WhyNotWin11.com is not owned by Me

[sanny-io]

https://www.whynotwin11.com

https://i.imgur.com/6Rlz443.png

I haven't seen this mentioned anywhere. Is this from you @rcmaehl? The download link currently points to this repo's releases, but they might be trying to lay low for a while before switching it out 👀

[spirillen]

@iam-py-test wrote:

Why is better performance needed? The only point of this domain is to (correct me if I am wrong) redirect lost people to GitHub and prevent it from being bought up by malware authors. (Also may have the effect of redirecting people who made a typo away from the .com)

I'm not sure I follow you here... we where talking about the optimal redirect setup for nginx (aka cloudflare) to this GH repo.

HTTPS prevents tampering

Only IF the domain is

1. listed in googles HSTS list
2. The browser supports the HSTS lists
3. You can still overrule the HSTS by adding 0 to the HSTS header
4. The dns have a CAA record with a limiting value not excluding
   1. mypdns.org 86400 IN CAA 128 issue "letsencrypt.org"

For nginx

add_header Strict-Transport-Security "max-age=0;" always;

evil ISPs from spying, and also increases user trust.

?? they still see the DNS and http(s) request header... Only the content is hopefully encrypted...

[iam-py-test]

@spirillen

1. Why can the request override the HSTS preload? That seems like a major security issue
2. I agree HTTPS is probably not needed, unless Someone uses whynotwin11.org as a way to get to the GitHub repo, so HSTS would have a benefit Someday there is content hosted on this domain. (that could be done) In my (non-expert) opinion, unless one of these happens, HTTPS redirects should not be used. However, I think HTTPS should be setup (unless that is hard), as some browsers (i.e. Firefox) warn users against HTTP domains, and will try to upgrade everything to HTTPS.

Also, I think there should be a warning in the README.md (maybe at the top) that says all domains except whynotwin11.org which claim they are related to whynotwin11 are scams (like how uBlock Origin warns about the ublock.org scam in their README) Might not help too much if users go to the wrong site in the first place, but might help a bit.

From: @.> Sent: Tuesday, June 29, 2021 2:35 PM To: @.> Cc: @.>; @.> Subject: Re: [rcmaehl/WhyNotWin11] WhyNotWin11.com is not owned by Me (#66)

@iam-py-testhttps://github.com/iam-py-test wrote:

Why is better performance needed? The only point of this domain is to (correct me if I am wrong) redirect lost people to GitHub and prevent it from being bought up by malware authors. (Also may have the effect of redirecting people who made a typo away from the .com)

I'm not sure I follow you here... we where talking about the optimal redirect setup for nginx (aka cloudflare) to this GH repo.

HTTPS prevents tampering

Only IF the domain is

1. listed in googles HSTS list
2. The browser supports the HSTS lists
3. You can still overrule the HSTS by adding 0 to the HSTS header

For nginx

add_header Strict-Transport-Security "max-age=0;" always;

evil ISPs from spying, and also increases user trust.

?? they still see the DNS and http(s) request header... Only the content is hopefully encrypted...

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/rcmaehl/WhyNotWin11/issues/66#issuecomment-870823955, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AUCUUPAGUWAODYKFPUUIZBLTVIG7LANCNFSM47MMEG7Q.

[spirillen]

That seems like a major security issue

NO, not at all, the value lies in the controller of the server, it's a way out for a miss configured cert, remember, humans makes mistakes.

HTTP domains, and will try to upgrade everything to HTTPS

No for HTTP code 30(1|2|7|8) exactly for the cache HIT :smirk:

Someone uses whynotwin11.org as a way to get to the GitHub repo, so HSTS would have a benefit

Exactly how?? HSTS says only THIS Domain requires SSL connection.... but as it is redirecting, I don't see the need for HSTS at all, there are no pages, solely a HTTP redirect code!!

However, I think HTTPS should be setup (unless that is hard)

Add this to the server section of the config...

server {

        # SSL configuration
        ssl_stapling on;
        ssl_certificate /fullchain.pem;
        ssl_certificate_key privkey.pem;
        ssl_trusted_certificate chain.pem;
        resolver <IP> valid=600s;
        resolver_timeout 5s;

        add_header Strict-Transport-Security "max-age=31536000; preload" always;

}

Or simply Verifying or approving a domain for your organization it's kinda a single TXT record in the DNS zone.....

[thepwrtank18]

The build from whynotwin11.com is now modified to have their own website instead of whynotwin11.org, and the logo changed to an "A" of some sort.

Updates are still via the GitHub repo.

[rcmaehl]

I was gonna check but Avast had other plans

[micwoj92]

The build from whynotwin11.com is now modified to have their own website instead of whynotwin11.org, and the logo changed to an "A" of some sort.

Updates are still via the GitHub repo.

I suspect that "A" is just default AutoIt icon, that's EPIC FAIL :sunglasses:

Nevermind, it's something different.

[rcmaehl]

I'll decompile it and take a look at their changes (if any)

[iam-py-test]

@rcmaehl You should be able to override, or you can maybe use something like curl

[spirillen]

I'll decompile it and take a look at their changes (if any)

Just for other to see the sha512sum, as I don't see any reason for other to download a badware.exe on there Windos (I'm running *nix :smirk: )

sha512sum WhyNotWin11.exe WhyNotWin11.com.exe 
9cc044f91b9f2d7f818ecdf208ea2cac371c26de7724b0623b28c045eef2c2a6fc7025d096075d6d4cb95d53ec3dbf6d3410185adfa887c19658ff03ee3d0a72  WhyNotWin11.exe
f92d71e1ab3c61c1c1f9f02c70e564816dfa2a853af68a6ab834f156d90d71f45c94673da2eb1bbd29a31b7d671ccc1d46d1e63030226790f380bb6d92fc732b  WhyNotWin11.com.exe

[iam-py-test]

I'll decompile it and take a look at their changes (if any)

Just for other to see the sha512sum, as I don't see any reason for other to download a badware.exe on there Windos (I'm running *nix 😏 )

sha512sum WhyNotWin11.exe WhyNotWin11.com.exe 
9cc044f91b9f2d7f818ecdf208ea2cac371c26de7724b0623b28c045eef2c2a6fc7025d096075d6d4cb95d53ec3dbf6d3410185adfa887c19658ff03ee3d0a72  WhyNotWin11.exe
f92d71e1ab3c61c1c1f9f02c70e564816dfa2a853af68a6ab834f156d90d71f45c94673da2eb1bbd29a31b7d671ccc1d46d1e63030226790f380bb6d92fc732b  WhyNotWin11.com.exe

You always can download in a sandboxed VM or on a Linux machine (my favorite VM-less way to examine malware)

[JeremyWu0212]

@rcmaehl That's the webpage. 疑似高仿网站？？？

[JeremyWu0212]

@rcmaehl The exe file's size is 686kb. The file is download from the .com

[rcmaehl]

686kb? I would not trust it at all then

[rcmaehl]

@Yuki2718, an update

I can confirm that application doesn't seem to be an autoit file or at least no one that the trusted decompiler can recognize. Oddly enough, VirusTotal Behavior report shows it running some of the commands that should be expected. App was UPX Compressed which the decompiler can handle but it still didn't recognize it. I'm assuming it's some sort of self extracting archive with some sort of a malicious wrapper

I wouldn't trust their as far as I can throw it.

[thepwrtank18]

You should probably take action by sending a DMCA complaint to Google (and other search engines) for impersonation and spreading malware. It's open source, but you still own it.

The one from the website is closed source, and (presumably) a violation of the LGPL.

We can definitely say this isn't just a fan site for helping @rcmaehl out.

[spirillen]

Google isn't the one who handle misplaced domain that IANA/RIPE

In this case the first contact however would be name:sheep:

whois whynotwin11.com
   Domain Name: WHYNOTWIN11.COM
   Registry Domain ID: 2622571933_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2021-06-27T08:37:11Z
   Creation Date: 2021-06-27T08:22:51Z
   Registry Expiry Date: 2022-06-27T08:22:51Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Registrar Abuse Contact Email: abuse@namecheap.com
   Registrar Abuse Contact Phone: +1.6613102107

Then if they are not taking desired actions, then it RIPE: https://duckduckgo.com/?t=ffab&q=ripe+report+domain&ia=web

[Yuki2718]

@rcmaehl Okay, 27/70 in VT would be enough to judge the software is suspicious.

[CKylinMC]

I don't know should I create a new issue but I can't visit https://www.whynotwin11.org ...

[micwoj92]

Try without www, it's just a redirect to this repo.

[CKylinMC]

Try without www, it's just a redirect to this repo.

OK, it works. Thanks!

[colenh]

keeps getting worse doesn't it, ive reported it to both cloudflare and namecheap but i havent recieved any replies.

[iam-py-test]

Report to uBlock Origin at https://github.com/uBlockOrigin/uAssets/issues That will increase the blocking

[micwoj92]

Apparently namecheap is bad when it comes to replying to abuse report emails. No idea about cloudflare.

[iam-py-test]

Apparently namecheap is bad when it comes to replying to abuse report emails. No idea about cloudflare.

If we report to mainstream blocklists, they will be more likely to respond

[micwoj92]

Report to uBlock Origin at https://github.com/uBlockOrigin/uAssets/issues That will increase the blocking

https://github.com/uBlockOrigin/uAssets/commit/d2b2afe18f9cf3196b58b7a0e9fb67d1d83e5444

[iam-py-test]

Oh. Thanks! I think maybe it should be updated to $all

[blocklistproject]

At this time we have a similar response to @spirillen, the site still currently links to the repo, after scanning the site we are not able to find any obvious malicious serving content and VirusTotal gives it a clean bill of health. Please keep us updated and as soon as this changes we will add it to our lists.

[iam-py-test]

@blocklistproject the download has a large number of detections on VirusTotal:

[iam-py-test]

https://www.virustotal.com/gui/file/831c7d8b75738072e74020f61670ebde2e88b4f72cac941cdddf09d5de263a18/detection

[blocklistproject]

I am unable to download the file in a safe environment right now to confirm. So, out of an abundance of caution based on the image above we will at least be temporarily blocking the site. Once I am able to confirm this, the block will either be removed or will permanently be left in place. Thank you for bringing this to our attention and the quick reply regarding our concern. It takes a community!

[micwoj92]

@blocklistproject At first that website was serving .exe from this repo, then they switched to self hosting and next day they had changed executable to show .com website instead of real whynotwin.org redirect. Then they changed to totally different exe which scan you can see above. It seems that now they changed to linking to official download again but it is uncertain for how long and what next action will owner of this fake website take. I think it should be blocked permanently. Thanks for considering.

[spirillen]

At this time we have a similar response to @spirillen, the site still currently links to the repo ...

I'm a bit confused about the intention with this message? What is it you are trying to tell me? Could you please elaborate @blocklistproject ?

Update:

It is right that it for time being is pointing towards the official download as @micwoj92 says, this however can easily be an attempted trick to try "reseting" BlackLists and Tools like VT (VirusTotal), but it will fail as the SHA checksum is used, not the link and it is on a numbered watchlist,

For you @blocklistproject:

<div class="“download-buttons-os”">
 <a class="maxbutton-1 maxbutton maxbutton-download" href="https://github.com/rcmaehl/WhyNotWin11/releases/latest/download/WhyNotWin11.exe"><span class='mb-text'>Download</span></a></div>

[dxgldotorg]

https://who.is/whois/whynotwin11.com

Bad news, the web host is hidden behind Cloudflare.

Perhaps you might be able to get in touch with NameCheap support (the registrar) but they might require a UDRP.

[iam-py-test]

https://who.is/whois/whynotwin11.com

Bad news, the web host is hidden behind Cloudflare.

Perhaps you might be able to get in touch with NameCheap support (the registrar) but they might require a UDRP.

If enough places block it, it might not matter Does anyone know how to get NameCheap to take it down?

[colenh]

https://who.is/whois/whynotwin11.com Bad news, the web host is hidden behind Cloudflare. Perhaps you might be able to get in touch with NameCheap support (the registrar) but they might require a UDRP.

If enough places block it, it might not matter Does anyone know how to get NameCheap to take it down?

already contacted them and cloudflare and im awaiting a response

[iam-py-test]

@MDMCK10 is this mean it has been taken down or will be taken down? https://sitecheck.sucuri.net/results/whynotwin11.com shows it is still online (for now)

If it gets completely taken down, @rcmaehl should try to buy the domain before someone else uses it

[iam-py-test]

@MDMCK10 is this mean it has been taken down or will be taken down? https://sitecheck.sucuri.net/results/whynotwin11.com shows it is still online (for now) If it gets completely taken down, @rcmaehl should try to buy the domain before someone else uses it

This just means that Cloudflare has put a warning on the WhyNotWin11.exe file that's on the site, (and forwarded a complaint to the hosting provider as well) the website itself is still online, but I'm also working with Namecheap at the moment to get the domain itself taken down. I'll post updates as they happen.

@MDMCK10 Thank you! Also, why is it look like gmail is warning you about that email?

Also, our abuse reports have worked; we have AV detections on VT and community reports

[micwoj92]

We did it Reddit!

[iam-py-test]

We did it Reddit!

Reddit?

[micwoj92]

https://old.reddit.com

[iam-py-test]

https://old.reddit.com

I know what Reddit is. I was just curious why you said Reddit when this is GitHub

[micwoj92]

Because @rcmaehl is notorious Redditor.

[iam-py-test]

Domain Status: clientHold https://icann.org/epp#clientHold We win!

... or so I thought looks like the domain is (sadly) back up, except the "WhyNotWin11.exe" file on it is gone. I guess it's up to @rcmaehl to take legal action at this point, since whoever is behind the website clearly wants to keep it up for some (likely malicious) reason

How did they do that? Also, it is blocked by a whole bunch of places, so hopefully that will provide some protection. Has anyone been able to get through to Google abuse? They seem to ignore my Safe Browsing reports

[iam-py-test]

Domain Status: clientHold https://icann.org/epp#clientHold We win!

... or so I thought looks like the domain is (sadly) back up, except the "WhyNotWin11.exe" file on it is gone. I guess it's up to @rcmaehl to take legal action at this point, since whoever is behind the website clearly wants to keep it up for some (likely malicious) reason

How did they do that? Also, it is blocked by a whole bunch of places, so hopefully that will provide some protection. Has anyone been able to get through to Google abuse? They seem to ignore my Safe Browsing reports

How did they do that? Well, registrars actually give you a way to get your domain back up if you resolve the "problem", which in this case was the "WhyNotWin11.exe" file on the site being considered malware, since the person got rid of that file, the registrar allowed the domain to be put back up. I submitted to safe browsing, but nothing has happened. As for how many vendors are blocking it, the answer is "some", but it's not enough, we would need Google Safe Browsing blocking it for any major impact to happen.

I am aware, but GSB's report system is horrible, and domains I reported months ago still are not blocked. I am not even sure if I have the right url. However, if we submit it to GSB enough times, and get other places onboard, we may be able to make an impact

[micwoj92]

Domain Status: clientHold https://icann.org/epp#clientHold We win!

... or so I thought looks like the domain is (sadly) back up, except the "WhyNotWin11.exe" file on it is gone. I guess it's up to @rcmaehl to take legal action at this point, since whoever is behind the website clearly wants to keep it up for some (likely malicious) reason

Is it? I cant connect to it.

[iam-py-test]

Domain Status: clientHold https://icann.org/epp#clientHold We win!

... or so I thought looks like the domain is (sadly) back up, except the "WhyNotWin11.exe" file on it is gone. I guess it's up to @rcmaehl to take legal action at this point, since whoever is behind the website clearly wants to keep it up for some (likely malicious) reason

Is it? I cant connect to it.

Just checked. I can't connect either due to an unknown error

[rcmaehl]

I'll check some of my several tickets with several vendors and see if there's any update

[krystian3w]

On my ISP also is offline.

[iam-py-test]

@MDMCK10 maybe your seeing a cached version

[iam-py-test]

@MDMCK10 maybe your seeing a cached version

... oh the darn caches i checked what happened, it looks like that it came back up for a brief period of time on my end for some reason, and when i was doing the WHOIS lookup it did not show clientHold after making sure that nothing is being cached on my end, the site once again looks to be offline (sorry about that, i did not notice at first)

Ok. Thanks for checking We all make errors