February 22, 2016
ISO file for free operating system download infected with botnet malware, and user forum details also stolen.
Distro duck: Botnet malware hitches ride on Linux Mint ISO
The Linux Mint operating system software download has been hacked on the community-driven distribution’s own website. The Linux Mint ISO ‘disk image’ data contents were maliciously altered, meaning that anyone downloading and installing the software over the weekend of 20/21 February 2016 will find that their machine has been compromised.
The Linux Mint operating system, which is a ‘variant’ based upon Debian and Ubuntu (two other popular Linux OS distributions), has enjoyed popularity as a result of its combination of packaged software, its focus on desktop functionality and its appealing graphical user interface (GUI).
In what can be regarded as something of a setback for fans of free and open source software (FOSS) distributions, the only compromised version was Linux Mint 17.3 Cinnamon edition.
According to the Linux Mint official blog, “We were exposed to an intrusion today. It was brief and it shouldn’t impact many people. Hackers made a modified Linux Mint ISO, with a backdoor in it and managed to hack our website to point to it.”
Who is NOT affected?
The team points out that users who downloaded another release or another edition are not affected. Users who downloaded Linux Mint via torrents or via a direct HTTP link are also not affected.
The Linux Mint blog is currently visible and details the specific technical reasons behind the attack. However, the Linux Mint website itself is offline at the time of writing. The process for checking whether a downloaded ISO file has a valid MD5 checksum is detailed at the aforementioned blog link.
For those with an interest, MD5 (message-digest algorithm 5) is a cryptographic hash function: it condenses a file of any size into a short, fixed-length digest, so comparing the digest of a downloaded file with the value published by the distributor shows whether the file has been altered.
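As an added example, not code from this article or from the Linux Mint project, the POSIX shell script below shows the kind of check the blog post describes: compute the digest of a downloaded image, look up the entry for that filename in a published checksum list, and refuse the image when the digest differs or the filename is absent. The sample image, its tampered twin and the checksum lists are constructed here in a scratch directory, and the `hash_of`/`verify_image` helpers and the `sample-distro.iso` name are assumptions of this example rather than anything Linux Mint publishes.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a published checksum list.
# Helper names, file names and sample contents below are constructed for
# illustration; they are not Linux Mint's own files or values.

# hash_of FILE ALGO : print the hex digest of FILE (ALGO is md5 or sha256)
hash_of() {
    case "$2" in
        md5)    md5sum "$1"    | awk '{print $1}' ;;
        sha256) sha256sum "$1" | awk '{print $1}' ;;
        *)      echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_image FILE LIST ALGO
# LIST is in md5sum/sha256sum format ("<hex>  <name>" or "<hex> *<name>").
# Returns 0 when the digest matches the entry for FILE's basename,
# 1 when it differs or the name is not listed, 2 on an unsupported ALGO.
verify_image() {
    file=$1; list=$2; algo=$3
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "$name: no $algo entry in $list, refusing" >&2
        return 1
    fi
    actual=$(hash_of "$file" "$algo") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "$name: $algo OK"
        return 0
    fi
    echo "$name: $algo MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# --- constructed sample data in a scratch directory ---
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/genuine" "$SAMPLE_DIR/tampered"
GENUINE="$SAMPLE_DIR/genuine/sample-distro.iso"
TAMPERED="$SAMPLE_DIR/tampered/sample-distro.iso"
printf 'hello\n' > "$GENUINE"              # stands in for the real image
printf 'hello\nbackdoor\n' > "$TAMPERED"   # same file name, altered contents
# "Published" lists carrying the known digests of the genuine contents.
MD5_LIST="$SAMPLE_DIR/md5sum.txt"
SHA256_LIST="$SAMPLE_DIR/sha256sum.txt"
printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 sample-distro.iso > "$MD5_LIST"
printf '%s  %s\n' 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 sample-distro.iso > "$SHA256_LIST"
# A list that does not mention our image at all.
printf '%s  %s\n' 00000000000000000000000000000000 other.iso > "$SAMPLE_DIR/unrelated.txt"

verify_image "$GENUINE"  "$MD5_LIST" md5                    # prints "... md5 OK"
verify_image "$GENUINE"  "$SHA256_LIST" sha256              # prints "... sha256 OK"
verify_image "$TAMPERED" "$MD5_LIST" md5 || echo "not installing $TAMPERED"
verify_image "$GENUINE"  "$SAMPLE_DIR/unrelated.txt" md5 || echo "not installing $GENUINE"
```

Two points worth keeping in mind when using a check like this. First, the list only helps if it came from somewhere the attacker could not also have edited; in this incident the download page itself was altered, so a checksum fetched from the same page proves little, which is why distributors publish the list over a separate channel and sign it. Second, MD5 is what the article and the 2016 blog post refer to, but it is no longer collision resistant, so where a SHA-256 list is available the script should be run with `sha256` instead.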
As Tim Anderson explains, “The infected ISOs installed the operating system complete with the IRC (Internet Relay Chat) backdoor Tsunami, giving miscreants access to infected systems via IRC servers.”
Tsunami is a manually configurable bot that talks to an IRC server to send a ‘flood’ of traffic to compromised websites and servers. As detailed by F-Secure, it acts as a distributed denial-of-service (DDoS) flooder that is also capable of downloading files and executing shell commands in an infected system.
Linux Mint creator Clem Lefebvre has said that the hack is connected to Sofia, Bulgaria, and that his team has pinpointed the names of three possible perpetrators. It later transpired that this might simply be the location of the file server used to store the hack’s details.
“We don’t know their roles in this, but if we ask for an investigation, this is where it will start. What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this,” said Lefebvre.
User forum details also hacked
This is not the only element in the Linux Mint hack story. Lefebvre has also confirmed that hackers have stolen a complete copy of the site’s forum login details. Members’ passwords, addresses, birthdates and profile pictures are all thought to have been copied.
The Linux Mint blog states, “It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.”
If the Linux Mint team remains clueless then they should perhaps talk to ZDNet’s Zack Whittaker who claims to have already had an encrypted chat with the hacker responsible, who goes by the name ‘Peace’.
Peace told Whittaker on Sunday that a “few hundred” Linux Mint installs were under his control and that this is ‘a significant portion’ of the thousand-plus downloads during the day.
According to ZDNet’s Whittaker, “Peace declined to give their name, age, or gender, but did say they lived in Europe and had no affiliations to hacking groups. The hacker, known to work alone, has previously offered private exploit services for known vulnerabilities services on private marketplace sites he is associated with.”
Peace was apparently ‘just poking around’ on the Linux Mint site when he or she found the vulnerability granting unauthorised access.
An external view
Richard Cassidy, technical director EMEA at Alert Logic, told SC that this particular exploit strikes at the very core of open source and will go some way towards affecting user confidence in this specific distro.
“What is very interesting is that the exploit is attributed to an IRC botnet enabling DDoS attacks; we’ve seen a stark rise in popularity of DDoS from bad-actor groups. Infecting core distros of popular open source software is a very effective way to spread a Botnet network very rapidly and effectively; furthermore it’ll remain in the public domain for some time, given file-sharing sites and torrent download areas,” he said.
“The challenge is that open source technologies and sites are far less funded and, as such, maintaining high-levels of protection with limited funds is always going to be a challenge. This particular exploit would have been effectively detected and thwarted through a well defined web application layer inspection rule set and profile, but users would have been easily able to detect something amiss through MD5 hash checking of the downloaded image – unfortunately not a process followed often enough by average users of open source software,” added Cassidy.
Overall though, Cassidy asserts that this will not affect confidence in the Mint distro.
“Not least given the sites forum details being stolen and many users details compromised. It’s time for open source providers to take note and understand that open source does not imply security by any stretch,” he added.
In line with other media covering this story, at the time of writing SCMagazineUK.com has not been able to confirm when the Linux Mint project will be fully functional again.