Old Malware on Mint Distros

[Pyroplotter]

I've noticed that when downloading Mint 18.2 ( any version), so far using four different mirrors plus the main source, that a malware trojan is installed. It's the same one that 17.2 had after the Mint hack. To check if it arrives I use etherape installed on, say, PcLinuxOS, or Ubuntu, on a separate system, and watch what the new install does after a fresh install on my target system. In a few mintues some rogue program on the Mint system starts to send udp packets to random addresses just like the 17.2 hack did. I've tested this using 5 different install disks now created from the above sources and the result is the same. None of the other 9 Linux distros I've used here so far have this problem. I have even had to use a firewall between my test system and the rest of the network since this malware snoops through the network also. Has anyone else noticed this and has there been a bug fix I don't know about?

 

[atanere]

Hi @Pyroplotter, and welcome to the site!

First off, the Mint hack was version 17.3, Cinnamon Edition only. Secondly, once it was known (which was very quickly) it was easily spotted because the checksum (MD5 or SHA256) of the .iso file did not match that provided by the Linux Mint team for that edition.

If you have reproducible evidence of malware contained in a .iso file provided from linuxmint.com -- please notify those folks so they may investigate their product! Their Contact Page is at https://linuxmint.com/contactus.php

If you don't think Clem and the Mint team will be responsive to your evidence, please try noted security experts Bruce Schneier, Brian Krebs, or other Linux security news sources. If you have proof, I don't think you will be ignored.... that is a pretty serious claim you are making.

Cheers!

 

[wizardfromoz]

Hi @Pyroplotter and ditto on the Welcome.

As well as the excellent advice and input from the gentleman in dark glasses, I am brainstorming, and so my comments highlighted between yours -

I've noticed that when downloading Mint 18.2 ( any version),

I take it that that is DEs (Desktop Environments, eg MATE, Cinnamon, Xfce, KDE)?

so far using four different mirrors plus the main source, that a malware trojan is installed.

I personally would not use more than LM's site and SourceForge - some of the others are reputed to add "stuff", but I can't name names for legal purposes.

Can you name the Trojan and save me looking it up? I remember the breach but not the details.

... (edited out)

I've tested this using 5 different install disks now created from the above sources and the result is the same.

Do I take it these are DVDs? If so, have you tried with USB sticks?

I also have a few more questions, regret bombarding you, but want to dot the i's and cross the t's

1. Were all of these efforts performed from within the one Distro, if so, which one, and have you tried changing downloads mirrors within your updates manager, &c?

I'm sure I have a 2. in mind, but can't think of it right now, getting late in the day for me, lol.

You could also check out my threads here -

https://www.linux.org/threads/gtkhash-–-hashing-out-the-basics.4430/
https://www.linux.org/threads/gtkhash-–-hashing-out-the-basics.4430/
and

https://www.linux.org/threads/hash-checking-rare-tips.13544/
https://www.linux.org/threads/hash-checking-rare-tips.13544/
Finally, Firefox (if you use that) plugin extension DownThemAll allows you to insert a sha256 algorithm (which is what Mint uses since the breach) as part of the download process management. Be aware that DTA and other plugins are now being marked as Legacy, as Mozilla take a different direction next month with the release of FF 57.

Cheers, hope this helps

Wizard