This isn’t good. Two of the most popular programs on download site FossHub were recently replaced with malware that nuked the master boot records on any PC unlucky enough to install it.
The free software site had to act quickly after hackers infiltrated it through compromised user accounts. While the hackers were in the system they managed to replace the installation files for Audacity and Classic Shell with malicious downloads.
Both programs are two of the more popular downloads on FossHub. In the case of Audacity, a popular audio editing and recording program, FossHub was able to catch the malicious file before anyone downloaded it. Beloved Start menu replacement Classic Shell wasn’t so fortunate. About 300 downloads of the bad file occurred before FossHub shut it down.
The impact on you at home: The threat from the hackers appears to be over. All downloads from FossHub should now be secure and malware-free as before. If you’re worried, however, scan any files you’ve downloaded with an anti-virus program before installing them. (You should actually do this with every single file you ever download.) You can also upload the file to a site like Virus Total, which will scan your file with several security programs.
Your browser may also say that it can’t trust your download (as it apparently did with the bad Classic Shell download). If that happens that’s another red flag—though false positives from browsers aren’t uncommon.
Fallout
[MASSIVE] [PSA] Do not download Classic SHELL! read comments (MBR overwrite!!) mbr.rootkit from pcmasterrace
Anyone who downloaded and installed the bad version of Classic Shell has likely already figured that out. Based on posts from users on Reddit, the infected Classic Shell program overwrote users’ master boot record (MBR) and flashed a cheeky message on a user’s screen. Messing with the MBR would render an infected PC temporarily unusable, but the MBR can usually be repaired with a command prompt tool called bootrec.exe.
Users on Reddit are also claiming that the malicious files weren’t hacked versions of Classic Shell and Audacity. Instead, the bad guys just replaced the installation file with a different one that contained the malware. When the bad file was installed, it popped up a command prompt window and did nothing else—another tip-off that this was a problem installer.
The apparent hackers, who called themselves Cult of Razer on Twitter, claimed they also had temporary control over FossHub.com, including the site’s administrator email account. They also said their motivation for carrying out the hack was to draw attention to the site’s security weaknesses with a less benign attack. That would then prompt the site to double down on security before hackers who might try to use ransomware took advantage of the same issue. The tweets on the Cult of Razer account have since been deleted but are still available in Google’s cache.