DrewPeacock

Please give users a way to check checksums


A couple of suggestions:

- Underneath links to download Malwarebytes, could you provide a checksum (or link to a checksum) so users can check the file hasn't been tampered with? Also instructions explaining what checksums are and how to check them would be useful for less tech-savvy users.

- When users already have Malwarebytes installed and are informed a new version is available, could you provide a way to check the checksum of the update?

I ask because some time back both CCleaner and Linux Mint had legitimate download files replaced with malicious versions and checking checksums could have prevented this.

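The first suggestion asks for a checksum next to each download and for instructions on checking it. Below is an added worked example of what that check looks like in practice; it is not code from the thread, from Malwarebytes, or from any vendor. It assumes the vendor publishes a manifest in the format produced by GNU `sha256sum` (64 hex characters, two spaces or a space and an asterisk, then the filename); the installer bytes, the manifest and the filenames `mb-setup-example.exe`, `mb-offline-example.exe` and `unlisted.exe` are constructed placeholders so the example runs offline.

```python
"""Verify downloaded files against a sha256sum-style checksum manifest.

Added example for this thread (not Malwarebytes code). Assumed manifest format,
as written by GNU ``sha256sum``:

    <64 hex chars><two spaces or " *"><filename>

Sample files and their digests are constructed in memory so the example runs
offline; nothing here downloads anything.
"""
import hashlib
import hmac
import io
import re

MANIFEST_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s[ *](?P<name>.+)$")


def parse_manifest(text):
    """Return {filename: expected_digest} from sha256sum-style text.

    Blank lines and '#' comments are ignored; anything else that does not
    match the expected shape is rejected, so a damaged or truncated manifest
    fails loudly instead of silently verifying nothing.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        expected[m.group("name")] = m.group("digest").lower()
    return expected


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large installer need not fit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(expected, files):
    """Compare each downloaded file against the manifest.

    `files` maps filename -> file-like object holding the download.
    Returns {filename: "OK" | "MISMATCH" | "NOT IN MANIFEST"}; a file listed
    in the manifest but not supplied is reported as "MISSING".
    """
    results = {}
    for name, stream in files.items():
        want = expected.get(name)
        if want is None:
            results[name] = "NOT IN MANIFEST"
            continue
        got = sha256_of_stream(stream)
        # Timing-safe comparison; the digests are public, but it costs nothing.
        results[name] = "OK" if hmac.compare_digest(got, want) else "MISMATCH"
    for name in expected:
        results.setdefault(name, "MISSING")
    return results


def verify_single(name, data, manifest_text):
    """Convenience wrapper: status of one in-memory file against one manifest."""
    return verify(parse_manifest(manifest_text), {name: io.BytesIO(data)})[name]


# --- constructed sample data (placeholders, not real Malwarebytes artefacts) ---
GOOD_INSTALLER = b"MZ" + b"\x00" * 62 + b"pretend-installer-v1"
TAMPERED_INSTALLER = GOOD_INSTALLER[:-1] + b"2"  # a single byte changed

SAMPLE_MANIFEST = (
    "# constructed manifest in sha256sum format\n"
    f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  mb-setup-example.exe\n"
    f"{hashlib.sha256(b'other file').hexdigest()}  mb-offline-example.exe\n"
)


def demo():
    """Run the check over the constructed samples and return the result dict."""
    downloads = {
        "mb-setup-example.exe": io.BytesIO(TAMPERED_INSTALLER),  # altered download
        "unlisted.exe": io.BytesIO(b"anything"),                 # nothing published for it
    }
    return verify(parse_manifest(SAMPLE_MANIFEST), downloads)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
```

A one-byte change to the installer is enough to flip the result from `OK` to `MISMATCH`, which is the property the first post relies on. The check is only as trustworthy as the channel the manifest arrived over: if the manifest is served from the same place as the download, an attacker who can swap one can swap the other, which is why the thread later turns to signing the manifest. On Windows the same digest can be obtained with the built-in `Get-FileHash -Algorithm SHA256` cmdlet for manual comparison.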

Thank you for the feedback. This has been submitted already but I'm not sure when it will be implemented.

I'm not 100% sure but the checksum for CCleaner and Mint would probably have been the same one as the file was built and served from their own systems. If that were the case the checksum would not matter as it would match what their website said, but we get where you're coming from on this.


Hello @DrewPeacock and welcome!

Malwarebytes for Windows has been a globally known product for many years.  By the time you notice the new Offline Installer, the new installer executable is likely to have been uploaded multiple times to VirusTotal where the most industry popular digests have been calculated and published with the file's VT overall analysis.

Additionally, the file's digital signature, plus countersigning, may be sought & examined.  This holds true for the executables, drivers and DLLs that constitute the modules and other internal files within the installed product.  Independently you may also verify the digital signature(s) through the use of Microsoft's Sysinternals' Sigcheck, Windows File Explorer and other methods.

When it comes to the Network Installer (digitally signed/countersigned), I believe that proprietary and fairly articulate security methodologies are already in place.  However, a Malwarebytes staffer would need to comment further.

Frequently VT community member endorsements may also be added and their member public reputations viewed for all to trace.  Coincidentally, much of the above holds true for the Malwarebytes AdwCleaner product.

As far as posted or linked checksums, "you can lead a horse to water but you can't make him drink."  -English Proverb

HTH

Edited by 1PW


AdvancedSetup:

Thank you for the feedback. This has been submitted already but I'm not sure when it will be implemented.

What has been submitted exactly? My first or second suggestion? Or both?

I'm not 100% sure but the checksum for CCleaner and Mint would probably have been the same one as the file was built and served from their own systems. If that were the case the checksum would not matter as it would match what their website said...

I may have misunderstood what I've read online about both breaches, but I thought that in both cases the hackers had replaced legitimate files with malicious versions, in which case I don't understand why the checksums would have matched. And even if what you're saying is correct, some sites use GPG to ensure that users know that the checksum files were definitely created by the software developer/company in question and not the hackers.


1PW:

By the time you notice the new Offline Installer, the new installer executable is likely to have been uploaded multiple times to VirusTotal where the most industry popular digests have been calculated and published with the file's VT overall analysis.

That's probably the case and while I do use VirusTotal, I often come across false positives. When I do, I contact the AV/AM companies in question and ask them to check if their "hit" is a false positive. Most of the time it is and I get a reply saying so. Some companies just ignore me though for reasons I fail to understand. Even VT will tell you that just because a file is not detected as malware by every scanner on VT, it doesn't necessarily mean the file is clean. It could be, but it's also possible that it's some type of malware that isn't yet detected by any of the scanners on VT. Conversely, just because scanners on VT identify a file as malware doesn't mean it is; it could be a false positive. This is the problem with any AV/AM product. And why I consider checksums vastly superior.

Additionally, the file's digital signature, plus countersigning, may be sought & examined.  This holds true for the executables, drivers and DLLs that constitute the modules and other internal files within the installed product.  Independently you may also verify the digital signature(s) through the use of Microsoft's Sysinternals' Sigcheck, Windows File Explorer and other methods.

If hackers have replaced legitimate files with malicious files, I don't see what purpose digital signing serves. Am I missing something?

When it comes to the Network Installer (digitally signed/countersigned), I believe that proprietary and fairly articulate security methodologies are already in place.  However, a Malwarebytes staffer would need to comment further.

Ditto, how does digital signing help in the scenario I'm presenting?

Frequently VT community member endorsements may also be added and their member public reputations viewed for all to trace.

That's hardly a foolproof system, is it?

As far as posted or linked checksums, "you can lead a horse to water but you can't make him drink."  -English Proverb

Of course, but I'm a horse that DOES want to drink. Just because many users won't check checksums (even when their usefulness is explained) is no reason to not provide checksums for people who ARE willing to check them, is it?


With regards to digitally signed files, if anyone were to replace a legitimate signed file, it would no longer carry Malwarebytes' digital signature, and if a legitimate file were somehow altered, it would likewise break/invalidate the digital signature.  This is because a file may only be digitally signed using specific authorized machines, which in this case belong to Malwarebytes' Developers.

With regards to a checksum printed on a webpage vs the checksum of a download, if a malicious third party were able to hack into the hosting servers, it is very likely they could just as easily (if not more so, since hosting servers are likely more guarded/secured against outside attacks/intrusions) hack the webpage where the checksum is printed and just change it, making the checksum of the file being downloaded appear to be legitimate even if it is not.


exile 360:

"With regards to digitally signed files, if anyone were to replace a legitimate signed file, it would no longer carry Malwarebytes' digital signature..."

Yes, but how would I know that until after I've installed the malicious file and looked for the digital signature only to find it's missing? By then it's too late and I'm infected with malware.

"... and if a legitimate file were somehow altered, it would likewise break/invalidate the digital signature."

I'm assuming this would make the file undownloadable or uninstallable? If so, the digital signing has done its job. If not, well, all the more reason to use checksums.

"With regards to a checksum printed on a webpage vs the checksum of a download, if a malicious third party were able to hack into the hosting servers, it is very likely they could just as easily (if not more so, since hosting servers are likely more guarded/secured against outside attacks/intrusions) hack the webpage where the checksum is printed and just change it, making the checksum of the file being downloaded appear to be legitimate even if it is not."

Well couldn't Malwarebytes simply make the page that lists all the checksums for the various downloads read-only and put an internal warning system in place if anyone tries to alter the permissions of the page from read-only and tries to change any of the checksums? Also any page that displays checksums should be very strongly secured against intrusion. And as I said before, many companies (especially those that create Linux software) use GPG so that users know that the checksum is legit and hasn't been tampered with. I'm sure people could think of additional ways to ensure the validity of checksums, e.g. if someone accesses a page that lists checksums then all those checksums could be internally checked against a record of them on a Malwarebytes computer that doesn't have internet access and a message could be displayed that says "These checksums confirmed correct as of [date], [time]".

Checksums add a useful layer of protection and make it harder for hackers to infect people with malware. Why make it easy for them?


Digital signatures are superior to checksums because they are more versatile and more secure against tampering.  If an installer or any of its contents have been altered in any way by a third party it breaks the digital signature and the installer itself would no longer be digitally signed.  You wouldn't need to install the application or run the installer to know that it is invalid.  Windows would tell you the moment you tried to execute it that the installer you're trying to run is not digitally signed.  That alone provides verification that the installer is legitimate.

As for safeguarding the page with the checksums printed, you're talking about a public facing website which must allow for a large amount of traffic from various sources.  They also need to be able to edit the page any time a new version is released, so making it read-only isn't a solution.  Anyone who can get into the backend of the site hosting the page with admin permissions would be able to edit it, and in fact I believe this is how CCleaner and others had their files infected in the first place.  The use of checksums would not have prevented it.  Companies must simply guard their digital signatures carefully and restrict access to their signing machines, and this is what Malwarebytes and others do, and so far there have been no instances where any of their files were maliciously manipulated, altered or replaced, even though malicious hackers have tried many times to infiltrate or DDoS Malwarebytes' servers.


exile360:


"Digital signatures are superior to checksums because they are more versatile and more secure against tampering."
Checksums are pretty damn secure if GPG is used, which I've mentioned before, but you didn't address that point.


"If an installer or any of its contents have been altered in any way by a third party it breaks the digital signature and the installer itself would no longer be digitally signed.  You wouldn't need to install the application or run the installer to know that it is invalid.  Windows would tell you the moment you tried to execute it that the installer you're trying to run is not digitally signed.  That alone provides verification that the installer is legitimate."
And as I said, this would mean the digital signature is doing its job. Your comment "You wouldn't need to install the application or run the installer to know that it is invalid" doesn't apply to this scenario, but to the other one I presented where safe downloads are replaced with malicious versions that aren't digitally signed. You didn't address this scenario.


"As for safeguarding the page with the checksums printed, you're talking about a public facing website which must allow for a large amount of traffic from various sources."
And this traffic only needs to be able to read the checksums, no interaction with the page is required.


"They also need to be able to edit the page any time a new version is released, so making it read-only isn't a solution."
Of course it is. Whenever the page needs updating, take the page offline, change the permissions to read/write, change the page as required, reset the permissions to read-only and put the page back online.


"Anyone who can get into the backend of the site hosting the page with admin permissions would be able to edit it..."
Well firstly intrusion should be made as hard as possible, including not making schoolboy errors like not keeping all the website software up to date and not using long passwords and multi-factor authentication to log in. But any sensible, well-designed system would plan for any eventuality, including being hacked, and have a warning system in place in case anyone tries to change the permissions. I mentioned this before, but you didn't address this point. But if a secondary biometric sign-in method is used, this would make it very hard for hackers to get into the system in the first place.


"... and in fact I believe this is how CCleaner and others had their files infected in the first place. The use of checksums would not have prevented it."
It's been a while since I read about the CCleaner and Linux Mint hacks, so I'll have to check since I can't remember the exact method used, but of course checksums wouldn't prevent someone changing a page's permissions. How could they? That's not their purpose.


"Companies must simply guard their digital signatures carefully and restrict access to their signing machines, and this is what Malwarebytes and others do, and so far there have been no instances where any of their files were maliciously manipulated, altered or replaced, even though malicious hackers have tried many times to infiltrate or DDoS Malwarebytes' servers."

That sounds like a challenge. I hope no-one takes you up on it. By the same token companies must guard their checksums carefully. No system is perfect, so layers of protection are best. Lastly, I fail to see why you're so opposed to checksums when they add another useful layer of security if implemented properly. Many companies use them and as AdvancedSetup said "This has been submitted already but I'm not sure when it will be implemented", so it's clear Malwarebytes sees the point of checksums, just that they haven't been implemented yet.


AdvancedSetup:
Re my second suggestion, I was talking about when Malwarebytes, which is already installed, downloads an update through the app's interface. What I had in mind was something like the app informing the user "Checking checksums, checksums match, downloading update, installing update, update completed". Something along those lines. When updates are done through the app, I have no way to manually check checksums.


I did address digital signatures.  The bad guys can't sign it with Malwarebytes' digital signature; that's the entire point of it, however if the bad guys got access to a page to the point where they could modify the files being hosted, they could likewise modify the page where the checksum is printed because it requires admin/write access; there is no way for a checksum to safeguard against this which is my point.  It is a system that relies entirely on the security of a public facing website, while a digital signature relies on the security of a machine owned by a Developer employed by Malwarebytes; one which I might add that they are extremely careful with, never exposing it to any kind of public access for any reason (because it is the machine they write code on and nothing more; it doesn't host any public facing files, doesn't host websites that are accessible to the public and there is no way for the bad guys to even find the machine, much less hack into it to get control over it).

Look, I understand what you are saying, but I think you really don't understand how digital signatures work.  There is a reason that this is the system in use by the likes of Microsoft, Apple as well as all AV/AM vendors (including Malwarebytes).  Please just do a bit of research on digital signatures and then if you have any points to make against them, make them, but you make it sound like it's harder for a hacker to infiltrate a public facing server than to gain access to a digital signing system that is offline and in physical control of the Developers/vendor who owns the digital signature.  On one side you have a public website where the IP address of the hosting server is known (it has to be, otherwise no one could reach it to view the page), and users must be able to view and download content from it (again, otherwise the page wouldn't be able to serve its purpose), and on the other you have a proprietary, offline machine completely under the control of the company that digital signs their own files.  They aren't even close to the same level of security; checksums are nice for folks who cannot afford to purchase and properly set up digital signing, and it's also great for projects where there are numerous developers working on the same code in different geographic locations where no one individual is responsible for compiling and releasing the binaries to the public; this is why in the open source community checksums are so popular, and conversely this is why in the world of closed source, commercial software digital signatures are used instead because they are a far more reliable and secure solution.


exile360:

"I did address digital signatures.  The bad guys can't sign it with Malwarebytes' digital signature..."

I never said they could. You're saying that like it counters a point I made. I never made such a point.

"... however if the bad guys got access to a page to the point where they could modify the files being hosted, they could likewise modify the page where the checksum is printed because it requires admin/write access; there is no way for a checksum to safeguard against this which is my point."

You totally ignored what I had to say about read/write permissions in relation to modifying a page that contains checksums. And especially the part about verifying the checksums with a permanently offline computer. If the checksums have been modified, such a system would tell you that the checksums don't match and so you'd immediately be suspicious of the associated download file.

"It is a system that relies entirely on the security of a public facing website, while a digital signature relies on the security of a machine owned by a Developer employed by Malwarebytes; one which I might add that they are extremely careful with, never exposing it to any kind of public access for any reason (because it is the machine they write code on and nothing more; it doesn't host any public facing files, doesn't host websites that are accessible to the public and there is no way for the bad guys to even find the machine, much less hack into it to get control over it)."

You're making it sound like I'm saying replace digital signatures with checksums. I'm not, I'm saying use both.

Also, don't be too overconfident in the security of any system. The "baddies" could be Malwarebytes employees, it's not always outsiders you need to protect your systems from.

"Look, I understand what you are saying..."

Clearly not.

"... but I think you really don't understand how digital signatures work."

Damn, you're condescending. What's to understand? They're an anti-tamper mechanism.

"There is a reason that this is the system in use by the likes of Microsoft, Apple as well as all AV/AM vendors (including Malwarebytes)."

Yes, because digital signatures have their place. They're of no benefit if legit files have been replaced with dodgy ones.

"Please just do a bit of research on digital signatures..."

I don't need to do any research because it's not as if I don't understand the point of them and it's not as if I'm asking Malwarebytes to do away with them.

"... and then if you have any points to make against them, make them, ..."

I don't have anything against digital signatures. I've written nothing that could possibly lead you to that conclusion.

"... but you make it sound like it's harder for a hacker to infiltrate a public facing server than to gain access to a digital signing system that is offline and in physical control of the Developers/vendor who owns the digital signature."

No I don't. Again I didn't write anything that could lead to that conclusion. You're claiming I said things I never said.

"On one side you have a public website where the IP address of the hosting server is known (it has to be, otherwise no one could reach it to view the page), and users must be able to view and download content from it (again, otherwise the page wouldn't be able to serve its purpose), and on the other you have a proprietary, offline machine completely under the control of the company that digital signs their own files.  They aren't even close to the same level of security;..."

Another irrelevant point on your part, since I never claimed any such thing.

What I am saying is use checksums in addition to digital signatures.

"... checksums are nice for folks who cannot afford to purchase and properly set up digital signing, and it's also great for projects where there are numerous developers working on the same code in different geographic locations where no one individual is responsible for compiling and releasing the binaries to the public; this is why in the open source community checksums are so popular, and conversely this is why in the world of closed source, commercial software digital signatures are used instead because they are a far more reliable and secure solution."

And what do digital signatures do to protect users if legit files have been replaced with malicious ones? You keep evading this question.


Digital signatures can't be replaced with malicious ones.  That is the entire point of using them.  If they could, the entire security of every file in the Windows operating system would be moot and could easily be replaced by malicious actors yet that hasn't happened, ever.  This is why I suggested that perhaps you don't understand how digital signatures work because you indicate that the bad guys could somehow easily replace 'good ones' with 'bad ones', but again I must reiterate that this is not in any way how digital signature enforcement/verification works.  It is an over-simplification that doesn't make sense.  I know this because dealing with valid/invalid digital signatures is something dealt with in the security community quite frequently (spoofed digital signatures, version information and other similar 'hacks' to try and trick users into running malicious code are areas that are well researched and understood by an anti-malware vendor like Malwarebytes and in fact is one of the easy giveaways that indicates when a file is likely malicious).

Write protection of a page isn't going to help against a malicious hacker since the means they use to infiltrate public sites/servers are typically through the exploitation of security vulnerabilities, often 0-days which are as of yet unknown and unpatched, and if they can get into the server, having the page be write protected doesn't matter because they can then simply replace the page rather than modifying it (since a webpage is essentially nothing more than a graphical representation of a text file, i.e. an HTML document, and that document is hosted on a server; a public facing computer which, if infiltrated by a malicious actor, could then be modified in any way regardless of any permissions/write protection that has been placed on the documents/pages being hosted there).  On the other hand, a digitally signed file cannot be modified in any way without invalidating the digital signature, and of course if the malicious actor is a Malwarebytes Developer then that is an entirely different issue and no amount of security would be able to stop them since their code is trusted as valid, so even if they were to do something malicious to a Malwarebytes installer, that installer's hash would still be considered valid by the IT department that uploads it to Malwarebytes' servers and would hypothetically be putting up the matching hash information if Malwarebytes had hash verification in place so implementing a hash validation system on the website wouldn't do any good against an insider threat.

Perhaps those in Malwarebytes' IT department will see the value in implementing some kind of hash verification to the website, and if they do then I am sure they will implement it, however I personally believe that the fact that they have never done so up to this point is rather telling, but maybe that's just me.


exile360:

"Digital signatures can't be replaced with malicious ones."

I never said they could. Is your reading comprehension that poor that you can't understand what I've been writing all this time? I've been talking about replacing legit digitally signed files with malicious files that aren't digitally signed.

"That is the entire point of using them.  If they could, the entire security of every file in the Windows operating system would be moot and could easily be replaced by malicious actors, yet that hasn't happened, ever."

So you've not heard of ransomware then? Plus at this point Windows Update does a great job of *****ing up Windows all on its own without users having to worry about malicious actors.

"This is why I suggested that perhaps you don't understand how digital signatures work because you indicate that the bad guys could somehow easily replace 'good ones' with 'bad ones', but again I must reiterate that this is not in any way how digital signature enforcement/verification works."

Yawn. Re-read what I actually wrote and don't put words in my mouth.

"It is an over-simplification that doesn't make sense."

Yeah because you're repeatedly misinterpreting what I've been writing. At this point I can only assume deliberately.

[...]

"Write protection of a page isn't going to help against a malicious hacker..."

Of course it is if the hacker can't change the page permissions to modify it.

"... since the means they use to infiltrate public sites/servers are typically through the exploitation of security vulnerabilities, often 0-days which are as of yet unknown and unpatched..."

As I said above, it's crucial to keep servers and all software running on them up to date. This is basic computer security 101, which applies both to servers and home computers. Hackers exploiting known vulnerabilities that haven't been patched where patches are available is one thing, but zero days? Who are the hackers? The NSA/GCHQ who have been hoarding zero days?

Plus I also mentioned multi-factor authentication to log in, including biometric methods, and an automatic alert system to warn people if anything is happening that shouldn't be happening (e.g. a checksum page's permissions being changed outside of approved hours). But you chose to ignore all these points because they don't support your argument.

"... and if they can get into the server, having the page be write protected doesn't matter..."

Not necessarily. And the operative word is "if". Multi-factor authentication would make this very difficult indeed. Plus having the public-facing checksum page connected to a computer with no internet access that contains copies of the checksums would enable them to be checked in real time whenever anyone accesses the checksum page. This permanently offline computer could verify if the checksums are legit or whether they've been tampered with. I'm sure people could come up with other methods to ensure the validity of the checksums. I've already mentioned GPG, but you repeatedly chose to ignore that as well.

"... because they can then simply replace the page rather than modifying it (since a webpage is essentially nothing more than a graphical representation of a text file, i.e. an HTML document, and that document is hosted on a server..."

So simply put a system in place that prevents the page being replaced rather than modified. Preventing deleting and pasting should do the job, shouldn't it?

[...]

"On the other hand, a digitally signed file cannot be modified in any way without invalidating the digital signature..."

Yeah, yawn, we know. Is that relevant?

"... and of course if the malicious actor is a Malwarebytes Developer then that is an entirely different issue and no amount of security would be able to stop them..."

That's not true. It would still be possible to put systems in place that would make it hard for an insider to do anything malicious. The point I was making was that focussing entirely on outsiders and thinking that risks can only come from outside is unwise.

"... since their code is trusted as valid, so even if they were to do something malicious to a Malwarebytes installer, that installer's hash would still be considered valid by the IT department that uploads it to Malwarebytes' servers and would hypothetically be putting up the matching hash information if Malwarebytes had hash verification in place so implementing a hash validation system on the website wouldn't do any good against an insider threat."

Apart from your feeble inability to think up ways to thwart malicious actors, they've invented these new-fangled things called sentences. You should check them out.

"Perhaps those in Malwarebytes' IT department will see the value in implementing some kind of hash verification to the website..."

Maybe, maybe not.

"... and if they do then I am sure they will implement it, however I personally believe that the fact that they have never done so up to this point is rather telling..."

Yeah, so what does that reveal? That they're lazy and haven't got round to it yet? Or that they don't see the point of checksums and are just paying lip-service to their usefulness?

Either way, their response to my suggestions is pitiful since checksums do serve a useful purpose.


Hello @DrewPeacock:

After all has been said here, I am happy you are one of the rare individuals who will purposely verify before installing.  Excellent!

Recently Malwarebytes published downloadable executables/installers which have revealed x.509 signing.  Again, VirusTotal (VT) will verify/report those certificates during its analysis for validity.

I believe that nearly all the time, newly published exe/dll/sys files will also have been uploaded to VT and their analysis will include all the popular hashes you seek.

In the case of Malwarebytes for Windows, a "Component Package Version" release is very likely to update existing exe/dll/sys files.  Those new files will have digital signers/counter signers and x.509 signers.  Any subsequent VT analysis will reveal those signers and the calculated new hashes will accompany them.

I also felt as strongly as you do now, about eight years ago.  Now, with Malwarebytes' security improvements, VT provides the reliable one-stop shopping that satisfies the integrity checks I seek.

If nothing else changes at a global level, Malwarebytes users will continue to take the path of least resistance without verifying anything...  Pity.

HTH


I would like to add my vote for checksums as well. I would especially love to see an archived list of previously released setup files with their checksums. Not necessarily to download them, just as a reference. I have a very elaborate and time consuming process I follow to make sure that a file is legit before I go ahead and run it. I then save that file offline for audit purposes. While I can always run one of those older files through VT again, it won't tell me if the file was originally available on the official MBAM website. That "relationships" tab is hit and miss.
