#1 2016-06-26 09:18:30

greenman-23
Member
From: Morocco
Registered: 2013-12-16
Posts: 10
Website

Hubstaff shell scripting file is it malicious spyware?

Hi,

apologies if I'm posting this in the wrong forum

As part of the arrangement for some contractual work I was asked to sign up to hubstaff.com

However, the service requires the installation of a shell script (Hubstaff-1.2.8-4ec96dd.sh) which is 11.5 MB in size. There is virtually no documentation on this script which on face value appears to be spyware. Designed to monitor staff activity, it raises serious ethical issues. Ones compounded by the request to install it on my own personal PC.

Communication from the vendor didn't inspire me with confidence either. To quote:

"We have a lot of users that use the Linux version of our app, I myself use it regularly whenever I work on dev items for Hubstaff. I know that may not mean a lot given that I work for Hubstaff, but security is something that I've always cared a lot about and I probably wouldn't have chosen to work here if the software was malware. :slight_smile:

That being said, Hubstaff does have some activity tracking features that you can read about here: https://hubstaff.com/features?ab=f21

Our software isn't malware or spyware, we're very open about the type of activity that our software can track. Most of those features can be disabled by the organization's owner in the organization settings, so if any of those features make you uncomfortable, you may want to talk to your organization's owner about it and see if they can disable it for you.

You may also be interested in reading our privacy policy, which can be found here: https://hubstaff.com/privacy2"

the script is huge and I'm not keen on installing software that tracks when it hasn't or appears not to have been verified by a Linux community...

The script in question can be found here https://hubstaff.com/download

Both the comment "I probably wouldn't have chosen to work here if the software was malware" and the complete lack of documentation or evidence of independent verification by a Linux community rang alarm bells.


any advice received with thanks,

regards

malcolm


When you're stuck at the North Pole you have two options: to stay stuck or go South...

Offline

#2 2016-06-26 10:23:07

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Hubstaff shell scripting file is it malicious spyware?

I would sure expect that it's spyware.

Some alternatives:
* Use a VM for this contract's work
* Ask them to supply you with a laptop

Offline

#3 2016-06-26 14:42:06

TheChickenMan
Member
From: United States
Registered: 2015-07-25
Posts: 354

Re: Hubstaff shell scripting file is it malicious spyware?

Maybe packet capture what it's sending from a vm and then just write a script that resends those packets while you're doing your work on your normal computer so they think you're running the script?


If quantum mechanics hasn't profoundly shocked you, you haven't understood it yet.
Niels Bohr

Offline

#4 2016-06-26 15:36:41

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,740

Re: Hubstaff shell scripting file is it malicious spyware?

I like the VM idea. 

One thing I worry about is that no matter what you run it on -- your main machine, a VM, a loaner laptop, etc. -- it is still running arbitrary code from behind your firewall. For all you know, it could be providing a tunnel that allows them to bore through your firewall into your network at their pleasure. Bad for a home network; disaster for a corporate network. If your network architecture allows it, and you choose to run this script someplace, I would configure a new guest network *outside* your firewall.

Edit: Or, how about spinning up an AWS server (or any 'cloud' based service)? I just happen to run an AWS instance and I have no association with Amazon other than being a customer.

Last edited by ewaller (2016-06-26 16:00:09)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#5 2016-06-26 15:55:21

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: Hubstaff shell scripting file is it malicious spyware?

Did you know what was coming, when you signed that contract? If not, I'd seek legal advice. This is almost as bad as asking for your Facebook password.

Offline

#6 2016-06-26 16:11:45

\hbar
Member
Registered: 2014-03-15
Posts: 165

Re: Hubstaff shell scripting file is it malicious spyware?

Ewaller makes a very good point. One quick comment: the script seems to me to be an install script, and most of the 10MB is binary (which I'm guessing is the hubstaff tracking program itself, which the script is meant to install). I don't think the source code is available. This might make finding out what the program does difficult.

Edit: The script actually contains a gzipped tar archive that contains a binary named 'mojosetup'.

Last edited by \hbar (2016-06-26 16:37:23)

Offline

#7 2016-06-26 17:03:28

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Hubstaff shell scripting file is it malicious spyware?

You can find the actual stuff it installs simply enough (it is a tarball wrapped in a shellscript):

sed  '1,395d' <Hubstaff-1.2.8-4ec96dd.sh > Hubstaff-1.2.8-4ec96dd.tar.gz
mkdir Hubstaff-1.2.8-4ec96dd
tar xzvf Hubstaff-1.2.8-4ec96dd.tar.gz -C Hubstaff-1.2.8-4ec96dd

Just your standard suspicious closed-source binary which probably isn't any more suspicious than the Windows version, which I am sure people happily accept because they are told to. ;)
But I do wonder why the 11 MB tarball decompresses to less than 1MB of suspicious binary???


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#8 2016-06-26 17:12:52

greenman-23
Member
From: Morocco
Registered: 2013-12-16
Posts: 10
Website

Re: Hubstaff shell scripting file is it malicious spyware?

thanks for all the replies..

I contacted Hubstaff and whilst they are confident about the security of the software, my searches didn't identify that the script has gone through any formal verification process by a third party (i.e. Canonical, RedHat, Slackware). So whilst it (likely) isn't the intent to be malicious, the absence of verification means it could easily contain an exploit that permits a hostile attack.

Given that the software takes screenshots and logs keystrokes it potentially needs very little code injection to represent a very real threat. There further seems to be no mechanism to deal with such an attack. And whilst exploits of this nature do occur in Linux, the open nature of the software ensures that an army of coders rise up and fix the exploit long before any Russian security consultant can get out of bed. 

So I am struggling to see how software that has never been audited and has no mechanism for updating or patching exploits can be allowed to run a horse and cart through all my security. 

It just can't be allowed to happen so unfortunately I have declined the work.

again thanks to all for your comments,


When you're stuck at the North Pole you have two options: to stay stuck or go South...

Offline

#9 2016-06-26 20:23:22

\hbar
Member
Registered: 2014-03-15
Posts: 165

Re: Hubstaff shell scripting file is it malicious spyware?

Eschwartz wrote:

But I do wonder why the 11 MB tarball decompresses to less than 1MB of suspicious binary???

The compressed part ends after 411556 bytes. After that, there's what looks like the contents of an app, judging from the names of the files: licenses, png's, libraries, binaries. I'm guessing the suspicious binary installs more suspicious binaries. You know the saying: "Suspicious binary begets suspicious binary"...

Offline

#10 2016-06-26 21:29:32

urkle
Member
Registered: 2016-06-26
Posts: 2

Re: Hubstaff shell scripting file is it malicious spyware?

If you actually look at this in detail.. the first part is a compressed MojoSetup installer (32bit and 64bit) wrapped in a SHAR to auto extract and run it.    The rest of the payload is the actual installer contents which is simply a zip file containing the actual application.   If you want to bypass the installer you can simply run unzip on the .sh and it will extract out the Hubstaff client.

Offline
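Posts #7, #9 and #10 describe the file's layout: a shell header, a gzipped tar holding the installer, then a zip with the application. The following is an added example (not written by any poster or by Hubstaff) that maps those regions and lists their contents without executing anything; the sample file, the `data/app.bin` entry and the function names are constructed for illustration.

```python
import io
import tarfile
import zipfile
import zlib

# Constructed stand-in for a self-extracting installer; not the real Hubstaff file.
HEADER = b"#!/bin/sh\n# constructed stub header\nexit 0\n"


def build_sample():
    """Shell header + gzipped tar (installer stub) + appended zip (application)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        stub = b"\x7fELF constructed placeholder"
        info = tarfile.TarInfo("mojosetup")
        info.size = len(stub)
        tar.addfile(info, io.BytesIO(stub))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("data/app.bin", b"constructed application payload")
    return HEADER + tar_buf.getvalue() + zip_buf.getvalue()


def inspect_installer(blob):
    """Map the regions of the file and list their contents; nothing is executed."""
    gz_start = blob.find(b"\x1f\x8b\x08")  # gzip magic + deflate method byte
    if gz_start < 0:
        raise ValueError("no gzip stream found")
    inflater = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    tar_bytes = inflater.decompress(blob[gz_start:])
    if not inflater.eof:
        raise ValueError("gzip stream is truncated")
    # Everything zlib did not consume lies after the gzip trailer.
    gz_end = len(blob) - len(inflater.unused_data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        tar_names = tar.getnames()
    # zipfile locates the central directory from the end of the file, so it
    # tolerates the shell header and tarball in front of the archive.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        zip_names = zf.namelist()
    return {
        "gzip_start": gz_start,
        "gzip_end": gz_end,
        "zip_start": blob.find(b"PK\x03\x04", gz_end),
        "tar_names": tar_names,
        "zip_names": zip_names,
    }


if __name__ == "__main__":
    print(inspect_installer(build_sample()))
```

To inspect a downloaded installer instead of the sample, pass `open(path, "rb").read()` to `inspect_installer`; listing names this way reads the archives but never runs the embedded shell header or binaries.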

#11 2016-06-26 22:01:40

urkle
Member
Registered: 2016-06-26
Posts: 2

Re: Hubstaff shell scripting file is it malicious spyware?

Actually.. if you wanted to view the source of that mojosetup installer it is located here..  https://github.com/OutOfOrder/MojoSetup-bins

Offline

#12 2016-06-27 07:23:00

greenman-23
Member
From: Morocco
Registered: 2013-12-16
Posts: 10
Website

Re: Hubstaff shell scripting file is it malicious spyware?

"Actually.. if you wanted to view the source of that mojosetup installer it is located here..  https://github.com/OutOfOrder/MojoSetup-bins"

but it's the tarball that is of concern, not the installer

sorry if this has caused you problems but closed source is by its very nature suspicious...

Last edited by greenman-23 (2016-06-27 12:02:39)


When you're stuck at the North Pole you have two options: to stay stuck or go South...

Offline
