Arch Linux Trojan Packages

banger

https://linuxiac.com/malware-discovered-in-arch-linux-aur-packages/

So much for Linux being immune to Malware.

Thoughts?

BuzzPCSOS

banger The requirement to have password protection for any administrator access makes the system generally less prone to virus attack than systems where User Account Control can be easily bypassed.
Making the assumption that you are invulnerable no matter what security you have or what operating system you run is foolhardy. The best protection is to air gap sensitive data, which isn't always practical in these days of on-line commerce. Limit what you do share and keep everything else strictly off line.
In fairness it only took two days before the malware was discovered and removed. Some Windows stuff was out in the wild for ages.
I'm still putting my trust in Linux.

Original-Syn

banger It was never immune. My business is in the cyber world. Nothing is immune from people downloading dangerous packages and running them. The AUR has a warning about this as they are user repositories, and it is up to the individual to investigate before installing.

brent

In endeavour I use librewolf-bin...not librewolf-fix-bin but I can see where someone can mix them up.
The AUR certainly did not come with any guarantees.
the article makes it sound like this is the first time and only cites this one package. but I think bad actors have been in the AUR before but I have no link..just memory.

Linux 'immunity' is also affected by all the bad actors in the browser extension business. For that I have peer review.

It's a wake-up, this article, for users to read the code before downloading. There's red flags that are obvious when reading code even if you don't know how to read code. I was well-instructed in them at one time...til I got lazy and forgot and just installed what I wanted 🙂.

brent

BuzzPCSOS Making the assumption that you are invulnerable no matter what security you have or what operating system you run is foolhardy.

yeppirs

BuzzPCSOS In fairness it only took two days before the malware was discovered and removed.

was a fast response I failed to note. Was an oddball package for sure.
"For those unfamiliar, a RAT is no joke—it can grant attackers full control over an infected system, enabling them to steal data, install additional malware, or spy on users."

BuzzPCSOS I'm still putting my trust in Linux.

Until B.Gates moves in the Extinguish mode, I am too 🙂

banger

What to look for in code? I only coded in Basic and Borland. But have no clue in Linux.

brent

banger I forgot.
I vaguely remember because I only did it once and it was over my head. Something about the abundance of certain punctuation, the length of some things...many people gave me good advice on how to set my radar to 'fishy' while looking at AUR package code...and I thought I got it, but...it really didn't stick.
There was a thread about how to read this stuff.
But Endeavour forums has been down for days..

banger

Original-Syn It was never immune. My business is in the cyber world. Nothing is immune from people downloading dangerous packages and running them. The AUR has a warning about this as they are user repositories, and it is up to the individual to investigate before installing.

Ok I shouldn't have said immune maybe less likely to be infected than Winblows. But there is a severe lack of tools to check for infection in Linux. I know of Clam and a couple of rootkit testers but that is it.

At least Windows has Defender which I know can be easily defeated but its better than nothing.

banger

Well I am just glad we have some decent people in Solus packaging updates. But I don't know an awful lot about them other than Solus runs smooth.

brent

banger But there is a severe lack of tools to check for infection in Linux

I know you didn't ask me but the creator of clamav abandoned it last year and agreed it was "ineffective" as it was a false positive factory. It flagged 98 of my llibre office packages as being malware in Solus last time I used it...I think for Linux an audit is where it's at. I run Lynis or Tiger once or twice a year. These things don't run signatures per se, they look in every nook and cranny and tell you what's askew, or vulnerable, or has permissions it should not (i.e. audit) then you can make the adjustments manually.
2 cents

banger

brent I know you didn't ask me but the creator of clamav abandoned it last year

A quick google seems to turn up ClamAV by Cisco.

banger

Lynis security scan details:

Hardening index : 70 [############## ]
Tests performed : 219
Plugins enabled : 0

Components:

Firewall [V]
Malware scanner [X]

Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]

Lynis modules:
Compliance status [?]
Security audit [V]
Vulnerability scan [V]

Tried Lynis and have a lot to investigate. Also noticed Lynis checks for a Malware scanner. Any suggestions other than ClamAV?

Harvey

All those tools are dog shit. I made an app in python and used nuitka to bundle it so Windows users didn't need to install python and edit system PATH etc. Windows Defender detects it as malware. It's a very, very basic front end for a command line utility, there is nothing malicious about it. But bad actors use nuitka too so must be bad!

It is a common problem on Windows.

Solutions?

Make it harder for novice users to use your app.
Try bundle it with pyinstaller instead. (Worse performance than nuitka).
Pay money for nuitka commercial license.
Pay money and get your app signed.
Make users install it via the Windows store.

I went the pyinstaller route and Windows Defender still decided to send the binary off for testing but at least it didn't delete it and say its malware this time.

If it doesn't understand what’s happening they assume its malware.
If a heap of people haven't used that application it might be malware!
If a legitimate app does something that malicious apps commonly do... malware!

They have no fucking clue. These tools inability to stop false reporting everything as malware means no one trusts them when they do report something or they distrust the innocent application that is being falsely reported. Its a complete shit show.

For user repositories like the AUR, people who have no fucking clue should not be using them. Users who are a bit smarter need to listen to the warnings and actually read the recipes of everything they try build from the AUR. If something looks sus or you just don't understand what its doing, then don't use it.

Axios

I stopped using windows virus/malware crap years ago after a few disasters from there crap.
I run a few basic checks with linux other than that I dont worry about it with Solus period!
And Just staying informed by reading whats going in the linux security world.

Harvey

It was clamtk, a frontend for ClamAV which was abandoned last year https://github.com/dave-theunsub/clamtk/issues/163

banger

Shame I liked ClamTK.

riffer

I still use ClamTK on my NAS but I'm too lazy to just learn the commands. 🙂

SilverBird775

Not an AUR user. Yet downloading some random binary stuff here and there.

Linux is still better then windows. Why on Earth any windows installer is asking for a system change privileges? Why asking?! It's installer, so you can newer say is it legit or not. There is no choice, you just hitting yes and hope for best. It's really so confusing that WINE does not even bother to simulate any sort of UAC control and just let ruin its prefix to any malware.

And yet there is no software in Linux that asked me for a root so far. Except updates of course. Oh, and partition managers.

AlphaElwedritsch

I don't use AUR in solus, so I don't have any problems with trojan packages 😉

Axios

What happens on the GitHub repository side when something like this happens.

brent

Axios
good valid question https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/

It's looks like they are active on it...except I don't know if they block the stuff from being downloaded or simply bringing it to your attention via "github advisory database."

MS (github owners) can afford to "get on it" in this proactive way.
The Arch crew probably not so much. AUR exploitation don't seem to be as common as the flurry of instances at github (in a simple DDG search.) Great observation.
MODS: sorry if I veered this