Comments (19)
@galaxyhaxz As far as your GitHub account is concerned, you could consider adding two-factor authentication to your account.
from devilution.
So here's the thing, whenever any changes are pushed to the repo, it gets logged in the commits. The releases section however, that is not the case. One can simply upload/swap files at whim, and there is no log or history or even notification. The 0.2 release was 861KB and was uploaded more than a week ago. Then, sometime on 06/24 it was silently replaced with a 405KB SFX installer. The virus seems to work very silently, and then disappears. It's possible I could've gotten a virus from an email I received a few days ago. The email was from "Jason Michael" who goes by "uptospeed99". The title asked me about Devilution but the email itself seemed to be spam.
Anyway, I'll try contacting the GitHub admins and see if they have a log of IP addresses that pushed an upload.
The latest release is here: https://github.com/diasurgical/devilution/releases/tag/0.3
Password to the 7-zip file is the SHA1 of the executable: A4CDB3A9F64AD3CD9F40994FDFFBE3AB643BD03F
Devilution.exe file size: 764 KB (782,336 bytes)
from devilution.
The only other person with any permissions is @mewmew but I doubt that.
For reference, I have not uploaded any executables or done anything with the release. All my contributions can be seen here: https://github.com/diasurgical/devilution/commits?author=mewmew
These kinds of things seem to be becoming more commonplace now that open source is large enough to affect mainstream users. Issue tracking a similar incident at Gitea: go-gitea/gitea#4167
Edit: Signed releases are the way to go.
from devilution.
The release has been updated and is now digitally signed and password protected. A SHA-256 is also provided to verify the release. I apologize to any of you who were affected by the virus, hopefully this won't happen again in the future:
https://github.com/diasurgical/devilution/releases/tag/0.3
from devilution.
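One way to check a downloaded release against the values a maintainer publishes, as an added example and not code from the devilution project: it recomputes the byte size and SHA-256 of the artifact, and derives the 7z password as the upper-case SHA-1 of the executable, which is the convention this thread uses. The file names and sample bytes are constructed for the demo.

```python
"""Verify a release artifact against published size/SHA-256, and derive the
7z password from the SHA-1 of the executable (the thread's convention)."""
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=1 << 16):
    """Stream the file once and return (size_in_bytes, sha1_hex, sha256_hex)."""
    sha1, sha256, size = hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, sha1.hexdigest(), sha256.hexdigest()


def verify_release(path, expected_size, expected_sha256):
    """Return a list of problems; an empty list means the artifact matches."""
    size, _, sha256_hex = file_digests(path)
    problems = []
    if size != expected_size:  # a swapped file usually differs in size first
        problems.append(f"size mismatch: got {size} bytes, expected {expected_size}")
    # compare_digest avoids leaking the match position through timing
    if not hmac.compare_digest(sha256_hex.lower(), expected_sha256.lower()):
        problems.append(f"sha256 mismatch: got {sha256_hex}")
    return problems


def archive_password(path):
    """Password for the protected 7z: upper-case SHA-1 of the executable."""
    return file_digests(path)[1].upper()


def demo(tmp_dir=None):
    """Constructed sample: a 'good' release file and a silently swapped one."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    good = os.path.join(tmp_dir, "Devilution.exe")
    with open(good, "wb") as fh:
        fh.write(b"MZ" + b"constructed sample release bytes " * 100)
    size, _, sha256_hex = file_digests(good)  # values the maintainer would publish
    swapped = os.path.join(tmp_dir, "Devilution_swapped.exe")
    with open(swapped, "wb") as fh:
        fh.write(b"MZ" + b"not the same bytes " * 50)  # smaller, different content
    return {
        "good": verify_release(good, size, sha256_hex),
        "swapped": verify_release(swapped, size, sha256_hex),
        "password": archive_password(good),
    }


if __name__ == "__main__":
    print(demo())
```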
Wanted to add here as well that it isn't only devilution or other projects that were injected with trojans. The Gentoo Linux project (which I'm a developer for) also had our GitHub organization projects hacked, and we are currently working on resolving the issue. You can see the announcement here:
https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002
So seems that this wasn't something done from someone within devilution or anything like that, it seems like a problem with github infra or something.
from devilution.
This must be something else. I pasted the link to the exe into several online virus scanners and they all returned clean.
from devilution.
I guess a trojan executable is hidden in the devilution.exe.
Here's the result of devilution.exe.
https://www.virustotal.com/#/file/410cd8754bb61cd20fc54040aefed7676243fbd5667b73c8521f6c1927edac7e/detection
Or you can run it...
from devilution.
The sad part is that @mljack is correct. The executable itself is packed with two files inside, the actual Devilution.exe and a separate file "Diablo.exe" which contains the virus. I just downloaded it and tested everything. The date of the file being packed was 06/24/18, which is strange because I uploaded the release before that. It looks like someone somehow sabotaged the release, possibly GitHub themselves.
I'm removing the release, from now on they will be packed into a .7z or other format so nothing can tamper with them.
from devilution.
@galaxyhaxz
Better sign your releases. Or at least list the file checksum/hash.
If someone could release a binary in your name, I doubt the source code is also in danger.
This deserves a big notice in readme.md.
from devilution.
I don't believe the GitHub conspiracy theory, haha.
Are you the only one with permission to create releases? Maybe your machine is compromised...
from devilution.
The only other person with any permissions is @mewmew but I doubt that. This definitely isn't good, whoever repacked it with a virus definitely knows what they are doing. The virus itself is titled "Diablo.exe", which leads me to believe it wasn't an automated process. Someone could have access to my account, so I'm changing passwords to everything.
I can't believe this happening. How the f**K is this even possible?
from devilution.
At least the source code is clean ;). Checked the build with Avira, no results.
from devilution.
You can also check the file in an online "reverser". I used it once for tests and it gives interesting summaries/output.
https://www.reverse.it/
from devilution.
I'm trying to neutralize the Trojan. Listing what I found so far here in case someone finds this thread from Google. (I think the filenames are randomly generated, so others may see different names and paths.)
- Kill the trojan process. No other related processes are found.
- Remove executables. Delete the executable files in cmd; it does not work in file explorer. Something like:
  del "C:\Users\me\AppData\Roaming\Francochinois\eudic\tmp\me_bWU\ \me_bWU.exe"
  del "C:\Users\me\AppData\Roaming\vlc\art\arturl\5086e21f5fb9d3801765ab2e30c9f2a5\me_bWU\ \me_bWU.exe"
- Stop the scheduled task "me_bWU". It launches every day at 1am.
- Stop autorun on system boot: run msconfig via Win+R. In the Startup tab, there is a ".lnk" item with an unknown manufacturer. Disable it.
- It creates some folders with malformed names. Just leave them alone, since the exe files are all removed.
from devilution.
@Lubieerror Here's the link. Still in progress.
https://www.reverse.it/sample/9d2caeecbe12d527411e6e2b127d3bb8cb5203416b0b3e9f6a8daa75aeeab9da
More:
https://sandbox.pikker.ee/analysis/22776/summary
from devilution.
Interesting read, it seems like they had the exact same problem with the binaries being replaced. I'm starting to think my account was hacked, but the activity log doesn't show any other user than AppVeyor (could that have something to do with it?).
Either way, perhaps signed releases would be the best way to go about this from now on.
from devilution.
This didn't impact anyone who compiled from source right? ONLY those that downloaded the executable from releases?
from devilution.
That's right. It seems that somehow the release was modified to provide a build with an embedded Trojan.
from devilution.