Karlston Posted July 11, 2019

Pale Moon's Archive Server hacked and used to spread malware

The Pale Moon team announced on July 10, 2019 that its archive server was hacked and used to spread malware. The team detected the breach on July 9, 2019 and shut down the archive server immediately to prevent further infections with malware. An analysis of the issue revealed that the infection most likely happened on December 27, 2017.

The Archive server is used to serve older versions of Pale Moon; the browser's main distribution channels were not affected by the breach.

This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time would any current versions, no matter where they were retrieved from, be infected.

Additionally, the hacker infected only executable files of the browser and not files inside archives. Other programs hosted on the server, such as the web browser Basilisk, were not affected either. According to the post mortem, the issue affected all archived executable files of Pale Moon 27.6.2 and earlier.

The team's investigation in the matter was severely impacted by another incident on May 26, 2019 that caused "widespread data corruption" on the archive server to the point where booting or data transfers were not possible anymore.

The hacker managed to sneak a script on the server that would run locally to infect the executable files on the server. The infection increased the size of the executable by about three megabytes and planted a variant of Win32/ClipBanker.DY inside the executable.

Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise to it.

Bleeping Computer notes that the malware creates a scheduled task on the system in the background while Pale Moon's installer runs in the foreground.

Users who never downloaded Pale Moon from the Archive Server (archive.palemoon.org) are "almost certainly in the clear" according to Pale Moon's announcement. The team recommends that users who downloaded the browser from the official site or archive site run a full virus scan on their systems to make sure they are clean. The infection signature is "known to all major antivirus vendors" according to the announcement (programs like Avira Antivirus, Avast Free Antivirus, BitDefender Free, or Kaspersky Free Antivirus).

There is also the option to check signature files or the digital signature of Pale Moon's executable. The digital signature is not available for all releases though, so its absence does not imply that the file is infected. The existence of a digital signature, on the other hand, is a clear indicator that the file is clean.

Archived versions of Pale Moon are accessible again on archive.palemoon.org. Dates indicate that directories were created on July 10, 2019.

Closing words

Pale Moon's main distribution channel was not affected by the hack, which means that most users were not affected by the issue. The team has not released any archive server statistics and it is unclear how many users were potentially affected by the breach. Pale Moon users should run a full virus scan on the system to make sure that their devices are not infected.

Source: Pale Moon's Archive Server hacked and used to spread malware (gHacks - Martin Brinkmann)
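The article's advice to check signature files against downloaded executables, and the fact that the tampered binaries grew by about three megabytes, both come down to comparing what you have on disk with what the publisher said they shipped. The following Python script is an added example, not code from gHacks or the Pale Moon project: it parses a hashes manifest (the "sha256 size filename" line format and all file names and contents are constructed for the demo, not real Pale Moon hashes), verifies each downloaded file, and separately flags mismatches where the file is also markedly larger than the manifest says, which is the pattern an appended payload produces.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Files larger than the manifest's size by more than this are reported as
# "grown" rather than a plain mismatch. The threshold is an assumption chosen
# for the demo; the archive server infection added roughly 3 MB per file.
SIZE_SLACK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not sit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, tuple[str, int]]:
    """Parse 'sha256 size filename' lines into {filename: (sha256, size)}.

    Blank lines and '#' comments are ignored. The line format is a constructed
    convention for this example, not a specific vendor's hashes file.
    """
    entries: dict[str, tuple[str, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(maxsplit=2)
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_downloads(download_dir: Path, manifest: dict[str, tuple[str, int]]) -> dict[str, str]:
    """Return a verdict per file: verified, mismatch, mismatch-grown or unknown.

    'unknown' means the file is absent from the manifest and therefore cannot
    be vouched for either way; it is not evidence of tampering on its own.
    """
    verdicts: dict[str, str] = {}
    for path in sorted(download_dir.iterdir()):
        if not path.is_file():
            continue
        expected = manifest.get(path.name)
        if expected is None:
            verdicts[path.name] = "unknown"
            continue
        exp_digest, exp_size = expected
        if sha256_file(path) == exp_digest:
            verdicts[path.name] = "verified"
        elif path.stat().st_size > exp_size + SIZE_SLACK:
            verdicts[path.name] = "mismatch-grown"
        else:
            verdicts[path.name] = "mismatch"
    return verdicts


def demo() -> dict[str, str]:
    """Build constructed sample downloads in a temp dir and verify them."""
    clean_a = b"MZ" + b"\x00" * 4094          # constructed stand-in for installer A
    clean_b = b"MZ" + b"\x01" * 8190          # constructed stand-in for installer B
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # A is intact; B has ~3 MB appended, mimicking the reported size growth;
        # the third file was never listed in the manifest.
        (d / "installer-a.exe").write_bytes(clean_a)
        (d / "installer-b.exe").write_bytes(clean_b + b"\x90" * (3 * 1024 * 1024))
        (d / "unlisted.exe").write_bytes(b"MZ" + b"\x02" * 100)
        manifest_text = "\n".join([
            "# constructed manifest for the demo",
            f"{hashlib.sha256(clean_a).hexdigest()} {len(clean_a)} installer-a.exe",
            f"{hashlib.sha256(clean_b).hexdigest()} {len(clean_b)} installer-b.exe",
        ])
        return verify_downloads(d, parse_manifest(manifest_text))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:15} {name}")
```

The manifest must come from a channel the attacker could not also rewrite (the main site over HTTPS, or a signed release note), otherwise an intruder who can replace binaries on the archive server can replace the hashes beside them as well; that is also why the article treats a valid digital signature as a stronger signal than a hash file on the same host.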
steven36 Posted July 11, 2019

Same kind of thing happened to Linux Mint, but at least they found it right away and it did not stay on their servers long. It took Moonchild years to find this because new versions were never infected; only older versions were infected. And all the other sites where they mirror it were never ever infected either. That really blows the theory that downloading it from the developer instead of a mirror site is safer out of the water. Almost every time something like this happens it only affects their main server.

Moonchild's Disclosure: https://forum.palemoon.org/viewtopic.php?f=17&t=22526

Malware like what was in Palemoon won't even run on Linux versions; an .exe won't run on Linux. So to me it's safer to use Linux. The only thing I ever used on Linux that got infected before was Linux Mint, and the ISO I had of 17.3 was the beta, which came out long before that happened, so I was never infected. Also, once people were putting malware in Kodi addons that downloaded bitcoin miners; I knew about it months before Eset ever disclosed it, because NOD32 detected it on Windows. Also they wrote a version of it that worked on Linux too. They think the guy who wrote Bubbles put that malware in his repo when he retired, but we will never know because he's gone, and then it infected the fork of that addon's repo, then it spread to many other repos and builds. But 99% of malware doesn't even affect Linux. And half of Linux malware doesn't affect the desktop; it only affects Linux servers. I haven't used Linux Mint in over 2 years and never really used Palemoon either; I used to test it years ago and couldn't stand it. I never have thought of it as a serious option since they forked away from Firefox years ago and killed most addons they had. Some people can get by with just a few addons, but their breakage was too drastic for me. I used Firefox, Cyberfox and Waterfox instead.

You go over on the Palemoon forums and all kinds of shady users are helping them out, so it could have been anyone. I never keep up with what goes on at Palemoon very often; there's no need, their addon system has been broken for years. I'd rather use Firefox with new addons than only be able to use a few from the Legacy Archives. All the Legacy addons I use work on Waterfox. To me Palemoon doesn't care about their users, just like Mozilla doesn't; they broke Legacy addons long before Firefox did, which was a sign of things to come.
steven36 Posted July 11, 2019

See, the thing is Palemoon has never been truly open source; they won't allow anyone to use system libs with their official branding. That's why there's no Palemoon in OpenBSD; they got in a fight over it. Same reason they have no PPA or debs for Ubuntu Linux and you have to go to their website and download a web installer to install it. Same reason Slackware gave up on putting it in their repos; they're assholes.

A note about trademarks and branding: Although this repository is licensed under Mozilla Public License v2.0, the trademarks and brands contained herein remain the property of their respective owners. For more details, please see the notifications in the respective directories.

https://github.com/MoonchildProductions/UXP
https://github.com/jasperla/openbsd-wip/issues/86#issue
https://alien.slackbook.org/blog/pale-moon-browser-removed-from-my-repository/

Firefox used to be like them; they fought with Linux for years. That's why they made Iceweasel, which was re-branded Firefox; now it's called IceCat. It's been since I've been using Linux that Debian and Firefox made up. Firefox has allowed it now on Linux for a good while. Moonchild has many enemies in open source, so someone most likely set him up to kill his browser.

https://en.wikipedia.org/wiki/GNU_IceCat

As far as using browsers that are run by small teams, there's really no danger in it; we used them on Windows and Linux for years, just like many people used hobby distros on Linux with very little problem. The only thing that concerns me is that if they're made by a small team they may get burnout and quit. But when you have enemies in open source like Moonchild does, karma is going to catch up with you sooner or later.
xpkRAKE Posted July 12, 2019

I'm a little surprised none of the actual users of these older versions noticed it sooner, there must be a few.
mp68terr Posted July 12, 2019

1 hour ago, xpkRAKE said: I'm a little surprised none of the actual users of these older versions noticed it sooner, there must be a few.

Most users do update when a new version comes out. Few users might use old versions. Few users of a likely small community; if someone noticed the hack it likely remained unnoticed.
steven36 Posted July 12, 2019

6 hours ago, xpkRAKE said: I'm a little surprised none of the actual users of these older versions noticed it sooner, there must be a few.

Whenever someone said it was infected, Moonchild told them it was a false positive. It was not Palemoon who found it, no way; it was a user who downloaded a version for archive-only reasons that found it. They never checked the hashes or anything in 2 years.

https://forum.palemoon.org/viewtopic.php?f=17&t=22520

Moonchild is too incompetent to have a browser with such a big code change from Firefox. The difference with Cyberfox, and still Waterfox, is that when their dev does security updates they backport all the security updates from Firefox. Waterfox 56.12 has all the security updates Firefox ESR 60.8 does; well, this is not the case with Palemoon.

https://www.waterfox.net/blog/waterfox-56.2.12-release-download/

From Hacker News, in 2017, before the time stamps were signed on the infected exes that were found:

Scroll through Mozilla's security announcements, pick ones at random, find the patch that fixed it and see if it ever got applied to Pale Moon. In many cases they haven't. I have pointed out many of these and argued with Pale Moon devs about it. "Moon Child" believes they don't need to apply patches if they can't replicate the PoC from Mozilla's bugzilla. These are things that are obviously vulnerable and need to be fixed (such as missing bound checks in the XML parser). If someone ever cared enough to target Pale Moon users they would have an absolute field day with all the known Firefox vulnerabilities they could use.

https://news.ycombinator.com/item?id=13395793

No one should be shocked this happened, and if they use it they should consider using something else. Moonchild is still not being transparent enough either. He never explained what the malware did to users of Palemoon. We only know what kind of malware it was, is all.

When Bleeping Computer tried to test it in a VM it was dormant; the malware hides in a VM, it only works if you have it on a real machine. Before, the malware was used to steal Bitcoins from cryptocurrency wallets.
arsenaloyal Posted July 16, 2019

I use Palemoon as my secondary browser after Vivaldi. This is a bit worrying.
This topic is now archived and is closed to further replies.