
The most popular curl download – by a malware - robin_reala
http://daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-download-by-a-malware/
======
poizan42
But why does the malware need curl in the first place? It seems perfectly
capable of downloading things without. And it's running on Windows where it's
guaranteed to have an HTTP library available anyway.

~~~
rnovak
Where in the post did it say it was running on windows? It was stated that the
User Agent string wasn't identifiable, nor did it send any identifiable
headers.

edit: thanks for the clarification, I totally missed the file name

~~~
cypres
It's downloading a curl release based on mingw32, aka gnu for windows.

------
tyho
I guess substituting the existing file served at that URL with a curl that
when called by the particular malware in question (I guess you could detect
this fairly easily) warns the user graphically of the infection would be
considered going too far.

~~~
smcl
I'm not even sure you could reliably detect that - the article says they
didn't have any special/identifying headers. But yeah, you're right: if they
could detect it, then supplying an exe that warned the user would still feel
sort of weird IMO, and how many users are likely to trust a random popup or
notification seemingly from out of the blue?

~~~
rplnt
There are "indicators of compromise" listed at the end of the slides. So you
could use that. But that's not curl's job... disabling some old versions by
changing the url is more than enough in my opinion.

------
t0mk
As somebody else mentioned - this is a great honeypot opportunity! By serving
malicious builds based on referer and user-agent, they might be able to gather
really interesting data.

~~~
throwaway7767
> As somebody else mentioned - this is a great honeypot opportunity! By
> serving malicious builds based on referer and user-agent, they might be able
> to gather really interesting data.

They said the malware used no referer header and a changing user-agent. If the
user-agent were useful to segment these downloads from others, they most
likely would have refused downloads based on that, because by renaming the
file like they did, they're breaking build scripts for lots of downstream
projects.

There's also the ethical issue of breaking into others' machines, even if it's
"for a good cause".

~~~
oxplot
Daniel mentions in the comments [1] that this is a binary build and implies
that it's not meant to be hotlinked to.

[1]: [http://daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-...](http://daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-download-by-a-malware/comment-page-1/#comment-17535)

------
petecooper
Google cache (OP URL not loading for me at all):

[http://webcache.googleusercontent.com/search?q=cache:y8oR2pT...](http://webcache.googleusercontent.com/search?q=cache:y8oR2pTNdzUJ:daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-download-by-a-malware/+&cd=1&hl=en&ct=clnk&gl=uk)

------
kristofferR
Why aren't curl binary downloads (and other binaries for that matter) served
over HTTPS? HTTP seems like a fantastic man-in-the-middle opportunity.

~~~
mh-
They display an MD5 of the file right next to the download link, but that page
is also served over plain HTTP.
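The point raised in the two comments above (a checksum published on the same plaintext channel as the download buys nothing against an on-path attacker) as an added worked example. This is not code from the thread or from the curl project: the "release" bytes, the mirror page and the HTTP origin modelled as a URL-to-bytes dict are all constructed here, and SHA-256 is used in place of the MD5 the mirror shows.

```python
import hashlib
import hmac
import re

# Constructed sample data: stands in for a curl Windows build and the mirror
# page that prints its checksum. Not real curl release bytes.
BIN_PATH = "/curl-7.45.0-win32-mingw.zip"
PAGE_PATH = "/download.html"
GENUINE_BUILD = b"curl-7.45.0-win32-mingw.zip: constructed sample bytes\n"
TROJANED_BUILD = b"curl-7.45.0-win32-mingw.zip: attacker-modified bytes\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_download_page(build: bytes) -> str:
    # Mirror page that lists the digest right next to the download link.
    return (f'<a href="{BIN_PATH}">download</a>\n'
            f"SHA-256: {sha256_hex(build)}\n")


def plaintext_site(build: bytes) -> dict:
    # An HTTP origin as seen on the wire: everything here crosses the network
    # unauthenticated, the checksum page included.
    return {PAGE_PATH: build_download_page(build).encode(), BIN_PATH: build}


def mitm(site: dict, payload: bytes) -> dict:
    # An on-path attacker rewriting HTTP responses swaps the binary and,
    # because the checksum page is plaintext too, rewrites the digest to match.
    tampered = dict(site)
    tampered[BIN_PATH] = payload
    page = tampered[PAGE_PATH].decode()
    page = re.sub(r"[0-9a-f]{64}", sha256_hex(payload), page)
    tampered[PAGE_PATH] = page.encode()
    return tampered


def digest_from_page(page: bytes) -> str:
    m = re.search(r"SHA-256: ([0-9a-f]{64})", page.decode())
    if not m:
        raise ValueError("no digest found on download page")
    return m.group(1)


def verify_same_channel(site: dict) -> bool:
    # Weak check: the expected digest is fetched over the same plaintext
    # channel as the file, so an attacker controls both sides of the compare.
    expected = digest_from_page(site[PAGE_PATH])
    return hmac.compare_digest(sha256_hex(site[BIN_PATH]), expected)


def verify_pinned(site: dict, pinned_digest: str) -> bool:
    # Strong check: the digest comes from somewhere the attacker cannot
    # rewrite (an HTTPS page, a signed release announcement, or a value
    # pinned in the build script when the release was first vetted).
    return hmac.compare_digest(sha256_hex(site[BIN_PATH]), pinned_digest.lower())


if __name__ == "__main__":
    pinned = sha256_hex(GENUINE_BUILD)  # recorded out of band, once
    clean = plaintext_site(GENUINE_BUILD)
    tampered = mitm(clean, TROJANED_BUILD)
    print("same-channel check, clean site:   ", verify_same_channel(clean))
    print("same-channel check, MITM'd site:  ", verify_same_channel(tampered))
    print("pinned-digest check, MITM'd site: ", verify_pinned(tampered, pinned))
```

The same-channel check passes on the tampered site exactly as it does on the clean one, which is why a digest printed beside an HTTP download link is documentation, not integrity protection. The hash algorithm is secondary: MD5 is collision-broken and should not be used for this anyway, but even SHA-256 adds nothing when the attacker can rewrite the page that carries it. Only a digest (or signature) obtained over a channel the attacker cannot modify turns the compare into a real check.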

~~~
zokier
The word "MD5" does not appear anywhere on curl download page
[http://curl.haxx.se/download.html](http://curl.haxx.se/download.html)

~~~
mh-
I somehow ended up getting sent to a mirror page when I went to download,
which does have it.

[http://www.magicermine.com/demos/curl/curl/curl.html](http://www.magicermine.com/demos/curl/curl/curl.html)

------
Robadob
Wouldn't the obvious solution be to throw a captcha in-front of the download?

Or am I missing the fact that this exact download path needs to be directly
accessible by package managers or something?

~~~
ch0wn
Automated downloads don't have to be malicious. I'm sure there are tons of
legitimate scripts out there that fetch curl via those URLs.

~~~
Robadob
The fact the article states they've already changed the url for downloading
the file, suggested to me that it wasn't intended to be automatically
downloaded (I realise that automation does not imply malicious).

------
samstave
Is curl blockable for outbound requests?

------
too_late
P2P-sharing would be a really great solution to this from the malware
developer's point of view. I don't harbor any ill-will towards malware devs,
especially not when they're going after windoze machines :^)

But yeah, the curl website could really come up with a lot of data, so it
seems like a very immature solution to what is really a critical component of
the app to just blindly reach out for some predefined url. It'd be way smarter
to run a CC machine somewhere and start pairing some peers. curl is somewhat
small, right?

I think they'll probably just keep renaming the file for now, and updating the
URL. It'll just be cat and mouse, and newer versions ship with it, so there's
really no point for the curl maintainers to be wasting too much time on it
since it's a limited-time issue that will more than likely sort itself out
later.

~~~
Brotkrumen
Yeah! Them people that don't share our hobbies and choices can get fucked,
right? I mean transitioning to Linux is so easy and relearning a new ecosystem
so painless. Them scam victims deserve what's coming for them!

I also agree that malware devs are dumb. Instead of using that curl download
in a way they know works, they could just add a p2p module to their malware,
open up a few ports on infected machines and hide all that from AV. Easy,
right? I mean them archive URLs change all the time! And updating that via the
CC is just too inelegant!

