Privacy Security Linux

Password-Stealing Linux Malware Served For 3 Years and No One Noticed (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A download site surreptitiously served Linux users malware that stole passwords and other sensitive information for more than three years until it finally went quiet, researchers said on Tuesday. The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.

After accessing an IP address for the malicious domain, the backdoor launched a reverse shell that allowed the attackers to remotely control the infected device. Researchers from Kaspersky, the security firm that discovered the malware, then ran the backdoor on a lab device to observe how it behaved. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," the researchers wrote in a report on Tuesday. "After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers' infrastructure."
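The persistence mechanism the summary describes (a cron entry launching /var/tmp/crond every 10 minutes, with /var/tmp/bs and the later /var/tmp/atd uploader dropped beside it) is straightforward to check for on a host. The POSIX shell script below is an added example written for this page, not code from the Ars Technica article or from Kaspersky's report: it flags crontab entries that execute anything out of a world-writable temp directory and lists which of the three reported paths exist. The crontab locations are assumed to follow the Debian/Ubuntu layout (the malicious package was a .deb), the sample crontab is constructed for the demo, and the optional ROOT argument lets the path check run against a mounted disk image instead of the live filesystem.

```shell
#!/bin/sh
# Added example, not code from the Ars Technica article or Kaspersky's report.
# Checks a Linux host for the persistence pattern described in the summary:
# a cron entry running a binary out of /var/tmp, plus the three file paths
# the report names. Crontab locations assume a Debian/Ubuntu layout; adjust
# them for other distributions.

# File paths quoted in the report (the only host-specific values here).
IOC_PATHS="/var/tmp/crond /var/tmp/bs /var/tmp/atd"

# Constructed sample crontab for the demo; not a real capture.
SAMPLE_CRONTAB='# constructed sample crontab
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * root /usr/bin/certbot renew --quiet
*/10 * * * * /var/tmp/crond
@reboot /tmp/.cache/update.sh
15 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf'

# Read crontab text on stdin and print the entries whose command references
# a world-writable temp directory. Comment lines are skipped. Exit status is
# grep's: 0 when at least one entry was flagged, 1 when none.
flag_tmp_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E '(^|[[:space:]])(/var/tmp|/tmp|/dev/shm)/'
}

# Same scan, but print only the number of flagged entries.
count_tmp_cron_lines() {
    flag_tmp_cron_lines | wc -l | tr -d ' '
}

# Print whichever of the reported paths exist under ROOT (default: the real
# filesystem root). Exit status 0 if any exist, 1 if none. ROOT lets the
# check run against a mounted image or a test tree.
check_ioc_paths() {
    root="${1:-}"
    found=1
    for p in $IOC_PATHS; do
        if [ -e "${root}${p}" ]; then
            printf '%s\n' "${root}${p}"
            found=0
        fi
    done
    return "$found"
}

# Read-only scan of the usual crontab sources on the live host. The system
# crontabs are world-readable; the per-user spool needs root.
scan_host_crontabs() {
    {
        cat /etc/crontab 2>/dev/null || true
        cat /etc/cron.d/* 2>/dev/null || true
        cat /var/spool/cron/crontabs/* 2>/dev/null || true
    } | flag_tmp_cron_lines
}

# Demo: the constructed sample first, then the host this script runs on.
echo "== sample crontab =="
printf '%s\n' "$SAMPLE_CRONTAB" | flag_tmp_cron_lines || echo "(nothing flagged)"
echo "== this host: cron entries in temp dirs =="
scan_host_crontabs || echo "(nothing flagged)"
echo "== this host: reported file paths =="
check_ioc_paths || echo "(none present)"
```

Run it as root to include per-user crontabs. A hit is a lead rather than a verdict, since admin scripts occasionally live in /tmp as well; confirm by inspecting the flagged binary (whether any package owns it via `dpkg -S`, its hash, and what it connects to) before treating the host as compromised.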

  • Inconceivable! (Score:5, Insightful)

    by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Wednesday September 13, 2023 @08:09PM (#63846698) Homepage

    How could something I found on the internet called "Free Download Manager" possibly be anything other than helpful??!

    • by TheRealMindChild ( 743925 ) on Wednesday September 13, 2023 @08:21PM (#63846714) Homepage Journal

      Not Linuxy enough for you? How about "Nafredom" for "Not a Free Download Manager"?

    • Re:Inconceivable! (Score:5, Insightful)

      by Waccoon ( 1186667 ) on Wednesday September 13, 2023 @10:01PM (#63846922)

      A long, long time ago, some of them were helpful. I'm old enough to remember when web browsers would regularly freeze in the middle of a 2MB download, and if you restarted the download, the browser would start over from the beginning rather than resuming.

      Web browsers are still pretty terrible, but you whippersnappers have no idea how much worse they were 25 years ago.

• That's why back in the day we used to use apps like Gwget or FileZilla, which were included in available distros. Never ever had a need to use a ("free") download manager from third-party websites.

• Back in the days when IE was pretty much the only game in town, a download manager extension was a must, if only to get a file before a glitch caused the connection to fail. Even then, you couldn't trust much, so if you wanted downloads, you used something like VMWare and did the downloads in a nice safe virtual machine that had the ability to roll back snapshots, because even with "good" download managers, there was a high chance that your IE install would get a lot of adware bars installed, and one prog

      • I remember. It was the worst when you were nearing the end of the download and someone picked up the phone...

  • by Flavianoep ( 1404029 ) on Wednesday September 13, 2023 @08:48PM (#63846752)

    I don't get it. Isn't it what wget, aria2, curl, Kget etc. do? Who would look for something else, especially outside the repositories? Anyway, what Linux user downloads apps from random websites?

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      Not everyone uses curl and wget on the cli. Free Download Manager was probably appealing to new-to-Linux desktop users since it handled not only HTTP/HTTPS downloads with retry and resume but also Torrents and video downloads from YouTube.
    • Re: (Score:3, Interesting)

      by drinkypoo ( 153816 )

      Download managers used to be very popular back when internet connections were bad, because they handled multiple protocols in a single interface, and managed resume much better and more easily than other interfaces. Also, as some other comments have pointed out, they help manage multi-stream downloads.

    • by timeOday ( 582209 ) on Wednesday September 13, 2023 @09:39PM (#63846870)
      That's why nobody noticed it for 2 years.

      Tree falling in an empty forest blah blah.

    • by burni2 ( 1643061 )

      "Anyway, what Linux user downloads apps from random websites?"

I call that "Ignorant Bliss" of the apt-getters,
because yes, those package systems have maintainers etc. and build systems - but the source code could be compromised.

      Don't use apt?
      -> how about npm?

There was malware in the supply chains all over in the past, and when the source code repository is manipulated and not detected, even apt packages will be built from that, ready to install on your computer just one click away .. .. have you ever coun

      • "the same domain at times redirected users to the domain deb.fdmpkg" - those maintainers are expected to get the sources from the official git and they are expected to be in contact with the project they package, so they know when the website was hacked.

    • Who would look for something else

      People downloading more than one thing. If you don't understand why someone would use a download manager, then you don't need a download manager.

      Will wget auto-fill captchas for you?
      Will wget asynchronously fetch multi-part archives and then automatically extract them for you?
      Will wget download streams splitting them into their component parts in all qualities for you?
      Will wget integrate with your browser to autofetch 20 links with a single click?
      Will wget log into a website with your account so that you ca

    • by azouhr ( 8526607 )
When I saw that this is a deb package format, I immediately knew that this was targeted at Ubuntu users. And yes, maybe someone should tell them to remove that blog entry: https://ubunlog.com/en/free-do... [ubunlog.com]
    • by AmiMoJo ( 196126 )

      More "normies" are starting to use Linux. Loads of YouTube videos trying to convince them that it's a good desktop operating system now.

      So naturally the same issues that Windows has come with them. People need to download something, they search DuckDuckGo for "linux free download manager", and malware comes up.

• So it sat for 3 years. Cool. As others posted, yup, nobody uses this. It isn't 1998 anymore. No experienced user would ever do this. Which leaves the target (whether intentional or not) audience:

    High school and potentially first year college students that are used to a windows world where you go and download everything. So the attackers got a whole bunch of logins for ... ebay and newegg? Maybe their student loan info if any college kid ever tried to look at that over the course of the first year. Who

    • I would have never even guessed something like this existed or have thought to look for it, let alone installed it. Anyone else I know who runs or uses Linux is much the same. It's like a bug in some unused software function in that it remains undiscovered because no one actually uses it.
    • Do you think high school or first year college students have ever used a download manager in their life? Other than BitTorrent clients, of course... Sure, old farts like us used them some 20 years ago, but in the last 10-15 years I don't remember doing so.

    • Cryptobros told to use Ubuntu instead of Windows.

      That's a fine upgrade but then they....

  • [ducking head and running for the exit...]

    • by stooo ( 2202012 )

      >> Shouldda used Windows!
      Not really.
      Windows has no repository management unified for user software, while Linux sure has this.
You don't simply download random SW from dubious sites when using Linux; you simply select the software in the package manager (Synaptic or similar).

• It claims to be 100% free and open source under fucking "GPL"; that in itself is a statement of quality and an anchor of trust.

    But .. try to find that source code on the website, I looked for it and found nothing.

Some quick googling brought this up:
    https://sourceforge.net/projec... [sourceforge.net]

    That version naming is also very reassuring.

    Sorry guys, but this website in itself stank even on the first look.

    But let me say it in the name of random stock photo female customer "Kristen Pawlson" with a fucking praising comment

I want to thank you for developing such a wonderful tool and even offering it for free. In my opinion it is the best advertising-free download manager - as far as I know there is no comparable tool out there.

    Who nee

  • "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services"
    _System information
    Well, ok.

    _Browsing history
    No such thing, my browser is set to delete it on program exit.

    _Saved passwords
    Are you kidding me? No such thing on my computer.

    _Cryptocurrency wallet files
    Crypto what?

    _Credentials for cloud services
    See passwords

  • Any software that has "free" in its name is 99% malware, spyware, or bad in some way, these days...
• I would not have used it if I had heard of it
  • So an obviously dodgy website, offered an obviously dodgy tool, that is not needed, to people who wouldn't want it, look for it, or download it ...

the very few who actually might download it probably didn't know how to get it to run at all..

    Kaspersky are trying to drum up business again I see ...

  • Probably nobody noticed because almost nobody used it.
