
Comments (19)

StephenCWills avatar StephenCWills commented on April 27, 2024 2

@galaxyhaxz As far as your GitHub account is concerned, you could consider adding two-factor authentication to your account.

from devilution.

 avatar commented on April 27, 2024 1

So here's the thing, whenever any changes are pushed to the repo, it gets logged in the commits. The releases section however, that is not the case. One can simply upload/swap files at whim, and there is no log or history or even notification. The 0.2 release was 861KB and was uploaded more than a week ago. Then, sometime on 06/24 it was silently replaced with a 405KB SFX installer. The virus seems to work very silently, and then disappears. It's possible I could've gotten a virus from an email I received a few days ago. The email was from "Jason Michael" who goes by "uptospeed99". The title asked me about Devilution but the email itself seemed to be spam.

Anyway, I'll try contacting the GitHub admins and see if they have a log of IP addresses that pushed an upload.

The latest release is here: https://github.com/diasurgical/devilution/releases/tag/0.3
Password to the 7-zip file is the SHA1 of the executable: A4CDB3A9F64AD3CD9F40994FDFFBE3AB643BD03F
Devilution.exe file size: 764 KB (782,336 bytes)

from devilution.

mewmew avatar mewmew commented on April 27, 2024 1

The only other person with any permissions is @mewmew but I doubt that.

For reference, I have not uploaded any executables or done anything with the release. All my contributions can be seen here: https://github.com/diasurgical/devilution/commits?author=mewmew

These kinds of things seem to be becoming more commonplace now that open source is large enough to affect mainstream users. Issue tracking a similar incident in Gitea: go-gitea/gitea#4167

Edit: Signed releases are the way to go.

from devilution.

 avatar commented on April 27, 2024 1

The release has been updated and is now digitally signed and password protected. A SHA-256 is also provided to verify the release. I apologize to any of you who were affected by the virus, hopefully this won't happen again in the future:
https://github.com/diasurgical/devilution/releases/tag/0.3

from devilution.

fearedbliss avatar fearedbliss commented on April 27, 2024 1

Wanted to add here as well that it isn't only devilution or other projects that were injected with trojans. The Gentoo Linux project (which I'm a developer for) also had its GitHub organization projects hacked, and we are currently working on resolving the issue. You can see the announcement here:

https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002

So it seems that this wasn't something done by someone within devilution or anything like that; it seems like a problem with GitHub infra or something.

from devilution.

sunverwerth avatar sunverwerth commented on April 27, 2024

This must be something else. I pasted the link to the exe into several online virus scanners and they all returned clean.

from devilution.

mljack avatar mljack commented on April 27, 2024

I guess a trojan executable is hidden in the devilution.exe.
Here's the result of devilution.exe.
https://www.virustotal.com/#/file/410cd8754bb61cd20fc54040aefed7676243fbd5667b73c8521f6c1927edac7e/detection

Or you can run it...

from devilution.

 avatar commented on April 27, 2024

The sad part is that @mljack is correct. The executable itself is packed with two files inside, the actual Devilution.exe and a separate file "Diablo.exe" which contains the virus. I just downloaded it and tested everything. The date of the file being packed was 06/24/18, which is strange because I uploaded the release before that. It looks like someone somehow sabotaged the release, possibly GitHub themselves.

I'm removing the release, from now on they will be packed into a .7z or other format so nothing can tamper with them.

from devilution.

mljack avatar mljack commented on April 27, 2024

@galaxyhaxz
Better sign your releases. Or at least list the file checksum/hash.
If someone could release a binary in your name, I doubt the source code is also in danger.

Deserves a big notice in readme.md.

from devilution.
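The advice in the two comments above (publish a hash and size, and verify it against what you downloaded) is easy to get wrong by eye, so here is a small checker, written for this page as an added example and not code from the Devilution project. It compares an artifact's SHA-256 and byte length with the published values, tolerates upper- or lower-case hex like the hash quoted earlier in the thread, and also reports the SHA-1 for projects that publish that form. The "published" values in the demo are constructed from a stand-in byte string; in practice they come from the release notes, and the check only tells you something if those notes reach you through a channel the person who swapped the binary could not also edit, which is the case for signatures made with a key that never lived on GitHub.

```python
"""Verify a downloaded release artifact against a published SHA-256 and size.

Added example, not project code. All expected values below are constructed
for the demo; real ones come from the project's release notes.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VerifyResult:
    ok: bool
    sha256: str
    sha1: str
    size: int
    problems: List[str] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    # SHA-1 is kept only because some projects still publish it; it is not
    # collision-resistant, so SHA-256 is the value that actually gets compared.
    return hashlib.sha1(data).hexdigest()


def verify_bytes(data: bytes, expected_sha256: str,
                 expected_size: Optional[int] = None) -> VerifyResult:
    """Compare an artifact already read into memory with its published hash and size.

    Hashes are compared case-insensitively (projects publish either case) and with
    compare_digest, so timing does not reveal how many leading characters matched.
    """
    problems: List[str] = []
    actual = sha256_hex(data)
    expected = expected_sha256.strip().lower()
    if not hmac.compare_digest(actual, expected):
        problems.append(f"sha256 mismatch: expected {expected}, got {actual}")
    if expected_size is not None and len(data) != expected_size:
        problems.append(f"size mismatch: expected {expected_size} bytes, got {len(data)}")
    return VerifyResult(ok=not problems, sha256=actual, sha1=sha1_hex(data),
                        size=len(data), problems=problems)


def verify_file(path: str, expected_sha256: str,
                expected_size: Optional[int] = None) -> VerifyResult:
    """Same check for a file on disk (release installers are small enough to read whole)."""
    with open(path, "rb") as f:
        return verify_bytes(f.read(), expected_sha256, expected_size)


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: the published values describe GOOD; TAMPERED is the
    same artifact with bytes appended (a repacked installer would differ far more)."""
    good = b"MZ" + b"\x00" * 1022          # constructed stand-in for a PE file
    tampered = good + b"\x00" * 8
    published_sha256 = sha256_hex(good)     # stands in for the value in the release notes
    published_size = len(good)
    r_good = verify_bytes(good, published_sha256, published_size)
    r_bad = verify_bytes(tampered, published_sha256, published_size)
    return r_good.ok, r_bad.ok


if __name__ == "__main__":
    good_ok, bad_ok = demo()
    print(f"untouched artifact verifies: {good_ok}; tampered artifact verifies: {bad_ok}")
```

A size check alone would have caught the swap described in this thread (861 KB replaced by a 405 KB installer), but size is trivial for an attacker to pad to match, so it is only a cheap first filter before the hash comparison.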

sunverwerth avatar sunverwerth commented on April 27, 2024

I don't believe the GitHub conspiracy theory, haha.
Are you the only one with permission to create releases? Maybe your machine is compromised...

from devilution.

 avatar commented on April 27, 2024

The only other person with any permissions is @mewmew but I doubt that. This definitely isn't good, whoever repacked it with a virus definitely knows what they are doing. The virus itself is titled "Diablo.exe", which leads me to believe it wasn't an automated process. Someone could have access to my account, so I'm changing passwords to everything.

I can't believe this is happening. How the f**K is this even possible?

from devilution.

sunverwerth avatar sunverwerth commented on April 27, 2024

At least the source code is clean ;). Checked the build with Avira, no results.

from devilution.

Lubieerror avatar Lubieerror commented on April 27, 2024

You can also check the file in an online "reverser". I used it once for tests and it gives interesting summaries/output.
https://www.reverse.it/

from devilution.

mljack avatar mljack commented on April 27, 2024

I'm trying to neutralize the Trojan. Listing what I found so far here in case someone finds this thread from Google: (I think the filenames are randomly generated, so others may see different names and paths.)

  1. Kill the trojan process. No other related processes are found.
  2. Remove executables. Delete the executable files in cmd; it does not work in File Explorer. Something like:
     del "C:\Users\me\AppData\Roaming\Francochinois\eudic\tmp\me_bWU\ \me_bWU.exe"
     del "C:\Users\me\AppData\Roaming\vlc\art\arturl\5086e21f5fb9d3801765ab2e30c9f2a5\me_bWU\ \me_bWU.exe"
  3. Stop the scheduled task "me_bWU". It launches at 1am every day.
  4. Stop autorun on system boot. Run msconfig from Win+R. In the Startup tab, there's a ".lnk" item with an unknown manufacturer. Disable it.
  5. It creates some folders with misformatted names. Just leave them alone, since the exe files are all removed.

from devilution.

mljack avatar mljack commented on April 27, 2024

@Lubieerror Here's the link. Still in progress.
https://www.reverse.it/sample/9d2caeecbe12d527411e6e2b127d3bb8cb5203416b0b3e9f6a8daa75aeeab9da

More:
https://sandbox.pikker.ee/analysis/22776/summary

from devilution.

 avatar commented on April 27, 2024

Interesting read, it seems like they had the exact same problem with the binaries being replaced. I'm starting to think my account was hacked, but the activity log doesn't show any other user than AppVeyor (could that have something to do with it?).

Either way, perhaps signed releases would be the best way to go about this from now on.

from devilution.

Banaboy avatar Banaboy commented on April 27, 2024

from devilution.

 avatar commented on April 27, 2024

This didn't impact anyone who compiled from source right? ONLY those that downloaded the executable from releases?

from devilution.

StephenCWills avatar StephenCWills commented on April 27, 2024

That's right. It seems that somehow the release was modified to provide a build with an embedded Trojan.

from devilution.
