Against Potential Malware

    To program an effective virus for Linux is fairly difficult. It's much easier to provide malware disguised as an add-on, however. The Amarok project now wants to protect against that.

  • Introducing Bash

    Beyond all the splash screens, screen savers, and vivid rock-star wallpaper is the simple yet powerful Bash shell.

  • Grub Customizer

    Is the simple black and white GRUB menu causing confusion and obscuring important choices? Why not customize with GRUB themes and the Grub Customizer?

  • MITRE ATT&CK Workshop

    The MITRE ATT&CK website keeps information on attackers and intrusion techniques. We'll show you how to use that information to look for evidence of an attack.

  • Gnome 2.14

    New features and a leaner, faster, prettier desktop. Are you ready for the latest Gnome?


comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More