Audacity and Classic Shell software downloads affected

Aug 3, 2016 10:30 GMT  ·  By

A hacking crew that goes by the name of PeggleCrew has compromised Fosshub and embedded malware inside the files hosted on the website and offered for download.

According to Cult of Peggle, one of the group's four members, the team breached the website and embedded a malware payload inside some of the files hosted on Fosshub, a downloads portal, in the same category as Softpedia.

"In short, a network service with no authentication was exposed to the internet," the hacker told Softpedia in an email. "We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email."

On Twitter, the hacker said he compromised the entire website, including the administrator's email. He also revealed he didn't dump the site's database but claimed that "passwords weren't salted."

Later, Cult of Peggle told Softpedia that they "in fact dump[ed] the partner database for FOSSHub, the database containing usernames and logins for application developers who uploaded their binaries through the site. Our tweet on the subject may not have been clear," the hacker explained.

"We initially replaced the Audacity and Classic Shell installers with executables made to look like the originals through the developer interface for uploading files," Cult of Peggle also told Softpedia in an email. "After word got out and the admins reverted the changes, we replaced all installer executables on their servers with the MBR-overwriting code directly."

Malware rewrote MBR with harmless message

According to multiple reports from users complaining on 4chan and the Classic Shell forums, the malware only seemed to rewrite the user's MBR (Master Boot Record), a section of the hard drive containing information about the computer's boot-up procedure.

After users downloaded and installed the compromised software from Fosshub, the next time they rebooted, the rewritten MBR would show a blank black screen with a message from the hacker:

  As you reboot, you find that something has overwritten your MBR! It is a sad thing your adventures have ended here! Direct all hate to PeggleCrew (@CultofRazer on Twitter) Greetz: Eclipso, Bubsv, Conflict, Wizards of the Coast, JewInvader, LagFish, Roland, Josh Burress, Jacob Gruentzel, AF, Teridax, John Cena, Ethan Ralph, Vince (RIP)  

In subsequent tweets, the hacker said that they tried to insert an EFI payload (rootkit) but failed, and since it was only a joke for him, they later gave up.

Users can recover their computers from the malware's effects

The current MBR malware's effects can be easily reverted. Below is a YouTube video recorded by danooct1 that features some recovery instructions for affected users. Additionally, the Classic Shell forums also contain additional removal instructions.

Previously, PeggleCrew had hijacked the Twitter accounts of Ringo Star and the NFL (National Football League), announcing the NFL Commissioner Roger Goodell's death as a prank.

An hour before this article's publication, Fosshub administrators took down the website. FossHub could not be reached for comment because of technical reasons. The company will be contacted after they will restore their portal, since the only method of reaching a representative was via a contact form on their website.

UPDATE 1: Article has been updated with comments from Cult of Peggle on how PeggleCrew compromised Fosshub.

UPDATE 2: Fosshub has returned online and has aknowledged the incindent. The team also published a blog post detailing what happened.