Security Notice for Windows based installers

sebastien1234 edited this page Jun 14, 2018 · 6 revisions

This notice is for all cryptocurrency users who download Windows-based installers from Github.com’s release pages for their respective projects. Developers of these projects may be targeted for the particular attack described below:

Notice

On June 13th, 2018 at 6:05 PM UTC – The Blockchain Foundry team received reports of Windows Defender SmartScreen showing the syscoincore-3.0.4-win64-setup.exe by “Unknown Publisher”, which led to the investigation of this issue.

What Happened?

Upon investigation, the Syscoin developers found that a malicious, unsigned copy of the Windows Syscoin 3.0.4.1 installer was made available via the Syscoin Github release page on June 9th, 2018 due to a compromised GitHub account. This installer contained malicious code. (Trojan:Win32/Feury.B!cl)

The virustotal scan of the malicious file named “re.exe” that is saved to the local temp folder (C:\Users\user\AppData\Local\Temp) upon running the fake installer: https://www.virustotal.com/#/file/b105d2db66865200d1b235c931026bf44428eb7327393bf76fdd4e96f1c622a1/detection

Who May Be Affected?

This may affect Windows users who downloaded and executed the Syscoin 3.0.4.1 Windows setup binaries from Github between June 09th, 2018 10:14 PM UTC & June 13th, 2018 10:23 PM UTC.

Windows users who may not be affected:

  • Individuals using versions of Syscoin other than 3.0.4.1
  • Users that did not download or execute the Syscoin 3.0.4.1 setup binaries during the time period shown above

Mac and Linux users were not affected by this issue.

What Should You Do?

All Windows users should identify their installation date:

  • Right-click on syscoin-qt.exe in C:\Users[USERNAME]\AppData\Roaming\SyscoinCore or view in detailed list mode and make a note of the modified date.
  • OR go to Settings->Apps and make a note of the installation date.

If the modified/installation date is between June 9th, 2018, and June 13th, 2018, take the following precautions:

  • Backup any important data including wallets onto another storage medium outside of the affected computer. Treat this data cautiously as it may contain infectious code.
  • Run an up-to-date virus scanner on your system to remove the threat.
  • Passwords entered since the time of the infection should be changed from a separate device after ensuring the threat has been removed.
  • Funds in unencrypted wallets or wallets that had been unlocked during the infection period, should be moved to a newly generated wallet on a secure computer.

We highly recommend running the following GenericKD trojan removal guide – https://malwaretips.com/blogs/trojan-generickd-removal/. This must be completed before you restart or you may be prompted for a login screen at which point the trojan could be logging your password.

Windows users that did not download the corrupted copy, Mac, and Linux users do not need to take any action.

How Did This Happen?

Reports were filed indicating that Windows Defender SmartScreen, AVG and Kaspersky were flagging the syscoincore-3.0.4-win64-setup.exe as a potential virus.

Investigation into the issue revealed the original Github Windows setup binaries for release 3.0.4.1 had been modified and replaced with a malicious version through a compromised Github account. Upon discovery, the 3.0.4.1 setup binaries were removed from Github and replaced with official, signed versions of the binaries.

What Actions Will Syscoin Take in the Future?

Effective immediately, all Syscoin developers and Blockchain Foundry staff with Github access will:

  • Be required to have 2FA authentication enabled
  • Perform routine verification of signature hashes
  • Work with Github to ensure users will be able to detect if binaries have been altered after release

We are in contact with Github to determine whether there were any breaches of security on their end that would have allowed the uploaded binaries to be compromised.

Summary

The Blockchain Foundry team received reports of Windows Defender SmartScreen showing the syscoincore-3.0.4-win64-setup.exe by “Unknown Publisher”.

The team launched an investigation into the issue and located the following affected binaries.

Binaries Affected:

syscoincore-3.0.4-win32-setup.exe

syscoincore-3.0.4-win64-setup.exe

All 3.0.4.1 binaries were downloaded from Github and compared against the SHA256SUM.asc available and there appeared to be a discrepancy for all Windows installer files. The SHA256SUM.asc was cross checked against a local copy of SHA256SUM.asc created at the time of building (May 27, 2018) and confirmed that the fingerprints for the windows installer files were not matching. The SHA256SUM.asc file was unmodified by the attacker.

We downloaded an infected copy of the syscoincore-3.0.4-win64-setup.exe onto a test machine and upon opening, we noticed the file installer path was changed to C:\Users\user\AppData\Local\Temp\re2.exe instead of C:\Users\user\Downloads\syscoincore-3.0.4-win64-setup.exe Further investigation showed a file named re.exe was created in C:\Users\user\AppData\Local\Temp
At which point we confirmed that our Github setup binaries had been modified and replaced with corrupted versions. The file copied to temp direction “re.exe” has been confirmed to be malicious by the majority of anti-virus scanners through https://www.virustotal.com

We removed the 2 corrupted copies and the windows.exe files were replaced with the correct ones.

We used the Github API to confirm the binaries were modified on June 9th, 2018. Thus, users who downloaded the following files between June 9th, 2018, and June 13, 2018, should consider their computer at risk. It is unknown if data may be exfiltrated or if there is opportunity to install additional malware on the machine at risk.

We purposefully infected a cheap laptop not used for sensitive content in our office. After restart, we were asked for a login password, although none had been set by us. Prior to login, we observed that an .exe titled “402232.exe” was running which renamed itself to “Antimalware Service Executable” in the task manager. Upon restart, it was password protected. The results of the test led us to believe it was most likely a keylogger and/or ransomware.

Preventative Measures

Although the issue was detected quickly, we believe that the crypto-community is at risk for a specific type of attack which targets gatekeepers of source code for cryptocurrency projects.

We highly recommend that all gatekeepers of software repositories for cryptocurrency projects sign binaries through an official build process like Gitian. Should the Gitian process be followed, (for example: https://github.com/syscoin/syscoin/blob/master/doc/gitian-building.md) you will have necessarily signed the binaries. It is then easy for a downloader to detect that these binaries have been signed by an authority managing the release process (in this case Blockchain Foundry Inc.).

We are working with Github to improve the release page experience to provide information regarding the modifying account as well as the last modification date of a release. This would allow users to detect if certain binaries were updated for potentially malicious purposes.

All individuals responsible for Github releases should enable 2FA and ensure they have deterministic signature hashes for files on a regular basis.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.