Batu69 Posted August 3, 2016

Some software programs on Fosshub, a free project hosting service, appear to be compromised and serve malware payloads. Fosshub is a popular file hosting service that software projects such as Classic Shell, qBittorrent, Audacity, MKVToolNix, and others use as their primary file download service. Basically, what these projects do is link either directly to download files hosted by Fosshub, or link to a download page for their programs on Fosshub.

A thread started on August 2 on the Classic Shell forum by a new user indicated that the user's computer would not boot Windows anymore after installing the application. The message displayed reads:

Quote:
AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR! IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE! DIRECT ALL HATE TO PEGGLECREW (@CULTOFRAZER ON TWITTER)

Other users replied stating that they too were experiencing issues. The malware payload included in the software installer overwrites the Master Boot Record of the operating system. Systems won't boot anymore because of it.

Windows users may correct the issue using a Windows Repair disc, a third-party solution like TestDisk, or backups if they have been created previously. If you can boot into recovery mode, running the commands bootrec /fixmbr, bootrec /fixboot and bootrec /rebuildbcd may also fix the issue.

It appears that the payload will overwrite only the Master Boot Record of the operating system. While that is still a nuisance, it is better than having to deal with malware that encrypts, deletes, steals or modifies data on the PC.

It is highly suggested to avoid downloading files from Fosshub for the time being until the issue is corrected on their end. It appears that at least some files are still infected at the time of writing. Most projects support download mirrors that you may use instead.

It is still suggested to verify the downloads on VirusTotal before you execute them just to be on the safe side.

Article source
bubbada Posted August 3, 2016

As far as I'm concerned, I see the SHA256 is different to the original, so the file was changed in some way. I uploaded my downloaded Classic Shell 4.3.0 installer to VirusTotal here (which I downloaded a few days ago) and, if still skeptical, from the Fosshub URL here too.

I recommend the HashCheck Shell Extension (no SHA256 though) be installed so you can find out the hash of a file to compare with the original one. That, or go one better with VT Hash Check (VT as in VirusTotal; you'll need an API key to be able to use the shell extension, which you can get when you sign up on VirusTotal's website).

Here are the official Classic Shell file signatures (MD5, SHA1 and SHA256 for each installer build).
Petrovic Posted August 3, 2016

It should go without saying that you should scan an executable before running it, even if it's coming from a trusted source. As the last few years have shown, though, a false sense of security loves to bite people over and over again.

On August 2nd 2016, for three hours, an external developer had their account compromised on Audacity's and Classic Shell's download server FossHub, and it was used to replace the legitimate installer with malware that overwrites the master boot record. Thanks to the quick response of the Audacity team, they quickly moved to take down the rogue download before too many people were affected.

Sadly it was a two-for-one deal, as not only Audacity was targeted, but also the popular Windows modification tool called Classic Shell. Classic Shell was also targeted and had its installer mirrored on FossHub replaced with the infected version. Unfortunately, this malware version of Classic Shell was downloaded approximately 300 times according to an official response posted by FossHub:

Quote:
The attackers uploaded a malware file on Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.
- http://www.audacityteam.org/compromised-download-partner/

When installing the malware version of Classic Shell, it was fairly easy to spot that something was not right. When the normal version is installed, it will display a UAC prompt that shows Ivaylo Beltchev as the publisher of the program. On the other hand, the malware version would have the publisher listed as Unknown.

When the malware version of Audacity and Classic Shell were installed, the malware would overwrite the master boot record so that it displays a message when the computer starts. This message states "AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR! IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE!".

This quote is a reference to the 1987 video game called ShadowGate, which was notorious for the number of ways you could die in the game.

A group named PeggleCrew claimed responsibility for the attack and explained that they did it to teach people a lesson.

Quote:
@AuraTheWhiteHat We also compromised Audacity. FossHub was fully compromised, including (temporarily), the admin's email.
- Cult of Razer (@CultOfRazer) August 3, 2016

@AuraTheWhiteHat Because nobody will learn to check signatures and hashes if it isn't demonstrated bluntly.
- Cult of Razer (@CultOfRazer) August 3, 2016

If you or someone you know was affected by this malware, assistance can be received in the Am I Infected? forum. You may also attempt to repair the MBR yourself as seen in this video.

Article source
SPECTRUM Posted August 3, 2016

already posted here:
BALTAGY Posted August 3, 2016

Anyone have a link to this virus or even the file? I want to test it, lol
Jordan Posted August 3, 2016

Topics merged
bubbada Posted August 4, 2016

Important info from Audacity:

IMPORTANT: Our download partner FossHub was compromised for a few hours on 2nd August. This has now been resolved. If you downloaded Audacity's Windows installer on that date and it is only 355 kB, delete the file and don't reboot. More help here.

-----

Important info from Classic Shell:

Attention! The download service for Classic Shell was hacked on August 2nd, and for a few hours it served an infected version of the installer. The malware corrupts your PC and makes it unbootable. Here's more information about the hack: http://www.classicshell.net/forum/viewtopic.php?f=12&t=6441
If you have been affected, follow these instructions to fix your PC: http://www.classicshell.net/forum/viewtopic.php?f=12&t=6440
The current download link is safe.

-----

My advice is to check your file hashes, people; use VT Hash Check to compare with VirusTotal.
bubbada Posted August 4, 2016

Since this is a big issue, you would reckon a hash test of the file could be checked against the original hash before it is even given out (downloaded). Maybe all sites should be taking this into consideration.
SoftChip Posted August 8, 2016

One thing I dislike is a site that puts its downloads on a mirror like Fosshub, but does not put file hashes on its own web site. How can you be sure the file on the mirror is the right one?
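The hash check several posters recommend, as an added example that is not from this thread or from the Classic Shell project: it parses a signature listing in the same layout as the official Classic Shell one quoted above, compares all three digests of a download against every entry in constant time, and applies the size sanity check the Audacity notice hints at (a 355 kB file listed at several MB). The listing, the download bytes and the digests are constructed sample values (the "abc" test vectors and zero placeholders), not the real published ones.

```python
"""Check a downloaded installer against a publisher's hash listing (added example)."""
import hashlib
import hmac
import re

# Constructed stand-in for the downloaded installer bytes. Its digests are the
# standard "abc" test vectors, not those of any real Classic Shell build.
SAMPLE_DOWNLOAD = b"abc"

# Constructed listing in the layout of the official Classic Shell signatures
# quoted earlier in the thread. Sample/placeholder digests, not the real ones.
PUBLISHED_SIGNATURES = """
Classic Shell Installer (English) - 6.89 MB | version: 4.3.0
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
Classic Shell Installer (French) - 7.62 MB | version: 4.3.0
MD5: 00000000000000000000000000000000
SHA1: 0000000000000000000000000000000000000000
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""

ENTRY_RE = re.compile(
    r"(?P<name>Classic Shell Installer \([^)]*\)) - (?P<size_mb>[\d.]+) MB"
    r".*?version: (?P<version>\S+)\s*MD5: (?P<md5>[0-9a-f]{32})"
    r"\s*SHA1: (?P<sha1>[0-9a-f]{40})\s*SHA256: (?P<sha256>[0-9a-f]{64})",
    re.IGNORECASE | re.DOTALL,
)


def parse_signature_block(text):
    """Turn the listing into one dict per installer build."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def digest_bytes(data):
    """MD5, SHA1 and SHA256 hex digests of the data, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def verify_download(data, listing_text):
    """Return the listing entry whose digests all match the data, else None.

    All three digests are compared in constant time; a listing with one
    mistyped digest is reported as a mismatch rather than silently accepted.
    """
    actual = digest_bytes(data)
    for entry in parse_signature_block(listing_text):
        if all(hmac.compare_digest(actual[alg], entry[alg].lower())
               for alg in ("sha256", "sha1", "md5")):
            return entry
    return None


def size_is_plausible(data, entry, tolerance=0.25):
    """Cheap pre-check: a file far smaller than the listed size is a red flag."""
    expected = float(entry["size_mb"]) * 1024 * 1024
    return abs(len(data) - expected) <= tolerance * expected
```

Run verify_download on the real downloaded bytes with the listing copied from the publisher's own site, not from the mirror, since a compromised mirror can rewrite both the file and any hashes it hosts.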