Commenter Burninator discovered that you don't even need the .desktop ending in the attachment. The Gnome and KDE desktops actually read the file, and don't base their decision to special-case the file on the file-name extension! So, the critical metadata here (make this something that can be executed) is NOT encoded in the filename, as some have suggested; it is actually derived by reading the first line of the file contents. So, in that respect the desktop environments are not quite as hapless as some had indicated and are not just making the same mistake as Windows has.

On the flip side of that same discovery: You can make your attachment now even less suspicious looking. Rather than naming it something like some_text.odt.desktop, you only need to name it some_text. That has two nice side effects: Firstly, email clients will now never know what to do with the file (no useful extension) and are more likely to prompt the user to save the file to disk. Thus, you don't need to get the user to explicitly do that anymore by putting proper wording in your email. The user will be more or less prompted to do that automatically by the email client. Secondly, there is now no suspicious file-name ending. If the Name line in the launcher description file still specifies something like Name=some_text.odt then Gnome at least will actually show THAT as the name of the file, rather than the actual file name on disk. However, KDE will just show some_text, which is the actual file name. KDE will only display some_text.odt after the .desktop suffix has been added. Nevertheless, even in KDE the some_text file remains 'executable' by clicking on it. So, while on KDE the user may look at a file without a proper file extension on the desktop, the name and icon can still look convincing and the email attachment didn't have a suspicious suffix. That, combined with the email client now automatically prompting for it to be saved, makes this a good strategy: No .desktop suffix in the actual name of the attachment.

One more thing about the naming of the file: You cannot just name the file some_text.odt, since then the filename extension (.odt in this example) takes precedence. The desktop will call OpenOffice if that's your word processor, based on the extension. Only if there is no extension (or the extension is .desktop?) will the content of the file be taken into account.

Someone pointed out that the trick won't work under KDE when the attachment is not saved on the desktop: KDE only treats launcher files in a special way when they are actually on the desktop. So, if an email client saves the launcher in another location (for example a ~/Downloads directory) then this wouldn't work. Well, I can only partially confirm this! When I move the launcher into a different directory the exploit still works all the same. However, the .desktop suffix becomes visible! This is yet another reason to just drop the .desktop file-name extension altogether.
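As an added example (not code from the post), here is a small defender-side check that applies the content-based rule described above to saved attachments: it classifies a file as a launcher by its first meaningful line, ignoring the file-name suffix, and then reports the indicators discussed in the post (no .desktop suffix, a Name= that differs from the on-disk name or mimics a document extension, an Exec= line). The key parsing is a simplified reading of the desktop entry format and the sample attachments are constructed, not real files; neither is the desktops' own code.

```python
# Added example (not code from the post): detect launchers by content, as the desktops do.
DOC_EXTS = (".odt", ".ods", ".doc", ".docx", ".pdf", ".txt", ".jpg", ".png")

def desktop_entry_keys(data: bytes):
    """Key=Value pairs of the [Desktop Entry] group, or None if the first
    meaningful line is not that header (the name suffix is not consulted)."""
    keys, seen_header = {}, False
    for raw in data.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not seen_header:
            if line != "[Desktop Entry]":
                return None
            seen_header = True
        elif line.startswith("["):
            break                     # later groups are irrelevant here
        elif "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys if seen_header else None

def assess(fname: str, data: bytes) -> list:
    """Indicators for one file; empty list when it is not a launcher."""
    keys = desktop_entry_keys(data)
    if keys is None:
        return []
    stem = fname[:-len(".desktop")] if fname.endswith(".desktop") else fname
    shown = keys.get("Name", "")
    flags = ["launcher-by-content"]
    if stem == fname:
        flags.append("no-desktop-suffix")
    if shown and shown != stem:
        flags.append("name-mismatch")       # GNOME shows Name=, not the file name
    if shown.lower().endswith(DOC_EXTS):
        flags.append("document-lookalike-name")
    if "Exec" in keys:
        flags.append("exec-present")
    return flags

def demo() -> dict:
    """Constructed sample attachments: disguised launcher, normal launcher, text."""
    samples = {
        "some_text": b"[Desktop Entry]\nName=some_text.odt\nIcon=x-office-document\n"
                     b"Exec=/bin/true\nType=Application\n",
        "term.desktop": b"[Desktop Entry]\nName=term\nExec=xterm\nType=Application\n",
        "notes.txt": b"just a plain text file\n",
    }
    report = {name: assess(name, body) for name, body in samples.items()}
    return {name: flags for name, flags in report.items() if flags}
```

To check a real download folder, feed each file's name and bytes to assess(); a non-empty list for a file without a .desktop suffix is exactly the disguise the post describes.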

The editor over at LWN.net pointed out here that the vulnerability of .desktop files was discussed back in 2006 already. I would have been surprised if I were the first person to think of this, frankly.

Several commenters felt the need to point out the technical distinction between a virus, a worm and malware. They pointed out that what I described is just a worm or malware (they couldn't agree). Well, look, I have been in the security industry long enough to know about the technical distinction, about which most people don't care anymore. As I mentioned in some responses to those comments: The popular press and indiscriminate coverage of the topic has completely blurred the line. Besides, I gave code for the automatic spreading of the malware in high-level pseudo code: ...it can start to pilfer through the user's address book to harvest email addresses ... [and] ... can spread itself by email. So, get over it! I don't need to spell out everything in Python code for you, right? You can read pseudo-code, right? :-)

Commenter David F. Skoll suggests that rather than special-casing those launcher files, the first line should merely be something like this: #!/usr/bin/desktop-launch, with the rest of the script following afterwards. With the execute bit set this would become merely a normal script, which is interpreted by the specified separate 'shell' or utility, rather than something integrated into the desktop environment. Very *nix-ish. I like it.

Many people commented on issues or possible problems with the suggested means of obtaining root privileges. I can only point out again: As the article stated, the gaining of root is NOT necessary to successfully infect a system. That's why this was in an appendix. It is not the main point of the article.

A few commenters complained that I wasn't talking about anything new. That with social engineering you can get users to do even complex things, such as downloading an executable, setting the execute bit and then running it. Some even say that all you need to do is send an email to a user: Please type 'sudo rm -rf /' in your terminal and that would have the same effect. My gosh, how dense are those commenters? These kinds of comments completely miss the point. The necessity of the execute bit for normal execution is a big and useful security feature of *nix OSs, such as Linux. Non-technical users probably don't know how to do that! Non-technical users also don't know how to open a terminal. Why do I have to explain this over and over? This is some of the typical, damaging arrogance of some Linux users that is on display here. So, anything that can take 'difficult' extra steps off the chain of events towards a successful infection greatly increases its chances. That's what this article was about: How to infect a user who just knows how to click with the mouse and has never heard of permissions or execute flags before. If he had, he probably wouldn't fall for this anyway.

Other people are talking about how the average Linux user is more technical than the average Windows user. Look, all I can say is: Go read the article. I talk about that, you know? Don't comment on my article until you have read the whole thing, not just the summary. That's annoying and wastes everyone's time. Geez...

Yesterday I published an article about How to write a Linux virus in 5 easy steps. There has been quite an overwhelming response for this. Within just a few hours this article became my most visited blog post ever. Wow! Just goes to show that either the article hit a real nerve, or the other articles on my blog are just really boring. :-)

Anyway, a lot of interesting feedback arrived, some of which through the comments on Reddit, some in the comment section of my article, some by email and others yet on different forums. I just want to take a moment to summarise some interesting points (see above).

So, there. That was a small follow up on the feedback and comments about my 'How to write a Linux virus in 5 easy steps'.