World’s biggest Linux distro infected with malware

Thanks to Tim Easton of SophosLabs for his behind-the-scenes work on this article.

Sadly, the headline is accurate.

Fortunately, however, the outcome was not as bad as it could have been.

Linux Mint sits firmly at the top of the last year’s worth of stats in the Distrowatch list, so it’s unarguably a popular distro, at least for end-users.

Mint is based on Ubuntu, which in turn is built on Debian, so it’s not surprising to see those three distros in the top spots.

Mint, you might say, is like “Ubuntu with choice,” so you aren’t stuck with Ubuntu’s look-and-feel, which is perhaps best described as similar-yet-resolutely-different.

For newcomers to Linux, especially those used to Windows, Mint can be a lot less intimidating than facing up to Ubuntu’s unfamiliar desktop, or to Debian’s technocentricity.

I’ve used it myself on a low-powered netbook and found it fast and friendly, so it’s not hard to see why it’s a popular choice for those wanting to get into using Linux without any visual or technical surprises.

What happened?

Here’s what seems to have happened, according to the commendably prompt and open disclosure of Mint’s founder and project leader, Clement Lefebvre, better known as Clem.

  • Hackers got in and modified a PHP script that was part of a WordPress installation used by the Mint project.
  • If you used Mint’s download page to find your way to your download of choice, the malicious PHP script would redirect you to an imposter site.
  • The only affected downloads were the versions known as Linux Mint 17.3 Cinnamon edition. (Each edition has its own look and feel; other versions include MATE, KDE and Xfce, none of which were affected.)
  • The imposter server contained both 32-bit and 64-bit versions of Cinnamon, but only the 64-bit version is known to have been hacked.

As Clem said on the Mint blog:

Q. [W]hich version of Cinnamon[? …Was] it 32-bit or 64-bit version affected or both?

A. 64-bit definitely, 32-bit didn’t show [signs of infection] but was found on the Bulgarian server, so it looks like they were preparing to compromise this one as well later on.

Clem’s mention of “the Bulgarian server” refers to 5.104.175.212, the IP number of the imposter site used by the attackers, which is somewhere in Bulgaria.

Because the crooks didn’t manage to hack the actual Linux Mint repositories, they weren’t able to compromise the Mint source code, or the official Mint download ISOs (disk images), or even the list of official download checksums.

In short: if you’re a Mint user, and you downloaded a Mint 17.3 Cinnamon ISO over the weekend, and you didn’t validate the ISO’s checksum against an officially published list, and you installed the ISO, you probably have malware on your computer.

Update. A subsequent post on the Linux Mint blog confirms the bad news that, during this attack, the Mint online forum database was stolen, including usernames, hashed passwords, and user profile information. Worse still, private posts and messages were stolen, too. Change your password, and be sure to choose one that’s different from any of your other online accounts! [2016-02-22T12:30Z]

What to look for?

According to the Mint blog, an easy way to see if you’re affected is to look in the directory /var/lib/man.cy: if the directory is empty, you are probably OK; if there is a file in it, you’re probably infected.
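As an added example (not code from this article or from the Mint project), this POSIX shell script turns the two checks the article relies on into functions: comparing a downloaded ISO against the officially published checksum list, and looking for files in /var/lib/man.cy. It assumes the checksum list is in `sha256sum` output format.

```shell
#!/bin/sh
# Added example, not code from the Naked Security article or the Mint project.
# Two defender-side checks the article describes:
#   verify_iso          - the downloaded ISO matches the officially published checksum list
#   indicator_dir_clean - /var/lib/man.cy is absent or empty (the Mint blog's indicator)
# Assumption: the checksum list is in `sha256sum` output format ("<hash>  <filename>").

# verify_iso <iso-path> <checksum-list>
# Returns 0 only if the list has an entry for this file name and the hash matches.
verify_iso() {
    iso="$1"; sums="$2"
    [ -f "$iso" ] && [ -f "$sums" ] || return 1
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    # Look up the expected hash by file name; tolerate the "*name" binary-mode marker.
    expected=$(awk -v f="$(basename "$iso")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 1   # no entry: an unlisted image is not trustworthy
    [ "$actual" = "$expected" ]
}

# indicator_dir_clean [dir]
# Returns 0 if the directory does not exist or is empty, 1 if it contains anything.
indicator_dir_clean() {
    dir="${1:-/var/lib/man.cy}"
    [ -d "$dir" ] || return 0
    [ -z "$(ls -A "$dir")" ]
}

# When run directly: check the local indicator path, and an ISO if one is given.
if indicator_dir_clean /var/lib/man.cy; then
    echo "/var/lib/man.cy is absent or empty: probably not infected"
else
    echo "/var/lib/man.cy contains files: treat the install as compromised"
fi
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then
        echo "$1: checksum matches the published list"
    else
        echo "$1: checksum MISMATCH or not listed - do not install"
    fi
fi
```

Run it as `sh check-mint.sh linuxmint-17.3-cinnamon-64bit.iso sha256sum.txt` with the checksum list saved from the official Mint page, not from the download mirror you were redirected to.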

SophosLabs reports that the malware is Linux/Tsunami-A, also known as Kaiten.

This is a rather old Linux bot, or zombie, that is readily available in source-code form.

Tsunami connects to an IRC server (a command-and-control technique rarely seen in modern bots, because so many networks block IRC traffic these days) and waits for instructions from the crooks who control the server.

Commands that the crooks can give to your computer include: ordering it to start a denial of service (DoS) attack against someone else, and instructing it to download and run additional malware.

What to do?

  • If you didn’t download a Mint Cinnamon ISO this weekend, you don’t need to worry.
  • If you downloaded an ISO but didn’t install it yet, just delete the ISO, and then you don’t need to worry.
  • If you had Mint already installed and did any sort of update (not a reinstall) over the weekend, you don’t need to worry.
  • If you don’t have any files in /var/lib/man.cy, you probably don’t need to worry.

In the unlikely event that you are infected, just get a fresh ISO and install again to replace the infected version.

By the way, if you run your own WordPress installation, why not take this as a reminder to check it out?

Make sure that your operating system, version of WordPress, PHP, plugins and themes are all up-to-date, and do a quick security review.

Just in case!

Did you know?

Sophos Antivirus for Linux is free for desktops and servers at home and at work.

You can find out more about it on the Sophos website.


If all you want to do is check for malware without installing anything, why not try Sophos Bootable Antivirus (SBAV), our standalone, Linux-based malware cleaner that you can boot from CD or USB?

SBAV is also great for scanning Windows computers after a clean boot, thus avoiding the interference of any rootkits or other malware that might be in the way.


If you’re still not convinced that cybercrooks and malware are a problem in the Linux world, have a listen to our When Penguins Attack podcast.