[Solved: It probably wasn't] Possible Malware on Manjaro KDE Iso?

Update 9/18/2020: To future Googlers, this was determined to be an IT overreaction and I should not have posted it without proper research. The issue was likely our firewall incorrectly identifying a mirror server as malicious.

A few days ago I was installing Manjaro KDE on my laptop. I downloaded the manjaro-kde-20.0.3-200606-linux56.iso from the OSDN link, flashed it on Windows 10 using Rufus, and ran the install off of a freshly formatted flash drive.

I finished the install over my employer’s guest network, and within 5 minutes of booting into the system our IT director was in my office asking why a device called Manjaro was attempting to break through our firewall into the production network and install malware on the server. I immediately disconnected from WiFi, and wanting to get as far away from the issue as possible I downloaded ArcolinuxD, flashed it from my android phone, and installed that over Manjaro. My IT has confirmed no further suspicious activity since.

I am not sure whether the issue lies with Manjaro, or possibly with some pre-existing malware in my Windows 10 or Rufus installs, and since this is my personal machine I really don’t want to take any further risks to test this on our company network, and don’t really know how to identify the issue myself. I would really like to get my laptop running Manjaro, but I am nervous to try it again. Like an idiot, I did not verify the SHA1SUM of the ISO file, and the file was wiped out when I installed over Windows.

Since I am not really in a position to check in on this, so I wanted to put this out here in case someone with Manjaro wants to investigate. I am hopeful that any issues may have been eliminated with the new ISO that was just posted as I type this.

I know that Manjaro will ping (or try to ping) archlinux.org regularly, because of Network Manager.

But I have never heard of any malware on the ISO.

Can your IT department get a little more concrete on what it was actually doing?

4 Likes

I will ask and get back to you.

I’ve made regular visits to archlinux.org over the network, and since Arco is an arch-based distro I would expect it to be doing the same sort of ping.

can you try with Ventoy ?
can you also check version iso ?

For me it would be interested to know why 20.0.3-200606 of our KDE build should have any Malware. It can also happen with the tools flashing it to your USB. We mostly use Etcher to create USB-Sticks. All our ISOs get generated by using our tools:

Additionally we have all our profiles used to configure the ISOs public:

As a company we work with many hardware vendors together and check ISOs on regular basis to be secure. ArcolinuxD most likely has a newer build as the 20.0.3 was. You may try 20.1 release to check.

However it would be great to know if your IT-Department would be able to be more specific on what had happen. We will check also from our end that particular ISO.

2 Likes

Our ISOs have an integrated checksum routine to ensure that nothing is tempered with. Otherwise it won’t boot.

10 Likes

I didn’t know about that…

That is horrible claim - while the live system is called manjaro - the rest is pure nonsense and the only result is FUD.

Just downloaded the files from https://osdn.net/projects/manjaro/storage/kde/20.0.3 and they verify as expected.

$ cat manjaro-kde-20.0.3.200606-linux56.iso.sha256           
85ac48d8248ad452223321797c44fdfb864a2ea33484c2b96073b1c2eb0de435  manjaro-kde-20.0.3-200606-linux56.iso
$ sha256sum manjaro-kde-20.0.3-200606-linux56.iso
85ac48d8248ad452223321797c44fdfb864a2ea33484c2b96073b1c2eb0de435  manjaro-kde-20.0.3-200606-linux56.iso
$ gpg --verify manjaro-kde-20.0.3-200606-linux56.iso.sig manjaro-kde-20.0.3-200606-linux56.iso
gpg: Signature made lør 06 jun 2020 10:17:47 CEST
gpg:                using RSA key E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E
gpg:                issuer "philm@manjaro.org"
gpg: Can't check signature: No public key
1 Like

Would nethogs, iftop or other networking tool identify what was trying to access the network?

I don’t have much experience in network security, so i wonder what kind of activity was actually spotted to be interpreted that way…

The ‘IT guys’ saw their firewall asking for a new device accessing the internet probably, and deduced it was an attack through their production network installing malware on the servers lol Probably/surely something along these lines… We may never know.

Alright, hold the presses.

It turns out my IT manager was maybe being a little overdramatic about the nature of the issue. As best we can tell, there was no actual attack on the network. He just received a notice from the firewall that my device was connecting to a server that had been identified as potentially malicious, though apparently it did not actually log the url/IP address of the server.

The email he received from the firewall read as follows:

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Characteristics

· Enables remote access

Affected Operating Systems

The threat is associated with the command and control servers used by malware.

Note: C2/Generic-A is not detection of a malware payload on an infected machine.

Firewall is blocking network traffic (reputation or IPS filtering) to a remote machine believed to be a C&C server. The alert indicates that a machine within the network is compromised with malware.

My best guess would be that maybe one of the international mirror servers was on our firewall’s blacklist and triggered this alert when the pacman-mirror command pinged it, especially given that the Manjaro device name suggest that I was still in the live environment when this alert was triggered.

Sorry for the potentially inflamatory post. I should have done some more digging before making this public.

3 Likes

Yes, you should have.
Thanks for following up.

I called it. It was 100% typical IT guy non sense lol.

It would be interesting to know which one.

heh.
so busybox and xzcat, etc, are all virus?
I dont think so …
looking at the virustotal reports … they are actually flagged as ‘possible unwanted program’ and other similar/generic ‘threats’ …

Not to mention … please dont necro.
Especially for something entirely unrelated.
ventoy is not used or contained in any manjaro ISO by default.