
Classic Shell hacked with compromised update that erases your partition table - megalomaniac443
http://www.classicshell.net/forum/viewtopic.php?f=12&t=6434
======
corobo
It looks like this is on Fosshub (at time of writing is offline) which could
imply that there's a much larger compromise in progress depending on what
popular software is hosted there.

~~~
caf
It looks like they have a dump of the Fosshub user database.

Audacity was also affected: [http://www.audacityteam.org/hacked-download/](http://www.audacityteam.org/hacked-download/)

~~~
theandrewbailey
Damn. You have no idea how close I was to reinstalling Audacity last night.

~~~
ocdtrekkie
Downloaded it a couple days ago in my case! Close call, though I do backup my
important files offsite.

~~~
theandrewbailey
I keep two offsite backups!

------
Sir_Cmpwn
Interesting to see malware in this day and age that actually kills your
computer instead of installing adware or joining a botnet.

~~~
dhimes
From their Twitter page

 _Fun fact: We actually had an EFI payload. We just had issues with the
installer and it was left unadded._

~~~
voltagex_
Damn. With the state of most consumer mainboards, an EFI "payload" could leave
the system "bricked". I know I've got one el-cheapo laptop that can't boot
because I made a mess of the EFI environment and there's no way to reset it.

~~~
Zardoz84
I'm beginning to think that EFI is a very wrong turn for modern computers.

~~~
Sir_Cmpwn
You're a bit behind the curve on this. EFI has been criticized for being
horrendously complicated and gross since its inception.

~~~
semi-extrinsic
Obligatory Matthew Garrett quote from a Linux kernel EFI patch in 2011:

UEFI stands for "Unified Extensible Firmware Interface", where "Firmware" is
an ancient African word meaning "Why do something right when you can do it so
wrong that children will weep and brave adults will cower before you", and
"UEI" is Celtic for "We missed DOS so we burned it into your ROMs".

[https://lkml.org/lkml/2011/5/25/228](https://lkml.org/lkml/2011/5/25/228)

~~~
yuhong
Even on servers, I noticed that HP (now HPE) began locking access to server
UEFI updates soon after
[http://lkml.org/lkml/2013/11/11/653](http://lkml.org/lkml/2013/11/11/653) was
posted.

------
fencepost
Audacity was also affected for a brief time, and the Audacity page about it
([http://www.audacityteam.org/compromised-download-partner/](http://www.audacityteam.org/compromised-download-partner/)) has much
more information including the FossHub statement.

It's described there as the Audacity portion being a compromise of an Audacity
developer's account, with another reference to two compromised accounts. There
were also other attack attempts going on at the same time, so the FossHub
folks took things down for a time - not sure if they're done with their
checking or not.

According to FossHub there were only ~300 downloads of Classic Shell during
this time, and they may have caught the Audacity one faster.

------
posnet
A youtuber who usually does videos of classic DOS viruses made a video of this
one in action.

[https://www.youtube.com/watch?v=DD9CvHVU7B4](https://www.youtube.com/watch?v=DD9CvHVU7B4)

------
warbiscuit
This comment
([http://www.classicshell.net/forum/viewtopic.php?p=27961&sid=...](http://www.classicshell.net/forum/viewtopic.php?p=27961&sid=e793bf88f4ac6301869fea98aab54756#p27961))
on the forum thread posted md5/sha1 checksums of clean & infected 4.3.0
installers (though it's not clear if those are only infected checksums).

    ClassicShellSetup_4_3_0_clean.exe
    MD5: e10881b65c27c6e09e5a33cd8bcd99c6
    SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
    File size: 7220496 bytes

    ClassicShellSetup_4_3_0_infected.exe
    MD5: c67dff7c65792e6ea24aa748f34b9232
    SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
    File size: 7148732 bytes

~~~
beefhash
Are the people over there sure that it's a good idea to rely on the broken[1]
MD5 and the close-to-be-broken[2] SHA-1 for verifying checksums in the context
of malicious actors? Though I guess the hashes and file sizes differ, so I
guess this is just being pedantic.

[1]
[https://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities](https://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities)

[2]
[https://sites.google.com/site/itstheshappening/](https://sites.google.com/site/itstheshappening/)

~~~
kalleboo
It seems more reliable to check the developer signature in Properties on the
EXE - the correct developer is "Ivaylo Beltchev". The infected download is
unsigned and requires you to click through a warning.

~~~
warbiscuit
Though annoyingly it's signed using sha1, not sha256.

So if they were gonna put effort into making an sha1 collision, they'd
probably target the signed payload, not the overall exe.

Though it doesn't look like sha1 is _that_ broken yet, for the budget of this
grade of attacker.
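
A defender-side check combining what warbiscuit's checksum post and kalleboo's signature advice above describe, written as an added PowerShell example (not code from the thread or from Classic Shell); the installer path is an assumption, and the checksums and signer name are the ones quoted in the thread:

```powershell
# Added example, not code from the thread or from Classic Shell: compare a downloaded
# installer against the posted 4.3.0 checksums and the expected Authenticode signer.
# The installer path is an assumption; the hashes are the ones quoted in the thread.
function Test-ClassicShellInstaller {
    param([Parameter(Mandatory)][string]$Path)

    # MD5 values posted in the forum comment (clean vs. infected 4.3.0 builds)
    $knownMd5 = @{
        'e10881b65c27c6e09e5a33cd8bcd99c6' = 'clean'
        'c67dff7c65792e6ea24aa748f34b9232' = 'infected'
    }
    # SHA1 of the clean build, posted alongside the MD5
    $cleanSha1 = 'a6b06d07fe3b1a7204b1b62c67fbf3c602385364'

    $md5  = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
    $sha1 = (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToLower()
    $size = (Get-Item -Path $Path).Length

    $hashVerdict = if ($knownMd5.ContainsKey($md5)) { $knownMd5[$md5] } else { 'unknown' }
    # Both digests must agree before the file is called clean; a lone MD5 match
    # is not enough given the collision history raised in the thread.
    if ($hashVerdict -eq 'clean' -and $sha1 -ne $cleanSha1) { $hashVerdict = 'unknown' }

    # Authenticode check: the developer stated the real installer is signed by
    # "Ivaylo Beltchev"; the fake one carried no signature at all.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -match 'CN=Ivaylo Beltchev')

    [pscustomobject]@{
        File        = $Path
        SizeBytes   = $size
        MD5         = $md5
        SHA1        = $sha1
        HashVerdict = $hashVerdict
        SigStatus   = $sig.Status
        Signer      = $signer
        SafeToRun   = ($hashVerdict -eq 'clean') -and $sigOk
    }
}

# Usage (the path is an assumption):
Test-ClassicShellInstaller -Path 'C:\Downloads\ClassicShellSetup_4_3_0.exe' | Format-List
```

An installer that hashes as clean but fails the signer check, or vice versa, is reported as not safe to run, since either signal alone can be fooled.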

------
x64architecture
FossHub was compromised and only downloads from there were affected; various
other projects were also affected.

------
nailer
Apparently the hacked one wasn't signed. Users would have clicked through a
(very prominent) warning to install it.

~~~
fuzzy2
Unless SmartScreen complains, the order of dialogs and buttons on those
dialogs is exactly the same for both signed and unsigned programs. They only
differ in content/design elements. That's not what I'd call prominent.

There's nothing like HSTS for signed programs, so it can't be helped, though.

~~~
Someone1234
On Windows 10 you cannot install unsigned installers at all without disabling
SmartScreen.

~~~
fuzzy2
That's not true. Although the screen-wide dialog thingy is a little tricky,
you can still choose to continue. It doesn't even appear most of the time.

------
AdmiralAsshat
So this appears to be a compromise of the download site, and probably could've
been avoided with a hash verification, blah blah blah. Finger wag at
developer.

Moving on, I've been thinking about the problem of file integrity and how
verifying the MD5/SHA sum creates extra gruntwork for the end-user,
particularly for your average Windows user.

How difficult would it be for the installer to compute its _own_ hash and
present it to the end-user when the installer starts, so that they can verify
it against the hash posted on the front of the software's webpage?

EDIT: Although I suppose if the binary itself is compromised, the hackers
could always modify the hash function so that it shows the same hash as an
existing "good" version even with the malicious code added. Hmm.

~~~
DougN7
Piggybacking on ayuvar's comment, it would be better to sign your installer,
and then have your front page/download page tell the user to be sure the
installer is signed (show pictures, tell them what to look for, etc).

~~~
nexxer
Per the developer at that forum thread:

"To be safe, always check the digital signature of EXEs you downloaded, before
you run them. The official Classic Shell installer has a signature for "Ivaylo
Beltchev", and the fake one doesn't even have a signature."

And per another user (silmar), my sentiments:

"The problem with signed installers is: many software developers don't sign,
so you install even if Windows warns you. Even if someone signs and then stops
signing, it may be that he forgot about it. But you want to install NOW, so
you skip the warning."

Admittedly the download page doesn't mention signing or how to look for that,
though, per the comment I referenced above, I doubt it would make much
difference to the vast majority of users.

~~~
Zancarius
I doubt it as well, and I completely agree with what you and others have said.
While I rarely use Windows, it's unsurprising to see software from smaller
development shops release software with no signature (or at least historically
it's been unsurprising). So, this complacency sort of breeds the habit of
simply clicking through and installing anyway. Heck, I even remember when
installing certain drivers often required clicking through similar warnings
since they occasionally weren't signed.

While I'd like to think things are generally better now, I think the
historical inertia of Windows' ecosystem and how conditioned users have become
to ignoring such warnings is at least partially (mostly?) at fault. There's no
easy way to correct people's behavior, and enforcing certain settings (e.g.
only installing signed software) would mean either 1) upsetting power users or
2) users still finding a way to disable such checks.

------
TazeTSchnitzel
This is another reminder of how the security model of desktop OSes is pretty
terrible. Every time you install software on Windows, you trust it with
everything on your computer by giving it administrative rights.

OS X doesn't have this problem usually, as most apps don't require admin
rights to install, you just copy them to /Applications, but it still has some
apps that use installers.

~~~
drewg123
There still is not (AFAIK) much partitioning between apps on most desktop
OSes. So even if a malicious app doesn't have admin rights, it still can run
under your UID, which is almost as bad as it then has access to nearly
everything you care about.

Obligatory xkcd: [https://xkcd.com/1200/](https://xkcd.com/1200/)

~~~
kalleboo
Apps on OS X that have been installed through the App Store are sandboxed
which is pretty close to the partitioning on iOS - for instance they can only
access files the user has explicitly given access to (open dialog, double-
clicking, drag and drop onto the app).

That doesn't help you with apps you downloaded through the web though, which
for me is all my apps because the App Store is a PITA.

~~~
dsp1234
UWP apps installed via the Windows Store have many of the same limitations
(can only access own files, runs in a limited security context, etc).

------
fletchowns
Related thread on reddit:
[https://www.reddit.com/r/pcmasterrace/comments/4vw21h/massiv...](https://www.reddit.com/r/pcmasterrace/comments/4vw21h/massive_psa_do_not_download_classic_shell_read/)

~~~
zamalek
The fix:
[http://www.classicshell.net/forum/viewtopic.php?f=12&t=6434&...](http://www.classicshell.net/forum/viewtopic.php?f=12&t=6434&p=28007#p28007)

Close one for me: I was downloading WinDirStat when I came across that post.

~~~
fencepost
Semi-unrelated: WinDirStat is amazing, but you might also look at WizTree for
speed - it does its space analysis based just on reading the MFT, so it's
quite fast.

------
PeanutNore
I must have gotten very lucky, because I downloaded and installed
Classic Shell on a fresh Windows 10 install yesterday afternoon and was not
affected - the installer bore the right signature and my system is intact and
boots fine. If I had tried a few hours later, I would probably be reinstalling
Windows 10 for the second time in 2 days.

------
Forge36
I hope the auto update wasn't affected. I just did this at work, no big
warning screen. Now I'm paranoid to reboot...

Update: Looks like I wasn't affected. There was an official update (4.3.0)
which was released on the 30th leading to unfortunate timing.

~~~
fencepost
The thread on Classic Shell specifically notes that the auto update pulls from
a different source that was not affected.

~~~
ultramancool
It also verifies signatures before it will execute the update, so even if that
source were hacked it wouldn't have been affected.

------
Kristine1975
Twitter account of the hackers:
[https://twitter.com/CultOfRazer](https://twitter.com/CultOfRazer)

~~~
pluma
I'm not sure it's appropriate to give that kind of people unwarranted
publicity.

~~~
kuschku
What "kind of people"?

They had the power to abuse that data and ship malware to millions, but
decided just to give people a scare.

That’s just the average grey-hat, or how most hackers were in the 90s.

Compared with the profit-obsessed and abusive hackers and companies on the web
today, which try to shove actual malware, sometimes installers with tons of
preselected options, sometimes bitlocker, they’re not bad.

~~~
pluma
Black hat hackers who bask in people calling them names in response to their
mischievous adventures.

Deleting the partition table is not grey hat, it's black hat. The bad guy in a
Western isn't suddenly neutral just because he isn't literally Josef Stalin.

------
kalsk
Classic Windows. I miss the 90s.

