Password-Stealing Linux Malware Served For 3 Years and No One Noticed (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A download site surreptitiously served Linux users malware that stole passwords and other sensitive information for more than three years until it finally went quiet, researchers said on Tuesday. The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.
After accessing an IP address for the malicious domain, the backdoor launched a reverse shell that allowed the attackers to remotely control the infected device. Researchers from Kaspersky, the security firm that discovered the malware, then ran the backdoor on a lab device to observe how it behaved. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," the researchers wrote in a report on Tuesday. "After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers' infrastructure."
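A defender's check for the persistence mechanism the report describes, added here as an example and not code from the Ars Technica or Kaspersky report: it parses crontab-style lines and flags entries that execute binaries out of /var/tmp or other world-writable temp directories, including the exact drop paths the report names. The sample crontab content is constructed; the paths come from the page.

```python
import os
import re
from typing import Dict, List

# Constructed sample crontab, modelled on the page's description of a
# /var/tmp/crond entry launched every 10 minutes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * /var/tmp/crond
@reboot /usr/local/bin/backup.sh
"""

# Drop paths the report attributes to this campaign.
KNOWN_DROP_PATHS = {"/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"}

# Cron running anything from a world-writable temp directory is suspicious on its own.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Either an @-shortcut or five schedule fields, followed by the command.
CRON_LINE = re.compile(r"^(?:(@\w+)|((?:\S+\s+){5}))(.*)$")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into {schedule, command} entries, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule = (m.group(1) or m.group(2)).strip()
        entries.append({"schedule": schedule, "command": m.group(3).strip()})
    return entries


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return entries whose command tokens hit a known drop path or a temp directory.
    Token matching also covers /etc/cron.d lines, which carry a user field before the command."""
    hits = []
    for entry in parse_crontab(text):
        tokens = entry["command"].split()
        reasons = []
        if any(t in KNOWN_DROP_PATHS for t in tokens):
            reasons.append("known FDM backdoor path")
        if any(t.startswith(TMP_DIRS) for t in tokens):
            reasons.append("executes from temp dir")
        if reasons:
            hits.append({**entry, "reason": "; ".join(reasons)})
    return hits


def existing_drop_files(paths=KNOWN_DROP_PATHS) -> List[str]:
    """Report which of the known drop paths are present on this host (empty on a clean machine)."""
    return sorted(p for p in paths if os.path.exists(p))
```

On a live host, feed `find_suspicious` the contents of /etc/crontab, /etc/cron.d/* and each user's `crontab -l` output, and treat any hit as grounds for a closer look rather than proof of compromise.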
Inconceivable! (Score:5, Insightful)
How could something I found on the internet called "Free Download Manager" possibly be anything other than helpful??!
Re:Inconceivable! (Score:4, Funny)
Not Linuxy enough for you? How about "Nafredom" for "Not a Free Download Manager"?
Re: Inconceivable! (Score:2)
YADM :)
Re:Inconceivable! (Score:5, Insightful)
A long, long time ago, some of them were helpful. I'm old enough to remember when web browsers would regularly freeze in the middle of a 2MB download, and if you restarted the download, the browser would start over from the beginning rather than resuming.
Web browsers are still pretty terrible, but you whippersnappers have no idea how much worse they were 25 years ago.
Re: (Score:2)
That's why back in the day we used to use apps like Gwget or FileZilla, which were included in available distros. Never-ever had a need to use a ("free") download manager from third-party websites.
Re: (Score:2)
Back in the days when IE was pretty much the only game in town, a download manager extension was a must, if only to get a file before a glitch caused the connection to fail. Even then, you couldn't trust much, so if you wanted downloads, you used something like VMWare and did the downloads in a nice safe virtual machine that had the ability to roll back snapshots, because even with "good" download managers, there was a high chance that your IE install would get a lot of adware bars installed, and one prog
Re: Inconceivable! (Score:1)
But it still couldn't stop a process from shadowing memory system said it could. Which is the problem. Any app level process is now allowed to read memory as demanded without even knowing what is there. Windows was actually good at controlling that by explicitly allowing a small set of processes to call that memory. Windows exploits were mostly confined to processes running in an active user's context.
Re: (Score:2)
Back in college, all the Macs had the same problems. I did all my lab work on HP-UX systems, and the web browsers had issues there, too.
It wasn't because of some magical bullshit registry setting that only affected Windows.
Re: (Score:2)
I remember. It was the worst when you were nearing the end of the download and someone picked up the phone...
What the hell is "download manager"? (Score:4, Insightful)
I don't get it. Isn't it what wget, aria2, curl, Kget etc. do? Who would look for something else, especially outside the repositories? Anyway, what Linux user downloads apps from random websites?
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Download managers used to be very popular back when internet connections were bad, because they handled multiple protocols in a single interface, and managed resume much better and more easily than other interfaces. Also, as some other comments have pointed out, they help manage multi-stream downloads.
Re: What the hell is "download manager"? (Score:1)
I think what they're getting at isn't "no one needs a download manager", it's that there are built-in (or readily available) open-source tools that do that, and you shouldn't really need to download a closed-source program unrelated to your distro if open-source tools suit your needs.
Despite what those pushing .debs, appimages, flatpaks and snaps would have you believe, the most trustworthy (but not infallible) chain is going to be
Re: What the hell is "download manager"? (Score:1)
Apps directly from your distro's repositories.
Arthritic thumbs fat-fingered the send button halfway through that rant.
Re: What the hell is "download manager"? (Score:2)
On mobile, there is.
Re: (Score:1)
Internet connections are still very bad in a lot of places.
Re:What the hell is "download manager"? (Score:5, Insightful)
Tree falling in an empty forest blah blah.
Re: (Score:2)
"Anyway, what Linux user downloads apps from random websites?"
I call that "Ignorant Bliss" of the apt-getters,
because yes those package systems have maintainers etc.. and build systems - but the source code could be compromised.
Don't use apt?
-> how about npm?
There was malware in the supply chains all over in the past, and when the source code repository is manipulated and not detected, even apt packages will be built from that, ready to install on your computer just one click away .. .. have you ever coun
Re: (Score:2)
"the same domain at times redirected users to the domain deb.fdmpkg" - those maintainers are expected to get the sources from the official git and they are expected to be in contact with the project they package, so they know when the website was hacked.
Re: (Score:3)
Who would look for something else
People downloading more than one thing. If you don't understand why someone would use a download manager, then you don't need a download manager.
Will wget auto-fill captchas for you?
Will wget asynchronously fetch multi-part archives and then automatically extract them for you?
Will wget download streams splitting them into their component parts in all qualities for you?
Will wget integrate with your browser to autofetch 20 links with a single click?
Will wget log into a website with your account so that you ca
Re: (Score:1)
Re: (Score:2)
More "normies" are starting to use Linux. Loads of YouTube videos trying to convince them that it's a good desktop operating system now.
So naturally the same issues that Windows has come with them. People need to download something, they search DuckDuckGo for "linux free download manager", and malware comes up.
Target audience (Score:2)
So it sat for 3 years. Cool. As others posted; yup nobody uses this. It isn't 1998 anymore. No experienced user would ever do this. Which leaves the target (whether intentional or not) audience:
High school and potentially first year college students that are used to a windows world where you go and download everything. So the attackers got a whole bunch of logins for ... ebay and newegg? Maybe their student loan info if any college kid ever tried to look at that over the course of the first year. Who
Re: (Score:3)
Re: (Score:2)
Linux still has the mentality that you should NEVER use root, but everything at a command prompt requires you to use sudo.
Windows isn't the only OS that stubbornly clings to old, bad habits. Every time you feel the urge to point and laugh at other people, take a deeper look at yourself and your own practices. Denial is not a pretty thing.
Re: (Score:2)
For any normal user (i.e. not neckbeard, not server admin) about the only time a user is required to open the command prompt they will be doing something that requires sudo.
Re: (Score:2)
I blame the Ubuntus, RHEL and friends of the Linux world for this. Every time you search for an issue you see do "sudo blah blah" to fix. So Windows people just end up using sudo for everything thinking it is magic.
Along with that, Linux is slowly becoming a Windows Clone with the changes by freedesktop.org pushing DE on all of us. I just want a simple Window Manager where I decide what to do, not having popups every 5 seconds telling me something happened and it says click here to see.
Re: (Score:2)
Re: (Score:2)
Do you think high school or first year college students have ever used a download manager in their life? Other than BitTorrent clients, of course... Sure, old farts like us used them some 20 years ago, but in the last 10-15 years I don't remember doing so.
Re: (Score:2)
Cryptobros told to use Ubuntu instead of Windows.
That's a fine upgrade but then they....
Shouldda used Windows! (Score:2)
[ducking head and running for the exit...]
Re: (Score:2)
>> Shouldda used Windows!
Not really.
Windows has no repository management unified for user software, while Linux sure has this.
You don't simply download random SW from dubious sites when using Linux, you simply select the software in the package manager (Synaptic or similar).
freedownloadmanager.org is suspicious anyway (Score:2)
It claims to be 100% free and open source under fucking "GPL"; that in itself is a statement of quality and anchor of trust.
But .. try to find that source code on the website, I looked for it and found nothing.
Some quick googling brought this up
https://sourceforge.net/projec... [sourceforge.net]
That version naming is also very reassuring.
Sorry guys, but this website in itself stank even on the first look.
But let me say it in the name of random stock photo female customer "Kristen Pawlson" with a fucking praising comment
I want to thank you for developing such a wonderful tool and even offering it for free. In my opinion it is the best advertising-free download manager — as far as I know there is no comparable tool out there.
Who nee
Prudent habits are worth it. (Score:1)
"This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services"
_System information
Well, ok.
_Browsing history
No such thing, my browser is set to delete it on program exit.
_Saved passwords
Are you kidding me? No such thing on my computer.
_Cryptocurrency wallet files
Crypto what?
_Credentials for cloud services
See passwords
Free? (Score:1)
Any software that has "free" in its name is 99% malware, spyware, or bad in some way, these days...
Re: (Score:3)
Just like FreeBSD?
Re: Free? (Score:1)
Re: (Score:1)
Never heard of it (Score:2)
Nobody noticed, because nobody used it ... (Score:2)
So an obviously dodgy website offered an obviously dodgy tool, that is not needed, to people who wouldn't want it, look for it, or download it ...
The very few who actually might download it probably didn't know how to get it to run at all..
Kaspersky are trying to drum up business again, I see ...
Re: Nobody noticed, because nobody used it ... (Score:2)
Oh, well, Kaspersky is having a tough time recently. Most likely at least half of their usual "advisors" have been reassigned to infantry and, subsequently, blown to pieces. One of them even shot himself in the back of the head four times while falling off a balcony!
Never heard of it (Score:2)
Probably nobody noticed because almost nobody used it.