
Non-official site with a tampered version of KeePass - redsec
https://security.infoteam.ch/en/blog/posts/notice-non-official-site-with-a-tampered-version-of-keepass.html
======
adtac
Hah, the Linux version points you to the original website (only the Mac and
Windows versions appear to be modified)! The year of the Linux desktop is
truly here.

~~~
amarant
doesn't that just imply that these scammers thought the linux userbase to be
too small to be worthwhile?

the comparatively small userbase is actually an underappreciated security
feature of linux ;)

~~~
taneq
Or that Linux users would instantly raise a hue and cry on seeing ads?

~~~
PascLeRasc
Kind of like how scammers use bad grammar on purpose to weed out the people
too smart to be a victim.

~~~
taneq
Yes, now that you mention it - they deliberately tried to design their dragnet
to exclude victims who were likely to be problematic. :)

------
po1nter
I've reported the website here:
[https://safebrowsing.google.com/safebrowsing/report_phish/?t...](https://safebrowsing.google.com/safebrowsing/report_phish/?tpl=mozilla&hl=en-US&url=https%3A%2F%2Fkeepass.fr%2F)

Hopefully it will be blocked by the browsers using the safe browsing list.

~~~
jbk
safebrowsing is useless. We've reported scams of VLC shipping malware for
years. They are still there.

~~~
moviuro
FWIW, report the domains to
[https://someonewhocares.org/](https://someonewhocares.org/) , as he keeps
updating it, and it is used by e.g. PiHole and my own hostfile generator.

------
zokier
I've had discussions with coworkers on why you shouldn't be downloading putty
from putty.org. Sure, they seem to be linking to the official downloads _now_,
but imho it's just poor hygiene to use such pages. It takes just a moment of
carelessness to get pwned.

~~~
lakechfoma
Rather unfortunate that "putty.org" is the first result in searches and looks
a lot more legit than "chiark.greenend.org.uk" even if it (currently) links
there.

I've had discussions with coworkers on why they shouldn't look up "free online
json beautifier" and dump thousands of lines of crown jewels into them (http
too). Meanwhile we're doing web dev and JSON responses are autoformatted in
Firefox dev tools so there's an amazingly convenient and perfectly safe
alternative right there...

How do we impart urgency with this kind of stuff?

~~~
slededit
It's putty's own fault. They used to (and perhaps still do) have a section on
how they don't want your donated domain - they like their current one.

From their FAQ:

> No, thank you. Even if you can find one (most of them seem to have been
> registered already, by people who didn't ask whether we actually wanted it
> before they applied), we're happy with the PuTTY web site being exactly
> where it is. It's not hard to find (just type ‘putty’ into google.com and
> we're the first link returned), and we don't believe the administrative
> hassle of moving the site would be worth the benefit.

~~~
lakechfoma
> we don't believe the administrative hassle of moving the site would be worth
> the benefit

This is so short-sighted, especially for software used to admin productive
systems.

------
campuscodi
There are quite a few of these:

[https://keepass.fr/](https://keepass.fr/)
[https://7zip.fr](https://7zip.fr)
[https://audacity.fr](https://audacity.fr)
[https://gparted.fr](https://gparted.fr)
[https://keepass.fr](https://keepass.fr)
[https://nc3354.nexylan.net](https://nc3354.nexylan.net)
[https://paintnet.fr](https://paintnet.fr)

~~~
redsec
Thanks for the update, they all look to come from the same guys.

~~~
campuscodi
They do. They're all registered via one email:
[https://domainbigdata.com/gmail.com/mj/0DnwUjDWo0L7ysS4kB00p...](https://domainbigdata.com/gmail.com/mj/0DnwUjDWo0L7ysS4kB00pg)

~~~
pandasun
Good find! Can't believe this person made that many fake domains.

------
pingec
What are some safety measures you take when downloading a new version of
KeePass? Checking the digital signature of the binary?

Original KeePass downloads are hosted on SourceForge, which has not had the
best history of integrity the way I see it.

~~~
mihaifm
Compile it from source, it's a standard Visual Studio solution that builds
without issues.

~~~
pingec
But there are no guarantees about the source either unless I am willing to
audit all of it?

~~~
mihaifm
I agree, that's why signed source code releases are the safest thing you can
get. KeePass has signed releases (including the source code archive) that can
be checked with OpenPGP.

[https://keepass.info/integrity.html](https://keepass.info/integrity.html)

~~~
svenfaw
If you trust the signed source code there's no reason you shouldn't trust the
signed binary - unless you have sufficient time and expertise to audit the
source.

~~~
mihaifm
This is how I view it:

* Being open source protects against a malicious developer. Otherwise there is nothing preventing him from building the binary from a different source and sending the passwords to his own server.

* A signed code archive protects against a compromised hosting site.

~~~
perl4ever
In order to get from a trusted source to a trusted binary, you have to trust
the compiler and its dependencies as well, I think.

------
ajnin
I'm getting a different installer file from this website with not as many ad
bundles detected:
[https://www.virustotal.com/#/file/23c3a4564265bc996ab61c1227...](https://www.virustotal.com/#/file/23c3a4564265bc996ab61c1227feda7aa5a3e41033717421310fef3e42871bfc/detection)

Anyway, this wouldn't be the first time open source software is packaged
with some adware. Unsavory, but I think within the limits of the license.

~~~
slipstream-
Seems to be just another bundler from the same network (installcore), but
packed with a different exe packer.

------
oliviergg
Pretty ironically, the Terms of Use warn to be very careful when downloading
files with an .exe, .vbs, .lnk, .bat, .sys or .com suffix, because these files
may contain a virus or spyware!

~~~
pbhjpbhj
It's a common technique used by hucksters, "here's some friendly advice ...":
it's both an attempt to signal good intent and to load the mark with a
subconscious sense of having been done a favour (and so needing to do a favour
back to the huckster/salesman).

------
moviuro
Who did this without thinking about an exfiltration tool instead?

~~~
slipstream-
One of those "make money online"/"internet marketing" type people just wanting
to get the affiliate commissions from a pay-per-install network of the PUP
bundler type.

------
greggarious
Unfortunately I can't read the article without enabling JavaScript - anyone
care to post a summary? :)

------
mar77i
Unrelated to the topic, the article points out a lot of things about
certificates in the URL bar. That got me to think about the URLs themselves:
can I set my browser up so it displays the punycode representation of my URL?

~~~
teget
network.IDN_show_punycode in Firefox
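
As an added illustration (not from the thread or from Firefox's own code), the conversion that the setting above makes visible in the URL bar: the standard-library Python below turns a displayed hostname into its ASCII (xn--) form, decodes it back, and flags labels that mix scripts. The sample hostnames are constructed; the second one swaps a Latin "e" for the look-alike Cyrillic "е".

```python
import unicodedata

# Constructed sample hostnames (not from the thread). The second replaces the
# first Latin "e" of "keepass" with Cyrillic "е" (U+0435), which most fonts
# render identically; only the punycode view tells them apart.
SAMPLE_HOSTS = ["keepass.fr", "k\u0435epass.fr"]


def to_punycode(host: str) -> str:
    """ASCII form a browser shows when it does not render IDN labels as Unicode."""
    return host.encode("idna").decode("ascii")


def from_punycode(host: str) -> str:
    """Inverse of to_punycode: decode xn-- labels back to their display form."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, read off the Unicode names
    ('LATIN SMALL LETTER E' -> 'LATIN', 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse(host: str) -> dict:
    """Summarise what the punycode view reveals about a hostname in either form."""
    display = from_punycode(host) if host.isascii() and "xn--" in host else host
    scripts = [label_scripts(label) for label in display.split(".")]
    return {
        "display": display,
        "punycode": to_punycode(display),
        "non_ascii": not display.isascii(),          # any IDN label at all
        "mixed_script": any(len(s) > 1 for s in scripts),  # classic homograph pattern
        "scripts": scripts,
    }


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = analyse(h)
        flag = "LOOKALIKE?" if r["non_ascii"] or r["mixed_script"] else "ok"
        print(f"{r['display']:>12} -> {r['punycode']:<24} scripts={r['scripts']} {flag}")
```

A label written entirely in one non-Latin script is not caught by the mixed-script test, which is why always showing the xn-- form is the simpler safeguard.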

------
amaccuish
The French is also terrible, Google-translated French.

~~~
fenga
This is correct French, and there is no way this was machine translated.

Source: am French

~~~
oliviergg
It's proper French. I think I can be fooled by this website.

------
Kagerjay
Something I don't understand though is when I do a Google search, Google
sometimes sponsors these phony sites.

One time I downloaded the wrong Google Chrome, which was ironic because I was
on Google searching for it.

Other examples that come to mind with different sites are popcorn.sh vs
popcorn-time.to. They're not the same repository.

Normally I just do a sanity check by checking the domain URL and checking if
it has authority.

If it's on SourceForge... I just assume it's malware or has bundled PUPware on
it, run it through antivirus and SHA/MD5 checks.

Ninite.com is pretty convenient; I hope they don't get compromised one of these
days and get sold to a shady vendor.

