Slashdot Mirror


Malware Found in Arch Linux AUR Package Repository (bleepingcomputer.com)

An anonymous reader shares a report: Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code has been removed thanks to the quick intervention of the AUR team. The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors. On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files. According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb [dot] pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text.

9 of 69 comments

  1. A rare photo of a malware author being born. by AlanObject · · Score: 3, Interesting

    From the looks of it the bad actor xeactor didn't have any expectation beyond finding out if his little trick would work or not.

    On the other side this could be a case study about the immune system that open source provides.

  2. Re:Moar Fake News! by phantomfive · · Score: 2

    No one ever said that open source was perfect. But consider that we are talking about one piece of malware... then notice how much malware has been found in the Apple store and the Android store.

    --
    "First they came for the slanderers and I said nothing."
  3. Why so little malware? by Anonymous Coward · · Score: 2, Insightful

    I'm more interested in why there is so little malware. I would have expected lots of malware without any packages needing to be hijacked.

    1. Re:Why so little malware? by jmccue · · Score: 2

      I kind of wonder this also. I do not know how many package maintainers there are in ARCH or how it works, but with the amount of packages available in some distros these days I guess I should not be surprised.

      Sad that distro maintainers may have to vet maintainers now, adding an additional burden. But as users we should always be careful with non-core packages.

    2. Re: Why so little malware? by hairyfeet · · Score: 2

      Heartbleed ring ANY bells? That was exploited for God knows how long before anybody got hit with a clue bat (in fact last I checked there are STILL servers out there with the exploit unpatched) but again because everyone ASSUMES the code is being vetted that bug was able to stay in there for decades.

      Then there is the infected Quake 3 Arena that stayed in the Ubuntu repo for over a year, the KDELook trojan that lasted nearly 2 years, hell I could go on all day listing times where nasty shit got completely overlooked because everyone assumed that SOMEBODY was checking this shit...but they weren't and as I pointed out just a teeny tiny bit of logic blows the entire premise to shit.

      But let's hear it, Einstein, because I'm sure we'll all find the insane logic hoops you'll be jumping through REALLY funny...explain to us where these magical security IT teams are coming from to vet every single package on the repo of your choice because as I pointed out unless they have years of exp spotting obfuscated C code is DAMN hard, who is paying the many millions to have them do nothing but check all that code, and how they are able to check the hundreds if not thousands of packages that change in any given year on your average distro.

      Because I'm willing to bet my last dollar that if you look at who is accessing the code for the boring bits and bobs that make up your average distro, all the dull parts from the calendar function to the googly eyes to the code that controls the wallpaper, that the only ones accessing that code are the guys doing the changes who you again ASSUME are never gonna turn out to be a bad actor...yeah GL with that. Before there really wasn't any point attacking Linux because there just weren't enough users to make it a juicy target...now there are crypto bugs where you can make an assload using every CPU and GPU you can get your hands on to mine coins....yeah I have a feeling you are seeing the tip of the iceberg and it won't take long before the crypto bugs come in force...again GL with that.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Caught within 1-3 hours. Phone apps stay for month by raymorris · · Score: 4, Insightful

    He was caught within a few hours, because all changes are public:

    https://aur.archlinux.org/cgit...

    Possibly bad guys would rather add trojans to iPhone and Android apps, which may stay in the store for months without detection. You can't tell what changes have been made to compiled apps you download on iPhone, Android, or Windows.

  5. Affected Packages by Philotomy · · Score: 4, Informative

    According to posts on aur-general, the known affected packages are:

    • acroread 9.5.5-8
    • balz 1.20-3
    • minergate 8.1-2

    According to comments on the AUR acroread package, the script the compromised package installed (to upload system details) contained an error and wouldn't function properly. The script also installed a systemd timer, and the comments advise checking your system for:

    • /usr/lib/xeactor
    • /usr/lib/systemd/system/xeactor.timer
    • /usr/lib/systemd/system/xeactor.service

    As a side-comment, for those unfamiliar with Arch, these compromised packages are not part of the official Arch repositories. The AUR is a "user repository": a collection of user-supplied packages which require deliberate download and installation. AUR packages should always be reviewed before installing them, and not installed if you don't trust the package. As the AUR documentation explains, "Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed by makepkg: these functions can contain any valid commands or Bash syntax, so it is totally possible for a PKGBUILD to contain dangerous commands through malice or ignorance on the part of the author. Since makepkg uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list."
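
    The two checks the comment above describes, written out as an added example that is not part of the thread, the aur-general posts or anything the AUR team published: a POSIX shell script that looks for the three indicator paths (optionally under a test root, which is an assumption of this example so it can be pointed at a mounted image), asks systemd on the live system whether an xeactor unit is registered, and greps a PKGBUILD for fetch-and-execute lines of the kind a reviewer should read before running makepkg. The grep is a reading aid for the "carefully check the PKGBUILD" advice, not a malware detector; a clean result still means reading the whole PKGBUILD, the .install file and the fetched sources.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or the AUR team: look for the
# xeactor indicators quoted from the AUR acroread comments and flag PKGBUILD
# lines worth reading before running makepkg.

# Indicator paths quoted in the thread, one per line (no spaces in any path,
# so default word splitting is safe).
XEACTOR_INDICATORS='/usr/lib/xeactor
/usr/lib/systemd/system/xeactor.timer
/usr/lib/systemd/system/xeactor.service'

# check_xeactor_indicators [ROOT]
# Returns 0 when none of the paths exist under ROOT (default: the live
# filesystem), 1 when at least one does. Hits are printed to stdout. ROOT is
# an assumption of this example so the check can run against a mounted image
# or a test directory instead of /.
check_xeactor_indicators() {
    root="${1:-}"
    hit=0
    for p in $XEACTOR_INDICATORS; do
        if [ -e "$root$p" ]; then
            printf 'FOUND: %s\n' "$root$p"
            hit=1
        fi
    done
    # On the live system also ask systemd whether a unit named xeactor.* is
    # registered at all, which catches a unit dropped somewhere other than
    # /usr/lib/systemd/system.
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1; then
        if systemctl list-unit-files --no-legend 2>/dev/null | grep -q '^xeactor\.'; then
            printf 'FOUND: xeactor unit known to systemd\n'
            hit=1
        fi
    fi
    return "$hit"
}

# audit_pkgbuild FILE
# Prints PKGBUILD lines (with line numbers) that pipe curl/wget output into a
# shell, decode a base64 blob, or eval a command substitution, ignoring lines
# that are commented out. Returns 1 if anything matched, 0 otherwise. This is
# a heuristic to direct the reviewer's eye, not a verdict on the package.
audit_pkgbuild() {
    file="$1"
    matches=$(grep -nE \
        '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode)|eval[[:space:]]+"?\$\(' \
        "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$matches" ]; then
        printf 'SUSPICIOUS %s:\n%s\n' "$file" "$matches"
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_aur.sh [PKGBUILD ...]
# XEACTOR_ROOT is an assumption of this example (set it to a mounted image's
# mount point to scan an offline system).
check_xeactor_indicators "${XEACTOR_ROOT:-}" && echo "no xeactor indicators found"
for f in "$@"; do
    audit_pkgbuild "$f" && echo "no suspicious fetch lines in $f"
done
```

    Run it on a live Arch host with no arguments to check for the three paths and the timer, or pass one or more PKGBUILD files (for example the one makepkg would build from a freshly cloned AUR package) to have the suspicious lines printed with their line numbers before you build anything.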

  6. AUR is not secure by design, but that's fine by damaki · · Score: 2

    It is written basically everywhere in the AUR official documentation: do not trust AUR packages, verify everything before install! AUR packages are like Ubuntu PPAs, there is no security policy and no patch policy. But that is totally fine! It is entirely the point of AUR; anybody can contribute to it. For AUR packages security, you are on your own and you should check the sources thoroughly when you install an AUR package!

    --
    Stupidity is the root of all evil.
  7. Re:It's a matter of trust by aquabat · · Score: 3, Funny

    I think the whole system is screwed up.

    It could be just your keyboard driver. If you think you've been infected, maybe check that one.

    --
    A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.