by gpm 336 days ago
It says what the malware does, it's a remote access toolkit... It gives control of your machine to the malware operator.

The malware operator could have done anything with that access... There's no way for the maintainers to know what was done on any given infected machine.


Announcements like this typically contain information that will help users identify if they were compromised, such as the name of files that are dropped or modified when the malware is initialized, startup entry names, etc. Obviously the person with remote access can get in and manually start doing things on individual machines, but that doesn't mean there aren't indicators present from the programmatic actions the malware took before that point or on machines that weren't manually accessed.
Expecting a complete malware analysis from maintainers is a tad too much. Their goal is to notify users as soon as possible, even if no other information about the malware is available.

Also, an attacker may leave no traces by simply dumping the payload to /tmp.

In addition to the point about "not being expected to do a full malware analysis"...

Assuming the malware doesn't clean up after itself, `pacman -Q firefox-patch-bin librewolf-fix-bin zen-browser-patched-bin` would tell you if they are installed... but if it did clean up after itself... how are the maintainers supposed to know what steps were taken to clean up given that it's a RAT that could be running different steps on different computers...

This is really scary for those who manage multiple things. I'm considering running a factory reset on everything from my router to my Steam Deck and remote server.
Uh... did you install these AUR packages? It seems quite unlikely you installed these on either a router or a Steam Deck...

That said, if you did, yeah being hacked is scary and I feel for you.

As @lillylizard pointed out, it turns out that these are new packages, not compromised existing packages like I first thought. Still, the nature of the hack is a Remote Execution, as you pointed out elsewhere, meaning the hacker could pull my router password from the password manager, or grab my SSH keys and log into whatever machine is listed in the known_hosts, or just mess with my eBay account and the credit card saved on there. The hacker could in theory do literally anything I could do.
Sure, but only if you’d installed the affected AUR packages. Even if they were old packages, probably your SteamOS didn’t install them from the AUR.
Whether or not SteamOS installed them is irrelevant. All the hacker would need is to compromise a machine that had some sort of remote access to other devices (ssh in this case, with some sort of keylogger to decrypt the private key).
You are not compromised unless you specifically installed one of these 3 packages on one of your machines:

- librewolf-fix-bin

- firefox-patch-bin

- zen-browser-patched-bin

The packages were only available for download for 3 days, and the only way you could have installed them is if you explicitly typed one of the package names into your terminal within those 3 days.

Did you do that? If no, then you are not compromised.
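
As an added example (not code from this thread, from Arch, or from the package maintainers), here is a Python check that covers both points raised above: the "did you install one of the three names" question, and the "what if it cleaned up after itself" case from the `pacman -Q` comment. It scans /var/log/pacman.log, which records every ALPM install/remove transaction and therefore still shows a package that was installed and later removed, unlike `pacman -Q`, which only reports what is installed right now. The sample log lines are constructed for the example.

```python
import re
import sys

# The three malicious AUR package names named in this thread.
SUSPECT_PACKAGES = {"librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin"}

# One ALPM transaction line from /var/log/pacman.log, e.g.
# [2025-07-17T21:14:03+0000] [ALPM] installed librewolf-fix-bin (1.0-1)
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] (?P<action>installed|removed|upgraded|reinstalled) "
    r"(?P<pkg>\S+) \((?P<ver>[^)]*)\)$"
)

# Constructed sample log: one suspect package installed then removed (cleanup),
# one still present, and the legitimate librewolf-bin, which must NOT match.
SAMPLE_LOG = """\
[2025-07-16T09:00:01+0000] [ALPM] upgraded firefox (128.0-1 -> 128.0.1-1)
[2025-07-17T21:14:02+0000] [PACMAN] Running 'pacman -U librewolf-fix-bin-1.0-1-x86_64.pkg.tar.zst'
[2025-07-17T21:14:03+0000] [ALPM] installed librewolf-fix-bin (1.0-1)
[2025-07-17T21:20:15+0000] [ALPM] installed zen-browser-patched-bin (1.0-1)
[2025-07-18T08:02:10+0000] [ALPM] removed librewolf-fix-bin (1.0-1)
[2025-07-19T12:00:00+0000] [ALPM] installed librewolf-bin (139.0.4-1)
"""

def scan_pacman_log(lines, suspects=SUSPECT_PACKAGES):
    """Return (timestamp, action, package, version) for every suspect-package event, in log order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("pkg") in suspects:
            events.append((m.group("ts"), m.group("action"), m.group("pkg"), m.group("ver")))
    return events

def verdict(events):
    """Split suspect packages into ever seen, still installed, and installed-then-removed."""
    last_state = {}  # package -> True if the most recent event left it installed
    for _, action, pkg, _ in events:
        last_state[pkg] = action != "removed"
    ever = set(last_state)
    later_removed = {p for p, present in last_state.items() if not present}
    return {"ever_installed": ever, "currently_installed": ever - later_removed, "later_removed": later_removed}

if __name__ == "__main__":
    # Real use: python3 check_aur.py /var/log/pacman.log ; with no argument the sample log is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for key, pkgs in verdict(scan_pacman_log(lines)).items():
        print(f"{key}: {sorted(pkgs) or 'none'}")
```

An empty "ever_installed" set means none of the three names ever went through pacman on that machine; a non-empty "later_removed" set is exactly the cleanup case that `pacman -Q` would miss.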

I wonder if he even has any unofficial packages installed.
I had the regular librewolf-bin package installed on a couple of my machines. It took me a bit of time to note that librewolf-fix-bin is something separate.