undefined | Better HN

0 pointssr28y ago0 comments

I found malware in the PIA installer. Not sure if it was planted by PIA themselves or I was subjected to a MITM attack, and so I would never use any bespoke VPN software again. Best just downloading the OpenVPN config files and plug them into something like Viscosity[0] (which I trust over the more bespoke VPN clients made by the VPN providers themselves).

[0]: https://www.sparklabs.com/viscosity/

0 comments

middleclick8y ago

As a general rule of thumb, I have used various VPN services and made sure to never use their clients. Downloading an OpenVPN configuration file IMO seems the best way to go about it.

dagrha8y ago

Speaking of PIA and not using the provider's client, I've written this simple python script that populates PIA OpenVPN routes for NetworkManager on a bunch of Linux distributions, which then pop right into the system tray or are accessible from nmcli, etc. (https://github.com/dagrha/pypia)

sr2OP8y ago

Yeah and use a decent client like Viscosity, or if your O.S supports OpenVPN config files natively, just use them.

boomboomsubban8y ago

What so you mean "found malware?" You checked the installer and found that some aspect was malicious or some software you are running said it found malware? As the installer seems likely to cause false positives.

You're still better using independent VPN clients, but I would not trust them at all if the installer actually has malware.

sr2OP8y ago

I spotted loads of malicious network traffic, and using the Sysinternals Autoruns[0] utility I was able to spot attempts at persistence. I also checked the outbound connections and they were C&C servers. I can't remember if the installer was digitally signed or not, but there was definitely malware in it. I always make sure to opt-out of any AD ware that might be bundled with an installer, but this seems to have been injected surreptitiously, and installed with very little interaction.

Just be careful with the bespoke VPN clients as they are very juicy targets for MITM attacks. I know I would be going after VPN software if I wanted to do ex-filtration for a small subset of users trying to hide their tracks from governments and ISPs.

[0] https://technet.microsoft.com/en-us/sysinternals/bb963902.as...

boomboomsubban8y ago

So an installer was trying to set up autoruns, and the outbound connection IP's were on some list? The first part seems like expected behavior, the second sounds like your list of bad IP's included several that one of the most popular VPN providers use.

1 more reply

elmigranto8y ago

> I spotted loads of malicious network traffic

Care to provide anything substantial (e.g. net dumps or screenshots at least)?

> and they were C&C servers

How do you know that, have you MITMD your connection? Do you have anything besides generic spooky words?

1 more reply

CharlesW8y ago

> Best just downloading the OpenVPN config files and plug them into something like Viscosity…

On macOS, I just created a new "PIA" service in Network. Is there any reason to use Viscosity instead of the macOS VPN client?

tgragnato8y ago

If I am not wrong PIA doesn't support IKEv2. The only choice is then L2TP/IPSec.

IPSec is typically considered secure, but it's allegedly compromised in some implementations and/or weakened during the standardisation process.

CharlesW8y ago

Good to know, thank you!

j / k navigate · click thread line to collapse

0 comments

middleclick8y ago

As a general rule of thumb, I have used various VPN services and made sure to never use their clients. Downloading an OpenVPN configuration file IMO seems the best way to go about it.

dagrha8y ago

sr2OP8y ago

Yeah and use a decent client like Viscosity, or if your O.S supports OpenVPN config files natively, just use them.

boomboomsubban8y ago

You're still better using independent VPN clients, but I would not trust them at all if the installer actually has malware.

sr2OP8y ago

[0] https://technet.microsoft.com/en-us/sysinternals/bb963902.as...

boomboomsubban8y ago

1 more reply

elmigranto8y ago

> I spotted loads of malicious network traffic

Care to provide anything substantial (e.g. net dumps or screenshots at least)?

> and they were C&C servers

How do you know that, have you MITMD your connection? Do you have anything besides generic spooky words?

1 more reply

CharlesW8y ago

> Best just downloading the OpenVPN config files and plug them into something like Viscosity…

On macOS, I just created a new "PIA" service in Network. Is there any reason to use Viscosity instead of the macOS VPN client?

tgragnato8y ago

If I am not wrong PIA doesn't support IKEv2. The only choice is then L2TP/IPSec.

IPSec is typically considered secure, but it's allegedly compromised in some implementations and/or weakened during the standardisation process.

CharlesW8y ago

Good to know, thank you!

j / k navigate · click thread line to collapse