Exactly how bad is it when an untrusted programme gets root privileges?

Most times I see, “Don’t do this, it might give apps privilege escalation and they’ll have full access to your PC!”, but what the implications of that are isn’t explained. The first thing that comes to mind is bricking your motherboard: I heard on UEFI systems with systemd you can brick your motherboard by deleting a specific EFI related directory. The second ‘worst’ example (I imagine different people have different priorities) is probably data loss or getting ransomwared (although, I don’t see why you’d need root for that, considering your stuff is in your home directory with normal user permissions), and then you have keylogging, with which people could gain access to your online accounts.

Of course, what malicious things can be done that aren’t apparent to the user? I ask because I ran a programme called TLauncher a few months ago, as root (I know, shame on me) and since then nothing’s really happened. So recently I ran the thing as root again but I logged what it does with apparmor, and the worst it seems to do is run dmidecode to get my system information, some lspci command and ldconfig -p. However, that was a very loosey-goosey approach.

So yeah, my main question is, assuming that it has done something to my system (undetected by rootkithunter, and apparmor), what are the common shenanigans it could be carrying out?

Other questions: I’ve been encouraged to wipe my drives. Is it ok to wipe my root partition only, or do I wipe my entire SSD, or do I wipe all partitions of all storage devices on my system?

Lastly, I’ve been worrying about UEFI firmware level malware, but then I read somewhere that it’s incredibly difficult to write malware for individual motherboards, but then again, dmidecode does give out motherboard information. Is there a way I can check that my motherboard hasn’t been tampered with? Could updating the firmware ensure the previous ‘tainted’ firmware is gone?

I don’t think there is any reason to panic because of this particular program. If you want to be absolutely sure, then yes, you have to format all of your drives. But I wouldn’t do that in this case.

Just don’t do that again. Even for trusted GUI programs, do not run them as root.

One of the most common things an untrusted program with root access can do is install a very hidden cryptominer on your PC. They can be really difficult to detect, as they typically only work when the computer is idle, and they can even spoof the temperature measurements from your CPU and GPU sensors.

Another common thing malware does is log your keystrokes, to find out your passwords and usernames for online accounts.

When it comes to ransomware and destroying your data, that’s quite rare, simply because there is very little to gain from doing it and it can easily be prevented with a backup.

Every system can be demolished if the intent is so.

I am not saying “don’t worry” but I am saying use your common sense.

On Linux if you execute wine in root context then technically a malware can cause a self-destruct on your system.

Every script you run as root has a potential to cause a self-destruct.

The EFI firmware loading process can create a blue-pill scenario where you won’t even know your system is compromised.

Some attacks - especially the sophisticated ones, like evil maid attacks - require physical access to the device.

So use common sense.

Yeah I didn’t think much of it either (as I said, I went months without thinking twice about it) until I came across some reddit posts: https://old.reddit.com/user/Inevitable-Cry7214/comments/t7wyit/stop_using_spyware_just_so_you_can_play_free/

Here is another relevant one: https://old.reddit.com/r/PiratedGames/comments/xo5rf2/about_tlauncher_spywaremalware_sorry_for_made/

Hybrid-analysis report: https://www.hybrid-analysis.com/sample/dc755245a0a68b75b0a11e9d00a2b6d1953cf81d1ee01acedfde970d5eb778b1/62acee1ae16fe97cea2169f0

Of course these are all for the windows build but if they can do for windows… That’s why I’ve been a bit paranoid.

If you use sound judgment and avoid questionable sites, don’t click links in unsolicited/unexpected emails unless you examined the endpoint - or at least checked the endpoint address - then there is absolutely no reason to be paranoid - unless of course you live in a country cut off from the outside world - in which case you already know to tread carefully.

I have been actively using the public internet since the late 90s - and I have always exercised sound judgment and I was only hit a single time, caused by a - normally clean - third party software that was hijacked.

Yeah, on Linux, things are not as bad, but if you give it root access, anything can happen. I really don’t know.

Where did you install TLauncher from? The AUR?

From their website, they give you a .jar file which you open with java -jar Tlauncher.jar

I wouldn’t dream of executing such program even if it claims to be a test of vulnerability - use your common sense.

  • PiratedGames
  • TheInvitable-Cry7214

Such naming is an immediate turnoff - no testing needed :slight_smile:

I have a huge collection of malware samples - playing with in closed environments - even that demands a great deal of thought to ensure it doesn’t spread uncontrolled.


And you did it with sudo… I don’t know what to tell you. Probably you’re fine, because you’re on Linux, but there is no guarantee. If you were on windoze, I’d advise you to wipe your drive clean (and install Linux, but that is regardless of this incident :rofl:).

There certainly exists malware for Linux, and it’s especially nasty because it’s difficult to detect or remove. But it’s just nowhere near as common as for windoze.


Getting access to e-mail by copying credentials from the web browser cache. This also doesn’t require root access.

One common thing that happens which isn’t malicious is that you run a program as root and it writes a bunch of config files as root into your home directory, and then you can’t read or modify them in the future, which can cause all kinds of strange behaviour. In general, many modern GUI applications aren’t designed to be run as root and doing so can cause all kinds of chaos. There are, of course, exceptions and applications that are intended to be run as root.

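The root-owned-files-in-$HOME problem described above is easy to check for. The script below is an added example written for this thread, not code posted by anyone in it: it lists everything under a directory that is not owned by the expected user and prints (but does not run) the chown command that would hand those files back. The function names, the use of `find ! -user`, and the constructed test directory are my own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: find files under a directory (normally $HOME) that are not
# owned by the expected user, e.g. config files a program wrote while run as root.
# Usage: sh check_home_owner.sh [dir] [user]   (defaults: $HOME and the current user)

# Print every entry under $1 whose owner is not $2 ($2 may be a name or a numeric uid).
foreign_owned_files() {
    dir=$1
    owner=$2
    # -xdev: do not cross into other mounted filesystems
    # ! -user: keep only entries whose owner differs from the expected one
    find "$dir" -xdev ! -user "$owner" 2>/dev/null
}

# Echo the number of such entries so the result can be checked by a caller.
count_foreign_owned() {
    foreign_owned_files "$1" "$2" | wc -l | tr -d ' '
}

# Report the findings and suggest a fix. The chown is only printed so the
# user can review the list first; -h changes the ownership of a symlink itself
# rather than whatever it points at, so a stray link cannot redirect the chown.
suggest_fix() {
    dir=$1
    owner=$2
    n=$(count_foreign_owned "$dir" "$owner")
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $dir is owned by $owner"
    else
        echo "$n entries under $dir are not owned by $owner:"
        foreign_owned_files "$dir" "$owner"
        echo "After reviewing the list, hand them back with:"
        echo "  sudo find '$dir' -xdev ! -user '$owner' -exec chown -h '$owner' {} +"
    fi
}

# Only scan when invoked with a directory argument (so sourcing the file for
# its functions does not trigger a scan of the whole home directory).
if [ $# -ge 1 ]; then
    suggest_fix "$1" "${2:-$(id -un)}"
fi
```

Run it as your normal user, never as root, so that the ownership comparison is made against the account that should own the files. Note that it deliberately stays on one filesystem and ignores permission errors, so a mount point inside your home (for example a separately mounted data directory) is not scanned.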

Yeah, in this case the programme creates its folder in $HOME if you’re running it as your normal user, but creates its folder under /root/ if you run it as root.

Not necessarily, but yes, that can happen. It can also write into your user’s home directory and mess up the permissions there.

The main reason why you shouldn’t run any GUI program as root is because it hasn’t been designed to run as root. GUI programs usually have a bunch of linked libraries in them. So even the simplest of GUI programs can run millions of lines of code, which nobody intended to be run as root or tested that way, creating all sorts of unpredictable outcomes.

We have established that TLauncher probably has malware in it, but it’s almost certainly windoze malware. If it contains Linux malware in it, your system is completely compromised, the program can install anything on it, give anyone full access to it. The fact you haven’t noticed anything after months is a good sign. Probably the worst outcome right now is that you have a hidden cryptominer working while your computer is idle, consuming more power and increasing your electric bill.


All Windoze programs have malware, spyware, ET phone home. :rofl:

Not all of them, there are many Free & Open Source programs for Windows: Firefox, VLC for instance…
But all Windoze itself is, so it doesn’t matter :rofl:

It’s not 100% certain but I’d say there’s no need to worry:

Screenshot_20221123-174822