MuseHub/Muse.Service reported by Malwarebytes - is it legit or a false positive?
Hi,
I accidentally downloaded some malware this week, and installed Malwarebytes to detect and remove it.
Malwarebytes also detected and reported a programme called Muse.Service.exe as contacting a compromised web site. I've pasted the details below. As a temporary measure, I've uninstalled Musehub and Musescore.
But I'm not sure if this was a genuine infection, or whether MuseHub legitimately tries to contact this IP and Malwarebytes is reporting it as a false positive. Any thoughts?
-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\Muse.MuseHub_0.9.10.559_x64__rb9pth70m6nz6\Muse.Service.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data-
Category: Compromised
Domain:
IP Address: 185.65.134.164
Port: 6881
Type: Outbound
File: C:\Program Files\WindowsApps\Muse.MuseHub_0.9.10.559_x64__rb9pth70m6nz6\Muse.Service.exe
Comments
Muse Hub runs a background service to handle the automatic updates. It's not malware.
In reply to Muse Hub runs a background… by Marc Sabatella
Thank you Marc.
In reply to Muse Hub runs a background… by Marc Sabatella
How do we know it's not malware? We can't inspect the source code, since it is closed.
In reply to Muse Hub runs a background… by Marc Sabatella
Running Windows 10.
I wanted to simply upgrade to Musescore 4. It's late in my day , and the standalone musescore download was not obvious. So I wound up with the Musehub package.
Immediately after installing Musescore via Musehub, I realized my mistake and uninstalled Musehub.
Will that remove the background software running in the background that other ( more technical ) folk have mentioned here?
I want musehub and any services from it out of my system .
If the uninstall was not adequate, can you advise what I need to do to get there?
Thanks
-tom
Chiming in on this... ever since I downloaded Muse Hub, I seem to be getting notifications from my ISP that malicious IPs are trying to access my device.
Additionally when exiting Muse Hub in the tray (so that it does not appear in the tray anymore), it's still running services in the background that I have to kill manually via Task Manager.
What's going on here?
In reply to Chiming in on this... ever… by albert.avery
The service was answered right above your post, it is used to run the auto updates.
The unknown IPs (not necessarily malicious) are likely those from other users; turn off the "community acceleration" setting in MuseHub if you do not wish to make use of it.
In reply to The service was answered… by jeetee
I get that it's used to run auto updates, but I feel like it's expected that when you "exit" a program, it should actually exit it. I feel like this is how most programs work in general, even those with auto updates.
Regarding the unknown IPs and "community acceleration", that's deeply concerning. I think that feature should be disabled by default if that's the case.
Especially if a non-technical person is trying out Musescore and downloaded Muse Hub, I don't think it's a good look for Muse when their ISP (Xfinity in my case, as it gave me notifications via their app) is telling them that these outside IPs are trying to access their computer.
Just my two cents - regardless I have uninstalled Muse Hub since the time I have made my comment.
In reply to I get that it's used to run… by albert.avery
I agree on the exit.
I also feel that no non-technical user would enable the peer-to-peer function if it is disabled by default. But I think an approach as was used by Telemetry in 3.x could satisfy both: just ask it on first launch.
In reply to I agree on the exit. I also… by jeetee
But the main concern is not the torrent stuff.
The biggest security problem here is that this service runs with a privileged account (admin, root).
I am surprised that nobody sees this as a problem.
Basically, the Muse group can install anything they want on your computers, without you knowing about it.
In reply to But the main concern is not… by graffesmusic
I definitely see it as a problem. MuseScore is slowly becoming proprietary software, through the introduction of third-party proprietary tools that "solve" problems introduced by regressions in MuseScore. It may be overly cynical of me to point this out, but it really looks like a way to circumvent GNU GPL.
The whole concept of software checking for updates is absurd to any Linux user. We have package managers that do that for us. But this means less control for the software proprietors. Having such "update" software closed source and running with root privileges is a huge red flag. And you're incentivised into using this software (which would in any other circumstance rightly be described as malware) by getting a shiny present like MuseSounds: "oh no, you can't download this soundfont unless you give full control of your system to our proprietary updater". In what alternate reality does that make any sense? If this is not Defective-By-Design, what is?
I am very worried about this and the future of MuseScore.
In reply to But the main concern is not… by graffesmusic
Yes, they can install anything, such as the updates, which is its main purpose of existence.
In reply to Yes, the can install… by jeetee
If you allow a third party you know nothing about (as I understand it: a 'mailbox' company based in Cyprus, but located in Kaliningrad, Russia) to have root access to your system: this is bad security.
Especially because there is really no need to have this running as root.
In reply to But the main concern is not… by graffesmusic
@graffesmusic: Can you elaborate on that? I mean the privileged account issue?
On my Mac I see the following information on the binary ("ls -l"):
-rwxr-xr-x@ 1 my_userid admin 9158928 13 dec 23:55 /Applications/Muse Hub.app/Contents/MacOS/Muse Hub
There is one extended attribute, indicated by the "@": com.apple.quarantine
No root owner. Can it run as root at all? Or with root privileges?
In reply to Can you elaborate on that? I… by user2442
It can and will certainly run with root privileges when started by root.
In reply to I can run with root… by Jojo-Schmitz
But not in normal operation, right? When I run
ps aux
on it I see:
my_userid 752 0,0 0,0 34453592 6548 ?? Ss 3:46pm 0:00.02 /Applications/Muse Hub.app/Contents/XPCServices/HelperInstaller.xpc/Contents/MacOS/HelperInstaller
my_userid 743 0,0 0,2 35163600 81796 ?? S 3:46pm 0:00.61 /Applications/Muse Hub.app/Contents/MacOS/Muse Hub launchedAtLogin
As far as I can tell, this is running with my user privileges. Which are not root privileges.
Am I missing something here?
In reply to But not in normal operation,… by user2442
I don't know anything about Macs.
But it surely looks that the service on your system is running as your own user.
Somebody should confirm this behaviour.
But if this is correct, then I can only conclude that Linux users are really screwed.
On Linux, if privileges are dropped by adding a no-shell system user/group, the service refuses to run - by design.
how do i go about disabling this service? i don't want it running in the background
In reply to how do i go about disabling… by sills
I'm pretty shocked to discover this running, definitely as root, on my Ubuntu 20.04 system. Huge security hole and I had no idea it was there. Typing the following on a terminal stops it:
david@dm:~$ sudo systemctl stop muse-hub.service
david@dm:~$ sudo systemctl mask muse-hub.service
Created symlink /etc/systemd/system/muse-hub.service → /dev/null.
david@dm:~$ sudo systemctl start muse-hub.service
Failed to start muse-hub.service: Unit muse-hub.service is masked.
Note you can unmask the service to bring it back to life. Masking prevents it from restarting at boot time.
Perhaps the developers can consider security a bit closer. Musescore is great, but this makes it dangerous.
In reply to I'm pretty shocked to… by davidjmcq
As mentioned numerous times, issues with Muse Hub are discussed on their support site at musehub.zendesk.com. Muse Hub is an installer and it installs files into folders like /usr/lib so obviously needs to have appropriate privileges - it shouldn't be a security problem at all. But out of an abundance of caution, alternative solutions are being investigated.
In reply to As mentioned numerous times,… by Marc Sabatella
Thank you...
In reply to As mentioned numerous times,… by Marc Sabatella
Thank you...
In reply to As mentioned numerous times,… by Marc Sabatella
This is just a lie. The right way to do this is to, at install time, make a single folder in /usr/lib that doesn't require root privileges to add files and folders in, and then run the background service without root permissions, which will mean that it can only mess around with its own folder rather than being able to mess with arbitrary system files. Making a torrent client run as root in the background is a massive security hole you're opening in your system, and the fact that no one at MuseHub has acknowledged that makes me incredibly skeptical that the team is competent.
In reply to This is just a lie. The… by oscardssmith
Concur. I've masked it out as recommended in this thread.
In reply to This is just a lie. The… by oscardssmith
Absolutely. Whoever claims that MuseHub is not dangerous must be incredibly naive.
There is no need to assume at this moment that MuseHub is malware - there is no indication that it is, nor that it isn't. We simply don't know. Nor do we know the intentions of the team. They may very well act in good faith.
But that is not the point. MuseHub is just as dangerous as if it were malware. And the risk of its bittorrent function being hacked, a real risk that others have already pointed out, is not even the greatest danger.
Let me just sketch one scenario, entirely possible. Assume someone manages to replace the mother copy of MuseHub on the MuseHub server with a version that does contain malware. Let's say it's a ransomware, that encrypts all files on your computer and asks you to donate, say, $300 to get the decryption key.
Thanks to unchecked installation that malware would be silently installed on all computers receiving a copy. Thanks to bittorrent, distribution of that version would be lightning fast. Millions of computers would be infected overnight. How many users would grudgingly pay to have their files restored? One in ten? One in hundred? Think of the numbers involved.
Think that is unlikely? Think again. Ransomware is nothing new or unusual. MuseHub is a dream opportunity for whoever is in that business.
Note that it is not necessary to suspect the MuseHub company. A would-be attacker could hack the MuseHub server. Or they could bribe an employee. A determined attacker with enough resources can get in almost everywhere. And money would not be a problem with this kind of payoff.
I advise everybody who has MuseHub running to uninstall it immediately, and then to verify that it is indeed gone. And hope and pray it has left no backdoors. If you want to be really safe, reinstall your operating system.
In reply to Absolutely. Whoever claims… by tedbooth
This doomsday scenario is entirely predicated on the notion that some criminal would be able to replace the download package on the server. And you're right, of course it's theoretically possible. Just as they could replace the download package for any other program in the world. And yet this is virtually never how malware is distributed, because there are so many better ways. There isn't anything particularly unusual about Muse Hub as installers go, except the torrent bit. So, if you're concerned that someone might pull this off and use the torrent technology to spread the malware, no need to uninstall Muse Hub - simply disable the automatic updates and/or community acceleration. If you're feeling extra paranoid, you could shut down the service entirely. But thinking that merely having it installed is somehow inviting catastrophe - now that's naive.
In reply to This doomsday scenario is… by Marc Sabatella
There is something very unusual about MuseHub. It runs with root privileges as a background task. That is precisely the thing that makes it dangerous. Pretty much every other installer will ask for root privileges once and then use those privileges to set up a folder for a non root process to manage. MuseHub by contrast holds on to its ability to do arbitrarily bad things to your system for ever.
In reply to This doomsday scenario is… by Marc Sabatella
You (Marc Sabatella) are misinformed about third party installers. Those do not have root permissions, instead they normally delegate the install task to a system installer. Which would be the proper way for MuseHub too.
Those installers do have root permission and are usually part of the operating system, and with good reason. They are developed by teams with intimate knowledge of their operating system, and of the latest attack routes on its safety. They are equipped with all kinds of safeguards to minimize the risk of installing malware. With MuseHub there is no such safeguard.
And even those very safe system installers normally ask you for your password, which MuseHub conveniently omits.
So MuseHub as installer is a completely different beast that you are totally misrepresenting.
In reply to You are misinformed about… by user2442
That's a completely irrelevant distinction. Whether it asks for root access or not, how many times does the average person say "no"? If you download software, it asks for permission to install, and you normally say yes - that's the whole reason you downloaded the program.
Someone intent on installing malware by this method could do it just as easily using any other installer. It's naive to think otherwise.
In reply to That's a completely… by Marc Sabatella
Again, not understanding. Did you read the part on the safeguards built in the system installer?
In reply to Again, not understanding… by user2442
So, we're hypothesizing a world in which someone both determined and clever enough to pull the rest of this off is somehow also short-sighted enough to not see the many easy ways around that, and this therefore stops them?
In reply to So, we're hypothesizing a… by Marc Sabatella
Was this meant as an answer to my question about the safeguards built in the system installer?
In reply to Was this meant as an answer… by user2442
Yes; trivially easy to circumvent if we assume all those other elements are in place.
In reply to Yes; trivially easy to… by Marc Sabatella
Sorry, you have no idea what you are talking about.
In reply to Sorry, you have no idea what… by user2442
You're mistaken, but if that's the best you can do to make your case, I guess I can rest mine.
In reply to You're mistaken, but if that… by Marc Sabatella
Just saying a thing does not make it true. Words need meaning, statements need arguing. On music I think you would be able to do that, on this subject sadly not.
In reply to Just saying a thing does not… by user2442
Indeed, just saying what you're saying doesn't make it true - if you want to convince anyone of any of this, you'll need to respond with meaningful words and actually address the points I've made. Until then, no point in continuing the discussion.
In reply to Indeed, just saying what you… by Marc Sabatella
The readers of this thread can decide for themselves who is supporting their claims with arguments, and who is not.
In reply to Yes; trivially easy to… by Marc Sabatella
Not sure I understand what you (Marc Sabatella) are saying. Are you saying that it is trivially easy to circumvent the safeguards if you have root access?
In reply to That's a completely… by Marc Sabatella
If this is so normal, why does no one else do things this way? (Seriously. Name one other program that uses this install process.) I understand you don't think there's anything wrong here, and to me that's probably the scariest part. Musescore is asking for root permissions on my computer to install software in a non-standard way, and the developers don't see this as a potential security issue, even when the avenue of attack has been repeatedly pointed out.
In reply to If this is so normal, why… by oscardssmith
Many major vendors delivering large amounts of content that may need frequent updates have something similar in place. The exact mechanics may differ, but see for instance the Avid installer.
In any case, I'm not on the team developing Muse Hub, and if I were, I might have chosen to do things differently. And I'd be perfectly happy to see them make some changes to address these concerns. I'm merely pointing out that it's irresponsible to be scaring away users by drumming up fear of an incredibly unlikely event - one that, if it were to happen, would be much more likely to occur through entirely different means that don't involve Muse Hub at all. It's just harmful to the MuseScore community to be spreading such misinformation, and my goal here is to help users, not harm them.
In reply to Many major vendors… by Marc Sabatella
What is irresponsible and unacceptable is to have a closed source program, running as root, when it doesn't need to run as root. On Linux, I have a package manager which installs stuff. I don't need some proprietary program installing stuff on my computer. If you wanted to give me these sounds for free, you would have given them for free, not require that I give you control over my computer.
The safest assumption is that it is malware, and in my opinion, it is completely foolish to trust it. We don't even know who wrote it, some Russian company... Extremely shady.
In reply to What is irresponsible and… by kresimir
I've messaged the ZenDesk multiple times and no response.
In reply to I've messaged the ZenDesk… by sills
That is a well known pattern with them. Some time ago a thread was started just to discuss the issue of security (https://musehub.zendesk.com/hc/en-gb/community/posts/8450771193629-Muse…).
It was well argued, and politely so. After a few days the thread silently disappeared. Only after this was mentioned on this forum, it was reinstated without comment (see on this forum: https://musescore.org/en/node/338084#comment-1162167).
A certain David from MuseHub then said soothing words. He agreed to an open discussion on the issue. In the beginning it went fine. But once a well argued case was made to drop the root access, citing warnings from both Apple and Microsoft, and again very respectfully, communication stopped and nothing was heard from David again.
Read through that thread. It is very instructive.
In reply to What is irresponsible and… by kresimir
The vast majority of programs ever written in the history of computing are closed source. If we took the position that closed source = no one should ever trust it, then we might as well just go back to abacuses.
Calling something malware with zero evidence whatsoever is libel, plain and simple. It's a false statement made maliciously for the purpose of maligning a company and harming its community of users.
And FWIW, while there are some people of Russian descent who work for the company that produces Muse Hub, the company is not Russian, it is not based in Russia, and people employed by the company are from all over the world. But more importantly, are you seriously implying that being of a particular nationality makes you untrustworthy? There's a winning argument with history on your side...
In reply to The vast majority of… by Marc Sabatella
People are raising flags because this closed software has root permissions that cannot be disabled on Linux as well as Windows. It's problematic because, again, no one wants this running on their computer and no part of Muse Hub needs that much permission.
In reply to The vast majority of… by Marc Sabatella
The vast majority of programs written in the history of computing work without needing root access. Closed source + root privilege = untrustworthy. It's as simple as that. This may be how things are done on Windows, but no Linux user in their right mind would accept this. And no, I'm not implying that a particular nationality makes you untrustworthy. What makes you untrustworthy is complete lack of transparency, combined with unreasonable demands for root access (for things which could have been done in a different way, without the need for root) for a service that constantly runs, resists being shut down, and is closed source.
It is also a fact that a lot of malware comes from Russia, just like a lot of scam operations are based in India. This has nothing to do with one's nationality, but with the fact that legal systems in these countries do not punish these activities as harshly as in most other countries.
In reply to The vast majority of… by kresimir
Also, if MuseScore wasn't open source, I wouldn't be using it. It makes complete sense to distrust any closed source software, but especially if it requires root privileges, and doubly so if it fights you when you try to close it. And on top of it all, it's constantly connected not only to some server, but to a bunch of other computers. It's a security nightmare. You may as well write your passwords on post-it notes on your monitor for everyone to see, if you are going to trust this software. It's absurd and ridiculous beyond words, and anyone writing such software must either be hopelessly clueless about security or have malicious intentions. The same goes for people defending such practice.
As far as I'm concerned, I'm 99% sure it's up to something no good, and I'm certainly not going to risk running it on my system. It's not libel, it's common sense caution. Trust must be earned.
In reply to Also, if MuseScore wasn't… by kresimir
So just to be clear, you are also dismissing the 90% of the world who use Windows and macOS as being absurd and ridiculous. And accusing the people who have dedicated their lives to developing and supporting this software of having malicious intent is beyond belief.
Between that and the blatant racism, a wise woman once said, when someone shows you who they are, believe them the first time. It's great that people can see for themselves now just what kind of people are spewing this vile garbage, so thanks for that. My work is done here.
In reply to So just to be clear, you are… by Marc Sabatella
I'm sorry, there are just too many red flags to ignore.
Reasons why I suspect MuseHub might be malware:
1. Malware scanners on Windows report it as malware
2. Closed source and contrary to the spirit of MuseScore
3. No Linux distro packs it in its repo, one needs to manually download it with a browser to install it (something that should never be done on Linux)
4. Runs as service with root access. It doesn't need that, there are ways around it, but it explicitly refuses to run if not given root access
5. Constantly sends and receives data from the network, connects to multiple IP addresses
6. Resists being terminated, it goes out of its way to be difficult to uninstall or disable
7. Spikes CPU use on Windows when the screen is turned off
8. Produced by some shady company in Kaliningrad with a PO Box for address in Cyprus.
Reasons why it might not be:
1. A stranger on the Internet tells me it's perfectly safe and that I should trust it with full, unrestricted access to my computer, and if I don't, I'm a terrible person, a "blatant racist spewing vile garbage"... And why? So that it can give me a soundfont! Of course, you can't have nice sounds in a notation software if you don't completely disregard all established security practices!
Honestly, if I didn't see it with my own eyes, I couldn't believe that you've written those things about me, you don't even know me. It's utterly irrational, immature, hurtful, and yes, downright malicious.
Yeah, I'm probably done, too.
In reply to I'm sorry, there are just… by kresimir
crypto miner!!!
In reply to The vast majority of… by Marc Sabatella
You (Marc Sabatella) say: "the company is not Russian, it is not based in Russia."
Well, read the following:
"According to LinkedIn and their own press release, Muse Group is headquartered in Limassol, Cyprus. LinkedIn also shows the following additional office locations: Kaliningrad, Russia; St. Petersburg, Russia; and London, Great Britain."
(https://en.everybodywiki.com/Muse_Group)
Headquarters on Cyprus says nothing. Cyprus is famous for its low taxes and other benefits for foreign companies seeking access to the EU market. Many companies have a token presence there for this purpose, effectively operating just a P.O. Box there.
(https://www.offshore-protection.com/cyprus-tax-havens)
That leaves three offices, two of them in Russia. This goes much further than "some people of Russian descent who work for the company", as you say. It is a safe bet that Russian influence with MuseHub is very strong, if not dominant.
In reply to This doomsday scenario is… by Marc Sabatella
Well I would disable these settings but the service still has extreme administrative powers and can not be disabled once the settings are turned off.
In reply to This doomsday scenario is… by Marc Sabatella
I don't have problems with closed source software and or even community bittorrenting. But, I do get antsy when Norton starts alerting me that I have bitcoin mining occurring from the MuseHub. Is this a false positive of some sort? Probably... but, it's not as simple as "simply disable the automatic updates and/or community acceleration" ... because I did that last week when I got these alerts the first time. Yet, this morning, I'm still getting this alert:
"Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Destination Address,Source Address,Traffic Description
9 May 2023 2:23:42 AM,High,An intrusion attempt by gateway.docker.internal was blocked.,Blocked,No Action Required,System Infected: Miner.Bitcoinminer Activity 6,No Action Required,No Action Required,"gateway.docker.internal (192.168.xx.xxx, 6881)","103.219.154.220, 60016",gateway.docker.internal (192.168.xx.xxx),"TCP, Port 6881"
Network traffic from gateway.docker.internal matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\WINDOWSAPPS\MUSE.MUSEHUB_1.0.1.692_X64__RB9PTH70M6NZ6\MUSE.SERVICE.EXE."
The server it is trying to connect to is: https://ipinfo.io/AS207083/103.219.154.0/24
Looks like a datacenter IP from the NL, but that might be spoofed since so many VPNs operate out of the NL.
But, more importantly, I've taken the suggested steps and it has not stopped the traffic.
In reply to I don't have problems with… by John Asendorf
Don't doubt your suspicion with sketchy closed source software.
MuseHub is spiking cpu usage and even taking up graphics driver RAM
It uses no repos on Linux.
See https://musescore.org/en/node/341517
In reply to This doomsday scenario is… by Marc Sabatella
Ever heard of SolarWinds? You're talking about naivety, but you don't have the competence to realize that one of the most harmful ransomware campaigns in history was carried out IN THE EXACT MANNER YOU DESCRIBED AS BEING UNREALISTIC. Do you have any idea of cybersecurity concepts and news? Reading these comments from you casts SERIOUS doubts about the knowledge level of these engineers. Do you have procedures to ensure that a supply-chain attack would be detected? I'm assuming not, considering you just called a supply chain attack "virtually never how malware is distributed." Your company is not a small one-man shop. Your company IS a target of large threat actors, as you have tons of users worldwide. Infecting your supply chain would result in MILLIONS of infections. PLEASE read up on cybersecurity trends, because your lack of knowledge is, frankly, laughable.
I am reading this because malwarebytes just marked it as a trojan. I am not as techy as some of you so could someone tell me in plain English what to do lol? Thanks in advance
In reply to I am reading this because… by tuttijones
There is always the possibility of a false alarm, but in your place I would take no risks.
The safe option would be to reinstall your operating system.
Since you don't know what this trojan might do, best would be to shut down the computer as soon as possible, and then reinstall from a fresh copy of your OS.
You will probably be given the option to keep your user files, and that will probably be OK. But if you have a backup of your user files, the safest option would be to do a complete fresh install and then restore your user files from that backup. Then you can reinstall your apps/programs one by one (not MuseHub, obviously).
After that, it might be a good idea to change your passwords. In any case those that you have used while the trojan was on your system - it might have listened to them and copied them to a third party. (If you have a plain text file on your computer with all your passwords, you should change all of them.)
If you need help with all that, please let us know if you are on Windows, macOS, or Linux. Then we could give you some pointers on how to do it. Best of course would be to get help from a trusted person by your side who can walk you through it.
BTW, do you have any information on the trojan? How is it called? When did you get the warning: at installation of MuseHub, or at some later time?
Good luck.
In reply to There is always the… by johnweigand
OMG!! Really!! See below for the report from Malwarebytes. I have received a few of these this evening, never before. I don't know if this is linked, but a few days ago a friend received an email from me that I didn't send. I NEVER click on links, so have been scratching my head as to how this happened. An email from Malwarebytes offered a breach report and found Onliner Spambot and Zynga. I spent yesterday changing Microsoft passwords, but these alerts came this evening. I am running Windows 10; any help will be gratefully received.
Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 5/4/23
Protection Event Time: 8:14 PM
Log File: dc26a370-eaaf-11ed-ab28-c85b7643fb0d.json
-Software Information-
Version: 4.5.27.262
Components Version: 1.0.1991
Update Package Version: 1.0.69014
License: Premium
-System Information-
OS: Windows 10 (Build 19045.2846)
CPU: x64
File System: NTFS
User: System
-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\Muse.Service.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data-
Category: Trojan
Domain:
IP Address: 185.65.134.165
Port: 6881
Type: Outbound
File: C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\Muse.Service.exe
(end)
In reply to There is always the… by johnweigand
Correction, 5 this evening and 1 on 29th April. All the others just say 'compromised'.
In reply to correction, 5 this evening… by tuttijones
I am not an expert on Malwarebytes, but it looks to me as if the attack was stopped by it. In that case you would be home free.
Yet, your report on mail never sent is disturbing. But then again, that one might be unrelated.
Incidentally, this is port 6881 which is a bittorrent port. It looks like not MuseHub itself was identified as a trojan, as I first understood you, but that a third party tried to use it to introduce a trojan to your system. Luckily it was caught. Not sure how to understand "outbound" here though.
Again, not an expert on Malwarebytes. What do others think?
In reply to I am not an expert on… by johnweigand
If you read up on this thread, MuseHub is also doing a bunch of shady stuff like spiking CPU usage and even taking up graphics driver RAM????!??!?!?!?!?!?
If it's marked malware, it's probably malware.
(remember, this software has root permission!)
In reply to correction, 5 this evening… by tuttijones
Correction, my previous post was based on the report you copied. I now see that you also have reports saying "compromised", and that you also were given the names Onliner Spambot and Zynga. Could it be that those are other security breaches, that were not blocked? That would be bad news. Do you still have that breach report?
In reply to Correction, my previous post… by johnweigand
I am currently talking to Malwarebytes about that. The 'report' didn't give me anything but the names, which isn't exactly helpful. I am very careful about what I open or download, so I'm a bit flummoxed by this to be honest.
In reply to I am currently talking to… by tuttijones
Please let us know how things continue.
In reply to Please let us know how… by johnweigand
I will do. Malwarebytes are looking at it now. Thank you so very much for your support with this
In reply to Please let us know how… by johnweigand
Hiya,
Sorry it's taken me so long to get back to you. This is the response I had from Malwarebytes:
" From the information I found reported on the developer's forum below, this program appears to use peer-to-peer connections for updates.
https://musescore.org/en/node/337673
With regards to the blocks for Musehub, it is not Musehub itself that is being detected and blocked, but instead a communication attempt by Muse.Service.exe, to a blocked server. Sometimes peer-to-peer services may contact servers that have also hosted malware at some point and may trigger a block detection when being accessed.
For example, the IP 138.199.60.166 has been reported for abuse: https://www.abuseipdb.com/check/138.199.60.166.
You may want to reach out to them to let them know and ask them why they are using servers known to be involved in abuse."
I'm getting a similar issue, but with Norton Antivirus. Below are the details for the curious:
Severity: High
Activity: An intrusion attempt by [PC Name] was blocked.
Date&Time: 5/16/2023 6:51:00 AM
Status: Blocked
IPS Alert Name: System Infected: Miner.Bitcoinminer Activity 6
Destination Address: 185.213.175.112, 55006
Traffic Description: TCP, Port 6881
Network traffic from [PC Name] matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISK\VOLUME3\WINDOWSAPPS\MUSE.MUSEHUB_1.0.0.624_X64__RB9PTH70M6NZ6/MUSE.SERVICE.EXE
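The two alert formats pasted in this thread (the Malwarebytes "-Website Data-" block and the Norton Intrusion Prevention export) can be triaged mechanically. The following Python script is an added example, not code from the thread, from Malwarebytes, Norton or Muse Hub: it parses both formats, checks whether the blocked connection is Muse.Service.exe traffic on BitTorrent port 6881 (which the replies above attribute to the "community acceleration" feature), and reads the package version out of the WindowsApps path. The sample inputs are constructed from the reports quoted above, the Norton column names come from the pasted header, and the verdict labels and advice text are the example's own.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Classic BitTorrent listening range; every report in this thread shows 6881.
BITTORRENT_PORTS = range(6881, 6890)
SERVICE_BINARY = "muse.service.exe"

# Constructed from the Malwarebytes report pasted in the thread (its "-Website Data-" block).
MALWAREBYTES_SAMPLE = r"""
-Website Data-
Category: Trojan
Domain:
IP Address: 185.65.134.165
Port: 6881
Type: Outbound
File: C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\Muse.Service.exe
"""

# Constructed from the Norton Intrusion Prevention export pasted in the thread:
# CSV header, one record, then the free-text sentence that names the process.
NORTON_SAMPLE = r"""
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Destination Address,Source Address,Traffic Description
9 May 2023 2:23:42 AM,High,An intrusion attempt by gateway.docker.internal was blocked.,Blocked,No Action Required,System Infected: Miner.Bitcoinminer Activity 6,No Action Required,No Action Required,"gateway.docker.internal (192.168.xx.xxx, 6881)","103.219.154.220, 60016",gateway.docker.internal (192.168.xx.xxx),"TCP, Port 6881"
Network traffic from gateway.docker.internal matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\WINDOWSAPPS\MUSE.MUSEHUB_1.0.1.692_X64__RB9PTH70M6NZ6\MUSE.SERVICE.EXE.
"""

@dataclass
class Alert:
    product: str
    signature: str            # Malwarebytes "Category" or Norton "IPS Alert Name"
    binary: str               # process that opened the connection, as the product reports it
    remote_ip: str
    remote_port: Optional[int]
    local_port: Optional[int]

def parse_malwarebytes(text: str) -> Alert:
    """Parse the key/value lines of a Malwarebytes '-Website Data-' block."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")  # first colon only, so 'C:\...' survives
            fields[key.strip()] = value.strip()
    port = int(fields["Port"]) if fields.get("Port") else None
    outbound = fields.get("Type", "").lower() == "outbound"
    return Alert("Malwarebytes", fields.get("Category", ""), fields.get("File", ""),
                 fields.get("IP Address", ""),
                 remote_port=port if outbound else None,  # outbound: "Port" is the peer's port
                 local_port=None if outbound else port)

def parse_norton(text: str) -> Alert:
    """Parse a Norton IPS export: the CSV row gives the endpoints, the trailing sentence the process."""
    lines = text.strip().splitlines()
    row = next(csv.DictReader(io.StringIO("\n".join(lines[:2]))))
    # "Attacking Computer" is the local host with its own port: 'name (192.168.x.x, 6881)'.
    local = re.search(r"\(([^,]+), (\d+)\)", row["Attacking Computer"])
    remote = re.match(r"(\S+), (\d+)", row["Destination Address"])
    # The process path appears only in the free text, in NT device notation, ending with a period.
    path = re.search(r"from (\\DEVICE\\.+?)\.?$", lines[2] if len(lines) > 2 else "", re.IGNORECASE)
    return Alert("Norton", row["IPS Alert Name"], path.group(1) if path else "",
                 remote.group(1) if remote else "",
                 remote_port=int(remote.group(2)) if remote else None,
                 local_port=int(local.group(2)) if local else None)

_PKG_VERSION = re.compile(r"Muse\.MuseHub_(\d+(?:\.\d+)+)_", re.IGNORECASE)

def package_version(path: str) -> str:
    """Pull the package version out of a WindowsApps path (Muse.MuseHub_1.0.1.693_x64__... style)."""
    m = _PKG_VERSION.search(path)
    return m.group(1) if m else "unknown"

ADVICE = {
    "p2p-peer-reputation": ("Fits Muse Hub's 'community acceleration' (BitTorrent) peer traffic: the peer "
                            "address's reputation tripped the block, not the binary. Disable community "
                            "acceleration and automatic updates, then confirm the port 6881 connections stop."),
    "unexplained": ("Muse.Service.exe traffic on a non-BitTorrent port does not fit the P2P explanation; "
                    "record the destination and the process's network activity before deciding."),
    "other-process": "A different process is named; the alert is unrelated to Muse Hub.",
}

def triage(alert: Alert) -> dict:
    """Decide whether a block fits the P2P explanation given in the thread or needs a closer look."""
    # One Norton report in the thread writes the path with a forward slash, so normalise first.
    is_service = alert.binary.lower().replace("/", "\\").endswith("\\" + SERVICE_BINARY)
    ports = {p for p in (alert.local_port, alert.remote_port) if p is not None}
    on_p2p_port = any(p in BITTORRENT_PORTS for p in ports)
    verdict = ("p2p-peer-reputation" if is_service and on_p2p_port
               else "unexplained" if is_service else "other-process")
    return {"product": alert.product, "verdict": verdict, "signature": alert.signature,
            "version": package_version(alert.binary),
            "remote": f"{alert.remote_ip}:{alert.remote_port}", "advice": ADVICE[verdict]}

def triage_samples() -> dict:
    """Run both constructed reports through the triage, keyed by product."""
    return {a.product: triage(a) for a in (parse_malwarebytes(MALWAREBYTES_SAMPLE), parse_norton(NORTON_SAMPLE))}
```

`triage_samples()` classifies both constructed reports as "p2p-peer-reputation"; a Muse.Service.exe block on a port outside 6881-6889 comes back as "unexplained" rather than being explained away.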
In reply to I'm getting a similar issue,… by jameslung
Here too: disable Muse Hub's "Community sharing"; that is BitTorrent and does use this port.
I've had a similar problem happen, except with it detecting the trojan virus.
I don't know what to do, so I looked it up and found this.
I may make my own post about it, but currently I am just commenting on this one.
Please help, I'm clueless.
In reply to I've had a similar problem… by Recorder-Clari…
It's up to you to decide whether you trust this MuseHub software with complete access to your computer or not. I can't tell you what to do, it's your decision.
Personally, I do not trust it for the reasons I stated above and until MuseHub becomes open-source and I can compile it myself (fat chance of that ever happening, it's proprietary for a rea$on), I will not take any chances with it. If that means I am denied access to the pretty soundfont and I have to endure the regression in playback quality, so be it. Even if it meant not being able to run MuseScore at all, I wouldn't run MuseHub on any of my computers. To me, that program looks extremely shady and untrustworthy.
But again, the decision is yours, do not blindly trust what other people (including me) say, but make your own informed decision.
Thanks a lot for that. My company's security policy says that I'm not allowed to use this software on a corporate PC, so I removed it because it works as P2P. Here are some details:
MuseHub is so suspicious:
- Background service will run on startup, even if you have "start on boot" turned off.
- Background service cannot be killed.
- Background service sends and receives data on all devices in your local network.
- Sends data to "52.177.138.113" in USA (Microsoft IP).
- Sends data to "muse-tracker-eu-central.c3dzdbdfc5ere0gq.germanywestcentral.azurecontainer.io".
So it would be really nice to fix that problem somehow.