Classic Shell, Audacity downloads infected with retro MBR nuke nasty

Classic Shell and Audacity downloads were booby-trapped this week with an old-school software nasty that knackered victims' Windows PCs. Hackers were able to inject some retro-malware into the popular applications' installers hosted on fosshub.com, an official home for Classic Shell and Audacity releases among other software …

  1. Anonymous Coward
    Anonymous Coward

    I don't have an MBR. Will these cretins consider supporting GUID partition table / UEFI in their next release?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      What, you want support by virus writers?

      1. Anonymous Coward
        Gimp

        Nobody likes being ignored :(

        Can we have an OS X MacOS version too, please?

    2. jacksawild
      Alert

      Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.

      1. Hans 1
        Happy

        >Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.

        Upvoted, but, Windows Cleaner and Surface Experts do not understand that downloading something from some rogue website and installing it is insecure. They do not know what MBR is, or EFI for that matter ... else they would have jumped to Linux/FreeBSD/AnythingButRedmond a long time ago.

        In short, you are wasting your time with these n00bs.

    3. anonymuos

      UEFI affected as well

      This particular malware was very new and detected only by AVG and Kaspersky as a generic threat. It makes UEFI PCs unbootable as well. Only Secure Boot PCs were not affected.

      1. Anonymous Coward
        Anonymous Coward

        Re: UEFI affected as well

        "This particular malware was very new and detected only by AVG and Kaspersky as a generic threat."

        Which in my opinion only goes to show you of what poor quality most virus scanners actually are. I'm not talking about detection here but prevention. Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?

        1. Ken Hagan Gold badge

          Re: UEFI affected as well

          "Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?"

          I had a BIOS that did that, about twenty years ago, so it's not that hard. However, I haven't had a similar warning anytime recently, so apparently it isn't something that modern BIOSes bother with.

      2. Anonymous Coward
        FAIL

        Re: UEFI affected as well

        > It makes UEFI PCs unbootable as well. Only Secure Boot PCs were not affected.

        Get a grip!

        Only PCs running M$ Windows were affected.

        1. anonymuos

          Re: UEFI affected as well

          This malware ran from Windows but the OS is irrelevant here. Once it gets admin rights, it can run from any OS to overwrite the MBR or wreak havoc on the EFI system partition. The installer was not signed but users ignored it. It was user-error.

      3. Duffaboy
        Trollface

        Re: UEFI affected as well

        So did not Norton detect it ?

        1. Kiwi
          Trollface

          Re: UEFI affected as well

          >So did not Norton detect it ?

          That should be pretty obvious. It's malware. Of course Norton wouldn't detect it!

  2. Kanhef

    UAC limitation

    A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.

    1. Ilgaz

      Re: UAC limitation

      It isn't the hassle, signing software requires real money and these apps are free. Some people are also ideologically against it.

      Also signed apps can still do nasty things, signature just means signature, there is no kind of control there.

    2. Ken Hagan Gold badge

      Re: UAC limitation

      Had it been signed by Ivan Beltchev, would you have installed it?

      1. Dan Paul

        Re: UAC limitation

        The correct version was signed by Ivan Beltchev and I just happen to know that is his creation.

        He is one of the few FOSS software people who do sign their work properly.

  3. Anonymous Coward
    Anonymous Coward

    I'm curious whether any AV packages picked this up, by pattern or heuristics

    1. Ilgaz

      same here

      Actually I will pay a yearly subscription if there is any AV which detected it just by heuristics. Back in 1990 we had a-tool on Amiga which could detect such out of nowhere boot block overwrites. If they can't detect such attacks, why do they waste CPU?

  4. AustinTX
    Thumb Up

    Download Only From Sources You Can Trust

    This is yet another reason one should only download safe and signed applications from the Microsoft Online Store!

    1. Anonymous Coward
      Anonymous Coward

      Re: Download Only From Sources You Can Trust

      Signed repositories are the solution to software distribution.

      But I'm guessing Microsoft's policies aren't very FOSS friendly?

    2. h4rm0ny

      Re: Download Only From Sources You Can Trust

      Software doesn't need to be from the MS Store to be signed. As this story shows, Classic Shell normally is signed and a different and quite clear warning was displayed for the pirated version.

      1. Anonymous Coward
        Paris Hilton

        Re: Download Only From Sources You Can Trust

        Seems a couple of commentards have forgotten to turn on their sarcasm detectors this morning!

        (Check OP's punctuation!)

        !!!!one

        1. Anonymous Coward
          Anonymous Coward

          Re: Download Only From Sources You Can Trust

          See the Joke, Get My Coat Icons? They are there for pointing out joke comments, otherwise you can just end up looking like a tit.

          1. VinceH

            Re: Download Only From Sources You Can Trust

            Sometimes a joke is funnier when its nature is less than obvious to some.

          2. Yag

            Re: Download Only From Sources You Can Trust

            If you need a huge obvious icon to detect such an obvious joke, try to avoid watching political meetings, rallies and debates...

    3. Mark Simon
      Paris Hilton

      Re: Download Only From Sources You Can Trust

      This is humour, isn’t it … ?

    4. Chika
      FAIL

      Re: Download Only From Sources You Can Trust

      Shill alert!

      Or at the very least an attempt at humour. Weak!

    5. AustinTX

      Re: Download Only From Sources You Can Trust

      Aaaaargh! Have mercy, good people! Of COURSE it was sarcasty!

      But I think it's hilarious how many people were unsure and actually downvoted!

  5. frank ly

    A good example

    "We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization."

    Admit you made mistakes, recognise your shortcomings and work like heck to put them right. It's a refreshing change and I hope it starts a trend.

    1. Anonymous Coward
      Unhappy

      Re: A good example

      I think it's disgusting....

      We all know it should be:

      "We take our customers safety very seriously and are suggesting they reset their passwords. We apologise for any inconvenience caused."

      No joke icon, as it's the normal boilerplate reply.

      1. VinceH

        Re: A good example

        You forgot that it should mention "small number of users" that were affected.

        1. Anonymous IV

          Re: A good example

          You also forgot to finish with

          © 2016 Dido Harding

  6. wolfetone Silver badge

    The problem with that pop up window is that people who know about computers will know it's a pain in the ass, but they'll have gotten their software from a trusted source.

    People with no idea about computers will click OK to anything because they know that's the only way to install the thing they downloaded.

    There is no patch for human stupidity, but there may be a way to alter their MBR?

    1. Hans 1

      >There is no patch for human stupidity, but there may be a way to alter their MBR?

      Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ....

      1. wolfetone Silver badge

        "Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ...."

        But Windows 7 has the same stupid notification bullshit that allows this problem to carry on.

    2. Nolveys

      The problem with the popup window is that users have to click on such windows _all_ _the_ _time_ and that the message is completely non-specific. A message such as:

      "This software wishes to:

      - install itself for all users to use

      - add itself as a service

      - hook into explorer.exe

      - hook into winlogin

      - perform low-level disk modifications

      Do you wish to continue?"

      Would help immensely. Of course this would require some sort of capabilities-based privilege elevation and associated API.

      1. Ken Hagan Gold badge

        On paper, MSIEXEC could do all of that. The MSI file that you feed it could be just data and the operations that it requests on its behalf could be sanity checked and classified for end-user (well, Administrator) approval.

        In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.

        All this has been true since MSI debuted almost (?) 20 years ago. MS has never felt it necessary to add these features. There *may* be an option, buried deep inside some Group Policy template, to disable custom actions. Or there may not. Since it isn't enabled, or advertised, by default it hardly matters whether it exists or not.

        Tl;dr: the Windows Installer is utter, utter loathsome crap.

        1. Anonymous Coward
          Anonymous Coward

          >In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.

          You mean like running a program as root on Linux?

          1. Naselus

            "You mean like running a program as root on Linux?"

            Yes, but that's different, because reasons.

  7. petur

    more info

    http://www.classicshell.net/forum/viewtopic.php?f=12&t=6441

    and to help fix it

    http://www.classicshell.net/forum/viewtopic.php?f=12&t=6440

    1. Anonymous Coward
      Anonymous Coward

      Re: more info

      Very good link to their forums, seems they know what they are doing and they were very helpful.

      And no snark like here!

  8. Tony W

    Would this be detected on check?

    As others have pointed out, quite a lot of legitimate sw produces unknown publisher warning. I scan all exe and zip downloads before running though. I also use Scotty that detects changes to startup programs. Am I just getting a false sense of security by doing this?

    1. phuzz Silver badge
      Thumb Down

      Re: Would this be detected on check?

      A virus scanner is unlikely to pick up a brand new threat (although I assume this one is in the databases of most virus scanners by now), so that probably wouldn't have helped you.

      Also, a change to the MBR is 'before' any OS is loaded, or startup programs, so monitoring here wouldn't have helped either (assuming this malware just altered the MBR and didn't install its own startup program).

      What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.

      tl/dr: no, your current defences would probably not have helped defend against this specific malware.

      1. Pascal Monett Silver badge

        Re: Also, a change to the MBR is 'before' any OS is loaded

        I don't think so. The MBR was changed by the execution of the nasty. Besides, if no OS is loaded, how can any change be made ? Something has to run the code that makes the change.

        Why this MBR rewrite could fly under the AV radar is beyond me. Is the MBR being regularly rewritten by the OS all day ? Don't think so. So why does MBR access not trigger a humongous red screen with nukular* blast in the background and big white lettering saying "HEY, SOMEBODY WANTS TO RECONFIGURE YOUR DISKS - ARE YOU SURE ???" and a nice red button with "FUCK NO" written on it to abort.

        But no, apparently any piece of code can just go and write to the MBR. No problem here, no sir, carry on while I slow the Internet down with all the Flash checking I have to do. . .

        * yes, I did write nukular on purpose

        1. Jim Mitchell
          Flame

          Re: Also, a change to the MBR is 'before' any OS is loaded

          @ Pascal Monett

          Even without AV, the OS should block this. Windows UAC will query for writes to system files, but I can blow away the MBR without any question? On a related note, I was surprised when the BIOS update program from the manufacturer ran fine without Windows asking for user approval of any kind.

          1. phuzz Silver badge

            Re: Also, a change to the MBR is 'before' any OS is loaded

            I assume that the malware did bring up a UAC prompt, but as the users thought they were installing legitimate software they clicked it without noticing that it was unsigned.

            I have seen BIOS's which block any writes to the MBR, but of course you have to turn this off before you install an OS, and remember to turn it on later. I've not seen it in a BIOS for a few years now.

      2. jelabarre59

        Re: Would this be detected on check?

        >What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.

        SecureBoot is not reviled because it checks your boot process. It's reviled because Microsoft have appointed themselves God And Holy Gatekeeper of SecureBoot, allowing no others control over it. Properly done you should be able to register your OWN keys into its index when you install a new OS. But MS are doing everything possible (and I didn't even say everything "legal") to make sure it stays that way.
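
Added example, not part of any comment in this thread: the replies above point out that scanning a download and watching startup programs do not cover a change to the MBR. This Python sketch parses a 512-byte sector 0, tells a classic MBR from a GPT protective MBR, and compares the boot code and partition table against a saved baseline; all function names and sample sectors are constructed for illustration.

```python
import hashlib
import struct

def parse_sector0(sector: bytes) -> dict:
    """Split sector 0 into boot code (0-445), partition table (446-509), signature."""
    if len(sector) != 512:
        raise ValueError("sector 0 must be exactly 512 bytes")
    partitions = []
    for i in range(4):                          # four 16-byte table entries
        raw = sector[446 + 16 * i:462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0x00:                      # type 0x00 marks an unused slot
            partitions.append({"bootable": raw[0] == 0x80, "type": raw[4],
                               "lba_start": lba_start, "sectors": count})
    is_gpt = any(p["type"] == 0xEE for p in partitions)  # 0xEE = GPT protective MBR
    return {"valid_signature": sector[510:512] == b"\x55\xaa",
            "scheme": "gpt-protective" if is_gpt else "mbr",
            "partitions": partitions,
            "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "table_sha256": hashlib.sha256(sector[446:510]).hexdigest()}

def compare(baseline: dict, current: dict) -> list:
    """Return findings for a current sector 0 versus a known-good baseline."""
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table changed")
    return findings

def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed sample sector from (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed samples. On a real machine the 512 bytes would be read (with
# administrator rights) from the raw disk device, e.g. /dev/sda on Linux.
CLEAN = build_sector(b"\xeb\x3c" + b"\x90" * 20, [(0x80, 0x07, 2048, 1_000_000)])
OVERWRITTEN = build_sector(b"X" * 446, [])      # placeholder filler, table wiped
GPT_DISK = build_sector(b"", [(0x00, 0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    baseline = parse_sector0(CLEAN)
    print(compare(baseline, parse_sector0(OVERWRITTEN)))
    print(parse_sector0(GPT_DISK)["scheme"])
```

The comparison only means something if the baseline was captured on a known-good system and is stored off the disk being checked.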

  9. Anonymous Coward
    Anonymous Coward

    "We did not have the right safeguards in place"

    Nice breath of fresh air admitting how they fucked up & how they're fixing it:

    Non-commercial outfit -> Honesty...

    Commercial outfit -> Lies / Spin...

    1. Anonymous Coward
      Unhappy

      Re: "We did not have the right safeguards in place"

      Non-commercial - no point suing.

      Commercial - chance to sue.

      Unfortunately that's the way of the world these days. Run by lawyers and opportunists with short term aims.

  10. yossarianuk

    More reason to use Linux

    Installing Audacity on Linux is generally done via a centralised package manager where it is far far far harder for an attacker to upload a malware version - you are much safer than finding the same software on Windows.

    Open source on Windows involves visiting random sites, which often have about 20 different download links (most are not real download buttons but just a link to another random advert).
