Slashdot Mirror


Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps (zdnet.com)

An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

54 comments

  1. Oh no! by The-Ixian · · Score: 1

    Not my bounceball app! I can no longer download bounceball on new computers! Thanks GitHub! How am I supposed to bounce a ball now?!

    --
    My eyes reflect the stars and a smile lights up my face.

    1. Re:Oh no! by Anonymous Coward · · Score: 0

      That reminds me of a guy that used to post here a lot. His name was also creimer.

  2. 300? by Anonymous Coward · · Score: 0

    Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps

    One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries.

    Someone posts a crapload of malicious code to their own account. Is this really news?

    1. Re:300? by Anonymous Coward · · Score: 0

      ... creimer has been

      wow. you really don't have a life do you?

  3. ya think? by evanchik · · Score: 1

    Autosploit is the script kiddy app of them all. But other code, which may be of "malicious" intent, is sometimes used to learn how this computer I have works, and to "control" it. Falls under free speech, unless used for profit. If it's posted on GitHub to the world, then it's not. They should be thankful (Microsoft and others) and actually fix the issues they are exploiting. It's like a PoC to-do list for development security.

    1. Re: ya think? by Anonymous Coward · · Score: 0

      Zoom!

  4. Dunkins by Oswald+McWeany · · Score: 2

    Andrew Dunkins may host a lot of malware- but he makes some semi-decent doughnuts.

    --
    "That's the way to do it" - Punch

  5. ffmpeg in the list by technology_dude · · Score: 1

    Does this mean VLC is compromised? That is a huge deal if so.

    1. Re:ffmpeg in the list by Anonymous Coward · · Score: 1

      I would think they'd be professional enough to get ffmpeg from the original source, not some cloned repo or binary off some donut dude.

    2. Re:ffmpeg in the list by Anonymous Coward · · Score: 0

      Obviously VideoLAN wouldn't use some random repo from GitHub. You must know that there are hundreds of clone repo all over the web.

    3. Re:ffmpeg in the list by Rockoon · · Score: 1

      I don't think it's about being professional.

      My 70+ year old father sees GitHub as "safe" because "open source" after being told repeatedly for years that open source was safe.

      --
      "His name was James Damore."

  6. Containers by Bigbutt · · Score: 4, Interesting

    How many containers that are downloaded regularly to systems also contain malicious code? Do people verify what's being retrieved? I create my own OS containers when building a pod but I'm probably a bit in the minority. When you run that demo and load up an nginx container, are you confident it's not tainted?

    [John]

    --
    Shit better not happen!

    1. Re:Containers by Anonymous Coward · · Score: 0

      There is an easy way to find out; type the following command. If it displays no output, it means you are safe:
      grep creim container.img

    2. Re:Containers by Anonymous Coward · · Score: 0

      When you run that demo and load up an nginx container, are you confident it's not tainted?

      Is there any reason to think that the official NGINX container is any less secure than the official binary that the official container downloads from the official DEB repository?

    3. Re:Containers by Bigbutt · · Score: 1

      I was using it as an example as I recently followed a demo for kubeadm which had me pulling three nginx containers. How many other containers are out there that folks may be using that aren't official containers like the nginx one though?

      [John]

      --
      Shit better not happen!
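The question raised in this sub-thread (does anyone verify what they pull?) has a concrete, offline answer. The following is an added example, not code from the thread or from any project mentioned in it. It does two things a consumer can do before running anything: compare a downloaded file's SHA-256 against the checksum manifest the upstream author publishes (obtained over a separate, trusted channel, never from the same mirror as the binary), and refuse container image references that use a mutable tag rather than an immutable content digest. The manifest, the file contents and the artifact name `tool-1.0-linux-amd64` are constructed for the example.

```python
"""Added example: verify pulled artifacts before trusting them.

Assumptions (not from the original page): the upstream project publishes a
sha256sum-format manifest (SHA256SUMS), and image references are expected in
the form name[:tag]@sha256:<64 hex digits>.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed manifest, as an upstream project might publish next to a release.
# The digest is SHA-256 of the bytes b"hello\n" (the sample "binary" below).
UPSTREAM_SHA256SUMS = """\
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  tool-1.0-linux-amd64
"""

# name[:tag]@sha256:<digest>: the digest, not the tag, is what pins the content.
IMAGE_DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse 'HASH  NAME' lines (sha256sum output) into {name: hash}; reject malformed lines."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if not re.fullmatch(r"[0-9a-f]{64}", digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        sums[name] = digest
    return sums


def verify_artifact(path: Path, manifest: str, name: Optional[str] = None) -> bool:
    """True only if the file's SHA-256 equals the manifest entry for its name.

    An artifact missing from the manifest is reported as unverified (False),
    not silently accepted.
    """
    expected = parse_sha256sums(manifest).get(name or path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def is_digest_pinned(image_ref: str) -> bool:
    """True for refs pinned by content digest; False for tag-only refs like nginx:latest."""
    return IMAGE_DIGEST_RE.fullmatch(image_ref) is not None


def demo() -> Dict[str, bool]:
    """Run the checks on a constructed good file, a repackaged copy, and two image refs."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "tool-1.0-linux-amd64"
        good.write_bytes(b"hello\n")
        # Same name as published, but the bytes were altered by a re-uploader.
        tampered = Path(d) / "tool-1.0-linux-amd64.from-mirror"
        tampered.write_bytes(b"hello\n# extra bytes added by a repackager\n")
        return {
            "good": verify_artifact(good, UPSTREAM_SHA256SUMS),
            "tampered": verify_artifact(tampered, UPSTREAM_SHA256SUMS, name="tool-1.0-linux-amd64"),
            "pinned": is_digest_pinned("docker.io/library/nginx:1.25@sha256:" + "a" * 64),
            "tag_only": is_digest_pinned("nginx:latest"),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'verified' if ok else 'REJECTED'}")
```

The manifest lookup deliberately returns False for an unknown name: a file that the author never published a checksum for is exactly the case the thread is about, and it should fail closed rather than fall through.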

  7. Re:No "1st" & here's e.g. thereof... apk by Anonymous Coward · · Score: 0

    But you are also blocking my 25+ websites, blogs and vlogs, why?????

    --
    "Is Wreck Ralph The Next Casey Neistat for Young Wannabe YouTubers?" #SomethingPositive & Hard work ! :)

  8. Micro$oft by Anonymous Coward · · Score: 0

    Must be the first to say: all Micro$oft fault. GitHub is dead.

    1. Re:Micro$oft by Anonymous Coward · · Score: 0

      But still, this is no reason not to
      Get Microsoft Certified With Confidence Voucher ($100+).
      https://www.youtube.com/watch?...

  9. How about all other open source apps? by Anonymous Coward · · Score: 0

    Anybody seriously think that, it never occurred to countless hacker groups & malware writers in the world, to add their own (extremely hard to detect) bugs to common open source software, to use as backdoors?

    For example, notice how often broken databases in the internet, are from an open source database!!!

  10. I block it as listed by security pros by Anonymous Coward · · Score: 0

    Better SAFE than SORRY so I block it as listed by security pros is why & I agree w/ them. Others don't have to & can edit hosts easily (unlike other methods that wildcard like DNS or addons using regex (might as well be 'chinese' to non-coders vs. hosts easy edit which is like phonebook entries)).

    * There ya go... perhaps you ought to switch to WHIPSLASH's openSORES site (he has one you know in SOURCEFORGE).

    He owns it along w/ slashdot. Consider it. It may be safer. I know /.'s been hit w/ malscript iirc & so was sourceforge (or was it a malware like this hosted there? 1 of those 2 happened before).

    APK

    P.S.=> PLUS, for all I know (considering the UNIDENTIFIABLE anonymous STALKERS I have constantly "riding me" which EVERYONE here sees & KNOWS happens (especially gweihir who KNOWS they impersonate me & TRIED to him also))? YOU may possibly be one of the culprits in a malwaremaker/botnet herder yourself for all I know... apk

  11. Happened before too (nodejs/npm & more)... apk by Anonymous Coward · · Score: 0

    See subject & https://securityintelligence.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c...

    * The thieves & morons doing bots/malware = assholes which I'm sure you agree with based on YOUR sentiments.

    APK

    P.S.=> What I do about it is here (from my earlier post) https://developers.slashdot.or... ... apk

  12. You're fucking nuts, apk. by Anonymous Coward · · Score: 0

    Get a frigging life and give up the creimer obsession, you'll get a restraining order.

    1. Re:You're fucking nuts, apk. by Anonymous Coward · · Score: 0

      Apk's correct though with valid proofs and you anonymous creimertards project your own misdoings falsely accusing apk of them.

  13. Real quotes about me and my work... APK by Anonymous Coward · · Score: 0

    Your software is just crap - written in crayon, fictional... I'm going to continue using the Host File Engine as a punchline to a joke by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is fucking insane - by JazzLad April 20, 2016

    his hosts "program" is actually a broken batch file by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to be a laughingstock while consuming excessive amounts of alcohol by alexgieg September 25 2015

    I've never tried to belittle (APK's work), I've flat out said it's crap - by BronsCon (927697)

    I like your tinfoil hat by Karmashock September 09 2015

    that APK nut, I can't get him to stop talking about his piece of shit file by rogoshen1 Tuesday March 03, 2015

    APK

    P.S.=> When YOU do better than THAT by our /. registered peers, then talk (from behind your FAKE NAME for your FAKE LIE of a "so-called" WASTED life) - ok? apk

  14. Get it from the author, not a thief. by Anonymous Coward · · Score: 0

    Simples. And for the rest, if you don't know who it is, whether closed or open source, why the fuck are you getting anything from them without looking it over??? Do you buy your cars from some guy in a pub offering you one? No? Then why are you doing the same for closed source (the binaries will be backdoored, the code itself shows the backdoor: just fucking look if you get the source rather than the binaries, the root is pretty easy to spot: why is it asking to download stuff from a http site?)?

    If you bought a copy from a back street seller of Windows Professional, would you install it and never wonder any more about it? No. If it looks odd, you won't even buy it. At the very least you'll never put it on the internet, and assume AT LEAST it is an illegal copy, even if not rooted, so putting it on the internet would only get MS to delete your OS and send the BSA around.

  15. Re:That's what he was up to! by Anonymous Coward · · Score: 0

    That's what he was up to since he left Slashdot!

    Yes, I am talking about you, creimer!

    nice work when you can get it. and he gets to live in your head, rent-free.

  16. Re:No "1st" & here's e.g. thereof... apk by Anonymous Coward · · Score: 0

    You block github, but post on slashdot, a sister company to sourceforge, who actively inserted malware into hosted projects' windows installers.

  17. Re: No "1st" & here's e.g. thereof... apk by Anonymous Coward · · Score: 0

    Were you the guy cured of AIDS or do you still have it?

  18. Sneakers? Sheesh by mnemotronic · · Score: 1

    Of all the malware they could be pushing ... bots buying over-priced connie high-tops. I am so out-of-touch with this life priority.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.

  19. No "1st" & here's e.g. thereof... apk by Anonymous Coward · · Score: 0

    Idiot unidentifiable anon trolls gave me guff for BLOCKING github in hosts (ESET noted threatvector https://www.welivesecurity.com... )!

    * Just goes to show you they're either MORONS/DOLTS or malware makers/botnet herders themselves...

    Want more e.g. of github hosting malware?

    See subject & https://securityintelligence.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c... + https://www.bleepingcomputer.c...

    P.S.=> The thieves & morons doing bots/malware = assholes & it is getting "outta control" on OpenSORES sites & yes, CLOUD HOSTING too (along w/ short-lived SPAM domains outta GoDaddy hosting providers allowing it CHEAP via "$1 unlimited domain/subdomain" stuff too)... apk

  20. I noted that in another post... apk by Anonymous Coward · · Score: 0

    I see less on sourceforge but I did mention it happens there too https://developers.slashdot.or... cid=58219054 & this is also WHY I don't allow scripts on this site (OR OTHERS usually either blocking them the FASTEST WAY on 3rd party in hosts, operating LONG BEFORE say, NoScript does in slower usermode (still good addon, only 1 I use, helps me FIND BAD SITES/SCRIPTS in fact to ADD TO HOSTS)

    AND + I don't "OpenSORES" my code (due to what happened to GOOGLE's CHROME being subverted into malware EFast).

    * SLASHDOT / SOURCEFORGE stopped what you note on installers though iirc.

    APK

    P.S.=> The people hosting this stuff on websites & yes, OpenSORES dev sites aren't patrolling for this stuff & checking it apparently - very bad, part of (again) WHY I don't do it (opensores)... apk

  21. Still IMPERSONATING me JEALOUS "Lil' Jowie"? by Anonymous Coward · · Score: 0

    HILARIOUS u ADMIT u have a /. acct & STALK me by UNIDENTIFIABLE ac https://hardware.slashdot.org/... - YOU have ISSUES, lunatic.

    See subject & that's the "best ya got"? It proves You WISH you were ME (as your POOR imitation = the sincerest form of flattery).

    Instead of WASTING your life STALKING me by UNIDENTIFIABLE anonymous posts OR IMPERSONATING me (since you WISH you were me)? Make a Wheel https://isc.sans.edu/forums/di... as I have that gives users more speed/security/reliability & anonymity NATIVELY doing more for less vs. ANY single 'solution' out there!

    * LASTLY - the ONLY time you start IMPERSONATING me vs. STALKING me by UNIDENTIFIABLE anon posts is WHEN YOU ARE OUT OF "downmodpoints" I can easily NULLIFY by REPOSTING my posts RUNNING YOU DRY of them after you ABUSE them - I must've already, lol!

    APK

    P.S.=> I know WHY you do it though (out of "butthurt angst", lol): I've BLOWN YOU AWAY so many times under your MANY alter-ego SOCKPUPPET /. accounts FAKENAMES you're out for "revenge" only to have EGG ON YOUR FACE yet again https://tech.slashdot.org/comm... ... apk

    1. Re: Still IMPERSONATING me JEALOUS "Lil' Jowie"? by Anonymous Coward · · Score: 0

      just got off shift and have sore knees, eh?

  22. The REAL UNALTERED quotes on my work by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * SINCE ALL YOU DO IS IMPERSONATE ME & OTHERS https://developers.slashdot.or... I note there.

    APK

    P.S.=> Linux model's faster/more efficient/better MERGE feature too - More coming... apk

  23. This is fucking terrifying. by flacco · · Score: 1

    Pretty sure the "sneaker auction" functionality was a placeholder.

    --
    pr0n - keeping monitor glass spotless since 1981.

    1. Re: This is fucking terrifying. by soso31 · · Score: 1

      Thanks GitHub! How am I supposed to bounce a ball now?! https://audacity.onl/ https://findmyiphone.onl/ https://origin.onl/

  24. Re:Aw, poor little Juden shekelboy, lol... apk by Anonymous Coward · · Score: 0

    Impersonating APK again I see. APK is not a jew shekul boy.

  25. Definitely a Chinese operation by Anonymous Coward · · Score: 0

    Chinese are the biggest sneakerhead Nike addicts. No white guy gives a shit about Air Jordans, let's be real.

  26. Projecting again, JEALOUS "Lil' Jowie"? by Anonymous Coward · · Score: 0

    Projecting again, JEALOUS "Lil' Jowie"? I don't get on my knees for anyone BUT I do FLOOR YOU easily https://tech.slashdot.org/comm... forcing YOU to YOUR KNEES as that evidence shows, lol!

    * Grow up!

    APK

    P.S.=> Impersonating me & lying + LIBELING me as well as STALKING me shows you have NO RESPECT for the law https://developers.slashdot.or... which my reply in that link addresses with this one as well - grow up! apk

  27. I don't have AIDS (never did & can't)... apk by Anonymous Coward · · Score: 0

    I don't have AIDS (never did & can't) - I found out literally 36++ yrs. ago I lack the CC5 receptor the AIDS virus "hooks into" cells with.

    * I'm one of the VERY LUCKY FEW that do via genetic inheritance in fact!

    APK

    P.S.=> You TRULY DO WISH you were ME (in more ways than that too lol e.g. as I completely DESTROYED YOU PUBLICLY in tech fact https://tech.slashdot.org/comm... hahahaha & easily as always)... apk

  28. Malware found on sourceforge today too by Anonymous Coward · · Score: 0

    See subject & a malware on sourceforge https://safeweb.norton.com/rep...

    APK

    P.S.=> Like I said - it's getting outta control & the "bad guys" ARE attacking even sourcecode others use in OpenSORES.... apk

  29. Malware found on sourceforge too by Anonymous Coward · · Score: 0

    See subject & a malware on sourceforge https://safeweb.norton.com/rep...

    APK

    P.S.=> Like I said - it's getting outta control & the "bad guys" ARE attacking even sourcecode others use in OpenSORES.... apk

  30. Malware found on sourceforge too by Anonymous Coward · · Score: 0

    See subject & a malware on sourceforge https://safeweb.norton.com/rep...

    APK

    P.S.=> Like I said - it's getting outta control & the "bad guys" ARE attacking even sourcecode others use in OpenSORES or hosting malware outta the OpenSORES repositories like github &/or sourceforge too.... apk

  31. Malware found on sourceforge too by Anonymous Coward · · Score: 0

    See subject & malware on sourceforge https://safeweb.norton.com/rep...

    APK

    P.S.=> Like I said - it's getting outta control & the "bad guys" ARE attacking even sourcecode others use in OpenSORES or hosting malware outta the OpenSORES repositories like github &/or sourceforge too.... apk

  32. Malware found on sourceforge too by Anonymous Coward · · Score: 0

    See subject & a malware on sourceforge https://safeweb.norton.com/rep...

    APK

    P.S.=> As I said - it's getting outta control & the "bad guys" ARE attacking even sourcecode others use in OpenSORES or hosting malware outta the OpenSORES repositories like github &/or sourceforge too.... apk