If you use Emudeck to play Wii U games, you may have malware

Submitted ⁨⁨2⁩ ⁨weeks⁩ ago⁩ by ⁨Fubarberry@sopuli.xyz⁩ to ⁨steamdeck@sopuli.xyz⁩

From the Emudeck discord:

@everyone Hey everyone, apologies for the ping but since this is deemed as critical to the security of people’s devices here, I will have to. Cemu (The Wii U emulator) was recently compromised by a malicious attacker using a known developers account, this compromise took place from May 6th to May 12th, and introduces malware that is known to steal passwords, SSH keys, GitHub tokens, and likely more they are not fully aware of at this moment. We recommend anybody who is on Linux or SteamOS to go into the EmuDeck app, Manage Emulators tab, Cemu, and click Reinstall/Update, and make sure the hash of the AppImage (Located in Home/Applications, right click Cemu AppImage, go into Properties, Checksums, and Calculate the SHA256 hash) matches the non-compromised version provided by the Cemu developers, if you have used Cemu from the dates I have mentioned, and the SHA256 hash does not match what is listed, assume your system may be compromised if it was ran. If you are on Windows, MacOS, or used the Flatpak version, you are not affected by this malware. More information regarding this attack can be found here. rentry.org/cemu-security-psa

source

Comments

Sort:hotnew top

Fubarberry@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago
Also I thought this part was interesting:

Special note for Israeli users: If the malware determines that your location is Israel (it does this via locale and timezone checks) then it has a 1:6 chance that it will play a loud siren sound and run rm -rf /, essentially attempting to wipe your filesystem.

source
- SarahValentine@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago
  From the river to the C:/
  
  source
- SamueruSama@programming.dev ⁨2⁩ ⁨weeks⁩ ago
  It turns out the malware doesn’t work because it runs subprocess.run([“rm”, “-rf”, “/*”])
  
  That will never delete anything, since there is no shell to expand the glob in /* here, so rm gets a literal /* as the patht to delete 😭
  
  source
  - SpaceNoodle@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    This is why you test your code, people
    
    source
    -> View More Comments
- youcantreadthis@quokk.au ⁨2⁩ ⁨weeks⁩ ago
  That’s prettyfuvking based
  
  source
- nfreak@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
  waow-based
  
  source
- cheat700000007@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  That’s kind of awesome
  
  source
  - youcantreadthis@quokk.au ⁨2⁩ ⁨weeks⁩ ago
    I think I’m on team malware now
    
    source
- mnemonicmonkeys@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Maybe now they’ll figure out that they need to vote Netanyahu out of office for being a genocidal piece of shit
  
  source
  - nfreak@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
    tbf the vast majority of that country support him and everything he stands for, so getting rid of one fascist won’t change much
    
    source
  - youcantreadthis@quokk.au ⁨2⁩ ⁨weeks⁩ ago
    Right they need a properly omnicidal megalomanic no mere genocide
    
    source
- tanisnikana@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  That’s not malware.
  
  That’s amazing.
  
  source
  - Fubarberry@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago
    It also trys to steal passwords/keys/etc, the Russian roulette part is just extra for people in Israel.
    
    source
    -> View More Comments
- thingsiplay@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
  Unless the option –no-preserve-root is given, it should not execute.
  
  source
  - elvith@feddit.org ⁨2⁩ ⁨weeks⁩ ago
    Fun fact:
    
    rm -rf / requires —no-preserve-root to work whereas rm -rf /* doesn’t.
    
    That’s because the /* gets expanded by the shell before the command runs and it only sees the request to delete /var, /dev, /home, /usr,… recursively but not / specifically.
    
    On another note: This line in the code doesn’t run through a shell and thus this won’t work and it just tries to delete the literal path of /* recursively - and thus fails to do any damage…
    
    source
TachyonTele@piefed.social ⁨2⁩ ⁨weeks⁩ ago

If you are on Windows, MacOS, or used the Flatpak version, you are not affected by this malware.

Flatpacker here. Thank you for including this

source
gedfromgont@piefed.ca ⁨2⁩ ⁨weeks⁩ ago

The following files and directories may be created by the malware:

/tmp/.transformers /usr/bin/pgmonitor.py ~/.local/bin/pgmonitor.py /etc/systemd/system/pgsql-monitor.service ~/.config/systemd/user/pgsql-monitor.service /tmp/kubectl The absence of these files does not prove that you are safe.

Wouldn’t the Steamdecks immutability prevent changes to the filesystem in these folders? After rebooting at least.

source
- pivot_root@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  
  /tmp/kubectl
  
  If someone has kubectl installed on their steam deck, they have more problems than just malware. For example: workaholism.
  
  source
- afaix@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Some of the directories are in the home (the tilda ~ means home of the current user) and home directory is not immutable
  
  source
  - gedfromgont@piefed.ca ⁨2⁩ ⁨weeks⁩ ago
    You’re right, I missed the tilda.
    
    source
HeyThisIsntTheYMCA@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
I haven’t opened cemu in like a year. Am I good?

source
- Fubarberry@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago
  Yes, you would have had to downloaded a recent update, and run it at least twice.
  
  source
  - HeyThisIsntTheYMCA@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Thank you. I’ve been grinding ni no kuni 2 on the ps5 instead of trying to play whatever I was trying to play on cemu. It was one of the Zeldas.
    
    source