Malware in Strawberry Perl v5.10.1.2

Discussion in 'Perl Misc' started by whitesmith, Nov 4, 2010.

  1. whitesmith

    whitesmith Guest

    On 2010-07-24 I uninstalled ActiveState Perl and installed Strawberry
    Perl v5.10.1.2, largely on the strength of the webpage's implied
    indorsement by Larry Wall: "When I'm on Windows, I use Strawberry
    Perl." I hope you don't really use this implementation, Larry, because
    a couple weeks after the install I got a call from American Express
    about several bogus charges to my card--including a $1 charge by a
    site called strawberry.com (not strawberryperl.com, the site from
    which I downloaded the product). $1 charges seem to be the preferred
    method used by scammers to test a card's validity: if the small charge
    goes through, these dudes pounce and run it up to the max in an hour
    or so. Amex is wise to the trick so they immediately cancelled the
    card and sent me a new one with a different number.

    I ran ZoneAlarm against the installation and it found bad boys called
    Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe. Naturally
    when I installed the product I didn't think too much about giving it
    'Net access for auto-update purposes, which probably explains how it
    was able to grab a credit card number and call home without detection.

    *Don't use this product!!* I've gone back to ActiveState and I intend
    to stay with it, with or without a recommendation from Wall.
    whitesmith, Nov 4, 2010
    #1

  2. whitesmith

    whitesmith Guest

    On Nov 4, 7:04 am, whitesmith <> wrote:
    > On 2010-07-24 I uninstalled ActiveState Perl and installed Strawberry
    > Perl v5.10.1.2, largely on the strength of  the webpage's implied
    > indorsement by Larry Wall: "When I'm on Windows, I use Strawberry
    > Perl." I hope you don't really use this implementation, Larry, because
    > a couple weeks after the install I got a call from American Express
    > about several bogus charges to my card--including a $1 charge by a
    > site called strawberry.com (not strawberryperl.com, the site from
    > which I downloaded the product). $1 charges seem to be the preferred
    > method used by scammers to test a card's validity: if the small charge
    > goes through, these dudes pounce and run it up to the max in an hour
    > or so. Amex is wise to the trick so they immediately cancelled the
    > card and sent me a new one with a different number.
    >
    > I ran ZoneAlarm against the installation and it found bad boys called
    > Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe. Naturally
    > when I installed the product I didn't think too much about giving it
    > 'Net access for auto-update purposes, which probably explains how it
    > was able to grab a credit card number and call home without detection.
    >
    > *Don't use this product!!* I've gone back to ActiveState and I intend
    > to stay with it, with or without a recommendation from Wall.


    DLed directly from the big red strawberry. No mistake about it. I'm
    quite careful about what and from whom I download.
    whitesmith, Nov 4, 2010
    #2

  3. whitesmith

    Uri Guttman Guest

    >>>>> "w" == whitesmith <> writes:

    w> On Nov 4, 7:04 am, whitesmith <> wrote:
    >> On 2010-07-24 I uninstalled ActiveState Perl and installed Strawberry
    >> Perl v5.10.1.2, largely on the strength of  the webpage's implied
    >> indorsement by Larry Wall: "When I'm on Windows, I use Strawberry
    >> Perl." I hope you don't really use this implementation, Larry, because
    >> a couple weeks after the install I got a call from American Express
    >> about several bogus charges to my card--including a $1 charge by a
    >> site called strawberry.com (not strawberryperl.com, the site from
    >> which I downloaded the product). $1 charges seem to be the preferred
    >> method used by scammers to test a card's validity: if the small charge
    >> goes through, these dudes pounce and run it up to the max in an hour
    >> or so. Amex is wise to the trick so they immediately cancelled the
    >> card and sent me a new one with a different number.
    >>
    >> I ran ZoneAlarm against the installation and it found bad boys called
    >> Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe. Naturally
    >> when I installed the product I didn't think too much about giving it
    >> 'Net access for auto-update purposes, which probably explains how it
    >> was able to grab a credit card number and call home without detection.
    >>
    >> *Don't use this product!!* I've gone back to ActiveState and I intend
    >> to stay with it, with or without a recommendation from Wall.


    w> DLed directly from the big red strawberry. No mistake about it. I'm
    w> quite careful about what and from whom I download.

    still, your opinion isn't much given all the others who use strawberry
    perl without such issues. that means it is likely something on your box
    that did this and not the download.

    uri

    --
    Uri Guttman ------ -------- http://www.sysarch.com --
    ----- Perl Code Review , Architecture, Development, Training, Support ------
    --------- Gourmet Hot Cocoa Mix ---- http://bestfriendscocoa.com ---------
    Uri Guttman, Nov 4, 2010
    #3
  4. whitesmith

    sisyphus Guest

    On Nov 4, 6:04 pm, whitesmith <> wrote:

    > I ran ZoneAlarm against the installation and it found bad boys called
    > Worm.Win32.c* in both xmlcatalog.exe and \bin\dmake.exe.


    Yes, I prefer ActivePerl - and if you 'ppm install MinGW' first, then
    you can pretty much build any module that ships with Strawberry Perl
    anyway. (Mind you, however, some of those modules aren't all that
    trivial to build.)

    Anyway, I've just downloaded
    http://d10xg45o6p6dbl.cloudfront.ne...ry-perl/strawberry-perl-5.10.1.2-portable.zip
    and extracted it.

    ClamWin couldn't find any malware in either of those files (or
    anywhere else in the Strawberry distro, for that matter).
    Maybe I should switch to using ZoneAlarm ;-)

    Incidentally, I get the following hashes for xmlcatalog.exe:

    MD5: b39677b4d1731a888c909f0e4d86cf36
    SHA1: e30df004575008b9b53efc99863c81121b60b01a
    SHA256: f62576f055199e4a7dba50e8e1a581834b4dcc17208ce14ba337573c588bd36b

    and the following for dmake.exe:

    MD5: 6ba036e4ea092150bf860fc3d9bb86dc
    SHA1: b722621998333fe53190ccf6296984b120f94ccc
    SHA256: c48149051ab3393caba80d9882158b958df5825d7405a417401f638af89ed3dc

    If you're getting different for those files, then I suggest that
    something has corrupted them.
    I don't for one moment believe that those files are corrupted at their
    source.

    Cheers,
    Rob
    sisyphus, Nov 4, 2010
    #4
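
The comparison suggested in the post above can be scripted. This is an added example, not part of the original post: it hashes every copy of the two files found under an install directory and compares them with the digests quoted there. The function names and the directory argument are assumptions made for the illustration.

```python
import hashlib
import hmac
from pathlib import Path

# Digests quoted in the post above for the 5.10.1.2 portable zip contents.
EXPECTED = {
    "xmlcatalog.exe": {
        "md5": "b39677b4d1731a888c909f0e4d86cf36",
        "sha1": "e30df004575008b9b53efc99863c81121b60b01a",
        "sha256": "f62576f055199e4a7dba50e8e1a581834b4dcc17208ce14ba337573c588bd36b",
    },
    "dmake.exe": {
        "md5": "6ba036e4ea092150bf860fc3d9bb86dc",
        "sha1": "b722621998333fe53190ccf6296984b120f94ccc",
        "sha256": "c48149051ab3393caba80d9882158b958df5825d7405a417401f638af89ed3dc",
    },
}

def digests(path, algorithms=("md5", "sha1", "sha256"), chunk=1 << 16):
    """Read the file once in chunks, feeding every algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(path, expected):
    """Return {algorithm: matches?} for one file, or None if it does not exist."""
    p = Path(path)
    if not p.is_file():
        return None
    actual = digests(p, tuple(expected))
    return {a: hmac.compare_digest(actual[a], expected[a].lower()) for a in expected}

def check_install(root, expected=EXPECTED):
    """Find each named file anywhere under root and verify every copy found."""
    report = {}
    for name, want in expected.items():
        for hit in Path(root).rglob(name):
            report[str(hit)] = verify(hit, want)
    return report

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # install directory (assumed argument)
    for path, result in check_install(root).items():
        # A file passes only if every algorithm matches; MD5 alone is not sufficient.
        status = "OK" if result and all(result.values()) else "MISMATCH"
        print(f"{status:8} {path} {result}")
```

A mismatch only shows that the local file differs from the copy hashed in the post; a scanner hit on a file whose digests all match points to a false positive rather than a modified binary.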
  5. whitesmith

    Guest

    On Thu, 4 Nov 2010 06:04:01 -0700 (PDT), sisyphus <> wrote:

    >On Nov 4, 6:04 pm, whitesmith <> wrote:
    >
    >I don't for one moment believe that those files are corrupted at their
    >source.
    >

    ^^^^
    It would be a sad day indeed.

    -sln
    , Nov 4, 2010
    #5
