I found malware in the PIA installer. Not sure if it was planted by PIA themselves or I was subjected to a MITM attack, and so I would never use any bespoke VPN software again. Best just downloading the OpenVPN config files and plugging them into something like Viscosity[0] (which I trust over the more bespoke VPN clients made by the VPN providers themselves).
As a general rule of thumb, I have used various VPN services and made sure to never use their clients. Downloading an OpenVPN configuration file IMO seems the best way to go about it.
Speaking of PIA and not using the provider's client, I've written this simple python script that populates PIA OpenVPN routes for NetworkManager on a bunch of Linux distributions, which then pop right into the system tray or are accessible from nmcli, etc. (https://github.com/dagrha/pypia)
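One caveat on "just download the .ovpn and import it": an OpenVPN profile is not inert data. Directives such as `up`, `down`, `route-up` and `plugin` make the client execute a program when it connects, `script-security 2` is what unlocks them, and a `remote` line can point at any host. A profile fetched over a MITM'd connection therefore deserves a look before it goes into Viscosity, NetworkManager or anything else. The linter below is an added example written for this thread; it is not code from pypia, Viscosity or any VPN provider. The two profiles it checks are constructed (hosts under example.com / example.net, placeholder certificate text), and the expected-provider suffix is a parameter you set yourself.

```python
"""Lint an OpenVPN client profile before importing it.

Added example for this thread, not code from pypia, Viscosity or any VPN
provider. Both sample profiles below are constructed for the demo.
"""
import re
from typing import List, Tuple

# Directives that make OpenVPN run an external program or load native code.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}
# script-security above this level allows the directives above to run scripts.
SAFE_SCRIPT_SECURITY = 1
# Directives that write to arbitrary local paths.
FILE_DIRECTIVES = {"log", "log-append", "writepid", "status"}


def parse_profile(text: str) -> List[Tuple[str, str]]:
    """Return (directive, args) pairs, skipping comments and inline <ca>...</ca> style blocks."""
    entries = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.match(r"<(/?)([\w-]+)>$", line)
        if tag:
            in_block = None if tag.group(1) else tag.group(2)
            continue
        if in_block:
            continue  # certificate/key material, not a directive
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def lint_profile(text: str, expected_remote_suffix: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    entries = parse_profile(text)
    for directive, args in entries:
        if directive in EXEC_DIRECTIVES:
            findings.append(f"executes external code: {directive} {args}")
        elif directive == "script-security":
            try:
                level = int(args.split()[0])
            except (IndexError, ValueError):
                level = -1
            if level > SAFE_SCRIPT_SECURITY:
                findings.append(f"script-security {level} permits up/down scripts")
        elif directive in FILE_DIRECTIVES:
            findings.append(f"writes to local path: {directive} {args}")
        elif directive == "remote":
            host = args.split()[0] if args else ""
            if not host.endswith(expected_remote_suffix):
                findings.append(f"remote not under {expected_remote_suffix}: {host}")
    # Without remote-cert-tls/verify-x509-name, any certificate the provider CA
    # issued (including another customer's client cert) is accepted as the server.
    names = {d for d, _ in entries}
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        findings.append("no remote-cert-tls/verify-x509-name: server identity not pinned")
    return findings


# Constructed profile resembling a normal provider download (not a real one).
SAMPLE_OK = """
client
dev tun
proto udp
remote us-east.vpn.example.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
"""

# Constructed profile with the kind of additions a tampered download could carry.
SAMPLE_TAMPERED = """
client
dev tun
proto udp
remote vpn-updates.example.net 443
script-security 2
up /tmp/.update.sh
auth-user-pass
"""

if __name__ == "__main__":
    for name, profile in (("ok", SAMPLE_OK), ("tampered", SAMPLE_TAMPERED)):
        print(name, lint_profile(profile, ".example.com") or ["clean"])
```

The suffix check is deliberately crude: it catches a `remote` swapped to a different domain, not a compromised host under the real one. Anything flagged by `EXEC_DIRECTIVES` is worth reading in full before the profile touches a machine, since the argument is a command line the VPN client will run with its own privileges.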
What do you mean "found malware"? You checked the installer and found that some aspect was malicious, or some software you are running said it found malware? The installer seems likely to cause false positives.
You're still better off using independent VPN clients, but I would not trust them at all if the installer actually has malware.
I spotted loads of malicious network traffic, and using the Sysinternals Autoruns[0] utility I was able to spot attempts at persistence. I also checked the outbound connections and they were C&C servers. I can't remember if the installer was digitally signed or not, but there was definitely malware in it. I always make sure to opt out of any adware that might be bundled with an installer, but this seems to have been injected surreptitiously, and installed with very little interaction.
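The two checks described in this comment (new persistence entries found with Autoruns, and outbound connections matched against known C&C addresses) are easy to make repeatable: take an `autorunsc -c` snapshot before running an installer and another after, diff them, and run `netstat -ano` through an IOC list. The script below is an added example for this thread; it is neither Sysinternals code nor anything the commenter posted. The CSV column names follow the layout `autorunsc.exe -c -v` emits (an assumption to check against your Autoruns version), and the snapshots, netstat output and IOC addresses are all constructed (TEST-NET ranges, fictional "Example VPN Ltd").

```python
"""Diff two Autoruns CSV snapshots and check netstat output against IOCs.

Added example for this thread, not Sysinternals code. Column names assume the
CSV layout of `autorunsc.exe -c -v` (verify for your version); all sample
data below is constructed.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed snapshot taken before the install.
AUTORUNS_BEFORE = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,Launch String
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","Windows Security notification icon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe"
"""

# Constructed snapshot taken after the install: one unverified Run key, one signed driver.
AUTORUNS_AFTER = AUTORUNS_BEFORE + r""""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VPN Helper","enabled","Logon","","(Not verified) Example VPN Ltd","c:\programdata\vpnhelper\svc.exe","c:\programdata\vpnhelper\svc.exe -silent"
"HKLM\SYSTEM\CurrentControlSet\Services","ExampleVpnTun","enabled","Drivers","TAP adapter","(Verified) Example VPN Ltd","c:\windows\system32\drivers\exvpntap.sys","system32\drivers\exvpntap.sys"
"""

# Constructed `netstat -ano` output (Windows layout: UDP rows carry no State column).
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49811     192.0.2.10:443         ESTABLISHED     2280
  TCP    192.168.1.20:52314     203.0.113.45:443       ESTABLISHED     4120
  TCP    [::1]:135              [::1]:49700            ESTABLISHED     980
  UDP    0.0.0.0:500            *:*                                    1100
"""

# Constructed IOC list: single addresses or CIDR ranges, as a threat feed would give them.
IOCS = {"203.0.113.45", "198.51.100.0/24"}


def parse_autoruns(csv_text: str) -> Dict[Tuple[str, str], dict]:
    """Key each row by (location, entry) so two snapshots can be compared."""
    return {(r["Entry Location"], r["Entry"]): r
            for r in csv.DictReader(io.StringIO(csv_text))}


def new_persistence(before_csv: str, after_csv: str) -> List[dict]:
    """Entries present only in the 'after' snapshot, with signature status."""
    before = parse_autoruns(before_csv)
    findings = []
    for key, row in parse_autoruns(after_csv).items():
        if key in before:
            continue
        findings.append({
            "entry": row["Entry"],
            "category": row["Category"],
            "image": row["Image Path"],
            # Autoruns prefixes the Signer column with "(Verified)" when the
            # Authenticode chain checks out (assumed format).
            "verified": row["Signer"].startswith("(Verified)"),
        })
    return findings


def flag_connections(netstat_text: str, iocs: Iterable[str]) -> List[dict]:
    """Return netstat rows whose foreign address falls inside any IOC address/range."""
    nets = [ipaddress.ip_network(i, strict=False) for i in iocs]
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        remote = parts[2]
        host = remote.rpartition(":")[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*:*" listeners or unresolved names
        if any(ip in net for net in nets):
            hits.append({"proto": parts[0], "remote": remote, "pid": int(parts[-1])})
    return hits


if __name__ == "__main__":
    for f in new_persistence(AUTORUNS_BEFORE, AUTORUNS_AFTER):
        print("new autorun:", f)
    for h in flag_connections(NETSTAT, IOCS):
        print("IOC hit:", h)
```

The PID in each hit is what ties the two halves together: `tasklist /FI "PID eq 4120"` (or the Autoruns image path) tells you which binary owns the connection, which is the answer to the "was it just the client checking its servers?" question raised further down the thread.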
Just be careful with the bespoke VPN clients, as they are very juicy targets for MITM attacks. I know I would be going after VPN software if I wanted to do exfiltration for a small subset of users trying to hide their tracks from governments and ISPs.
So an installer was trying to set up autoruns, and the outbound connection IPs were on some list? The first part seems like expected behavior; the second sounds like your list of bad IPs included several that one of the most popular VPN providers uses.
This was before the client even connected for the first time. And the IPs were well-known C&C servers used for collecting keystrokes and screenshots of your OS.
Checking whether their various servers exist on install seems likely. And well-known C&C servers probably hide their actual IP; they'd be fairly easy to shut down if they didn't.
[0]: https://www.sparklabs.com/viscosity/