SSL certificate on windirstat.info

Hey folks,

sorry about the negligence on my part. This is just to let everyone know that I’m aware of it.

I already sent the CSR to StartSSL, so this will hopefully be resolved later today.

// Oliver

Update:

This should be fixed now.

  • SHA256 fingerprint:
    78:A1:7D:C5:A9:45:39:B9:64:5A:F9:85:8B:AA:82:9A:92:2B:76:23:46:46:E5:8A:E5:E7:75:E4:6E:27:B1:B1
  • SHA1 fingerprint:
    6C:F0:65:0D:30:34:AE:D8:3B:15:CD:32:A0:5A:31:81:EF:F3:36:41
Posted in Announcement | 2 Comments

altWinDirStat

Only recently I learned of a fork of WinDirStat on Github named altWinDirStat. You folks may want to check it out.

I hope in mid to long term we can join forces rather than having the code bases diverge.

// Oliver

Posted in Uncategorized | 2 Comments

Please vote

Hi folks,

please vote on the Bitbucket issue tracker for issues and features. If I see a trend there, I’ll probably prioritize according to it.

// Oliver

Posted in Feedback | 4 Comments

New independent file download mirror

Triple IT from the Netherlands kindly offered to provide another download mirror at no cost.

Triple IT logo
(click to go to their website)

It’s now linked from our download page. Thanks to Triple IT for the offer and implementation.

// Oliver

Posted in Project news | 1 Comment

No PAD file … and none to come

After getting another request to create and offer a PAD file, I looked into the process again. There’s an online generator software at this address. I was using that to enter my data. When I was done filling in the stuff that was relevant to a FLOSS program like WinDirStat, I ended up getting a list of error messages.

Here’s the start of the list:

Screenshot snippet

So I need to give my postal address? No thanks. Post box? Yeah, who pays for that?

This is geared towards shareware and freeware programs, no doubt. But what took my breath away was this error message:

Invalid data formatting. According to the PAD specification, this field should have the following format: “^http://.{2,120}Z“. You can find the full PAD specification here: www.padspec.org

I have to give a non-HTTPS site, because shareware is so 1990s and the PAD format is as well?

Conclusion: there’s no PAD file for WinDirStat and there won’t be. Sorry, folks.

// Oliver

Posted in Uncategorized | 2 Comments

Being all social now …

@windirstat ;)

Posted in Project news | 1 Comment

For anyone who uses premake4 and needs an up-to-date binary

A code-signed binary can be found here.

The SHA1 hashes are:

  • 2a687b2084f80bc8a9194ae8857d5bf46c137009 *premake4.exe
    (premake4.rev-800-52c1aa08a896.exe)

Hope it helps someone.

// Oliver

PS: yes, this was mainly built for use in the WDS repo and therefore is located in the windirstat/premake-stable project realm.

Posted in Uncategorized | Leave a comment

Re: WinDirStat detected as trojan … rightly so

Submitted the trojanized file to a number of AVs and they are catching up as can be witnessed on VirusTotal.

Hope not too many unsuspecting users fell for this. Whatever the source of the file may be.

// Oliver

Posted in Project news | 8 Comments

WinDirStat detected as trojan … rightly so

Well, actually it isn’t the genuine WinDirStat but a trojanized version posing as WinDirStat and it’s masquerading under the disguise of the good Unicode version of windirstat.exe which is contained in the installer. So it’s named that as well.

Now, the report I got from a WinDirStat user from Sweden (thanks again!) was that MalwareBytes had detected WDS once again. I assumed false positive and it turned out that it was at least for the particular file that the Swedish user had (SHA1: 26e14a532e1e050eb20755a0b7a5fea99dd80588)1 – which was the genuine file from the genuine version 1.1.2 installer. That is the installer with the following two cryptographic hashes2:

  • MD5: 3abf1c149873e25d4e266225fbf37cbf
  • SHA1: 6fa92dd2ca691c11dfbfc0a239e34369897a7fab

We’ve had this before, but this time it was a slightly different case.

I contacted Doug from MalwareBytes. We had been in touch some time before. So I got a contact for the malware research at MalwareBytes and was able to inquire about the file. It turned out that the file aforementioned Swedish user had inquired about wasn’t under detection, but another file with the MD5 hash a84aad50293bf5c49fc465797b5afdad. Now I didn’t have that file in my release archive so I asked for the file3 and was then able to look at the actual trojanized file. And what struck me was that all external traits shown by this file matched closely the Unicode build from the 1.1.2 installer. The size matched, the timestamp in the PE header matched, just some things like the sections and a whole lot of code or data had been changed in the middle of the file.

So I loaded the genuine file into IDA Pro and the entry point looked like this:

.text:004471B4 _wWinMain@16    proc near
.text:004471B4
.text:004471B4 hInstance       = dword ptr  4
.text:004471B4 hPrevInstance   = dword ptr  8
.text:004471B4 lpCmdLine       = dword ptr  0Ch
.text:004471B4 nShowCmd        = dword ptr  10h
.text:004471B4
.text:004471B4                 jmp     _wWinMain@16_0
.text:004471B4 _wWinMain@16    endp

and when I did the same on the trojanized file it looked like this:

.text:004471B4 _wWinMain@16    proc far
.text:004471B4                 enter   0FFFFA5D1h, 7Fh
.text:004471B8                 xchg    eax, ebp
.text:004471B9 loc_4471B9:
.text:004471B9                 or      al, 19h
.text:004471BB                 inc     ecx
.text:004471BC                 retf    0BECAh
.text:004471BC _wWinMain@16    endp ; sp-analysis failed

Holy moly, Batman! Someone actually trojanized WinDirStat and it looks like EPO4 just from a brief look.

Again, this file is named windirstat.exe and to the naked eye it looks like the Unicode build from the 1.1.2 installer, but in actuality this is a trojanized version of the genuine file. Now I don’t have the time to investigate into what exactly this thing is doing, but it bears all the hallmarks of malware and therefore from my perspective that file isn’t a false positive.

Conclusions

If you download files. check that their hashes match what is expected. Future releases of WDS will be signed with an Authenticode certificate, so it will also make it harder to trojanize WinDirStat.

I checked last night and at least the downloads from SourceForge.net and DownloadBestSoft were genuine. No danger there. Still: you are encouraged to double or triple check! And keep in mind that MD5 is broken, so never ever rely on MD5 alone.

// Oliver

Recap: the clean files are:

MD5:

  • 3abf1c149873e25d4e266225fbf37cbf *windirstat1_1_2_setup.exe
  • 3f3dd4476249ae664e3365e5bb651601 *release/windirstat.exe
  • 24cd9a82fcfc658dd3ae7ba25c958ffb *urelease/windirstat.exe

SHA1:

  • 6fa92dd2ca691c11dfbfc0a239e34369897a7fab *windirstat1_1_2_setup.exe
  • 752e1687d58de3bef927d9ad24c0ed3da3754e17 *release/windirstat.exe
  • 26e14a532e1e050eb20755a0b7a5fea99dd80588 *urelease/windirstat.exe
  1. that false positive has been fixed meanwhile. []
  2. keep in mind that MD5 has been broken, so you should never rely on it alone anyway. It is possible to forge binaries that match the MD5 hash of another binary as recent government-sanctioned malware has shown. []
  3. Usually you won’t get a file that is deemed malicious from any anti-malware company, but since I work in the AV industry as well and had contact with Doug before, I had the credentials. []
  4. Entry Point Obfuscation []
Posted in Project news | 1 Comment

Youtube channel for WinDirStat

I created a Youtube user and channel for WinDirStat. If you want to contribute a video clip, let me know. If you have a channel yourself that is dedicated to WinDirStat, let me know as well.

// Oliver

Posted in Project news | Leave a comment

Reddit: /r/WinDirStat

Find it here. The link is also in the link list in the sidebar.

// Oliver

Posted in Feedback | Leave a comment

Would you like a forum and/or a Wiki?

Hey folks,

being users of WinDirStat and perhaps having contacted me through the contact form or other means, would you like to see a Wiki and or forum for WinDirStat instead of merely the trackers and the mailing list (which is virtually dead, except for the very frequent spammers, which you wouldn’t get to see because the whole list is moderated).

A forum may offer a more lively discussion among users and may be a little more exposed than the mailing list is. This way I’d also spend less time supporting users because you folks could – by merit – become “community” moderators and help newbies or in general help other users. Last but not least this might be one way to share cleanup (and soon other scripted) actions. For the latter a Wiki may be more suitable or even just in addition. The forum AFAIK isn’t tied to the SF.net accounts if we run it on SF.net, but the Wiki would, I think. I only remember faintly from Enchanted Keyfinder.

Whatcha think? Let me know in the comments. Thanks and get well into the year 2013.

// Oliver

Posted in Feedback | 6 Comments

Began signing the commits I make to the source repo

I have started to sign the commits to the source repository using GnuPG and will expect the same from future contributors to the project (although OpenSSL with X509 certificates will also be accepted, of course).

It provides a level of trust and the possibility of additional integrity-checking for the source code. Starting with revision 300 on the master repository (on SF.net) this takes effect.

The commitsigs.py extension will be used for the purpose. It can be cloned from here.

Additionally I am keeping a clone on Bitbucket, for “backup purposes” ;)

// Oliver

Posted in Project news | Tagged , | 13 Comments

windirstat.info now also via SSL

The website is now also available via SSL. This also means that you will be able to use the contact page via SSL.

// Oliver

Posted in Project news | Tagged | 3 Comments

Cleanup actions, who uses them right now?

Hi folks,

who of you uses the cleanup actions or even created their own? How complex are they? How difficult would it be for you if they got replaced? I suppose I would provide some rather trivial migration path, but I’m curious. Surprise me … :mrgreen:

// Oliver

Posted in Feedback | 30 Comments