SoylentNews is people

posted by chromas on Thursday July 11 2019, @05:50PM
from the be-safe-out-there dept.

The open-source Pale Moon browser's archive server suffered a data breach in which the archived installers were infected with malware.

From the Data breach post-mortem:

There has been a data breach on the archive server (archive.palemoon.org) where an attempt was made to sabotage our project by infecting all archived executables on the server with a trojan/virus dropper. This post-mortem report is posted to provide full transparency to our community as to what happened (as far as can be gathered -- see below), which files were affected, what you can do to verify your downloads and what will be done to prevent such breaches in the future.

[...] A malicious party gained access to the (at the time) Windows-based archive server (archive.palemoon.org) which we've been renting from Frantech/BuyVM, and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation). Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise of it.

The moment this was reported to me on 2019-07-09, I shut down access to the archive server to prevent any potential further spread of infected binaries and to start an investigation.

[...] Our data on this is limited, because in a later incident (likely by the same party or another with similar access) on 2019-05-26 the archive server was rendered completely inoperable to the point of having widespread data corruption and being unable to boot or retrieve data from it. Unfortunately that also means that system logs providing exact details of the breach were lost at that time.

After the server became inoperable, I set it up again on a different O.S. (moved from Windows to CentOS, and changed access from FTP to HTTP as a result, considering Linux FTP can't be easily set up the same way and this server is purely a convenience service for users).

[...] This affected all archived executables (installers and portable exes) of Pale Moon 27.6.2 and below. Archived versions of Basilisk on the same storage server, although some would have already been present at that time, were not affected or targeted. Only files on the archive server were infected. This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time would any current versions, no matter where they were retrieved from, have been infected.

Of note: only the .exe files on the server at the top level were affected. Files inside the archives (extract-able with 7-zip from the installers/portable versions or files inside the zip archives) were not modified.

If you never downloaded from archive.palemoon.org, you are almost certainly in the clear.

The post goes on to suggest that you verify any download from the archive server: check the code signature on the executables where one is present, check them against the .sig files provided, and/or compare the file's SHA256 hash against the hashes provided. One caveat a practitioner should keep in mind: a hash only proves integrity if the published value comes from somewhere the attacker could not also have rewritten, so compare against hashes taken from the post-mortem or the main site, not from a checksum file sitting next to the download on the same compromised server.
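As an added example (not code from the Pale Moon project or from the post-mortem), the following Python script does the two checks described above in a form you can run offline: it verifies downloaded files against a sha256sum-style manifest, and it inspects a Windows PE file to see whether it carries an embedded Authenticode certificate table at all. The file names, the manifest and the minimal PE images are constructed inline for illustration; the signature check only detects the presence of a certificate table, not its validity, which needs signtool or PowerShell's Get-AuthenticodeSignature.

```python
"""Added example: manifest-based SHA256 verification plus a presence check for an
embedded Authenticode signature in a PE file.  Not Pale Moon project code; all
inputs below are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct
import tempfile


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest
    return expected


def sha256_file(path):
    """Stream a file through SHA256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, manifest_text):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry.
    The manifest must come from a trusted channel, not the download server itself."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def has_authenticode_signature(data):
    """True if the PE's Certificate Table data directory (index 4) is non-empty.
    Presence only: a tampered file can keep a now-invalid signature block."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 4 + 20                                      # after COFF header
    if len(data) < opt + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)                  # PE32 / PE32+ data dir offset
    if dirs is None:
        return False
    entry = opt + dirs + 4 * 8                                 # 8 bytes per directory entry
    if len(data) < entry + 8:
        return False
    cert_off, cert_size = struct.unpack_from("<II", data, entry)  # file offset, not RVA
    return cert_size > 0 and cert_off + cert_size <= len(data)


def build_fake_pe(signed):
    """Constructed minimal PE32+ image (headers only) used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # 112 fixed + 16 dirs * 8
    struct.pack_into("<H", opt, 0, 0x20B)
    blob = b"\x00" * 16 if signed else b""                     # stand-in for a WIN_CERTIFICATE
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x40 + len(coff) + 240, len(blob))
    return bytes(dos) + coff + bytes(opt) + blob


def demo():
    """Write constructed files to a temp dir and verify them; returns the report."""
    clean = build_fake_pe(signed=True)
    tampered = clean + b"\x90" * 32        # constructed: bytes appended after signing
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("palemoon-clean.exe", clean), ("palemoon-tampered.exe", tampered)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        clean_digest = hashlib.sha256(clean).hexdigest()
        manifest = "\n".join([
            "# constructed manifest, as a publisher would post it out of band",
            f"{clean_digest}  palemoon-clean.exe",
            f"{clean_digest}  palemoon-tampered.exe",
            f"{'0' * 64}  palemoon-missing.exe",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    print(demo())
```

The appended-bytes case is the point of pairing the two checks: the tampered file still has a certificate table, so a presence check alone says nothing, while the hash comparison against an out-of-band manifest flags it as MISMATCH.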

It also notes:

Additionally, the infection is known to all major antivirus vendors and you can scan your downloads/system with your preferred mainstream antivirus scanner to verify the installers are clean.

Your humble editor has been using Pale Moon almost exclusively for four years, but has always practiced good download hygiene and always verified a download against the provided SHA256 hash. Also, since downloads were never from the archive server, it appears there was not even a potential to be affected in this case.

Out of an abundance of caution, Windows Defender was run and no infection of any kind was reported.


This discussion has been archived. No new comments can be posted.
  • (Score: 1, Interesting) by Anonymous Coward on Thursday July 11 2019, @06:05PM (4 children)

    by Anonymous Coward on Thursday July 11 2019, @06:05PM (#865874)

    A malicious party gained access to the at the time Windows-based archive server

    How dumb is that? Why would a fork of a Unix-world project be hosting content on a Windoze box?

    • (Score: 2) by progo on Thursday July 11 2019, @08:01PM (2 children)

      by progo (6356) on Thursday July 11 2019, @08:01PM (#865940) Homepage

      Maybe the project lead or the custodian of the archive server is a Windows sysadmin in his day job. Those people are going to use Windows for their community projects because it's what they know.

      I can't stand Windows, but all things considered it's not THAT much worse than anything else. Other than the expense, I don't see why it's a bad choice to serve static files.

      • (Score: 0, Redundant) by Anonymous Coward on Friday July 12 2019, @02:01AM

        by Anonymous Coward on Friday July 12 2019, @02:01AM (#866071)

        I can't stand Windows, but all things considered it's not THAT much worse than anything else.

        Yes it is.

        Other than the expense, I don't see why it's a bad choice to serve static files.

        Now (again) we do.

      • (Score: 0) by Anonymous Coward on Friday July 12 2019, @05:14PM

        by Anonymous Coward on Friday July 12 2019, @05:14PM (#866319)

        yeah that isn't dumb.

        what's dumb is people immediately crying foul when some OS they don't like is used.

        I like to screw, but I'll hammer away at someone too if it gets the job done...

    • (Score: 1) by doke on Friday July 12 2019, @05:12PM

      by doke (6955) on Friday July 12 2019, @05:12PM (#866317)

As I understand it, PaleMoon is primarily written for Windows. The lead developer seems to be more Windows oriented. The Linux version is sort of a port. They've occasionally changed things in the Linux version to be a little more Windows-like, i.e. moving Preferences to the Tools menu.

  • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @06:08PM (4 children)

    by Anonymous Coward on Thursday July 11 2019, @06:08PM (#865876)

    Google Chrome squad reporting in

    • (Score: 2) by everdred on Thursday July 11 2019, @06:24PM (3 children)

      by everdred (110) on Thursday July 11 2019, @06:24PM (#865884) Journal

      Here, on Linux.

      Have been considering switching, though, as more and more legacy extensions stop working with new versions of PM.

      • (Score: 2) by tangomargarine on Thursday July 11 2019, @06:44PM

        by tangomargarine (667) on Thursday July 11 2019, @06:44PM (#865896)

        It looks like they finally got their extension site up and running. They used to have a number of major FF add-ons that they'd made PM-native versions of, too.

        https://addons.palemoon.org/extensions/ [palemoon.org]

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 3, Insightful) by Magic Oddball on Thursday July 11 2019, @11:12PM (1 child)

        by Magic Oddball (3847) on Thursday July 11 2019, @11:12PM (#866018) Journal

        PM on Linux here as well. Every time I consider switching (primarily due to it not working with certain websites), though, I rediscover my intense dislike of the interface that the other browsers use and quickly change my mind.

        • (Score: 2) by digitalaudiorock on Thursday July 11 2019, @11:47PM

          by digitalaudiorock (688) on Thursday July 11 2019, @11:47PM (#866027) Journal

Using Palemoon under Gentoo here...though out of an overlay repo using layman. I've been really happy with it. I've even compiled it on my old 32-bit x86 machine with no problems. Every once in a while when I have the occasion to use the current FF on Windows, it never ceases to surprise me as to how shitty it's gotten...good riddance. At some point I'll likely replace Thunderbird with Claws mail, seeing as TB 60.x requires clang and rust to compile, and is apparently in a race to become a bigger more bloated piece of shit than FF.

  • (Score: 3, Informative) by Anonymous Coward on Thursday July 11 2019, @06:09PM (10 children)

    by Anonymous Coward on Thursday July 11 2019, @06:09PM (#865877)

    Of note: only the .exe files on the server at the top level were affected. Files inside the archives (extract-able with 7-zip from the installers/portable versions or files inside the zip archives) were not modified.

    Right, us people with a proper OS aren't affected... Let them eat cake!

On a more serious note though, it's inevitable and just a matter of time that something like this happens to upstream package repos of the big & important distros (Debian, Fedora, Hannah Montana Linux, ...).
    That'll be the day that shit /really/ hits the fan...

    • (Score: 4, Insightful) by SomeGuy on Thursday July 11 2019, @06:22PM

      by SomeGuy (5632) on Thursday July 11 2019, @06:22PM (#865882)

      The not so funny thing is that EXE installers too often do all kinds of malicious things, even if they are not "infected" with something.

      Oh, look, setup wants me to install a new toolbar! It did WHAT to the Windows Registry? It littered how many files all over the place? Oh, look, now it won't uninstall!

      So much simpler just to expand a zip/7z/rar file. Well, if the application itself doesn't also do anything funny.

That said, Pale Moon is a great project, and I hope this doesn't hurt them too much.

    • (Score: 2) by HiThere on Thursday July 11 2019, @06:27PM (2 children)

      by HiThere (866) Subscriber Badge on Thursday July 11 2019, @06:27PM (#865888) Journal

      IIRC, something similar *did* happen to Debian perhaps a decade ago now. They detected it fairly quickly, and I wasn't affected, so I don't remember the details. I'm not sure if they were already signing debs or not.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @07:18PM (1 child)

        by Anonymous Coward on Thursday July 11 2019, @07:18PM (#865914)

        Gentoo had an issue too about a year ago: https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html [gentoo.org] it didn't actually manage to touch anything beyond the github mirror. It was either just before or just after they started signing the whole source tree and portage started checking signatures when it synced.

        • (Score: 0) by Anonymous Coward on Sunday July 14 2019, @09:18PM

          by Anonymous Coward on Sunday July 14 2019, @09:18PM (#866979)

It might have been INTENDED to spur them on to signing and verifying portage. Because they had a pretty fuck you attitude about it in the years before (I and others had suggested it in the #gentoo support channel as well as the mailing lists).

    • (Score: 2) by Oakenshield on Thursday July 11 2019, @06:28PM (5 children)

      by Oakenshield (4900) on Thursday July 11 2019, @06:28PM (#865889)

      I wouldn't touch Hannah Montana Linux with a 10 foot pole. If it's not infected with something horrible, it sure looks like it is.

      • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @06:58PM (1 child)

        by Anonymous Coward on Thursday July 11 2019, @06:58PM (#865905)

        I thought you were being ridiculous and scrolled up to see no, you are not. I refuse to search and find out if the OP was being silly, some things are better left unknown.

        • (Score: 0) by Anonymous Coward on Friday July 12 2019, @05:51AM

          by Anonymous Coward on Friday July 12 2019, @05:51AM (#866123)

          I just watched a video review of it on youtube. There are people in the comments calling for a Miley Cyrus Linux.

      • (Score: 2) by Subsentient on Friday July 12 2019, @01:38AM (2 children)

        by Subsentient (1111) on Friday July 12 2019, @01:38AM (#866063) Homepage Journal

        It's infected with the worst possible thing: Hannah Montana.
        Worm.Posix.Assapoopshits.Massachussets

        --
        "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
        • (Score: 2) by PiMuNu on Friday July 12 2019, @11:36AM (1 child)

          by PiMuNu (3823) on Friday July 12 2019, @11:36AM (#866190)

I know you are being facile, but actually a "Minecraft/Beast Quest/Unicorn Fairies/whatever" tie-in would probably drive linux adoption among kids far more than the latest flashy graphics. And let's not forget, today's script kiddies are tomorrow's Nobel Prize winners.

          • (Score: 0) by Anonymous Coward on Friday July 12 2019, @05:16PM

            by Anonymous Coward on Friday July 12 2019, @05:16PM (#866321)

            dude

            are there pictures of this hannah montana OS? can I turn off its firewall and probe the ports? Can the voice replace Alexa or Siri? has anyone figured out how to get Emmanuelle to replace either of those?

  • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @06:24PM (9 children)

    by Anonymous Coward on Thursday July 11 2019, @06:24PM (#865883)

    I dodged this bullet because I stopped using Pale Moon due to its RAM usage being ridiculous.

    • (Score: 4, Interesting) by ikanreed on Thursday July 11 2019, @06:39PM (2 children)

      by ikanreed (3164) Subscriber Badge on Thursday July 11 2019, @06:39PM (#865893) Journal

I've seen this complaint about every major browser (except, oddly, ie), and I wonder how much of it is that for performance reasons, every open DOM needs to be actively traversible with fast updates to low level implementation in UI of that DOM, while every single website feels entitled to ship with as much bloat as they and their advertisers can manage.

      • (Score: 0) by Anonymous Coward on Friday July 12 2019, @09:52AM

        by Anonymous Coward on Friday July 12 2019, @09:52AM (#866176)

This is a chicken & egg situation. If browsers stop grabbing a few hundred meg for each tab, and perform accordingly, websites will need to be more visitor-system friendly or face a drop in traffic. But the more horsepower made available the worse the sites can and will become.

      • (Score: 0) by Anonymous Coward on Saturday July 13 2019, @07:30PM

        by Anonymous Coward on Saturday July 13 2019, @07:30PM (#866696)

What you can try is use the 32-bit version of the browser. That way the browser can't use up all your RAM just because the browser developers are too retarded to care that some people actually want to use their computers for more than just browsing.

        You may find that the browser actually works fine or even better overall.

I did this after I realized that the browsers actually still worked fine for the same pages when installed on machines or VMs with a lot less RAM. When the browsers are in a system with less RAM they tend to change their behavior to use less RAM rather than use up huge amounts of RAM for diminishing (or even negative) returns just because "it's there".

        But when I last checked there's no option or setting to tell Firefox or Chrome to behave as if it's on a 4GB or XGB system. So my workaround was to use the 32bit versions.

    • (Score: 4, Insightful) by tangomargarine on Thursday July 11 2019, @06:40PM (4 children)

      by tangomargarine (667) on Thursday July 11 2019, @06:40PM (#865895)

      The whole point of RAM is to be used. One application using a lot of RAM is only an issue if you're also running 3 others that also suck up your RAM, and they're fighting over it.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: -1, Flamebait) by Anonymous Coward on Thursday July 11 2019, @06:54PM

        by Anonymous Coward on Thursday July 11 2019, @06:54PM (#865903)

Oy, you, with your "Reason" and "Understanding"... get out! We don't do that stuff here.

      • (Score: 2) by MostCynical on Thursday July 11 2019, @09:37PM

        by MostCynical (2589) on Thursday July 11 2019, @09:37PM (#865986) Journal

        But people will always find something about which to complain.
Even if it doesn't matter (eg: "my browser is slow when I have 237 tabs open")

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 1, Insightful) by Anonymous Coward on Friday July 12 2019, @09:54AM (1 child)

        by Anonymous Coward on Friday July 12 2019, @09:54AM (#866178)

        I happen to have a lot of applications running because I use my computer for more than just web browsing. Having 32GB of RAM is helpful, but having those resources available is no excuse for poor programming to consume them irresponsibly.

        • (Score: 2) by tangomargarine on Friday July 12 2019, @02:44PM

          by tangomargarine (667) on Friday July 12 2019, @02:44PM (#866241)

          With 32 GB of RAM, what the heck else are you doing simultaneously if PM usage is a problem, transcoding HD video?

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @07:01PM

      by Anonymous Coward on Thursday July 11 2019, @07:01PM (#865908)

      What bullet? You need to
a) be downloading from the archive server (who does this? maybe very old Windows version users?)
      b) be using windows
      c) be downloading an exe installer

As for memory, caching everything became fashionable many years ago; maybe get used to it?

  • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @06:25PM (5 children)

    by Anonymous Coward on Thursday July 11 2019, @06:25PM (#865885)

    good luck changing hardcoded useragent strings for certain domains with palemoon.
    i guess it got infected with the same bug as chrom(ium) ex. all the credit card storage upload and manage code there...

    • (Score: 0) by Anonymous Coward on Thursday July 11 2019, @08:19PM

      by Anonymous Coward on Thursday July 11 2019, @08:19PM (#865952)

      There is a list in the source that defines user agents to provide when talking to certain sites. They've fallen into the trap of "it just has to work, even for discriminatory sites, otherwise users will scream and go back to chrome, and we care about popularity".

      I've set up my browser to never send user agents. Fun to see what kind of stuff breaks, because of stupid assumptions.

    • (Score: 3, Insightful) by number11 on Thursday July 11 2019, @08:59PM

      by number11 (1170) Subscriber Badge on Thursday July 11 2019, @08:59PM (#865963)

      Huh? I use PM with Secret Agent to rotate from a collection of reasonably up-to-date user-agent strings. Whatismybrowser [whatismybrowser.com] says I'm running Chrome 54 on Windows 10, and that my browser is out of date. Ok, maybe it's time to update the collection. Some sites don't like it if you [appear to] have an old browser, but I can always click a button and rotate to a new flavor, or run NoScript, or have their favorite tracker blocked. I have more trouble from sites that don't like my VPN location, sometimes due to geolocation, sometimes due to spam blacklists, sometimes just because they're twits.

    • (Score: 0) by Anonymous Coward on Friday July 12 2019, @12:34AM (1 child)

      by Anonymous Coward on Friday July 12 2019, @12:34AM (#866043)

      AFAIR there is a variable set in about:config. Something like general.useragent.override.domain.tld containing the agent. They can be freely manipulated.

      • (Score: 0) by Anonymous Coward on Friday July 12 2019, @02:30PM

        by Anonymous Coward on Friday July 12 2019, @02:30PM (#866237)

        i think it's stored in prefs.js. if you delete it, the browser will regenerate it. the complaint is that the default regenerated prefs.js has hard-coded user-agent strings per domain.
        methinks changing something as "simple and useless" as user-agent string should not require a "plug-in" to change.
see chrome(ium): that thing's not a browser but a POS (point-of-sales) terminal disguised as a browser ...

    • (Score: 1) by doke on Friday July 12 2019, @05:22PM

      by doke (6955) on Friday July 12 2019, @05:22PM (#866324)

      In PaleMoon, you can set the useragent string to anything you want, either in general, or on specific sites. Type "about:config" into the url, and enter "general.useragent.override" in the search bar. You can set that key, or that with a site name added on.

For quick, cruder, changes, you can use the pulldown at Tools -> Preferences -> Advanced -> General -> Compatibility.

      It will be saved in your prefs.js file across restarts of the browser. You can also set it in a user.js file, if you choose to make one.

  • (Score: 2, Touché) by chance2105 on Thursday July 11 2019, @06:26PM (4 children)

    by chance2105 (1757) on Thursday July 11 2019, @06:26PM (#865886)

    So getting this straight, they had a huge malfunction of the Windows machine the server was hosted on, to the point of it not booting. Then they restored the archive with either the files, or the backup of files, from the obviously broken machine. They never verified they were good.

    I'm glad they were honest. This makes me really uncomfortable with them though, in general.

    • (Score: 2, Insightful) by nitehawk214 on Thursday July 11 2019, @07:05PM

      by nitehawk214 (1304) on Thursday July 11 2019, @07:05PM (#865910)

      And why make the public archive machine Windows, of all things?

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 2) by coolgopher on Thursday July 11 2019, @10:45PM (2 children)

      by coolgopher (1157) on Thursday July 11 2019, @10:45PM (#866013)

      Why wouldn't you restore your data files from backup when your OS dies on you? That's kind of the point of having backups. You know, to be able to get the data back when it becomes inaccessible on the host it's meant to be accessible on.

      Regular backup verification is typically done against the host machine, for obvious reasons, and would not pick up on deliberate tampering with files. You need to run digest verifiers to pick up on that, and even in corporate, that's (in my experience) reserved for only really critical data.

      • (Score: 0) by Anonymous Coward on Friday July 12 2019, @01:43AM (1 child)

        by Anonymous Coward on Friday July 12 2019, @01:43AM (#866066)

        I think you missed the point. They restored a backup from a compromised machine that was trashed and didn't verify that the data they restored was from prior to the compromise or not corrupted by the broken OS during creation.

        • (Score: 2) by martyb on Friday July 12 2019, @07:39AM

          by martyb (76) Subscriber Badge on Friday July 12 2019, @07:39AM (#866152) Journal

          I think you missed the point.

          "Have you tried turning it off and back on again?" Computers will, occasionally, get in a borked state, and a restart often clears it up. If upon reboot, everything seems to be running okay, how many of you would go on a huge search to find out why it crashed?

          The system got hosed, they restored from backup, and in the vast majority of cases that would have been that. It just so happens that in this case, after they did the restore, they found out that things were NOT all right and it was only then that they found out they had restored from a backup that had been compromised.

It's one thing to know about best practices. It's quite another to go through a situation like this to become a *believer* and take steps to implement daily, weekly, and monthly incremental and full local and offsite backups.

          I'd dare say they will implement a much more rigorous backup and malware-checking process from now on.

          "Good judgement comes from experience. Experience comes from poor judgement."

          --
          Wit is intellect, dancing.
  • (Score: 3, Touché) by EJ on Thursday July 11 2019, @07:26PM (2 children)

    by EJ (2452) on Thursday July 11 2019, @07:26PM (#865918)

    When you dance with the devil in the..., that's what you get.

    • (Score: 2) by MostCynical on Friday July 12 2019, @03:19AM (1 child)

      by MostCynical (2589) on Friday July 12 2019, @03:19AM (#866100) Journal

      Devil fleas?

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 1, Insightful) by Anonymous Coward on Friday July 12 2019, @09:20AM

        by Anonymous Coward on Friday July 12 2019, @09:20AM (#866171)

        Woke up next to an infected Microsoft whore.
