graeme_p - 8:06 am on Sep 14, 2012 (gmt 0)
That is what I am talking about.
.desktop files can show on the desktop, or in menus, and will run an arbitrary command - so it offers a way to run a file that has not been marked executable.
It used to be the case that they would run if clicked on anywhere. That has largely been fixed, but it still means that if an attacker can get a simple text file into ~/.config/autostart or ~/.local/applications they can run an arbitrary command (perhaps running a script they dropped elsewhere).
What it needs is something much simpler than a virus scanner. It needs to search for files with names *.desktop, and look for any running a command that looks suspicious (anything other than just an executable: even passing a file to it is potentially an issue).
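An added example, not the poster's code, of the simple check described above: it reads the Exec= line of each *.desktop file and flags anything beyond a bare executable. The scan directories and the list of interpreters are assumptions; the XDG per-user application directory is ~/.local/share/applications, which is what the post's ~/.local/applications refers to.

```python
import glob
import os
import shlex

# Assumed default scan locations: the XDG autostart and per-user application
# directories (the post's "~/.local/applications" is ~/.local/share/applications
# on real systems).
DEFAULT_DIRS = [os.path.expanduser("~/.config/autostart"),
                os.path.expanduser("~/.local/share/applications")]
# Field codes the Desktop Entry spec expands to file/URL/icon arguments at launch.
FIELD_CODES = {"%f", "%F", "%u", "%U", "%i", "%c", "%k"}
# Assumed list of shells/interpreters: if one of these is the "executable",
# the entry really runs a script passed to it.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "env"}

def exec_value(text):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_entry = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_entry = (line == "[Desktop Entry]")
        elif in_entry and line.startswith("Exec="):
            return line[5:].strip()
    return None

def judge_exec(cmd):
    """The post's heuristic: anything beyond a bare executable is suspicious.
    Returns None when benign, otherwise a short reason string."""
    if not cmd:
        return "no Exec= line"
    argv = shlex.split(cmd)          # honours the spec's quoting rules
    if os.path.basename(argv[0]) in INTERPRETERS:
        return "interpreter launches a script: " + cmd
    extra = [a for a in argv[1:] if a not in FIELD_CODES]
    if extra:
        return "extra arguments: " + " ".join(extra)
    if len(argv) > 1:
        return "executable is handed a file/URL argument"
    return None

def scan(dirs=DEFAULT_DIRS):
    """Return [(path, reason)] for each suspicious *.desktop file in dirs."""
    findings = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.desktop"))):
            with open(path, errors="replace") as fh:
                reason = judge_exec(exec_value(fh.read()))
            if reason:
                findings.append((path, reason))
    return findings
```

Running `scan()` with no arguments walks the two default directories; pass a list of directories to check other locations.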