[HN Gopher] Free Download Manager backdoored - a possible supply...
___________________________________________________________________
Free Download Manager backdoored - a possible supply chain attack on Linux
Author : donutshop
Score  : 60 points
Date   : 2023-09-12 19:46 UTC (3 hours ago)
web link (securelist.com)

| codedokode wrote:
| This is one more reason to run every program in a sandbox rather than with full privileges.

| Obscurity4340 wrote:
| Should people reflexively refuse prompts to authenticate as admin and see if the underlying programs still work as expected? This comes up all the time for Macs and the keychain.

| acatton wrote:
| I disagree. This is more another reason to not run programs which are not from the official repository.

| throwaway71271 wrote:
| why do you think this can not happen in the official repository?

| acatton wrote:
| Because the official repository has a strict vetting process. You cannot just show up and put your shady software in the official repository.
|
| Debian packagers have a mutual trust process which you need to gain. Only trusted Debian packagers can approve packages to be included. Also some Debian maintainers will just randomly check packages from time to time. (e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792580 )

| throwaway71271 wrote:
| the list of contributors is huge, you just need to hack one person https://contributors.debian.org/
|
| not to mention libraries like libxslt that is used by like half the packages
|
| even kernel.org was hacked, and git saved us, and luckily it was before the sha1 collision attacks were viable
|
| https://www.reddit.com/r/linux/comments/k0mco/kernelorg_comp...
| https://crypto.stackexchange.com/questions/99767/how-easy-is...

| wfurney wrote:
| Nice classic email spam at the end of that thread!
|
| > "All we require from you is your willingness and ability to receive the funds in question"

| amenghra wrote:
| You can report the spam by clicking on the link at the very bottom (or just going to https://bugs-master.debian.org/cgi-bin/bugspam.cgi?bug=79258... and confirming).

| kelnos wrote:
| But Debian packagers aren't always super careful. They generally don't audit the full changeset between each version they package and publish. They mostly trust that upstream has not been compromised and continues to be trustworthy.
|
| I'm not trying to minimize all the hard work Debian (or any other distro) packagers do, but "only use official repositories" is not sufficient as a malware-avoidance strategy. Yes, it's better than installing random binaries from random websites, but let's not give ourselves a false sense of security.
|
| The suggestion upthread to run everything in a sandbox is a good one. I wish that was more common and that there was a better UX when doing so.

| [deleted]

| professor_m221 wrote:
| I see free. I download!

| NotYourLawyer wrote:
| If you intentionally install something called Free Download Manager, you should not be surprised when it turns out to be malware.

| mulmen wrote:
| Yeah who would ever trust a free BSD?

| DiabloD3 wrote:
| Why would you use a "Free Download Manager" when wget is right there? Or a web browser, such as Firefox? Or torrent clients to deal with large Linux ISO downloads? Or the various storefronts, like Steam? Or your own distro's package manager?
|
| This wasn't packaged on any distro, so this isn't even a meaningful attack: Users had to go out of their way to install it from a foreign source. This is no different than if you downloaded a random .exe off and ran it on Windows with admin access.
|
| It's not a supply chain attack, it's a PEBKAC attack.
| ryandrake wrote:
| From their website[1]:
|
| > FDM can boost all your downloads up to 10 times, process media files of various popular formats, drag&drop URLs right from a web browser as well as simultaneously download multiple files!
|
| No, I still don't have a clue what it actually does that the OS and existing tools can't. It sounds like those scam "RAM doubler" programs from the 90s. Run this executable to _boost your system's chakras_.
|
| 1: https://www.freedownloadmanager.org

| [deleted]

| pixl97 wrote:
| Who uses a download manager in the days of high speed internet access and, in general, cloud services?

| sneak wrote:
| Download managers are _more_ important on high speed links than ever.
|
| The more bandwidth you have (and use), the less adequate the little "downloads" pane in your browser is.

| jandrese wrote:
| People who are still on dialup modems or very slow wireless ISPs with flaky connections. High Speed Internet is not universal even today, despite what web developers seem to think. Ever try to surf raw Facebook on a 128kbps wireless link? It's not fun. Cloud services are a joke for these people.
|
| Hacker News is one of the last holdouts in the low bandwidth friendly website game.

| OfSanguineFire wrote:
| A decade ago, I remember buying 500MB or 1GB of mobile internet credit and burning through that in an evening just reading news and stuff. Today, with uBlock Origin and NoScript, I can buy the same amount of mobile internet and it lasts me quite a while. I therefore concluded that, while website bloat does exist, what really consumes bandwidth is advertising, and that can be avoided. Moreover, a decade ago lazy loading of images was not common, but now the respective CSS tag exists, is supported by browsers, and widely implemented by CMSs like Wordpress.

| blackhaz wrote:
| Happy FileZilla user here, on my FreeBSD laptop.
| I move tons of files from remote astronomical observatory routinely, sometimes need to define custom rules - what to download, upload, filter across folders, etc. Sometimes I need to push a file from very low data-rate link from somewhere in the middle of nowhere to the observatory, sometimes over a satellite link. Sometimes I want a throttled download of a large queue so I won't overload my connection and leave some bandwidth to other users. Also, I have a directory of different FTP servers I work with, it's easy to keep them in one place. So, there you have it.

| postmodest wrote:
| rsync has a --bwlimit option.
|
| But I suppose you're probably talking about devices that only know about internet protocols before 1991....

| jpc0 wrote:
| On linux...
|
| I mean if I found something called free download manager on a technologically challenged family member's PC I would just assume it's malware to start with.

| NoZebra120vClip wrote:
| Honestly, there were several download managers which were essentially forced by folks like Microsoft and Logitech. If I remember correctly, when I had an educational license with Microsoft Imagine, the most challenging bit was getting the mandatory download manager working. IIRC, I didn't actually have a Windows machine to put it on or something. So, I had to jump through some hoops. The software was plain inaccessible without going through the proprietary download manager.
|
| Logitech did similar hijinks for a long time. I can't remember whether it was mandatory, but it sure was difficult to avoid.

| aborsy wrote:
| Similar software is used in some products. For example, synology DSM has a package called download station. Who knows if it's based on some obscure .deb (or scripts such as youtube-dl).
|
| It could give rise to a supply chain attack.
| bubblethink wrote:
| axel -n 10

| andersa wrote:
| They can be very useful for:
|
| - bypassing antiquated per connection throttles on otherwise fast servers by downloading chunks in parallel
|
| - downloading files such as videos from sites that don't really want you to download the file
|
| I have never heard of the program in the article, but this one still sees many active users on windows for the above reasons: https://jdownloader.org/
|
| There's even a little community still making and maintaining plugins for extracting files from uncooperative websites. Really does feel like the kind of program you only ever want to be running in a sandbox though!

| dataflow wrote:
| I do. Just because your internet access is fast that doesn't mean remote servers don't throttle on a per connection basis.

| pohuing wrote:
| Or that everyone else also has fast Internet

| vorpalhex wrote:
| It's really handy to be able to kick bigger or automated file operations to a backend service.

| [deleted]

| meepmorp wrote:
| I'm trying to imagine the kind of user that's both able to blindly install a random .deb downloaded from a website, while also being willing to do so. Linux geeks with no sense of danger on the internet?

| zem wrote:
| not too terribly different from `sudo (curl | bash)`

| lcnPylGDnU4H9OF wrote:
| One can google "install .deb fedora" and get a litany of web pages which will contain words explaining how to do this. Fedora (and other distributions) is easy enough to install that one doesn't really need to be a "Linux geek" in order to be on Linux and such a person is not quite so likely to wonder whether or not they trust the code they're running.
|
| Couple that with the fact that it works out well Most Of The Time[0] and you've got a pretty likely scenario even if it affects a relatively small number of people.
|
| [0] I mean in general when downloading software as well as in the context of this particular story[1].
|
| [1] > Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app.

| lstamour wrote:
| If you have a web browser and Linux, you can often install a .deb just by opening it in Software Centre or other graphical utilities to install apps. The comparison might be someone on windows trusting a random .msi or installer .exe or someone on Mac installing a random .app package. It's somewhat normal these days. Package managers are sometimes harder to understand and app stores often don't have the app you want or the newest version. Sometimes the app directs you to the website to install an update - or updates itself from a compromised location.

| dang wrote:
| Url changed from https://arstechnica.com/security/2023/09/password-stealing-l..., which points to this.
|
| Submitters: "_Please submit the original source. If a post reports on something found on another site, submit the latter._" - https://news.ycombinator.com/newsguidelines.html

| fortran77 wrote:
| But I thought there were no viruses or malware on Linux! For example: https://www.howtogeek.com/135392/htg-explains-why-you-dont-n...

| yjftsjthsd-h wrote:
| Look, if the malware spreads by users _manually installing it_, 1. it's not really an OS problem, 2. an AV wasn't going to save them.

| Gigachad wrote:
| That's how almost all malware was installed though. Linux really isn't any more resistant to malware than anything else.

| acatton wrote:
| This is installed by adding a shady repository to your apt sources.list...
|
| How is this a supply chain attack? My official debian repository has never been breached so far.
|
| This is no different from downloading an .exe off a shady website and blindly running the .exe.
|
| Also: https://packages.debian.org/search?keywords=download+manager...
| lists:
|
| * uget: https://sourceforge.net/projects/urlget/
|
| * kget: https://apps.kde.org/en-gb/kget/
|
| * persepolis: https://persepolisdm.github.io/
|
| why use "Free Download Manager" when high quality ones are already officially packaged by debian? Is this targeting newcomers from windows?

| sva_ wrote:
| > This is installed by adding a shady repository to your apt sources.list...
|
| How is this possible? Aren't the packages signed like on ArchLinux so that you can use any mirrorlist?

| sudobash1 wrote:
| This is more like using AUR (except the packages are prebuilt with no way to inspect source). They are entirely user submitted.

| acatton wrote:
| No. This is not AUR, this is an _entire third party repository._ It would be the equivalent of these https://wiki.archlinux.org/title/Unofficial_user_repositorie...

| acatton wrote:
| Yes, they are signed, but not with the official key. If you add it through the UI, it will auto-accept the key from the repository. (I'm not sure how it exactly works, it might ask the user for the confirmation)
|
| If you do it from the command line, by editing files, you will have to add the key manually.
|
| But most inexperienced users will just copy/paste and run the "curl | sudo apt-key add" command from the shady repository website, because they want to run the software.
|
| This is not much different from downloading an .exe from an untrusted website, and ignoring the warning from windows when running the .exe.

| [deleted]

| baz00 wrote:
| Basically, as per everything these days, the entire software industry is based on "download and run any old shit off the Internet" with little to no fucks given about the source or trustworthiness or correctness. End users are no better because for most people, including a lot of novice Linux users, this isn't even considered as part of fixing or dealing with any particular problem. Cut / paste / job done.
|
| Worst is I've seen CD/CI systems which just pull unsigned unverified binaries off the internet and build software from github, random APT and YUM repos, all sorts of shit. This is then all thrown together and pushed into production systems.

| acatton wrote:
| It doesn't have to be. Corporations which are FedRAMP[1] compliant have to build software reproducibly in a fully isolated environment, only from reviewed code.[2]
|
| [1] https://en.wikipedia.org/wiki/FedRAMP
|
| [2] https://slsa.dev/
___________________________________________________________________
(page generated 2023-09-12 23:00 UTC)
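acatton's explanation in the thread above (third-party apt repositories are signed, but with the vendor's own key, which users import with a pasted "curl | sudo apt-key add" line) can be checked on a host. The script below is an added example written for this page; it is not code from the thread, from Free Download Manager, or from Debian. It parses apt's one-line sources format, classifies each entry by host (the regular expression for "official" hosts is an assumption, tune it per distribution), and reports whether a third-party entry scopes its key with Signed-By or relies on the global trusted keyrings that apt-key populates. The sample apt tree the demo builds is constructed data with placeholder hostnames.

```shell
#!/bin/sh
# Added example: audit apt sources for third-party origins and key scope.
# Not code from the thread or any project it discusses; see lead-in.
set -eu

# Hosts treated as "official" (assumption: Debian's own mirrors; adjust per distro).
OFFICIAL_HOSTS='^(deb|security|ftp[.][a-z]+)[.]debian[.]org$'

# classify_sources FILE...: one line per active deb/deb-src entry:
#   <official|third-party> <url> signed-by=<keyring path or NONE>
# An entry without signed-by is verified against every key in the global
# keyrings (trusted.gpg and trusted.gpg.d), which is where apt-key puts keys.
classify_sources() {
    awk -v official="$OFFICIAL_HOSTS" '
    /^[[:space:]]*deb(-src)?[[:space:]]/ {
        i = 2; signed = "NONE"
        if ($2 ~ /^\[/) {
            # Options such as [arch=amd64 signed-by=...] may span several fields.
            opts = ""
            for (; i <= NF; i++) {
                opts = opts " " $i
                if ($i ~ /\]$/) { i++; break }
            }
            if (match(opts, /signed-by=[^ ]+/)) {
                signed = substr(opts, RSTART + 10, RLENGTH - 10)
                sub(/\]$/, "", signed)      # drop the closing bracket if attached
            }
        }
        url = $i
        host = url
        sub(/^[a-z]+:\/\//, "", host)       # strip scheme
        sub(/\/.*$/, "", host)              # strip path
        cls = (host ~ official) ? "official" : "third-party"
        print cls, url, "signed-by=" signed
    }' "$@"
}

# classify_dir APT_DIR: run classify_sources over sources.list and sources.list.d/*.list.
classify_dir() {
    for f in "$1/sources.list" "$1"/sources.list.d/*.list; do
        [ -f "$f" ] && classify_sources "$f"
    done
    return 0
}

# count_unscoped_third_party APT_DIR: number of third-party entries whose
# packages are accepted from any key in the global keyrings.
count_unscoped_third_party() {
    classify_dir "$1" | grep -c '^third-party .* signed-by=NONE$' || true
}

# global_keyrings APT_DIR: keyring files apt trusts for every repository.
global_keyrings() {
    for k in "$1/trusted.gpg" "$1"/trusted.gpg.d/*; do
        [ -f "$k" ] && printf '%s\n' "$k"
    done
    return 0
}

# build_sample_apt DIR: constructed sample tree (placeholder hosts, not real data):
# two official entries, one vendor entry scoped by signed-by, one relying on apt-key.
build_sample_apt() {
    mkdir -p "$1/sources.list.d" "$1/trusted.gpg.d"
    cat > "$1/sources.list" <<'EOF'
deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main
EOF
    cat > "$1/sources.list.d/vendor-scoped.list" <<'EOF'
# key limited to this repository via signed-by
deb [arch=amd64 signed-by=/etc/apt/keyrings/vendor.gpg] https://repo.vendor.example/debian stable main
EOF
    cat > "$1/sources.list.d/vendor-global.list" <<'EOF'
# no signed-by: verified by whatever "apt-key add" put in the global keyring
deb https://downloads.third-party.example/deb stable main
EOF
    : > "$1/trusted.gpg.d/vendor-global.gpg"   # placeholder key file
}

case "${1:-}" in
    --demo)
        sample=$(mktemp -d)
        build_sample_apt "$sample"
        classify_dir "$sample"
        echo "unscoped third-party entries: $(count_unscoped_third_party "$sample")"
        echo "globally trusted keyrings:"; global_keyrings "$sample"
        rm -rf "$sample" ;;
    "") ;;   # no argument: only define the functions
    *)  classify_dir "$1"
        echo "unscoped third-party entries: $(count_unscoped_third_party "$1")" ;;
esac
```

Run it as `sh audit_apt.sh /etc/apt` on a Debian or Ubuntu host, or with `--demo` for the constructed sample. A third-party line reported with signed-by=NONE is accepted if any key in trusted.gpg or trusted.gpg.d signs it, so a vendor key imported with apt-key can validate packages for every repository on the host, official ones included; storing it under /etc/apt/keyrings and referencing it with signed-by limits it to that one repository. The script reads only the one-line sources format; deb822 .sources files are not parsed.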