SourceForge has been around as long as I can remember. Bringing open source projects to the world for people to download and peer at source code and projects.
With GitHub taking over in popularity, the need for SourceForge has dwindled. Slashdot owns SourceForge now (or maybe they always have? I don’t recall).
So what brings my piss to a boil today? Malware hosted on SourceForge. You’d think they’d have some sort of AV scan on their CDN, but no! I try to reach out to SourceForge, but it’s in vain; they won’t even get back to me or acknowledge my existence.
Take ‘Nick’ for example.
Bunch of projects claiming GPL open source, but then you look up one of the binaries on VirusTotal: 23/55. That’s a serious problem. You’ll also notice all of the fake reviews claiming the software is good.
Mr Nick is surprisingly easy to find on the net. A few seconds on Google reveals this isn’t his first time distributing malware.
Speculation? No, Google Earth is free.
Let’s peek inside just for shits and giggles shall we?
We see our ‘GPL.txt’ as well as the clean portable binary; however, we’re interested in the other stuff that gets packed alongside. With Nullsoft installers, the $TEMP folder normally holds any DLLs the installer needs to drop while installing. Inside we see a .NET Framework installer and something named ‘Product21361_Distribution22179_Partner15953.exe’. Seems legit.
MD5 Hash: BCCE565C894B1B1E85A6162459A284B6
Detection ratio: 13 / 55
Once again another Nullsoft installer, but this one is different: there’s no exe inside, just a DLL.
Opening this ‘Product21361_Distribution22179_Partner15953.exe’ in 7-Zip shows us a file named ‘revs.dat’ and a DLL named ‘convert.dll’.
revs.dat doesn’t seem to contain any useful data; in fact it’s a bunch of gibberish. I’ll bet dollars to donuts that ‘convert.dll’ decodes / decrypts this file into an exe. That said, let’s poke around inside this Nullsoft installer with our debugger and see if we can’t extract something good. Since there is no exe inside the archive, the fastest way to see what’s actually inside is to set a breakpoint on CreateProcessA. If you like going through things thoroughly, set breakpoints on WriteFile and follow the second arg (the buffer being written); however, in the interest of saving time / being lazy, let’s just break on CreateProcess.
Looks like we have our true ‘revs.exe’ file running out of the temp folder. You’ll also notice a URI in the command line arguments to ‘installer.ppodownload.com’.
This is most certainly our dropper that grabs all the goodies off the net. When I ran the thing and watched, it pulled down a few other files, including some system checker tool and something named ‘svchost.exe’. Here’s a small excerpt from Wireshark:
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 10 Oct 2014 10:02:30 GMT
Expires: Thu, 16 Oct 2014 15:38:48 GMT
Last-Modified: Sun, 05 Oct 2014 12:17:37 GMT
I think it’s safe to conclude this “GPL” software is about as GPL as PowerPoint.
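The two behaviours seen above, a binary running out of the temp folder with a download URL on its command line, and the NSIS download plugin’s ‘NSISDL’ user agent fetching executables, are exactly what a defender can correlate in endpoint and proxy telemetry. Below is an added example (my own code, not from the post or the dropper) that does this over constructed sample events; the Temp paths, file paths and log format are assumptions, only the host name, user agent and ‘svchost.exe’ come from the analysis above.

```python
import re

# Constructed process-creation events modelled on the dropper above (Sysmon-style fields, not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Users\lab\AppData\Local\Temp\nsa1B2C.tmp\revs.exe",  # constructed path
     "CommandLine": r'"C:\Users\lab\AppData\Local\Temp\nsa1B2C.tmp\revs.exe" http://installer.ppodownload.com/example'},
    {"Image": r"C:\Program Files\7-Zip\7zG.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" x archive.zip'},
]
# Constructed proxy log lines: "<time> <host> <path> <user-agent>". Paths are made up.
HTTP_LOG = [
    "2014-10-10T10:02:30 installer.ppodownload.com /files/svchost.exe NSISDL/1.2 (Mozilla)",
    "2014-10-10T10:02:31 installer.ppodownload.com /files/syschecker.exe NSISDL/1.2 (Mozilla)",
    "2014-10-10T10:03:00 downloads.example.net /project/setup.exe Mozilla/5.0",
]

TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr")

def stager_from_temp(event):
    """Return the remote host when a binary running out of a temp folder gets a URL on its command line."""
    if not TEMP_RE.search(event["Image"]):
        return None
    m = URL_RE.search(event["CommandLine"])
    return m.group(1).lower() if m else None

def nsis_download(line):
    """Return (host, path) when the NSIS download plugin user agent fetches an executable."""
    _, host, path, ua = line.split(" ", 3)
    if ua.startswith("NSISDL/") and path.lower().endswith(EXEC_EXT):
        return host.lower(), path
    return None

def triage(events, log_lines):
    """Correlate: hosts a temp-folder stager was pointed at AND that served executables to NSISDL."""
    stager_hosts = {h for h in map(stager_from_temp, events) if h}
    findings = []
    for line in log_lines:
        hit = nsis_download(line)
        if hit and hit[0] in stager_hosts:
            findings.append({"host": hit[0], "path": hit[1],
                             "reason": "NSISDL executable download from stager host"})
    return findings

if __name__ == "__main__":
    for finding in triage(PROCESS_EVENTS, HTTP_LOG):
        print(finding)
```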
Another one I stumbled across was called DVDStyler made by a guy named Alex Thuering.
Check out this guy’s bug list
He neither confirms nor denies malware in his project and marks it as “won’t fix”. What an asshat.
Bad mouthing aside, let’s dive into his software shall we?
Running the installer at first goes normally until I notice a service is created.
What the hell is this?
Bunch of advertising BS and spyware. Uncool. Here’s some of the crap it pulled down, captured in Wireshark:
There’s more of them out there too. Websites I used to trust have gone over to the ‘Dark Side’. CNET, for example.
Thanks for reading!
Oh, and I’ll be speaking at ToorCon in San Diego this year, in two weeks. I’ll be giving a breakdown of the FinFisher malware suite. I was gonna hold off until then to post my writeup, to keep the suspense.