How to stop writing my ISO's as Rock Ridge/Joliet

Edit: I may have included too much additional information; I tried to provide enough data so that others who have experienced this, or may experience it in the future, are able to locate this thread through search engines and hopefully get a resolution to the issue.

This gets called any time I download an ISO and I can't figure out how to make it stop. It's able to replace the freshly downloaded ISO with the Rock Ridge version instantaneously, before I could even run a dd command or launch Disk Image Writer to get the fresh ISO written to disk before it is modified.

xorriso -as mkisofs -R -r -J -joliet-long -l -cache-inodes -iso-level 3 --grub2-boot-info --grub2-mbr /usr/lib/grub/i386-pc/boot_hybrid.img -efi-boot-part --efi-boot-image -v -A "application_id" -p "preparer" -publisher "publisher" -V "cdlabel" --modification-date=20240XXXXXXXX -no-emul-boot -boot-load-size 4 -boot-info-table -b boot/grub/grub_eltorito -eltorito-alt-boot -e boot/grub/efi.img -no-emul-boot -isohybrid-gpt-basdat -isohybrid-apm-hfsplus -o /home/user/derivative-binary/17.2.3.7/Kicksecure-Xfce-17.2.3.7.iso /home/user/derivative-binary/Kicksecure-Xfce_iso-tmp

I don't think I'm on the real Kicksecure anymore. A lot of things that shouldn't be enabled by default are enabled, like bluetooth.service; overlayfs, fuse, and ntfs-3g are also enabled. My xdg-user-dirs is normally /home/user/.config I think; it has been changed to point to /usr/bin/share/, so that I load flatpaks from the wrong directory, just like the flatpak escape 0day did.

The documentation (man pages, for example) isn't even the same, and my grub menu shows that lines have been removed; there is a new line added that is an if/fi statement to insert two more kernel modules named lzopio and xen (I think that's the name of them, very close if not). It seems like the lower deck of the overlayfs is hooking into the upper deck with some malicious binaries and shared objects; deleting anything hooked into the upper deck causes a crash. The lower deck is all lib32 software running on a squashfs.img, and its dependencies get mangled in with my own: I have to download SSH libs for apps that don't require networking to function, or other random packages that should not be dependencies. I also have to delete the boot order using efibootmgr and modify my grub entry in order to actually boot into the system at the lower deck. Even figuring out how to boot into the lower deck of the system doesn't solve the problem though, unfortunately.

It's not as simple as reformatting my USB drive and secure-erasing my SSD, then using a fresh ISO; it's like the data doesn't really get wiped from the USB even though it appears that way to software like gparted and gnome-disks reading the disk image. I have wiped it, then brought it over to a remote location, away from my potentially infected machine, and it still manages to write that same ISO with the overlayfs and Rock Ridge ISO.

So, what I'm trying to get at is: has anyone dealt with this before? What can I do aside from considering my devices trashed? I'm strongly considering dumping this data publicly out of frustration, but something doesn't feel right about doing that; somebody certainly put a lot of time and effort into developing and writing documentation for this system.

As mentioned earlier, the man pages and Python documentation are not standard; almost all of the binaries serve an alternate purpose than their name would lead you to believe. For example, I can run 'gpic FILENAME > OUTPUT.txt' and deobfuscate data hidden inside of files. There is a man page for GNUstep (if I recall correctly) that's as long as a novel, and it goes into detail about how to write code in order to cause a buffer overflow in the kernel. So sharing something like that publicly seems to me like I would be destroying the hard work of someone or some group of individuals who have put a lot of time into it. As much as I hate what they did to me, I'm also in awe of their work and the complexity of the system at the same time.

Is this a known thing that others are getting attacked with in the wild, or is it more likely a targeted attack and not widespread? Locally it seems to spread like a worm via USB and through the network; the boot loader they force me to boot from contains a kernel for Windows, Mac, and Linux (version 5.1, unsupported and out of date), so even switching operating systems does not solve the problem. I hope someone can provide a solution that doesn't involve throwing my machine into the dump.
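The -R/-r/-J flags in the xorriso invocation quoted above explicitly request Rock Ridge and Joliet extensions, which are ordinary parts of an ISO 9660 image (POSIX metadata and long file names) rather than something done to an ISO after download. Whether a given image actually carries them can be read straight from its volume descriptors and root directory, without trusting any tool on the suspect system. The script below is an added example, not code from the original post or from the Kicksecure project: all function names are mine, and build_image constructs a minimal synthetic image (constructed test data, not a real Kicksecure ISO) so the script runs offline.

```python
"""Inspect an ISO 9660 image for Joliet and Rock Ridge/SUSP extensions.

Added example; function names and the synthetic image builder are
assumptions for illustration, not Kicksecure or xorriso code.
"""
import struct
import sys

SECTOR = 2048
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")            # UCS-2 level 1/2/3
RR_SIGNATURES = {b"RR", b"PX", b"PN", b"SL", b"NM", b"CL", b"PL",
                 b"RE", b"TF", b"SF", b"ER"}          # Rock Ridge entry tags


def _dir_record(extent, size, ident, system_use=b""):
    """Build one ISO 9660 directory record with the directory flag set."""
    body = bytearray(b"\x00")                          # extended attribute length
    body += struct.pack("<I", extent) + struct.pack(">I", extent)
    body += struct.pack("<I", size) + struct.pack(">I", size)
    body += b"\x00" * 7                                # recording date (unused)
    body += b"\x02\x00\x00"                            # flags=directory, unit, gap
    body += struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
    body += bytes([len(ident)]) + ident
    if len(ident) % 2 == 0:
        body += b"\x00"                                # pad so system use starts even
    body += system_use
    if len(body) % 2 == 0:                             # record length must be even
        body += b"\x00"
    return bytes([len(body) + 1]) + bytes(body)


def _descriptor(vtype, root_record, escape=b""):
    """Build a primary (type 1) or supplementary (type 2) volume descriptor."""
    d = bytearray(SECTOR)
    d[0] = vtype
    d[1:6] = b"CD001"
    d[6] = 1
    d[40:72] = b"TESTVOL".ljust(32)                    # volume identifier
    d[88:88 + len(escape)] = escape                    # Joliet escape sequence
    d[156:190] = root_record                           # 34-byte root directory record
    return bytes(d)


def build_image(joliet=False, rock_ridge=False):
    """Constructed minimal image: system area, descriptors, one root directory."""
    n_desc = 3 if joliet else 2                        # PVD [+ SVD] + terminator
    root_extent = 16 + n_desc
    root = _dir_record(root_extent, SECTOR, b"\x00")
    descs = [_descriptor(1, root)]
    if joliet:
        descs.append(_descriptor(2, root, b"%/E"))
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1     # set terminator descriptor
    descs.append(bytes(term))
    su = b""
    if rock_ridge:
        su = b"SP" + bytes([7, 1, 0xBE, 0xEF, 0])      # SUSP indicator entry
        su += b"RR" + bytes([5, 1, 0x89])              # Rock Ridge marker entry
    dot = _dir_record(root_extent, SECTOR, b"\x00", su)
    dotdot = _dir_record(root_extent, SECTOR, b"\x01")
    root_sector = (dot + dotdot).ljust(SECTOR, b"\x00")
    return b"\x00" * (16 * SECTOR) + b"".join(descs) + root_sector


def inspect_iso(read_sector):
    """read_sector(lba) -> 2048 bytes. Report which extensions the image carries."""
    found = {"joliet": False, "susp": False, "rock_ridge": []}
    root, lba = None, 16                               # descriptors start at sector 16
    while True:
        d = read_sector(lba)
        if len(d) < SECTOR or d[1:6] != b"CD001":
            raise ValueError(f"no ISO 9660 volume descriptor at sector {lba}")
        if d[0] == 255:                                # set terminator
            break
        if d[0] == 1:
            root = d[156:190]
        elif d[0] == 2 and d[88:91] in JOLIET_ESCAPES:
            found["joliet"] = True
        lba += 1
    if root is None:
        raise ValueError("primary volume descriptor missing")
    extent = struct.unpack_from("<I", root, 2)[0]
    first = read_sector(extent)                        # root dir: "." entry comes first
    rec_len, id_len = first[0], first[32]
    su_start = 33 + id_len + (1 if id_len % 2 == 0 else 0)
    su = first[su_start:rec_len]                       # system use area of "."
    pos = 0
    while pos + 4 <= len(su):                          # walk SUSP entries: sig, len, ver
        sig, length = su[pos:pos + 2], su[pos + 2]
        if length < 4:
            break
        if sig == b"SP" and su[pos + 4:pos + 6] == b"\xbe\xef":
            found["susp"] = True
        elif sig in RR_SIGNATURES:
            found["rock_ridge"].append(sig.decode())
        pos += length
    return found


def inspect_bytes(image):
    return inspect_iso(lambda lba: image[lba * SECTOR:(lba + 1) * SECTOR])


def inspect_file(path):
    with open(path, "rb") as f:
        def read_sector(lba):
            f.seek(lba * SECTOR)
            return f.read(SECTOR)
        return inspect_iso(read_sector)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(inspect_file(path) if path else inspect_bytes(build_image(True, True)))
```

Run it as `python3 isocheck.py Kicksecure-Xfce-17.2.3.7.iso` on a machine you do trust; an image built with the command above is expected to report joliet and Rock Ridge entries, so their presence alone says nothing about tampering. What would be worth checking is whether the downloaded file matches the checksum and signature published for that release, which this script does not do. The isoinfo tool from the genisoimage package prints the same extension information with `isoinfo -d -i file.iso` if you would rather not run your own parser.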

Where, how do you see that this command gets executed anytime you download an ISO?

I highly doubt it.

I highly doubt that too.

Sounds like the most sophisticated malware ever.

Even Stuxnet, Flame, Duqu, Operation Triangulation aren’t multi operating system capable.

Such highly sophisticated malware would usually attempt to stay stealthy. The user wouldn't notice it. This is elaborated in the wiki chapter Valid Compromise Indicators versus Invalid Compromise Indicators.

This is because the development effort to create such malware is so expensive that it's not supposed to be detected. How expensive? My first guess is far in excess of $100K USD and several months or years of development work.

So you must be an extremely valuable target.

However, this case is a strange combination, because…

This is impossible to happen by accident as a side effect of the malware. The XZ Utils backdoor - Wikipedia had side effects such as high CPU usage and longer SSH login times, but nothing even remotely similar to what you're describing.

This can only happen if source code was specifically written to purposefully change the system behavior. Someone must have written that novel or at least copied it into the source code of malware or installed it later post system compromise.

So what would be happening here is Zersetzung - Wikipedia, because these effects are intentional, and no malware developer can be as stupid as to replace a man page with a novel by mistake. This can only be intentional.

The Kicksecure project does not offer system / malware audits. For the reasons why that is so, see the wiki chapter Malware Audits.

I had an interesting chat with ChatGPT about this topic, which might be useful for inspiration on what you can do next.

1 Like

You might want to take a look at Malware, Computer Viruses, Firmware Trojans and Antivirus Scanners; malware as a general rule does not make itself obvious, because that runs entirely against the point of making malware in the first place.

Where did you get that xorriso command from?

Bluetooth is intentionally enabled in Kicksecure; there are features that make it safer baked into the distro.

overlayfs is intentionally provided in Kicksecure; it is even used in the "live mode" feature.

FUSE is intentionally provided in Kicksecure; it's necessary to run AppImages and the like, and should be present on pretty much all distros.

NTFS-3g lets you access NTFS drives, which is another thing many distros enable and which is useful for many users.

You haven’t indicated what you think the manpages should look like, so I’m not sure what’s unusual there.

I think you understand what I’m getting at. So far none of what you’ve shown indicates compromise for sure. That’s not to say you definitely aren’t compromised (you can’t prove a negative), but there isn’t sufficient evidence of it here. If you are a high-profile target (most people aren’t), whoever’s targeting you probably isn’t foolish enough to make themselves this obvious. If you aren’t a high-profile target, it’s very unlikely that someone would rationally pour this much effort into attacking you.

1 Like

To expand on that…

An extremely valuable target, either due to monetary richness or other factors of power such as public influence. Normal people are not being attacked with such extremely sophisticated malware.

So if this is a priority issue for you to resolve, and if affordable, this is the best time ever to hire a professional IT support company or malware researcher. (No specific recommendations are being made.)

Unfortunately, I am certain that in many places you would get accused of trolling. But then again, Artificial Intelligence can help.

I’ve just posted your public forum post into the AI and added:

Some commentators are accusing the user of trolling. What can be done to not get perceived as trolling?

Here is the result:

The technological points ChatGPT is making aren't that great, but the general advice on how to draft these kinds of inquiries is helpful.

For communication in free, public support places (such as this forum), I suggest reporting only one very specific issue at a time. See also:

For example:

Steps to reproduce the behavior:

man gnustep

Expected result:

My man page should have the same content as on GNUstep(7) — gnustep-common — Debian bookworm — Debian Manpages.

Actual result: