Slashdot Mirror


Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps (zdnet.com)

An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

11 of 54 comments

  1. Oh no! by The-Ixian · · Score: 1

    Not my bounceball app! I can no longer download bounceball on new computers! Thanks GitHub! How am I supposed to bounce a ball now?!

    --
    My eyes reflect the stars and a smile lights up my face.
  2. ya think? by evanchik · · Score: 1

    Autosploit is the script kiddy app of them all. But other code, which may be of "malicious" intent, is sometimes used to learn how this computer I have works, and to "control" it. Falls under free speech, unless used for profit. If it's posted on GitHub to the world, then it's not. They should be thankful (Microsoft and others) and actually fix the issues they are exploiting. It's like a PoC to-do list for development security.

  3. Dunkins by Oswald+McWeany · · Score: 2

    Andrew Dunkins may host a lot of malware, but he makes some semi-decent doughnuts.

    --
    "That's the way to do it" - Punch
  4. ffmpeg in the list by technology_dude · · Score: 1

    Does this mean VLC is compromised? That is a huge deal if so.

    1. Re:ffmpeg in the list by Anonymous Coward · · Score: 1

      I would think they'd be professional enough to get ffmpeg from the original source, not some cloned repo or binary off some donut dude.

    2. Re:ffmpeg in the list by Rockoon · · Score: 1

      I don't think it's about being professional.

      My 70+ year old father sees GitHub as "safe" because "open source" after being told repeatedly for years that open source was safe.

      --
      "His name was James Damore."
  5. Containers by Bigbutt · · Score: 4, Interesting

    How many containers that are downloaded regularly to systems also contain malicious code? Do people verify what's being retrieved? I create my own OS containers when building a pod but I'm probably a bit in the minority. When you run that demo and load up an nginx container, are you confident it's not tainted?

    [John]

    --
    Shit better not happen!
    1. Re:Containers by Bigbutt · · Score: 1

      I was using it as an example as I recently followed a demo for kubeadm which had me pulling three nginx containers. How many other containers are out there that folks may be using that aren't official containers like the nginx one though?

      [John]

      --
      Shit better not happen!
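The two posts above ask whether anyone verifies what gets pulled. The following is an added example, not code from the article, from GitHub, or from any commenter, of the two checks a pipeline can apply before it trusts a download: is a container image reference pinned to a content digest rather than a mutable tag, and does a downloaded artifact match the SHA-256 the upstream project published (not one published by whoever mirrored it). The image names, the allowlist, the `SAMPLE_RELEASE` bytes and the all-zero digest are constructed placeholders for this example.

```python
"""Constructed example: check that what you pull is what you pinned.

Two defensive checks a practitioner would wire into a build or deploy step:
1. Is a container image reference pinned to a content digest, or does it
   float on a mutable tag (``nginx:latest``) that a registry can repoint?
2. Does a downloaded artifact match the SHA-256 digest published by the
   upstream project (not by whoever mirrored it)?
"""
import hashlib
import hmac
import re

# A digest-pinned reference ends in "@sha256:" followed by 64 lowercase hex characters.
_DIGEST_RE = re.compile(r"@sha256:([0-9a-f]{64})$")

# Constructed stand-in for a downloaded release binary (not a real artifact).
SAMPLE_RELEASE = b"constructed stand-in for a downloaded release binary\n"


def is_digest_pinned(image_ref: str) -> bool:
    """Return True only if the reference names immutable content.

    'nginx' and 'nginx:1.25' resolve through a tag the registry can repoint;
    a '...@sha256:<64 hex>' reference cannot be silently swapped.
    """
    return _DIGEST_RE.search(image_ref) is not None


def repository_of(image_ref: str) -> str:
    """Strip the digest and tag from a reference, leaving registry/repository.

    A ':' in the last path segment is a tag; a ':' before a '/' belongs to a
    registry port (registry.example.com:5000/nginx) and must be kept.
    """
    name = image_ref.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}{sep}{last}"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes as lowercase hex, the usual publication format."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the artifact's digest with the pinned digest in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.strip().lower())


def check_pull(image_ref: str, allowlist: set[str]) -> tuple[bool, str]:
    """Admission-style decision for an image pull in a deploy pipeline.

    Policy (constructed for this example): the repository must be on an
    allowlist of images you actually vetted, and the reference must be
    digest-pinned. Returns (allowed, reason).
    """
    repo = repository_of(image_ref)
    if repo not in allowlist:
        return False, f"{repo!r} is not a vetted image"
    if not is_digest_pinned(image_ref):
        return False, f"{image_ref!r} floats on a tag; pin it to @sha256:<digest>"
    return True, "ok"


if __name__ == "__main__":
    # What the upstream project would publish alongside the release.
    pinned = sha256_hex(SAMPLE_RELEASE)
    print(verify_artifact(SAMPLE_RELEASE, pinned))            # True
    print(verify_artifact(SAMPLE_RELEASE + b"\x90", pinned))  # False: one appended byte
    # Placeholder digest (all zeros) only to show the pinned form; constructed.
    for ref in ("nginx:latest", "nginx@sha256:" + "0" * 64, "someone/nginx@sha256:" + "0" * 64):
        print(ref, check_pull(ref, {"nginx"}))
```

The digest check answers the "is it tainted?" question only relative to a digest you obtained from the project itself; a hash published next to a mirrored binary proves nothing, which is why the allowlist of vetted repositories sits in front of the pin check.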
  6. Sneakers? Sheesh by mnemotronic · · Score: 1

    Of all the malware they could be pushing ... bots buying over-priced connie high-tops. I am so out-of-touch with this life priority.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  7. This is fucking terrifying. by flacco · · Score: 1

    Pretty sure the "sneaker auction" functionality was a placeholder.

    --
    pr0n - keeping monitor glass spotless since 1981.
    1. Re: This is fucking terrifying. by soso31 · · Score: 1

      Thanks GitHub! How am I supposed to bounce a ball now?! https://audacity.onl/ https://findmyiphone.onl/ https://origin.onl/