Background Image

Blog Post

Jul 18

Malware Found In Arch Linux

3 or more packages in the Arch Linux user repositories were found to contain malware due to orphaned repository ownership changes, and the resulting packages in question are marked as follows. The packages themselves pose minimal risk but should be removed by anyone using Arch (or any Arch based distro) or anyone using Arch User Repo packages via apt or pacman via source change audits. 

acroread 9.5.5-8
balz 1.20-3
minergate 8.1-2

The Author Of The Exploited Packages


On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files.

According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from, a lightweight site mimicking Pastebin that allows users to share small pieces of texts.

When the user would install the xeactor package, the user's PC would download and execute the ~x file [VirusTotalsource code], which would later download and run another file named "~u" [VirusTotalsource code].

Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file at every 360 seconds. - via Bleeping Computers


The Rundown

These packages collected user data and posted it to pastebin via a script but had no integrated update mechanism rendering it roughly as dangerous as an average flappy birds clone. By contrast, the flashlight apps on android / apple phones and tablets that ask for user data, contact data, credit card info generally are considered at best a nuisance but pose more direct dangers to users.  Granting that it is unusual to see open source repositories misused in this way, you should consider the malware available on every mainstream platform through their own app stores etc. It becomes a case of over hyped overreaction when anything happens on Linux for a variety of reasons. Yes it was an attempt at malicious gathering of data to whatever intended purpose, but how many scam phone calls a day manage to get further with fewer lines of scripting? All of them.

Degree of difficulty on Xeactor's hack attempt? 2 out of 10. Had it been 100% effective what would he/she have gained? Not much really, less than a fake microsoft employee trying to remote access a senior citizens computer.  

Is Linux Less Safe Somehow

No, if we were to compare the sheer volume of malware, viruses, trojans, and vulnerabilities on every operating system platform the numbers would speak for themselves. So lets do that now and end the debate. Bear in mind the numbers reflect vulnerabilities and dates may be time sensitive so look up any specific vectors you wonder about if you need up to the date estimates as it relates to any given exploit. - Also check that patch rate because Linux fixes theirs very very quickly.

*Vulnerabilities shown on the following links are the only numbers reflected and are not suggested indications of viruses. Please note that - as shown after the names of each company - numbers of viruses are estimated averages as offered by a wide number of sources including: McCaffe, Semantec, and Kaspersky Labs etc. Paths through which such exploits may have been employed are directly displayed on the resulting cvs and not indicated by the estimated virus and malware numbers. This is an important distinction to make as the reflected vulnerability list is similar between all companies but demonstrates the areas most likely to be affected by exploits. ** Also look at vulnerabilities related to code execution as those are the most dangerous.

Microsoft Approximately 68,000 known viruses, trojans, worms, and other malware types many of which do "approximately nothing harmful" to the end user.

Mac Approximately 70 known about 8 of which are serious cause for concern

Linux  Around 45 known and 3 of which have ever caused any real issues.

Add Comment:
Please login or register to add your comment or get notified when a comment is added.
1 person will be notified when a comment is added.