Trojan in released Devilution.exe ??? #97
Comments
|
This must be something else. I pasted the link to the exe into several online virus scanners and they all returned clean. |
|
I guess a trojan executable is hidden in the devilution.exe. Or you can run it... |
|
The sad part is that @mljack is correct. The executable itself is packed with two files inside, the actual Devilution.exe and a separate file "Diablo.exe" which contains the virus. I just downloaded it and tested everything. The date of the file being packed was 06/24/18, which is strange because I uploaded the release before that. It looks like someone somehow sabotaged the release, possibly GitHub themselves. I'm removing the release, from now on they will be packed into a .7z or other format so nothing can tamper with them. |
|
@galaxyhaxz Deserve a big noticing in readme.md. |
|
I don't believe the GitHub conspiracy theory, haha. |
|
The only other person with any permissions is @mewmew but I doubt that. This definitely isn't good, whoever repacked it with a virus definitely knows what they are doing. The virus itself is titled "Diablo.exe", which leads me to believe it wasn't an automated process. Someone could have access to my account, so I'm changing passwords to everything. I can't believe this happening. How the f**K is this even possible? |
|
@galaxyhaxz As far as your GitHub account is concerned, you could consider adding two-factor authentication to your account. |
|
At least the source code is clean ;). Checked the build with Avira, no results. |
|
You can also check the file in online "reverser". I used it once for tests and it give interesting summaries/output. |
|
I'm trying to neutralize the Trojan. List what I found so far here in case someone find this thread from google: (I think the filenames are random generated, so others may see different names and paths.)
|
|
@Lubieerror Here's the link. Still in progress. |
|
So here's the thing, whenever any changes are pushed to the repo, it gets logged in the commits. The releases section however, that is not the case. One can simply upload/swap files at whim, and there is no log or history or even notification. The 0.2 release was 861KB and was uploaded more than a week ago. Then, sometime on 06/24 it was silently replaced with a 405KB SFX installer. The virus seems to work very silently, and then disappears. It's possible I could've gotten a virus from an email I received a few days ago. The email was from "Jason Michael" who goes by "uptospeed99". The title asked me about Devilution but the email itself seemed to be spam. Anyway, I'll try contacting the GitHub admins and see if they have a log of IP addresses that pushed an upload. The latest release is here: https://github.com/diasurgical/devilution/releases/tag/0.3 |
For reference, I have not uploaded any executables or done anything with the release. All my contributions can be seen here: https://github.com/diasurgical/devilution/commits?author=mewmew These kind of things seem to become more common place now that open source is large enough to affect mainstream users. Issue tracking a similar incident of Gitea: go-gitea/gitea#4167 Edit: Signed releases is the way to go. |
|
Interesting read, it seems like they had the exact same problem with the binaries being replaced. I'm starting to think my account was hacked, but the activity log doesn't show any other user than AppVeyor (could that have something to do with it?). Either way, perhaps signed releases would be the best way to go about this from now on. |
|
The release has been updated and is now digitally signed and password protected. A SHA-256 is also provided to verify the release. I apologize to any of you who were affected by the virus, hopefully this won't happen again in the future: |
ghost
closed this as 
|
Wanted to add here as well that it isn't only devilution or other projects that were injected with trojans, The Gentoo Linux project (Which I'm a developer for) also had our github organization projects hacked as well, and we are currently working on resolving the issue. You can see the announcement here: https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002 So seems that this wasn't something done from someone within devilution or anything like that, it seems like a problem with github infra or something. |
|
Hi, galaxuhaxz. I'm following this amazing project and messages in my
email. Although I'm not a programer I really like this field, even more
when I see people working together only for the sake of knoledge and to
deliver a better version of a great game like Diablo I (this game bring me
so memories lol). Anyway...You should know that microsoft take git hub (for
a pair of bilions, I guess). My friends, that actually work with coding,
are debanding to bitbucket. Maybe would be a good idea consider change the
plataform for the great good.
Em qui, 28 de jun de 2018 às 14:57, galaxyhaxz <notifications@github.com>
escreveu:
… The only other person with any permissions is @mewmew
<https://github.com/mewmew> but I doubt that. This definitely isn't good,
whoever repacked it with a virus definitely knows what they are doing. The
virus itself is titled "Diablo.exe", which leads me to believe it wasn't an
automated process. Someone could have access to my account, so I'm changing
passwords to everything.
I can't believe this happening. How the f**K is this even possible?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#97 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AmntAHvZqhAGVXgYlk0OXC7rZupfLbTAks5uBRj_gaJpZM4U7wn->
.
|
|
This didn't impact anyone who compiled from source right? ONLY those that downloaded the executable from releases? |
|
That's right. It seems that somehow the release was modified to provide a build with an embedded Trojan. |
Shortly after running Devilution.exe, I got firewall poping up seeing unknown process trying to connect cloudflare's IPs.
https://github.com/diasurgical/devilution/releases/download/0.2/Devilution.exe
Found this:
C:\Users\me\AppData\Roaming\vlc\art\arturl\5086e21f5fb9d3801765ab2e30c9f2a5\me_bWU\ \ me_bWU.exe
https://www.virustotal.com/#/file/9d2caeecbe12d527411e6e2b127d3bb8cb5203416b0b3e9f6a8daa75aeeab9da/detection
SHA1: 1953a43a93e3c3cfd358b0a8ef9fbbb7faf07d37
Be careful. If you want to try it, run it in your sandbox VM!!!
The text was updated successfully, but these errors were encountered: