Yay, mainstream! – and trojaned GIMP installers

This post describes a malware attack using a malicious download link for GIMP for Windows. You can trust this link, it’s the Source.

And now the WARNING!

(The title and the following text have been stolen by me from Michael Schumacher at the GIMP Developers Mailing List and GIMP Users Mailing List.)

Hi,

recently, we’re seeing more and more signs of GIMP becoming mainstream – the availability of several GIMP installers for the Microsoft Windows platform loaded with trojans is certainly an indication of that.

The most common trojan seems to be InstallIQ. A piece of software that grants the providers of the actual installers plausible deniability, because the installers themselves are clean, and because the user has to agree to install additional “utilities” during setup.

Case 1:

Step 1: the victim is sent a scam mail pointing to a file at photo-host.net/ (which disguises itself as an image upload site).

Step 2: the files provided there are .gmp files (huh?)

Step 3: for viewing those files, there’s a link to gimphost.com, where the infected installer is located.

Case 2:

Another victim or culprit of a related scam seems to be the gimpshop.com site, which used to host a modified version of GIMP which resembled the Photoshop UI. Either its original author has gone to the Dark Side, or that site has been taken over by a scammer – it is distributing InstallIQ-infected installers.

Advice:

If you see any GIMP installer sites which have a fine print with phrases like

“is distributing a modified installer which is different from the original ones”

or

“InstallIQ”

or

“the installer is compliant with the original software manufacturer’s policies”

then do the following:

STAY AWAY FROM THEM!

And now it’s me again. InstallIQ does not seem to be a trojan as such, but an installer wrapper that pays the hosters some money. Because it can load additional software onto the system, it is generally considered a risk to the security of the system.

Anything to add from your side of the computer?

    • “The GIMP team doesn’t officially provide any Windows binaries.”

      Please read Rolf’s post and the GIMP website slowly and you will find the answer to your question.

      • I think this was more a rhetorical question by nachbarnebenan. ;-) But I’ll put a link to the “official” download site into the posting.

          • When someone who doesn’t know what GIMP is is told at the scam site that it’s the only way to view a file, and is then presented with an easy “one click away” installation of GIMP, then people click. They don’t go through “EXTRA” effort to simply install GIMP. Even if they did, GIMP doesn’t have a viewer plugin to make the site work. Some may even go back to try to install this mystery plugin “by GIMP”. It’s called a scam.

  1. Pingback: Links 12/8/2012: CDE Open-Sourced, Wikileaks Exposes TrapWire | Techrights

  2. There’s also picsoft.org being used as a photo storage site. The rest of the process is the same though. You’re taken to gimphost.org and asked to download the infected software. There might even be affiliates getting paid to distribute this… I noticed the “photo ID” number you input is also the same number in the URL directed to gimphost.org.

    In other words, I get a message saying, from an ad I posted on Craigslist for “Item’s Wanted” — the message says, if this is what you’re looking for, they’re yours!

    The link goes to picsoft.org where I’m asked to put in a photo ID. I input “922wtm” (the photo ID number I received).

    The files can’t be downloaded because you need GIMP.

    Click the link….

    I wind up at http://gimphost.org/?u=922wtm

    So 922wtm being at the end of the URL tells me that there may even be some sort of affiliate model being used to promote this.

    Beware!
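As an added defender-side example (not part of the post or its comments), the lure-to-landing chain described in this thread can be spotted in web proxy logs by correlating the photo code in the lure URL with the `?u=` code on the download site. The log lines, the client IPs and the pixsend.org to gimpx.org pairing are constructed for illustration; the host names and photo codes are the ones quoted on this page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Lure ("photo hosting") and landing ("GIMP download") hosts named in the post and comments.
# picsend.net is left out on purpose: the comments say it is an uninvolved look-alike.
LURE_HOSTS = {"photo-host.net", "picsoft.org", "pixsend.org", "pic-send.com",
              "pic-msg.com", "pic-msg.net", "pixmsg.net"}
LANDING_HOSTS = {"gimphost.com", "gimphost.org", "gimpx.org", "gimpx.com"}

# Constructed proxy log, one "<timestamp> <client-ip> <url>" record per line. The client
# IPs and the exact sequence are invented; hosts and photo codes come from the comments.
SAMPLE_LOG = """\
2012-08-12T09:01:10 10.0.0.5 http://pixsend.org/?photo=636YWT
2012-08-12T09:02:03 10.0.0.5 http://gimpx.org/?u=636YWT
2012-08-12T09:02:40 10.0.0.5 http://gimpx.org/files/gimp-setup.exe
2012-08-12T09:05:00 10.0.0.7 http://www.gimp.org/downloads/
2012-08-12T09:06:12 10.0.0.9 http://pic-send.com/?photo=439BWT
2012-08-12T09:07:00 10.0.0.9 http://gimphost.org/?u=922wtm
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def find_lure_chains(log_text):
    """One finding per client that opened a lure page with a photo code and then hit a
    landing host whose ?u= parameter carries the same code (the affiliate-style tracking
    observed in comment 2), plus any .exe later fetched from that landing host."""
    pending = {}    # client -> (code, lure host) waiting for a matching landing request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        qs = parse_qs(parsed.query)
        if host in LURE_HOSTS and "photo" in qs:
            pending[client] = (qs["photo"][0].lower(), host)
        elif host in LANDING_HOSTS and "u" in qs and client in pending:
            code, lure = pending[client]
            if qs["u"][0].lower() == code:
                findings.append({"client": client, "code": code, "lure": lure,
                                 "landing": host, "first_seen": ts, "exe": None})
        elif host in LANDING_HOSTS and parsed.path.lower().endswith(".exe"):
            for f in findings:
                if f["client"] == client and f["landing"] == host and f["exe"] is None:
                    f["exe"] = url
    return findings
```

The second client (10.0.0.9) visits both a lure and a landing host but with unrelated codes, so it produces no finding; a real deployment would probably still flag any visit to the landing hosts on its own.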

  3. I was stupid and clicked/downloaded :( Does anyone know what I should do now? I uninstalled GIMP, was that the only threat?

    • From what I understand it’s the EXTRA stuff you didn’t hit decline on that is the problem. GIMP Portable 2.80 is legit (and outdated). Just uninstall all software that was installed on the same day GIMP was. Or do what I did to my roommate’s comp and roll back to an earlier restore point.

  4. Yep, I stupidly did the same. PayPal just called and some guy from Indonesia just tried to buy a $335 stereo system. I ran Avast and Adware immediately after deleting the file, with no hits.

  5. pixsend.org seems to be loaded with trojans as well! Stay away! What a pain to remove, and I was just trying to view some pictures that someone sent me a link to via a Craigslist ad. Beware of unknown folks sending links to “pictures”.

    • Got the pixsend link this morning from someone responding to my ad on CL, looked fishy to me and after a quick search my suspicions were confirmed. Be wary, people!

      • This happened to me this morning. I sent a warning to others in the want ads on CL that explained:

        ‘I posted a wanted ad for some dollhouse furniture. I got a text message from the phone number (269) 841-5069 which read:

        “Hi, regarding your Wantted
        ad in craigslist will this
        work for you? <>http://pixsend.org/?
        photo=636YWT If so, lets
        talk. Thanks”

        It had photos attached that require GIMP to open them but it takes you to a fake GIMP software download page. BEWARE! It is some kind of MALICIOUS EXE. FILE. When you call the number it of course is just a dial tone, no real person at the other end. I don’t know how to report this so I am trying to warn all of you.’

        • I got this same thing this morning; luckily my comp told me it was malicious software, so I quit and researched it. Thanks for your help.

          • I got the pixsend scam from Craigslist this morning. I am really glad I am naturally suspicious, lol. “Just because you’re paranoid doesn’t mean there isn’t an invisible demon waiting to eat your face.” – Harry Dresden.

  6. Wow, I’m sure glad I don’t trust anything anymore. I had an ad for my mobile website business on CL, and got a reply asking me if I could do this… with a link to pixsend, and said they needed a quote right away. So this is not a bot, but a human doing this crap.

    When I went to the pixsend I saw it was to gimpx.org, so before I downloaded I searched for gimp (I’d heard of it but never used it), found the real gimp, then found this blog (Thank you).

  7. I also received a pixsend text this morning from the barter side of CL. The file wouldn’t upload on my phone, which I thought was weird, and it asked me to try from a computer. It seemed suspicious, so I googled it and I found this site. Thanks.

    • picsend.net seems to be a victim as well, given that they have the following notice up on their pages:

      ‘Notice: There have been reports of emais being sent to Craigslist ads and text messages directing users to pic-send.com with a corresponding “Sender’s Code.” PicSend.net is in no way affiliated with these messages or “pic-send.com.”‘

      ——

      Dear NSA, you should have more than enough data to track that scum down, and the means to end them almost everywhere. And you are in need of some good press. How about some Win-Win operation?

  8. Yeah, I did the same thing like an idiot and downloaded it, but in Delete Programs there was no program downloaded today or anything that I didn’t know exactly what it was. I’m thinking maybe my antivirus stopped the download, because there’s no trace it ever took place? If I did download it though, what are the risks? I mean, what is the “end plan” for this scam? Are they hacking into my computer to take my bank info and stuff? Please let me know, someone; I’ve been worried all day after reading this forum. Thank you in advance!

  9. They might not be after your own data – although they certainly can scrape it as an additional benefit – but more interested in using your computer as part of a botnet (https://en.wikipedia.org/wiki/Botnet) to do some large-scale operations. Like sending out more of those scam messages, hosting a network of fake banking sites, …

    If your system is part of a botnet, then your ISP might decide to block you out until the infection is cleared. That depends on their policies, of course. The absolute extreme could be seizure of your computer by the authorities, but that should require some serious crime and an evidence trail leading to you.

    Reinstalling your system and restoring your data from an existing backup (one that was made before you downloaded the file) is the only option to fix this for sure, unfortunately.

  10. Got my text message this morning pointing to an attached picture at http://pic-send.com/?photo=439BWT. Clicked on the download installer plugin and it takes you to gimpx.com offering an installer .exe. I was blind to the .gmp extension at first, but what got me suspicious was that the site didn’t detect my OS version – Linux. Browsed authentic Firefox plugins and didn’t see one for the GIMP. 4th result after googling “gimp firefox plugin” I see the words Yahoo and Malware. Phone number was 2074208514 btw.

  11. yupp

    Just got my first virus spam from CL

    sent me to site called Pic-Msg.com

    Same exact thing

    Clicked it like a dumbfuck and “downloaded”

    When it finished DL’ing my laptop said it wasn’t compatible WIN-32 software.

    nice try, guy.

    • I received one on my cell phone from Pic-msg.net in response to an ad for our lost dog on Craig’s List. Was yours from .com or .net? What is the goal of these individuals?

      • The ultimate goal: money.

        The immediate goal is to gain remote control over as many systems as possible, in order to use them as tools for the ultimate goal.

        Monetizing schemes for remotely controlled systems are legion – from extorting money from the affected users themselves as compensation for unlocking their suddenly locked-down system, to renting them out as a cloud computing platform for various tasks.

  12. Same for me, got one from Craigslist that tried getting me to go to pixmsg.net.

    Dirtbag’s number is 904-800-7720, avoid it if you run into it.