I suspect it's just part of a package that someone bought and is using.
edit: thanks for the clarification, I totally missed the file name
Of course, then there's checking MD5s, etc.
Let the malware developer have fun debugging this issue.
"an updated version of the malware comes bundled with the curl library"
"!!!! Your computer is infected with MALWARE download this software now! !!!!"
They said the malware used no referer header and changing user-agent. If the user-agent were useful to segment these downloads from others, they most likely would have refused downloads based on that, because by renaming the file like they did, they're breaking build scripts for lots of downstream projects.
There's also the ethical issue of breaking into others' machines, even if it's "for a good cause".
Some of the binaries are served over HTTPS, such as these https://bintray.com/vszakats/generic/curl/#files
Or am I missing the fact that this exact download path needs to be directly accessible by package managers or something?
It may not be ideal but you could certainly put some form of authentication in front of the Windows downloads or force token generation via the Web site to download the executable.
The question is whether that's a good idea - as mentioned, it's not cURL's responsibility to prevent malicious usage, but perhaps being a little more cautious about the acquisition of cURL in the first place for Windows users might not be seen as an intrusion.
I can use closed source MS Word to write ransom notes. I can use closed source iPhones to make drug deals. Are people ideologically ready for that?
The Software shall be used for Good, not Evil.
(of course, that didn’t stop IBM: https://news.ycombinator.com/item?id=3693388 )
But yeah, the curl website could really come up with a lot of data, so it seems like a very immature solution to what is really a critical component of the app to just blindly reach out for some predefined url. It'd be way smarter to run a CC machine somewhere and start pairing some peers. curl is somewhat small, right?
I think they'll probably just keep renaming the file for now, and updating the URL. It'll just be cat and mouse, and newer versions ship with it, so there's really no point for the curl maintainers to be wasting too much time on it since it's a limited-time issue that will more than likely sort itself out later.
I also agree that malware devs are dumb. Instead of using that curl download in a way they know works, they could just add a p2p module to their malware, open up a few ports on infected machines and hide all that from AV. Easy, right? I mean, them archive URLs change all the time! And updating that via the CC is just too inelegant!
You sound like fun at a party