arch-linux-aur-malware
Yet another incident showing that you should not blindly trust user-controlled software repositories.

Arch Linux, one of the most popular Linux distributions, has pulled three packages from its user-maintained AUR repository after they were found hosting malicious code.

Arch Linux is an independently developed, general-purpose GNU/Linux distribution composed predominantly of free and open-source software, and supports community involvement.

Besides official repositories like Arch Build System (ABS), Arch Linux users can also download software packages from several other repositories, including AUR (Arch User Repository), a community-driven repository created and managed by Arch Linux users.

Since AUR packages are user-produced content, Arch maintainers always advise users to carefully check all files, especially the PKGBUILD and any .install file, for malicious commands.

However, the AUR has recently been found hosting malicious code in several packages, including a PDF viewer.

Compromised PDF Viewer Found on Arch Linux AUR

On June 7, a malicious user nicknamed "xeactor" adopted an orphaned package (software without an active maintainer) called "acroread" which functions as a PDF viewer, and modified it to add malicious code.

As per a Git commit to the package's source code, xeactor added malicious code that used curl to download a script, which in turn would install and run a further script from a remote server.

This script installs a persistent component that meddles with "systemd" and reconfigures it so that the component runs every 360 seconds.

The investigation revealed that the malicious script was designed to collect data on the infected systems to retrieve the following information:

  • Date and Time
  • Machine's ID
  • Pacman information (package management utility)
  • The output of the "uname -a" command
  • CPU Information
  • The output of "systemctl list-units" command

The collected data would then be posted in a Pastebin document.

Fortunately, code analysis discovered the modifications in time and showed that the scripts did not appear to be a serious threat, but an attacker can change such payloads at any time to push more sophisticated malicious code.

As soon as this was discovered, the AUR maintainers reverted the changes made to the package, suspended xeactor's account, and also found two more packages that xeactor had recently adopted and modified in the same manner.

More Malicious Software Packages

The AUR team also removed the other two packages without revealing their names.

So if you're an Arch Linux user who downloaded "acroread" recently, you are strongly advised to delete it.

While the breach does not pose a serious threat to Linux users, the incident definitely sparked a debate about the security of untrusted software packages.

In a comment, Arch's Giancarlo Razzolini noted that user-provided AUR packages might contain bad code and that blindly trusting such packages is not good security practice.

"I am surprised that this type of silly package takeover and malware introduction does not happen more often. This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves," Razzolini says.

"Helpers that do everything automatically and users that don't pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself."

So, with any user-maintained repository, users should double-check what they are downloading.