Attention: Some Fosshub downloads compromised

Martin Brinkmann
Aug 3, 2016
Updated • Aug 3, 2016

Some software programs on Fosshub, a free project hosting service, appear to be compromised and serve malware payloads.

Fosshub is a popular file hosting service that software projects such as Classic Shell, qBittorrent, Audacity, MKVToolNix, and others use as their primary file download service.

These projects either link directly to download files hosted by Fosshub, or link to a download page for their programs on Fosshub.

A new user started a thread on the Classic Shell forum on August 2, reporting that their computer would not boot Windows anymore after installing the application.

The message displayed reads:

AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR !
IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE!
DIRECT ALL HATE TO PEGGLECREW (@CULTOFRAZER ON TWITTER)

Other users replied stating that they too were experiencing issues. The malware payload included in the software installer overwrites the Master Boot Record of the operating system. Systems won't boot anymore because of it.

Windows users may correct the issue using a Windows Repair disc, a third-party solution like TestDisk, or backups if they have been created previously.

If you can boot into recovery mode, running the commands bootrec /fixmbr, bootrec /fixboot and bootrec /rebuildbcd may also fix the issue.

It appears that the payload will overwrite only the Master Boot Record of the operating system. While that is still a nuisance, it is better than having to deal with malware that encrypts, deletes, steals or modifies data on the PC.
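To tell which of the repair paths above applies, the following added example (not part of the original article) parses a 512-byte MBR sector and reports whether the partition table survived: bootrec /fixmbr rewrites the boot code and leaves the partition table alone, so an emptied table calls for a partition scan with a tool such as TestDisk first. The sample sectors and the names parse_mbr, triage and make_sector are constructed for illustration; a real sector would be read from the disk or a disk image by the caller.

```python
import struct

SECTOR = 512
TABLE_OFF = 446   # boot code occupies bytes 0..445; four 16-byte entries follow
SIG_OFF = 510     # a bootable MBR ends with 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature validity and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR sector is exactly 512 bytes")
    parts = []
    for slot in range(4):
        entry = sector[TABLE_OFF + 16 * slot: TABLE_OFF + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00 and count == 0:
            continue  # unused slot
        parts.append({"slot": slot, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[SIG_OFF:] == b"\x55\xaa", "partitions": parts}

def triage(sector: bytes) -> str:
    """Classify the damage so the matching repair path can be chosen."""
    info = parse_mbr(sector)
    if not info["partitions"]:
        return "table-lost"        # needs a partition scan (e.g. TestDisk) first
    if any(p["type"] == 0xEE for p in info["partitions"]):
        return "gpt-protective"    # GPT disk: the real table lives in the GPT
    if not info["signature_ok"]:
        return "signature-missing"
    return "table-intact"          # within the MBR, boot code is the remaining suspect

def make_sector(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed 512-byte sector for the samples below."""
    table = b"".join(entries).ljust(64, b"\x00")
    return boot_code.ljust(TABLE_OFF, b"\x00") + table + b"\x55\xaa"

# Constructed samples, not captured from an affected machine.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 204800)
HEALTHY = make_sector(b"\xfa\x33\xc0", [NTFS_ENTRY])
WIPED = make_sector(b"SOMETHING HAS OVERWRITTEN YOUR MBR", [])

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY), ("wiped", WIPED)):
        print(name, triage(sec), parse_mbr(sec)["partitions"])
```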

It is strongly recommended to avoid downloading files from Fosshub until the issue is corrected on their end. It appears that at least some files are still infected at the time of writing.

Most projects support download mirrors that you may use instead. It is still suggested to verify the downloads on VirusTotal before you execute them just to be on the safe side.
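Alongside a VirusTotal scan, an installer can be checked locally against the SHA-256 the project publishes; the following is an added example, not part of the original article. The checksum list has to come from a different host than the download itself, otherwise whoever replaced the installer can replace the checksum too. The file name setup.exe and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_checksums(text):
    """Parse sha256sum-style lines: '<64 hex digits>  <file name>'."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            table[name] = digest
    return table

def check_download(path, published, known_bad=frozenset()):
    """Return (verdict, digest); only 'match' means the file is the published one."""
    digest = sha256_file(path)
    if digest in known_bad:
        return "known-bad", digest      # e.g. a hash taken from an incident report
    expected = published.get(os.path.basename(path))
    if expected is None:
        return "unlisted", digest       # nothing to compare against: do not run it
    ok = hmac.compare_digest(digest, expected)
    return ("match" if ok else "mismatch"), digest

def demo():
    """Constructed files stand in for a genuine and a replaced installer."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup.exe")          # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"genuine installer bytes")
        published = parse_checksums(sha256_file(path) + " *setup.exe\n")
        before = check_download(path, published)[0]
        with open(path, "ab") as f:
            f.write(b"appended payload")             # simulates a swapped file
        after = check_download(path, published)[0]
        return before, after

if __name__ == "__main__":
    print(demo())
```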

Publisher
Ghacks Technology News

Comments

  1. agadfgadfgda said on August 4, 2016 at 5:33 am

    I can’t enter recovery mode, nor do I have a backup. How can I use TestDisk without being able to boot my PC?

  2. sry9681 said on August 4, 2016 at 2:11 am

    Noticed that too. Did they release a corrected version already? I have had MBR issues for MONTHS and never knew what caused it. I thought my computer was just dying on me.

  3. Graham said on August 3, 2016 at 10:08 pm

    Here’s a video of the malware in action.
    https://www.youtube.com/watch?v=DD9CvHVU7B4

  4. ddk said on August 3, 2016 at 6:46 pm

    Fosshub Blocked by uBlock.
    (if appropriate filters are enabled)

  5. Capt. Sensible said on August 3, 2016 at 5:11 pm

    PROTIP:
    Not always possible.

    After Sourceforge, now Fosshub seems to be sacrificed for unknown reasons.
    Good times.

  6. MartinDK said on August 3, 2016 at 3:25 pm

    Welp. I just finished installing programs after yesterday’s complete format and installation of Windows 10 Anniversary.
    Today’s haul consisted of Chrome, Audacity, CCleaner and Paint.net, and one of them was hosted at Fosshub, although I forget which one >.< (Not Chrome, for sure).

    Time to do a complete anti-malware scan to be safe. Do you have any tips on which anti-malware programs are most likely up-to-date enough to catch this batch of malware?

    1. MartinDK said on August 4, 2016 at 2:39 am

      I made a forum post in the Audacity forums earlier today asking for the specific timeframe the hacked installer was available.

      They were kind to answer quickly and elaborately (my belated post here is the cause of me doing other things), pointing out the problem with instilling a false sense of security by defining a very specific time window, recommending instead to delete all files downloaded on that day.
      Source: http://forum.audacityteam.org/viewtopic.php?f=46&t=92555&e=0

      They also provided a link to a VirusTotal scan for the infected file, with which to compare:
      https://www.virustotal.com/en/file/176f96b1516ba4fba24035808f9428ff48123d4069db5b600ebcb7528c48d1f8/analysis/1470250515/

      I found out I made a backup of the “installer” to Dropbox – in my case it turned out I had downloaded the zip-file (#potable4eva). I just did a VirusTotal scan of that one. The results are here:
      https://www.virustotal.com/en/file/c7b002719a2a5ebd2c0ae403d40fe5f1e6eed3f5794a3a0c8c24f86dd39e272e/analysis/1470270662/

      Stay safe!

      1. MdN said on August 4, 2016 at 1:19 pm

        Glad to hear that they are helpful and that you are safe. :-)

    2. MartinDK said on August 3, 2016 at 7:46 pm

      A couple more links regarding the Audacity part of things, for those interested:
      http://www.audacityteam.org/compromised-download-partner/ – Audacity’s response.
      https://twitter.com/CultOfRazer/status/760668803097296897 – a Twitter conversation with the people who did it, I believe (not sure!).

      And the above anonymous comment is mine as well – just forgot to enter the name >.<

      Judging by things, I believe I was lucky enough to download the rectified installer, but it still put a scare in me.

      Time to learn how to check hashes & checksums of installers on my end!

    3. MdN said on August 3, 2016 at 7:12 pm

      It was probably Audacity, another website explicitly said that Audacity was compromised on Fosshub.
      As for your other question, while I was on Windows, Emsisoft Emergency Cleaner was highly recommended (it’s free), and Malwarebytes.

      1. Anonymous said on August 3, 2016 at 7:19 pm

        Thank you! I didn’t know about Emsisoft – I’ll check it out straight away.

        I did in fact download the Audacity 2.1.2 installer earlier today and used it.
        I scanned the installer prior to using it, as well as a system-wide scan after ghacks published this article – but I was only using Windows Defender, so I’m unsure as to how safe I should feel.

  7. T J said on August 3, 2016 at 10:26 am

    @ Martin

    The Fosshub server is off line. No downloads possible.

    1. Andy said on August 3, 2016 at 10:46 am

      That is probably for the best while they evaluate the compromise and re-populate their data.

  8. 12458 said on August 3, 2016 at 8:56 am

    It is not Master Boot Record not Master Book Record.

    1. Martin Brinkmann said on August 3, 2016 at 9:09 am

      Corrected, thanks for pointing that out.

      1. Decent60 said on August 3, 2016 at 10:09 am

        The message on the screen says “MBR” not “MNR” – slip of the finger :-P
        (reference to the quoted message)

      2. Martin Brinkmann said on August 3, 2016 at 10:36 am

        Thanks copy/paste error ;)

  9. someone said on August 3, 2016 at 8:09 am

    On a UEFI system it deleted all partitions…

    1. Paul Olaru said on August 3, 2016 at 10:54 pm

      It deleted them on my classic MBR one too. TestDisk was however able to recover them.

  10. protip said on August 3, 2016 at 7:51 am

    protip: always download from the creator’s site to prevent something like this.

    ‘It is still suggested to verify the downloads on Virustotal before you execute them just to be on the safe side.’
    if your upload speed is really slow, you know that it isn’t applicable..

    1. obviously said on August 5, 2016 at 6:21 pm

      …unless the creator’s site is the one that gets compromised.

    2. bret said on August 3, 2016 at 11:32 am

      Doesn’t work for win version of mkvtoolnix, e.g., because that is the only link on the creator’s site.

    3. Martin Brinkmann said on August 3, 2016 at 7:54 am

      This won’t work all the time as projects may use Fosshub or other download sites exclusively for providing download capabilities.
