Attention: Some Fosshub downloads compromised
Some software programs on Fosshub, a free project hosting service, appear to be compromised and serve malware payloads .
Fosshub is a popular file hosting service that software projects such as Classic Shell, qBittorrent, Audacity, MKVToolNix, and others use as their primary file download service.
Basically, what these projects do is link either directly to download files hosted by Fosshub, or link to a download page for their programs on Fosshub.
A thread started on August 2 on the Classic Shell forum by a new user indicated that the user's computer would not boot Windows anymore after installing the application.
The message displayed reads:
AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR !
IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE!
DIRECT ALL HATE TO PEGGLECREW (@CULTOFRAZER ON TWITTER)
Other users replied stating that they too were experiencing issues. The malware payload included in the software installer overwrites the Master Boot Record of the operating system. Systems won't boot anymore because of it.
Windows users may correct the issue using a Windows Repair disc, a third-party solution like TestDisk, or backups if they have been created previously.
If you can boot into recovery mode, running the commands bootrec /fixmbr, bootrec /fixboot and bootrec /rebuildbcd may also fix the issue.
It appears that the payload will overwrite only the Master Boot Record of the operating system. While that is still a nuisance, it is better than having to deal with malware that encrypts, deletes, steals or modifies data on the PC.
It is highly suggested to avoid downloading files from Fosshub for the time being until the issue is corrected on their end. It appears that at least some files are still infected at the time of writing.
Most projects support download mirrors that you may use instead. It is still suggested to verify the downloads on Virustotal before you execute them just to be on the safe side.
I can’t enter recovery mode, nor do I have a backup. How can I use TestDisk without being able to boot my PC?
noticed that too. Did they release a corrected version already? I have had MBR issues for MONTHS and never knew what caused it. I thought my computer was just dying on me.
Here’s a video of the malware in action.
https://www.youtube.com/watch?v=DD9CvHVU7B4
Fosshub Blocked by uBlock.
(if appropriate filters are enabled)
PROTIP:
Not always possible.
After Sourceforge, now Fosshub seems to be sacrificed for unknown reasons.
Good times.
Welp. I just finished installing programs after yesterday’s complete format and intallation of Windows 10 Anniversary.
Today’s haul consisted of Chrome, Audacity, CCleaner and Paint.net, and one of them was hosted at Fosshub, although I forget which one >.< (Not Chrome, for sure).
Time to do a complete anti-malware scan to be safe. Do you have any tips on which anti-malware programs are most likely up-to-date enough to catch this batch of malware?
I made a forum post in the Audacity forums earlier today asking for the specific timeframe the hacked installer was available.
They were kind to answer quickly and elaborately (my belated post here is the cause of me doing other things), pointing out the problem with instilling a false sense of security by defining a very specific time window, recommending instead to delete all files downloaded on that day.
Source: http://forum.audacityteam.org/viewtopic.php?f=46&t=92555&e=0
They also provided a link to a VirusTotal scan for the infected file, with which to compare:
https://www.virustotal.com/en/file/176f96b1516ba4fba24035808f9428ff48123d4069db5b600ebcb7528c48d1f8/analysis/1470250515/
I found out I made a backup of the “installer” to Dropbox – in my case it turned out I had downloaded the zip-file (#potable4eva). I just did a VirusTotal scan of that one. The results are here:
https://www.virustotal.com/en/file/c7b002719a2a5ebd2c0ae403d40fe5f1e6eed3f5794a3a0c8c24f86dd39e272e/analysis/1470270662/
Stay safe!
Glad to hear that they are helpful and that you are safe. :-)
A couple more links regarding the Audacity part of things, for those interested:
http://www.audacityteam.org/compromised-download-partner/ – Audacity’s response.
https://twitter.com/CultOfRazer/status/760668803097296897 – a twitter conversation with the people who did it, I belive (not sure!).
And the above anonymous comment is mine as well – just forgot to enter the name >.<
Judging by things, I believe I was lucky enough to download the rectified installer, put it still put a scare in me.
Time to learn how to check hashes & checksums of installers on my end!
It was probably Audacity, another website explicitly said that Audacity was compromised on Fosshub.
As for your other question, while I was on Windows, Emsisoft Emergency Cleaner was highly recommended (it’s free), and Malwarebytes.
Thank you! I didn’t know about Emsisoft – I’ll check it out straight away.
I did in fact download the Audacity 2.1.2 installer earlier today and used it.
I scanned the installer prior to using it, as well as a system-wide scan after ghacks published this article – but I was only using Windows Defender, so I’m unsure as to how safe I should feel.
@ Martin
The Fosshub server is off line. No downloads possible .
That is probably for the best while they evaluate the compromise and re-populate their data.
It is not Master Boot Record not Master Book Record.
Corrected, thanks for pointing that out.
The message on the screen says “MBR” not “MNR” – slip of the finger :-P
(reference to the quoted message)
Thanks copy/paste error ;)
on a uefi system it deleted all partitions…
It deleted them on my classic MBR one too. Testdisk was however able to recover them.
protip: always download from the creator’s site to prevent something like this.
‘It is still suggested to verify the downloads on Virustotal before you execute them just to be on the safe side.’
if your upload speed is really slow, you know that it isn’t applicable..
…unless the creator’s site is the one that get compromised.
Doesn’t work for win version of mkvtoolnix, e.g., because that is the only link on the creator’s site.
This won’t work all the time as projects may use Fosshub or other download sites exclusively for providing download capabilities.