Trojanized dnSpy app drops malware cocktail on researchers, devs

[ndgayan]

I saw this article in the bleepingcomputer.com https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/ about how bad actors use this amazing tool to hack into computers.

[ElektroKill]

Hi, this is sadly one of the consequences of having an open source software like this one. People with malicious intent can always just download the source code and inject malware. There is not much I can do about this as the bad actors will always find a way to counter the counter measures. I have however decided to provide hashes for dnSpy releases going forward on the releases page so it is easier to verify the download. However this won’t help much as these bad actors do a lot of get their malicious websites to the top of the search results and the information about malicious downloads won’t be seen there.

If you have any ideas on how to better circumvent this other then raising awareness and reporting the malicious websites to hosting providers and search engines then I would gladly like to hear them.

To finish of, it’s worth mentioning that the downloads from the Releases section and the builds from the CI server of this repository are the only supported and verified dnSpyEx versions.

[mitchcapper]

This will be an issue with any popular project but I think dnSpy is a bit more at risk due to the history and current fragmentation.

• Searching github for dnspy does not show this in the first 10 pages by default (no idea why on that one)
• Searching github for dnspyex returns only 6 results, none are you as dnspyex is only in the repo user (which it doesn't consider value in a repo search).
• Searching google for dnspy and one cannot find this repo on the first 6 pages. Google doesn't even show the "More results from github.com ..." for me for some reason.
• The official project being discontinued without stating a successor fork means users have to try and search harder for a fork.
• Even if you know it is called dnSpyEx if you search on google for this, it autocorrects to dnspy and that has the problem of bullet 1.
• If you tell google no no you really mean dnSpyEx it lists this org first, but the first thing that looks like an actual repo is https://github.com/VNGhostMans/dnSpyEx/commits/master which is not properly forked, has its own 'latest releases' and clearly not right (see note below)
• There is only one release on this repo with a minor version increment. Someone looking for the latest release may miss this being it.

Potential recommendations

• Un-fork this repo, and make it a source repo instead. Github makes this quite easy now: https://stackoverflow.com/questions/38831301/how-to-un-fork-the-github-repository/66470086#66470086 . There are several benefits with github and search engines. Github by default excludes forks from several things.
• Consider renaming the repo/ui to dnSpyEx. This is already how it is referred to often, but this would make it easier to find and issues easier. If not it may be worth just assuming spot as the "Official, Unofficial" continuation of dnSpy. Looking at the work being done this is the massive source of development.
• Add a note to the start of the README mentioning the situation ie: "dnSpyEx is the unofficial continuation of the original dnSpy/dnspy debugger that was archived by the lead in 2020." There is the about on the side but may be missed.
• Consider adding a note about CI beta builds with a link and disclaimer like "beta builds may have some (or all) features broken and are for testing purposes only". There are no other official distribution methods/websites of this repo oterr than the CI system or the Releases page.

Semi-unrelated side note:
The https://github.com/VNGhostMans org is highly suspect. At first it looks like someone who just doesn't know how to use git or github, committing up large other repos in their own commits. They had properly forked things in the past though. In addition you look at the 'commits' being made by them (all of which are only to orgs they control) and they are odd. Why are the pinning their odd forks/mirrors and even going as far as instantly "archiving" repos to make it look like the official: https://github.com/VNGhostMans/dnSpy. Why are they pointing in a readme to the old dnSpy as their personal copy: https://github.com/VNGhostMans/dnSpyEx/commit/5d1ab25a3286df349d6bcb079ff26ec2f04ddd91 Why are they making app releases mirroring official release names and even modifying the release descriptions: https://github.com/VNGhostMans/ScyllaHide/releases/tag/v1.4.750-7e648fb vs https://github.com/x64dbg/ScyllaHide/releases . They also have a second org that has done very similar with many other github projects: https://github.com/Obfuscator-Collections

Maybe there is some way this is done without malicious intent. I can't think of how, even someone very 'fresh', wouldn't make these changes for innocuous reasons. Honestly if I was trying to get malware out there stealth cloning, with some artificial history, cross linking between my repos, and faux releases that look real would very much seem like an effective way. I didn't take the time to compare the binaries (although they at least repackaged some of them from the official archive) for anything suspect. There is 100% the option though in the future to make a "Release" that looks legit but has one slightly modified file in it, that someone may not notice if they didn't directly compare with the actual official release.

[ElektroKill]

Hi,
First of all sorry for the rather late response.

• Searching github for dnspy does not show this in the first 10 pages by default (no idea why on that one)
• Searching github for dnspyex returns only 6 results, none are you as dnspyex is only in the repo user (which it doesn't consider value in a repo search).
• Searching google for dnspy and one cannot find this repo on the first 6 pages. Google doesn't even show the "More results from github.com ..." for me for some reason.

This is because GitHub does not index repositories that are forked from a different one.

• The official project being discontinued without stating a successor fork means users have to try and search harder for a fork.

I do not have any control over the dnSpy repository so I cannot really add a notice there and the original developer seems to have lost interest in dnSpy.

• Even if you know it is called dnSpyEx if you search on google for this, it autocorrects to dnspy and that has the problem of bullet 1.

dnSpy is searched for more often than dnSpyEx so Google may think that dnSpyEx is a typo. Although it may also be caused by the poor indexing and SEO for forks on GitHub's side.

• If you tell google no no you really mean dnSpyEx it lists this org first, but the first thing that looks like an actual repo is VNGhostMans/dnSpyEx@master (commits) which is not properly forked, has its own 'latest releases' and clearly not right (see note below)

I'm puzzled by the existence of this repository too. More on this later.

• There is only one release on this repo with a minor version increment. Someone looking for the latest release may miss this being it.

There will be more releases in the future, I'm just very busy with school so I don't have much development time :)

• Un-fork this repo, and make it a source repo instead. Github makes this quite easy now: stackoverflow.com/questions/38831301/how-to-un-fork-the-github-repository/66470086#66470086 . There are several benefits with github and search engines. Github by default excludes forks from several things.

I have considered this but I haven't committed to doing it as I don't want people to be misled thinking this is some new project inspired by dnSpy but rather just a straight continuation. I know this causes a major sacrifice when it comes to SEO and discoverability of this project which may cause a lot of confusion. I hope that with time Google will get better at picking up this repository as a thing. I'm quite disappointed that the only way to improve indexing and SEO for forks is to either get more stars than the original (let's face it this will probably never happen) or unforking the repository.

• Add a note to the start of the README mentioning the situation ie: "dnSpyEx is the unofficial continuation of the original dnSpy/dnspy debugger that was archived by the lead in 2020." There is the about on the side but may be missed.
• Consider adding a note about CI beta builds with a link and disclaimer like "beta builds may have some (or all) features broken and are for testing purposes only". There are no other official distribution methods/websites of this repo oterr than the CI system or the Releases page.

Will do this shortly!

Regarding the VNGhostMans repository, I agree that it does look very fishy, I will try to contact the owner as to what his intent behind it is and why he has not just contributed his language changes through crowdin like everyone else. The last thing I want is for the name "dnSpyEx" to be linked with malware.

[hymccord]

I have an pro to un-forking. Submitting PRs to this repo is a PITA. When I click 'Create Pullrequest' in this repo, it automatically redirects me back to the original (now archived) repo and every time I have to edit the URL manually to submit a PR here because I haven't found a way to it without that. I think un-forking would fix that.

[mitchcapper]

Agree with your points and certainly several are out of the project's control.

I think de-forking would help a good number of issues and any sort of concern over confusion you can address (similarly to what you just did) in the readme which should hopefully suffice for most users.

We already know github treats forks as second class citizens and it is not hard to assume google does the same to some extent. Aside from the lack of github features, a big one that is also disabled is searching of code from the searchbox even when on the project page. I use git grep plenty, but there are also a good number of times I search on GH instead. Searching the dnSpy repo right now somewhat suffices but the further this diverges the less and less useful that already inconvenient solution is.

[VNGhostMans]

Hello everyone.
After reading the discussions, it seems people are suspicious about my Github dnSpyEx project.
I can present the following:
This project is similar to the dnSpyEx project that ElectrollKill is developing 99.99% of, the other 0.01% as it says in the README.md that this project supports more Vietnamese language. Everything is the same in the dnSpyEx project. And I promise the source code is 100% clean. As for why I don't contribute to ElectroKill's dnSpyEx project, it's because I don't know much about it :D. And second, it's very difficult for newbies to know how to build it, as they don't know where the subfolders are located. This dnSpyEx project of mine (my calling is also incorrect because the original code is from ElectroKill, I have included the original link in the description) is a full project, I have updated every subfolder, as well as the build it. Also a lot of people are concerned that this project contains malicious code, but no, you see, it's completely open-source, you can check each file by yourself if you have free time. I always keep everything up to date, so this project is always updated as soon as ElectroKill updates dnSpyEx. Thanks for liking and knowing me.
As for why you can easily search my dnSpyEx repo? I don't know :D
I'm not forcing anyone to use my dnSpyEx releases, but I can assure you that my dnSpyEx repo is 100% clean. As for the reason why I didn't fork the dnSpyEx repo, it's as I stated above. Thanks!

[VNGhostMans]

Ahhh, so now what I need to do is label the current releases available on my Github as unofficial releases. I think this will let the user know that the release available on my Github is a clone from the original project. To the question that people suspect that I am the bad guy, the versions I release contain malicious code, I would like to present the following:

• My Github is geared towards new Github users like me.
• My Github is a repository, not a place where I work.
• All my Github projects are clones and of course attached releases are clones only.
• IMPORTANT IS MY GITHUB PROJECTS ARE COMPLETELY CLEAN, IF YOU ARE IN DOUBLE, YOU CAN ANALYZE IT IT YOURSELF, I WILL NOT HAVE TO EXPLAIN LONGLY BECAUSE YOU WILL THINK I'M ONLY REASONING IT MY LICENSE ACTION.
  Any questions you and others can ask me, I will answer in my spare time.
  Postscript:
• I'm really annoyed when my Github projects are discussed and suspected of containing malicious code. I know you're just doing this out of precaution and I don't blame you at all. What I need to do is explain. And I already explained.
• And I hope people can understand me, believe in it instead of doubting and gossiping about my projects. Thanks. Have a nice day.
• My English is not good, I use Google translate to be able to communicate with you, so if there are mistakes, please forgive me.
  VNGhostMans

[mitchcapper]

Thanks again for the reply, and I think I have provided more than a welcome amount of feedback. As you mentioned it is your github account and projects, so run them as you like. Wish you the best and thanks for helping contribute!

[VNGhostMans]

More and more bad guys take advantage of the fact that large software has open source code on Github, from which those bad guys can insert malicious code and spread it to users. It's not wrong for you to suspect me of being a bad guy, because you don't know who I am, and what is my purpose in not fork the repo like a normal person would. Thank you for understanding what I'm doing. Thanks. Have a nice day.

[Lynnolium]

MD5 and SHA1 signatures help verify that the build/binaries downloaded are legit. Unfortunatly very few outside of the serious coder bother to do that check.

[mitchcapper]

Yeah but if the repo you are looking at you think is the official repo, checking the hashes they list won't help you.