Slashdot Mirror


Open Source Software Hijacked To Push Malware

jfruhlinger writes "VLC Media Player is a popular, useful, and free-as-in-beer piece of software. Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways. Not only do some of these folks claim that they're the originator of the software (a violation of trademark law and the license), but they often bundle it up with crapware and malware, which is a real dilemma for open source developers who play by the rules."

19 of 147 comments

  1. No It doesn't by zero.kalvin · · Score: 5, Insightful

    It doesn't matter if it is open or closed source. You are an idiot if you download anything from an untrusted source, point and end of discussion.

    1. Re:No It doesn't by mrnobo1024 · · Score: 2

      If you download and run a program without sandboxing it, then you are trusting its source by definition.

      Don't confuse "trusted" with "trustworthy".

    2. Re:No It doesn't by sortadan · · Score: 4, Informative

      Yeah, I know it's silly to complain about 'news' headlines, but it sounded like the official distribution had been infected. That is not the case and http://www.videolan.org/vlc/ is still a safe provider of the software.

    3. Re:No It doesn't by Ocker3 · · Score: 3, Informative

      Exactly. If you do a search for a printer's name, you often get a lot of random driver storage sites that pop up, but who's vetted that software? I always hit the manufacturer first, and for a piece of software I go to a known-good download site (like C-Net) as their business model is based partly on being a trusted source of software. If you aren't downloading VLC from the SourceForge repository, you're opening yourself up to using a hacked and backdoored product.

    4. Re:No It doesn't by amiga3D · · Score: 3, Interesting

      I can understand your annoyance, I've often felt that one of the reasons linux suffers from so few malware incidents is that the users are generally more technically proficient and security conscious. I always notice where my software is coming from and take care to notice when I'm redirected by a site. I always check to make sure that I don't allow anything to be installed I didn't ask for. Not saying I'm a genius but I've noticed most windows users seem to download and just click okay buttons indiscriminately without reading anything.

    5. Re:No It doesn't by whiteboy86 · · Score: 2

      >> You are an idiot if you download anything from an untrusted source

      Like 80% of all internet users are "idiots" in this regard; those will have a hard time recognizing legit VLC, most of them even trust .com more than .org, so they can easily fall for this. Those blackhat perpetrators have the cash to pay for AdWords, that is why this is a HUGE problem. It is even more augmented by the fact that Google/AdWords has a helping hand in this.

    6. Re:No It doesn't by Rhodri Mawr · · Score: 2

      CNET is one of the safest places to download software from online. However, the author of the article, the suspiciously named Brian Proffitt, includes the following dubious paragraph on CNET:

      "But then there's sites like CNET Download, which also lists FLOSS software (among many other types of applications) for download, directly from CNET's servers. While CNET does not in any way represent that they "own" the software they're offering, nor do I seriously believe they are offering up malware, I can't be sure about the provenance of the Firefox 5 for Windows software they just offered me. Nor am I terribly sanguine about the "free scan for Windows errors" banner and box ads sitting on the download page."

      By making this comment on CNET, he undermines his credibility as an analyst and casts into doubt the legitimacy of the whole of his article, which is a shame, as there *are* some relevant points made.

    7. Re:No It doesn't by cyberstealth1024 · · Score: 3, Informative

      To do so, only download from your operating system's repository or app store. If your OS doesn't have one, find one that does.

      ...because there has never been malware on the Android Market.

      and the Amazon App Store has an inherent risk

    8. Re:No It doesn't by mug funky · · Score: 2

      it's all those wizards in the mid to late '90s. they created a culture of clicking through endless meaningless splashes and marketing spiels to get your software. if you ever read those things, you'd still be installing CorelDraw! 5 at this point.

      we all got in the habit, the OS was not terribly secure, the internet grew faster than anyone expected, and now suddenly everyone's clicking through installers that fuck their machines.

      add to that the fact that most AV programs are so woeful for performance that people don't care whether they are a bot or not, so long as their machine doesn't slow down.

      windows works quite well in spite of this so long as you have a diligent and well resourced IT department. at home i use ubuntu cause i'm a superstar.

  2. Show in the right places by udoschuermann · · Score: 4, Insightful

    The text in proprietary software can be patched to change attribution, and viruses can be attached to binaries easily enough. It's just a little easier with software for which the source code is available. Either way, don't "shop" in the wrong place.

    --
    --Udo.
  3. Also a problem with commercial software. by wisty · · Score: 2

    So? You can also get cracked commercial software (or just shit pretending to be it) and get your viruses that way.

  4. Has nothing to do with OSS by MobyDisk · · Score: 4, Insightful

    You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.

  5. Contact the FSF by MobyDisk · · Score: 2

    The Free Software Foundation (FSF) has a very good track record of dealing with these kinds of issues. The Electronic Frontier Foundation (EFF) may also be able to help.

  6. Common Sense. by PessimysticRaven · · Score: 2

    Two things:

    1. Agreed with everyone else, in that the summary is written in such a way that one would interpret VLC infected. Bad form on the summary writer's part. (insert rant about /. editing style, rabblerabble)

    2. This has zero to do with FOSS. Even paid software can be used to shovel out any form of virii, malware, digital Bubonic Plague, etc. This is about people downloading any and everything that has a link attached, from 'trusted' sources and flashing banner ads.

    I'm going to make this real simple, Internet Security 101-style: if you download something and you don't make the MONUMENTAL effort to scan it with whatever virii scanner you're using, you deserve what you get. True, virus scanners are not the be-all/end-all of security, but considering most of these infections are lazily coded, your scanner of choice would probably find the source of the infection, but probably their Twitter, Facebook, Google, and grocery shopping lists, too.

    You wouldn't shtup a prostitute without a condom, right? (I hope!) Same thing applies when you 'jack in' to the intertubez.

    --
    Consistency is only a virtue if you're not a screw-up.
  7. Re:Linux was literally used for this purpose as we by Anonymous Coward · · Score: 2, Informative

    Goatse alert!

  8. Digital Signatures (from distributions) by lkcl · · Score: 3, Insightful

    this is entirely and precisely why distros such as debian go to such lengths to place GPG digital signatures on the downloads; why they go to such lengths to enact extensive GPG key-signing web-of-trust exchanges etc. etc. no software is allowed into the archive that is not GPG digitally-signed by someone who is part of the GPG web-of-trust network (thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document).

    the lengths to which for example the debian developers go are sufficiently extreme that it would be an incredibly foolish exercise for any debian developer to even attempt to place spyware or any kind of malware into packages, because they could be identified (via their GPG Digital Signature) and thus banned for life from the debian project.

    the lengths to which it would be necessary to go, to circumvent such a system, involve cracking of GPG Digital Signatures or of compromising the Debian Packaging system itself, and switching off the signature-checking system. whilst the average person would not know how to check that this had occurred, it is an extremely remote and unlikely possibility in and of itself; the experienced debian user could boot up off of a live boot or rescue CD and use rkhunter or chkrootkit to verify that the system had not been compromised.

    all in all it has to be said, in simpler terms (as many people on comments here have already said) - don't download stuff you can't trust! but if you can't be bothered to check, but are using a stupid operating system into which a package verification system is not built-in from the ground up, then don't use that stupid operating system! if you ignore this kind of advice, then you deserve everything that you get.

  9. Package manager, anyone? by seandiggity · · Score: 3, Informative

    Besides the obvious point that you can package any type of bloat or malware with closed-source software (spend some time putting together an installation wizard for Windows, and you'll see you can get away with pretty much anything), there's also the fact that F/OSS operating systems almost always have a package manager, which encourages only downloading through trusted sources. So the F/OSS way of doing things is to be careful about trusting where your binaries come from.

    sudo apt-get install vlc is not gonna get you anything but a legit version of VLC, unless you setup JOez BaDazzz REPO by following directions on the 5th page of Google's search results.

    --
    Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone. -rms
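The check that comments 8 and 9 are really describing, written out as an added example (this is not code from the thread, from VideoLAN or from Debian): verify a downloaded installer against the project's published SHA256SUMS file, and, when a detached signature is supplied, insist that the sums file itself verifies against the project key before trusting any hash in it. The file names, the `SHA256SUMS`/`SHA256SUMS.asc` layout, the constructed "installer" contents and the assumption that the signing key is already in the local keyring are all mine, not the page's.

```sh
#!/bin/sh
# Added example, not from the original thread or any project it mentions.
# Assumptions (not stated on the page): the project publishes SHA256SUMS and
# a detached SHA256SUMS.asc, the project's signing key is already imported
# into the local gpg keyring, and sha256sum or shasum is installed.

# Print the SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_download FILE SUMS [SIG]
# Returns 0 when FILE matches its entry in SUMS (and SIG, if given, verifies).
# Non-zero codes: 1 hash mismatch, 2 signature missing/unverifiable,
# 3 FILE not listed in SUMS, 4 FILE or SUMS does not exist.
verify_download() {
  file="$1"; sums="$2"; sig="${3:-}"
  [ -f "$file" ] && [ -f "$sums" ] || return 4
  if [ -n "$sig" ]; then
    # A sums file fetched from the same place as the installer proves nothing
    # by itself; only a signature by the project key ties it to the project.
    # So refuse to continue if gpg is absent or the signature does not verify.
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --verify "$sig" "$sums" >/dev/null 2>&1 || return 2
  fi
  name=$(basename "$file")
  # Entries look like "<hex>  name" or "<hex> *name" (binary mode), possibly
  # with a path prefix; match on the basename only and take the first hit.
  expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); sub(/.*\//, "", f);
                                 if (f == n) print $1 }' "$sums" | head -n 1)
  [ -n "$expected" ] || return 3
  actual=$(sha256_of "$file")
  [ "$expected" = "$actual" ] || return 1
  return 0
}

# Build a constructed fixture (sample data, not a real release): a genuine
# download, a repackaged copy with the same file name, and a SHA256SUMS file
# listing the genuine one. Prints the fixture directory.
make_fixture() {
  d=$(mktemp -d)
  mkdir "$d/good" "$d/bad"
  printf 'hello' > "$d/good/vlc-installer.exe"            # stand-in for the real installer
  printf 'hello plus bundled crapware' > "$d/bad/vlc-installer.exe"
  # SHA-256 of the five bytes "hello", in the usual "<hex>  name" layout.
  printf '%s  vlc-installer.exe\n' \
    2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 > "$d/SHA256SUMS"
  echo "$d"
}

# Walk through the fixture: the genuine file passes, the repack with the same
# name fails, and asking for signature verification without a real .asc fails
# closed rather than silently skipping the check.
demo() {
  d=$(make_fixture)
  if verify_download "$d/good/vlc-installer.exe" "$d/SHA256SUMS"; then
    echo "genuine installer: OK"
  else
    echo "genuine installer: FAILED rc=$?"
  fi
  if verify_download "$d/bad/vlc-installer.exe" "$d/SHA256SUMS"; then
    echo "repackaged installer: OK (this should not happen)"
  else
    echo "repackaged installer: rejected rc=$?"
  fi
  if verify_download "$d/good/vlc-installer.exe" "$d/SHA256SUMS" "$d/SHA256SUMS.asc"; then
    echo "with signature: OK"
  else
    echo "with signature: rejected rc=$? (no valid SHA256SUMS.asc)"
  fi
  rm -rf "$d"
}

demo
```

The order matters: the signature is checked before any hash is compared, because a mirror or ad-funded download site can just as easily replace SHA256SUMS as the installer. Without the `.asc` step this script only tells you the file was not corrupted in transit, which is the weaker claim.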
  10. Defend your trademark! by Anonymous Coward · · Score: 3, Informative

    This happened to Mixxx DJ Software (http://mixxx.org), there was a web site that was shipping a Windows installer which installed crapware and Mixxx. The best part about it is their crapware would come up in the ads when you searched for Mixxx on Sourceforge!

    The site that was promoting this crapware installer used the Mixxx name (trademark), several screenshots featuring the Mixxx logo and included a footer that indicated the contents of the page were copyright of their company 2008...

    So we tracked them down and sent them a cease-and-desist email for violating our trademark (misrepresenting themselves as authors and using screenshots which feature the Mixxx brand without our consent)... Simply put, we told them they could NOT use our trademark at all; this means no screens with our logo, no mention of the project's name -> this means to comply with trademark law they will have to alter artwork (covered under the GPLv2) and in doing so will be required to rebuild the app and redistribute all of the code also. As far as we are aware they complied and now they are substantially less relevant from a branding perspective and no longer really much of a threat to our user community...

    You may not be able to enforce copyright if they comply with the terms of the license the software is distributed under (in this case GPLv2), but you can sure as hell stick it to people who attempt to tarnish your brand with trademark law and certainly make it far less convenient for these scum-balls to do this and still be on the right side of the law.

    -G

  11. FreeSoftware and Drivers by DrYak · · Score: 2

    Also F/LOSS and Drivers share another characteristic:
    both are available for free from the original developer's website.

    You *can* find free copies of drivers for your printer at HP.com
    You *can* find free copies of vlc on videolan.org

    BUT

    If you want the full-blown Microsoft Office or Photoshop, you have to get them from shady websites, because the originals are paid for.

    ---

    Perhaps, what could even further help opensource, is a package manager for Windows opensource software, making it easy to search for, install and upgrade F/LOSS from trusted sources within a single application.
    Something like Steam (or the upcoming application stores for Mac OS X and Windows).

    Clueless users only need to get *that* software from the legit source, and then this software takes care of making sure they get the rest from non-malware infested websites.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]