I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the drm in RAM. It required admin permissions, I didn't trust it, but i ran in a vm and nothing happened.
Then i told myself "i have microsoft defender and windows firewall control, they will warn me" and I ran it in my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader but with a different program version had a similar result. I gave up.
Then i reboot, and firstly i notice a couple DOS prompts flashing on the screen, and windows firewall control asking me if "aspnet_compiler.exe" is allowed to access the internet or not.
Suspicious, i go to check that "aspnet_compiler.exe" and it's located in the .net system folder, i scan it with microsoft defender and it doesn't report as a virus. I do not pay attention to the fact that it doesn't have a valid Microsoft signature, and i tell myself "probably just a windows update" and i whitelist it on the firewall.
After a few hours I realize "wait a minute: it's impossible that an official windows exe isn't signed by microsoft!" I go back to scan it, not infected... or it looks like, defender says "ignored because in whitelist". What? The "loader" put c:* in the whitelist!
The "crack loader" wasn't a virus per se. It dropped an obfuscated batch in startup, which had a base64 encoded attachment of the actual malware, that was copied in the .net framework directory with unassuming names...
And this for a $60 perpetual license program that i should buy anyway because it's for work
I literally just watched this video yesterday which, as you mention yourself, talks about how modern malware will add itself to the exclusion list aka whitelist.
~Anyway~ ~this~ ~is~ ~a~ ~good~ ~reason~ ~to~ ~try~ ~linux...~
Not for long, Linux will get targeted like this as it becomes more popular. It's more of an argument for OpenBSD if anything, since OpenBSD will never be popular on desktop and it's developers take security very seriously.
There are two layers to this (actually a lot more but)
What you are describing is mostly supply chain. It is the idea that the package manager's inventory should be safe. And that is already a nigh impossible task simply because so many of the packages themselves can be compromised. It seems like every other year there is a story of bad actors infiltrating a project either as an attack or as a "research paper". But the end result is you have core libraries that may be compromised.
But the other side is what impacted OP and will still be an issue even if said supply chain is somehow 100% vetted. People are inherently going to need things that aren't in a package manager. Sometimes that is for nefarious reasons and sometimes it is just because the project they are interested in isn't at the point where it is using a massive build farm to deploy everywhere. Maybe it involves running blind scripts as root (don't fucking do that... even though we all do at some point) and sometimes it involves questionable code.
And THAT is a very much unsolved problem no matter what distro. Because, historically, you would run an anti-virus scan on that. How many people even know what solutions there are for linux? And how many have even a single nice thing to say about the ones that do?
You're probably not wrong. The AUR has become an increasingly more popular target for malware.
Ubuntu had issues with it's snap store as well. I think there will be more security oriented distros in the future like Kodachi, but it's best to be cautious in general these days.
Lest we forget about the Xubuntu malware thing that just happened recently. It only targeted windows users though.
There's no reason why Linux would be immune to this. If anything you're probably not running any AV on Linux so if you did get infected you'd probably never notice until it starts being a pain.
I guess in theory you're right. If you're executing code, you're executing code. But usually when executing EXE files it tends to target Windows machines, but yeah, there's no way of telling if it'll recognize it's in a linux environment and do it's thing there as well.
Especially because OP mentioned he just clicked "Yes"/"Allow" to all the super user prompts.
Now personally I don't run an Arch system and only install software from my distro + flatpak; So I feel pretty secure for now. But I can see that trend buckling as the AUR is already under attack.
Programs running on Wine still have access to all of the files that you do. They won't be able to mess with system files unless they can find some sort of privilege escalation exploit in Wine though.