Jeff Duntemann's Contrapositive Diary Rotating Header Image

Malware from SourceForge?

I've been chasing something very odd here recently. For about a year nowI have used a FOSS utility called MozBackup to both archive and move my 1.7 GB mailbase around. It has always worked beautifully, but when I used it to restore my mailbase onto my new quad-core machine last week, the mailbase did not come back intact. I was getting weird error messages about the inbox not truncating when messages were moved into the junk folder, etc. which made me wonder what was going on.

Ok. This is a quad-core machine running XP SP3. I deliberately set it up so that AVG 8 runs during the day and not at 2 ayem, because I want to observe what effect multiple tasks in multiple cores has on overall system response. So every day at 1 PM, AVG 8 runs a full scan. It ran a full scan on all drives yesterday, and came up with nothing except warnings about a couple of revenant tracking cookies.

Late yesterday afternoon, I copied the current MozBackup installer file from my installers archive on D: to my “installed installers” folder (where I put installers for software installed on the machine) on C:. Instantly, AVG 8 set up a howl that it had found a trojan in MozBackup-1.4.8-EN.exe, the installer for the instance of MozBackup that I have had installed on the quad-core since June. The trojan was called Generic12.HTC.

That's odd in itself: On all the bazillion-squared pages that Google indexes, there was not a single mention of “Generic12.HTC” yesterday . Nor is there any entry by that name in AVG's virus encyclopedia. This morning, however, I suddenly see five or six mentions indexed during the night. It looks like a false positive, but I'm still a little nervous.

As a test, I went back to SourceForge and downloaded another copy of the file. As soon as it was complete in a temp folder, wham! AVG's “resident shield” utility called it out as Generic12.HTC. Now, I'm not used to thinking that SourceForge downloads can be malware sources, though there's no reason that it's impossible. However, the MozBackup-1.4.8-EN.exe file has been on my hard drive since June, and has passed muster every afternoon that the machine has been powered up. The file's time stamp has not changed. I can only assume that during yesterday's daily update, AVG brought down a signature that matched something inside the fileā€”and that would be a mighty freaky coincidence if true.

The other freaky thing is that after I deleted MozBackup 1.4.8 and installed the previous version 1.4.7 (which is in use on three of my other machines, including my X41 tablet) the mailbase restore worked perfectly. So are there two problems here or one?

The handul of reports surfacing this morning seem to indicate that it's a false positive, which would make sense, given that it's been on this system since June without AVG making noise. So maybe I don't need to warn you against the 1.4.8 version. However, it does look like 1.4.8 doesn't necessarily import an archive created with 1.4.7. Yes, a coincidence, and a weird one.


  1. Zoltan says:

    There’s an app I had downloaded from sourceforge a number of times called abacus gui buildder. The last time I went back, the installer was gone and some images had been left instead including an image on the download link. I hope they fixed it, but at least in that one instance on an inactive project, they got hacked.

    Currently I’m looking to find if there is a pathogen that attacks displays by dimming them till they look like they are off, if a reinstall of the system disks will cure it on a laptop. …

  2. Steve says:

    July 2012. I tired to download Filezilla from Sourceforge, via a link from Filzilla site. Instead of Filezilla, it tried to install a whole lot of unwanted applications. When I figured out what it was doing, I cancelled the installs and uninstalled the programs it had installed. Now my desktop shortcusts dont work and some icons have been replaced with incorrect ones. So now Sourceforge installs malware?

  3. NM says:

    SourceForge’s new owners (Dice Holdings) are now actively pushing malware with SourceForge downloads. SourceForge has become a malware distributor. There were ways that Dice Holdings could have earned revenue ethically. It appears they have opted for the dubious path.

Leave a Reply

Your email address will not be published. Required fields are marked *