Malware Found In the Ubuntu Snap Store (linuxuprising.com)
An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.
At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.
This is why Linux needs the equivalent of the Zone Alarm firewall. Something that will alert a desktop user every time a program first attempts to connect to the internet and allow the user to say yes or no to the attempt. If your firewall allows all outbound traffic by default you do not have a hope in hell of catching a malware infection...
If you've got such software then at least you know something nasty has managed to infect your machine as you'll spot it the first time it tries to "phone home"..
With all dependencies built in, there is a lot to comb through, not to mention that those dependencies may not even be completely patched and up to date.
I'd rather install software the traditional way and be sure that each component I install is verified.
How's this surprising. These containerized applications are full userland stacks, all the libs and dependencies the program needs, and then some, wrapped up. It's so easy to hide malware there, and so very difficult to audit them before inclusion, because their very raison d'etre is --- to avoid maintainership and allow "third party" vendors to distribute their mini-distros around.
Is anyone REALLY surprised by this?
It just highlights that something worse could have been attached.
However it also highlights that there's a need to also be able to invalidate cryptocurrency obtained through illegal means.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Real trusted computing has never existed.
If a central power has the ability to cancel a cryptocurrency transaction, then that kind of ruins the point of cryptocurrencies. At that point it becomes way more efficient to just use a database, or several, like our banking system now.
"First they came for the slanderers and i said nothing."
I'm uncomfortable with the term malware too, but let's be honest: unwanted cryptocurrency mining software is going to slow down your PC, drain your battery faster if you have a laptop, and, unpredictably, cause more heat which, depending on the state of your fan, might cause problems too.
I'm still in two minds about the concept, but if we're going to see more software "funded" by mining, then we need to see some standards set otherwise "software funded by mining" will become synonymous with malware, even if the software really is funded this way (i.e. not prepackaged third party freeware), and controls are given to ensure the mining doesn't cause problems with the PC (i.e. low priority process, maxes at 5% of CPU, etc.)
You are not alone. This is not normal. None of this is normal.
I have always felt Linux people have that same false sense of security that Apple Mac users have always had. Nothing can touch them because of some lame reason.
I have always known that some people generalize the shit out of things.
No OS is completely immune while on teh intertoobz. But it doesn't take too much research to find out which major OS is the least secure. It ain't Linux, and it ain't MacOS.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
They wanted to replicate the android and fruit ecosystems. Looks like they did.
> However it also highlights that there's a need to also be able to invalidate cryptocurrency obtained through illegal means.
Illegal according to whom? The Chinese government? If you shook your head no, then why wouldn't they be able to, if a government you approve of is able to do so?
Essentially you need to keep a separation between code and data. Data is something you can get from any source as dubious data will never be able to breach the security.
Code on the other hand are commands for your computer. Every new code you get onto your computer is a risk you take as it can be malevolent. Therefore you shouldn't take executing foreign code lightly. Ideally you only have your fixed set of programs which you can combine to use with data you get from everywhere.
Things like AppStores pervert that safety precaution. They act as if it was possible to have a secure system, yet download software written by dubious developers.
Sadly, we as a society seem to fall into the same trap over and over again, from Javascript to Active X. From Visual Basic for Applications to Appstores.
Because the blockchain is public, we know all the blocks that passed through this bad actor -- they were at one point registered to myfirstferrari. We can declare these coins as "radioactive", instructing our systems to not buy coins or fractions that had ever been owned by him or any of the other malware-powered miners.
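The "radioactive coins" idea in the comment above, worked through as an added example (not the commenter's code). It walks a constructed, toy UTXO ledger in order and propagates taint from outputs paid to a blacklisted address; the transaction ids, addresses and amounts are made up. It computes both the "poison" rule the comment describes (any coin that ever touched a bad address is tainted) and a "haircut" fraction (how much of each output's value traces back to tainted inputs), which shows why the policy matters: once tainted and clean coins are spent together, the poison rule marks the innocent recipient's entire output.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # list of (txid, output_index) being spent; empty for a coinbase
    outputs: list  # list of (address, value)


def taint_fractions(txs, bad_addresses):
    """Return {(txid, index): fraction of that output's value derived from bad addresses}.

    Assumes txs are in ledger order (every input refers to an earlier tx).
    Fees are ignored: each output inherits the tainted share of the total input value.
    """
    value = {}     # (txid, idx) -> output value
    fraction = {}  # (txid, idx) -> tainted share in [0.0, 1.0]
    for tx in txs:
        total_in = sum(value[i] for i in tx.inputs)
        tainted_in = sum(value[i] * fraction[i] for i in tx.inputs)
        inherited = tainted_in / total_in if total_in else 0.0
        for idx, (addr, amount) in enumerate(tx.outputs):
            key = (tx.txid, idx)
            value[key] = amount
            # Paying a blacklisted address taints the output fully, whatever it was funded with.
            fraction[key] = 1.0 if addr in bad_addresses else inherited
    return fraction


def poisoned_outputs(txs, bad_addresses):
    """The comment's rule: any output with any tainted ancestry is radioactive."""
    return {key for key, f in taint_fractions(txs, bad_addresses).items() if f > 0.0}


def outputs_for(txs, address):
    """Helper: all (txid, index) keys paid to an address."""
    return {(tx.txid, i) for tx in txs for i, (a, _) in enumerate(tx.outputs) if a == address}


# Constructed ledger: cb1 is a mining reward to the bad actor, cb2 an honest reward.
# t3 cashes out 30 to an exchange; t5 merges the exchange's coins with bob's clean ones.
LEDGER = [
    Tx("cb1", [], [("myfirstferrari", 50)]),
    Tx("cb2", [], [("honest", 50)]),
    Tx("t3", [("cb1", 0)], [("exchange", 30), ("myfirstferrari", 20)]),
    Tx("t4", [("cb2", 0)], [("bob", 50)]),
    Tx("t5", [("t3", 0), ("t4", 0)], [("carol", 80)]),
]

BAD = {"myfirstferrari"}


if __name__ == "__main__":
    fractions = taint_fractions(LEDGER, BAD)
    for key in sorted(fractions):
        print(key, f"{fractions[key]:.3f}", "RADIOACTIVE" if fractions[key] > 0 else "clean")
```

Carol's output is 37.5% tainted by value but fully radioactive under the poison rule, which is the practical objection to the scheme: anyone who has ever received a payment mixed with miner proceeds, knowingly or not, ends up holding coins nobody will accept.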
The problem is legitimate activities done for the wrong reasons will classify something as malware.
For example, gathering user data for advertising purposes - gathering user data is a legitimate activity as there are apps with legitimate need. And they can use it for advertising purposes, too, since that's what Google et al. do as well. However, it can trend into the malicious part if it's all done surreptitiously.
Likewise, designing a cryptocurrency miner is not necessarily a bad thing - there are legitimate uses. (It's also not a new thing - I believe Unity has had a plugin for Bitcoin for several years now - yes, Unity, the game engine). However, again, when done without the user's knowledge, it then becomes malware.
It's one of those things where intent and knowledge is just as much a part of the classification. There was another app that did it openly - it had a "free" version and a "pro" version. You could pay $25 for the pro version permanently, or you can do "Pro for free" where it runs a cryptocurrency miner. It was very honest about it - if you wanted to upgrade, it explained what happened. If you didn't want the pro features anymore, you could revert it to "free" status and it'll stop mining as well. (Or was supposed to - the library the developer used was buggy, and thus it did not shut down properly and had the possibility of running all the time. This unwanted behavior got the developer in a lot of trouble and was forced to remove "Pro for free" as an option).
Maintained by a team of accountable people. This was always one of the reasons a decent Linux distro was more secure than an equivalent Windows machine - because your packages came from a verified source. The concept of snaps makes things more convenient - for everyone, including malware authors. But, you know, so convenient.