Linux Mint website hacked - Compromised ISOs containing Tsunami IRCBot malware

[Shoob]

Linux Mint's website was compromised yesterday (February 20th) and the hackers uploaded an injected ISO, possibly containing the Tsunami malware, which creates a backdoor and grants remote access to the infected machines.

The information was posted on the Linux Mint blog and advises to get rid of Mint Cinnamon ISOs downloaded yesterday and to check their MD5 signature.

Currently the main website of Linux Mint is down.

 

Quote

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

 

Quote

How to check if your ISO is compromised?

 

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

 

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

 

Source: http://blog.linuxmint.com/?p=2994

[Bananasplit_00]

wow this is really bad, hope not to many people downloaded it yesterday

[Guest]

Scary.

I use Mint Cinnamon. Of course being the thoughtful, courteous man that I am, I torrent all my Linux ISOs.

[dfsdfgfkjsefoiqzemnd]

I downloaded them all a while ago and am still seeding them, so I'm not too worried.  I do a hash check of every .iso or installer anyway if it's available. 

 

Still, if they can hack the site and replace the hashes with those of the modified .iso, you're out of luck if you check right away.

[Guest]

Whelp, they've taken the site down. There goes my chance to install mint today, I'm so lucky I didn't do it yesterday.

[deviant88]

lol lucky me i was just trying new linux distros like a week ago including 3 different mint flavours, hopefully i didnt catch anything sigh

[SansVarnic]

Hacker explains how he put "backdoor" in hundreds of Linux Mint downloads

By Zack Whittaker for Zero Day

Main Source: http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/

2nd sources;

http://www.brunchnews.com/zdnet/technology/hacker-explains-how-he-put-backdoor-in-hundreds-of-linux-mint-downloads-4231245

http://www.pcworld.com/article/3035682/security/hackers-planted-a-backdoor-inside-a-compromised-version-of-linux-mint.html

http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/

 

 

Well this is not good...

Quote

A lone hacker who duped hundreds of users into downloading a version of Linux with a backdoor installed has revealed how it was done.

News broke on Saturday that the website of Linux Mint, said to be the third most-popular Linux operating system distribution, had been hacked, and was tricking users all day by serving up downloads that contained a maliciously-placed "backdoor."

Quote

The hacker responsible, who goes by the name "Peace," told me in an encrypted chat on Sunday that a "few hundred" Linux Mint installs were under their control -- a significant portion of the thousand-plus downloads during the day.

But that's only half of the story.

Quote

Peace was "just poking around" the site in January when they found a vulnerability granting unauthorized access. (The hacker also said they had the credentials to log in to the site's admin panel as Lefebvre, but was reluctant to explain how in case it proved useful again.) On Saturday, the hacker replaced one of the 64-bit Linux distribution images (ISO) with one that was modified by adding a backdoor, and later decided to "replace all mirrors" for every downloadable version of Linux on the site with a modified version of their own.

The backdoored version isn't as difficult as you'd think. Because the code is open-source, the hacker said it took them just a few hours to repack a Linux version that contained the backdoor.

Quote

For now, the hacker's motive was "just having access in general," but they did not rule out using the botnet to carry out data mining or any other nefarious means. In the meanwhile, the hacker's botnet is still up and running, but the number of infected machines "dropped significantly since the news broke obviously," Peace confirmed.

Lefebvre did not return an email for comment on Sunday. The project's website is down, with no timeline on when the project will be back.

Well guys I guess be wary if you downloaded this during the mentioned period time and do what you must to protect yourself until the issue is resolved.

 

I am somewhat surprised by this myself but I guess was going to happen at some point.

 

Thoughts?

[Tmt97]

glad I'm not using linux mint lol.

[,,,,,,,,,,,,,,,,,,,,,,,,,,]

This is why I never use a distro based off another distro that was based off a distro. Whonix for me!

[Enderman]

this just proves how necessary an antivirus is, not just "common sense"

seemingly safe downloads can have malware or viruses

using common sense will not tell you if there is malware or viruses in the download you trusted

[EarthboundHero]

Brb running MBAM.

[QueenDemetria]

Not a good news day for Linux.

[Syntaxvgm]

I shit you not I downloaded mint and opened up slashdot a few hours later and saw the news. "Guess I'm not using that install lol"

[Pandora]

oh well i feel like $#!^ now. just recomended mint to a friend.

[Chasem121]

But I was told Linux was secure!

[Lotte]

This is rather depressing.

[suicidalfranco]

1 hour ago, Enderman said:

this just proves how necessary an antivirus is, not just "common sense"

seemingly safe downloads can have malware or viruses

using common sense will not tell you if there is malware or viruses in the download you trusted

this only proves why it's always good to perform an md5 checksum on your isos

[PCgamer324]

lmao when people don't use checksums from a website other than the source...

 

*sigh*

 

idiots

[dfsdfgfkjsefoiqzemnd]

52 minutes ago, suicidalfranco said:

this only proves why it's always good to perform an md5 checksum on your isos

Absolutely. 

 

Of course if the hacker replaced the checksum on the Mint site with his own and you verify the ISO with that checksum, you're still screwed. 

[Albatross]

Here's hoping the official website will try to protect the site better from now on.

[LukeTim]

I only ever use OG Ubuntu myself. And besides, at the moment I am not running Ubuntu at all.

 

This is really shitty though. It's good that the vulnerability has been revealed, so something can be done about it. However, it was shitty of the guy to use it for his own ends, rather than to highlight the issue for the Mint devs to sort out.

[Half-Shot]

Yay, another Wordpress hack. Been burnt personally by it before.

[Theo]

10 hours ago, Enderman said:

this just proves how necessary an antivirus is, not just "common sense"

seemingly safe downloads can have malware or viruses

using common sense will not tell you if there is malware or viruses in the download you trusted

wow man dont speak such nonsense. If common sense wasnt enough why  would so many smart people in the forum recommend it.
 

[A/C]

10 hours ago, Enderman said:

this just proves how necessary an antivirus is, not just "common sense"

seemingly safe downloads can have malware or viruses

using common sense will not tell you if there is malware or viruses in the download you trusted

 

I don't think an antivirus would recognize this as a threat as it hadn't yet been identified when it was downloaded.

[Enderman]

35 minutes ago, Theo said:

wow man dont speak such nonsense. If common sense wasnt enough why  would so many smart people in the forum recommend it.
 

its not enough, and the people who think it is are idiots...

16 minutes ago, A/C said:

 

I don't think an antivirus would recognize this as a threat as it hadn't yet been identified when it was downloaded.

i dont mean necessarily for this threat, but for anything you download

and antiviruses are updated daily so it would have caught it soon after downloading, or at least detect the malicious botnet software that the hackers could run