
Keepass.com spreading malware acting as the official password manager site - svacko
https://twitter.com/berkcgoksel/status/1125727590440931329
======
zaroth
I discovered this a couple months ago and posted in an Ask HN about an
apparent attempt by the same person to trademark TrueCrypt;

[https://news.ycombinator.com/item?id=19311856](https://news.ycombinator.com/item?id=19311856)

At the time the download links on the non-official Keepass.com site seemed to
point back to the official sources, but I noted of course that could change in
the future, or could even be different depending on who visits the site.

I ended up submitting an objection to the TrueCrypt trademark application to
the USPTO, but I'm not sure how much good it will end up doing. I was not able
to pay a lawyer the several thousand dollars they wanted to draft the letter
themselves.

~~~
mysterypie
Quoting part of your original posting here:

_I have been working on a fork of TrueCrypt/VeraCrypt and wanted to be sure
that before releasing the code that I am following all the license terms and
giving proper attribution, as TrueCrypt has a somewhat non-standard open
source license.

TrueCrypt has an old trademark issued back in 2007 but which expired after 10
years in 2017. As part of the licensing review, I discovered there is a new
trademark application filed August 25, 2018 by Julien Clairet under a company
named "DATA ACCESS" based in Paris, France.

I discovered [that] "keepass.com" is also apparently registered to Julien /
DATA ACCESS.

There is a publication period when new Trademarks are announced and an
opportunity to contest the validity of the claim. The new "TrueCrypt"
trademark was published on February 20, 2019, and you have 30 days from the
time that the mark is published to file any opposition.

I am preparing to file a response to USPTO._

First of all, a huge thank you from everyone that loves TrueCrypt for doing
this.

How long will it be before you know if they issued or rejected the trademark?
Is there anything else that can be done now that the 30-day deadline has
passed? Would you mind posting a link to the trademark application?

~~~
zaroth
Thank you and you're welcome. I did link the application in my original post,
here it is again;

[http://tsdr.uspto.gov/documentviewer?caseId=sn88092713&docId...](http://tsdr.uspto.gov/documentviewer?caseId=sn88092713&docId=RFA20180829063346#docIndex=12&page=1)

Typically two months after publications they will send the Notice of
Allowance. It hasn't happened yet but it could happen any day I suspect.

------
mysterypie
For anyone confused by this Twitter sound bite, the story is that there are 2
main sites from which you can download KeePass Password Safe (the free, open-
source password manager):

- [https://keepass.info/](https://keepass.info/) is the _official_ site,
which ironically uses a suspicious-looking .info top-level domain, but is in
fact the legitimate source

- [https://keepass.com/](https://keepass.com/) is an unofficial site which
the Twitter article is reporting as spreading malware, but has somehow
obtained the more legitimate-sounding .com top-level domain

And by the way, both of these sites come up on the first page of a Google
search for "KeePass".

~~~
freehunter
I have the same issue with Putty. I was helping a client debug an issue with
an appliance they bought from my company (me on their computer, them watching
over my shoulder) and asked if I could download Putty on their machine. They
said yes, so I went to
"[https://www.chiark.greenend.org.uk/~sgtatham/putty/](https://www.chiark.greenend.org.uk/~sgtatham/putty/)"
and clicked the download link and they flipped out. It's too fishy, they said,
must be a malicious site. I went to putty.org instead (not affiliated with
Putty), and clicked the "download putty" link and it redirected back to the
other site, and from that point they refused to let me download Putty.

We then spent 3 hours getting approvals for me to get my own laptop on their
internal network so I could use ssh from my Macbook. I felt bad because my
company charges like $300/hr for our consulting services, so we wasted nearly
$1000 because the main Putty download site seemed too suspicious for the
client to be comfortable with.

I know Putty is legitimate and I know it's a free product, but appearances do
matter. Presentation does matter. Although I do blame Microsoft a bit for not
shipping an SSH client for so long.

~~~
sireat
How about using ninite.com for managing popular Windows downloads?

Ninite has decent corporate adoption by now. You could even push them towards
Ninite Pro.

------
Swenrekcah
What a great world in which any video that accidentally includes a radio
playing a song is immediately taken down, but this sort of thing can go on for
years.

~~~
SlowRobotAhead
Well, it tells you who wrote the laws. The DMCA sure as hell wasn't written by
Clinton; he just championed it.

------
mpettitt
For reference, the actual official site is
[https://keepass.info/](https://keepass.info/)

~~~
magashna
oof, .info and .biz are almost always red flags

~~~
Waterluvian
Faced with the .info and .com I would have bet all my money that .com was the
legit one.

~~~
Mirioron
On the other hand, the .com page is page 2 of Google results, while .info is
the first result.

~~~
stordoff
Not for me - excluding ads, Keepass.com is the fourth result (KeePass.info,
Sourceforge, Wikipedia, "People also ask" infobox, then Keepass.com).

------
npteljes
Keepass.com is present in uBlock Origin's Badware Risks list; I couldn't even
access it at first.

~~~
user17843
I have my browser that I use for logging into sites behind three layers of
security:

- Google Safe Browsing

- Pi-hole including a couple of regularly updated malware lists

- uBlock Origin

It looks like Safe Browsing and pihole do not yet have this on the blacklist.

~~~
m-p-3
I submitted keepass.com on the report malware form on Google, for what it's
worth.

------
kayone
Disclaimer: I'm the founder/maintainer for AppGet (appget.net)

Issues like this were one of the main reasons I started working on AppGet. I
died a little bit inside every time I saw a friend google an app and click on
the first link (usually an ad), or click through the installation wizard as
fast as they possibly could without unchecking the toolbar, bundle, bonus,
whatever else.

AppGet solves these issues from a couple of different angles:

1. We only allow packages hosted on the official vendor or maintainer websites.

2. All package manifests are simple YAML files on GitHub where they go
through a PR/Review before getting merged.

3. For your _tech normal_ friends or family, they can search for apps in
[https://appget.net/packages/](https://appget.net/packages/) and click the
install button, and we do the rest. No command line needed.

4. We disable all bundled app installations by default.

For example here is the page for Keepass
[https://appget.net/packages/i/keepass](https://appget.net/packages/i/keepass)
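A worked illustration of the first two points above (packages only from the official vendor host, manifests checked at review time before merge), added here as an example. It is not AppGet's code: the flat "key: value" manifest layout, the field names, the constructed manifests and the per-package official-host allowlist are assumptions made for the illustration. The allowlist is deliberately kept outside the manifest so that a pull request cannot approve a new download host for itself.

```python
"""Manifest review check: every URL in a package manifest must point at the
package's official vendor/maintainer host (or a subdomain of it) over https.

Added example; not AppGet's code. The manifest layout, field names and the
OFFICIAL_HOSTS allowlist are assumptions for illustration."""
from urllib.parse import urlparse

# Reviewed allowlist of official hosts per package id, kept outside the
# manifests so that a manifest PR cannot approve a new host for itself.
# Constructed for this example: keepass.info is the official site named in
# the thread; the PuTTY entry is the host quoted in the thread.
OFFICIAL_HOSTS = {
    "keepass": {"keepass.info"},
    "putty": {"www.chiark.greenend.org.uk"},
}

# Constructed manifests in a flat "key: value" subset of YAML (assumed layout).
GOOD_MANIFEST = """\
id: keepass
name: KeePass Password Safe
home: https://keepass.info/
installer_url: https://keepass.info/download.html
"""

# Same package, but pointing at the look-alike .com domain from the thread
# (the installer path is made up for the example).
LOOKALIKE_MANIFEST = """\
id: keepass
name: KeePass Password Safe
home: https://keepass.com/
installer_url: http://keepass.com/setup.exe
"""


def parse_manifest(text):
    """Parse a flat 'key: value' manifest (tiny YAML subset, assumed layout)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        fields[key.strip()] = value.strip()
    return fields


def host_allowed(host, allowed):
    """True if host equals an allowed host or is a subdomain of one.
    Matching on '.' + host avoids accepting keepass.info.example or
    notkeepass.info as keepass.info."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_manifest(text):
    """Return a list of review findings; an empty list means the manifest passes."""
    fields = parse_manifest(text)
    pkg = fields.get("id")
    allowed = OFFICIAL_HOSTS.get(pkg)
    if allowed is None:
        return [f"{pkg!r}: no reviewed official-host entry; add one before merging"]
    findings = []
    for key in ("installer_url", "home"):
        url = fields.get(key)
        if not url:
            findings.append(f"{key}: missing")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"{key}: scheme {parts.scheme!r} is not https")
        host = parts.hostname or ""
        if not host_allowed(host, allowed):
            findings.append(f"{key}: host {host!r} is not an official host for {pkg}")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_MANIFEST), ("lookalike", LOOKALIKE_MANIFEST)):
        findings = check_manifest(text)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run as a script, the good manifest passes and the look-alike manifest fails with three findings (plain http, and keepass.com as both installer and home host). A package with no allowlist entry is rejected outright rather than silently accepted, which forces the reviewer to decide what the official host is.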

------
magicalhippo
Back in the days, when Google was still somewhat new, I tended to laugh a bit
inside when my parents and other non-techies would search Google for a domain
rather than type it into the address bar. They'd search for Ford or Ford.com,
rather than just put Ford.com in the address bar.

Though I quickly realized it wasn't such a bad idea at all, for exactly
reasons such as this. Even I mess up domains sometimes, so I usually tend to
use Google instead, except for the ones I know by heart (or have bookmarked).

~~~
unknownsavage
This only really works if you have an ad-blocker, or at least know to ignore
the ads. Otherwise Google will frequently end up serving ads for a
malicious product (most commonly seen for crypto products).

~~~
magicalhippo
Fair enough, although surfing without an ad-blocker is like having random one-
night stands without a condom.

------
llamataboot
This is a super gnarly one to me because it is a PASSWORD MANAGER. Literally
they could just supply a password manager that also sends all the passwords to
a third party.

I get it, open source, hard to keep the lights on, etc. etc., but I feel like if
you take the step of getting into such a security-heavy space, then you
have to be able to keep up your end of the bargain.

In this case it might not mean registering every variation of keepass
(keepass.com probably useful though), but it certainly means working
aggressively with search engines to get things flagged, sending push
notifications to your users warning them of it, etc. etc.

~~~
acqq
> but I feel like if you take the steps of getting into a such a security
> heavy space, then you have to be able to keep up your end of the bargain.

Why, if you don't earn enough money?

~~~
llamataboot
Because people have put their trust into you and you owe them something for
that.

Better to shut down a project and walk away, for example, than leave it up,
never update it, have a vulnerability get exposed, and have everyone using
your product get owned.

~~~
acqq
> you owe them something

Definitely not.

Companies even sell products, for which everybody directly pays, and then
owe nothing even to the millions of users once they have sold the product
(actually sold the "license"). I've even had to buy exactly the same product
(the license) more than once, every time I've changed the platform or even
just changed the computer.

So if I publish anything as open source, free for anybody to use, I owe even
less to anybody with whom I don't have a paid contract for support.

------
Axanagor
KeePass is not the only software involved...
[https://twitter.com/Gabry89/status/1125775980365217793](https://twitter.com/Gabry89/status/1125775980365217793)

------
canada_dry
My company bought up as many related domains (e.g. misspelled, org, com) as we
could think of to prevent this kind of thing.

A very cost effective way to protect your IP.

------
antisthenes
uBlock Origin catches keepass.com correctly with the default filters.

Reaffirming my decision for the n-th time to never browse the modern web
without adblock.

------
appleflaxen
opendns flags this as a phishing threat, which is nice:

[https://phish.opendns.com/main?url=keepass.com&server=ams16&...](https://phish.opendns.com/main?url=keepass.com&server=ams16&prefs=&tagging=&nref)

------
leepowers
Been using the KeePassXC[1] community fork for about three months now. The
transition was smooth; it's pretty much identical to KeePass or KeePassX. Has
TouchID integration for MBP which is super useful. Plus the source is
available on GitHub and is actively maintained.

[1] [https://keepassxc.org/](https://keepassxc.org/)

------
mimsee
Same people are most likely hosting [https://7zip.fr/](https://7zip.fr/)

------
user17843
Update: The sites are now all blocked by
[https://www.squidblacklist.org/downloads/dg-malicious.acl](https://www.squidblacklist.org/downloads/dg-malicious.acl),
which is a list I recommend everyone to put into their Pi-hole.

Still not blocked on Google Safe Browsing.
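To show how a Pi-hole-style domain list layer decides whether a host such as keepass.com is blocked (exact or parent-domain match, hosts-file and plain-domain formats, comments ignored), here is an added example; it is not part of the post and not Pi-hole's, Squidblacklist's or uBlock Origin's code. The list contents are constructed for the example and are not an excerpt of any real list, the plain one-domain-per-line format shown for dg-malicious.acl is an assumption, and the empty Safe Browsing layer only mirrors the post's observation that the site was not yet listed there.

```python
"""Check a URL's host against several domain-blocklist layers the way a
Pi-hole-style resolver does: a host is blocked if it, or any parent domain
below the TLD, appears in a list.

Added example; not Pi-hole's, Squidblacklist's or uBlock Origin's code.
List contents are constructed; the dg-malicious.acl format is assumed."""
from urllib.parse import urlparse

# Constructed plain domain list (format assumed: one domain per line).
DOMAIN_LIST = """\
# malicious domains, one per line
keepass.com
7zip.fr
"""

# Constructed hosts-file style list, the format many Pi-hole sources use.
HOSTS_LIST = """\
# <sink address> <domain>
0.0.0.0 keepass.com
0.0.0.0 www.keepass.com   # trailing comment
127.0.0.1 localhost
"""

# Empty on purpose: mirrors "still not blocked on Google Safe Browsing".
SAFE_BROWSING_LIST = ""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_domain_list(text):
    """Parse plain domain lists and hosts-file lists into a set of domains."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) > 1 and parts[0] in SINK_ADDRESSES:
            parts = parts[1:]  # hosts-file form: "<ip> <domain> [<domain>...]"
        for domain in parts:
            domain = domain.lower().rstrip(".")
            if domain and domain != "localhost":
                domains.add(domain)
    return domains


def is_blocked(host, domains):
    """True if host or any parent domain (but not the bare TLD) is listed.
    Matching whole labels means notkeepass.com is NOT caught by keepass.com."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def check_layers(url, layers):
    """Return {layer name: blocked?} for the host of url."""
    host = urlparse(url).hostname or ""
    return {name: is_blocked(host, domains) for name, domains in layers.items()}


# Two layers built from the constructed lists above.
LAYERS = {
    "pihole": parse_domain_list(DOMAIN_LIST) | parse_domain_list(HOSTS_LIST),
    "safe_browsing": parse_domain_list(SAFE_BROWSING_LIST),
}


if __name__ == "__main__":
    for url in ("https://keepass.com/", "https://download.keepass.com/x",
                "https://keepass.info/", "https://notkeepass.com/"):
        verdict = check_layers(url, LAYERS)
        caught = [name for name, hit in verdict.items() if hit]
        print(f"{url}: {'blocked by ' + ', '.join(caught) if caught else 'not blocked'}")
```

The point of the parent-domain walk is that a list entry for keepass.com also covers any subdomain of it, while the whole-label comparison keeps a legitimate look-alike such as keepass.info or an unrelated notkeepass.com from being caught by accident; the per-layer dict makes it easy to see which of several stacked lists actually caught a host, which is what the "three layers" setup relies on.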

------
dschuetz
Just tested: uMatrix detects the site as a threat, preventing the homepage
from loading in the first place.

------
Rapzid
Is there an ICANN dispute avenue available for KeePass to seize control of
this domain?

------
jlawson
Is there a way to figure out if an existing install was the compromised or
real one?

------
lgats
Report it here,
[https://safebrowsing.google.com/safebrowsing/report_badware/](https://safebrowsing.google.com/safebrowsing/report_badware/)

------
true_tuna
Let’s get this shut down.

~~~
jaden
I don't know if it helps to have multiple reports, but Google's Report
malicious software form is here:

[https://safebrowsing.google.com/safebrowsing/report_badware/...](https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en)

------
dev_stdout
Reminds me of whitehouse.com vs whitehouse.gov back in the day...

------
peterwwillis
We can fly rockets to space and then land them on barges at sea, cure
diseases, use technology to reduce global hunger, create synthetic organs, and
trade trillions of dollars of money across oceans in microseconds, yet we
can't figure out which of two computers in an online card catalog is real and
which is going to empty your bank account.

~~~
JudgeWapner
counterpoints:

* private space missions were financed from the sale of a predatory business (paypal)

* government space missions originated from the cold war arms races (that continue to this day)

* a few diseases are curable, many aren't. pharmaceuticals profit more from treatment than cure, however. Some ailments such as anaphylaxis and diabetes that are mostly treatable have been receding into "uncured/undertreated" territory because pharma keeps raising the prices of insulin or epi pens.

* much of hunger, say in Africa, can be easily treated if we could find a way to keep warlords and corrupt gov's from _stealing the aid_, but our technology isn't helping us very much (not saying we shouldn't keep trying, but tech is of no use for this problem)

* synthetic organs sound great (if you need one). maybe this I concede is a victory for (bio)tech.

* trading money is really just trading information. Once the infrastructure is in place, it's a trivial matter.

Deciding who gets to post content online is a much harder problem to solve. If
you could make one call to Google to have them de-listed from search, every
company/political faction would be doing this to their competitors/rivals.

------
BuckRogers
Great reason to use your package manager or the Microsoft Store to get most of
your software.

------
duxup
That's a bummer, KeePass is pretty great... but then again that's probably
why someone targeted it.

------
pbreit
Heckuva name.

------
m3kw9
Should be flagged as a porn site

