Peterborough Linux User Group (Canada) Forum

Linux & Android => Security and Privacy => Topic started by: Jason on September 12, 2023, 06:21:21 PM

Title: Password-stealing Linux malware served for 3 years... (Ars Technica)
Post by: Jason on September 12, 2023, 06:21:21 PM
If you have or had this program, the article tells you how to check if you downloaded the malware version. It's insidious. Some received the legitimate program, some were redirected and received a malware version. And it went on for years without anyone noticing.

https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/?utm_source=pocket_saves
Title: Re: Password-stealing Linux malware served for 3 years... (Ars Technica)
Post by: ssfc72 on September 13, 2023, 02:23:09 AM
Thanks Jason for the heads up on this Linux malware.

To save everyone from having to click the link to find out what Linux program was infected:

The program/app that has the malware is a download manager called freedownloadmanager and was available at freedownloadmanager[.]org
Title: Re: Password-stealing Linux malware served for 3 years... (Ars Technica)
Post by: Jason on September 13, 2023, 07:15:28 AM
Thanks, Bill. I edited your comment just so the link isn't clickable (as was done in the article). Just remove the brackets around the dot in the link to visit. I don't want people accidentally going to it since the company didn't respond when Ars Technica contacted them. That's a sign to me that they can't be trusted, so even though the malware isn't necessarily there anymore, I'd be very, very careful.

The link to the alert (in the article) explains more about it in detail (more detail than most members want to see). But at the end, it tells you what to look for, since even removing the program will still leave the files intact that give a backdoor into your system.

Look for these files and delete them if you find them. They won't hurt anything since they're in /tmp. The /tmp directory is often used to drop malware so users won't see it and because it has lower directory permissions.

File paths:
/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd

Another moral of the story is, whenever possible, to look in your package manager and install programs from there, not from a website download. It's not always possible to do so, but do it where you can.
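A small defender's check for the four leftover paths named in the post, written as an added example for this thread; it is not from the post, the Ars Technica article, or the project behind the download manager. It assumes an optional ROOT_PREFIX (an assumption, not something the post mentions) so the same function can be pointed at a mounted disk image or a scratch directory instead of the live system. It only reports what it finds and what a found cron file schedules; deleting anything is left to the person reviewing the output.

```shell
#!/bin/sh
# Added example, not from the forum post or the article: report whether the
# file paths named in the thread exist on this host (or under a prefix).
# ROOT_PREFIX is an assumed environment variable; empty means the live system.

# The four paths from the post, one per line (default IFS splits on newline).
IOC_PATHS="/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd"

# check_ioc_paths [prefix]
# Prints each matching path to stdout, shows owner/mode/mtime (and, for a
# cron file, its contents) on stderr, and returns the number found
# (0 = nothing found). Nothing is modified or deleted.
check_ioc_paths() {
    prefix="${1:-}"
    found=0
    for p in $IOC_PATHS; do
        full="${prefix}${p}"
        if [ -e "$full" ]; then
            found=$((found + 1))
            printf '%s\n' "$full"
            # Record ownership, permissions and timestamp before any cleanup.
            ls -ld "$full" >&2
            case "$p" in
                /etc/cron.d/*)
                    # A cron.d entry is a persistence mechanism; show what it runs.
                    sed 's/^/    /' "$full" >&2
                    ;;
            esac
        fi
    done
    return "$found"
}

# Stand-alone run: check the live system (or ROOT_PREFIX) and summarise.
check_ioc_paths "${ROOT_PREFIX:-}"
echo "$? of the listed path(s) present" >&2
```

Run it as a normal user first; the paths are world-readable, so no root is needed just to look. Review the ls and cron output before removing anything, and keep a copy of any cron file found so the scheduled command can be examined later.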

Title: Re: Password-stealing Linux malware served for 3 years... (Ars Technica)
Post by: Jason on September 13, 2023, 07:24:27 AM
The malware allowed complete control of your computer so you should consider changing important passwords. And changing doesn't mean just adding numbers on the end or using a variant of the existing password (e.g. same word(s), different order).