apcupsd uninstaller contains malware

apcupsd uninstaller contains malware

Olah, Norbert

Hi,

I had an antivirus alert after trying to uninstall the product (winapcupsd-3.14.14.exe, downloaded from sourceforge).

My first thought was that it's a false-positive alert. Then I checked the uninstaller.exe with virustotal.com to see what other AV engines say about it, and I got these results:

https://www.virustotal.com/en/file/79c493a2f478be589491b7f687960be7d18565c13fd497c7abd4653251cf864f/analysis/

What is your opinion?

Is it possible that the uninstaller is infected?

I've read some bad news about sourceforge, that they're bundling adware or other crap in the downloaded software (and sometimes without the developers' permission or knowledge). Is it possible that in this case something similar happened?

Please respond ASAP, because in the worst case, some production environments could be affected.

Thanks in advance!

Best regards,

Norbert Oláh
Junior System Analyst

Xerox Hungary Ltd.
Madarász Viktor u. 47/49. 2/b. 6. em.
H-1138 Budapest, Hungary
t   +36 1 4368968
m  +36 30 370 8899
[hidden email]
www.xerox.hu

 


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. http://sdm.link/zohodev2dev
_______________________________________________
Apcupsd-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/apcupsd-users

Re: apcupsd uninstaller contains malware

Adam Kropelin-2

Check the digital signature (right-click, properties, etc.) winapcupsd.exe should be signed by me. If not, it's been tampered with.

FWIW, the tampering that sf.net used to do (they have recently sworn it off) never involved trojans, etc. Just crapware co-installers that were enabled by default and easy to miss if you clicked through the installer dialogs too fast.

--Adam


On Aug 12, 2016 7:59 PM, "Olah, Norbert" <[hidden email]> wrote:


Re: apcupsd uninstaller contains malware

c72578
In reply to this post by Olah, Norbert
Hi,
what are the checksums of your installer (winapcupsd-3.14.14.exe)?
They should be
MD5: 8a4751bfb474104fa4f1684fdf7761ca
SHA1: 8664a7a0c8c893a55930a18a7c43fe355d68e2dd
etc.

Regards
Wolfgang


From: "Olah, Norbert" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Sent: 15:09 Friday, 12 August 2016
Subject: [Apcupsd-users] apcupsd uninstaller contains malware

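The two checks suggested above (Adam: the installer must carry the maintainer's Authenticode signature; Wolfgang: the installer's MD5/SHA1 must match the posted values) as one added shell example. This is not apcupsd project code; the function names are mine, the expected digests are the ones Wolfgang posted, and the Authenticode step assumes osslsigncode (https://github.com/mtrojnar/osslsigncode) is installed and can find the system CA bundle. It hashes the installer, not Uninstall.exe: NSIS appends per-install data to the uninstaller, so the uninstaller's hash has no published reference value. Two caveats: MD5 and SHA1 are both collision-broken, so a match rules out a corrupted or swapped download against the list's values but a maintainer-published SHA-256 plus the signature is the stronger check; and a valid Authenticode signature only proves someone signed the file, so the signer subject that osslsigncode prints still has to be the maintainer's certificate.

```shell
#!/bin/sh
# Added example (not apcupsd project code): check a downloaded
# winapcupsd-3.14.14.exe against the checksums posted on the list and,
# where osslsigncode is installed, its Authenticode signature.

# Checksums for winapcupsd-3.14.14.exe as posted by Wolfgang.
EXPECTED_MD5="8a4751bfb474104fa4f1684fdf7761ca"
EXPECTED_SHA1="8664a7a0c8c893a55930a18a7c43fe355d68e2dd"

# file_md5 / file_sha1 FILE: print the lowercase hex digest using
# coreutils if present, otherwise openssl; return 2 if neither exists.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -md5 -r "$1" | cut -d' ' -f1
    else return 2; fi
}
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha1 -r "$1" | cut -d' ' -f1
    else return 2; fi
}

# digests_match FILE EXPECTED_MD5 EXPECTED_SHA1
# Both digests must match (case-insensitive). Returns 0 on match,
# 1 on mismatch, 2 if no hashing tool is available.
digests_match() {
    f=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    got_md5=$(file_md5 "$f") || return 2
    got_sha1=$(file_sha1 "$f") || return 2
    [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]
}

# verify_installer FILE: checksums first, then the Authenticode signature
# if osslsigncode is available (assumption: it finds the system CA bundle).
# Inspect the signer subject it prints; a valid signature from the wrong
# certificate is still a tampered file.
verify_installer() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if digests_match "$f" "$EXPECTED_MD5" "$EXPECTED_SHA1"; then
        echo "checksums: OK"
    else
        echo "checksums: MISMATCH, do not run this file" >&2; return 1
    fi
    if command -v osslsigncode >/dev/null 2>&1; then
        osslsigncode verify -in "$f" || { echo "authenticode: FAILED" >&2; return 1; }
    else
        echo "authenticode: osslsigncode not installed; check Properties > Digital Signatures on Windows" >&2
    fi
}

# selfcheck: constructed input, not an apcupsd file. "hello\n" has
# well-known MD5/SHA1 digests, so this proves the comparison logic
# before it is pointed at the real installer.
selfcheck() {
    t=$(mktemp) || return 2
    printf 'hello\n' > "$t"
    digests_match "$t" b1946ac92492d2347c6235b4d2611184 f572d396fae9206628714fb2ce00f72e94f2258f
    rc=$?
    rm -f "$t"
    return $rc
}

# usage: sh verify-installer.sh winapcupsd-3.14.14.exe
if [ $# -gt 0 ]; then
    selfcheck && verify_installer "$1"
fi
```

Run it against the file you actually downloaded, not the copy Windows keeps for the uninstaller; a mismatch means "do not run", a match plus a signature from the maintainer's certificate means the file is what was published.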

Re: apcupsd uninstaller contains malware

Jernej Simončič-3
On Saturday, August 13, 2016, 15:00:32, Wolfgang Stoeggl wrote:

> Hi,
> what are the checksums of your installer (winapcupsd-3.14.14.exe)?
> They should be
> MD5: 8a4751bfb474104fa4f1684fdf7761ca
> SHA1: 8664a7a0c8c893a55930a18a7c43fe355d68e2dd
> etc.

Due to the way NSIS works, each install will likely have a unique
Uninstall.exe hash (the uninstall data is appended to Uninstall.exe,
and it's likely to be unique per-machine).

--
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

The deficiency will never show itself during the dry runs.
       -- Boyle's Third Law



Re: apcupsd uninstaller contains malware

John Connell
It looks like I have a faulty download :-

:~$ gpg --verify apcupsd-3.14.14.tar.gz.sig apcupsd-3.14.14.tar
gpg: Signature made Tue 31 May 2016 18:48:35 BST using DSA key ID A57B2D90
gpg: BAD signature from "Apcupsd Distribution Verification Key (www.apcupsd.com)"


I’ll download the source again.

John


On 17 Aug 2016, at 12:03, Jernej Simončič <[hidden email]> wrote:


Re: apcupsd uninstaller contains malware

Adam Kropelin-2

The signature is on the .tar.gz not the .tar.


On Aug 17, 2016 7:25 AM, "John Connell" <[hidden email]> wrote:

Re: apcupsd uninstaller contains malware

John Connell
I’ve downloaded both files from sourceforge again and get:

:~$ gpg --verify apcupsd-3.14.14.tar.gz.sig apcupsd-3.14.14.tar.gz
gpg: Signature made Tue 31 May 2016 18:48:35 BST using DSA key ID A57B2D90
gpg: Good signature from "Apcupsd Distribution Verification Key (www.apcupsd.com)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 635B 9D94 3945 DCA0 5BE9 AB0A 24E8 4804 A57B 2D90

I’ve then emptied the /apcupsd-3.14.14 folder and run ./configure, make & make install again and I get:

------------------------------------------------------------
debian distribution installation
------------------------------------------------------------
COPY apcupsd => /etc/init.d/apcupsd
insserv: warning: script 'apcupsd' missing LSB tags and overrides
insserv: There is a loop between service logitechmediaserver and apcupsd if stopped
insserv: loop involving service apcupsd at depth 2
insserv: loop involving service logitechmediaserver at depth 1
insserv: Stopping apcupsd depends on logitechmediaserver and therefore on system facility `$all' which can not be true!
insserv: exiting now without changing boot order!
update-rc.d: error: insserv rejected the script header
Makefile:10: recipe for target 'install-debian' failed
make[3]: *** [install-debian] Error 1
../../autoconf/targets.mak:68: recipe for target 'install' failed
make[2]: *** [install] Error 2
../autoconf/targets.mak:110: recipe for target 'debian_DIR' failed
make[1]: *** [debian_DIR] Error 2
autoconf/targets.mak:110: recipe for target 'platforms_DIR' failed
make: *** [platforms_DIR] Error 2

Is it possible that I’ve not cleaned everything out from the failed install?
John


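The gpg exchange above (a BAD signature from checking the .sig against the unpacked .tar, then a good signature with the "not certified with a trusted signature" warning) as an added shell example; it is not apcupsd project code and the function names are mine. It derives the signed file name from the .sig name, so the .tar/.tar.gz mix-up cannot happen, and it replaces web-of-trust certification with a pinned fingerprint: the warning only says gpg has no trust path to the key, and pinning the full 160-bit fingerprint printed above (obtained once, out of band) is the practical substitute. The 32-bit short key ID A57B2D90 is not used as an identity, since short IDs are trivially collidable; the check reads the full fingerprint from gpg's machine-readable VALIDSIG status line rather than from the human-readable "Good signature" text. The status lines used in the usage section are constructed, not captured.

```shell
#!/bin/sh
# Added example, not apcupsd project code: verify a release tarball's
# detached GPG signature against a pinned key fingerprint.

# Primary-key fingerprint of "Apcupsd Distribution Verification Key", as
# printed by gpg in the thread, with spaces removed.
APCUPSD_FPR="635B9D943945DCA05BE9AB0A24E84804A57B2D90"

# signed_file_for SIGFILE: a detached .sig covers the file its name was
# built from. apcupsd-3.14.14.tar.gz.sig signs the .tar.gz, not the
# unpacked .tar, so deriving the name avoids that mix-up.
signed_file_for() {
    case "$1" in
        *.sig) printf '%s\n' "${1%.sig}" ;;
        *)     echo "not a .sig file: $1" >&2; return 1 ;;
    esac
}

# check_gpg_status: read "gpg --status-fd" lines on stdin, print one of
#   good      a VALIDSIG line carries the pinned fingerprint
#   wrongkey  the signature is valid but made by some other key
#   bad       BADSIG/ERRSIG/NODATA seen, or no VALIDSIG at all
# VALIDSIG (not GOODSIG) is used because it carries the full fingerprint;
# GOODSIG only carries the 64-bit key ID.
check_gpg_status() {
    pinned=0; other=0; broken=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                case " $line " in
                    *" $APCUPSD_FPR "*) pinned=1 ;;
                    *)                  other=1 ;;
                esac ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*)
                broken=1 ;;
        esac
    done
    if   [ "$broken" = 1 ]; then echo bad
    elif [ "$pinned" = 1 ]; then echo good
    elif [ "$other"  = 1 ]; then echo wrongkey
    else echo bad; fi
}

# verify_tarball SIGFILE: run gpg and map its status output to an exit
# code (0 only for "good"). Human-readable gpg chatter stays on stderr;
# --status-fd 1 puts the machine-readable lines on stdout for parsing.
verify_tarball() {
    sig=$1
    data=$(signed_file_for "$sig") || return 1
    [ -f "$data" ] || { echo "missing signed file: $data" >&2; return 1; }
    verdict=$(gpg --batch --status-fd 1 --verify "$sig" "$data" | check_gpg_status)
    echo "$data: $verdict"
    [ "$verdict" = good ]
}

# usage: sh verify-tarball.sh apcupsd-3.14.14.tar.gz.sig
if [ $# -gt 0 ]; then
    verify_tarball "$1"
fi
```

Import the key once (gpg --recv-keys or from the project's published key file), compare the fingerprint gpg prints with the pinned value by eye the first time, and from then on the script does the comparison; "wrongkey" is the case to worry about, since it means a valid signature from a key that is not the one you pinned.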