back to article Classic Shell, Audacity downloads infected with retro MBR nuke nasty

Classic Shell and Audacity downloads were booby-trapped this week with an old-school software nasty that knackered victims' Windows PCs. Hackers were able to inject some retro-malware into the popular applications' installers hosted on fosshub.com, an official home for Classic Shell and Audacity releases among other software …

Page:

  1. Anonymous Coward
    Anonymous Coward

    I don't have an MBR. Will these cretins consider supporting GUID partition table / UEFI in their next release?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      What, you want support by virus writes?

      1. Anonymous Coward
        Gimp

        Nobody likes being ignored :(

        Can we have an OS X MacOS version too, please?

    2. jacksawild
      Alert

      Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.

      1. Hans 1 Silver badge
        Happy

        >Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.

        Upvovoted, but, Windows Cleaner and Suface Experts do not understand that downloading something from some rogue website and installing it is insecure. They do not know what MBR is, or EFI for that matter ... else they would have jumped to Linux/FreeBSD/AnythingButRedmond a long time ago.

        In short, you are wasting your time with these n00bs.

    3. anonymuos

      UEFI affected as well

      This particular malware was very new and detected only by AVG and Kaspersky as a generic threat. It makes UEFI PCs unbootable as well. Only Secure Boot PCs were not affected.

      1. Anonymous Coward
        Anonymous Coward

        Re: UEFI affected as well

        "This particular malware was very new and detected only by AVG and Kaspersky as a generic threat."

        Which in my opinion only goes to show you of what poor quality most virus scanners actually are. I'm not talking about detection here but prevention. Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?

        1. Ken Hagan Gold badge

          Re: UEFI affected as well

          "Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?"

          I had a BIOS that did that, about twenty years ago, so it's not that hard. However, I haven't had a similar warning anytime recently, so apparently it isn't something that modern BIOSes bother with.

      2. Anonymous Coward
        FAIL

        Re: UEFI affected as well

        > It makes UEFI PCs unbootable as well. Only Secure Boot PCs were not affected.

        Get a grip!

        Only PCs running M$ Windows were affected.

        1. anonymuos

          Re: UEFI affected as well

          This malware ran from Windows but the OS is irrelevant here. Once it gets admin rights, it can run from any OS to overwrite the MBR or wreak havoc on the EFI system partition. The installer was not signed but users ignored it. It was user-error.

      3. Duffaboy
        Trollface

        Re: UEFI affected as well

        So did not Norton detect it ?

        1. Kiwi Silver badge
          Trollface

          Re: UEFI affected as well

          So did not Norton detect it ?

          That should be pretty obvious. It's malware. Of course Norton wouldn't detect it!

  2. Kanhef

    UAC limitation

    A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.

    1. Ilgaz

      Re: UAC limitation

      It isn't the hassle, signing software requires real money and these apps are free. Some people are also ideologically against it.

      Also signed apps can still do nasty things, signature just means signature, there is no kind of control there.

    2. Ken Hagan Gold badge

      Re: UAC limitation

      Had it been signed by Ivan Beltchev, would you have installed it?

      1. Dan Paul

        Re: UAC limitation

        The correct version was signed by Ivan Beltchev and I just happen to know that is his creation.

        He is one of the few FOSS software people who do sign their work properly.

  3. Anonymous Coward
    Anonymous Coward

    I'm curious whether any AV packages picked this up, by pattern or heuristics

    1. Ilgaz

      same here

      Actually I will pay a yearly subscription if there is any AV which detected it just by heuristics. Back in 1990 we had a-tool on Amiga which could detect such out of nowhere boot block overwrites. If they can't detect such attacks, why do they waste CPU?

  4. AustinTX
    Thumb Up

    Download Only From Sources You Can Trust

    This is yet another reason one should only download safe and signed applications from the Microsoft Online Store!

    1. Anonymous Coward
      Anonymous Coward

      Re: Download Only From Sources You Can Trust

      Signed repositories are the solution to software distribution.

      But I'm guessing Microsoft's policies aren't very FOSS friendly?

    2. h4rm0ny

      Re: Download Only From Sources You Can Trust

      Software doesn't need to be from the MS Store to be signed. As this story shows, Classic Shell normally is signed and a different and quite clear warning was displayed for the pirated version.

      1. Anonymous Coward
        Paris Hilton

        Re: Download Only From Sources You Can Trust

        Seems a couple of commentards have forgotten to turn on their sarcasm detectors this morning!

        (Check OP's punctuation!)

        !!!!one

        1. Anonymous Coward
          Anonymous Coward

          Re: Download Only From Sources You Can Trust

          See the Joke , Get My Coat Icons? They are there for pointing out joke comments, otherwise you can just end up looking like a tit.

          1. VinceH Silver badge

            Re: Download Only From Sources You Can Trust

            Sometimes a joke is funnier when its nature is less than obvious to some.

          2. Yag

            Re: Download Only From Sources You Can Trust

            If you need a huge obvious icon to detect such an obvious joke, try to avoid watching political meetings, rallies and debates...

    3. Mark Simon
      Paris Hilton

      Re: Download Only From Sources You Can Trust

      This is humour, isn’t it … ?

    4. Chika
      FAIL

      Re: Download Only From Sources You Can Trust

      Shill alert!

      Or at the very least an attempt at humour. Weak!

    5. AustinTX

      Re: Download Only From Sources You Can Trust

      Aaaaargh! Have mercy, good people! Of COURSE it was sarcasty!

      But I think it's hilarious how many people were unsure and actually downvoted!

  5. frank ly Silver badge

    A good example

    "We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization."

    Admit you made mistakes, recognise your shortcomings and work like heck to put them right. It's a refreshing change and I hope it starts a trend.

    1. Anonymous Coward
      Unhappy

      Re: A good example

      I think it's disgusting....

      We all know should be:

      "We take our customers safety very seriously and are suggesting they reset their passwords. We apologise for any inconvenience caused."

      No joke icon, as it's the normal boilerplate reply.

      1. VinceH Silver badge

        Re: A good example

        You forgot that it should mention "small number of users" that were affected.

        1. Anonymous IV

          Re: A good example

          You also forgot to finish with

          © 2016 Dido Harding

  6. wolfetone Silver badge

    The problem with that pop up window is that people who know about computers will know it's a pain in the ass, but they'll have gotten their software from a trusted source.

    People with no idea about computers will click OK to anything because they know that's the only way to install the thing they downloaded.

    There is no patch for human stupidity, but there may be a way to alter their MBR?

    1. Hans 1 Silver badge

      >There is no patch for human stupidity, but there may be a way to alter their MBR?

      Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ....

      1. wolfetone Silver badge

        "Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ...."

        But Windows 7 has the same stupid notification bullshit that allows this problem to carry on.

    2. Nolveys Silver badge

      The problem with the popup window is that users have to click on such windows _all_ _the_ _time_ and that the message is completely non-specific. A message such as:

      "This software wishes to:

      - install itself for all users to use

      - add itself as a service

      - hook into explorer.exe

      - hook into winlogin

      - perform low-level disk modifications

      Do you wish to continue?"

      Would help immensely. Of course this would require some sort of capabilities-based privilege elevation and associated API.

      1. Ken Hagan Gold badge

        On paper, MSIEXEC could do all of that. The MSI file that you feed it could be just data and the operations that it requests on its behalf could be sanity checked and classified for end-user (well, Administrator) approval.

        In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to inury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.

        All this has been true since MSI debuted almost (?) 20 years ago. MS has never felt it necessary to add these features. There *may* be an option, buried deep inside some Group Policy template, to disable custom actions. Or there may not. Since it isn't enabled, or advertised, by default it hardly matters whether it exists or not.

        Tl;dr: the Windows Installer is utter, utter loathesome crap.

        1. Anonymous Coward
          Anonymous Coward

          >In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain >custom DLLs that do anything you want as the running user. To add insult to inury, there's an >instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.

          You mean like running a program as root on Linux?

          1. Naselus

            "You mean like running a program as root on Linux?"

            Yes, but that's different, because reasons.

  7. petur

    more info

    http://www.classicshell.net/forum/viewtopic.php?f=12&t=6441

    and to help fix it

    http://www.classicshell.net/forum/viewtopic.php?f=12&t=6440

    1. Anonymous Coward
      Anonymous Coward

      Re: more info

      Very good link to their forums, seems they know what they are doing and they were very helpful.

      And no snark like here!

  8. Tony W

    Would this be detected on check?

    As others have pointed out, quite a lot of legitimate sw produces unknown publisher warning. I scan all exe and zip downloads before running though. I also use Scotty that detects changes to startup programs. Am I just getting a false sense of security by doing this?

    1. phuzz Silver badge
      Thumb Down

      Re: Would this be detected on check?

      A virus scanner is unlikely to pick up a brand new threat (although I assume this one is in the databases of most virus scanners by now), so that probably wouldn't have helped you.

      Also, a change to the MBR is 'before' any OS is loaded, or startup programs, so monitoring here wouldn't have helped either (assuming this malware just altered the MBR and didn't install it's own startup program).

      What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.

      tl/dr: no, your current defences would probably not have helped defend against this specific malware.

      1. Pascal Monett Silver badge

        Re: Also, a change to the MBR is 'before' any OS is loaded

        I don't think so. The MBR was changed by the execution of the nasty. Besides, if no OS is loaded, how can any change be made ? Something has to run the code that makes the change.

        Why this MBR rewrite could fly under the AV radar is beyond me. Is the MBR being regularly rewritten by the OS all day ? Don't think so. So why does MBR access not trigger a humongous red screen with nukular* blast in the background and big white lettering saying "HEY, SOMEBODY WANTS TO RECONFIGURE YOUR DISKS - ARE YOU SURE ???" and a nice red button with "FUCK NO" written on it to abort.

        But no, apparently any piece of code can just go and write to the MBR. No problem here, no sir, carry on while I slow the Internet down with all the Flash checking I have to do. . .

        * yes, I did write nukular on purpose

        1. Jim Mitchell
          Flame

          Re: Also, a change to the MBR is 'before' any OS is loaded

          @ Pascal Monett

          Even without AV, the OS should block this. Windows UAC will query for writes to system files, but I can blow away the MBR without any question? On a related note, I was surprised when the BIOS update program from the manufacturer ran fine without Windows asking for user approval of any kind.

          1. phuzz Silver badge

            Re: Also, a change to the MBR is 'before' any OS is loaded

            I assume that the malware did bring up a UAC prompt, but as the users thought they were installing legitimate software they clicked it without noticing that it was unsigned.

            I have seen BIOS's which block any writes to the MBR, but of course you have to turn this off before you install an OS, and remember to turn it on later. I've not seen it in a BIOS for a few years now.

      2. jelabarre59 Silver badge

        Re: Would this be detected on check?

        What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.

        SecureBoot is not reviled because it checks your boot process. It's reviled because Microsoft have appointed themselves God And Holy Gatekeeper of SecureBoot, allowing no others control over it. Properly done you should be able to register your OWN keys into it's index when you install a new OS. But MS are doing everything possible (and I didn't even say everything "legal") to make sure it stays that way.

  9. Anonymous Coward
    Anonymous Coward

    "We did not have the right safeguards in place"

    Nice breath of fresh air admitting how they fucked up & how they're fixing it:

    Non-commercial outfit -> Honesty...

    Commercial outfit -> Lies / Spin...

    1. Anonymous Coward
      Unhappy

      Re: "We did not have the right safeguards in place"

      Non-commercial - no point suing.

      Commercial - chance to sue.

      Unfortunately that's the way of the world these days. Run by lawyers and opportunists with short term aims.

  10. yossarianuk

    More reason to use Linux

    Installing Audacity on Linux is genrally done via a centralised package manager where it is far far far harder for an attacker to upload a malware version - you are much safer that finding the same software on Windows.

    Opensource of windows involves visiting random sites, which often have about 20 different download links (most are not real download buttons but just a link to another random advert).

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019