It should go without saying that you should scan an executable before running it, even if it's coming from a trusted source. As the last few years have shown, though, a false sense of security loves to bite people over and over again.

On August 2nd 2016, for three hours, an external developer had their account compromised on Audacity's and Classic Shell's download server FossHub and was used to replace the legitimate installer with a malware that overwrite the master boot record. Thanks to the quick response of the Audacity team they quickly moved to take down the rogue download before too many people were affected.

Sadly it was a two for one deal, as not only Audacity was targeted, but also the popular Windows modification tool called Classic Shell. Classic Shell was also targeted and had their installer mirrored on FossHub replaced with the infected version. Unfortunately, this malware version of Classic Shell was downloaded approximately 300 times according to an official response posted by FossHub:

The attackers uploaded a malware file on Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.

- http://www.audacityteam.org/compromised-download-partner/

When installing the malware version of Classic Shell, it was fairly easy to spot that something was not right. When the normal version is installed, it will display a UAC prompt that shows Ivaylo Beltchev as the publisher of the program. On the other hand, the malware version would have the publisher listed as Unknown.

When the malware version of Audacity and Classic Shell were installed, the malware would overwrite the master boot record so that it displays a message when the computer starts. This message states "AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR! IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE!". This quote is a reference to the 1987 video game called ShadowGate, which was notorious for the amount of ways you could die in the game.

A group named PeggleCrew claimed responsibility for the attack and explained that they did it to teach people a lesson.

@AuraTheWhiteHat We also compomised Audacity. FossHub was fully compromised, including (temporarily), the admin's email. — Cult of Razer (@CultOfRazer) August 3, 2016

@AuraTheWhiteHat Because nobody will learn to check signatures and hashes if it isn't demonstrated bluntly. — Cult of Razer (@CultOfRazer) August 3, 2016

If you or someone you know was affected by this malware, assistance can be received in the Am I Infected? forum. You may also attempt to repair the MBR yourself as seen in this video

There are a few lessons to take from this and (hopefully not) future incidents:

1. As 2016 has shown us, never reuse passwords. Websites can easily be compromised and if the same password is used for different sites, it might just end up coming back to bite you in the end. It is also important to NOT allow browsers to remember passwords as there are various tools that can retrieve saved passwords from browsers like Chrome and Firefox. If you must use a password remembering tool, I personally recommend 1Password, although it isn't free it does offer a trial that allows you to store up to 20 logins and offers more security than storing the passwords within the browser.

2. Always scan before running a program, even if a file is coming from a trusted source. Virustotal is a good online scanner that utilizes many different antivirus engines to scan files uploaded.

3. Keep an up to date Antivirus & Antimalware software on your computer. Everyone has their own opinions about security software and the ones I personally prefer are Avast! Antivirus & Malwarebytes Antimalware.

4. If something seems too good to be true, then it probably is. The best security is common sense, if you choose to disregard it, you may find your security software won't be able to protect you.

If you have any security tips of your own, feel free to post them in the comment section below, you may end up helping save someone from becoming a victim.