winrar? not! a malware!

[Dirk41]

Hi everyone!

probably many of you already read the news that during last summer official winrare websites (details in the link) from Belgium and Italy served malwares insted of the real installer.

I downloaded it before the summer but (and this could be helpfull for other users) I'd like to know if checksum would be enough to understand if the installer is safe and how to do that (I did it only with linux iso).
and ,just to be sure, how is it possibile to check if I/someone don't have anymore the installer but only the app already installed? (which winrar files I should check?

looking forward to hearing from you

thank you you anyone who replies

 

[SHvFl]

Winrar is digitally signed. If you find winrar on your pc and right click on it and click properties you should see a tab called Digital signatures. There you will see this 2 for winrar.
http://i.imgur.com/WGJ2HuA.png

If you have the installer then yes checking the hash of the installer will be sufficient. I do it with hashtab so i have an extra tab in the same location as the digital signature(different tab) showing the hash of the file.
http://implbits.com/products/hashtab/

 

[Dirk41]

thank you! i downloaded it in April, or even before, so I don't have the installer anymore.
yes I see as in your picture.

but: is not possible to know the entire hash of my winrar,in order to compare it with the original? and where can i find the original hash? I can't find it on winrar.it

 

[SHvFl]

Yeah, winrar developer doesn't give the hash of the file as far as i can see but as long as it's digitally signed you are fine.

 

[Dirk41]

I asked because i found a user that in 2010 had the hash
https://groups.google.com/forum/#!topic/it.comp.aiuto/bJz3FsyUKFg

 

[LabZero]

@Dirk41 thanks for sharing!
I checked the installer I've downloaded at September 2016.
It seems to be ok, hash match with the one currently on the site and no infection issues.

 

[askmark]

@Dirk41
Thanks for sharing this article. It was a very interesting read. It will certainly make me wary in future of downloading main stream software from distribution sites rather than direct from the vendors own site.

 

[Ana_Filiz]

The scam was quite obvious, the malware address was

http://www.ralrab.com

while the correct one is

http://www.rarlab.com

so for me it`s too low!

 

[Dirk41]

The scam was quite obvious, the malware address ...

Not in Italy "
The major difference here is that we didn’t record redirections to ralrab[.]com, but it appears the site directly served StrongPity trojanized installers:"

 

[Dirk41]

@Dirk41 thanks for sharing!
I checked the installer I've downloaded at September 2016.
It seems to be ok, hash match with the one currently on the site and no infection issues.

Do you mind to link me where you find the hash, thank you , sorry for bothering

 

[LabZero]

Do you mind to link me where you find the hash, thank you , sorry for bothering

I've uploaded my installer here:
http://onlinemd5.com and I've compared the checksum with the one on the page "Prelievo" of winrar.it.
Assuming that today the problem is solved, my installer is the same as the one on the site.

 

[Dirk41]

I've uploaded my installer here:
http://onlinemd5.com and I've compared the checksum with the one on the page "Prelievo" of winrar.it.
Assuming that today the problem is solved, my installer is the same as the one on the site.

View attachment 118060

Great thank you . Isn't it safer to compare it with the hash you find on winrar.com ?

 

[LabZero]

Great thank you . Isn't it safer to compare it with the hash you find on winrar.com ?

The hash is the same of the installer I have from winrar.it (the main issues was there).
From winrar.com i don't know because I use Ita version.

 

[Dirk41]

Ok ok I know, I use ita version too, I supposed that the hash was the same in every language . Thank you

 

[Dirk41]

Just out of curiosity

The hash is the same of the installer I have from winrar.it (the main issues was there).
From winrar.com i don't know because I use Ita version.

And do you have version 5.40 installed ?

Because probably I have an older version





Anyway , just of curiosity , do you think ( everyone can reply) that if winrar was a backdoor , I would see strange connections using command netstat -b ?

 

[jamescv7]

Nice try for those scammers.

People should be aware not only on the URL link but also the design of websites, usually those possible grammatical errors are clearly shown.

 

[LabZero]

Just out of curiosity


And do you have version 5.40 installed ?

Because probably I have an older version





Anyway , just of curiosity , do you think ( everyone can reply) that if winrar was a backdoor , I would see strange connections using command netstat -b ?

Yes, I use V 5.40 64-bit.
The story is quite confusing, however, according to the analysis by kaspersky (dates back to 2016 may), very probably, the infected Italian versions certainly are V 5.30/5.31, and the various beta of V 5.40.
In any case, currently StrongPity is detected by Kaspersky and probably by most of the AVs, then you just need a good full scan and maybe even with Zemana.