[SAC] Concerns about file

Hi,

I think this is a false alarm, but just in case… can you check?

---------- Forwarded message ---------
From: Lance Malone (c) <lmalone@sundt.com>
Date: Tue, Apr 30, 2019 at 11:13 PM
Subject: Concerns about file
To: info@osgeo.org <info@osgeo.org>

The file in question is at this URL: http://download.osgeo.org/osgeo4w/osgeo4w-setup-x86_64.exe

The reason why we are concerned is due to the following information. See the links below. I have several reported hashes which state that this exe contains viruses and possible ransomware. The hashes were collected from our sandbox (first link) and then we researched the hashes that were found within the EXE and found some questionable exes within the file.

https://www.hybrid-analysis.com/sample/b73f5981fca740beaa83e1b3382387c4a2d30304f3ed9772a2c37a3d846bec12/5cc8a2190288388b843e01c6

Lance Malone

Senior Security Engineer

o: 480-293-3241

c: 480-306-3207

w: Sundt.com

a: 2620 S. 55th Street, Tempe, AZ 85282

Calendar: https://bit.ly/2AUl5Wt


Hi,

On Wed, 01. May 2019 at 16:09:46 +0200, María Arias de Reyna wrote:

> I think this is a false alarm, but just in case... can you check?

Yes, the file hasn't been changed and matches the original - it's even signed
with the OSGeo certificate from DigiCert.

That's probably the reason why it (or better put, Windows) fetches data from
DigiCert. That it fetches data from download.osgeo.org isn't surprising at all
as that's its purpose.

I filed an "abuse report".

Jürgen

--
Jürgen E. Fischer norBIT GmbH Tel. +49-4931-918175-31
Dipl.-Inf. (FH) Rheinstraße 13 Fax. +49-4931-918175-50
Software Engineer D-26506 Norden https://www.norbit.de

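The check Jürgen describes (the download still matches the original and carries the OSGeo code-signing certificate) is the first thing worth automating before escalating a sandbox hit. The script below is an added example, not code from this thread or from OSGeo: it computes the full-file SHA-256 that sandbox reports such as the hybrid-analysis link key on, compares it with an expected value, and parses the PE header to find the Authenticode certificate table. It only detects whether a signature blob is present and of the PKCS#7 type; validating the chain, timestamp and signer name still requires `signtool verify /pa`, PowerShell's `Get-AuthenticodeSignature`, or `osslsigncode verify`. The sample PE, the certificate payload and the expected hash are all constructed inline so the script runs offline.

```python
import hashlib
import struct

# PE constants (from the PE/COFF specification).
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the certificate table


def sha256_hex(data: bytes) -> str:
    """Full-file SHA-256, the value sandboxes and download pages publish."""
    return hashlib.sha256(data).hexdigest()


def security_directory(data: bytes):
    """Return (offset, size) of the certificate table, or None if absent.

    Unlike other data directories, this entry holds a raw file offset, not an RVA.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: data directories start 112 bytes in
        dirs = opt + 112
    elif magic == 0x10B:      # PE32: data directories start 96 bytes in
        dirs = opt + 96
    else:
        return None
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs + 8 * num_dirs > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0 or offset + size > len(data):
        return None
    return offset, size


def triage(data: bytes, expected_sha256: str) -> dict:
    """Defender-side first check: does the file match, and is a signature blob present?"""
    result = {"hash_matches": sha256_hex(data) == expected_sha256.lower(),
              "has_signature": False, "signature_type": None}
    sec = security_directory(data)
    if sec:
        offset, size = sec
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
        result["signature_type"] = cert_type
        result["has_signature"] = length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
    return result


def build_sample_pe(with_signature: bool) -> bytes:
    """Constructed minimal PE32+ skeleton (headers only, not runnable) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + len(coff) + len(opt)             # 328 bytes
    cert = b""
    if with_signature:
        payload = b"constructed-pkcs7-placeholder!!!"        # stands in for the DER blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    signed = build_sample_pe(True)
    print(triage(signed, sha256_hex(signed)))
    tampered = signed[:-1] + bytes([signed[-1] ^ 1])
    print(triage(tampered, sha256_hex(signed)))
```

A hash mismatch means you are not looking at the published file and the sandbox verdict is moot until you obtain the original; a match plus a valid signature from the expected signer makes the DigiCert and download.osgeo.org contacts seen in the sandbox the expected revocation and download traffic rather than an indicator. Note that the tampered sample in the script still reports a signature blob as present, which is exactly why presence alone is not proof and the chain must be verified with the tools named above.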