Yay, mainstream! – and trojaned GIMP installers

This post describes a malware campaign that uses malicious download links for GIMP for Windows. You can trust this link; it is the source.

And now the WARNING!

(The title and the following text have been stolen by me from Michael Schumacher at the GIMP Developers Mailing List and GIMP Users Mailing List.)

Hi,

recently, we’re seeing more and more signs of GIMP becoming mainstream – the availability of several GIMP installers for the Microsoft Windows platforms loaded with trojans is certainly an indication of that.

The most common trojan seems to be InstallIQ. A piece of software that grants the providers of the actual installers plausible deniability because the installers themselves are clean, and because the user has to agree to install additional “utilities” during setup.

Case 1:

Step 1: the victim is sent a scam mail pointing to a file at photo-host.net/ (which disguises itself as an image upload site).

Step 2: the files provided there are .gmp files (huh?)

Step 3: for viewing those files, there’s a link to gimphost.com, where the infected installer is located

Case 2:

Another victim or culprit of a related scam seems to be the gimpshop.com site, which used to host a modified version of GIMP which resembled the Photoshop UI. Either its original author has gone to the Dark Side, or that site has been taken over by a scammer – it is distributing InstallIQ-infected installers.

Advice:

If you see any GIMP installer sites which have a fine print with phrases like

“is distributing a modified installer which is different from the original ones”

or

“InstallIQ”

or

“the installer is compliant with the original software manufacturer’s policies”

then do the following:

STAY AWAY FROM THEM!

And now it’s me again. InstallIQ does not appear to be a trojan in the strict sense but an installer wrapper that earns money for the sites hosting it. Because it can download and install additional software, it is widely considered a risk to the security of the system.

11 thoughts on “Yay, mainstream! – and trojaned GIMP installers”

    • “The GIMP team doesn’t officially provide any Windows binaries.”

      Please read Rolf’s post and the GIMP website slowly and you will find the answer to your question.

      • I think this was more a rhetorical question by nachbarnebenan. ;-) But I’ll put a link to the “official” download site into the posting.

• When someone who doesn’t know what GIMP is and is told at the scam site it’s the only way to view a file, then presented with an easy “one click away” installation of GIMP, then people click. They don’t go through “EXTRA” effort to simply install GIMP. Even if they did, GIMP doesn’t have a GIMP viewer plugin to make the site work. Some may even go back to try to install this mystery plugin “by GIMP”. It’s called a scam.

  1. Pingback: Links 12/8/2012: CDE Open-Sourced, Wikileaks Exposes TrapWire | Techrights

2. There’s also picsoft.org being used as a photo storage site. The rest of the process is the same though. You’re taken to gimphost.org and asked to download the infected software. There might even be affiliates getting paid to distribute this….I noticed the “photo ID” number you input is also the same number in the URL directed to gimphost.org.

In other words, I get a message saying from an ad I posted on Craigslist for “Item’s Wanted” — the message says, if this is what you’re looking for, they’re yours!

The link goes to picsoft.org where I’m asked to put in a photo ID. I input “922wtm” (the photo ID number I received).

The files can’t be downloaded because you need GIMP.

    Click the link….

    I wind up at http://gimphost.org/?u=922wtm

So 922wtm being at the end of the URL tells me that there may even be some sort of affiliate model being used to promote this.

    Beware!

• From what I understand it’s the EXTRA stuff you didn’t hit decline to that is the problem. GIMP Portable 2.8.0 is legit (and outdated). Just uninstall all software that was installed on the same day GIMP was, or do what I did to my roommate’s comp and roll back to an earlier restore point.
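The clean-up advice in the comment above (remove everything installed on the same day as GIMP) can be done systematically from the Windows uninstall registry keys. The script below is an added example, not code from the original post or from the GIMP project; it assumes Windows PowerShell 3 or later, and that the installers wrote an InstallDate value (format yyyyMMdd), which bundled “utilities” do not always do, so entries without a date are listed separately for manual review rather than dropped. The `-Anchor` parameter name is an assumption of this example.

```powershell
# Added example: list programs sharing a registry InstallDate with a given
# program (default: GIMP) so that software bundled into the same installer
# session can be reviewed and removed. Run from an elevated PowerShell.
param(
    [string]$Anchor = 'GIMP'   # assumed parameter: DisplayName substring to anchor on
)

# The three places Windows records per-machine (64-bit and 32-bit) and
# per-user uninstall entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keep only entries with a DisplayName; PSPath is retained so each hit can be
# traced back to its registry key.
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                  InstallLocation, UninstallString, PSPath

$anchorEntries = $entries | Where-Object { $_.DisplayName -like "*$Anchor*" }
if (-not $anchorEntries) {
    Write-Warning "No installed program matching '$Anchor' was found."
    return
}

# One program may have several entries (e.g. 32- and 64-bit); collect every
# distinct install date they carry.
$days = $anchorEntries |
    Where-Object { $_.InstallDate } |
    Select-Object -ExpandProperty InstallDate -Unique

if (-not $days) {
    Write-Warning "The '$Anchor' entry has no InstallDate; check the install folder timestamps instead."
    $anchorEntries | Format-Table DisplayName, InstallLocation -AutoSize
    return
}

Write-Host "Programs sharing an install date with '$Anchor' ($($days -join ', ')):"
$entries |
    Where-Object { $_.InstallDate -and ($days -contains $_.InstallDate) } |
    Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

# Entries that recorded no date at all are listed too: a bundled installer is
# under no obligation to fill the value in.
Write-Host "`nEntries with no InstallDate recorded (review manually):"
$entries |
    Where-Object { -not $_.InstallDate } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Publisher, InstallLocation -AutoSize
```

Save it as a .ps1 file and run it with the name of the program that came from the suspect installer, e.g. `.\Find-CoInstalled.ps1 -Anchor GIMP`. Treat the output as a shortlist, not a verdict: confirm each unfamiliar entry by publisher and install folder before uninstalling, and compare against the folder creation times when the registry date is missing.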

3. Yep, I stupidly did the same. PayPal just called and some guy from Indonesia just tried to buy a $335 stereo system. I ran Avast and Adware immediately after deleting the file, with no hits.
