Classic Shell, Audacity downloads infected with retro MBR nuke nasty

Classic Shell and Audacity downloads were booby-trapped this week with an old-school software nasty that knackered victims' Windows PCs. Hackers were able to inject some retro-malware into the popular applications' installers hosted on fosshub.com, an official home for Classic Shell and Audacity releases among other software …

  1. Anonymous Coward
    Anonymous Coward

    I don't have an MBR. Will these cretins consider supporting GUID partition table / UEFI in their next release?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      What, you want support by virus writers?

      1. Anonymous Coward
        Gimp

        Nobody likes being ignored :(

        Can we have an OS X MacOS version too, please?

    2. jacksawild
      Alert

      Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.

      1. Hans 1 Silver badge
        Happy

        >Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.

        Upvoted, but, Windows Cleaner and Surface Experts do not understand that downloading something from some rogue website and installing it is insecure. They do not know what MBR is, or EFI for that matter ... else they would have jumped to Linux/FreeBSD/AnythingButRedmond a long time ago.

        In short, you are wasting your time with these n00bs.

    3. anonymuos

      UEFI affected as well

      This particular malware was very new and detected only by AVG and Kaspersky as a generic threat. It makes UEFI PCs unbootable as well. Only Secure Boot PCs were not affected.

      1. ShelLuser

        Re: UEFI affected as well

        "This particular malware was very new and detected only by AVG and Kaspersky as a generic threat."

        Which in my opinion only goes to show you of what poor quality most virus scanners actually are. I'm not talking about detection here but prevention. Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?
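The check ShelLuser is asking for can at least be done after the fact: snapshot the first sector once, then compare it on every boot or on a schedule, distinguishing a changed boot code area from a changed partition table. The following is an added example (not code from the article, the commenters, or any AV product) that parses a 512-byte MBR into boot code, the four partition entries and the 0x55AA signature, and diffs a current read against a saved baseline. The two sectors it runs on are constructed in the block, one healthy disk with a single bootable NTFS partition and one zero-filled sector; the `read_first_sector` helper for a real device is an assumption about what a practitioner would call it, and needs administrator or root rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # x86 boot code occupies bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the parts a defender wants to baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(sector))
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for idx in range(4):
        off = PART_TABLE_OFF + idx * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"index": idx, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions,
            "signature_ok": signature == 0xAA55}


def compare_with_baseline(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means the MBR is unchanged."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    for before, after in zip(baseline["partitions"], current["partitions"]):
        if before != after:
            if before["type"] != 0 and after["type"] == 0:
                findings.append("partition %d removed" % before["index"])
            else:
                findings.append("partition %d changed" % before["index"])
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR image (test data only, never written to a disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for idx, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + idx * PART_ENTRY_LEN
        struct.pack_into("<B3xB3xII", sector, off,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


def read_first_sector(device_path: str) -> bytes:
    """Read the real MBR (hypothetical helper; needs admin/root).
    Windows: r'\\\\.\\PhysicalDrive0'   Linux: '/dev/sda'"""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


# Constructed sample 1: a healthy disk, dummy JMP + NOP boot code, one bootable NTFS (0x07) partition.
HEALTHY_BOOT_CODE = b"\xEB\x3C\x90" + b"\x90" * (BOOT_CODE_LEN - 3)
HEALTHY_MBR = build_mbr(HEALTHY_BOOT_CODE, [(True, 0x07, 2048, 204800)])

# Constructed sample 2: the same sector after a wiper zero-filled it: no code, no table, no signature.
WIPED_MBR = bytes(SECTOR_SIZE)


def demo() -> list:
    """Baseline the healthy sector, then report what changed in the wiped one."""
    baseline = parse_mbr(HEALTHY_MBR)
    return compare_with_baseline(baseline, parse_mbr(WIPED_MBR))


if __name__ == "__main__":
    for finding in demo():
        print("ALERT:", finding)
```

Store the baseline somewhere the machine itself cannot silently rewrite (a signed config, a management server), and expect legitimate changes too: OS setup, `bootrec`-style repairs and disk-management tools all rewrite this sector, so the alert is a prompt to investigate, not proof of malware.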

        1. Ken Hagan Gold badge

          Re: UEFI affected as well

          "Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?"

          I had a BIOS that did that, about twenty years ago, so it's not that hard. However, I haven't had a similar warning anytime recently, so apparently it isn't something that modern BIOSes bother with.

      2. Anonymous Coward
        FAIL

        Re: UEFI affected as well

        > It makes UEFI PCs unbootable as well. Only Secure Boot PCs were not affected.

        Get a grip!

        Only PCs running M$ Windows were affected.

        1. anonymuos

          Re: UEFI affected as well

          This malware ran from Windows but the OS is irrelevant here. Once it gets admin rights, it can run from any OS to overwrite the MBR or wreak havoc on the EFI system partition. The installer was not signed but users ignored it. It was user-error.

      3. Duffaboy
        Trollface

        Re: UEFI affected as well

        So did not Norton detect it ?

        1. Kiwi
          Trollface

          Re: UEFI affected as well

          So did not Norton detect it ?

          That should be pretty obvious. It's malware. Of course Norton wouldn't detect it!

  2. Kanhef

    UAC limitation

    A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.

    1. Ilgaz

      Re: UAC limitation

      It isn't the hassle, signing software requires real money and these apps are free. Some people are also ideologically against it.

      Also signed apps can still do nasty things, signature just means signature, there is no kind of control there.

    2. Ken Hagan Gold badge

      Re: UAC limitation

      Had it been signed by Ivan Beltchev, would you have installed it?

      1. Dan Paul

        Re: UAC limitation

        The correct version was signed by Ivan Beltchev and I just happen to know that is his creation.

        He is one of the few FOSS software people who do sign their work properly.

  3. Codysydney

    I'm curious whether any AV packages picked this up, by pattern or heuristics

    1. Ilgaz

      same here

      Actually I will pay a yearly subscription if there is any AV which detected it just by heuristics. Back in 1990 we had a tool on Amiga which could detect such out-of-nowhere boot block overwrites. If they can't detect such attacks, why do they waste CPU?

  4. AustinTX
    Thumb Up

    Download Only From Sources You Can Trust

    This is yet another reason one should only download safe and signed applications from the Microsoft Online Store!

    1. Anonymous Coward
      Anonymous Coward

      Re: Download Only From Sources You Can Trust

      Signed repositories are the solution to software distribution.

      But I'm guessing Microsoft's policies aren't very FOSS friendly?

    2. h4rm0ny

      Re: Download Only From Sources You Can Trust

      Software doesn't need to be from the MS Store to be signed. As this story shows, Classic Shell normally is signed and a different and quite clear warning was displayed for the pirated version.

      1. Anonymous Coward
        Paris Hilton

        Re: Download Only From Sources You Can Trust

        Seems a couple of commentards have forgotten to turn on their sarcasm detectors this morning!

        (Check OP's punctuation!)

        !!!!one

        1. Anonymous Coward
          Anonymous Coward

          Re: Download Only From Sources You Can Trust

          See the Joke, Get My Coat icons? They are there for pointing out joke comments, otherwise you can just end up looking like a tit.

          1. VinceH Silver badge

            Re: Download Only From Sources You Can Trust

            Sometimes a joke is funnier when its nature is less than obvious to some.

          2. Yag

            Re: Download Only From Sources You Can Trust

            If you need a huge obvious icon to detect such an obvious joke, try to avoid watching political meetings, rallies and debates...

    3. Mark Simon
      Paris Hilton

      Re: Download Only From Sources You Can Trust

      This is humour, isn’t it … ?

    4. Chika
      FAIL

      Re: Download Only From Sources You Can Trust

      Shill alert!

      Or at the very least an attempt at humour. Weak!

    5. AustinTX

      Re: Download Only From Sources You Can Trust

      Aaaaargh! Have mercy, good people! Of COURSE it was sarcasm!

      But I think it's hilarious how many people were unsure and actually downvoted!

  5. frank ly Silver badge

    A good example

    "We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization."

    Admit you made mistakes, recognise your shortcomings and work like heck to put them right. It's a refreshing change and I hope it starts a trend.

    1. Anonymous Coward
      Unhappy

      Re: A good example

      I think it's disgusting....

      We all know it should be:

      "We take our customers safety very seriously and are suggesting they reset their passwords. We apologise for any inconvenience caused."

      No joke icon, as it's the normal boilerplate reply.

      1. VinceH Silver badge

        Re: A good example

        You forgot that it should mention "small number of users" that were affected.

        1. Anonymous IV

          Re: A good example

          You also forgot to finish with

          © 2016 Dido Harding

  6. wolfetone Silver badge

    The problem with that pop up window is that people who know about computers will know it's a pain in the ass, but they'll have gotten their software from a trusted source.

    People with no idea about computers will click OK to anything because they know that's the only way to install the thing they downloaded.

    There is no patch for human stupidity, but there may be a way to alter their MBR?

    1. Hans 1 Silver badge

      >There is no patch for human stupidity, but there may be a way to alter their MBR?

      Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ....

      1. wolfetone Silver badge

        "Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ...."

        But Windows 7 has the same stupid notification bullshit that allows this problem to carry on.

    2. Nolveys Silver badge

      The problem with the popup window is that users have to click on such windows _all_ _the_ _time_ and that the message is completely non-specific. A message such as:

      "This software wishes to:

      - install itself for all users to use

      - add itself as a service

      - hook into explorer.exe

      - hook into winlogin

      - perform low-level disk modifications

      Do you wish to continue?"

      Would help immensely. Of course this would require some sort of capabilities-based privilege elevation and associated API.

      1. Ken Hagan Gold badge

        On paper, MSIEXEC could do all of that. The MSI file that you feed it could be just data and the operations that it requests on its behalf could be sanity checked and classified for end-user (well, Administrator) approval.

        In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.

        All this has been true since MSI debuted almost (?) 20 years ago. MS has never felt it necessary to add these features. There *may* be an option, buried deep inside some Group Policy template, to disable custom actions. Or there may not. Since it isn't enabled, or advertised, by default it hardly matters whether it exists or not.

        Tl;dr: the Windows Installer is utter, utter loathsome crap.

        1. Anonymous Coward
          Anonymous Coward

          >In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.

          You mean like running a program as root on Linux?

          1. Naselus Silver badge

            "You mean like running a program as root on Linux?"

            Yes, but that's different, because reasons.

  7. petur

    more info

    http://www.classicshell.net/forum/viewtopic.php?f=12&t=6441

    and to help fix it

    http://www.classicshell.net/forum/viewtopic.php?f=12&t=6440

    1. Anonymous Coward
      Anonymous Coward

      Re: more info

      Very good link to their forums, seems they know what they are doing and they were very helpful.

      And no snark like here!

  8. Tony W

    Would this be detected on check?

    As others have pointed out, quite a lot of legitimate sw produces unknown publisher warning. I scan all exe and zip downloads before running though. I also use Scotty that detects changes to startup programs. Am I just getting a false sense of security by doing this?

    1. phuzz Silver badge
      Thumb Down

      Re: Would this be detected on check?

      A virus scanner is unlikely to pick up a brand new threat (although I assume this one is in the databases of most virus scanners by now), so that probably wouldn't have helped you.

      Also, a change to the MBR is 'before' any OS is loaded, or startup programs, so monitoring here wouldn't have helped either (assuming this malware just altered the MBR and didn't install its own startup program).

      What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.

      tl/dr: no, your current defences would probably not have helped defend against this specific malware.

      1. Pascal Monett Silver badge

        Re: Also, a change to the MBR is 'before' any OS is loaded

        I don't think so. The MBR was changed by the execution of the nasty. Besides, if no OS is loaded, how can any change be made ? Something has to run the code that makes the change.

        Why this MBR rewrite could fly under the AV radar is beyond me. Is the MBR being regularly rewritten by the OS all day ? Don't think so. So why does MBR access not trigger a humongous red screen with nukular* blast in the background and big white lettering saying "HEY, SOMEBODY WANTS TO RECONFIGURE YOUR DISKS - ARE YOU SURE ???" and a nice red button with "FUCK NO" written on it to abort.

        But no, apparently any piece of code can just go and write to the MBR. No problem here, no sir, carry on while I slow the Internet down with all the Flash checking I have to do. . .

        * yes, I did write nukular on purpose

        1. Jim Mitchell
          Flame

          Re: Also, a change to the MBR is 'before' any OS is loaded

          @ Pascal Monett

          Even without AV, the OS should block this. Windows UAC will query for writes to system files, but I can blow away the MBR without any question? On a related note, I was surprised when the BIOS update program from the manufacturer ran fine without Windows asking for user approval of any kind.

          1. phuzz Silver badge

            Re: Also, a change to the MBR is 'before' any OS is loaded

            I assume that the malware did bring up a UAC prompt, but as the users thought they were installing legitimate software they clicked it without noticing that it was unsigned.

            I have seen BIOSes which block any writes to the MBR, but of course you have to turn this off before you install an OS, and remember to turn it on later. I've not seen it in a BIOS for a few years now.

      2. jelabarre59 Silver badge

        Re: Would this be detected on check?

        What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.

        SecureBoot is not reviled because it checks your boot process. It's reviled because Microsoft have appointed themselves God And Holy Gatekeeper of SecureBoot, allowing no others control over it. Properly done you should be able to register your OWN keys into its index when you install a new OS. But MS are doing everything possible (and I didn't even say everything "legal") to make sure it stays that way.

  9. Anonymous Coward
    Anonymous Coward

    "We did not have the right safeguards in place"

    Nice breath of fresh air admitting how they fucked up & how they're fixing it:

    Non-commercial outfit -> Honesty...

    Commercial outfit -> Lies / Spin...

    1. Anonymous Coward
      Unhappy

      Re: "We did not have the right safeguards in place"

      Non-commercial - no point suing.

      Commercial - chance to sue.

      Unfortunately that's the way of the world these days. Run by lawyers and opportunists with short term aims.

  10. yossarianuk

    More reason to use Linux

    Installing Audacity on Linux is generally done via a centralised package manager where it is far far far harder for an attacker to upload a malware version - you are much safer than finding the same software on Windows.

    Open source on Windows involves visiting random sites, which often have about 20 different download links (most are not real download buttons but just a link to another random advert).

    1. cambsukguy

      Re: More reason to use Linux

      Presumably MS do not charge authors for free programs in the store.

      So, if the win32 'wrapper' system is available, (soon/now?) then any of these downloads can be 'wrapped' and supplied via the store rather than as an msi, at least for Win10.

      1. yossarianuk

        Re: More reason to use Linux

        Can Microsoft really put GPL applications in their 'windows store' without breaking the GPL ?

        1. Jim Mitchell

          Re: More reason to use Linux

          @ yossarianuk

          "Can Microsoft really put GPL applications in their 'windows store' without breaking the GPL ?"

          Why not? They just need to make the source available with the download.

        2. Ken Hagan Gold badge

          Re: More reason to use Linux

          "Can Microsoft really put GPL applications in their 'windows store' without breaking the GPL ?"

          I don't see why not. They aren't offering it as part of their own product. It's just a transfer of data. Last time I downloaded some GPL-ed code, the bits passed through a number of commercial operations, such as my ISP. Even RMS doesn't have a problem with that ... surely?

          1. Vic

            Re: More reason to use Linux

            "Can Microsoft really put GPL applications in their 'windows store' without breaking the GPL ?"

            "I don't see why not"

            Then you might want to read the licence, as it gives the answer most explicitly.

            "They aren't offering as part of their own product. It's just a transfer of data"

            That does not matter one bit. If they are redistributing the code that is permissible only under the terms of the licence - which, for a commercial redistribution as this would be, requires either the transfer of source with the binary, or else a binding promise to supply that source on demand.

            Vic.

      2. Pen-y-gors Silver badge

        Re: More reason to use Linux

        Somehow I can't see MS being keen to distribute Classic Shell - an alternative to their own official crappy Start menu.

    2. Palpy

      Yes, the Linux repositories are safer. Sigh.

      But there is much more software available for Windows. AFAIK, Linux Audacity users don't have access to the variety of plugins that Windows Audacity users enjoy.

      The range of non-commercial software written for Windows used to be a lot of fun to explore. But once download sites started bundling PUPs with the installers and malware writers started co-opting downloads, the thrill done gone.

      (Written from non-Windows, non-Mac grandpaw box. Just so's you know it's not from a Win fanboi.)

      1. yossarianuk

        Re: Yes, the Linux repositories are safer. Sigh.

        Not more (validated) open source available,

        Linux Audacity seems to have a fair amount of plugins; it's lacking some VST plugins, sure, however it has plenty.

        Also using the jack plugin in Linux with a realtime kernel gets you as close to 0 latency as possible, something Windows cannot really do (using software alone)

      2. Mage Silver badge

        Re: There is much more software available for Windows

        Used to be true. However most of the engineering stuff I use hasn't been updated for years and doesn't work on various versions of Windows since XP (depending on application and version of windows).

        I've had good success with WINE on Linux Mint + Mate. The only newer programs I want are English QQ, which doesn't exist on Linux (nor work on WINE), Digiguide, Kindle Reader and Notepad++ (which all do work on WINE). Compilers are no problem. LibreOffice, Inkscape, Thunderbird, Calibre, Celestia, Gimp, Audacity, Filezilla, PuTTY, Eagle CAD, Xchat (or clone), Scratch, Stellarium, Apache, PHP, MySQL, Skype, etc are all on Windows and Linux "natively". Many programs have less bloated Linux alternatives. I guess maybe Sage Accounts and Payroll might be a problem, I don't know as I don't do IT support any longer, thank God.

      3. breakfast

        Re: Yes, the Linux repositories are safer. Sigh.

        I use Audacity a lot and around the current version there's not much difference between platforms.

        If you're dealing with a lot of VSTs that is a little different, though they do often work under Wine, but those tend to be more in the realm of serious studio recording, for which one would plausibly use something like Ardour on Linux rather than Audacity.

    3. Anonymous Coward
      Anonymous Coward

      Re: More reason to use Linux

      Yes that has its advantages, but I can't be the only Windows user who LIKES the fact that single files can be executables, easily downloaded, stored and transferred (and often still working on later versions of Windows), which is really convenient in many ways.

      And the downside on Linux is that, unless you're a real neckbeard Penguinista, you're forced to upgrade when your OS is getting long in the tooth and the repository is no longer maintained. I still haven't got to grips with how it all works behind the scenes and how to work around such things. I enjoy many things about Mint but I don't want to get that greasy under the hood right now!

      Plus, there's nothing stopping someone from setting up a centralised package manager system for Windows software - but is there such a thing? If the answer is no, then it's not likely that the demand is there, is it?

      And could Linux repositories be hacked anyway? Could the national security service intercept a download request and insert their own malicious version? Inquiring minds would like to know beneath their tinfoil hats!

      I'm just glad I haven't chosen to update my Audacity at the wrong time.

      Windows and Mint user (who sees both sides of the story)

      1. ADRM

        Re: More reason to use Linux

        This utility is a start in the right direction. I have used it a time or two on new installs of 7. Pick what you want and then off it goes.

        https://ninite.com/

      2. Jamie Jones Silver badge
        Devil

        Re: More reason to use Linux

        Could the national security service intercept a download request and insert their own malicious version? Inquiring minds would like to know beneath their tinfoil hats!

        I don't know about Linux, but FreeBSD keeps sha256 checksums of all its distfiles (separate from the distfiles themselves!)

        1. Anonymous Coward
          Linux

          Re: More reason to use Linux

          > I don't know about Linux, but FreeBSD keeps sha256 checksums of all its distfiles (separate from the distfiles themselves!)

          Very much the same on Debian & derivatives (secureapt)

          To the best of my knowledge, all the others have equivalent security mechanisms.

          1. Jamie Jones Silver badge
            Thumb Up

            Re: More reason to use Linux

            I suspected as much.

            Thanks for the clarification, AC!

      3. Naselus Silver badge

        Re: More reason to use Linux

        "I enjoy many things about Mint but I don't want to get that greasy under the hood right now!"

        Honestly, Mint is actually less secure than Windows these days (not Linux distros generally - just Mint, which is extremely amateurishly run and often skips critical security updates for extremely flimsy reasons). Most Linux admins I know think it's awful and advise people to avoid it if they want to really learn about Linux. Generally, the people who go around proselytizing Mint to anyone who'll listen don't understand WHY Linux is considered better than Windows, and think that just by using any Linux distro they've become computing experts; the equivalent of people who think 'Macs can't get viruses'.

  11. Scoured Frisbee
    Joke

    Cost of the attack?

    No estimate of the amount of damage from a well-qualified expert? Surely an attack of this magnitude and duration has IT costs running into the many many millions...

  12. Anonymous Coward
    Anonymous Coward

    News just in....

    Software you download might be malicious, & have vulnerabilities & bugs in it.

    Now over to Susan for the Weather....

    1. Destroy All Monsters Silver badge

      Re: News just in....

      ...where she is rudely interrupted in her explanation of tomorrow's rainy day by an offer to DOWNLOAD WINDOWS 10 NOW OR LATER?

  13. Dabooka Silver badge
    FAIL

    Where's that story about not being able to fix Layer 8?

    "When I installed it said it couldn't be trusted, I installed anyway"

    Case for the prosecution rests

    1. myhandler

      Re: Where's that story about not being able to fix Layer 8?

      Yes, but if you'd installed it many times before you'd just bounce over that and click OK. It would have got me..

      What is an untrusted source anyway? Everything?

      It's the sort of message you see when an email comes through from, let's say the National Trust, and it says 'certificate not trusted'. National Trust emails have been like that for months. (I know it's not the same, but it's similar)

      It's impossible to differentiate between an important message and a less important one.

  14. Prst. V.Jeltz Silver badge

    I've never worked anywhere that doesn't have browser certificate errors popping up everywhere because they or their software providers haven't paid / bothered to keep them up to date. And I've worked in some big places.

    I had one such error this morning in fact with a certain NHS trust not maintaining a particular certificate.

    Re the signed installer: I'd have fallen for that because a) the mentality outlined above, b) it's the regular download distribution point and as such reputable, like SourceForge.

  15. jason 7

    Ninite.com...

    ...for the win.

  16. ShelLuser
    Mushroom

    GPG

    This is why you should always use GPG to sign your stuff in my opinion. Hackers can redo CRC checksums with ease, but good luck trying to hack a 2048-bit RSA/DSA key.
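The difference between the checksum-only and the signature model that ShelLuser describes here, and the point Jamie Jones and the Debian reply make above about keeping the sha256 list separate from the distfiles, can be shown in a few lines. The block below is an added example, not code from the article, the commenters, FreeBSD ports or secure APT. It models a download site that hosts a file, a co-hosted checksum and a detached signature, then an attacker who controls that host and swaps the file. Three checks are run against both the genuine and the swapped download: a checksum fetched from the same host (which the attacker can regenerate), a checksum recorded out of band at release time, and a signature over the file. The key pair is textbook RSA with a ~512-bit modulus generated from a seeded RNG, which is a constructed toy to make the trust model visible offline; it is not the 2048-bit GPG key a real project would use, and the installer bytes are placeholders.

```python
import hashlib
import math
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (enough for a toy key, not for production)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and bottom bit set
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits: int = 256, seed: int = 2016):
    """CONSTRUCTED toy RSA key pair (textbook RSA, no padding): returns (public, private)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private) -> int:
    n, d = private
    return pow(sha256_int(data), d, n)        # 256-bit digest < 512-bit modulus


def verify(data: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == sha256_int(data)


def publish(installer: bytes, private) -> dict:
    """What the project puts on the mirror: file, co-hosted checksum, detached signature."""
    return {"file": installer,
            "sha256": hashlib.sha256(installer).hexdigest(),
            "signature": sign(installer, private)}


def attacker_swaps_installer(hosted: dict, trojan: bytes) -> dict:
    """Whoever controls the host can replace the file AND rewrite the checksum file,
    but without the private key the stale signature is all they can leave behind."""
    return {"file": trojan,
            "sha256": hashlib.sha256(trojan).hexdigest(),
            "signature": hosted["signature"]}


def cohosted_checksum_ok(hosted: dict) -> bool:
    return hashlib.sha256(hosted["file"]).hexdigest() == hosted["sha256"]


def out_of_band_checksum_ok(hosted: dict, known_sha256: str) -> bool:
    """Checksum from somewhere the attacker does not control (a ports tree, a signed Release file)."""
    return hashlib.sha256(hosted["file"]).hexdigest() == known_sha256


def signature_ok(hosted: dict, public) -> bool:
    return verify(hosted["file"], hosted["signature"], public)


PUBLIC_KEY, PRIVATE_KEY = generate_keypair()
GENUINE = b"constructed stand-in for the real installer bytes"      # placeholder content
TROJAN = b"constructed stand-in for the tampered installer bytes"   # placeholder content


def run_scenario() -> dict:
    """Which of (co-hosted checksum, out-of-band checksum, signature) pass for each download."""
    genuine = publish(GENUINE, PRIVATE_KEY)
    known = genuine["sha256"]                     # recorded out of band at release time
    swapped = attacker_swaps_installer(genuine, TROJAN)
    return {
        "genuine": (cohosted_checksum_ok(genuine), out_of_band_checksum_ok(genuine, known),
                    signature_ok(genuine, PUBLIC_KEY)),
        "swapped": (cohosted_checksum_ok(swapped), out_of_band_checksum_ok(swapped, known),
                    signature_ok(swapped, PUBLIC_KEY)),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, "co-hosted sha256:", result[0], "out-of-band sha256:", result[1], "signature:", result[2])
```

The swapped download sails through the co-hosted checksum and fails the other two, which is the whole argument for separating the checksum list from the files (FreeBSD's distinfo, APT's signed Release file) or signing the artefact. Note the signature only tells you the file is the one the key holder signed; as Ilgaz points out above, it says nothing about whether that file is benign, so the public key still has to come from a channel you trust rather than from the same download page.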

  17. earl grey Silver badge
    Flame

    why would you think MS store is secure

    When their so-called "fixes" try to infect my computer with win-x stuff?

  18. Gis Bun

    Ya. Saw the tiny file for Audacity. Decided to get it directly from Audacity's web site.

  19. bombastic bob Silver badge
    Black Helicopters

    It's a CONSPIRACY, I tell ya!

    "After I Installed the Windows 10 anniversary update I noticed it had uninstalled Classic Shell and had an even worse start menu as before,"

    AAAaaand the FORCING YOU TO RE-INSTALL 'Classic Shell' naturally exposes you to this "new" version which results in PUNISHING YOU for NOT using Micro-shaft's *GLORIOUS* *MODERN* *INTERFACE* (with the built-in ADVERTISING).

    So it's a CONSPIRACY from MICRO-SHAFT to *FORCE* you to *DO* *IT* *THEIR* *WAY* and *PREVENT* you from *BYPASSING* their *AD-CRAP* and *SPY-CRAP*!!! And they want to *KILL* the traditional 'start menu' interface that has worked for over 20 years! [and leverage it, and LOCK YOU IN, and CONTINUE to SUCK YOU DRY for every penny they can get]

    (well it's a fun conspiracy theory, at any rate)

    And wait until they do something REALLY heinous [as if it's possible to get worse], like re-sorting the start menu to put their "offerings" at the top, or (even worse than that) scroll them along with the 'all [cr]apps' list, so that only 2 or 3 items NOT being promoted by Micro-shaft will be in the list, at the bottom, below their 'preferential' list, forcing you to scroll-scroll-scroll to the 'W' to get 'windows cleanup' or whatever... [from now on my windows application start menu shortcut names start with the number '0', ha ha ha ha]

  20. Anonymous South African Coward Silver badge

    So glad I dodged that nasty bullet. Installed Classic Shell for a client last Sunday.

    Otherwise it would've been a case of Classic Hell for me....


Biting the hand that feeds IT © 1998–2019