How wrong I was, and when you think about it, it is a pretty easy thing to do for people with malicious intent.
Open source is by definition developed within a community of individuals, most of whom are only interested in getting picked up by headhunters to get more lucrative programming jobs, or they may just be interested in developing a solution for their own particular special needs.
The problem with these communities is that it is easy for bad seeds to get in.
Much open source software is distributed via other well known platforms, think of CHIP.DE or CNET.COM as two examples. Most of us who visit these sites see no reason not to trust their links, but the fact is that even these sources can be compromised.
Then of course there is sourceforge.net, which is where you can find the original source code for many open source programmes. But how secure is it? That is an open question, by the way, and I would love feedback.
Here is a description of one problem I had with one particular piece of software for video converting, namely SUPER from www.erightsoft.com.
SUPER - not this time....
For years I have been using this software, which has served me very well for compressing and converting the sometimes large videos produced by Adobe's After Effects and other programmes. I have never had any reason to suspect anything wrong with it, although it has to be said that their website is a challenge to browse, and seems to be geared for indirect revenue generation. Still, if you know where to find the hidden download link on the site, you will get the goods. My last experience, however, was in another league.
On March 29th 2015 I downloaded an update which I wish I hadn't.
Firstly the installer deviously got me to accept the download of other software (which I am usually wary of, but sometimes in a hurry one clicks on one OK too many).
Once it was downloaded and installed, I noticed that my browsers had become hijacked, and that my computer would start reporting KERNEL DATA IMAGE ERRORs which I had never had before. Upon the self-initiated restart after this error, I got a blue-on-black BIOS screen saying that the boot drive was missing or the boot had failed. Thankfully, upon a hard restart the computer booted up normally.
This error would repeat itself after 5 hours, or when I ran my Ad Aware scans.
I then uninstalled all the little nasties that had installed with SUPER from the programme manager, deleted the directories they were installed to, deleted all the temp files, and deleted strange tasks that had been created. Then I ran MALWAREBYTES, HITMAN and ADWCLEANER, and sure enough lots of little nasty entries came up which I removed... there were two notable omissions though, which I shall come to in the next section.
For a while after the restart my browsers ran OK, but after a while I noticed these annoying adware tabs coming up in the browsers. Apparently the clean had not been complete, and I also noticed that my computer was still periodically crashing in the way that I mentioned above.
AC3DX.AX and LIBBLURAY.DLL
The only persisting problems which my scanners were reporting (which I didn't remove) were two hidden files in the Windows/SysWOW64 folder which were evaluated as "Suspicious" but no threat by Hitman. I was loath to remove them as they appeared to be system files which Windows might have a problem living without.
I checked both files with virus-total.com, and no flags were raised, none of the 57 antivirus solutions were flagging the files as dangerous.
Upon searching these files on the internet, it was apparent that they were indeed part of the SUPER installation process, but apart from a few badly written blogs claiming they were indeed malicious files, they were for the most part reported as normal.
There were some unusual features however:
- The hidden flag was set
- They were in a system folder
- There was no author or signature information
However, there was one remaining suspicious thing about the files, namely that Hitman reported they were written at the time that I installed my SUPER, which was to be expected since they seemed to belong to SUPER and were reported on the internet as such. However, upon inspection in the file manager, their "Last Modified Date" was reported as sometime long in the past (2009). This seemed really strange to me, as they had clearly been written during my recent SUPER installation.
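As an added example, not part of the original post and not anything from erightsoft: a small PowerShell triage script that checks the indicators listed above for the two files named on this page (hidden attribute set, no Authenticode signature, no company/author information in the version resource, and a creation time years newer than the "last modified" time). The folder, the two file names, the use of CompanyName as a stand-in for "author", and the 365-day gap threshold are assumptions for illustration. It prints the SHA-256 so the file can be looked up on VirusTotal by hash rather than uploaded.

```powershell
# Added example (not from the original post): triage files in a system folder for the
# indicators described above. Assumes Windows PowerShell 5.1 or later on Windows.
# Folder, file names and the 365-day threshold are illustrative assumptions.
param(
    [string]$Folder = "$env:windir\SysWOW64",
    [string[]]$Names = @('ac3DX.ax', 'libbluray.dll'),
    [int]$MinDaysGap = 365
)

foreach ($name in $Names) {
    $path = Join-Path $Folder $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "${name}: not present"
        continue
    }

    # -Force is required so that files with the hidden attribute are returned at all
    $f    = Get-Item -LiteralPath $path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    $flags = @()
    if ($f.Attributes -band [IO.FileAttributes]::Hidden) { $flags += 'hidden attribute set' }
    if ($sig.Status -ne 'Valid')                          { $flags += "signature: $($sig.Status)" }
    # CompanyName in the version resource is used here as a proxy for "author" (assumption)
    if (-not $f.VersionInfo.CompanyName)                  { $flags += 'no CompanyName in version info' }

    # A file written during a recent install whose "last modified" date lies years in the
    # past is the mismatch the post describes: creation time much newer than write time.
    $gapDays = ($f.CreationTime - $f.LastWriteTime).TotalDays
    if ($gapDays -gt $MinDaysGap) {
        $flags += ('LastWriteTime is {0:N0} days older than CreationTime' -f $gapDays)
    }

    [PSCustomObject]@{
        File         = $name
        CreationTime = $f.CreationTime
        LastWrite    = $f.LastWriteTime
        SHA256       = $hash   # look this hash up on VirusTotal instead of uploading the file
        Indicators   = if ($flags) { $flags -join '; ' } else { 'none' }
    }
}
```

Run it from an elevated PowerShell prompt (system folders are not readable by every account). None of these indicators is proof of malice on its own; the point is that a file reproducing all of them at once, while scanners say "clean", deserves the quarantine-and-observe treatment the post describes rather than being dismissed as a system file.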
Given that I had first experienced problems upon installing the upgraded SUPER, and I figured that they probably weren't central to my computer's operating system (Windows 8), I decided to quarantine them in Hitman.
Then I rebooted.
And then I had a crisis, because Windows rebooted extremely slowly, had no internet function when it did, and I couldn't even open the Control Panel. Windows Explorer seemed to be functioning normally, and non-Office programmes were running (Office 365 needs online authentication), but everything was clearly not right.
Panic stations....
I thought it was time for a complete system restore....
Luckily I kept a cool head, ran MALWAREBYTES (reported 12 nasties), HITMAN (none) and ADWCLEANER (about 8), and rebooted.
Thankfully everything rebooted fine, and after 12 hours of operation I haven't had a single crash, so MAYBE my system is finally cured.
MALWARE CREATORS ARE GETTING MORE DEVIOUS
I know this isn't the most obvious statement to make, but it seems to me that these miscreants are creating malware that can evade the majority of anti-virus scanners. Also, they are obfuscating the modified legitimate files so that they have more or less the same size as the originals that they engineer. I am lucky that Hitman found these damned things; I don't know what they may have been capable of.
My advice BE CAREFUL DOWNLOADING OPEN SOURCE STUFF AND TRUST NOBODY, EVEN POPULAR DOWNLOADER SITES.
This seems to be a new way for folks with bad intentions to hijack your PC.
Below is a synopsis of the same problem which I wrote in German, translated here into English for those who might be interested.
IN GERMAN (TRANSLATED)
For years I used the video converter "SUPER" from Erightsoft without problems. The website was always hard to navigate and pumped full of ads, but the software served me well over the years, and I had no problem treating it as "trusted" software.
My latest experience, however, was in a completely different league.
At the end of March (the 29th) I downloaded and installed a new version, and since then I have had nothing but problems with my computer.
Firstly, it downloaded a load of adware that was hard to remove. My browsers were under constant attack from unwanted browser bars and redirects, and my computer crashed every 2 hours with KERNEL DATA IMAGE ERRORS, and on reboot it even gave me a DEFAULT BOOT DRIVE MISSING error without getting into Windows 8. Luckily, after switching it off and on it always came back up normally.
I used MALWAREBYTES, HITMAN and ADWCLEANER, emptied the TEMP folders, and deleted strange tasks (in Task Manager and under Windows Tasks). But the rubbish always came back at some point.
HITMAN always reported 2 files as "Suspicious", but did not classify them as a threat. The files were always reported as OK by virus-total.com, but in fact a couple of features were odd. These files were called "ac3DX.ax" and "libbluray.dll" and were located in the Windows/SysWOW64 folder.
Since they seemed to belong to the normal installation process for SUPER, I ignored them at first. In fact, though, a couple of things were odd, e.g. the hidden flag was set, and there was no author or signature. The strangest thing, however, was that Hitman correctly reported the installation date for these files (the same time as SUPER). In the file manager, though, the "Last Modified Dates" were far in the past. I was afraid to remove the two files because they were system files, but at some point I decided to put them in quarantine.
I did that, and on reboot Windows started extremely slowly, and although I got as far as Windows Explorer, my internet did not work at all, and I could not even get into the "Control Panel".
PANIC
I thought everything was wrecked, and that only a complete fresh Windows installation would help.
Luckily I kept a cool head, ran MALWAREBYTES, HITMAN and ADWCLEANER again, and after a reboot everything is now back to normal... for 20 hours I have had no more crashes.
I don't know whether it is all over, but so far everything seems to be in order.
The topic of hijacking of open source software had never come to my attention before... but now I know that one has to be more careful, and even watch downloads from reputable websites. Online research doesn't help either; mostly these files are described as harmless and useful, and only sporadically is there information that they may contain Trojans and the like. VirusTotal gives only negatives, but the scans from almost all of its supplier websites are over 2 months old. The files were obviously also obfuscated so that their size resembled that of the normal files that are available.
So be careful, folks, with SUPER from www.erightsoft.com.
Same thing happened to me on 4/8/2016 when installing SUPER. Took me hours to get rid of the PUPs, hijackers and malware! I will no longer use SUPER because of it.