Non-official site with a tampered version of KeePass (opens in new tab)

(security.infoteam.ch)

151 pointsredsec7y ago78 comments

78 comments

Hah, the Linux version points you to the original website (only the Mac and Windows versions appear to be modified)! The year of the Linux desktop is truly here.

amarant7y ago

doesnt that just imply that these scammers thought the linux userbase to be too small to be worthwhile?

the comparatively small userbase is actually an underappreciated security feature of linux ;)

taneq7y ago

Or that Linux users would instantly raise a hue and cry on seeing ads?

1 more reply

elygre7y ago

Isn’t that the infamous “security by obscurity”?

1 more reply

adtac7y ago

No, I meant a tongue-in-cheek statement that Linux is the only worthwhile desktop because it's not affected :P

slipstream-7y ago

not the website owner but people involved in the PUP ecosystem.

i'm sure that if installcore supported linux, then the linux binaries would also be bundlers.

po1nter7y ago

I've reported the website here: https://safebrowsing.google.com/safebrowsing/report_phish/?t...

Hopefull it will be blocked by the browsers using the safe browsing list.

pandasun7y ago

Looks like its hosted on wp.com:

https://i0.wp.com/keepass.fr/wp-content/uploads/2018/05/keep...

So maybe we can report it here too:

https://en.wordpress.com/abuse/

Only works if you put this as URL though:

https://wp.com/keepass.fr/

jbk7y ago

safebrowsing is useless. We've reported scams of VLC shipping malware for years. They are still there.

moviuro7y ago

FWIW, report the domains to https://someonewhocares.org/ , as he keeps updating it, and it is used by e.g. PiHole and my own hostfile generator.

Algent7y ago

I reported it to afnic too. Since it does use the same domain name maybe they will act.

Look like it's a copy paste of the .com one, with same download links.

zokier7y ago

I've had discussions with coworkers on why you shouldn't ve downloading putty from putty.org. Sure, they seem to be linking to the official downloads now, but imho it's just poor hygiene to use such pages. It takes just a moment of carelessness to get pwned

lakechfoma7y ago

Rather unfortunate that "putty.org" is the first result in searches and looks a lot more legit than "chiark.greenend.org.uk" even if it (currently) links there.

I've had discussions with coworkers on why they shouldn't look up "free online json beautifier" and dump thousands of lines of crown jewels into them (http too). Meanwhile we're doing web dev and JSON responses are autoformatted in Firefox dev tools so there's an amazingly convenient and perfectly safe alternative right there...

How do we impart urgency with this kind of stuff?

slededit7y ago

It's putty's own fault. They used to (and perhaps still do) have a section on how they don't want your donated domain - they like their current one.

From their FAQ:

> No, thank you. Even if you can find one (most of them seem to have been registered already, by people who didn't ask whether we actually wanted it before they applied), we're happy with the PuTTY web site being exactly where it is. It's not hard to find (just type ‘putty’ into google.com and we're the first link returned), and we don't believe the administrative hassle of moving the site would be worth the benefit.

1 more reply

aeontech7y ago

Show your coworkers jq, it is amazing:

https://stedolan.github.io/jq/

1 more reply

WorldMaker7y ago

Windows 10 has real OpenSSH ssh installed by default now (since April). The time for PuTTY has passed. May it rest in peace.

alliecat7y ago

PuTTY's been a thing for almost two decades at this point. That's quite a lot of inertia; It will take a lot more than three months for people to migrate, nevermind the people who aren't on W10.

campuscodi7y ago

There are quite a few of these:

https://keepass.fr/ https://7zip.fr https://audacity.fr https://gparted.fr https://keepass.fr https://nc3354.nexylan.net https://paintnet.fr

hengheng7y ago

So, basically somebody went through the list of all tools most commonly installed trough ninite, and created a spoof for each of them.

redsecOP7y ago

Thanks for the update, they all look to come from the same guys.

campuscodi7y ago

They do. They're all registered via one email: https://domainbigdata.com/gmail.com/mj/0DnwUjDWo0L7ysS4kB00p...

1 more reply

pingec7y ago

What are some safety measures you take when downloading a new version of keepass? Checking the digital signature of the binary?

Original keepass downloads are hosted on sourceforge which has not had the best history of integrity the way I see it.

codeulike7y ago

Sourceforge is under new management and they removed the bundled installers, as I understand it.

https://sourceforge.net/blog/brief-history-sourceforge-look-...

mihaifm7y ago

Compile it from source, it's a standard Visual Studio solution that builds without issues.

mehrdadn7y ago

This. And the benefit is it's easy to add your own fixes to your local version too. Stuff like removing the PerformSelfTest() call, adding items to the ListView in batch, item bounds checking when refreshing the ListView, etc. can quite noticeably speed up the UI, and random window focusing/sizing issues aren't too hard to fix either.

1 more reply

pingec7y ago

But there are no guarantees about the source either unless I am willing to audit all of it?

2 more replies

sebazzz7y ago

All keepass executable downloads have valid digital signatures and are signed by the developer.

swaggyBoatswain7y ago

I usually just use SHA / MD5 checksum, digital signatures

I think 7zip has a way for you to check the hash signature with just a right click on the file so thats dandy

lakechfoma7y ago

Are you imparting trust on checksums downloaded from the same source page?

Not implying you are but there is plenty of software where that is how they expect users to verify the integrity of the download. Useful for checking bit errors, but in the event that someone has replaced the binary then they could probably also replace the checksum...

1 more reply

slipstream-7y ago

pup bundlers also tend to be signed. just checking for a valid signature would not be enough

mikelpr7y ago

keepassxc

mehrdadn7y ago

What if you don't have/want cloud syncing programs installed on your whole system just for the sake of a password manager?

2 more replies

ajnin7y ago

I'm getting a different installer file from this website with not as many ad bundles detected : https://www.virustotal.com/#/file/23c3a4564265bc996ab61c1227...

Anyway, this wouldn't be the first time an open source software is packaged with some adware. Unsavory, but I think within the limits of the license.

slipstream-7y ago

seems to be just another bundler from the same network (installcore), but packed with a different exe packer

oliviergg7y ago

Pretty ironicly, Terms of use warn to be very careful when downloading files with an exe.,. Vbs,. Lnk,. Bat,. Sys, or a suffix com., Because these files may contain a virus or spyware !

pbhjpbhj7y ago

It's a common technique used by hucksters, "here's some friendly advice ...", it's both an attempt to signal good intent and to load the mark with a subconscious sense of having been done a favour (and so needing to do a favour back to the huckster/salesman.

wool_gather7y ago

Not ironic: totally intentional marketing trick. It makes you more inclined to trust the provider of the warning. They seem knowledgable about something important, and they're sharing that information with you. More insidiously, it makes you less likely to apply the warning to them. Because (unconsciously you think this) why would someone warn you about a trick they themselves are trying to pull?

moviuro7y ago

Who did this without thinking about an exfiltration tool instead?

octosphere7y ago

I thought this too. Obviously not a very creative use of the domain squat. Worth reading:

- https://en.wikipedia.org/wiki/Cybersquatting

- https://en.wikipedia.org/wiki/Brandjacking

slipstream-7y ago

one of those "make money online"/"internet marketing" type people just wanting to get the affiliate commissions from a pay-per-install network of the PUP bundler type.

1 more reply

greggarious7y ago

Unfortunately I can't read the article without enabling javascript - anyone care to post a summary? :)

mar77i7y ago

Unrelated to the topic, the article points out a lot of things about certificates in the URL bar. That got me to think about the URLs themselves, can I set my browser up so it displays the punycode representation of my url?

teget7y ago

network.IDN_show_punycode in firefox

amaccuish7y ago

The french is also terrible, google-translated french.

fenga7y ago

This is correct french, and there is no way this was machine translated.

Source : am french

oliviergg7y ago

It's proper french. I think I can be fooled by this website.

dddddaviddddd7y ago

Examples? There's some subject and possession disagreement here and there ("Cette clé, que vous définissez ... accéder à tous ses autres mots de passe"), but otherwise looks pretty good.

simias7y ago

There's "crypter" instead of "chiffrer" but I know some people think that "crypter" is acceptable.

1 more reply

phito7y ago

Except it's not? It's totally proper French, even if it has some grammar errors, but we're usually not that good in grammar so yeah...

swaggyBoatswain7y ago

Something I don't understand though is when I do a google search, google sometimes sponsors these phony sites.

One time I downloaded the wrong google chrome which was ironic because I was on google searching it.

Other examples that come to mind with different sites are popcorn.sh vs popcorn-time.to. There not the same repository.

Normally I just do a sanity check by checking the domain URL and checking if it has authority.

If its on sourceforge... I just assume its malware or has bundled PUPware on it, run it through antivirus and SHA/MD5 checks.

Ninite.com is pretty convenient I hope they don't get comprimised one of these days and get sold to a shady vendor

j / k navigate · click thread line to collapse

78 comments

adtac7y ago

Hah, the Linux version points you to the original website (only the Mac and Windows versions appear to be modified)! The year of the Linux desktop is truly here.

amarant7y ago

doesnt that just imply that these scammers thought the linux userbase to be too small to be worthwhile?

the comparatively small userbase is actually an underappreciated security feature of linux ;)

taneq7y ago

Or that Linux users would instantly raise a hue and cry on seeing ads?

1 more reply

elygre7y ago

Isn’t that the infamous “security by obscurity”?

1 more reply

adtac7y ago

No, I meant a tongue-in-cheek statement that Linux is the only worthwhile desktop because it's not affected :P

slipstream-7y ago

not the website owner but people involved in the PUP ecosystem.

i'm sure that if installcore supported linux, then the linux binaries would also be bundlers.

po1nter7y ago

I've reported the website here: https://safebrowsing.google.com/safebrowsing/report_phish/?t...

Hopefull it will be blocked by the browsers using the safe browsing list.

pandasun7y ago

Looks like its hosted on wp.com:

https://i0.wp.com/keepass.fr/wp-content/uploads/2018/05/keep...

So maybe we can report it here too:

https://en.wordpress.com/abuse/

Only works if you put this as URL though:

https://wp.com/keepass.fr/

jbk7y ago

safebrowsing is useless. We've reported scams of VLC shipping malware for years. They are still there.

moviuro7y ago

FWIW, report the domains to https://someonewhocares.org/ , as he keeps updating it, and it is used by e.g. PiHole and my own hostfile generator.

Algent7y ago

I reported it to afnic too. Since it does use the same domain name maybe they will act.

Look like it's a copy paste of the .com one, with same download links.

zokier7y ago

lakechfoma7y ago

Rather unfortunate that "putty.org" is the first result in searches and looks a lot more legit than "chiark.greenend.org.uk" even if it (currently) links there.

How do we impart urgency with this kind of stuff?

slededit7y ago

It's putty's own fault. They used to (and perhaps still do) have a section on how they don't want your donated domain - they like their current one.

From their FAQ:

1 more reply

aeontech7y ago

Show your coworkers jq, it is amazing:

https://stedolan.github.io/jq/

1 more reply

WorldMaker7y ago

Windows 10 has real OpenSSH ssh installed by default now (since April). The time for PuTTY has passed. May it rest in peace.

alliecat7y ago

PuTTY's been a thing for almost two decades at this point. That's quite a lot of inertia; It will take a lot more than three months for people to migrate, nevermind the people who aren't on W10.

campuscodi7y ago

There are quite a few of these:

https://keepass.fr/ https://7zip.fr https://audacity.fr https://gparted.fr https://keepass.fr https://nc3354.nexylan.net https://paintnet.fr

hengheng7y ago

So, basically somebody went through the list of all tools most commonly installed trough ninite, and created a spoof for each of them.

redsecOP7y ago

Thanks for the update, they all look to come from the same guys.

campuscodi7y ago

They do. They're all registered via one email: https://domainbigdata.com/gmail.com/mj/0DnwUjDWo0L7ysS4kB00p...

1 more reply

pingec7y ago

What are some safety measures you take when downloading a new version of keepass? Checking the digital signature of the binary?

Original keepass downloads are hosted on sourceforge which has not had the best history of integrity the way I see it.

codeulike7y ago

Sourceforge is under new management and they removed the bundled installers, as I understand it.

https://sourceforge.net/blog/brief-history-sourceforge-look-...

mihaifm7y ago

Compile it from source, it's a standard Visual Studio solution that builds without issues.

mehrdadn7y ago

1 more reply

pingec7y ago

But there are no guarantees about the source either unless I am willing to audit all of it?

2 more replies

sebazzz7y ago

All keepass executable downloads have valid digital signatures and are signed by the developer.

swaggyBoatswain7y ago

I usually just use SHA / MD5 checksum, digital signatures

I think 7zip has a way for you to check the hash signature with just a right click on the file so thats dandy

lakechfoma7y ago

Are you imparting trust on checksums downloaded from the same source page?

1 more reply

slipstream-7y ago

pup bundlers also tend to be signed. just checking for a valid signature would not be enough

mikelpr7y ago

keepassxc

mehrdadn7y ago

What if you don't have/want cloud syncing programs installed on your whole system just for the sake of a password manager?

2 more replies

ajnin7y ago

I'm getting a different installer file from this website with not as many ad bundles detected : https://www.virustotal.com/#/file/23c3a4564265bc996ab61c1227...

Anyway, this wouldn't be the first time an open source software is packaged with some adware. Unsavory, but I think within the limits of the license.

slipstream-7y ago

seems to be just another bundler from the same network (installcore), but packed with a different exe packer

oliviergg7y ago

Pretty ironicly, Terms of use warn to be very careful when downloading files with an exe.,. Vbs,. Lnk,. Bat,. Sys, or a suffix com., Because these files may contain a virus or spyware !

pbhjpbhj7y ago

wool_gather7y ago

moviuro7y ago

Who did this without thinking about an exfiltration tool instead?

octosphere7y ago

I thought this too. Obviously not a very creative use of the domain squat. Worth reading:

- https://en.wikipedia.org/wiki/Cybersquatting

- https://en.wikipedia.org/wiki/Brandjacking

slipstream-7y ago

one of those "make money online"/"internet marketing" type people just wanting to get the affiliate commissions from a pay-per-install network of the PUP bundler type.

1 more reply

greggarious7y ago

Unfortunately I can't read the article without enabling javascript - anyone care to post a summary? :)

mar77i7y ago

teget7y ago

network.IDN_show_punycode in firefox

amaccuish7y ago

The french is also terrible, google-translated french.

fenga7y ago

This is correct french, and there is no way this was machine translated.

Source : am french

oliviergg7y ago

It's proper french. I think I can be fooled by this website.

dddddaviddddd7y ago

Examples? There's some subject and possession disagreement here and there ("Cette clé, que vous définissez ... accéder à tous ses autres mots de passe"), but otherwise looks pretty good.

simias7y ago

There's "crypter" instead of "chiffrer" but I know some people think that "crypter" is acceptable.

1 more reply

phito7y ago

Except it's not? It's totally proper French, even if it has some grammar errors, but we're usually not that good in grammar so yeah...

swaggyBoatswain7y ago

Something I don't understand though is when I do a google search, google sometimes sponsors these phony sites.

One time I downloaded the wrong google chrome which was ironic because I was on google searching it.

Other examples that come to mind with different sites are popcorn.sh vs popcorn-time.to. There not the same repository.

Normally I just do a sanity check by checking the domain URL and checking if it has authority.

If its on sourceforge... I just assume its malware or has bundled PUPware on it, run it through antivirus and SHA/MD5 checks.

Ninite.com is pretty convenient I hope they don't get comprimised one of these days and get sold to a shady vendor

j / k navigate · click thread line to collapse