MuseHub/Muse.Service reported by Malwarebytes - is it legit or a false positive?

• Dec 10, 2022 - 07:40

Hi,
I accidentally downloaded some malware this week, and installed Malwarebytes to detect and remove it.

Malwarebytes also detected and reported a programme called Muse.Service.exe as contacting a compromised web site. I've pasted the details below. As a temporary measure, I've uninstalled Musehub and Musescore.

But I'm not sure if this was a genuine infection, or whether MuseHub legitimately tries to contact this IP and Malwarebytes is reporting it as a false positive. Any thoughts?


-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\Muse.MuseHub_0.9.10.559_x64__rb9pth70m6nz6\Muse.Service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 185.65.134.164
Port: 6881
Type: Outbound
File: C:\Program Files\WindowsApps\Muse.MuseHub_0.9.10.559_x64__rb9pth70m6nz6\Muse.Service.exe


Comments

In reply to by Marc Sabatella

Running Windows 10.

I wanted to simply upgrade to Musescore 4. It's late in my day, and the standalone musescore download was not obvious. So I wound up with the Musehub package.

Immediately after installing Musescore via Musehub, I realized my mistake and uninstalled Musehub.

Will that remove the background software running in the background that other (more technical) folk have mentioned here?

I want musehub and any services from it out of my system.

If the uninstall was not adequate, can you advise what I need to do to get there?

Thanks
-tom

Chiming in on this... ever since I downloaded Muse Hub, I seem to be getting notifications from my ISP that malicious IPs are trying to access my device.

Additionally when exiting Muse Hub in the tray (so that it does not appear in the tray anymore), it's still running services in the background that I have to kill manually via Task Manager.

What's going on here?

In reply to by jeetee

I get that it's used to run auto updates, but I feel like it's expected that when you "exit" a program, it should actually exit it. I feel like this is how most programs work in general, even those with auto updates.

Regarding the unknown IPs and "community acceleration", that's deeply concerning. I think that feature should be disabled by default if that's the case.

Especially if a non-technical person is trying out Musescore and downloaded Muse Hub, I don't think it's a good look for Muse when their ISP (Xfinity in my case, as it gave me notifications via their app) to be telling them that these outside IPs are trying to access my computer.

Just my two cents - regardless I have uninstalled Muse Hub since the time I have made my comment.

In reply to by jeetee

But the main concern is not the torrent stuff.
The biggest security problem here is that this service runs with a privileged account (admin, root).
I am surprised that nobody sees this as a problem.
Basically, the Muse group can install anything they want on your computers, without you knowing about it.

In reply to by graffesmusic

I definitely see it as a problem. MuseScore is slowly becoming proprietary software, through the introduction of third-party proprietary tools that "solve" problems introduced by regressions in MuseScore. It may be overly cynical of me to point this out, but it really looks like a way to circumvent GNU GPL.

The whole concept of software checking for updates is absurd to any Linux user. We have package managers that do that for us. But this means less control for the software proprietors. Having such "update" software closed source and running with root privileges is a huge red flag. And you're incentivised into using this software (which would in any other circumstance rightly be described as malware) by getting a shiny present like MuseSounds: "oh no, you can't download this soundfont unless you give full control of your system to our proprietary updater". In what alternate reality does that make any sense? If this is not Defective-By-Design, what is?

I am very worried about this and the future of MuseScore.

In reply to by jeetee

If you allow a third party you know nothing about (as I understand it: a 'mailbox' company based in Cyprus, but located in Kaliningrad, Russia) to have root access to your system: this is bad security.
Especially because there is really no need to have this running as root.

In reply to by graffesmusic

@graffesmusic: Can you elaborate on that? I mean the privileged account issue?

On my Mac I see the following information on the binary ("ls -l"):

-rwxr-xr-x@ 1 my_userid admin 9158928 13 dec 23:55 /Applications/Muse Hub.app/Contents/MacOS/Muse Hub

There is one extended attribute, indicated by the "@": com.apple.quarantine

No root owner. Can it run as root at all? Or with root privileges?

In reply to by Jojo-Schmitz

But not in normal operation, right? When I run ps aux on it I see:

my_userid 752 0,0 0,0 34453592 6548 ?? Ss 3:46pm 0:00.02 /Applications/Muse Hub.app/Contents/XPCServices/HelperInstaller.xpc/Contents/MacOS/HelperInstaller
my_userid 743 0,0 0,2 35163600 81796 ?? S 3:46pm 0:00.61 /Applications/Muse Hub.app/Contents/MacOS/Muse Hub launchedAtLogin

As far as I can tell, this is running with my user privileges. Which are not root privileges.

Am I missing something here?

In reply to by user2442

I don't know anything about Macs.
But it surely looks like the service on your system is running as your own user.
Somebody should confirm this behaviour.

But if this is correct, then I can only conclude that Linux users are really screwed.

On Linux, if privileges are dropped by adding a no-shell system user/group, the service refuses to run - by design.
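A way to settle the question raised in the two posts above (whether the Muse Hub processes run as root or as the logged-in user) on either platform, as an added example that is not from any poster in this thread: a small shell helper that reads `ps aux` output and reports the owner of every process whose command line matches a pattern. The sample lines embedded in it are constructed for the demonstration, not real captured output, and the Linux path in them is an assumption.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: report which processes
# matching a pattern run as root. Reads `ps aux`-style output on stdin; both
# the Linux and the macOS formats put USER in column 1, PID in column 2 and
# the command from column 11 onwards, so the same parser serves both.

# Usage: ps aux | check_service_user 'Muse'
check_service_user() {
  awk -v pat="$1" '
    NR == 1 && $1 == "USER" { next }          # skip the ps header line
    $0 ~ pat && $0 !~ /awk -v pat=/ {         # match the command; ignore this awk
      cmd = ""
      for (i = 11; i <= NF; i++) cmd = cmd (i > 11 ? " " : "") $i
      who = ($1 == "root") ? "ROOT" : "user:" $1
      printf "%s pid=%s %s\n", who, $2, cmd
    }'
}

# Exit 0 when at least one matching process runs as root, 1 otherwise,
# so a script can decide whether to stop or mask the unit.
any_root() {
  check_service_user "$1" | grep -q '^ROOT '
}

# Constructed sample (not real captured output): one Linux root-owned
# service at an assumed path, one user-owned editor, and one macOS line
# in the style quoted earlier in the thread.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1203 0.0 0.1 123456 7890 ? Ssl 10:00 0:01 /usr/lib/muse-hub/Muse.Service
david 2201 0.0 0.2 234567 9876 ? Sl 10:01 0:00 /usr/bin/mscore4 --flag
my_userid 743 0,0 0,2 35163600 81796 ?? S 3:46pm 0:00.61 /Applications/Muse Hub.app/Contents/MacOS/Muse Hub launchedAtLogin'

# Demo run over the constructed sample; on a live system replace this with
# `ps aux | check_service_user 'Muse'`.
printf '%s\n' "$SAMPLE_PS" | check_service_user 'Muse'
```

On the constructed sample this prints one ROOT line for the Linux service and one user line for the macOS process, which is exactly the split the two posts above describe: the Mac helper runs as the login user, the Linux service as root.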

In reply to by sills

I'm pretty shocked to discover this running, definitely as root, on my Ubuntu 20.04 system. Huge security hole and I had no idea it was there. Typing the following on a terminal stops it:

david@dm:~$ sudo systemctl stop muse-hub.service
david@dm:~$ sudo systemctl mask muse-hub.service
Created symlink /etc/systemd/system/muse-hub.service → /dev/null.
david@dm:~$ sudo systemctl start muse-hub.service
Failed to start muse-hub.service: Unit muse-hub.service is masked.

Note you can unmask the service to bring it back to life. Masking prevents it from restarting at boot time.
Perhaps the developers can consider security a bit closer. Musescore is great, but this makes it dangerous.

In reply to by davidjmcq

As mentioned numerous times, issues with Muse Hub are discussed on their support site at musehub.zendesk.com. Muse Hub is an installer and it installs files into folders like /usr/lib so obviously needs to have appropriate privileges - it shouldn't be a security problem at all. But out of an abundance of caution, alternative solutions are being investigated.

In reply to by Marc Sabatella

This is just a lie. The right way to do this is to at install time make a single folder in /usr/lib that doesn't require root privileges to add files and folders in and then run the background service without root permissions which will mean that it can only mess around with its own folder rather than being able to mess with arbitrary system files. Making a torrent client run as root in the background is a massive security hole you're opening in your system and the fact that no one at MuseHub has acknowledged that makes me incredibly skeptical that the team is competent.
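What the proposal in the reply above looks like in practice (a dedicated no-login account that owns one directory, and the service confined to that directory), as an added example that is not the project's own packaging: a systemd unit in the root-running shape beside a least-privilege one, plus a small check that flags a unit with no User= line. The unit name muse-hub.service is the one quoted earlier in the thread; the account name, the ExecStart path and the state directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the project's own packaging: the "run the updater as an
# unprivileged user" layout from the reply above, expressed as systemd units.
# Account name, ExecStart path and state directory are assumptions.

SERVICE_USER="muse-hub"        # hypothetical no-login system account
STATE_DIR="/usr/lib/muse-hub"  # hypothetical directory the service may write

# The weak shape: no User= line, so systemd starts ExecStart as root and the
# process may write anywhere on the filesystem.
unit_as_root() {
  cat <<'EOF'
[Unit]
Description=Muse Hub background service (example, runs as root)

[Service]
ExecStart=/usr/lib/muse-hub/Muse.Service
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# The hardened shape: a dedicated account plus sandboxing directives, so a
# bug or compromise in the service is confined to its own directory.
unit_least_privilege() {
  cat <<EOF
[Unit]
Description=Muse Hub background service (example, least privilege)

[Service]
User=$SERVICE_USER
Group=$SERVICE_USER
ExecStart=/usr/lib/muse-hub/Muse.Service
Restart=always
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=$STATE_DIR
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
EOF
}

# Review helper: given unit text on stdin, exit 0 if the unit would run as
# root (no User= line, or User=root) and 1 otherwise.
unit_runs_as_root() {
  user=$(sed -n 's/^User=//p')
  [ -z "$user" ] || [ "$user" = "root" ]
}

# Install-time setup from the reply above: a no-shell system user that owns
# only the directory the service needs. Must itself be run as root, once.
create_service_account() {
  useradd --system --no-create-home --shell /usr/sbin/nologin "$SERVICE_USER"
  install -d -o "$SERVICE_USER" -g "$SERVICE_USER" -m 0750 "$STATE_DIR"
}

# Demo: show which of the two shapes a reviewer would flag.
if unit_as_root | unit_runs_as_root; then echo "root unit: runs as root"; fi
if unit_least_privilege | unit_runs_as_root; then :; else echo "hardened unit: runs as $SERVICE_USER"; fi
```

With ProtectSystem=strict the whole filesystem except /dev, /proc and /sys is read-only for the service, and ReadWritePaths= re-opens only the one directory, so the updater can add files in its own folder and nowhere else, which is the behaviour the reply asks for. After installing such a unit, `systemctl show -p User muse-hub.service` confirms which account it will run under.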
