Malware Found In the Ubuntu Snap Store

An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.

Re:

[account_deleted]

Comment removed based on user account deletion

*Nix needs a Zone Alarm equivalent

[Anonymous Coward]

This is why Linux needs the equivalent of the Zone Alarm firewall. Something that will alert a desktop user every time a program first attempts to connect to the internet and allow the user to say yes or no to the attempt. If your firewall allows all outbound traffic by default you do no have a hope in hell of catching a malware infection...

If you've got such software then at least you know something nasty has managed to infect your machine as you'll spot it the first time it tries to "phone home"..

Re: *Nix needs a Zone Alarm equivalent

[Anonymous Coward]

Most people block incoming by default, but not outgoing. The reason is simply convenience; if the desktop environment showed you a GUI popup asking permission every time an outgoing connection was attempted, it would be much easier for the average user to adopt. Pretty sure that's what the grandparent was talking about; if you still think its trivial, I'd love a link to instructions :)

Re: *Nix needs a Zone Alarm equivalent

[Anonymous Coward]

For users that are neither gamers nor developers there arent really that many programs that needs to connect to internet. Especially not when upgrades are managed by a packet manager.

If the browser, mail program and updater are all installed and flagged as OK by the OS, any popup that asks about internet access should be fairly uncommon.

Re:

[tepples]

If the browser, mail program and updater are all installed and flagged as OK by the OS, any popup that asks about internet access should be fairly uncommon.

Add to that list your chat client, your file backup client, your RSS reader, your weather widget, your NTP (time of day updating) client, your music streaming client, your video streaming clients...

Re:

[antdude]

That is not user friendly to non-technical users. He is asking something like Zone Alarm, Conseal PC Firewall, Norton, Outpost, PC Tools Firewall Plus, etc. They have nice GUI and pop-ups to let users allow or deny.

Re:

[johnsie]

This isn't the 1980s. A more user friendly approach would be far more useful for a majority of desktop users.

Re:

[cfalcon]

> BTW Snaps are basically containers so some of the damage is contained.

The malware in question doesn't eat your files or snoop your keyboard or any of the more traditional vectors that a bad actor asks "what would be good lulz and/or allow me to steal data from the owner that I can use elsewhere". It will probably still allow you to be part of a botnet for a DDOS or something like that, but in this case it wasn't network shenanigans either- it was cryptocurrency. It's very unusual to try to preserve y

Re:

[Opportunist]

You mean like ufw?

Re:

[Anonymous Coward]

I've never cared much for ufw. It's basically just a GUI for setting rules for iptables. When I'm working with iptables, I'd rather set them manually through a shell.

I believe GP just meant something that would give a notification when a program tried to communicate out that's not on the "approved" list.

I'd much prefer something along the lines of atguard, before Symantec raped it. The feature I liked from atguard was the "Rule Assistant" that would give a popup when something didn't match one of the rules.

Re:

[ArchieBunker]

Give that asshole Poettering five minutes and he'll shit out some systemd code.

Re: *Nix needs a Zone Alarm equivalent

[niftydude]

It's called firestarter. Been around for ages.

Re: unsafe?

[Z00L00K]

It just highlights that something worse could have been attached.

However it also highlights that there's a need to also be able to invalidate cryptocurrency obtained through illegal means.

Re: unsafe?

[phantomfive]

If a central power has the ability to cancel a crytocurrency transaction, then that kind of ruins the point of cryptocurrencies. At that point it becomes way more efficient to just use a database, or several, like our banking system now.

Re:

[cfalcon]

> However it also highlights that there's a need to also be able to invalidate cryptocurrency obtained through illegal means.

Illegal according to whom? The Chinese government? If you shook your head no, then why wouldn't they be able to, if a government you approve of is able to do so?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[tlhIngan]

I'm uncomfortable with the term malware too, but let's be honest: unwanted cryptocurrency mining software is going to slow down your PC, drain your battery faster if you have a laptop, and, unpredictably, cause more heat which, depending on the state of your fan, might cause problems too.

I'm still in two minds about the concept, but if we're going to see more software "funded" by mining, then we need to see some standards set otherwise "software funded by mining" will become synonymous with malware, even if

This is so wrong on so many levels

[Provocateur]

As a linux fanatic, I find his deed reprehensible. Where do we begin? Let's see:

1. Install Ubuntu. Then--

Enough! 20 years in the electric chair!

Re: Source Code

[Z00L00K]

Resl trusted computing has never existed.

Re:

[Ol Olsoc]

I have always felt Linux people have that same false sense of security that Apple Mac users have always had. Nothing can touch them because of some lame reason.

I have always known that some people generalize the shit out of things.

No OS is completely immune while on teh intertoobz. But it doesn't take too much research to find out which major OS is the least secure. It ain't Linux, and it aint MacOS.

Not on topic: google passwords?

[BlueCoder]

I do own multiple password authentication methods... not even talking about my android phone! I like chrome but how many times a year do I have to physically type my password?

Snaps are impossible to verify

[Anonymous Coward]

With all dependencies built in, there is a lot to comb through, not to mention that those dependencies may not even be completely patched and up to date.

I'd rather install software the traditional way and be sure that each component I install is verified.

Re:

[Anonymous Coward]

I'd rather just not use Linux.

Because Windows is malware done right?

Re:

[hduff]

I'd rather just not use Linux.

Because Windows is malware done right?

It's the *best* platform for malware.

O'rly!

[Anonymous Coward]

How's this surprising. These containerized applications are full userland stacks, all the libs and dependencies the program needs, and then some, wrapped up. It's so easy to hide malware there, and so very difficult to audit them before inclusion, because their very raison d'etre is --- to avoid maintainership and allow "third party" vendors to distribute their mini-distros around.

Is anyone REALLY surprised by this?

Who didn't see this coming?

[Fly Swatter]

They wanted to replicate the android and fruit ecosystems. Looks like they did.

Re:

[ilsaloving]

That depends. If all they did was make an app store available, then they did _not_ replicate said ecosystems.

Apple and Google both have some form of curation process to help keep malicious applications out. (I'm not going to get into who does it better cause that's beside the point).

If Ubuntu, or anyone else, wants to maintain snap repos, then they are going to have to maintain the same protection infrastructure. A perfect example is the Cydia ecosystem. It's a god forsaken mess, and at this point it's

More and More

[hduff]

so . . Ubuntu is becoming more and more like Microsoft Windows?
Good to know . . .

It's a general problem

[Casandro]

Essentially you need to keep a separation between code and data. Data is something you can get from any source as dubious data will never be able to breach the security.

Code on the other hand are commands for your computer. Every new code you get onto your computer is a risk you take as it can be malevolent. Therefore you shouldn't take executing foreign code lightly. Ideally you only have your fixed set of programs which you can combine to use with data you get from everywhere.

Things like AppStores pervert that safety precaution. They act as if it was possible to have a secure system, yet download software written by dubious developers.
Sadly, we as a society seem to fall into the same trap over and over again, from Javascript to Active X. From Visual Basic for Applications to Appstores.

Use blockchain history to mark "radioactive" coins

[OpenGLFan]

Because the blockchain is public, we know all the blocks that passed through this bad actor -- they were at one point registered to myfirstferrari. We can declare these coins as "radioactive", instructing our systems to not buy coins or fractions that had ever been owned by him or any of the other malware-powered miners.

That's kind of the point of a verified package rep

[fluffynuts]

Maintained by a team of accountable people. This was always one of the reasons a decent Linux distro was more secure than an equivalent Windows machine - because your packages came from a verified source. The concept of snaps makes things more convenient - for everyone, including malware authors. But, you know, so convenient.