Malware Found in Arch Linux AUR Package Repository

[tao]

Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.

 

The malicious code has been removed thanks to the quick intervention of the AUR team.

Info-stealer found in "acroread" Arch Linux package

The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors.

 

On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files.

 

According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb.pw, a lightweight site mimicking Pastebin that allows users to share small pieces of texts.

 

When the user would install the xeactor package, the user's PC would download and execute the ~x file [VirusTotal, source code], which would later download and run another file named "~u" [VirusTotal, source code].

 

Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file at every 360 seconds.

Malware didn't do much

The purpose of the second file (~u) was to collect data about each infected system and post these details inside a new Pastebin file, using the attacker's custom Pastebin API key.

 

Collected data includes details such as the date and time, machine's ID, CPU information, Pacman (package manager) details, and the outputs of the "uname -a" and "systemctl list-units" commands.

 

No other malicious actions were observed, meaning the acroread package wasn't harming users' systems, but merely collecting data in preparation for... something else.

 

There isn't a self-update mechanism included, meaning xeactor would have needed a second acroread package update to deploy more intrusive code, or potentially another malware strain.

Two other yet-to-be-named packages also found infected

The AUR team also said it found similar code in two other packages that the xeactor user has recently taken over, but has not revealed their names.

 

All malicious changes to all three packages have now been reversed, and xeactor's account has been suspended.

 

The Arch Linux team is the second Linux distro that has found malware on its user-submitted package repository this year. In May, the Ubuntu Store team found a cryptocurrency miner hidden in an Ubuntu package named 2048buntu.

 

< Here >

[steven36]

Yes the way Arch is  maintained  we been looking for this to happen for  a long  time because anybody can take a Linux package  for a  open source app they not the devs of and summit it to there website ,back when i use to use manjaro some stuff they didn't have in there distro so if you wanted it to use it you had to get it from Arch  and some of the maintainers were submitting broken packages that would not even install.   The bitcoin miner was in a app Ubuntu snap package  in the store done by a rouge developer put in his app they removed the package from the store and ban him. And it was not the team who found it was a user who found it and posted about it on github and he didn't even know the right place to post it so they pointed him to were to post the info, I been a member of the store every since snap was new.  that  happens on windows everyday they been allowing  devs to put pup and spyware in there installers every since i been on the internet.

 

It's a whole lot easier for us to get something removed from GNU Linux than it is windows  because most Linux software is community maintained were on  Windows it's very hard to get most software removed . Even there is some software open source with open candy adware in the installers on windows and the same software is clean on Linux because they have 0 tolerance for spyware. And example is Media Info witch is a great program by the way.

 

Most proprietary software on Linux is maintained by closed source vendors and has always been install at you're own risk and people who preach foss say don't use  it but some people need it for work , school or entertainment so they alow it . It's the users choice . But on windows you have no choice its proprietary software to begin with.

 

Using Arch is like building you're own OS, you go to there website and pick what you want too install ,its very bleeding edge and it's not for noobs you have to do lots of reading to even use it so most of there users are elitist  . If you are a noob best to start with a fork like manjaro witch is pre built Arch.