Posted August 3, 2016

For a short period yesterday FossHub was compromised and was serving up compromised versions of both Classic Shell and Audacity which contain malware that destroys the user's boot sector and replaces it with an old skool "ha ha we destroyed your PC" message straight from the 90s. A group called Cult Of Peggle has claimed responsibility for the hack on Twitter.

Just a PSA: if you downloaded either app yesterday, DO NOT INSTALL IT.

For now the malware appears to be totally unknown (brand new and not detectable by any AV/AM). While its only confirmed payload is the MBR kill, it's possible it's also installing other stuff on your PC too, because while it does destroy the MBR it leaves all data intact and the damage can be fixed with a few very simple commands.

http://www.bleepingcomputer.com/forums/t/622002/fosshub-apparently-hacked-classicshell-installer-kills-the-mbr/

https://mobile.twitter.com/CultOfRazer?s=09

Video includes instructions on how to fix the payload.

So again we have malware creators targeting legitimate software and legitimate websites to spread their wares. Pretty bad.
Posted August 3, 2016

Dillon the hacker, is that you?
Posted August 3, 2016

The title is very, very, very incorrect: the FossHub hosting service was breached, not the Classic Shell and Audacity websites.

For Audacity I do not know, but ClassicShell.net removed the FossHub download link: http://www.classicshell.net/forum/viewtopic.php?f=12&t=6434#p27963

ClassicShellSetup_4_3_0

clean
MD5: e10881b65c27c6e09e5a33cd8bcd99c6
SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
File size: 7220496 bytes

infected
MD5: c67dff7c65792e6ea24aa748f34b9232
SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
File size: 7148732 bytes
Posted August 3, 2016 Author

1 minute ago, zMeul said: the title is very very incorrect, the FossHub hosting service was breached, not the Classic Shell and Audacity websites

Fixed
Posted August 3, 2016

So, Classic Shell came up yesterday saying that it had a new update, so I clicked install and all was well. I've just powered on my PC, no problems at all. Am I safe?

EDIT: I think I'm safe. I found out that the actual installer says Ivaylo Beltchev on the signature; the hacked one does not. Mine said Ivaylo Beltchev. Think I dodged a fucking bullet on this one. OK heart, you can stop going 3000 beats per minute now.

PSA EVERYONE: If you downloaded Classic Shell and want to be sure, find the 4.3 setup file. If it is 6.88MB and has a digital signature, you're good. If it is 6.81MB and doesn't have a digital signature, you're infected.
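The two posts above give the practical checks for a downloaded installer: the published clean/infected MD5, SHA1 and byte sizes, and whether the file carries a digital signature at all. The following is an added example, not code from the thread or from the Classic Shell project, that automates both. The digest values are the ones quoted above for ClassicShellSetup_4_3_0; the PE-header walk follows the PE/COFF layout (the Authenticode blob is referenced by data directory entry 4, the security directory); `build_fake_pe()` is a constructed test input, not a real installer. The signature check only detects whether a signature blob is present; validating the chain and the signer name (the "Ivaylo Beltchev" check) needs a Windows API such as PowerShell's `Get-AuthenticodeSignature` or a dedicated PE-signature library.

```python
"""Check a downloaded installer against published hashes and look for an
embedded Authenticode signature blob.

Added example; not code from the thread or the Classic Shell project.
KNOWN holds the MD5/SHA1/size values quoted in the thread; build_fake_pe()
produces a constructed minimal PE32 header for testing only.
"""
import hashlib
import struct

# Published digests for ClassicShellSetup_4_3_0 (quoted in the thread).
KNOWN = {
    "clean": {"md5": "e10881b65c27c6e09e5a33cd8bcd99c6",
              "sha1": "a6b06d07fe3b1a7204b1b62c67fbf3c602385364",
              "size": 7220496},
    "infected": {"md5": "c67dff7c65792e6ea24aa748f34b9232",
                 "sha1": "438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e",
                 "size": 7148732},
}


def digests(data: bytes) -> dict:
    """MD5 and SHA1 as lowercase hex, plus the byte length, of an in-memory file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data)}


def classify_digests(d: dict) -> str:
    """Return 'clean' or 'infected' only when MD5, SHA1 and size all agree
    with a published entry; anything else is 'unknown'. MD5 and SHA1 are no
    longer collision-resistant, so requiring both plus the length keeps a
    single forged or mistyped value from flipping the verdict."""
    for label, ref in KNOWN.items():
        if all(d[k] == ref[k] for k in ("md5", "sha1", "size")):
            return label
    return "unknown"


IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode directory


def signature_blob_size(data: bytes) -> int:
    """Size of the WIN_CERTIFICATE blob referenced by the PE security data
    directory. 0 means no embedded signature. Presence only: this does not
    verify the signature or the signer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: data directories start 96 bytes in
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+: 112 bytes in
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    _file_offset, size = struct.unpack_from("<II", data, entry)
    return size


def verdict(data: bytes) -> dict:
    """Combine the hash lookup and the signature-presence check."""
    d = digests(data)
    try:
        sig = signature_blob_size(data)
    except ValueError:                      # not a PE at all: treat as unsigned
        sig = 0
    return {"hashes": classify_digests(d), "signed": sig > 0, **d}


def build_fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (no sections), for testing only."""
    img = bytearray(0x40 + 4 + 20 + 224)    # DOS stub, 'PE\0\0', COFF header, optional header
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 4 + 16, 224)    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)      # PE32 magic
    if signed:
        blob = b"\x00" * 64                            # stand-in for a WIN_CERTIFICATE
        struct.pack_into("<II", img, 0x40 + 24 + 96 + 4 * 8, len(img), len(blob))
        img += blob
    return bytes(img)


if __name__ == "__main__":
    import sys
    # usage: python check_installer.py ClassicShellSetup_4_3_0.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, verdict(f.read()))
```

A `"hashes": "unknown"` result is not a clean bill of health; it only means the file is neither of the two published builds (a different version, a re-downloaded copy, or a second tampered variant). Treat "unknown" plus `"signed": False` as a reason not to run the file, and confirm the signer on Windows with `Get-AuthenticodeSignature` before trusting a signed one.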
Posted August 3, 2016

2 hours ago, ThinkWithPortals said: you're infected.

By infected you mean altered MBR, and by that it means they won't be able to boot the OS, and by that it means they can't read your warning.
Posted August 3, 2016

6 minutes ago, zMeul said: by infected you mean altered MBR and by that it means they won't be able to boot the OS and by that it means they can't read your warning

No, this is for people who have installed the compromised Classic Shell but not yet rebooted their systems.
Posted August 3, 2016

4 minutes ago, ThinkWithPortals said: No, this is for people who have installed the compromised Classic Shell but not yet rebooted their systems.

To fix the MBR you have to do it from a secondary boot device; afaik it's not possible to fix the MBR from within Windows itself. Might be possible with EasyBCD, haven't tried it nor used it in a while.
Posted August 3, 2016

1 minute ago, zMeul said: to fix MBR you have to do it from a 2ndary boot device afaik it's not possible to fix the MBR from within Windows itself

You can with a repair disk. Watch the attached video in the OP.

Edit: Misunderstood your post. Ignore me.
Posted August 3, 2016

Just now, zMeul said: to fix MBR you have to do it from a 2ndary boot device afaik it's not possible to fix the MBR from within Windows itself

Oh, I know. The guide is intended for people who want to check what version of Classic Shell they installed (genuine or hacked) without having to reboot their systems, so they can be sure whether their MBR is borked so they can make the necessary preparations (copy personal data in preparation for reinstall/repair, etc.)
Posted August 3, 2016

Just now, EarthboundHero said: You can with a repair disk.

Yes, but that means you have to reboot.
Posted August 3, 2016

I'm more curious what happens on a GPT install.
Posted August 3, 2016 Author

Fixing is simple:

1) Reboot
2) Boot from your Windows installation media
3) Select Repair Your Computer
4) Click Advanced > Command Prompt (or just press Shift+F10)
5) Enter bootsec.exe /fixmbr and press Enter
6) Close the command prompt and click Startup Repair
7) Reboot and you're back into Windows, no hassle.

That said, no one really knows if the MBR kill is the only payload or if it infects your machine in other ways yet, so I'd be careful.
Posted August 3, 2016 Author

Just now, zMeul said: I'm more curious what happens on a GPT install

Yep, same here. I'm running a UEFI install on a GPT partition so I have no MBR. Plus Secure Boot would stop it from changing my EFI partition anyway.
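The repair recipe a few posts up works because the payload only overwrites the first sector of the disk (in Windows RE the repair tool is bootrec.exe, run as `bootrec /fixmbr`, followed by Startup Repair). What the posts above are really asking for is a way to tell, before rebooting, whether sector 0 has actually been replaced, and what a GPT/UEFI disk looks like by comparison. The following is an added example, not code from the thread, that reads the first 512 bytes of a disk or disk image and classifies them. The "Windows boot code" fingerprint is an assumption stated in the code (the stock Windows MBR begins with the bytes 33 C0 8E D0 BC 00 7C and embeds its three error strings); the sample sectors are constructed, not captures of the real payload.

```python
"""Triage sector 0 of a disk (or a raw image of it): is it still Windows'
own MBR boot code, a GPT protective MBR, or something that overwrote it?

Added example; not from the thread. The Windows fingerprint below is a
heuristic assumption, and the sample sectors at the bottom are constructed.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"                                  # bytes 510-511 of a bootable sector
# Assumed fingerprint of the stock Windows MBR: its first instructions
# (xor ax,ax / mov ss,ax / mov sp,7C00h) and the three error strings it prints.
WIN_MBR_PROLOGUE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
WIN_MBR_STRINGS = (b"Invalid partition table",
                   b"Error loading operating system",
                   b"Missing operating system")
GPT_PROTECTIVE = 0xEE                                   # partition type of a GPT protective MBR


def partitions(sector: bytes) -> list:
    """Parse the four 16-byte partition entries that start at offset 446."""
    out = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:                                       # type 0 = empty slot
            out.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return out


def triage_mbr(sector: bytes) -> str:
    """Classify a first sector. Returns one of:
    'no-boot-signature', 'gpt-protective', 'windows-mbr',
    'no-partitions', 'foreign-boot-code'."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sector = sector[:SECTOR]
    if sector[510:512] != BOOT_SIG:
        return "no-boot-signature"          # BIOS will refuse to boot this: wiped or garbage
    parts = partitions(sector)
    if len(parts) == 1 and parts[0]["type"] == GPT_PROTECTIVE:
        return "gpt-protective"             # GPT disk; the real boot path is the EFI partition
    code = sector[:446]
    if code.startswith(WIN_MBR_PROLOGUE) and all(s in code for s in WIN_MBR_STRINGS):
        return "windows-mbr"
    if not parts:
        return "no-partitions"
    return "foreign-boot-code"              # intact table, unfamiliar code: inspect before reboot


# --- constructed sample sectors (not real captures) --------------------------
def _sector(code: bytes, entries: list, signed: bool = True) -> bytes:
    s = bytearray(SECTOR)
    s[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", s, 446 + 16 * i, status, ptype, lba, count)
    if signed:
        s[510:512] = BOOT_SIG
    return bytes(s)


WINDOWS_SECTOR = _sector(WIN_MBR_PROLOGUE + b"\x90" * 200 + b"\0".join(WIN_MBR_STRINGS),
                         [(0x80, 0x07, 2048, 2_000_000)])           # one bootable NTFS partition
GPT_SECTOR = _sector(b"\x00" * 100, [(0x00, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
OVERWRITTEN_SECTOR = _sector(b"\xb4\x0e" + b"ha ha we destroyed your PC",
                             [(0x80, 0x07, 2048, 2_000_000)])       # table kept, code replaced
WIPED_SECTOR = bytes(SECTOR)                                        # zeroed: no 55 AA


if __name__ == "__main__":
    import sys
    # e.g.  python mbr_triage.py \\.\PhysicalDrive0   (Windows, elevated prompt)
    #       python mbr_triage.py /dev/sda              (Linux live USB, as root)
    for dev in sys.argv[1:]:
        with open(dev, "rb") as f:
            print(dev, triage_mbr(f.read(SECTOR)))
```

Two caveats a practitioner should keep in mind. First, "windows-mbr" only says the boot code matches the stock fingerprint; a payload that waits for a trigger, or that hit a different disk, will not show up here, so it does not replace an AV scan or a reinstall if other components turn up. Second, on a UEFI/GPT machine the answer "gpt-protective" does not mean the system is safe: an installer running as administrator can still write to the EFI System Partition, and Secure Boot only refuses to execute unsigned boot components; it does not stop a process from overwriting or deleting the bootloader and leaving the machine unbootable.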
Posted August 3, 2016

2 minutes ago, zMeul said: I'm more curious what happens on a GPT install

Same here, anyone willing to take one for the team?
Posted August 3, 2016

Dunno if you guys read the hackers' Twitter, but they seem to be quite nice about it. Linking how it works and how to fix it. Also saying you should always check software you're installing. Not all that bad, unless the software is installing more malware than just a simple MBR kill.