
Classic Shell hackers: We infected FossHub so ransomware couldn't (and yeah, also for fun)

Peggle Crew speaks out on hard drive nuke stunt

The hacking group credited with compromising FossHub and briefly infecting downloads of Audacity and Classic Shell says the fallout from the website's insecurity could have been far worse had they not got there first.

In a conversation with El Reg, a member of the Peggle Crew group said the security breach – in which the FossHub accounts for both Audacity and Classic Shell were compromised and used to spread a few hundred copies of a new piece of Master Boot Record (MBR) nuking malware – was, in fact, a relatively simple matter.

We're told that in late July, the miscreants easily found an internet-facing service that was not password-protected. It contained all the source code and passwords they needed to obtain deeper access to FossHub's production and mirror systems as well as its caching servers via FTP, the crew said. They were able to grab the accounts database of developers who upload files to FossHub; the passwords were not salted, apparently.

It took one of the gang's x86 assembler programmers "a day or so" to write the MBR nasty, which blows away the boot record sector and potentially trashes the partition table on the main drive, rendering the PC unbootable until it is repaired by software tools. The group considered slipping in a rootkit but gave up on that and went with an old-school MBR killer instead.

Their software nasty was hidden in copies of the Windows installers for Audacity and Classic Shell hosted on FossHub, a portal for free and open-source projects. Running an infected installer put in place the MBR-attacking malware rather than unpacking the legit app. On the next reboot, a message from the crew was displayed on the screen and the MBR scrubbed.

Once Peggle Crew was inside FossHub, it made sure to target the most popular applications hosted on the site to garner the most attention for themselves.

"Audacity and Classic Shell are the two most popular programs there, so those were the ones we made executables that mimicked the installers for," the crew said.

"After the initial wave when the administrators fixed the executables and locked the developer accounts in question, we replaced all the executables on their mirrors with a generic version of our MBR overwriter by using stolen FTP credentials."

After that, FossHub administrators were forced to take down the site for several hours to address the issue, and while nobody downloaded the infected Audacity installer, apparently, a few hundred people were infected with Peggle Crew's poisoned version of Classic Shell.

The crew admits that, while the attack was mostly done for fun, there was also a sense that exposing the flaw with a relatively benign infection (broken MBRs can be cleaned up fairly easily) could prevent a more nefarious attack from exploiting the same bug.

"The entry point was so obvious that it was only a matter of time before a ransomware author got to it (a la Transmission), and we didn't want that," Peggle Crew said.

The security breach is not going to be a one-off, either. We're told that prior to hijacking FossHub, Peggle Crew was behind such stunts as hacking the Twitter accounts of Beatles drummer Ringo Starr last February and the NFL in June.

"We've been around a while, so this is not the last you'll see of us," Peggle Crew says. "Unless the very angry dude in our Twitter mentions actually comes and kills us, that is." ®
