Suspected Malware/Bootkit

Hello! I have recently joined this community and nice to meet you all.

To begin with my question, I will explain the situation first. Before I recently switched to EndeavourOS, I was a Manjaro user. When I was using Manjaro, I had an insecure situation that I think might have led to a malware/bootkit infection.

I will tell you how it happened chronologically. I will upload whatever logs you need, and also will be welcome to any advice how to get rid of bootkits/rootkits on Arch Linux.

I was a user of up-to-date Manjaro, and I received a strange video via e-mail, and opened it. It was .mp4, and I thought that Linux is pretty much protected from these kinds of malware, and also I had VLC updated to the newest version (3.0.20). It would be worth mentioning that I think that the provider doesn’t have a virus scan.

However, once I opened it (I didn’t do anything out of the ordinary that day except that) and turned on my laptop the next day, I noticed an increase in how my fan performs; it was louder than before, I will freely say, about 30% louder than it was before. I was lucky to have done a Manjaro install a month before, and had files in a backup (external hard drive), so I just reinstalled it by wiping everything, from scratch, without any files remaining, so a clean reinstall.

Once I updated my UEFI, reinstalled it, and reinstalled my programs, the problem persisted. Then, I was advised on another forum to switch to EndeavourOS, which I did. I must say it works much better on my laptop. The new EndeavourOS installation didn’t cause a loud fan during the first two boots, but after the third one, it is still loud, but not as loud as Manjaro’s. Therefore, I still suspect that I might have a bootkit. I know it’s rare, but that’s the only thing I can think of.

If someone here could provide some advice about the issue, I would be much obliged.

Edit: If this is the wrong sub-forum, feel free to transfer the topic to the applicable one. I will also repost if needed.

Thankful in advance,

Leeroy

1 Like

So the only symptom is that your fan is louder? Did you try cleaning the machine?

2 Likes

Thank you for responding / Thank you very much, Mihaly. :slight_smile:

I didn’t try cleaning the machine yet, as it happened suddenly after I opened that file and did a first restart. It suddenly occurred, and didn’t cause problems before.

I will be cleaning the machine in the following days; I would just like to know whether there are any ways to determine if I actually have a bootkit or not.

If you truly suspect malware activity, you should probably do more than just note the fan’s volume. I’d start with checking your network usage and see if the device is constantly sending suspicious bytes out without you doing anything. You can do this with any network monitoring tool like TCPDump.

2 Likes

Do you still have that file? Perhaps you could submit it to a malware scan engine or something to that effect.

5 Likes

Thank you, Anthony.

Is there some good tutorial I can follow, that you find legit?

I don’t have it anymore, unfortunately. I deleted it once I opened it, as it was very unusual.

It’s a shame that you didn’t exercise such caution when you actually opened the file. :sweat_smile:

2 Likes

Nope, nothing is protected from this kind of user error.
Never open anything that you aren’t sure about, especially from e-mail.

3 Likes

You can’t go wrong with the man pages. But if you prefer a tutorial format, you can check this out:

https://www.hackingarticles.in/comprehensive-guide-to-tcpdump-part-1/

2 Likes

Or you didn’t notice it before. After you got that file, you started looking for things that might not work correctly. It’s highly unlikely to catch malware on systems that are fairly up to date.

2 Likes

I agree, Anthony. I figured out exploits through .mp4 could not be executed on Linux due to root permissions, etc., but I later read that I was wrong.

@anon79608109

Have a look at this: https://wiki.archlinux.org/title/Rkhunter

It won’t harm if you run this tool. Beware that it may produce some false positives.

There is also lynis which, if I remember correctly, will scan the system for rootkits as well.

2 Likes

If you truly suspect malware, you should start to monitor your system’s behavior. I mean, it makes little sense for malware to just sit there and do nothing except make your fans go louder…

I’d start with monitoring the following:

  1. Network activity
  2. Disk activity
  3. Resource Usage (cpu and RAM)

To rule out the possibility that it is due to a bunch of heavy processes (like your desktop environment) putting load on your CPU, drop to a tty and kill the display server. After that, note the fan behavior.

To detect unusual system behavior, you probably need to run the system in a fairly minimal and isolated environment. That means no applications should be open. Preferably, just run your system from a plain tty without a display server, like I mentioned above.

2 Likes
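One way to put the "monitor network activity from an idle tty" advice above (and the earlier tcpdump suggestion) into practice is to compare two snapshots of the kernel's per-interface counters and flag any interface that keeps uploading while nothing should be running. This is an added example, not code from any poster or from EndeavourOS; the two snapshots are constructed so it runs offline, the 50 kB/s threshold is an assumption, and on a real machine you would call `read_net_dev()` from a bare tty instead.

```python
import time

# Constructed sample reads of /proc/net/dev taken 10 s apart (not real data).
SNAP_T0 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     100    0    0    0     0          0         0    12000     100    0    0    0     0       0          0
 wlan0: 5000000    4000    0    0    0     0          0         0   800000    3000    0    0    0     0       0          0
"""
SNAP_T1 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     100    0    0    0     0          0         0    12000     100    0    0    0     0       0          0
 wlan0: 5010000    4050    0    0    0     0          0         0  3800000    5500    0    0    0     0       0          0
"""

def parse_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from the contents of /proc/net/dev."""
    counters = {}
    for line in text.splitlines()[2:]:          # first two lines are headers
        if ":" not in line:
            continue
        iface, fields = line.split(":", 1)
        cols = fields.split()                   # cols[0] = rx bytes, cols[8] = tx bytes
        counters[iface.strip()] = (int(cols[0]), int(cols[8]))
    return counters

def egress_rates(before, after, seconds):
    """Upload rate in bytes/s per interface between two snapshots; loopback is ignored."""
    rates = {}
    for iface, (_, tx0) in before.items():
        if iface == "lo" or iface not in after:
            continue
        rates[iface] = (after[iface][1] - tx0) / seconds
    return rates

def suspicious_egress(rates, limit_bytes_per_s=50_000):
    """Interfaces whose idle upload rate exceeds the (assumed) 50 kB/s threshold."""
    return sorted(i for i, r in rates.items() if r > limit_bytes_per_s)

def read_net_dev():
    """Live read of the kernel counters (Linux only)."""
    with open("/proc/net/dev") as f:
        return f.read()

if __name__ == "__main__":
    # Sit idle on a tty with the display server stopped, sample twice, compare.
    t0 = parse_net_dev(read_net_dev())
    time.sleep(10)
    t1 = parse_net_dev(read_net_dev())
    print("interfaces uploading while idle:", suspicious_egress(egress_rates(t0, t1, 10)))
```

An interface listed here is a reason to capture its traffic with tcpdump and look at where the bytes go, not proof of malware on its own; a pending system update or cloud sync will trip the same check.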

Thank you, pebcak.

I ran rkhunter, but was told later that its signatures are not up-to-date. I ran Lynis too, but I couldn’t fully comprehend its results. It didn’t inform me that I had any malware directly, but said that some files were “different”.

1 Like

Especially since I didn’t give any root permissions to that file; it was opened from the /home directory. I will try and clean my laptop, and let you know how it went.

Should I then exit all the apps, run tty2 for example, and then kill the display server and monitor my fan?

Also one more question for you all. Can rootkits themselves persist once I reinstall Linux by wiping my drive (through the installer)? Also, how about scanning for bootkits especially (so the ones that are attached to my motherboard)? Are there some good tools for it? Any advice is welcome, thank you all for being helpful so far. Also, what is the safest way to transfer my backed-up files from my external hard drive once I am sure that there is no malware? I’ve read that hard drive firmware might be infected by the malware too.

To my knowledge, this depends on where the rootkit lives. If the rootkit lives in your normal partitions, then wiping the drive would of course make them go away. But if the rootkit messed with/embedded itself within your firmware or UEFI… that’s a whole different story.

I’m by no means an expert on this subject, of course. You should wait for more experienced users (@dalto @Kresimir @joekamprad) to chime in.

2 Likes

No problem, Anthony, you have been very helpful, and thanks.