Malware in Twine 2.1.3 download?

0 votes
asked Nov 5 by raytracer (120 points)

I use Little Snitch on my Macbook Pro (10.10.5) to check on unauthorized outbound connections any program tries to make. A couple of times I found that the download of Twine 2.1.3 was contacting what looked like a very strange server:

Twine

wants to connect to wrcvqkrmwryiiv on TCP port 80 (http)

IP Address 92.242.140.2

Reverse DNS Name unallocated.barefruit.co.uk

Established by /Applications/Twine.app/Contents/MacOS/nwjs

Process ID 33585

User edo (UID: 503)


The format of the message allows you click on the name of the server (wrcvqkrmwryiiv) and it brings up a very long list of nonsense names like the one listed in the message that are also located at that same IP address.

One of the times there was also a message saying that I didn't have the latest version of the program, though I was using 2.1.3 which I believe is the latest barring the new beta that just came out. The version I am using lists a creation date of May 1, 2017, and it was downloaded on June 10, 2017. I am not sure if the malware that was on the website affected the installers (there is no mention of this being the case), or if there was a minor update to the installer since May 1 that didn't necessitate a new version number.

The apparent domain it connects to, barefruit.co.uk, is some sort of advertising site. On the site it says: Barefruit generates highly targeted traffic for ISPs by replacing DNS and HTTP errors with relevant advertising. Since advertising and Twine don't seem to go together, this looks strange.

Chris or anyone else who has seen this please weigh in. I know this may be benign and just look odd, but it does look odd.

edo

2 Answers

+1 vote
answered Nov 5 by Chapel (33,870 points)
edited Nov 5 by Chapel

When you type a fake web address into your browser, what happens? Are there ads or just normal DNS error messages?

Example of how one of these ads might look

commented Nov 5 by raytracer (120 points)
I get a normal DNS error message from my service provider.

The message I got was that the Twine app was contacting the possibly sketchy server. Are you suggesting that there is something external to Twine that might be redirecting the request that Twine makes?
commented Nov 5 by Chapel (33,870 points)
I thought it sounded like DNS hijacking, which can be caused by malware, but can also be caused by your ISP. It's not great, but most ISPs do it, and it's legal. Some browsers are secured against it, since it is a security issue and can open you up to certain types of attacks. I'm pretty sure Chrome blocks it, not sure about other browsers.

It could be malware (from Twine or otherwise), but my guess was that it was your ISP, but only because I'm pretty sure barefruit.co.uk works with ISPs (as indicated on their website and some light research on my part) rather than dealing specifically in malware. Shady nonetheless.

It's possible that Twine itself is compromised, but I wouldn't expect it to be intentional. I'm sure klembot can speak for himself there though.

In the meantime, there's no harm in a virus scan if you haven't already. You might want to specifically scan Twine and its associated files as well.

On the bright side, since Twine runs in NW.js, it shouldn't have any meaningful access to your personal information or browsing history.

Note that I am not a security expert, so don't take my word for it. We have a lot of talented people here that I'm sure will have better insight, and it's possible I'm completely wrong on all counts.
commented Nov 5 by raytracer (120 points)
Looks like you were on the right track with this. I thought it strange that only Twine and no other apps ended up with this error, but I run AdBlock and Ghostery on my browsers so that probably catches it before anything odd pops up. A test of a nonexistent address without those enabled showed an expected error-plus-ads page of the kind that might be generated by barefruit.

I'm guessing that the Twine app checks for new versions on startup and this is where Little Snitch caught the request. Maybe in the changes made in October following the Twinery hack the location where the app checks for updates was changed, and now the app looks for a non-existent address which in turn generates the request to contact barefruit.

Even if this is the case, it still seems weird that I'd get a message to update to the latest version when I know I am running the latest version. That message might get generated following the address error, but it still looks a little shady.

So I think this is solved, more or less, but it would be good if klembot could verify what might or might not be going on.
commented Nov 5 by Chapel (33,870 points)

A test of a nonexistent address without those enabled showed an expected error-plus-ads page of the kind that might be generated by barefruit.

Well, the "good" news is that it's probably your ISP, and your system isn't infected by malware.

Maybe in the changes made in October following the Twinery hack...

That'd be my guess, too. It's clearly trying to access something that isn't accessible anymore. I'm not sure how big of a problem that actually is security-wise, but I don't think you need to avoid using Twine or anything.

So I think this is solved, more or less, but it would be good if klembot could verify what might or might not be going on.

I'm sure he will; hopefully soon.

commented Nov 5 by raytracer (120 points)
Thanks for your help on this! It likely saved me quite a bit of time.
commented Nov 7 by mcd (740 points)

The message to update to a version you're already at is a known issue.

I tried to catch some nefarious behavior using Private Eye, a free program similar to Little Snitch, and I did see a lot of unexpected traffic coming out of nwjs.  Unfortunately, after I upgraded to the new beta to compare its traffic (there wasn't any from nwjs, and nothing suspicious from Twine directly), I was unable to downgrade back to 2.1.3 to check out the URLs individually.  (I got a blank screen from 2.1.3 after NWJS complained about my profile and a version change, presumably a separate issue from any possible malware.)

The other malware incident also involved requests to spam ad servers (which could be defunct and bring up your ISP's DNS error spam from Barefruit), but there are genuine requests that Twine could be making besides the version check:  if you installed or use story formats that request remote resources, or have any remote resources within your stories that would get fetched on Test or Play, those links could have gone bad and led to the Barefruit request.

So it's hard to say what's going on.  If you can figure out whether it's a particular story and/or action (test/play) that's leading to the Barefruit requests, maybe you can figure out whether it's an innocuous request or not.  If you're willing to upgrade to the beta, that might solve your problem directly.
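The diagnosis worked out in this thread (resolve a name that cannot exist and see whether the resolver hands back an address instead of a failure) can be automated. This is an added example, not code from the thread or from Twine; it uses the 92.242.140.2 address Little Snitch reported above as the comparison value, and the resolver callables are injectable so the check can be exercised offline with constructed stand-ins.

```python
import random
import socket
import string

# Address Little Snitch reported in the question (reverse DNS: unallocated.barefruit.co.uk).
REPORTED_IP = "92.242.140.2"


def random_nonsense_host(length=14, rng=random):
    """Build a label nobody has registered, like the one in the Little Snitch alert."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def classify_nxdomain(host, resolver=socket.gethostbyname):
    """Resolve a name that should not exist.

    Returns ("nxdomain", None) when the resolver honestly reports failure, or
    ("hijacked", ip) when the resolver (typically the ISP) substitutes an address.
    """
    try:
        ip = resolver(host)
    except (socket.gaierror, socket.herror):
        return ("nxdomain", None)
    return ("hijacked", ip)


def reverse_name(ip, reverse=socket.gethostbyaddr):
    """Reverse-lookup the substituted address so the operator (e.g. barefruit) is visible."""
    try:
        return reverse(ip)[0]
    except OSError:
        return None


def check_resolver(resolver=socket.gethostbyname, reverse=socket.gethostbyaddr,
                   trials=3, seed=None):
    """Probe several random names; a consistent substituted address means the
    resolver, not the application that triggered the alert, is the source."""
    rng = random.Random(seed)
    findings = []
    for _ in range(trials):
        host = random_nonsense_host(rng=rng)
        verdict, ip = classify_nxdomain(host, resolver)
        findings.append({"host": host, "verdict": verdict, "ip": ip,
                         "matches_reported": ip == REPORTED_IP,
                         "reverse": reverse_name(ip, reverse) if ip else None})
    return findings


def summarize(findings):
    """'hijacked' if any probe resolved, otherwise 'clean'."""
    return "hijacked" if any(f["verdict"] == "hijacked" for f in findings) else "clean"
```

Run `check_resolver()` with the defaults on the home network and again on the work network to reproduce the comparison raytracer describes; matching `reverse` values across the probes point at the resolver rather than at Twine.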

0 votes
answered Nov 7 by klembot (1,570 points)

First of all, Twine checks on startup for new versions by loading https://twinery.org/latestversion/2.json. The code that does that is here and here. It's pretty cut-and-dry.

I'm confident that despite our malware problems on twinery.org, the apps were not affected. They have been hosted on Bitbucket for a good long while now, which means any trouble on twinery.org would be quarantined from them.

I tried installing the demo version of Little Snitch with 2.1.3 and all I have seen it flag so far are internal connections the app makes-- it has to do with NW.js, the library we're using for the app. NW.js was a pretty popular way to convert Web-based apps into desktop apps (a different library called Electron has eclipsed it). My understanding of it is that it spins up a web server that only the app can talk to, and the app shows you a browser view of it.

So... I don't really know why you are seeing those connections. I will keep using Little Snitch and see if I see anything untoward going on myself.

commented Nov 8 by klembot (1,570 points)

Forgot to add, it only checks for a new version once a day. The code that does that is here.

commented Nov 8 by raytracer (120 points)
Thanks for checking in on this; it all sounds pretty clear. I also noticed today that the request to barefruit only happened on my home network. At work the apparent redirect was caught and rerouted to something on the local network. There may be a utility in place there that prevents redirects like this from going out. Either that or there is something amiss on my home network (possible but unlikely). This happened when the program started, so it was happening when the program checked for a new version. There didn't appear to be any instances of this happening in any particular part of a story I was editing.

I'll see if this continues under the new beta. I didn't want to switch over until my students were done using Twine in one of my classes this term. If anything comes up with it I'll post something about it.