The Latest in IT Security

Malware Poses as Rainmeter Skins on deviantART


Recently I decided to improve my desktop with a little interactivity, and started dabbling with something called Rainmeter which displays customisable and functional skins in a variety of designs. There are entire websites where people can show off their design skills, and the general idea is to install Rainmeter, download a skin (in the .rmskin format) and enable the elements of your chosen skin such as weather, Facebook feeds, HDD space and so on. It’s a great little program.

I have a bit of a thing for Mass Effect 2, and I especially have a bit of a thing for orange UI on spaceships. Wouldn’t it be awesome if I could combine the two with a custom Rainmeter skin?

My favourite desktop on the Citadel.

Imagine my surprise, then, to find this popping up on deviantART earlier today:

“One of my first skins i’ve done . Mass Effect will always be a great game ! download if you agree !”

A random deviantART user claiming this is their skin (when it clearly isn’t), the comments are disabled meaning nobody can warn of potential shenanigans and the file in the zip is an .exe instead of a Rainmeter file (.rmskin)?

Hello there, walking definition of “How about no“. For reference, a legitimate Rainmeter skin file would look less like a .exe and more like this:

Incidentally, unticking “hide extensions for known file types” in Windows Folder Options would reveal the fake file as a standard .exe, an extention that would be missing if the option were ticked.

A quick scan of deviantART reveals multiple uploads from spammy looking users, most of whom have comments disabled, have uploaded executables and (in some cases) claim to have created a skin when someone else is claiming to be the creator on the exact same page:

Even Chuck Norris is in on the action, with a “full setup” executable that raises a few red flags along with other executable files provided by the uploader.

While you’re trying to tie the above into some sort of Chuck Norris joke, I should point out that some of the recently uploaded files (and there are quite a few pages of them since the spamming apparently started in the last three or four hours) have been removed and currently look like this:

Strangely, while the files are being removed, the accounts are still live which means continued uploads. The rogue accounts aren’t too difficult to spot – they typically have skins identical to other spammy users, have comments disabled and their profiles contain somewhere between 4 and 6 downloads. Everything you can think of is a potential target, from awesome orange tinted videogames (ahem) and Karate guys who were soundly thrashed by Bruce Lee to “Girls of Otaku“, pictures of cute pink hearts and the inside of Iron Man’s helmet.

I guess this means his boosters will cut out and he’ll end up as the flattest member of the Avengers but whatever.

I can’t stress how many pieces of dubious malware are being uploaded right now and fans of Rainmeter should be extremely careful – we’re going through the files and taking a look, but the spamming could go on for a while until deviantART and Rainmeter manage to shut this spamrun down for good (and these spamruns seem to keep rising from the grave). In the meantime:

1) Stick to trusted sources of Rainmeter skins, and pay attention to comments posted at all times.

2) If comments are disabled, steer clear.

3) If the user is new, if they only have a few uploads, if those uploads look like uploads from other new users: continue to steer clear.

4) If you do happen to download a zip, open it up and find an executable instead of a .rmskin..well, insert something about steering clear right here.

I think we can all agree an awesome orange desktop is much better than the one that says “Reformatting”, so think twice before grabbing that hot looking skin or you may end up with problems a few steps above “I can’t get this world clock to show Jakarta” on your to-do list.

Christopher Boyd (Thanks to Jovi Umawing for additional information)

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments