For historical purposes (looking for differences in the development of the branding - the new one I like the most) I wanted to download the file palemoon-20.3-installer.exe from archive.palemoon.org.
My Avast virus scanner prevented this and reported 2 issues: Win32-Malware-gen and MSIL:Crypt-HD [Trj].
I disabled Avast and downloaded the file. I sent it as a possible false alarm to Avast - but Avast confirmed in an e-mail the findings:
Hello,
Thank you for contacting Avast.
Our virus specialists have been working on this problem and they informed me that this detection is correct.
What also makes me suspicious is the fact that the file palemoon-20.3-installer.exe from archive.org is smaller in size and has different properties than the one from archive.palemoon.org - but strangely it has the same files with the same contents in it when unpacked (unpacked with a utility, not by running it or letting it self-extract!). Is there something else hidden in the file palemoon-20.3-installer.exe from archive.palemoon.org ?
I only downloaded this file palemoon-20.3-installer.exe - I can't say anything about the other archived files.
Is there something else hidden in the file palemoon-20.3-installer.exe from archive.palemoon.org ?
I found this file was dropped, doesn't look healthy.
Re: Virus or Trojan on archive.palemoon.org ?
Posted: 2019-07-10, 01:03
by Moonchild
Looks like there has been a data breach on the previous archive server on 27 Dec 2017 considering the date stamp on the files when all (reasonably modern) Pale Moon installer and portable executable files were changed and likely infected; considering the time stamps this has been done with a script. There has been no indication of a breach at all and all transfers were done over secure connections, so it looks like this was done through either local access or via a compromised remote session.
It seems to me that the hosting VM provider might not have (had) proper security in place to host the type of (Windows) VPS offered at the time; with the files having been transferred to a new solution when the previous one became corrupt (which I now suspect was also a malicious act by the same party and not, as thought, a hardware failure), the infected older files have, unfortunately, been retained in the new archive. Obviously, if you were to check the accompanying pgp .sig files for them they would fail the check, but not all versions of the archived binaries have been signed previously, including the 20.3 versions.
I will take the archive offline immediately and investigate further if possible, but considering the previous solution is no longer in production where this infection happened, it does not look like much more can be garnered from it.
Re: Virus or Trojan on archive.palemoon.org ?
Posted: 2019-07-10, 01:19
by therube
@Karl, so this dropped file, what, that came about when attempting to run the infected installer (in a sandboxed environment)?
The "relationship" section of virustotal mentions, palemoon-27.6.0.win32.installer.exe.
And @Moonchild, you commented on that particular report?
(Not sure I'm understanding what that virustotal page is saying in that respect?)
@Karl, so this dropped file, what, that came about when attempting to run the infected installer (in a sandboxed environment)?
No. I downloaded it to my desktop. I moved it with my mouse into a special folder for later transfer into a VM; a chattering contact in an old cheap mouse started it. Normally the first step would have been renaming, but I forgot. A window came up asking for my administrator password while another file was dropped onto the desktop, then I killed the system by cutting the power off. I started the dual-boot Linux for examination and found in %APPDATA% a new folder Blw with some files, two of them .exe. Later I found a Run entry in the registry pointing to one of these executables.
Sometimes it's nice to have an old slow computer
Re: Virus or Trojan on archive.palemoon.org ?
Posted: 2019-07-10, 13:01
by Moonchild
I'm investigating as much as can be done, and will be posting a post mortem report for transparency.
I'm investigating as much as can be done, and will be posting a post mortem report for transparency.
Thank You for investigating.
A humble question: as I wrote in my opening post, I didn't start or let self-extract the suspicious palemoon-20.3-installer.exe, but I unpacked the contained files with a 7zip utility (Total Commander, packer extension "Total7zip.wcx"). Just to be sure, was I right in presuming that one can't get infected by merely unpacking palemoon-20.3-installer.exe with a utility?
Re: Virus or Trojan on archive.palemoon.org ?
Posted: 2019-07-10, 15:21
by Moonchild
The files inside the archives/installers were not modified. Just using a tool to extract the enclosed files is perfectly safe.
Only by running the installers or self-extractors (for portable) is there a risk for infection. As long as you don't actually run them, you are good.
... Only by running the installers or self-extractors (for portable) is there a risk for infection. As long as you don't actually run them, you are good.
Thanks for the quick response!
Only now I discovered you've already made a very helpful statement about it on Data breach post-mortem that actually answered my question
Renaming it won't change the fact that for a while, old archived versions of the windows executables -were- trojan-infected and available to the public; although considering how long it took for this to come to light, I don't think the affected versions were downloaded a lot at all.
Re: Virus or Trojan on archive.palemoon.org ?
Posted: 2019-07-10, 19:43
by therube
(While archive.palemoon.org is down, & .sig & "Digital Signatures" methods aside), do you have a listing of known good hashes that you could post so others questioning the validity of files they may have on hand can check against?
When you don't have the untouched installers anymore, would you please share the SHA3-hashes of the infected files then?
I have the installers of v26.5.0 and v27.9.3 and I'm willing to share them if you don't have them anymore. But I have to be sure that those aren't the infected ones.
Thanks for the tip. Unfortunately it does not live up to its name, since hashing is incredibly slow -- I'll have to let it run overnight and hope that it's done when I get up.
OK so that's really weird. I interrupted it because it should only hash the .exes -- and when indicating that and restarting the process it was suddenly fast at hashing...?
I looked at hashmyfiles and it refused to traverse subdirectories, and the output was MUCH too verbose to be useful.
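The hashing that the last few posts describe (only the .exe files, recursing into subdirectories, output compact enough to compare against a list of known-good hashes) is easy to script. The following is an added example and not Pale Moon project code or a tool mentioned in the thread; it assumes the project publishes a known-good list in sha256sum format ("<hex digest>  <relative path>"), and the archive tree, file contents and manifest inside demo() are constructed for the demonstration. A file whose digest differs from the manifest is reported as mismatched (in the situation above, that is the signal of a trojaned installer); a file with no manifest entry is reported as unlisted rather than silently accepted, which matters here because not every archived version had a .sig file.

```python
"""Recursively hash installers / portable self-extractors and check them
against a known-good manifest.  Added example, not Pale Moon project code."""
import hashlib
import tempfile
from pathlib import Path

EXTENSIONS = {".exe"}   # only the installers / self-extractors, not every file in the tree
CHUNK = 1 << 20         # read 1 MiB at a time so a large installer is never loaded whole


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, extensions=EXTENSIONS):
    """Walk root recursively; return {relative POSIX path: sha256} for matching files."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in extensions
    }


def format_manifest(hashes):
    """One 'digest  path' line per file, the format `sha256sum -c` accepts."""
    return "\n".join(f"{digest}  {name}" for name, digest in sorted(hashes.items()))


def parse_manifest(text):
    """Parse sha256sum-style lines; blank lines and '#' comments are ignored,
    a leading '*' (sha256sum binary mode) on the path is stripped."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        known[name.strip().lstrip("*")] = digest.lower()
    return known


def compare(actual, known):
    """Classify files: matched, mismatched (digest differs: treat as tampered),
    unlisted (no known-good digest, so nothing vouches for it), missing (listed but absent)."""
    return {
        "matched":    sorted(n for n in actual if n in known and actual[n] == known[n]),
        "mismatched": sorted(n for n in actual if n in known and actual[n] != known[n]),
        "unlisted":   sorted(n for n in actual if n not in known),
        "missing":    sorted(n for n in known if n not in actual),
    }


def demo():
    """Constructed archive tree: one installer whose bytes no longer match the
    manifest, one that matches, a non-.exe file that must be skipped, and a
    manifest entry for a file that is not on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "20.3").mkdir()
        (root / "27.6.0").mkdir()
        good = b"MZ constructed installer bytes"          # constructed, not a real PE
        (root / "20.3" / "palemoon-20.3-installer.exe").write_bytes(good + b" (modified)")
        (root / "27.6.0" / "palemoon-27.6.0.win32.installer.exe").write_bytes(good)
        (root / "27.6.0" / "README.txt").write_bytes(b"wrong extension, never hashed")
        good_digest = hashlib.sha256(good).hexdigest()
        manifest = format_manifest({                      # constructed known-good list
            "20.3/palemoon-20.3-installer.exe": good_digest,
            "27.6.0/palemoon-27.6.0.win32.installer.exe": good_digest,
            "27.6.0/missing-from-disk.exe": good_digest,  # hypothetical name
        })
        return compare(hash_tree(root), parse_manifest(manifest))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

To use it on a real archive, run `format_manifest(hash_tree("path/to/archive"))` on the untouched copy to produce the list, and `compare(hash_tree("path/to/suspect"), parse_manifest(open("list.txt").read()))` on the copy under test; the output is one line per .exe, which avoids the verbosity problem described above. Digest comparison only tells you a file differs from the reference copy, so it complements rather than replaces checking the PGP .sig files where they exist.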