Gentoo Forums
How do I find out if a shady program messed with my stuff?
Gentoo Forums Forum Index > Networking & Security
Dr. Banana (n00b)
Joined: 04 Aug 2021
Posts: 46

Posted: Tue Oct 18, 2022 3:18 pm    Post subject: How do I find out if a shady program messed with my stuff?

Please don't judge me too harshly for this, but I ran a Minecraft launcher (TLauncher) as root, and then I learned that it is known spyware: https://old.reddit.com/user/Inevitable-Cry7214/comments/t7wyit/stop_using_spyware_just_so_you_can_play_free/

However, it seems (and I am hoping) that the malicious side of it is only present in the Windows build, such as this: https://old.reddit.com/r/PiratedGames/comments/xo5rf2/about_tlauncher_spywaremalware_sorry_for_made/

My first impulse was to completely wipe my root partition, then I started wondering, what if I ran it with root again, but this time I would monitor what it accesses. So I tried using strace for that first, but it is too verbose, and I don't really understand most of the output. I tried firejail --trace, but there isn't any documentation on the output. So what I did was make a barebones apparmor profile and load it in complain mode, launch the programme (with sudo), close it and then read the apparmor related lines in journalctl. I've skimmed through the lines starting with 'AVC apparmor' and did a search for instances when the programme tried to execute something (the lines with `allowed_mask="x"` in them) or tried to write to something (the lines with `allowed_mask="w"` in them), and it only seemed to write/execute stuff in its own directory in /root (/root/tlauncher), some mesa shader cache stuff and things in /tmp, although there are a few shady lines saying that it apparently wrote to a file that has no path, and whose name is a random assortment of upper case letters and numbers.

So I was wondering if anyone experienced in this area would help me with two main things: determining whether the programme is doing something truly malicious, and some precautions I should take now that I have run it as root (e.g. revoke my gpg key).

Here is the output of journalctl (only the lines containing 'audit' at the beginning, and I've left out the middle part): https://raw.githubusercontent.com/DrBanana419/projects/master/jc2
_________________
Haters gonna hate,
Potatoes gonna potate.
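A small triage helper for the kind of log review Dr. Banana describes, written here as an added example (not code from the thread or from TLauncher): it parses AppArmor audit lines as journalctl prints them, unions whatever `*_mask` fields a line carries, and lists only write/exec events outside the directories the post calls expected, plus any event whose target has no path. The expected-directory list and the sample lines are constructed assumptions for the example, not entries from the linked log.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Directories the launcher was expected to touch, per the post (assumed exact paths).
EXPECTED_PREFIXES = ("/root/tlauncher/", "/root/.cache/mesa_shader_cache/", "/tmp/")
WRITE_FLAGS, EXEC_FLAGS = set("wacd"), set("x")   # AppArmor write/append/create/delete, exec
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare

def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line (as printed by journalctl) into its key=value fields."""
    if 'apparmor=' not in line:
        return {}                      # some other audit record type; ignore it
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def mask_flags(fields: Dict[str, str]) -> Set[str]:
    """Union of every *_mask field, so requested_mask, denied_mask and allowed_mask all count."""
    return {c for k, v in fields.items() if k.endswith('_mask') for c in v}

def classify(fields: Dict[str, str]) -> Optional[str]:
    """Why this event deserves a look, or None for reads and for expected write/exec targets."""
    name, flags = fields.get('name', ''), mask_flags(fields)
    if not flags & (WRITE_FLAGS | EXEC_FLAGS):
        return None                    # plain reads are not what we are hunting for
    if not name.startswith('/'):
        return 'no path (anonymous or unnamed file)'
    if name.startswith(EXPECTED_PREFIXES):
        return None
    return ('exec' if flags & EXEC_FLAGS else 'write') + ' outside expected dirs'

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, name) for every flagged line, in input order."""
    hits: List[Tuple[str, str]] = []
    for fields in map(parse_audit_line, lines):
        reason = classify(fields) if fields else None
        if reason:
            hits.append((reason, fields.get('name', '')))
    return hits

# Constructed sample lines in journalctl's AppArmor audit format (not from the linked log).
P = 'audit: type=1400 audit(1666103900.123:456): apparmor="ALLOWED" profile="tlauncher" '
SAMPLE_LOG = [
    P + 'operation="open" name="/root/tlauncher/settings.json" pid=4321 comm="java" requested_mask="w" denied_mask="w"',
    P + 'operation="exec" name="/root/tlauncher/jre/bin/java" pid=4321 comm="bash" requested_mask="x" denied_mask="x"',
    P + 'operation="open" name="/etc/passwd" pid=4321 comm="java" requested_mask="r" denied_mask="r"',
    P + 'operation="open" name="/root/.bashrc" pid=4321 comm="java" requested_mask="w" denied_mask="w"',
    P + 'operation="open" name="3F7A9C2B1D" pid=4321 comm="java" requested_mask="w" denied_mask="w"',
    P + 'operation="exec" name="/usr/bin/xdg-open" pid=4322 comm="java" allowed_mask="x"',
    'audit: type=1006 audit(1666103900.200:457): pid=1 uid=0 old-auid=4294967295 auid=0 res=1',
]
```

Feed it `journalctl -k | grep apparmor=` (or the saved log) via `triage(sys.stdin.readlines())`; a short hit list only narrows what to read by hand, and as the replies below point out, an empty one says nothing about what an earlier run may already have done.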
psycho (Guru)
Joined: 22 Jun 2007
Posts: 534
Location: New Zealand

Posted: Tue Oct 18, 2022 8:13 pm

Hi Dr. Banana.

As you already know (from "please don't judge me too harshly for this"), if you run something like this as root, you are flushing your system's security straight down the toilet, so personally I'd go with your first instinct there and fully reinstall from a clean backup: if I knew a system had run something like this on it as root, I'd regard that system as compromised and no longer trustworthy. You could argue that a full reinstall is a waste of time if the malware hasn't succeeded at doing anything worthwhile with its full permissions to do whatever it wants... but for rigorous security you should assume the worst on the grounds of "you don't know what you don't know". What you do know is that this malware had root access to your system, which is the holy grail for malware. If you know your chicken dinner's been infected by a deadly bacterium, do you get out the microscope and cut off the bits that look infected and then enjoy that meal? I guess if the thought of wasting good chicken horrifies you more than the thought of food poisoning, you might do that... but I'd just toss out the whole thing and get a clean one.
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 21633

Posted: Tue Oct 18, 2022 8:55 pm

To pile on, unless you can statically examine the logic of the questionable program, your traces cannot prove anything. How could you know that it has not made some innocuous looking modification that serves as a flag telling future runs not to do the evil changes? Your trace will show it reading that innocuous value, then not show any evil now because it was advised that the evil has already been done.
NeddySeagoon (Administrator)
Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

Posted: Tue Oct 18, 2022 9:35 pm

Dr. Banana,

If you need to ask, throw it all away and start again.
Restore your user data from your last known clean backups.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
All times are GMT