Slashdot Mirror


'StrongPity' Malware Infects Users Through Legitimate WinRAR and TrueCrypt Installers (neowin.net)

Kaspersky Labs has revealed a new strain of malware -- named 'StrongPity' -- which targets users looking for two popular applications, WinRAR and TrueCrypt. The malware contains components that not only have the ability to give attackers complete control of the victim's computer, but also steal disk contents and download other software that the cybercriminals need. From a Neowin report: To be able to gather victims, the attackers have built special fake websites that supposedly host the two programs. One instance that was discovered by the researchers is that the criminals transposed two letters in a domain name, in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.

42 of 105 comments

  1. Title smells like bullshit by truedfx · · Score: 5, Insightful

    "through legitimate WinRAR and TrueCrypt installers"? By what logic are those installers legitimate?

    1. Re:Title smells like bullshit by urbster1 · · Score: 1

      came here to post this

    2. Re:Title smells like bullshit by omnichad · · Score: 2

      Bad writing, but I'm sure the meaning is that it also legitimately installs the actual intended software. Might even be the exact same installer but with a modified payload.

    3. Re:Title smells like bullshit by richy+freeway · · Score: 2

      Isn't that precisely how malware has been spreading since day one?

    4. Re:Title smells like bullshit by SumDog · · Score: 1

      Yea, I was expecting to see something in the article where they somehow injected their malware without changing the MD5 or SHA sums and put them back in the official mirrors. That would have been way more impressive.

    5. Re:Title smells like bullshit by Lumpy · · Score: 2

      not legitimate... It is horrible writing and freaking fearmongering FUD crap that is the norm for slashdot nowadays.

      These are MODIFIED installers, the article needs to be corrected

      --
      Do not look at laser with remaining good eye.
    6. Re:Title smells like bullshit by AHuxley · · Score: 1

      The user seeks out the real crypto software solution.
      Looking at some site, the user then finds some site GUI with a swapped out download that offers poor crypto but has the look and feel of the real crypto software.
      "On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users" (October 3, 2016)
      https://securelist.com/blog/re...
      "Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well."

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Title smells like bullshit by viperidaenz · · Score: 1

      Yellow journalism, or the yellow press, is a type of journalism that presents little or no legitimate well-researched news and instead uses eye-catching headlines to sell more newspapers. Techniques may include exaggerations of news events, scandal-mongering, or sensationalism.

      That pretty much describes every media outlet around these days.

  2. Legitimate by dejitaru · · Score: 3, Insightful

    If it's malware infected, it's not legitimate.

    1. Re:Legitimate by green1 · · Score: 1

      In this case, you're right. But conversely, just because it's legitimate does not mean it's malware-free.

      Of course this makes for clickbait, because legitimate installers installing malware are rare, whereas fake installers installing malware is an everyday occurrence.

  3. Legitimate Installers by Anonymous Coward · · Score: 1

    ... no. How could the malware being served qualify as a legitimate installer?

  4. sounds like by Anonymous Coward · · Score: 1

    someone just downloaded an .exe off a website and ran it.

    If I can get someone to do that, you don't need winrar as part of the equation anymore.

  5. Actual source by Anonymous Coward · · Score: 5, Informative

    Nothing like an ad-infested news page with referral program links to the original source. Here is the actual article, with a sanitized URL:

    http://usa.kaspersky.com/about-us/press-center/press-releases/2016/Kaspersky_Lab_Reveals_Advanced_Persistent_Threat_StrongPity

    1. Re:Actual source by houstonbofh · · Score: 1

      I hate wrapper websites. And why does everyone share the website that just has a youtube video embedded with a dozen ads on it instead of sharing the youtube video?

  6. What about TrueCrypt... by HBI · · Score: 1, Insightful

    Why are people still using something that the authors of same apparently think is compromised?

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:What about TrueCrypt... by Bob+the+Super+Hamste · · Score: 1

      I thought it came out that the authors basically got sick of supporting it and went all scorched earth. That said people should have moved on from TrueCrypt when this was disclosed last year. The VeraCrypt project has that fix as well as taking care of what was found during the limited TrueCrypt audit.

      --
      Time to offend someone
    2. Re:What about TrueCrypt... by HBI · · Score: 2

      I saw something about the "tired of supporting it" bs, but the assumption at the time was that it was a warrant canary of sorts.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    3. Re:What about TrueCrypt... by Kjella · · Score: 2

      Why are people still using something that the authors of same apparently think is compromised?

      Because if they really found a serious bug they'd either patch it or tell people where it is and why it needs fixing. The whole "there's a problem here, but I won't tell you what it is", "trust Microsoft, switch to Bitlocker" and so on was just screaming "there's something we can't tell you". It's designed to ruin their credibility so that nobody would trust another Truecrypt release. Why would they do that? The only logical explanation I can think of is that somebody was trying to force them to add a backdoor and this was their way to permanently refuse. That makes 7.1a the last good version, not one you should throw away. And nobody's found this alleged compromise, so what... they found some extremely cleverly hidden backdoor but decided to not give the slightest hint? Nothing they said makes any sense, which I think was exactly the point. It's nonsense and shouldn't be trusted at all.

      --
      Live today, because you never know what tomorrow brings
    4. Re:What about TrueCrypt... by HBI · · Score: 1

      One could also interpret this differently, as saying they inserted a back door in a previous release. In which case 7.1a is compromised as well.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  7. Why is this here? by thegarbz · · Score: 3, Insightful

    Hasn't this been done 1000 times before? What's new here? Why is this newsworthy?

    1. Re:Why is this here? by omnichad · · Score: 1

      They're going as far as creating lookalike web sites to host it. I haven't seen this exact thing before personally.

    2. Re:Why is this here? by green1 · · Score: 4, Informative

      The headline stated something rare (legitimate installers of popular programs being infested by malware)

      Of course the headline had nothing to do with reality, the article, or even the summary, which is all about the everyday occurrence of fake installers being used to try to trick people into installing malware, which is not new at all.

    3. Re:Why is this here? by Anonymous Coward · · Score: 1

      Why do people feel the need to post "why is this news?" comments? This actually may interest some people. Maybe _you_ already knew it, but there are new people on the site every day. It's pretty egotistical to think that only things that interest you are news. The better question is "why are you posting this?"

    4. Re: Why is this here? by bestweasel · · Score: 1

      I wondered that. The link below mentions unusual and fake certificates.

      The malware first appeared on tamindir.com at the end of 2015 redirecting mainly Turkish users to a clone of the truecrypt site then last month links were put on winrar.it and winrar.be to point to copies of the winrar site which affected mainly Italian and Belgian users respectively. The malware was after details of encryption and passwords.

      There's no word on how the attackers put links to the malware on legitimate sites.

      I'd guess it's an espionage group for hire rather than a state actor or the usual economic criminals.

      https://securelist.com/blog/re...

      "When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. "
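The Securelist advice quoted above boils down to a concrete check: compare the digest of the file you actually downloaded against a digest you obtained from a source you trust independently of the download site. The following is an added example (my code, not from the thread, Kaspersky or the WinRAR/TrueCrypt projects) that parses a coreutils-style SHA256SUMS manifest and verifies a set of downloaded blobs against it; the manifest contents, the "installer" bytes and the file names are constructed for the demo so it runs offline.

```python
"""Verify downloaded installers against a SHA-256 checksum manifest.

Added example. The manifest and the 'downloaded' files are constructed in
memory. In real use the SHA256SUMS file (and ideally its PGP signature)
must come from a channel you trust independently of the download mirror:
a checksum published on the same typosquatted site as the installer
proves nothing, because the attacker controls both.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Manifest line format: "<64 hex chars><spaces or tab>[*]<filename>".
# The optional '*' marks binary mode in GNU sha256sum output and is ignored.
_LINE = re.compile(r"^([0-9a-fA-F]{64})[ \t]+\*?(\S.*)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Return {filename: lowercase hex digest}; malformed lines raise ValueError."""
    sums: Dict[str, str] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a SHA-256 manifest entry: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in sums and sums[name] != digest:
            raise ValueError(f"line {n}: conflicting digests for {name}")
        sums[name] = digest
    return sums


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(manifest: Dict[str, str],
           downloads: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Compare each downloaded blob with the manifest.

    Returns (ok, mismatched, unlisted). A file with no reference digest is
    reported separately: 'no digest to check' is not the same as 'verified'.
    """
    ok: List[str] = []
    bad: List[str] = []
    unlisted: List[str] = []
    for name, data in downloads.items():
        expected = manifest.get(name)
        if expected is None:
            unlisted.append(name)
            continue
        actual = sha256_of(data)
        # compare_digest is constant-time; not essential for public hashes, costs nothing.
        (ok if hmac.compare_digest(actual, expected) else bad).append(name)
    return ok, bad, unlisted


# Constructed sample data: a genuine installer, a tampered one, and a manifest.
GENUINE = b"MZ\x90\x00 genuine installer bytes (constructed)"
TROJANED = GENUINE + b"\x00 appended payload (constructed)"
MANIFEST_TEXT = (
    f"{sha256_of(GENUINE)}  winrar-installer.exe\n"
    f"{sha256_of(b'the real truecrypt bytes (constructed)')}  truecrypt-installer.exe\n"
)


def demo() -> Tuple[List[str], List[str], List[str]]:
    manifest = parse_sha256sums(MANIFEST_TEXT)
    downloads = {
        "winrar-installer.exe": GENUINE,       # matches the manifest
        "truecrypt-installer.exe": TROJANED,   # does not match: do not run it
        "readme.txt": b"not in manifest",      # nothing to check against
    }
    return verify(manifest, downloads)


if __name__ == "__main__":
    ok, bad, unlisted = demo()
    print("verified:             ", ok)
    print("MISMATCH, do not run: ", bad)
    print("no reference digest:  ", unlisted)
```

The three-way result matters in practice: a mismatch means the file is not what the publisher shipped, and an unlisted file has simply not been checked. Neither case should be silently treated as a pass.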

  8. Re:Neowin headline error by green1 · · Score: 1

    I'm more surprised that Slashdot passed on the error without thinking how stupid it sounded.

    You must be new here.

  9. Malware controls victim's Windows computer by khz6955 · · Score: 1

    "The malware contains components that not only has the ability to give attackers complete control on the victim's computer"

    Msmash forgot to mention that this malware is only effective on Microsoft Windows. Go here for an alternative to the Microsoft industry standard.

    1. Re:Malware controls victim's Windows computer by houstonbofh · · Score: 1

      To be fair, not a lot of people install WinRAR on Linux.

    2. Re:Malware controls victim's Windows computer by cfalcon · · Score: 1

      I'm pretty sure you can in WINE. And Truecrypt has Linux versions for sure.

    3. Re:Malware controls victim's Windows computer by AHuxley · · Score: 1

      The "compromised" issues have finally been understood from the small developer to huge US brands crypto perspective and as junk international "standards".
      Other code might be security service friendly by design as a small front company, gov fronted start up or via developers who had to make deals or had cash offers made by govs or got trapped under a US NSL at work.
      It's hard to find good crypto that works. Look at the help the security services got over everyday crypto by big US brands under PRISM or VPN security under BULLRUN, Dual_EC_DRBG issues
      Microsoft helped Prism decrypt your emails and Skype, says report (July 12, 2013)
      http://www.techradar.com/news/...
      BULLRUN https://en.wikipedia.org/wiki/...
      https://securelist.com/blog/re...
      "key loggers and additional data stealers." and "effectively steal disk contents"

      --
      Domestic spying is now "Benign Information Gathering"
  10. Re:Neowin headline error by houstonbofh · · Score: 1

    Clickbait is not an error. It is intentional. You clicked...

  11. Re:Simple to stop via hosts files... apk by houstonbofh · · Score: 1

    Are you going to list every possible misspelling of the websites? Enumerating badness does not work. Has not for a long time... http://www.ranum.com/security/...
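The point above (you cannot block typosquats by enumerating misspellings) has a constructive counterpart: keep a short allowlist of the download domains you actually trust and flag anything that is a small edit away from one of them. Below is an added example (my code, not from the thread or the Securelist post) that does this with a Damerau-Levenshtein distance, so the "two letters transposed" trick from the summary counts as a single edit. The allowlist and the candidate hostnames are constructed for the demo and are not a vetted list.

```python
"""Flag lookalike download domains without enumerating every misspelling.

Added example. Instead of a hosts-file blocklist, compare each observed
hostname's registrable domain against a small allowlist of trusted
download domains. Flag it if the brand label is within one edit
(insertion, deletion, substitution or adjacent transposition) of a
trusted brand, or if it reuses a trusted brand label on a TLD that is
not on the allowlist. LEGIT_DOMAINS and SAMPLE_HOSTS are assumptions
for the demo, not a vetted list.
"""
from typing import Iterable, List, Optional, Set, Tuple

# Assumed allowlist: domains you have verified out of band.
LEGIT_DOMAINS: Set[str] = {"rarlab.com", "win-rar.com", "truecrypt.org"}


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.

    Adequate for .com/.org in a demo; a real deployment should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition counted as one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def classify(host: str, allowlist: Iterable[str] = LEGIT_DOMAINS,
             max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return ('allow', domain), ('suspect', closest_trusted) or ('unknown', None)."""
    allow = sorted(set(allowlist))  # sorted so ties resolve deterministically
    dom = registrable(host)
    if dom in allow:
        return ("allow", dom)
    brand = dom.split(".")[0]
    best: Optional[Tuple[int, str]] = None
    for legit in allow:
        dist = damerau_levenshtein(brand, legit.split(".")[0])
        if best is None or dist < best[0]:
            best = (dist, legit)
    # distance 0 here means the brand label is exact but the TLD is not trusted
    if best is not None and best[0] <= max_distance:
        return ("suspect", best[1])
    return ("unknown", None)


# Constructed candidates, the sort of hostnames you would pull from proxy logs.
SAMPLE_HOSTS: List[str] = [
    "www.truecrypt.org",  # genuine
    "turecrypt.org",      # two letters transposed
    "truecrypt.net",      # right brand label, untrusted TLD
    "rarlba.com",         # transposition of rarlab
    "win-rar.com",        # genuine
    "example.com",        # unrelated
]


def scan(hosts: Iterable[str] = SAMPLE_HOSTS) -> List[Tuple[str, str, Optional[str]]]:
    return [(h,) + classify(h) for h in hosts]


if __name__ == "__main__":
    for host, verdict, ref in scan():
        print(f"{verdict:8} {host:22} {ref or ''}")
```

A distance threshold of 1 keeps false positives down for short brand labels; for longer labels you can raise it, and a real deployment would also fold in homoglyph normalisation (e.g. rn vs m, 0 vs o), which this edit distance does not cover.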

  12. So NOT legitimate, then by wonkey_monkey · · Score: 1

    'StrongPity' Malware Infects Users Through Legitimate WinRAR and TrueCrypt Installers

    in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.

    It certainly fooled whoever submitted the story.

    Now, will someone at Slashdot bother to fix it?

    --
    systemd is Roko's Basilisk.
  13. Re:Wait.. by SumDog · · Score: 2

    7zip is open source and I'm pretty sure it handles rar/zip/gzip too.

  14. Re:On ./ by campuscodi · · Score: 2

    I'll just leave this here: "The owner of dotslash.org is offering it for sale for an asking price of 10000 USD!"

  15. Re:Wait.. by NotAPK · · Score: 3, Interesting

    7-zip decompresses RAR files, and makes 7z (LZMA and LZMA2) files which are smaller, "better"* (support multi threaded compression/decompression and AES encryption) and is multi-platform and open source. Absolutely no reason why it shouldn't be your compression format of choice.

  16. Why use WinRAR? by nuckfuts · · Score: 1

    Why do people even download WinRAR? For the odd occasion I need to extract a WinRAR archive, the free and open source 7-zip works fine. It also handles a number of other formats, and is fast. (For example, it is MUCH faster at extracting ZIP archives than Windows Explorer).

  17. Re:Wait.. by youngone · · Score: 1

    From my experience, every dodgy construction company in China uses the same pirated version of WinRAR.

    Except for the one construction supplies company who sent infected .rars to several of my users. (To be fair that was about 8 years ago. Things may have got better but I wouldn't hold my breath).

  18. Considering removing slashdot from favourites by just+another+AC · · Score: 1

    This is supposedly a tech news site.
    There is no way that editing can accidentally be that shit. Malware in "Legitimate installer" - wow that is news. Click through to standard bullshit.

    Things like this are a good way to drive away the readership. Only reason I still visit is that the community is still large enough to have interesting discussions around the articles (although the trolling etc is getting worse as time goes on)

    (Just wish a few other alternatives would get more active communities)

  19. Ok, folks, where is the story? by Opportunist · · Score: 1

    First of all, the headline is misleading. For it to be true, you'd have to get infected somehow by installing genuine WinRAR and TrueCrypt software you downloaded from trusted (and trustworthy), genuine sources. Now THAT definitely WOULD be a story!

    But what do we have instead? Malware writers using typosquatting techniques to get people to install genuine looking software. Now, it's been a while that I've left the malware analysis business, but even back then, well over a decade ago, this would not have made the news anymore. Or is it news because that technique is SO ancient that nobody remembers it anymore?

    Damn millennials and their goldfish-dimension long term memory!

    No, but seriously, what the hell is the news here? That malware authors get nostalgic when it comes to distribution? So Retro isn't just for music and games anymore? Are we going to get file infectors again, too? And hand crafted, self-morphing viruses? That would at least be interesting to analyze again.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Re:Once-legitimate, hosted on a different domain.. by ACE209 · · Score: 1

    Don't be mean.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
  21. Re: Wait.. by NotAPK · · Score: 1

    Cheers, I haven't seen disk fragmentation myself, but I'll look out for it from now on.

    And yes, I think you're correct, I don't think 7zip has any recovery or repair mode, but it does make a "best effort" and in my experience will partially recover damaged archives. Of course, since it will depend enormously on the exact file structure, archive structure, and level of damage, this should be regarded more as an anecdote than advice.

  22. Re:Wait.. by A+Friendly+Troll · · Score: 1

    7-Zip has no recovery options. If you're doing backups, but not testing them (which is a classic home scenario), RAR and its extra recovery data can save you.