Virus or Trojan on archive.palemoon.org ?

About this bulletin board and the Pale Moon website

Moderators: satrow, Lootyhoof, FranklinDM

Sartorix
Apollo supporter
Posts: 35
Joined: 2018-05-13, 18:50
Location: M, DE-BY, Terra, Solar System, Milky Way, Laniakea Supercluster, Local Universe, Multiverse, ...?

Virus or Trojan on archive.palemoon.org ?

Unread post by Sartorix » 2019-07-09, 19:28

For historical purposes (looking for differences in the development of the branding - the new one I like the most) I wanted to download the file palemoon-20.3-installer.exe from archive.palemoon.org.

My Avast virus scanner prevented this and reported 2 issues: Win32-Malware-gen and MSIL:Crypt-HD [Trj].

I disabled Avast and downloaded the file. I sent it as a possible false alarm to Avast - but Avast confirmed in an e-mail the findings:
Hello,

Thank you for contacting Avast.

Our virus specialists have been working on this problem and they informed me that this detection is correct.

For future reference you might also find the following article to be useful: https://support.avast.com/en-ww/article ... -guideline

Best Regards,
Prokop
The Avast Support Team
Then I sent the file to several online virus scanners. The frightening results led me to this message.

Kaspersky says: Trojan-Dropper.Win32.Agent.gen

VirusTotal says: 45 of 72 engines detected this file

Jotti’s Malware Scan says: 11 out of 15 scanners have reported malware.

What also makes me suspicious is the fact that the file palemoon-20.3-installer.exe from archive.org is smaller in size and has different properties than the one from archive.palemoon.org - but strangely it has the same files with the same contents in it when unzipping (unpacked with a utility, not by running it or letting it self-extract!). Is there something else hidden in the file palemoon-20.3-installer.exe from archive.palemoon.org ?

I only downloaded this file palemoon-20.3-installer.exe - I can't say anything about the other archived files.

(Attached a few screenshots and page prints.)
"Always look on the bright side of life"
>>Eric Idle<<

"Asshole is an essential member of the human body - who despises it might mistakenly use the mouth in its place"
>>unknown platitudinarian<<

"Laedere numquam velimus, longeque absit illud propositum potius amicum quam dictum perdendi"
>>Marcus Fabius Quintilian<<

karlkracher
Moon lover
Posts: 85
Joined: 2015-12-05, 17:40
Location: germany

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by karlkracher » 2019-07-09, 21:56

Attention: First post probably contains link to a suspicious executable file
Sartorix wrote:
2019-07-09, 19:28
Is there something else hidden in the file palemoon-20.3-installer.exe from archive.palemoon.org ?
I found this file was dropped, doesn't look healthy.

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 01:03

Looks like there has been a data breach on the previous archive server on 27 Dec 2017 considering the date stamp on the files when all (reasonably modern) Pale Moon installer and portable executable files were changed and likely infected; considering the time stamps this has been done with a script. There has been no indication of a breach at all and all transfers were done over secure connections, so it looks like this was done through either local access or via a compromised remote session.

It seems to me that the hosting VM provider might not have (had) proper security in place to host the type of (Windows) VPS offered at the time; with the files having been transferred to a new solution when the previous one became corrupt (which I now suspect was also a malicious act by the same party and not, as thought, a hardware failure), the infected older files have, unfortunately, been retained in the new archive. Obviously, if you were to check the accompanying pgp .sig files for them they would fail the check, but not all versions of the archived binaries have been signed previously, including the 20.3 versions.

I will take the archive offline immediately and investigate further if possible, but considering the previous solution is no longer in production where this infection happened, it does not look like much more can be garnered from it.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

therube
Board Warrior
Posts: 1081
Joined: 2018-06-08, 17:02

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by therube » 2019-07-10, 01:19

@Karl, so this dropped file, what, that came about when attempting to run the infected installer (in a sandboxed environment)?

The "relationship" section of virustotal mentions, palemoon-27.6.0.win32.installer.exe.

And @Moonchild, you commented on that particular report?
(Not sure I'm understanding what that virustotal page is saying in that respect?)

@Sartorix, good find.

Nasty situation.

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 01:38

therube wrote:
2019-07-10, 01:19
And @Moonchild, you commented on that particular report?
I'm not sure what you're referring to.

karlkracher
Moon lover
Posts: 85
Joined: 2015-12-05, 17:40
Location: germany

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by karlkracher » 2019-07-10, 02:54

therube wrote:
2019-07-10, 01:19
@Karl, so this dropped file, what, that came about when attempting to run the infected installer (in a sandboxed environment)?
:oops: No. I've downloaded it to my desktop. Moved it with my mouse into a special folder for later transfer into a VM; a chattering contact in an old cheap mouse started it. Normally the first step would have been renaming, but I forgot. A window came up asking for my administrator password while another file was dropped onto the desktop, then I killed the system by cutting the power off. Started the dual-boot Linux for examination, found in %APPDATA% a new folder Blw with some files, two of them exe. Later I found a run entry in the registry to one of these executables.

Sometimes it's nice to have an old slow computer 8-)

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 13:01

I'm investigating as much as can be done, and will be posting a post mortem report for transparency.

Sartorix
Apollo supporter
Posts: 35
Joined: 2018-05-13, 18:50
Location: M, DE-BY, Terra, Solar System, Milky Way, Laniakea Supercluster, Local Universe, Multiverse, ...?

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Sartorix » 2019-07-10, 15:01

Moonchild wrote:
2019-07-10, 13:01
I'm investigating as much as can be done, and will be posting a post mortem report for transparency.
Thank You for investigating.
A humble question: as I wrote in my opening post, I didn't start or let self-extract the suspicious palemoon-20.3-installer.exe, but I unpacked the contained files with a 7zip utility (Total Commander, packer extension "Total7zip.wcx"). Just to be sure, was I right when I presumed that it's not possible to get infected by merely unpacking palemoon-20.3-installer.exe with a utility?

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 15:21

The files inside the archives/installers were not modified. Just using a tool to extract the enclosed files is perfectly safe.
Only by running the installers or self-extractors (for portable) is there a risk for infection. As long as you don't actually run them, you are good.

Sartorix
Apollo supporter
Posts: 35
Joined: 2018-05-13, 18:50
Location: M, DE-BY, Terra, Solar System, Milky Way, Laniakea Supercluster, Local Universe, Multiverse, ...?

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Sartorix » 2019-07-10, 16:06

Moonchild wrote:
2019-07-10, 15:21
... Only by running the installers or self-extractors (for portable) is there a risk for infection. As long as you don't actually run them, you are good.
Thanks for the quick response!
Only now did I discover that you've already made a very helpful statement about it in the Data breach post-mortem that actually answered my question :thumbup:

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6050
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by New Tobin Paradigm » 2019-07-10, 16:54

Bob Dole doesn't like this...

Our enemies are gonna have a field day.
- Get out of bed. Resistance is futile. Wake up and assimilate the day. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

Sartorix
Apollo supporter
Posts: 35
Joined: 2018-05-13, 18:50
Location: M, DE-BY, Terra, Solar System, Milky Way, Laniakea Supercluster, Local Universe, Multiverse, ...?

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Sartorix » 2019-07-10, 16:58

New Tobin Paradigm wrote:
2019-07-10, 16:54
Our enemies are gonna love this...
What about renaming this post ?

Sartorix
Apollo supporter
Posts: 35
Joined: 2018-05-13, 18:50
Location: M, DE-BY, Terra, Solar System, Milky Way, Laniakea Supercluster, Local Universe, Multiverse, ...?

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Sartorix » 2019-07-10, 17:45

New Tobin Paradigm wrote:
2019-07-10, 16:54
Bob Dole doesn't like this...

Our enemies are gonna have a field day.
So what? That's life! Shit happens! ... :roll:

No matter what happened - Pale Moon keeps "Your browser, Your way" :!:

(and mine ;-) )

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 18:26

Sartorix wrote:
2019-07-10, 16:58
What about renaming this post ?
Renaming it won't change the fact that for a while, old archived versions of the Windows executables -were- trojan-infected and available to the public; although considering how long it took for this to come to light, I don't think the affected versions were downloaded a lot at all.

therube
Board Warrior
Posts: 1081
Joined: 2018-06-08, 17:02

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by therube » 2019-07-10, 19:43

(While archive.palemoon.org is down, & .sig & "Digital Signatures" methods aside), do you have a listing of known good hashes that you could post so others questioning the validity of files they may have on hand can check against?

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 20:22

therube wrote:
2019-07-10, 19:43
do you have a listing of known good hashes that you could post
No, I don't. And apparently there is no such tool available that easily and speedily does it for a whole directory structure either.

RoestVrijStaal
Hobby Astronomer
Posts: 22
Joined: 2019-06-19, 19:18
Location: Dependency Hell

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by RoestVrijStaal » 2019-07-10, 22:29

Moonchild wrote:
2019-07-10, 20:22
therube wrote:
2019-07-10, 19:43
do you have a listing of known good hashes that you could post
No, I don't. And apparently there is no such tool available that easily and speedily does it for a whole directory structure either.
Meet QuickHash.
It has functionality to hash a whole directory. It's open source (under the GPL, ooof!). The reason why the latter downloadable (non-Linux) installers lack a pay button is because they are not signed, while the signed installers require a paid certificate to create them (sounds reasonable, imo). If you're skeptical, you could run it in Sandboxie (or a virtual machine) to use it.

When you don't have the untouched installers anymore, would you please share the SHA3 hashes of the infected files then?

I have the installers of v26.5.0 and v27.9.3 and I'm willing to share them if you don't have them anymore. But I have to be sure that those aren't the infected ones :)

therube
Board Warrior
Posts: 1081
Joined: 2018-06-08, 17:02

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by therube » 2019-07-10, 23:43

Even HashMyFiles for that matter.

HashMyFiles.exe  /wildcard \wlib\leechftp\pale*.*   /sha256 1  /sha1 0 /md5 0  /shtml outpm.html

(Output html file generated by HashMyFiles, posted here as "text". Copy, save as outpm.html & view.)
outpm.html.TXT

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 23:45

Thanks for the tip.
Unfortunately it does not live up to its name, since hashing is incredibly slow -- I'll have to let it run overnight and hope that it's done when I get up.
OK so that's really weird. I interrupted it because it should only hash the .exes -- and when indicating that and restarting the process it was suddenly fast at hashing...?

I looked at HashMyFiles and it refused to traverse subdirectories, and the output was MUCH too verbose to be useful.
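As an added example (not code from this thread or from the Pale Moon project), the following Python script does what the last few posts are after: it recursively hashes only the executables under an archive tree into a sha256sum-compatible manifest, and later classifies every file as unchanged, modified, missing or unexpected against that manifest, so a tampered installer shows up by its digest rather than by a scanner's verdict. The directory layout, file names and file contents in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    # Stream the file through SHA-256 so large installers need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, suffixes=(".exe",)):
    # Walk the whole tree (subdirectories included) and hash only matching suffixes.
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}

def write_manifest(manifest, out_path):
    # Two-space "<hex>  <path>" lines, the format 'sha256sum -c' also understands.
    Path(out_path).write_text("".join(f"{d}  {rel}\n" for rel, d in manifest.items()), encoding="utf-8")

def read_manifest(path):
    # Parse the manifest back into {relative path: hex digest}, skipping blanks and comments.
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    return {rel: digest for digest, _, rel in (l.partition("  ") for l in lines if l and not l.startswith("#"))}

def verify_tree(root, known_good, suffixes=(".exe",)):
    # Classify each executable on disk against the known-good manifest.
    current = build_manifest(root, suffixes)
    modified = sorted(r for r in current if r in known_good and known_good[r] != current[r])
    return {"ok": sorted(r for r in current if known_good.get(r) == current[r]),
            "modified": modified,
            "missing": sorted(r for r in known_good if r not in current),
            "unexpected": sorted(r for r in current if r not in known_good)}

def demo():
    # Constructed archive tree: snapshot it, tamper with one installer, then verify.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "20.3").mkdir()
        (root / "20.3" / "palemoon-20.3-installer.exe").write_bytes(b"MZ constructed installer 20.3")
        (root / "20.3" / "palemoon-20.3.win32.portable.exe").write_bytes(b"MZ constructed portable 20.3")
        (root / "20.3" / "palemoon-20.3-installer.exe.sig").write_bytes(b"not hashed: wrong suffix")
        write_manifest(build_manifest(root), root / "SHA256SUMS")
        # Simulate scripted tampering: append a payload to one executable only.
        with open(root / "20.3" / "palemoon-20.3-installer.exe", "ab") as f:
            f.write(b"<constructed trailing payload>")
        return verify_tree(root, read_manifest(root / "SHA256SUMS"))
```

Run build_manifest once against a copy you trust and keep the manifest somewhere the archive host cannot write to; verify_tree then answers therube's question for anyone holding a file of the same name.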

Moonchild
Pale Moon guru
Posts: 24631
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-10, 23:55
