I don't have an MBR. Will these cretins consider supporting GUID partition table / UEFI in their next release?
Classic Shell, Audacity downloads infected with retro MBR nuke nasty
Classic Shell and Audacity downloads were booby-trapped this week with an old-school software nasty that knackered victims' Windows PCs. Hackers were able to inject some retro-malware into the popular applications' installers hosted on fosshub.com, an official home for Classic Shell and Audacity releases among other software …
COMMENTS
Thursday 4th August 2016 15:46 GMT Hans 1
>Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.
Upvoted, but Windows Cleaner and Surface Experts do not understand that downloading something from some rogue website and installing it is insecure. They do not know what MBR is, or EFI for that matter ... else they would have jumped to Linux/FreeBSD/AnythingButRedmond a long time ago.
In short, you are wasting your time with these n00bs.
Thursday 4th August 2016 16:06 GMT Anonymous Coward
Re: UEFI affected as well
"This particular malware was very new and detected only by AVG and Kaspersky as a generic threat."
Which in my opinion only goes to show you of what poor quality most virus scanners actually are. I'm not talking about detection here but prevention. Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?
Thursday 4th August 2016 18:43 GMT Ken Hagan
Re: UEFI affected as well
"Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?"
I had a BIOS that did that, about twenty years ago, so it's not that hard. However, I haven't had a similar warning anytime recently, so apparently it isn't something that modern BIOSes bother with.
Thursday 4th August 2016 03:34 GMT Kanhef
UAC limitation
A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.
Thursday 4th August 2016 06:36 GMT frank ly
A good example
"We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization."
Admit you made mistakes, recognise your shortcomings and work like heck to put them right. It's a refreshing change and I hope it starts a trend.
Thursday 4th August 2016 07:17 GMT wolfetone
The problem with that pop up window is that people who know about computers will know it's a pain in the ass, but they'll have gotten their software from a trusted source.
People with no idea about computers will click OK to anything because they know that's the only way to install the thing they downloaded.
There is no patch for human stupidity, but there may be a way to alter their MBR?
Thursday 4th August 2016 15:55 GMT Hans 1
>There is no patch for human stupidity, but there may be a way to alter their MBR?
Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ....
Friday 5th August 2016 06:44 GMT wolfetone
"Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ...."
But Windows 7 has the same stupid notification bullshit that allows this problem to carry on.
Thursday 4th August 2016 17:05 GMT Nolveys
The problem with the popup window is that users have to click on such windows _all_ _the_ _time_ and that the message is completely non-specific. A message such as:
"This software wishes to:
- install itself for all users to use
- add itself as a service
- hook into explorer.exe
- hook into winlogin
- perform low-level disk modifications
Do you wish to continue?"
Would help immensely. Of course this would require some sort of capabilities-based privilege elevation and associated API.
Thursday 4th August 2016 18:52 GMT Ken Hagan
On paper, MSIEXEC could do all of that. The MSI file that you feed it could be just data and the operations that it requests on its behalf could be sanity checked and classified for end-user (well, Administrator) approval.
In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.
All this has been true since MSI debuted almost (?) 20 years ago. MS has never felt it necessary to add these features. There *may* be an option, buried deep inside some Group Policy template, to disable custom actions. Or there may not. Since it isn't enabled, or advertised, by default it hardly matters whether it exists or not.
Tl;dr: the Windows Installer is utter, utter loathsome crap.
Friday 5th August 2016 07:01 GMT Anonymous Coward
>In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.
You mean like running a program as root on Linux?
Thursday 4th August 2016 08:23 GMT Tony W
Would this be detected on check?
As others have pointed out, quite a lot of legitimate sw produces unknown publisher warning. I scan all exe and zip downloads before running though. I also use Scotty that detects changes to startup programs. Am I just getting a false sense of security by doing this?
Thursday 4th August 2016 10:19 GMT phuzz
Re: Would this be detected on check?
A virus scanner is unlikely to pick up a brand new threat (although I assume this one is in the databases of most virus scanners by now), so that probably wouldn't have helped you.
Also, a change to the MBR is 'before' any OS is loaded, or startup programs, so monitoring here wouldn't have helped either (assuming this malware just altered the MBR and didn't install its own startup program).
What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.
tl/dr: no, your current defences would probably not have helped defend against this specific malware.
Thursday 4th August 2016 13:44 GMT Pascal Monett
Re: Also, a change to the MBR is 'before' any OS is loaded
I don't think so. The MBR was changed by the execution of the nasty. Besides, if no OS is loaded, how can any change be made ? Something has to run the code that makes the change.
Why this MBR rewrite could fly under the AV radar is beyond me. Is the MBR being regularly rewritten by the OS all day ? Don't think so. So why does MBR access not trigger a humongous red screen with nukular* blast in the background and big white lettering saying "HEY, SOMEBODY WANTS TO RECONFIGURE YOUR DISKS - ARE YOU SURE ???" and a nice red button with "FUCK NO" written on it to abort.
But no, apparently any piece of code can just go and write to the MBR. No problem here, no sir, carry on while I slow the Internet down with all the Flash checking I have to do. . .
* yes, I did write nukular on purpose
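The complaint above, that nothing shouts when a process rewrites the first sector, can at least be turned into an after-the-fact check. What follows is an added example, not from the article or from any commenter: it parses a 512-byte MBR, hashes the bootstrap area, decodes the partition table, and diffs the result against a baseline taken when the disk was known to be clean. The sample sectors are constructed for the demo and do not reproduce anything the real malware wrote; `read_mbr` assumes a raw device path such as `\\.\PhysicalDrive0` (Windows) or `/dev/sda` (Linux) and needs administrator or root rights.

```python
"""Parse an MBR and diff it against a known-good baseline (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_END = 440          # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow
PART_ENTRY = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIGNATURE = b"\x55\xAA"
GPT_PROTECTIVE = 0xEE       # partition type a GPT disk leaves in its protective MBR


def parse_mbr(mbr: bytes) -> dict:
    """Return the bootcode hash, disk signature and partition table of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "protective_gpt": any(p["type"] == GPT_PROTECTIVE for p in partitions),
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Describe what changed between a known-good MBR and the sector read from disk now."""
    base = parse_mbr(baseline)
    try:
        cur = parse_mbr(current)
    except ValueError as exc:
        return [f"current sector unparseable: {exc}"]
    findings = []
    if base["bootcode_sha256"] != cur["bootcode_sha256"]:
        findings.append("bootcode changed")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(bootcode: bytes, partitions: list, disk_signature: int = 0x1234ABCD) -> bytes:
    """Construct a synthetic MBR for the demo (not read from any real disk)."""
    sector = bytearray(MBR_SIZE)
    stub = bootcode[:BOOTCODE_END]
    sector[:len(stub)] = stub
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device, e.g. r'\\.\PhysicalDrive0' or '/dev/sda' (needs admin/root)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample: a bootstrap-looking stub plus one bootable NTFS-type (0x07) partition at LBA 2048.
GOOD_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 32
GOOD_MBR = build_sample_mbr(GOOD_BOOTCODE, [(True, 0x07, 2048, 204800)])
# Same disk after something replaced the bootstrap area (a 'jmp $' stub, made up for the demo).
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x00" * 30, [(True, 0x07, 2048, 204800)])
# Same disk with the whole sector zeroed, signature included.
WIPED_MBR = bytes(MBR_SIZE)

if __name__ == "__main__":
    print("clean:", diff_mbr(GOOD_MBR, GOOD_MBR))
    print("bootcode overwritten:", diff_mbr(GOOD_MBR, TAMPERED_MBR))
    print("zeroed sector:", diff_mbr(GOOD_MBR, WIPED_MBR))
```

Run the comparison before rebooting: a rewritten bootstrap area does nothing until the next boot, so a scheduled read of sector 0 against a stored baseline catches it while the machine is still bootable. On a GPT disk this parser only ever sees the protective 0xEE entry; the firmware boots from the EFI system partition instead, so a baseline there would have to cover the loader files rather than this sector.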
Thursday 4th August 2016 15:14 GMT Jim Mitchell
Re: Also, a change to the MBR is 'before' any OS is loaded
@ Pascal Monett
Even without AV, the OS should block this. Windows UAC will query for writes to system files, but I can blow away the MBR without any question? On a related note, I was surprised when the BIOS update program from the manufacturer ran fine without Windows asking for user approval of any kind.
Friday 5th August 2016 10:24 GMT phuzz
Re: Also, a change to the MBR is 'before' any OS is loaded
I assume that the malware did bring up a UAC prompt, but as the users thought they were installing legitimate software they clicked it without noticing that it was unsigned.
I have seen BIOSes which block any writes to the MBR, but of course you have to turn this off before you install an OS, and remember to turn it on later. I've not seen it in a BIOS for a few years now.
Friday 5th August 2016 20:05 GMT jelabarre59
Re: Would this be detected on check?
What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.
SecureBoot is not reviled because it checks your boot process. It's reviled because Microsoft have appointed themselves God And Holy Gatekeeper of SecureBoot, allowing no others control over it. Properly done you should be able to register your OWN keys into its index when you install a new OS. But MS are doing everything possible (and I didn't even say everything "legal") to make sure it stays that way.
Thursday 4th August 2016 09:30 GMT yossarianuk
More reason to use Linux
Installing Audacity on Linux is generally done via a centralised package manager where it is far far far harder for an attacker to upload a malware version - you are much safer than finding the same software on Windows.
Open source on Windows involves visiting random sites, which often have about 20 different download links (most are not real download buttons but just a link to another random advert).
Thursday 4th August 2016 18:57 GMT Ken Hagan
Re: More reason to use Linux
"Can Microsoft really put GPL applications in their 'windows store' without breaking the GPL ?"
I don't see why not. They aren't offering it as part of their own product. It's just a transfer of data. Last time I downloaded some GPL-ed code, the bits passed through a number of commercial operations, such as my ISP. Even RMS doesn't have a problem with that ... surely?
Sunday 7th August 2016 13:25 GMT Vic
Re: More reason to use Linux
"Can Microsoft really put GPL applications in their 'windows store' without breaking the GPL ?"
I don't see why not
Then you might want to read the licence, as it gives the answer most explicitly.
They aren't offering as part of their own product. It's just a transfer of data
That does not matter one bit. If they are redistributing the code that is permissible only under the terms of the licence - which, for a commercial redistribution as this would be, requires either the transfer of source with the binary, or else a binding promise to supply that source on demand.
Vic.
Thursday 4th August 2016 10:37 GMT Palpy
Yes, the Linux repositories are safer. Sigh.
But there is much more software available for Windows. AFAIK, Linux Audacity users don't have access to the variety of plugins that Windows Audacity users enjoy.
The range of non-commercial software written for Windows used to be a lot of fun to explore. But once download sites started bundling PUPs with the installers and malware writers started co-opting downloads, the thrill done gone.
(Written from non-Windows, non-Mac grandpaw box. Just so's you know it's not from a Win fanboi.)
Thursday 4th August 2016 11:12 GMT yossarianuk
Re: Yes, the Linux repositories are safer. Sigh.
Not more (validated) open source available.
Linux Audacity seems to have a fair amount of plugins; it's lacking some VST plugins, sure, however it has plenty.
Also using the jack plugin in Linux with a realtime kernel gets you as close to 0 latency as possible, something Windows cannot really do (using software alone)
Thursday 4th August 2016 11:13 GMT Mage
Re: There is much more software available for Windows
Used to be true. However most of the engineering stuff I use hasn't been updated for years and doesn't work on various versions of Windows since XP (depending on application and version of windows).
I've had good success with WINE on Linux Mint + Mate. The only newer programs I want are English QQ, which doesn't exist on Linux (nor work on WINE), Digiguide, Kindle Reader and Notepad++ (which all do work on WINE). Compilers are no problem. LibreOffice, Inkscape, Thunderbird, Calibre, Celestia, Gimp, Audacity, Filezilla, PuTTY, Eagle CAD, Xchat (or clone), Scratch, Stellarium, Apache, PHP, MySQL, Skype, etc are all on Windows and Linux "natively". Many programs have less bloated Linux alternatives. I guess maybe Sage Accounts and Payroll might be a problem, I don't know as I don't do IT support any longer, thank God.
Thursday 4th August 2016 12:53 GMT breakfast
Re: Yes, the Linux repositories are safer. Sigh.
I use Audacity a lot and around the current version there's not much difference between platforms.
If you're dealing with a lot of VSTs that is a little different, though they do often work under Wine, but those tend to be more in the realm of serious studio recording, for which one would plausibly use something like Ardour on Linux rather than Audacity.
Thursday 4th August 2016 12:49 GMT Anonymous Coward
Re: More reason to use Linux
Yes that has its advantages, but I can't be the only Windows user who LIKES the fact that single files can be executables, easily downloaded, stored and transferred (and often still working on later versions of Windows), which is really convenient in many ways.
And the downside on Linux is that, unless you're a real neckbeard Penguinista, you're forced to upgrade when your OS is getting long in the tooth and the repository is no longer maintained. I still haven't got to grips with how it all works behind the scenes and how to work around such things. I enjoy many things about Mint but I don't want to get that greasy under the hood right now!
Plus, there's nothing stopping someone from setting up a centralised package manager system for Windows software - but is there such a thing? If the answer is no, then it's not likely that the demand is there, is it?
And could Linux repositories be hacked anyway? Could the national security service intercept a download request and insert their own malicious version? Inquiring minds would like to know beneath their tinfoil hats!
I'm just glad I haven't chosen to update my Audacity at the wrong time.
Windows and Mint user (who sees both sides of the story)
Thursday 4th August 2016 15:40 GMT Jamie Jones
Re: More reason to use Linux
Could the national security service intercept a download request and insert their own malicious version? Inquiring minds would like to know beneath their tinfoil hats!
I don't know about Linux, but FreeBSD keeps sha256 checksums of all its distfiles (separate from the distfiles themselves!)
Thursday 4th August 2016 16:31 GMT Anonymous Coward
Re: More reason to use Linux
> I don't know about Linux, but FreeBSD keeps sha256 checksums of all its distfiles (separate from the distfiles themselves!)
Very much the same on Debian & derivatives (secureapt)
To the best of my knowledge, all the others have equivalent security mechanisms.
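The separate-checksum scheme the two replies above describe can be shown concretely. This is an added example, not FreeBSD's or Debian's own tooling: it parses FreeBSD-style distinfo lines (`SHA256 (file) = hex` and `SIZE (file) = bytes`) and rejects a download whose hash, size, or very presence in the list does not match. The archive bytes and the filename are constructed for the demo, and the distinfo text is generated from them so the block runs offline; in real use the list comes from the ports tree and the archive from a mirror, which is the whole point.

```python
"""Verify a downloaded archive against a checksum list published separately (added example)."""
import hashlib
import re

# FreeBSD ports distinfo lines look like:
#   SHA256 (audacity-2.1.2.tar.gz) = <64 hex chars>
#   SIZE (audacity-2.1.2.tar.gz) = 1234567
DISTINFO_LINE = re.compile(r"^(?P<algo>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text: str) -> dict:
    """Map each filename to its expected sha256 (hex) and size, skipping the TIMESTAMP line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            # A malformed list is treated as hostile rather than silently skipped.
            raise ValueError(f"unrecognised distinfo line: {line!r}")
        entry = entries.setdefault(m["name"], {})
        if m["algo"] == "SHA256":
            entry["sha256"] = m["value"].lower()
        else:
            entry["size"] = int(m["value"])
    return entries


def verify_distfile(name: str, data: bytes, distinfo: dict) -> list:
    """Return the reasons to reject `data`; an empty list means it matches the published entry."""
    expected = distinfo.get(name)
    if expected is None:
        return [f"{name}: not listed in distinfo, refusing to trust it"]
    problems = []
    if "size" in expected and len(data) != expected["size"]:
        problems.append(f"{name}: size {len(data)} != published {expected['size']}")
    if "sha256" not in expected:
        problems.append(f"{name}: no SHA256 published")
    elif hashlib.sha256(data).hexdigest() != expected["sha256"]:
        problems.append(f"{name}: SHA256 mismatch")
    return problems


# Constructed stand-in for a release tarball (not a real Audacity or Classic Shell file).
SAMPLE_NAME = "sample-1.0.tar.xz"
SAMPLE_ARCHIVE = b"constructed archive contents standing in for a real release tarball\n" * 4

# In real life this text is fetched from the ports tree, not from the download mirror;
# here it is generated from the constructed archive so the demo is self-contained.
SAMPLE_DISTINFO = (
    "TIMESTAMP = 1470268800\n"
    f"SHA256 ({SAMPLE_NAME}) = {hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()}\n"
    f"SIZE ({SAMPLE_NAME}) = {len(SAMPLE_ARCHIVE)}\n"
)
DISTINFO = parse_distinfo(SAMPLE_DISTINFO)

if __name__ == "__main__":
    print("genuine:", verify_distfile(SAMPLE_NAME, SAMPLE_ARCHIVE, DISTINFO))
    print("appended payload:", verify_distfile(SAMPLE_NAME, SAMPLE_ARCHIVE + b"\x90\x90", DISTINFO))
    print("same size, one byte flipped:", verify_distfile(SAMPLE_NAME, b"X" + SAMPLE_ARCHIVE[1:], DISTINFO))
    print("unlisted file:", verify_distfile("other-1.0.tar.xz", SAMPLE_ARCHIVE, DISTINFO))
```

The check is only as strong as the channel the checksum list arrived over: if an attacker can replace both the archive and the list on the same server, as happened to the installers in the article, a matching hash proves nothing. That is why the Debian side of this goes one step further and verifies a GPG signature over the Release file that carries the hashes, so that the list itself has a provenance independent of the mirror.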
Friday 5th August 2016 11:54 GMT Naselus
Re: More reason to use Linux
"I enjoy many things about Mint but I don't want to get that greasy under the hood right now!"
Honestly, Mint is actually less secure than Windows these days (not Linux distros generally - just Mint, which is extremely amateurishly run and often skips critical security updates for extremely flimsy reasons). Most Linux admins I know think it's awful and advise people to avoid it if they want to really learn about Linux. Generally, the people who go around proselytizing Mint to anyone who'll listen don't understand WHY Linux is considered better than Windows, and think that just by using any Linux distro they've become computing experts; the equivalent of people who think 'Macs can't get viruses'.
Thursday 4th August 2016 12:19 GMT myhandler
Re: Where's that story about not being able to fix Layer 8?
Yes, but if you'd installed it many times before you'd just bounce over that and click OK. It would have got me..
What is an untrusted source anyway? Everything?
It's the sort of message you see when an email comes through from, let's say the National Trust, and it says 'certificate not trusted'. National Trust emails have been like that for months. (I know it's not the same, but it's similar)
It's impossible to differentiate between an important message and a less important one.
Thursday 4th August 2016 12:56 GMT Prst. V.Jeltz
I've never worked anywhere that doesn't have browser certificate errors popping up everywhere because they or their software providers haven't paid / bothered to keep them up to date. And I've worked in some big places.
I had one such error this morning in fact with a certain NHS trust not maintaining a particular certificate.
Re the signed installer - I'd have fallen for that because a) the mentality outlined above, b) it's the regular download distribution point and as such reputable, like SourceForge.
Thursday 4th August 2016 17:11 GMT bombastic bob
It's a CONSPIRACY, I tell ya!
"After I Installed the Windows 10 anniversary update I noticed it had uninstalled Classic Shell and had an even worse start menu as before,"
AAAaaand the FORCING YOU TO RE-INSTALL 'Classic Shell' naturally exposes you to this "new" version which results in PUNISHING YOU for NOT using Micro-shaft's *GLORIOUS* *MODERN* *INTERFACE* (with the built-in ADVERTISING).
So it's a CONSPIRACY from MICRO-SHAFT to *FORCE* you to *DO* *IT* *THEIR* *WAY* and *PREVENT* you from *BYPASSING* their *AD-CRAP* and *SPY-CRAP*!!! And they want to *KILL* the traditional 'start menu' interface that has worked for over 20 years! [and leverage it, and LOCK YOU IN, and CONTINUE to SUCK YOU DRY for every penny they can get]
(well it's a fun conspiracy theory, at any rate)
And wait until they do something REALLY heinous [as if it's possible to get worse], like re-sorting the start menu to put their "offerings" at the top, or (even worse than that) scroll them along with the 'all [cr]apps' list, so that only 2 or 3 items NOT being promoted by Micro-shaft will be in the list, at the bottom, below their 'preferential' list, forcing you to scroll-scroll-scroll to the 'W' to get 'windows cleanup' or whatever... [from now on my windows application start menu shortcut names start with the number '0', ha ha ha ha]