this post was submitted on 23 Aug 2025
91 points (96.0% liked)

[–] pedz@lemmy.ca 22 points 2 weeks ago (3 children)

It's a good explanation and analysis of what it is and what it does.

There's just one thing that I didn't see mentioned and it's about the prevalence of having a software installed to extract rar files in the first place.

AFAIK there's nothing installed by default on Debian to open rar files. You kind of have to go out of your way to extract one. Unless this changed with the latest release.

I'm not much of a distro hopper so I'd be curious to know, are there distributions where opening and extracting a rar file only requires clicking it?

[–] whyNotSquirrel@sh.itjust.works 13 points 2 weeks ago (2 children)

also: antivirus detection, you guys have antivirus? I just install things from the official repository

[–] pedz@lemmy.ca 3 points 2 weeks ago

I've been using Linux for more than 25 years and never had an antivirus. I'm also trying to just keep to official repos. From what I've seen over the years it's not viruses or malware that are the most dangerous on Linux, but vulnerabilities found in some software, that usually only requires you to update your system.

Maybe I'd be more careful if I was installing obscure packages from weird places, but I'm about as conservative as Debian when it comes to new software and bleeding edge, so usually the stuff that I install has been tried and tried again.

[–] einkorn@feddit.org 3 points 2 weeks ago (2 children)

Well, recently there have been attacks on Arch based distros via poisoned AUR packages.

[–] asdfbla@lemmynsfw.com 13 points 2 weeks ago

AUR is not an official repository by the distro and malware in user repos is nothing new

[–] whyNotSquirrel@sh.itjust.works 4 points 2 weeks ago (3 children)

Isn't the Arch repo a little bit faster to accept packages? From what I understood the point was to make it easier to maintain a package, therefore you have the most up to date software version. Not sure if this was the problem or anything else, but I doubt that Debian repositories could be poisoned like this.

[–] pontiffkitchen0@lemmy.world 8 points 2 weeks ago

Just in case you didn't circle back, the other commenter is correct. Just like Debian repositories, Arch repositories also haven't been poisoned like this. AUR has recently, but that's the equivalent of adding 3rd party repos on Debian, but AUR is just a meta collection of those unofficial user repos basically. Arch documentation even warns against blindly installing from AUR, and to read the pkg build first since it's basically the same thing as copy and pasting a curl command from a GitHub repo's readme.

[–] teawrecks@sopuli.xyz 3 points 2 weeks ago

The Arch repos are completely different from the AUR. The Arch repos are officially maintained and tested. The AUR is where anyone can go upload a little pkgbuild script to make building and installing an arbitrary package as easy as possible.

Arch's package manager (pacman) does not work with the AUR. The AUR is basically a glorified pastebin. It's a convenience for people who know what they're doing, but you should not go downloading and executing files at random from there. Arch explicitly warns against doing this, and deliberately does not ship with any easy way to do this.

[–] einkorn@feddit.org 1 point 2 weeks ago

True that, but given not everyone follows best practices when installing software, I think having a form of antivirus is a good thing, especially for casual non-techy users.

[–] skaffi@infosec.pub 6 points 2 weeks ago (1 children)

Isn't that irrelevant? According to the article, the archive itself doesn't contain any malicious code. Rather, it's encoded in the file name, and can start executing itself when being parsed by the shell - no extraction needed.

It seems to me that avoiding rar files, or limiting your ability to extract them will provide a false sense of security at best. Seems to me that this could be done using any file type at all.

[–] pedz@lemmy.ca 3 points 2 weeks ago (1 children)

The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: "ziliao2.pdf{echo,<Base64-encoded command>}|{base64,-d}|bash"

Doesn't it mean that a rar archive contains the malicious file?

It's worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.
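The quoted mechanism comes down to a file name that a shell later expands. As an added example (not code from the thread or from the article it discusses), the following POSIX sh snippet flags archive member names carrying shell metacharacters so they can be reviewed before any script touches them, and shows the quoting discipline that keeps such a name inert; the `unrar lb` listing format it mentions is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the article it discusses.
# Flags archive member names carrying shell metacharacters (braces, pipes,
# backticks, $(...), redirections, a literal newline). Such a name does
# nothing on extraction; it only runs when a script later interpolates it
# unquoted or passes it to eval. Sample names in the usage are constructed.

nl='
'

is_suspicious_name() {
    # $1: one file name as listed by the archive tool. Returns 0 (true)
    # if it should be quarantined for review, 1 otherwise.
    case "$1" in
        *'{'*|*'}'*|*'|'*|*'`'*|*'$('*|*';'*|*'&'*|*'>'*|*'<'*|*"$nl"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

scan_listing() {
    # Reads one member name per line on stdin (e.g. the output of
    # `unrar lb archive.rar`, format assumed) and prints each flagged name.
    # Returns 1 if anything was flagged, 0 if the listing looks clean.
    # "$name" is quoted at every use, so the shell never expands it.
    rc=0
    while IFS= read -r name; do
        if is_suspicious_name "$name"; then
            printf 'SUSPICIOUS: %s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed listing: the page's example name plus two harmless ones.
printf 'report.pdf\nziliao2.pdf{echo,<Base64-encoded command>}|{base64,-d}|bash\nnotes.txt\n' \
    | scan_listing || echo "listing needs review before any script handles it"
```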

[–] skaffi@infosec.pub 2 points 2 weeks ago (1 children)

Right you are! I'm not sure how that went over my head. Eh, too much morning, too little coffee. Thanks for correcting me.

[–] pedz@lemmy.ca 1 point 2 weeks ago

It's also worth saying that as much as I don't have an antivirus on Linux, and that I'm generally not too worried about malware and viruses, I have backups, follow the 3-2-1 rule, and my OS can be sacrificed if there is ever a problem.

But I must admit that being infected is not always detectable and taking extra care probably wouldn't hurt.

[–] lime@feddit.nu 6 points 2 weeks ago

7z can extract them, but i don't know if it's installed by default anywhere.