(Most of what I'm going to describe applies to other file managers like Thunar, Nemo, PCManFM (GTK+ and Qt version) etc. as well, but for the sake of simplicity I'm just going to focus on GNOME Nautilus)

Here's Nautilus 3.22 with some nice looking pictures:

Screenshot 1

Let's double click on one!

Screenshot 2

Damn.

What exactly happened here?

Somehow the following tar.xz archive found its way onto your file system (e.g. as an email attachment):

Screenshot 3

[test@localhost Downloads]$ ll
total 4
-rw-r--r--. 1 test test 480 Jan 30 20:45 wallpaper_collection.tar.xz

With Nautilus 3.22 you can double click the file and it'll automatically extract it. Now it looks like this:

Screenshot 4

[test@localhost Downloads]$ ll
total 8
drwxr-xr-x. 2 test test 4096 Jan 30 21:01 wallpaper_collection
-rw-r--r--. 1 test test  480 Jan 30 20:45 wallpaper_collection.tar.xz

So what's in wallpaper_collection?

Screenshot 5

Those are all the nice jpg images we saw earlier. Now instead of double clicking on one of them, let's have a closer look. Here's what's actually on the file system:

[test@localhost wallpaper_collection]$ ll
total 20
-rwxr-xr-x. 1 test test 216 Jan 30 21:01 beautiful_wallpaper.desktop
-rwxr-xr-x. 1 test test 237 Jan 30 21:01 Bokeh_Tails.desktop
-rwxr-xr-x. 1 test test 222 Jan 30 21:01 Chmiri.desktop
-rwxr-xr-x. 1 test test 231 Jan 30 21:01 Flowerbed.desktop
-rwxr-xr-x. 1 test test 222 Jan 30 21:01 Stones.desktop

Those aren't jpg files but desktop files, as documented here, which are usually used to describe how applications can be launched. But how come they show up as jpg files in Nautilus?

Examine a desktop file

[test@localhost wallpaper_collection]$ cat Bokeh_Tails.desktop

gives us

[Desktop Entry]
Name=Bokeh_Tails.jpg
Exec=sh -c 'zenity --warning --text "Congratulation!

GNOME Malware 3.22 successfully infected your system."'
Terminal=false
Icon=/usr/share/backgrounds/gnome/Bokeh_Tails.jpg
Type=Application
Categories=Graphics

Well, we got lucky: all the malware did was launch a GTK+ dialog with a tool called zenity. But of course it could have done almost anything, from fetching additional malware from the internet, encrypting all your files, adding an alias for sudo to grab your user password, or installing a key logger that starts automatically when you log in, to simply annoying you by deleting all your files. Chances are you wouldn't even notice for quite some time, because the malware could also open an actual image so you don't get suspicious:

Exec=sh -c 'xdg-open $PATH_TO_JPG & $MALWARE_SCRIPT'

But why were those desktop files displayed as images? Well, Nautilus and other file managers think it's a good idea to hide the file name and instead show the Name key defined in the desktop file.

Name=Bokeh_Tails.jpg

They also show whatever icon is defined in the Icon key.

Icon=/usr/share/backgrounds/gnome/Bokeh_Tails.jpg

And once you execute the desktop file, e.g. by double clicking, the value of the Exec key gets executed.

Of course you can fake any kind of file type this way, e.g.:

[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'xdg-open $PATH_TO_PDF & $MALWARE_SCRIPT'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office

Screenshot 6

The only reason I can think of why file managers do that is visual appeal: they want actual application launchers to look nice (with an application icon and the application name instead of the file name).

File manager comparison

How different file managers handle the following file:

-rwxr-xr-x. 1 test test 216 Jan 30 21:01 beautiful_wallpaper.desktop

File Manager   Hides extension   Shows Icon   Executes file without confirmation
Nautilus       yes               yes          yes
Thunar         yes               yes          yes
Caja           yes               yes          yes
Nemo           yes               yes          yes
PCManFM        yes               yes          yes
PCManFM Qt     yes               yes          yes
Dolphin        no                yes          no

Conclusion

Hiding file name extensions in Windows was a bad idea, and hiding file name extensions in Nautilus, Thunar, ... is even more stupid, since they should have known better after all the trouble Windows had with that decision (many Windows users were tricked into executing files like Nice Picture.jpg.exe). I really wonder why this hasn't been exploited so far.

My advice: Don't use those file managers or at least don't trust them.

Edit 1:

Since a couple of users wondered why they couldn't reproduce it: note that the desktop files extracted from the tar.xz archive all have execute permission. That's important; otherwise Nautilus and other file managers ask for permission to execute the file and display the correct file name. That's why those files need to be distributed in an archive that preserves execute permissions. I will update my post later with a new section that goes into more detail about that and about how different file managers handle those files when they lack execute permission.
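As an added example (not part of the original post, and not tooling from any of the file managers discussed), here is a small Python checker that applies the three signals the post describes, a Name key ending in a document extension, the execute bit from Edit 1, and an Exec line that spawns a shell, to every .desktop file below a directory. The function names and the sample files it builds are my own constructions.

```python
import configparser
import stat
import tempfile
from pathlib import Path

# Extensions a user expects to *open* with a viewer, never to *run*.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".odt", ".txt"}

def check_desktop_file(path):
    """Return the reasons this .desktop file looks like a launcher disguised as a document."""
    path = Path(path)
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # desktop keys are case-sensitive ("Name", not "name")
    try:
        cp.read(path, encoding="utf-8")
    except configparser.Error:
        return []  # not a parseable desktop entry at all
    if not cp.has_section("Desktop Entry"):
        return []
    entry = dict(cp.items("Desktop Entry"))
    if entry.get("Type") != "Application":
        return []
    reasons = []
    name = entry.get("Name", "")
    if Path(name).suffix.lower() in DOCUMENT_EXTS:
        reasons.append(f"Name={name!r} imitates a document but the file is {path.name}")
    if path.stat().st_mode & stat.S_IXUSR:
        reasons.append("execute bit set: file managers run Exec on double click without asking")
    if entry.get("Exec", "").startswith(("sh -c", "bash -c")):
        reasons.append("Exec spawns a shell instead of naming an application")
    return reasons

def scan_directory(directory):
    """Map each suspicious .desktop file below `directory` to its list of reasons."""
    findings = {}
    for p in sorted(Path(directory).rglob("*.desktop")):
        reasons = check_desktop_file(p)
        if reasons:
            findings[p.name] = reasons
    return findings

def make_sample_dir():
    """Constructed sample: the disguised launcher from the post next to an honest one."""
    d = Path(tempfile.mkdtemp())
    bad = d / "Bokeh_Tails.desktop"
    bad.write_text("[Desktop Entry]\nName=Bokeh_Tails.jpg\nExec=sh -c 'zenity --warning --text Hi'\n"
                   "Terminal=false\nIcon=/usr/share/backgrounds/gnome/Bokeh_Tails.jpg\nType=Application\n")
    bad.chmod(0o755)  # the archive in the post preserves this bit; without it Nautilus prompts
    (d / "gimp.desktop").write_text("[Desktop Entry]\nName=GIMP\nExec=gimp %U\nType=Application\n")
    return d
```

Running scan_directory over ~/Downloads (or over a freshly extracted archive) reports the disguised launcher with all three reasons while a plain application launcher such as the GIMP entry produces none.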

Bugreports

Nautilus: https://bugzilla.gnome.org/show_bug.cgi?id=777991

PCManFM: https://github.com/lxde/pcmanfm-qt/issues/449

Caja: https://github.com/mate-desktop/caja/issues/727

Nemo: https://github.com/linuxmint/nemo/issues/1404

Thunar: I don't have an account for their bug tracker. If someone with an account is willing to report the bug please let me know and I'll add the link here.