
posted by chromas on Thursday July 11 2019, @05:50PM
from the be-safe-out-there dept.

The open source Pale Moon Browser's archive server suffered a data breach and infection.

From the Data breach post-mortem:

There has been a data breach on the archive server (archive.palemoon.org) where an attempt was made to sabotage our project by infecting all archived executables on the server with a trojan/virus dropper. This post-mortem report is posted to provide full transparency to our community as to what happened (as far as can be gathered -- see below), which files were affected, what you can do to verify your downloads and what will be done to prevent such breaches in the future.

[...] A malicious party gained access to the, at the time, Windows-based archive server (archive.palemoon.org) which we've been renting from Frantech/BuyVM, and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation). Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise to it.

The moment this was reported to me on 2019-07-09, I shut down access to the archive server to prevent any potential further spread of infected binaries and to start an investigation.

[...] Our data on this is limited, because in a later incident (likely by the same party or one other with similar access) on 2019-05-26 the archive server was rendered completely inoperable to the point of having widespread data corruption and being unable to boot or retrieve data from it. Unfortunately that also means that system logs providing exact details of the breach were lost at that time.

After becoming inoperable, I set up the archive server again on a different O.S. (moved from Windows to CentOS, and changed access from FTP to HTTP as a result considering Linux FTP can't be easily set up the same way and this server is purely a convenience service for users).

[...] This affected all archived executables (installers and portable exes) of Pale Moon 27.6.2 and below. Archived versions of Basilisk on the same storage server, although some would have already been present at that time, were not affected or targeted. Only files on the archive server were infected. This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time would any current versions, no matter where they were retrieved from, be infected.

Of note: only the .exe files on the server at the top level were affected. Files inside the archives (extract-able with 7-zip from the installers/portable versions or files inside the zip archives) were not modified.

If you never downloaded from archive.palemoon.org, you are almost certainly in the clear.

The post goes on to suggest that you verify your download by checking the code signature on the executables, where one is present, and/or by checking the download against the provided .sig files and SHA256 hashes.

It also notes:

Additionally, the infection is known to all major antivirus vendors and you can scan your downloads/system with your preferred mainstream antivirus scanner to verify the installers are clean.

Your humble editor has been using Pale Moon almost exclusively for four years, but has always practiced good download hygiene and always verified a download against the provided SHA256 hash. Also, since downloads were never from the archive server, it appears there was not even a potential to be affected in this case.

Out of an abundance of caution, Windows Defender was run and no infection of any kind was reported.
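The verification advice above, worked through as an added example. This is the editor's illustration and not Pale Moon's own code; it assumes the hash list is in sha256sum format ("<hex>  <name>"), uses a made-up installer file name, and constructs header-only PE fixtures with a placeholder signature block as sample input. It checks the SHA256 against the list and locates the Authenticode certificate table in the PE, but deliberately stops short of validating the signature itself; the point of the tampered fixture is that an infector can patch the file and leave the signature block in place, so only the hash comparison (or a full signature check with `signtool verify /pa`, PowerShell `Get-AuthenticodeSignature`, or `osslsigncode verify`) actually proves integrity. The .sig files are checked separately with `gpg --verify`.

```python
"""Download verification as the post-mortem recommends: SHA-256 against a
published hash list, plus a look at the PE's Authenticode certificate table.

Added illustration, not Pale Moon project code. Assumptions: the hash list is
in sha256sum format ("<hex>  <name>"), the installer name is made up, and the
PE files are constructed header-only fixtures with a placeholder signature.
"""
import hashlib
import hmac
import struct

INSTALLER_NAME = "palemoon-27.6.2.win64.installer.exe"   # assumed file name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: hex digest}.
    '#' comments and blank lines are skipped; a leading '*' (sha256sum's
    binary-mode marker) is stripped from the name; malformed lines raise."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        int(parts[0], 16)                                 # must be hex
        entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries


def hash_matches(manifest: dict, name: str, data: bytes) -> bool:
    """True only if `name` is listed and its digest equals SHA-256(data).
    An unlisted file counts as unverified; the compare is constant-time."""
    expected = manifest.get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(data))


def authenticode_table(data: bytes):
    """Locate the PE security directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4),
    whose entry is a file offset rather than an RVA. Returns (offset, size) or
    None. Presence only means a signature block exists; whether it still
    verifies is a job for signtool / Get-AuthenticodeSignature / osslsigncode."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20                           # optional header after COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                                # PE32: directories at +96
            ndirs_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                              # PE32+: directories at +112
            ndirs_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
        if ndirs <= 4:
            return None
        off, size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    except struct.error:                                  # truncated headers
        return None
    if off == 0 or size < 8 or off + size > len(data):
        return None
    return off, size


def build_fixture_pe(signed: bool, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed minimal PE32+ (headers plus `body` standing in for section
    data). With signed=True a WIN_CERTIFICATE block holding a placeholder blob
    is appended and the security directory points at it. Not loadable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    cert = b""
    if signed:
        blob = b"constructed PKCS#7 placeholder, not a real signature"
        blob += b"\x00" * (-len(blob) % 8)                # certificate table is 8-byte aligned
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS_SIGNED_DATA)
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        cert_off = e_lfanew + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert


# Constructed sample files: the "clean" installer and a copy whose body was
# patched, as an infector would do, while the signature block was left intact.
CLEAN_INSTALLER = build_fixture_pe(signed=True)
TAMPERED_INSTALLER = build_fixture_pe(signed=True, body=b"\xcc" * 16)

# The "published" hash list carries the clean file's digest.
MANIFEST = f"# constructed hash list\n{sha256_hex(CLEAN_INSTALLER)}  {INSTALLER_NAME}\n"


def check_download(name: str, data: bytes, manifest_text: str = MANIFEST) -> dict:
    """Run both checks. Only hash_ok (or a full signature verification) proves
    integrity; has_cert_table is a triage hint, nothing more."""
    table = authenticode_table(data)
    return {"hash_ok": hash_matches(parse_manifest(manifest_text), name, data),
            "has_cert_table": table is not None, "cert_table": table}


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        print(label, check_download(INSTALLER_NAME, blob))
```

Run against a real download, feed the published hash list to `parse_manifest` and the file bytes to `check_download`; on Windows the same hash check is `Get-FileHash -Algorithm SHA256`, and the signature itself is checked with `Get-AuthenticodeSignature`, which is the step this example does not replace.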


  • (Score: 3, Informative) by Anonymous Coward on Thursday July 11 2019, @06:09PM (10 children)

    by Anonymous Coward on Thursday July 11 2019, @06:09PM (#865877)

    Of note: only the .exe files on the server at the top level were affected. Files inside the archives (extract-able with 7-zip from the installers/portable versions or files inside the zip archives) were not modified.

    Right, us people with a proper OS aren't affected... Let them eat cake!

    On a more serious note though, it's inevitable and just a matter of time that something like this happens to upstream package repos of the big & important distros (Debian, Fedora, Hannah Montana Linux, ...).
    That'll be the day that shit /really/ hits the fan...

  • (Score: 4, Insightful) by SomeGuy on Thursday July 11 2019, @06:22PM

    by SomeGuy (5632) on Thursday July 11 2019, @06:22PM (#865882)

    The not so funny thing is that EXE installers too often do all kinds of malicious things, even if they are not "infected" with something.

    Oh, look, setup wants me to install a new toolbar! It did WHAT to the Windows Registry? It littered how many files all over the place? Oh, look, now it won't uninstall!

    So much simpler just to expand a zip/7z/rar file. Well, if the application itself doesn't also do anything funny.

    That said, Pale Moon is a great project, and I hope this doesn't hurt them too much.

  • (Score: 2) by HiThere on Thursday July 11 2019, @06:27PM (2 children)

    by HiThere (866) Subscriber Badge on Thursday July 11 2019, @06:27PM (#865888) Journal

    IIRC, something similar *did* happen to Debian perhaps a decade ago now. They detected it fairly quickly, and I wasn't affected, so I don't remember the details. I'm not sure if they were already signing debs or not.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @07:18PM (1 child)

      by Anonymous Coward on Thursday July 11 2019, @07:18PM (#865914)

      Gentoo had an issue too about a year ago: https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html [gentoo.org] it didn't actually manage to touch anything beyond the github mirror. It was either just before or just after they started signing the whole source tree and portage started checking signatures when it synced.

      • (Score: 0) by Anonymous Coward on Sunday July 14 2019, @09:18PM

        by Anonymous Coward on Sunday July 14 2019, @09:18PM (#866979)

        It might have been INTENDED to spur them on to signing and verifying portage. Because they had a pretty fuck you attitude about it in the years before (I and others had suggested it in the #gentoo support channel as well as the mailing lists).

  • (Score: 2) by Oakenshield on Thursday July 11 2019, @06:28PM (5 children)

    by Oakenshield (4900) on Thursday July 11 2019, @06:28PM (#865889)

    I wouldn't touch Hannah Montana Linux with a 10 foot pole. If it's not infected with something horrible, it sure looks like it is.

    • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @06:58PM (1 child)

      by Anonymous Coward on Thursday July 11 2019, @06:58PM (#865905)

      I thought you were being ridiculous and scrolled up to see no, you are not. I refuse to search and find out if the OP was being silly, some things are better left unknown.

      • (Score: 0) by Anonymous Coward on Friday July 12 2019, @05:51AM

        by Anonymous Coward on Friday July 12 2019, @05:51AM (#866123)

        I just watched a video review of it on youtube. There are people in the comments calling for a Miley Cyrus Linux.

    • (Score: 2) by Subsentient on Friday July 12 2019, @01:38AM (2 children)

      by Subsentient (1111) on Friday July 12 2019, @01:38AM (#866063) Homepage Journal

      It's infected with the worst possible thing: Hannah Montana.
      Worm.Posix.Assapoopshits.Massachussets

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
      • (Score: 2) by PiMuNu on Friday July 12 2019, @11:36AM (1 child)

        by PiMuNu (3823) on Friday July 12 2019, @11:36AM (#866190)

        I know you are being facile, but actually a "Minecraft/Beast Quest/Unicorn Fairies/whatever" tie-in would probably drive linux adoption among kids far more than the latest flashy graphics. And let's not forget, today's script kiddies are tomorrow's Nobel prize winners.

        • (Score: 0) by Anonymous Coward on Friday July 12 2019, @05:16PM

          by Anonymous Coward on Friday July 12 2019, @05:16PM (#866321)

          dude

          are there pictures of this hannah montana OS? can I turn off its firewall and probe the ports? Can the voice replace Alexa or Siri? has anyone figured out how to get Emmanuelle to replace either of those?