
Fosshub website was compromised yesterday, serving up malware downloads

Master Disaster

For a short period yesterday, Fosshub was compromised and was serving up compromised versions of both Classic Shell & Audacity containing malware that destroys the user's boot sector and replaces it with an old-skool "ha ha we destroyed your PC" message straight from the 90s.

 

A group called Cult Of Peggle has claimed responsibility for the hack on Twitter.

 

Just a PSA: if you downloaded either app yesterday, DO NOT INSTALL IT. For now the malware appears to be totally unknown (brand new and not detectable by any AV/AM), and while its only confirmed payload is the MBR kill, it's possible it's also installing other stuff on your PC too, because while it does destroy the MBR it leaves all data intact and the damage can be fixed with a few very simple commands.

 

http://www.bleepingcomputer.com/forums/t/622002/fosshub-apparently-hacked-classicshell-installer-kills-the-mbr/

https://mobile.twitter.com/CultOfRazer?s=09

Video includes instructions on how to fix the payload

 

So again we have malware creators targeting legitimate software and legitimate websites to spread their wares. Pretty bad. 

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Dillon the hacker, is that you?

I'm a educated fool with money on my mind.

They say i got to learn but nobody here to teach me,if they can't understand it how can they reach me

Power and the money,money and the power,minute after minute,hour after hour

My Motivation


the title is very very very incorrect

the FossHub hosting service was breached, not the Classic Shell and Audacity websites

For Audacity I do not know, but ClassicShell.net removed the FossHub download link: http://www.classicshell.net/forum/viewtopic.php?f=12&t=6434#p27963

 

ClassicShellSetup_4_3_0

  • clean

MD5: e10881b65c27c6e09e5a33cd8bcd99c6
SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
File size: 7220496 bytes

  • infected

MD5: c67dff7c65792e6ea24aa748f34b9232
SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
File size: 7148732 bytes

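A way to run the checks posted in this thread (published MD5/SHA1, file size, and whether the installer carries a digital signature at all) from a script. This is an added example, not code from the thread, Classic Shell or FossHub. The two fingerprints are the ones posted above for ClassicShellSetup_4_3_0; the PE-header parsing, `build_sample_pe()` and the minimal images it produces are constructed for illustration. Note that this only detects whether an Authenticode blob is attached; after it says "signed" you still verify the chain and the signer name with `signtool verify /pa` or `Get-AuthenticodeSignature` in PowerShell.

```python
"""Check a downloaded installer against published hashes and for an
embedded Authenticode signature.

Added example, not code from this thread, Classic Shell or FossHub. The two
fingerprints are the ones posted in the thread for ClassicShellSetup_4_3_0;
the PE parsing, build_sample_pe() and the images it produces are constructed
for illustration.
"""
import hashlib
import struct

# As posted in the thread: (MD5, SHA1, size in bytes).
KNOWN_FINGERPRINTS = {
    "clean": ("e10881b65c27c6e09e5a33cd8bcd99c6", "a6b06d07fe3b1a7204b1b62c67fbf3c602385364", 7220496),
    "infected": ("c67dff7c65792e6ea24aa748f34b9232", "438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e", 7148732),
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot holding the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def fingerprint(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data)}


def classify(fp):
    """All three values must match one published set; a partial match is 'unknown', not 'clean'."""
    for label, known in KNOWN_FINGERPRINTS.items():
        if (fp["md5"], fp["sha1"], fp["size"]) == known:
            return label
    return "unknown"


def security_directory(data):
    """(file offset, size) of the PE security directory; (0, 0) if absent; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24               # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                # PE32
            n_rva_off, dir_off = 92, 96
        elif magic == 0x20B:              # PE32+
            n_rva_off, dir_off = 108, 112
        else:
            return None
        if struct.unpack_from("<I", data, opt + n_rva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return (0, 0)
        return struct.unpack_from("<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:                  # truncated headers
        return None


def authenticode_present(data):
    """True if a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is attached. Presence is not
    validity: still verify the chain and signer name (signtool verify /pa, or
    Get-AuthenticodeSignature in PowerShell)."""
    sec = security_directory(data)
    if not sec or sec[0] == 0 or sec[1] < 8 or sec[0] + sec[1] > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, sec[0])
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= sec[1]


def triage(data):
    fp = fingerprint(data)
    return {"verdict": classify(fp), "signed": authenticode_present(data), **fp}


def build_sample_pe(signed):
    """Constructed minimal PE32 image (headers only); not a real installer."""
    image = bytearray(0x40)               # DOS header with e_lfanew -> 0x40
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)
    image += b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # COFF header
    opt = bytearray(224)                  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    image += opt
    if signed:
        blob = b"\x30\x82\x01\x00" + b"\x00" * 28          # stand-in for PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", image, 0x40 + 24 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    print(triage(data))
```

Run it as `python check_installer.py ClassicShellSetup_4_3_0.exe`; a verdict of "unknown" means the file matches neither published fingerprint and tells you nothing on its own, which is why the MD5 and SHA1 are both required to agree rather than either one alone.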

1 minute ago, zMeul said:

the title is very very incorrect

the FossHub hosting service was breached, not the Classic Shell and Audacity websites

For Audacity I do not know, but ClassicShell.net removed the FossHub download link: http://www.classicshell.net/forum/viewtopic.php?f=12&t=6434#p27963

 

ClassicShellSetup_4_3_0

  • clean

MD5: e10881b65c27c6e09e5a33cd8bcd99c6
SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
File size: 7220496 bytes

  • infected

MD5: c67dff7c65792e6ea24aa748f34b9232
SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
File size: 7148732 bytes

Fixed :)


So, Classic Shell came up yesterday saying that it had a new update, so I clicked install and all was well. I've just powered on my PC, no problems at all. Am I safe?

 

EDIT: I think I'm safe. I found out that the actual installer says Ivaylo Beltchev on the signature, the hacked one does not. Mine said Ivaylo Beltchev. Think I dodged a fucking bullet on this one.

 

OK heart, you can stop going 3000 beats per minute now.

 

PSA EVERYONE: If you downloaded Classic Shell and want to be sure, find the 4.3 setup file. If it is 6.88MB and has a digital signature, you're good. If it is 6.81MB and doesn't have a digital signature, you're infected.

Project White Lightning (My ITX Gaming PC): Core i5-4690K | CRYORIG H5 Ultimate | ASUS Maximus VII Impact | HyperX Savage 2x8GB DDR3 | Samsung 850 EVO 250GB | WD Black 1TB | Sapphire RX 480 8GB NITRO+ OC | Phanteks Enthoo EVOLV ITX | Corsair AX760 | LG 29UM67 | CM Storm Quickfire Ultimate | Logitech G502 Proteus Spectrum | HyperX Cloud II | Logitech Z333

Benchmark Results: 3DMark Firestrike: 10,528 | SteamVR VR Ready (avg. quality 7.1) | VRMark 7,004 (VR Ready)

 

Other systems I've built:

Core i3-6100 | CM Hyper 212 EVO | MSI H110M ECO | Corsair Vengeance LPX 1x8GB DDR4  | ADATA SP550 120GB | Seagate 500GB | EVGA ACX 2.0 GTX 1050 Ti | Fractal Design Core 1500 | Corsair CX450M

Core i5-4590 | Intel Stock Cooler | Gigabyte GA-H97N-WIFI | HyperX Savage 2x4GB DDR3 | Seagate 500GB | Intel Integrated HD Graphics | Fractal Design Arc Mini R2 | be quiet! Pure Power L8 350W

 

I am not a professional. I am not an expert. I am just a smartass. Don't try and blame me if you break something when acting upon my advice.

...why are you still reading this?


2 hours ago, ThinkWithPortals said:

you're infected.

by infected you mean altered MBR

and by that it means they won't be able to boot the OS

and by that it means they can't read your warning


6 minutes ago, zMeul said:

by infected you mean altered MBR

and by that it means they won't be able to boot the OS

and by that it means they can't read your warning

No, this is for people who have installed the compromised Classic Shell but not yet rebooted their systems.


4 minutes ago, ThinkWithPortals said:

No, this is for people who have installed the compromised Classic Shell but not yet rebooted their systems.

to fix the MBR you have to do it from a secondary boot device

afaik it's not possible to fix the MBR from within Windows itself

 

might be possible with EasyBCD, haven't tried it nor used it in a while


1 minute ago, zMeul said:

to fix MBR you have to do it from a 2ndary boot device

afaik it's not possible to fix the MBR from within Windows itself

You can with a repair disk. Watch the attached video in the OP.

 

Edit: Misunderstood your post. Ignore me.

Prometheus (Main Rig)

CPU-Z Verification

Laptop: Intel Core i3-5005U, 8GB RAM, Crucial MX 100 128GB, Touch-Screen, Intel 7260 WiFi/Bluetooth card.

Game Consoles: Softmodded Fat PS2 w/ 80GB HDD, and a Dreamcast.

If you want my attention quote my post, or tag me. If you don't use PCPartPicker I will ignore your build.

Just now, zMeul said:

to fix MBR you have to do it from a 2ndary boot device

afaik it's not possible to fix the MBR from within Windows itself

Oh, I know. The guide is intended for people who want to check what version of Classic Shell they installed (genuine or hacked) without having to reboot their systems, so they can be sure whether their MBR is borked so they can make the necessary preparations (copy personal data in preparation for reinstall/repair, etc.)


Just now, EarthboundHero said:

You can with a repair disk.

yes, but that means you have to reboot xD


Fixing is simple

 

1) Reboot

2) Boot from your Windows installation media

3) Select Repair Your Computer

4) Click Advanced > Command Prompt (or just press shift+f10)

5) enter bootsec.exe /fixmbr and press enter

6) Close command prompt and click Startup Repair

7) Reboot and you're back into Windows, no hassle.

 

That said, no one really knows yet whether the MBR kill is the only payload or if it infects your machine in other ways, so I'd be careful.


Just now, zMeul said:

I'm more curious what happens on a GPT install

Yep, same here. I'm running a UEFI install on a GPT partition so I have no MBR. Plus Secure Boot would stop it from changing my EFI partition anyway.

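Two points raised above, checking the MBR without rebooting and what a GPT install looks like, can both be answered by reading sector 0 of the system disk from inside Windows (as Administrator, the raw device `\\.\PhysicalDrive0`). The script below is an added example, not code from this thread or from the attackers' write-up; the sample sectors it builds are constructed, and its "stock Windows" test is a heuristic (it looks for the three error strings carried by the Microsoft MBR boot code, so a disk booted by GRUB or another boot manager also fails it). On the GPT question: a GPT disk still has a protective MBR at LBA 0 with a single type 0xEE partition entry, so the sector exists and can be overwritten there too; UEFI firmware just never executes its boot code. The distinction the script draws between "boot code replaced" and "partition table damaged" matters because `bootrec /fixmbr` rewrites only the boot code and leaves the partition table untouched.

```python
r"""Inspect sector 0 (the MBR) of a disk without rebooting.

Added example, not code from this thread. Pass a saved 512-byte sector image
or, as Administrator on Windows, a raw device path such as
r"\\.\PhysicalDrive0" to read_first_sector(). The sample sectors below are
constructed for illustration and are not real disk images.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# Error strings embedded in the stock Microsoft MBR boot code (heuristic only).
WINDOWS_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)
GPT_PROTECTIVE_TYPE = 0xEE


def read_first_sector(path):
    r"""Read LBA 0 from a raw device or a sector dump (admin rights for \\.\PhysicalDriveN)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_partition_table(sector):
    """Four 16-byte entries at offset 446: status, CHS start, type, CHS end, LBA start, count."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def partition_table_valid(entries):
    """Structural sanity: legal status bytes, at most one active entry, no overlapping ranges."""
    active = 0
    ranges = []
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            return False
        if e["type"] == 0:
            continue                      # empty slot
        if e["sectors"] == 0:
            return False
        if e["status"] == 0x80:
            active += 1
        ranges.append((e["lba_start"], e["lba_start"] + e["sectors"]))
    if active > 1:
        return False
    ranges.sort()
    return all(b[0] >= a[1] for a, b in zip(ranges, ranges[1:]))


def assess_mbr(sector):
    """Classify sector 0. 'bootcode-replaced' with an intact table is the case bootrec /fixmbr repairs."""
    if len(sector) < SECTOR:
        return "short-read"
    if sector[510:512] != BOOT_SIG:
        return "no-boot-signature"
    entries = parse_partition_table(sector)
    table_ok = partition_table_valid(entries)
    if any(e["type"] == GPT_PROTECTIVE_TYPE for e in entries):
        return "protective-gpt-mbr" if table_ok else "gpt-protective-entry-damaged"
    if not table_ok:
        return "partition-table-damaged"
    bootcode = sector[:440]               # bytes 440-445 hold the disk signature, not code
    stock = all(s in bootcode for s in WINDOWS_MBR_STRINGS)
    return "stock-windows-mbr" if stock else "bootcode-replaced"


def build_sample_sector(bootcode, entries):
    """Constructed sample sector for illustration (not a real disk image)."""
    sector = bytearray(SECTOR)
    code = bootcode[:440]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed samples: a stock-looking Windows MBR, a GPT protective MBR, and a
# sector whose boot code was overwritten by a text payload but whose table survived.
STOCK_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 300 + b"\x00".join(WINDOWS_MBR_STRINGS)
SAMPLE_STOCK = build_sample_sector(STOCK_BOOTCODE, [(0x80, 0x07, 2048, 1_000_000)])
SAMPLE_GPT = build_sample_sector(b"", [(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])
SAMPLE_OVERWRITTEN = build_sample_sector(b"(constructed) boot code replaced by a taunt message",
                                         [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(assess_mbr(read_first_sector(target) if target else SAMPLE_OVERWRITTEN))
```

Dump the sector once from a known-good machine and keep it; comparing the first 440 bytes against that copy is a stronger check than the string heuristic, and the same dump is what you would restore if the boot code is the only thing that changed.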

2 minutes ago, zMeul said:

I'm more curious what happens on a GPT install

Same here, anyone willing to take one for the team? :P


Dunno if you guys read the hackers' Twitter, but they seem to be quite nice about it, linking how it works and how to fix it. They're also saying you should always check software you're installing. Not all that bad, unless the software is installing more malware than just a simple MBR kill.

"Great minds discuss ideas; average minds discuss events; small minds discuss people."

Main rig:

i7-4790 - 24GB RAM - GTX 970 - Samsung 840 240GB Evo - 2x 2TB Seagate. - 4 monitors - G710+ - G600 - Zalman Z9U3

Other devices

Oneplus One 64GB Sandstone

Surface Pro 3 - i7 - 256Gb

Surface RT

Server:

SuperMicro something - Xeon e3 1220 V2 - 12GB RAM - 16TB of Seagates 
