Comment by gpm

1 year ago

It says what the malware does, it's a remote access toolkit... It gives control of your machine to the malware operator.

The malware operator could have done anything with that access... There's no way for the maintainers to know what was done on any given infected machine.

Announcements like this typically contain information that will help users identify if they were compromised, such as the name of files that are dropped or modified when the malware is initialized, startup entry names, etc. Obviously the person with remote access can get in and manually start doing things on individual machines, but that doesn't mean there aren't indicators present from the programmatic actions the malware took before that point or on machines that weren't manually accessed.

  • Expecting a complete malware analysis from maintainers is a tad too much. Their goal is to notify users as soon as possible, even if no other information about the malware is available.

    Also, an attacker may leave no traces by simply dumping the payload to /tmp.

  • In addition to the point about "not being expected to do a full malware analysis"...

    Assuming the malware doesn't clean up after itself, `pacman -Q firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin` would tell you if they are installed... but if it did clean up after itself... how are the maintainers supposed to know what steps were taken to clean up given that it's a RAT that could be running different steps on different computers...
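The `pacman -Q` check above only answers whether the packages are installed right now. As an added example (not from anyone in this thread), the script below also searches pacman's transaction log, which on Arch lives at `/var/log/pacman.log` and keeps an `installed`/`removed` record for every package transaction, so a package that was removed afterwards still leaves a line there. The package names are the three from the comment; the log path and the constructed sample log lines are assumptions for demonstration.

```sh
#!/bin/sh
# Added example, not part of the thread. Two triage checks for the AUR
# packages named above: the live package database and the pacman transaction log.

SUSPECT_PKGS="firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin"

# Print each suspect package that is currently installed (requires pacman).
check_installed() {
    for p in $SUSPECT_PKGS; do
        if pacman -Q "$p" >/dev/null 2>&1; then
            echo "$p"
        fi
    done
}

# Print every log line recording an install/upgrade/reinstall/removal of a
# suspect package. $1 is the log path (defaults to /var/log/pacman.log), so it
# can be pointed at a copied log or a constructed test file.
# Returns 0 if at least one line matched, 1 otherwise.
check_log() {
    log="${1:-/var/log/pacman.log}"
    [ -r "$log" ] || return 1
    hits=0
    for p in $SUSPECT_PKGS; do
        # pacman.log lines look like:
        #   [2025-07-17T12:00:00+0000] [ALPM] installed foo (1.0-1)
        if grep -E "\[ALPM\] (installed|upgraded|reinstalled|removed) $p " "$log"; then
            hits=1
        fi
    done
    [ "$hits" -eq 1 ]
}

# Stand-alone demo on a constructed log (assumed format, written to a temp file).
demo_log=$(mktemp)
printf '%s\n' \
    '[2025-07-17T12:00:00+0000] [ALPM] installed firefox-patch-bin (1.0-1)' \
    '[2025-07-17T12:00:01+0000] [ALPM] installed firefox (128.0-1)' \
    '[2025-07-18T09:00:00+0000] [ALPM] removed firefox-patch-bin (1.0-1)' \
    > "$demo_log"
echo "Currently installed suspect packages:"
check_installed || true
echo "Transaction log entries for suspect packages (constructed sample):"
check_log "$demo_log" || echo "(none)"
rm -f "$demo_log"
```

On a real machine, run `check_log` with no argument to search the live log; a hit there means the package was present at some point even if `check_installed` prints nothing now. The grep pattern anchors on the trailing space after the package name so that `firefox-patch-bin` does not match entries for the legitimate `firefox` package.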

This is really scary for those who manage multiple things. I'm considering running a factory reset on everything from my router to my Steam Deck and remote server.

  • Uh... did you install these AUR packages? It seems quite unlikely you installed these on either a router or a Steam Deck...

    That said, if you did, yeah being hacked is scary and I feel for you.

    • As @lillylizard pointed out, it turns out that these are new packages, not compromised existing packages like I first thought. Still, the nature of the hack is a Remote Execution, as you pointed out elsewhere, meaning the hacker could pull my router password from the password manager, or grab my SSH keys and log into whatever machine is listed in the known_hosts, or just mess with my eBay account and the credit card saved on there. The hacker could in theory do literally anything I could do.

      4 replies →