certificate fail and checksum fail on download

[NewsArchive]

Hi,

First, the program and the install work fine. However, I had this one
possible new client that when he downloaded our demo, and even our real
program, I got a certificate fail. So I managed to bypass the fail
through windows, then got the message from setupbuilder that the
integrity check failed.. at which point I quit.

I copied our install via our screen sharing program, and it worked fine.

When I looked at the downloaded files, they seemed to be there, right
number of bytes, digital signature looked good, but they failed anyway.
I checked our download out, and it worked fine.

So obviously there was something on the computer that did something to
the file. I thought I'd run it by you on this thread to see if anyone
else has had an issue like this. It's only happened this one time, so
far, but if I can get an answer, that would be great to understand it.

Thanks,

--
Ray Rippey
VMT Software

[NewsArchive]

Ray,

You have two things telling you the same story -
the file your potential client downloaded does not exactly match the
file you created.

Typically that would be because his internet connection choked or his
antivirus mangled your file.

But if you have either a certificate fail or a SB integrity fail,
there's no point in having someone try to install that file.

What happens if he tries again on a different computer?

jf

[NewsArchive]

It was a new computer.. I don't think he had another one. We tried it
and we knew it worked on other clients computers. I used our screenshare
to copy the install over to his computer, and it worked fine.

We're pretty sure the download messed it up. But it was weird. The file
showed the 78mb of the file (files.. we did it 3 times, even once on a
completely different file). We realized later that the downloads took
about 2 seconds, so that was a good indication the file couldn't have
downloaded correctly.

However, how the file(s) all showed the 78mb size in windows explorer
remains a mystery to me.

I'm just curious more than anything.

Ray Rippey
VMT Software


> What happens if he tries again on a different computer?

[NewsArchive]

> I'm just curious more than anything.

What version of windows were they using and what browser was used to
download your installer?

What you describe is quite likely a compromised installer or your
program inside.

If you still have the installer, if you can setup a vmware guest with
no network access, could you install this dodgy installer and find out
if your program hashes have changed? If they havent, then its possible
the installer maybe compromised in some way, it might be doing stuff to
windows like creating a new user with remote access or any number of
things to compromise a system.

Thing is installers are perfect attack vectors to compromising a system
so you & I and every other software company is an attack vector.

Has your customer seen any of these weird behaviours?

Since the latest updates to Win10 1903 came down which forced all users
of VMware to upgrade to Player/workstation 15.5 (see a thread in
c.l.c.), I have been experiencing at least once or twice a day, website
certificate errors with MS Edge for some international big companies,
eg MS and Dailymail.

I've never seen so many website certficate errors happening over so
many days now, but I would suspect web browsers are primary attack
vectors.

Youtube (a google company) also seems to do some pretty funky stuff to
the computer, where the cpu fan spins up to max for periods of time and
it has crossed my mind that they might be testing windows systems,
considering how Google likes to embarrass MS over zero days etc and
Google does also have the best intelligence website for zero days,
namely virustotal. A bit conspiratorial of me, but other big business
have done questionable things in the past, so why not Google?<vbg>

It is a case of who do you trust.<g>

--
-- Richard

[NewsArchive]

Hi Richard,

> I've never seen so many website certficate errors happening over so many
> days now, but I would suspect web browsers are primary attack vectors.

Those are very rare. Been years since I saw one last time.

> Youtube (a google company) also seems to do some pretty funky stuff to
> the computer, where the cpu fan spins up to max for periods of time and
Video and buffering require quite a bit of power, so it's no big
surprise that the CPU may heat up a bit. The only time I can hear the
CPU fan in my machines rev up is at initial startup and when I'm
rendering videos or doing image processing on large images.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

[NewsArchive]

> Those are very rare. Been years since I saw one last time.

Attached is a screen shot of one from last night trying. Whats
interesting is MS Edge opens automatically when I log in and loads a
webpage up which is not a book marked window and not my home page or
blank new tab. There is also nothing the sysinternals Autoruns which
show MS Edge is supposed to run when logging in so I need to find out
whats been done to this laptop. The amount of hacking on my systems is
one of the reasons why I had to shut my company down. I'm also mindful
of events that took place when I was a kid as well which could all be
related.

In the zip is also a screenshot of the sysinternals tcpview where I
have connections going to 1.1.1.1 yet I my nic is setup to get the dns
from the router.

Something going on and I dont know what, but it stinks more than a
manure pile of incompetence.<vbg>

--
-- Richard

[NewsArchive]

Well, it wasn't our installer. I bypassed the security certificate
through windows... then the installer started to work, but the built in
checksum check in setupbuilder said it didn't pass muster, so I quit. So
really the certificate and setupbuilder both did their job perfectly.

That narrowed it down to the download. I used their google chrome to
download it. I don't suspect google is the problem. I should have tried
the edge browser though, just as an experiment. Then again, it was a
possible new client and didn't have time to mess around that much. He
was very patient though. In the end I copied it via screenconnect.

If the files would have been 0bytes or less than normal, I would have
just said the download failed. But since it was 78mb, I was curious.

He could have had some kind of virus that injected code into our
installer while it was downloading. I didn't run a virus check on his
computer.

We may never know... the mystery continues.

Ray Rippey
VMT Software

> What you describe is quite likely a compromised installer or your
> program inside.

[NewsArchive]

Did you do a binary comparison of the downloaded file to the original?

Did you try zipping the exe and downloading the zip?

Jeff Slarve
www.jssoftware.com


Bits and Bytes are Dy-No-Myte

[NewsArchive]

No, I should have.. but was in a hurry... potential customer and didn't
want to look like a complete idiot because our software didn't download
right.

Even though it may not be our fault, it's our fault.

But I'll bet the file was not the same... or it would have worked. And
we had customers that had downloaded the same file earlier in the day,
plus we downloaded it and installed it to be sure.



Ray Rippey
VMT Software

On 10/16/19 11:15 AM, Jeff Slarve wrote:
> Did you do a binary comparison of the downloaded file to the original?

[NewsArchive]

> And we had
> customers that had downloaded the same file earlier in the day, plus we
> downloaded it and installed it to be sure.

Was this downloaded all from the same internet connection with
different machines, or different locations/offices?

If the latter, then different internet routes to your server hosting
the installer could explain the problem. I'm beginning to wonder if
there is some sort of infrastructure insertion attack taking place.
Considering the number of young people in IT today, experience is
lacking.

--
-- Richard