Yay, mainstream! – and trojaned GIMP installers

This post describes a malware attack using a malicious download link for GIMP for Windows. You can trust this link, it’s the Source.

And now the WARNING!

(The title and the following text have been stolen by me from Michael Schumacher at the GIMP Developers Mailing List and GIMP Users Mailing List.) 

Hi,

recently, we’re seeing more and more sign of GIMP becoming mainstream – the availability of several GIMP installers for the Microsoft Windows platforms loaded with trojans is certainly an indication for that.

The most common trojan seems to be InstallIQ. A piece of software that grants the providers of the actual installers plausible deniability because the installers itself is clean, and because the user has to agree to install additional “utilities” during setup.

Case 1:

Step 1: the victim is sent a scam mail pointing to a file at photo-host.net/ (which disguses as a image upload site).

Step 2: the files provided there are .gmp files (huh?)

Step 3: for viewing those files, there’s a link to gimphost.com, where the infected installer is located

Case 2:

Another victim or culprit of a related scam seems to be the gimpshop.com site, which used to host a modifed version of GIMP which resembled the Photoshop UI. Either its original author has gone to the Dark Side, or that site has been taken over by a scammer – it is distributing InstallIQ-infected installers.

Advice:

If you see any GIMP installer sites which have a fine print with phrases like

“is distributing a modified installer which is different from the original ones”

or

“InstallIQ”

or

“the installer is compliant with the original software manufacturer’s policies”

then do the following:

STAY AWAY FROM THEM!

And now it’s me again. InstallIQ seems not to be a trojan but an installer that pays out some money for the hosters. It has the capability to load more software and seems so to be considered a risk to the security of the system.