Whew! Curvemeister.com was not hacked

New versions of Curvemeister, including bug fixes and features, are discussed here.
-default
Posts: 1916
Joined: Thu Mar 26, 2015 1:53 am

Postby -default » Sat May 03, 2008 9:07 am

Bitdefender responded with the following message re the possibly hacked version of the curvemeister download:

Dear Mike Russell,

Thank you for your interest in our security solution, BitDefender.

It was indeed a false positive. We have removed detection for this file. In a
few hours the updated signatures will be released through automatic updates
and BitDefender will stop detecting the file.

Best regards,
Iulian Ivanov
BitDefender Technical Support Engineer


I'll be reorganizing the site a bit over the next week or so, to remove some of the loopholes that might have been exploited by hackers.  In particular, we are considering a new photo gallery with better support for contests, and voting for images.

I'll leave the remainder of this thread in place for a few days, for those who are interested in what  happened, or more precisely, didn't happen.
==============================================================

The curvemeister site may or may not have been hacked.  At the moment, I'm verifying whether an actual virus infection took place or not, or this was just a false positive from the bitdefender virus software.  At this moment, I am thinking it was the latter, while still taking a cautious approach.

The rest of this message reflects my concerns as of May 1, 2007.  Please skip to the end of this thread for the latest news.

The download image for curvemeister version 1.0.1 may have been infected with a virus for several days, from April 27 to May 1, 2008.  Naturally, this is a matter of great concern.  Here is what I know so far.

The attacker probably accessed curvemeister.com by using a security loophole in the forum or gallery software. I have updated the forum software, and contacted customers who may have been affected, and I believe that no one was actually affected by the virus.  As an extra precaution, the curvemeister gallery is off line for the time being. 

In spite of these efforts, it is still possible that the attacker may return, and modify software that you might download from the site.  If you do not have virus software I recommend the free version of AVG, available from www.grisoft.com .

If you have downloaded curvemeister during the time mentioned above, or have any questions about your downloaded copy of Curvemeister, please email me at mike@curvemeister.com.

derekfountain
Posts: 251
Joined: Fri Jan 26, 2007 1:24 pm

Postby derekfountain » Sat May 03, 2008 10:32 am


In spite of these efforts, it is still possible that the attacker may return, and modify software that you might download from the site.  If you do not have virus software I recommend the free version of AVG, available from www.grisoft.com .


Can you include an MD5 checksum for the executable in the announcement post? I know most people don't bother verifying them, but for those of us that do it would provide a level of security.

-default
Posts: 1916
Joined: Thu Mar 26, 2015 1:53 am

Postby -default » Sat May 03, 2008 7:21 pm

Good idea Derek.  Here are the md5 values as of today, May 3, 2008.

It is unlikely, but still possible, that the hacker may modify this message, and the included md5 values, as well.  For a fresh copy of the current md5 values, please email mike AT curvemeister.com

AcrChecker.exe                     9964802e88d520abece4d4ebce8332bd
Curvemeister3-3.0.1a.exe           cc831f86578d59ee02a834f5a6fcb724
Curvemeister3Demo-3.0.1.1.exe      5a061567f0d207464e0a04f87d8a4781
Curvemeister3e-3.0.1a.exe          d2c7b60b8b31859c20411001369b9fcd
Curvemeister_3-3.0.8.exe           376a761968e687f9ceb6e944e767694e
Curvemeister_3_Elements-3.0.8.exe  4576e9571562597c7ec1b48129197286


mikemeister_admin
Posts: 4927
Joined: Fri Sep 20, 2013 8:29 pm

Postby mikemeister_admin » Sat May 03, 2008 9:20 pm

Verify them, I do not even know what they are! ???

-default
Posts: 1916
Joined: Thu Mar 26, 2015 1:53 am

Postby -default » Sun May 04, 2008 12:00 am

Barry,

I should have made it clearer that there is no need to verify the numbers.  The numbers are for people who know what an md5 checksum is, and are interested in having a quick way to verify the files.

-default
Posts: 1916
Joined: Thu Mar 26, 2015 1:53 am

Postby -default » Sun May 04, 2008 8:08 am

At least two people have reported downloading a possibly virus infected installer for Curvemeister 3, version 3.0.1.  Curvemeister 3 for Elements was not affected by the virus.

Bitdefender detects the virus, but it may not be detected by other virus scanners.  Avast and AVG do not report a virus when scanning the file in question.  I am in the process of determining whether this is a genuine virus, which is likely, or a quirk in the way bitdefender works.

In the meantime, I recommend that you play it safe. If you installed the original Photoshop and Elements version 3.0.1 of Curvemeister 3, install and run Spyware Doctor, available as a free download from Google, which claims that it will find and remove the virus.  As is the case with many adware scanners, Spyware Doctor may report a large number of warnings and "infections" that are not really significant.  In this case, we are concerned with finding trojan.generic only.

A free version of Spyware Doctor is available here (windows xp and vista):
http://pack.google.com/

For windows 2000 and earlier, download the trial version, which will detect trojan.generic, but not fix it, for your particular OS here:
http://www.pctools.com/

If Spyware Doctor reports the Trojan.generic virus on your system, please post here, or email mike AT curvemeister.com.  I expect to have other recommendations for detecting and fixing this problem, should the virus turn out to be genuine.

This is a serious matter, and I have taken several steps to try to ensure that this does not happen again.

derekfountain
Posts: 251
Joined: Fri Jan 26, 2007 1:24 pm

Postby derekfountain » Sun May 04, 2008 9:41 am


Verify them, I do not even know what they are! ???


MD5 is a mathematical process that boils a large chunk of data down to a single number (called a "hash"), like the ones Mike has posted. The process is designed such that any change to even 1 bit of the data will see it give a different MD5 hash. Furthermore, the algorithm is such that it is impossible (or at least computationally impracticable) to change the data in a way such that it returns a specified MD5 hash of someone's choosing.

Mike has calculated the MD5 hashes of the original files and posted them here. When you download the file you can calculate the hash yourself and if it's different to what Mike says it should be you know the file has been changed. If an attacker does change the file there's no way they can modify it such that an MD5 run on it will return Mike's original hash value.

An MD5 calculator is a standard feature of sensible OSes like Linux and people do tend to use them. I don't think Winders comes with one but there are dozens of free ones out there.
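
The check described above, as an added example that is not part of the original thread: a Python script that parses a "filename hash" list in the layout Mike posted, hashes each downloaded file and reports OK, MISMATCH or MISSING. The function names and the demo files are constructed for illustration, and it goes slightly beyond the thread by also accepting 64-character SHA-256 digests.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGOS = {32: "md5", 64: "sha256"}
LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)$")

def parse_manifest(text):
    """Parse 'filename  hexdigest' lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and len(m.group(2)) in ALGOS:
            entries[m.group(1)] = m.group(2).lower()
    return entries

def file_digest(path, algo):
    """Hash a file in 64 KiB chunks so large installers are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(directory, manifest_text):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        # basename() keeps a manifest entry from pointing outside the directory.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, ALGOS[len(expected)])
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results

def demo():
    """Constructed sample: dummy 'installers', one altered after publishing."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("good.exe", "tampered.exe"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed installer bytes")
        published = hashlib.md5(b"constructed installer bytes").hexdigest()
        manifest = f"good.exe  {published}\ntampered.exe  {published}\nabsent.exe  {published}\n"
        with open(os.path.join(d, "tampered.exe"), "ab") as fh:
            fh.write(b"\x00")  # a single appended byte changes the hash
        return verify(d, manifest)
```

The manifest text should come from a channel the download server cannot alter, such as the e-mail Mike offers, since a list posted on the same site can be edited along with the files.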

-default
Posts: 1916
Joined: Thu Mar 26, 2015 1:53 am

Postby -default » Mon May 05, 2008 12:05 am

The previous report of a virus may have been a false alarm where bitdefender found a trojan, and other virus programs did not.

Cautious optimism at this point.  If this turns out to be the case, I am both very relieved and a little embarrassed.

I have put the original installer back in place, and the md5 for the 3.0.1a installer is now d2c7b60b8b31859c20411001369b9fcd


ggroess
Posts: 5342
Joined: Wed May 24, 2006 2:15 am

Postby ggroess » Mon May 05, 2008 1:30 am

No need to be embarrassed.  We would all prefer that the Web be a safe place but sadly it is just this kind of event that makes everyone take a bit more notice.

Thanks for being upfront and honest in the continuing assessment of whatever turns out to be the truth.

Greg

-default
Posts: 1916
Joined: Thu Mar 26, 2015 1:53 am

Postby -default » Mon May 05, 2008 7:03 pm

Bitdefender responded with the following message re the possibly hacked version of the curvemeister download:

Dear Mike Russell,

Thank you for your interest in our security solution, BitDefender.

It was indeed a false positive. We have removed detection for this file. In a
few hours the updated signatures will be released through automatic updates
and BitDefender will stop detecting the file.

Best regards,
Iulian Ivanov
BitDefender Technical Support Engineer


I'll be reorganizing the site a bit over the next week or so, to remove some of the loopholes that might have been exploited by hackers.  In particular, we are considering a new photo gallery with better support for contests, and voting for images.

