Classic Shell, Audacity downloads infected with retro MBR nuke nasty
Gonna party like it's 1989
Classic Shell and Audacity downloads were booby-trapped this week with an old-school software nasty that knackered victims' Windows PCs.
Hackers were able to inject some retro-malware into the popular applications' installers hosted on fosshub.com, an official home for Classic Shell and Audacity releases among other software projects.
When victims fetched the tainted downloads on Tuesday and ran them, rather than install the expected app, the computer's Master Boot Record (MBR) was replaced with code that, during the next reboot or power on, displayed a cheeky message and prevented the machine from starting up properly. The main drive's partition table was also likely damaged.
We thought these sorts of shenanigans died in the 1980s or early 1990s. In order for this to work, the victim would have to click through a warning that the download was not legit.
The message shown after a reboot read:
As you reboot, you find that something has overwritten your MBR! It is a sad thing your adventures have ended here!
Direct all hate to Pegglecrew (@cultofrazer on Twitter)
Classic Shell is a free and popular application that brings a Windows 7-style start menu back to later Windows editions. Audacity is open-source and described as a free multi-track audio editor and recorder.
For some computers, the MBR overwrite worked as Peggle Crew expected with a message displayed. For other systems, bewildered victims were simply dumped at a BIOS configuration screen or a blank screen with a flashing cursor during the next reboot. The broken MBR is repairable, especially if you have a Windows recovery disc to hand, and you'll need TestDisk to restore a trashed partition table.
Less tech-savvy folks may end up wiping their computers and starting from scratch out of frustration. You might want to blow it away anyway and restore from a good backup in case the software nasty left any other surprises on the drive.
"After I Installed the Windows 10 anniversary update I noticed it had uninstalled Classic Shell and had an even worse start menu as before," said peterb on the Classic Shell forums.
"So I went to the site, checked if the latest version 4.3 supported the update and downloaded it. When I installed it said it couldn't be trusted, I installed anyway but it did nothing. When I restarted my laptop it went straight to BIOS. Luckily I had a System Repair Disc close by and I could fix Windows."
If your screen looks like this, you're in trouble ... Source: ClassicShell.net forums
FossHub tries to be a spyware-less and adware-free host for free and open-source software. According to the site's administrator on Wednesday, a group of hackers gained control of two user accounts that had access to the Classic Shell and Audacity downloads:
The attackers uploaded a malware file on Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.
They were greedy meaning that they targeted the largest projects listed on FossHub: Audacity and Classic Shell. We reacted promptly for Audacity installer but for Classic Shell, several hundred users were able to download the malware infected version.
Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage.
We are currently in the process of reinstalling everything, change all access rights, passwords and run up under new security rules. I would like to say that we “apologize” but I would lie not to admit it is the worst day ever for me (personally) and all FossHub team members.
The software nasty has since been submitted to Virustotal.
Classic Shell developer Ivo Beltchev is advising anyone unsure of their downloads to check for the security certificate: the authentic version will show Beltchev as a verified publisher, while the malicious build will show up in Windows as coming from an unknown publisher.
Shots of an authentic (left) and malicious (right) installer notification
Team Audacity, meanwhile, said: "For about 3 hours on August 2, 2016, our download server was serving a hacked copy of Audacity that contained malware. This was due to hackers obtaining the password of one of our developers and using it to upload the malware.
"We are a community of developers, documentation writers, support and help people, not a commercial outfit with a dedicated security team with strong security protocols.
"We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization." ®