Arch Linux AUR packages found to be laced with malware

Three Arch Linux packages have been pulled from AUR (Arch User Repository) after they were discovered to contain malware. The PDF viewer acroread and two other packages that are yet to be named were taken over by a malicious user after they were abandoned by their original authors.

A user by the name of xeactor took ownership of acroread and tweaked the source code of the package, lacing it with malware. In this particular instance there were no major consequences, but it highlights the security issues associated with user-submitted software.

See also:

• Canonical releases new infographic to show how Ubuntu Linux 'connects everything'
• Gentoo Linux Github Organization repo hack was down to a series of security mistakes
• elementary OS 5.0 'Juno' Beta 1 Linux distro now available, but you shouldn't install it
• SUSE Linux sold for $2.535 billion

While the problem might at first seem serious, there are a few things to consider. The first is that users have to opt to use AUR, and it has the same dangers associated with it as just about any other third party software repository. This is something the site itself warns: "AUR packages are user produced content. Any use of the provided files is at your own risk."

Secondly, it seems that the person who hijacked acroread and two other packages either didn't finish his work, or didn’t really know what he was doing. While technically malicious, the malware didn't really do anything harmful -- but that's not really the point.

What the malware did was collect certain pieces of information about infected computers (such as CPU details, machine ID and so on) and upload it to pastebin.com. Except it didn't even manage to do that because there was an error in one of the scripts.

Bleeping Computer explains:

According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb.pw, a lightweight site mimicking Pastebin that allows users to share small pieces of texts.

When the user would install the xeactor package, the user's PC would download and execute the ~x file, which would later download and run another file named "~u".

Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file at every 360 seconds.

All of the affected packages have been rolled back to their original state, and the account of the perpetrator has been suspended.