Malicious Backdoor Found in Linux

Malicious code (tracked as CVE-2024-3094) was discovered in the upstream source tarballs of xz, in versions 5.6.0 and 5.6.1. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source tree and uses it to modify specific functions in the liblzma code. The result is a modified liblzma library that is loaded by any software linked against it, letting the injected code intercept and alter data passing through the library. In practice the code targeted OpenSSH servers: on distributions whose sshd is patched to link libsystemd, which in turn loads liblzma, the trojaned library ends up inside the sshd process, so the real risk was to exposed SSH servers running those two upstream releases rather than to compression itself.
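As an added example (this is not code from the video, from Britec, or from the xz project), here is a POSIX shell script that performs the two checks a practitioner wants after reading the description above: whether the installed xz reports one of the backdoored upstream releases (5.6.0 or 5.6.1), and whether sshd on the host links liblzma at all, which is the path the injected code used to reach the SSH daemon on distributions whose sshd links libsystemd. The function names, the sshd locations tried and the sample version strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the video or the xz project): a quick exposure
# check for the xz backdoor. It answers two questions about a host:
#   1. is the installed xz one of the two backdoored upstream releases?
#   2. does sshd link liblzma (directly or via libsystemd)?
# It flags exposure only; it does not scan the library for the injected
# code. Function names and the sshd paths tried are this script's own.

# True (exit 0) when the version string is one of the backdoored releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the upstream version out of `xz --version` output read from stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the first
# line does not look like xz's banner.
xz_version_from_output() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# True (exit 0) when the executable at $1 pulls in liblzma. ldd lists
# transitive dependencies, so an sshd that links libsystemd (which loads
# liblzma) is reported as linking liblzma here.
binary_links_liblzma() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# Run both checks against the live system and print a short report.
# Never exits non-zero on its own, so the file is safe to source.
report_xz_exposure() {
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if [ -z "$ver" ]; then
        echo "xz: not found in PATH"
    elif xz_version_is_affected "$ver"; then
        echo "xz: $ver is a backdoored upstream release, update immediately"
    else
        echo "xz: $ver is not one of the backdoored upstream versions"
    fi
    # Assumed install locations; adjust for your distribution.
    for sshd in /usr/sbin/sshd /usr/local/sbin/sshd; do
        if [ -x "$sshd" ]; then
            if binary_links_liblzma "$sshd"; then
                echo "$sshd links liblzma (exposed if the library is trojaned)"
            else
                echo "$sshd does not link liblzma"
            fi
            return 0
        fi
    done
    echo "sshd: not found in the usual locations"
}

report_xz_exposure
```

Two caveats when reading the output. The version check trusts the banner, and distributions that reverted to an older upstream (Debian's `5.6.1+really5.4.5`, for instance) report the old version, so confirm with the package manager (`dpkg -l xz-utils liblzma5` or `rpm -q xz xz-libs`) rather than the banner alone. And "links liblzma" means exposure, not compromise: a current liblzma linked into sshd is the normal state on those distributions.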

❤️ Join Britec YouTube Members:
Comments

Author

A patch has been released to mitigate this issue 🎉 It was made available on 31 March 2024.

adriancruz

Thank you, Brian!
I run MX Linux, so I needed to hear about this.
Fortunately MX is Debian-based, and Debian fixed this some time ago in a previous version.

jons

People are missing the point. The malicious code was found BECAUSE it was open source. If you buy a license for a binary-only software release, be it an application or an operating system, then it is basically a matter of blind faith, moderated by the fact that the software developers have a reputation to protect.
And sure, you can use computer forensics to detect malicious code execution. Does that compression utility really need an internet connection and an open port? That kind of thing. But having the source code helps, because it can point you to other problems. "Daylight is the best disinfectant", as the saying goes.
And sure, because it is open source, a malicious agent can compile some stuff and put it on the internet. There is no perfect solution.
But if open source were patronized by many more users, there would be security in numbers. You can make almost any program or utility do bad things. Is a utility that wipes a disk a useful one, or malware? The answer is the use case. If you delete people's files [without permission], or steal data, those are crimes.

roberthunter

At least it has been found and is being dealt with :)
Regardless of the OS, I am happy to see devs work together and fix major issues.

welshtony

I think we need to make people aware that this is no ordinary backdooring; it was allegedly done via reasonably well-organised social engineering over the course of 2-3 years, possibly by organised or state-sponsored threat actors. It's not something done due to poorly written code that has been exploited; we're potentially talking about abuse of trust and deception.

We also need to accept that such things could have happened at big tech corporations, such as Microsoft, where a bad actor manages to evade detection whilst being an employee of said corporation. However, I think the difference would be that closed-source software organisations would be able to (and probably do) suppress such incidents, whereas open-source software is considerably more transparent. Again, there are pros and cons to both approaches.

Finally, I think this is a big wake-up call to open source projects, and proves trust can be easily misplaced, especially when the main project maintainer is suffering from burnout and mental health issues. I think we need to show contempt for the con men and compassion for the conned, particularly when it is people's generosity, passion and dedication being exploited instead of greedy corporate shareholders and top-level executives.

ScottParsloe

Yeah, this is why we have testing and beta versions of software and distros. It got caught early, it got booted early. Moving on, nothing to see here. The power of open source. (Technically it was a backdoor in GNU core utils, not Linux.) It screwed my weekend, that much I can tell you: checking Azure deployments, no compromises found. The community got a bit hysterical over that one.

notjustforhackers

Apparently it got noticed early, while the new maintainer who was fiddling with xz was still trying to perfect his mischief. So his version hadn't had time to get incorporated into the stable distros that I use. And the one Arch-based rolling distro that I use had already removed the bad version by the time that I checked.
"Your mileage may vary", of course, but the Linux community seems to have gotten lucky in this instance.

Gnabbist

Yes, I heard about that also, and from what I read it only affects the rolling and testing versions, not Debian stable or Ubuntu LTS. Though Debian say on their website that they have now patched their testing versions because of this. On Windows we just scan with anti-virus software. Maybe we should do the same thing on Linux. There is also anti-virus software, as well as firewalls, for Linux that we could use.

AndreaBorman

Great find, Brian. Shows that Linux is not perfect lol. Keep up the good work.

richtech

I am 100% sure that Msoft and the establishment had absolutely nothing to do with this attack on Linux.

WillyEckaslike

Pretty much no OS is 100% safe, be it Windows, macOS or Linux.

Ghastly

No matter how secure an OS, be it Linux, macOS or Windows, may be thought to be, unfortunately it's like a lock: if a thief really wants access, they will find a way in. Sorry, it's a fact of life for us all. Thanks for bringing it to attention!

lloydc

Seems like it only affected bleeding-edge releases.

gezb

Yes, Brian, this is just the tip of some floating iceberg of viruses, not only for Windows, which we know is the OS we think of as your average user's choice, but sadly now Linux too. I guess, as you say, any OS is vulnerable, simply because one doesn't have to be a rocket scientist to work out that the way any OS and its programming is made up is susceptible to anyone who is programming-savvy and can just work out or manipulate the code needed to infect any program made by any other person.

johngoard

If I didn't know otherwise and didn't keep my eyes and ears to the ground, I'd have thought this was an April Fools' joke 🫵👍

Ratchet_effect

macOS is still the most secure OS, and Apple patches security holes faster than any vendor on the market.

hotmixer

Good to know, but I'll take my chances.

estried

...in Linux, in Fedora, in pfSense, etc., etc.

aletubecordoba

I have version 5.2.5-2.1~deb11u1, so I'm safe.

pcfred

Great. Watching this on my Linux Mint PC. Is there any way to determine if this program is in my OS? Thanks for the video.

mojoneko