• Welcome to Peterborough Linux User Group (Canada) Forum.
 

Password-stealing Linux malware served for 3 years... (Ars Technica)

Started by Jason, September 12, 2023, 06:21:21 PM



Jason

If you have or had this program, the article tells you how to check if you downloaded the malware version. It's insidious. Some received the legitimate program, some were redirected and received a malware version. And it went on for years without anyone noticing.

https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/?utm_source=pocket_saves
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

ssfc72

#1
Thanks Jason for the heads up on this Linux malware.

To save everyone from having to click the link to find out what Linux program was infected.

The program/app that has the malware is a download manager called freedownloadmanager and was available at freedownloadmanager[.]org
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

Thanks, Bill. I edited your comment just so the link isn't clickable (as was done in the article). Just remove the brackets around the dot in the link to visit. I don't want people accidentally going to it since the company didn't respond when Ars Technica contacted them. That's a sign to me that they can't be trusted, so even though the malware isn't necessarily there anymore, I'd be very, very careful.

The link to the alert (in the article) explains more about it in detail (more detail than most members want to see). But at the end, it tells you what to look for, since even removing the program will still leave the files intact that give a backdoor into your system.

Look for these files and delete them if you find them. They won't hurt anything since they're in /tmp. The /tmp directory is often used to drop malware so users won't see it and because it has lower directory permissions.

File paths
/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd


Another moral to the story is whenever possible to look in your package manager and install programs from there, not from a website download. It's not always possible to do so but do it where you can.

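A quick way to run the check described in the post above, as an added example (it is not from the article or the alert): a POSIX shell script that reports each of the four paths if present, with size, mtime and SHA-256 so the evidence survives deletion, shows what a cron drop file schedules, and lists any process still running from those paths. The root-prefix argument and the function names are this example's own additions, so the scan can also be pointed at a mounted disk image.

```shell
# Added example (not from the article or the alert): report the leftover files
# named in the alert and any process still running from them.
# ROOT is this script's own assumption: default "/", or a mounted image/test tree.
IOC_PATHS="/etc/cron.d/collect /var/tmp/crond /var/tmp/bs /var/tmp/atd"

# Prints one FOUND line per existing path with size, mtime and SHA-256 (record the
# evidence before deleting). Exit status = number of paths found, so 0 means clean.
scan_ioc_paths() {
  root="${1:-/}"
  found=0
  for p in $IOC_PATHS; do
    f="${root%/}$p"
    [ -e "$f" ] || continue
    found=$((found + 1))
    size=$(wc -c < "$f" | tr -d ' ')
    mtime=$(date -r "$f" '+%Y-%m-%dT%H:%M:%S%z')
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf 'FOUND %s size=%s mtime=%s sha256=%s\n' "$p" "$size" "$mtime" "$sum"
    # The cron drop file is what re-launches the rest; show what it schedules.
    case "$p" in /etc/cron.d/*) sed 's/^/    cron: /' "$f" ;; esac
  done
  return "$found"
}

# Deleting a binary does not stop a copy that is already running; /proc/<pid>/exe
# still points at the old path (with " (deleted)" appended once the file is gone).
# Exit status = number of matching processes.
running_from_ioc_paths() {
  hits=0
  for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    pid=${exe#/proc/}; pid=${pid%/exe}
    for p in $IOC_PATHS; do
      case "$target" in
        "$p"|"$p (deleted)")
          hits=$((hits + 1))
          printf 'RUNNING pid=%s exe=%s\n' "$pid" "$target" ;;
      esac
    done
  done
  return "$hits"
}
```

Source the file and call `scan_ioc_paths` and `running_from_ioc_paths` as root; a non-zero exit status from either means something was found and should be looked at (and killed, in the second case) before the files are removed.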

Jason

The malware allowed complete control of your computer so you should consider changing important passwords. And changing doesn't mean just adding numbers on the end or using a variant of the existing password (e.g. same word(s), different order).