Re: [Gimp-user] gimpx? possible malicious software using Gimp name

On 05/26/2013 08:48 AM, Michael Schumacher wrote:
On 25.05.2013 19:22, Michael Strout wrote:
Hi all,
I just received a text message on Google Voice with something which
was made to look like a failed image embed that led to this page
which talked about requiring a gimp photo viewer for a .JPG.GMP
file.  Links lead to a domain
which thing
looks like a malicious site crafted to fool Windows users into
malware to me.

Yes, it is. See
for an analysis, with slightly different urls.

The owner of the domain name "" is hiding behind a
pseudo-anonymous registrar.  That in itself is enough to rule out
installing anything offered on the site.

The hosting service where the website lives,, presents a "404 page not found" notice at, another strong indicator of
"other than honest" intentions.

If I'm incorrect and this is somehow a valid tool please let me
know to set my mind at ease.

This isn't a valid tool. Most likely a trojan.

Looks that way to me.  Maybe somebody who has the time and interest
will install it in a virtual machine and audit the results to
determine what the installer actually is/does.  But
directing users to the "real goods" provides a complete solution, so
why bother?

If not, does anyone know if there's something that can be done
about it?

Educating users would be the best approach. Any suggestions how to
phrase a warning for

The Windows installation instructions in my GIMP tutorial for
beginners at conclude with:

Warning! Do not download the GIMP from unofficial websites offering
"Free Downloads." Sabotaged GIMP installers rigged with trojans have
been discovered in the wild.

The phrase "rigged with trojans" has a hyperlink to:

It might be useful to put a warning like this on the front page of
the GIMP site, followed by a link to the relevant Sourceforge page
for the "real" Windows port.  The educational impact would be

Also, the GIMP site's front page has a Google rank of 7 (out of 10
on a log scale), so a hyperlink here would add a lot of weight in
search result placement of the Sourceforge page for the GIMP
installer.  This would help prevent search engines from being
manipulated via SEO to send people to sites with trojanized GIMP

At present, the link to the Windows port on the Downloads page at is hidden behind a "show other downloads" link buried in
the middle of the page.  This is hard to justify, as the majority of
current and potential users are on Microsoft platforms.  The GIMP is
a *powerful* gateway drug for Free Software, so (literally) hiding
it from people who are using Microsoft junk does Linux advocacy no

I would be inclined to move the link for Windoze installers to the
top of the Downloads page on the GIMP website.  The higher on the
page this link appears, the more likely that a search engine will
direct would-be first time users there, rather than to a hosting
service for malware.


