
Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Ars Technica reports on a credential-stealing Trojan horse that infected only some of the users who installed the "Free Download Manager". The article is based on a Kaspersky report that details the malicious payload served from that site between 2020 and 2022.

The site, freedownloadmanager[.]org, offered a benign version of the Linux download utility known as Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to launch the file at /var/tmp/crond every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.
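The persistence mechanism described above (two files dropped under /var/tmp and a cron entry that relaunches /var/tmp/crond every 10 minutes) is easy to check for. The script below is an added example written for this page; it is not the Free Download Manager team's own checker and not taken from the Kaspersky report. It only uses the indicators the summary names (the paths /var/tmp/crond and /var/tmp/bs and a cron entry referencing them); the exact form of the cron line and the idea of also looking in /etc/crontab and /etc/cron.d are assumptions, and the embedded crontab text is constructed sample data.

```shell
#!/bin/sh
# Added example (not the FDM team's or Kaspersky's code): look for the
# Free Download Manager backdoor indicators named in the article.
# Exit status convention: 0 = nothing found, 1 = at least one indicator.

# Paths the malicious install script wrote to, per the article.
FDM_IOC_PATHS="/var/tmp/crond /var/tmp/bs"

# check_crontab_text: reads crontab-style lines on stdin, prints any
# non-comment line that references an indicator path, returns 1 if one
# was found and 0 otherwise.
check_crontab_text() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;          # skip comments and blank lines
        esac
        for p in $FDM_IOC_PATHS; do
            case "$line" in
                *"$p"*) printf 'suspicious cron entry: %s\n' "$line"; found=1 ;;
            esac
        done
    done
    return $found
}

# check_files: reports whether either indicator path exists on this host.
check_files() {
    found=0
    for p in $FDM_IOC_PATHS; do
        if [ -e "$p" ]; then
            printf 'indicator present on disk: %s\n' "$p"
            found=1
        fi
    done
    return $found
}

# scan_host: run both checks against the real system. Which cron files
# the backdoor used is not stated in the article, so the user crontab,
# /etc/crontab and /etc/cron.d/* are all examined (assumption).
scan_host() {
    rc=0
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } \
        | check_crontab_text || rc=1
    check_files || rc=1
    return $rc
}

# Constructed sample crontab (not real data): one normal job plus an
# entry shaped like the persistence the article describes.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
*/10 * * * * /var/tmp/crond'

# With no argument, demonstrate on the constructed sample; with "scan",
# check the host this runs on.
case "${1-}" in
    scan) scan_host ;;
    *)    printf '%s\n' "$SAMPLE_CRONTAB" | check_crontab_text ;;
esac
```

Run it as `sh fdm_check.sh scan` on a machine that had Free Download Manager installed; a non-zero exit status means one of the indicators was present and the host deserves a closer look. The check deliberately matches on the full /var/tmp paths rather than the bare name "crond", so the legitimate system cron daemon is not flagged.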



Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Posted Sep 14, 2023 12:56 UTC (Thu) by wittenberg (subscriber, #4473) [Link]

This is a very old problem. I refer you to Ken Thompson's Turing Award lecture "Reflections on Trusting Trust" from 1984 describing how he put a back door in the earliest Unix systems.

https://dl.acm.org/doi/10.1145/358198.358210

In order to trust a system, you have to trust everything the system is built on, including the hardware, the OS, the compiler and so on. That means not only trusting the author, but also trusting all the tools he used. That's a whole lot of people you have to trust. That's one reason security is hard.

--David

Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Posted Sep 15, 2023 14:17 UTC (Fri) by FDM_team (guest, #166968) [Link] (3 responses)

Greetings from the Free Download Manager team. We acknowledge the reports regarding the security concerns and assure you that we're actively investigating their history. As of now, all links on the FDM website are secure and functional. For a comprehensive overview of the situation, we've made an official announcement on our website. We encourage everyone to get more insights here: https://www.freedownloadmanager.org/blog/?p=664

Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Posted Sep 15, 2023 14:29 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link] (2 responses)

It would be helpful if you linked to the incident from your web page and explained in a lot more detail what caused it, how it was resolved, and the specific steps taken to strengthen security.

Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Posted Sep 15, 2023 15:21 UTC (Fri) by Wol (subscriber, #4433) [Link] (1 responses)

PLEASE DON'T SHOOT THE MESSENGER.

And no, they don't have a time machine. As I read the message, the information you are asking for is not *currently* available. Which is why it's not there - quelle surprise.

Whether they'll post it when they have it, I don't know. But don't jump the gun, please.

(Unless, given your name, English is not your first language and you've used the wrong present tense, in which case sorry ...)

Cheers,
Wol

Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Posted Sep 15, 2023 15:56 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

CAPS = shouting and it isn't necessary here

> And no, they don't have a time machine. As I read the message, the information you are asking for is not *currently* available. Which is why it's not there - quelle surprise.

The report is available but it isn't being linked to. They note that the security issue was fixed accidentally but don't go into the details as to how. None of that requires any kind of time machine.

Password-stealing Linux malware served for 3 years and no one noticed (Ars Technica)

Posted Sep 21, 2023 9:12 UTC (Thu) by FDM_team (guest, #166968) [Link]

Greetings from the Free Download Manager team! Here is our latest update regarding the issue. We have created a bash script that you can use to check the presence of the malware in your system. Please review our instructions on our official page: https://www.freedownloadmanager.org/blog/?p=664
We once again sincerely apologize for any inconvenience that might have been caused.


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds