#39 malware found

v1.0 (example)
closed-invalid
Cosmin Truta
None
1
2013-12-28
2013-06-07
Jacob
No

See the attached screenshot.
Quite shocking to find a password stealer when installing yeoman.

1 Attachments

Discussion

  • Ian
    2013-10-28

    This looks like a simple false positive from Windows Defender. Coincidentally, part of the optipng compiled binary happens to have the same bytes as a piece of virus that Windows Defender has on file. Double check that you have the correct download from the correct location, and check the key so you know you have an intact download, but otherwise nothing to worry about. Just one more reason not to use Windows ;)

  • Cosmin Truta
    2013-11-04

    The archive optipng-0.7.4-win32.zip and the executable optipng.exe (version 0.7.4) have the following checksums:

    $ md5sum optipng-0.7.4-win32.zip optipng.exe
    adc47c6ccda9cdabfc269f27cfa6b7d2 optipng-0.7.4-win32.zip
    293e26924a274c6185a06226619d8e02 optipng.exe

    $ sha1sum optipng-0.7.4-win32.zip optipng.exe
    1e176b0320c7a4ac67fa5103f8ad62e438ad05e8 optipng-0.7.4-win32.zip
    6e993ae03b1dd44e4aa22a9feab836e91e611e3c optipng.exe

    If either the MD5 or the SHA1 is a mismatch, then the files on your system are infected from elsewhere. But if the checksums match, then, indeed (as Ian mentioned), it's a false positive, and that's possibly because of the UPX compression of the executable. Other false positives have also been reported in the past, due to UPX compression.

  • Cosmin Truta
    2013-11-04

    • status: open --> pending
  • I am working for an AV company and a cursory check of the binary at https://github.com/yeoman/node-optipng-bin/blob/master/vendor/win/optipng.exe (the only revision according to the history) does not indicate that this is malware. Yes, I used IDA, a disassembler, to actually look over a few potential indicators.

    Also, the file hash of the (UPX'd) binary matches the one from the project download area.

    # The one from the download area
    $ sha1sum optipng.exe
    6e993ae03b1dd44e4aa22a9feab836e91e611e3c *optipng.exe

    # The one from Github (above link)
    $ sha1sum optipng.ex_
    6e993ae03b1dd44e4aa22a9feab836e91e611e3c *optipng.ex_

    The download I used for verification:

    $ sha1sum optipng-0.7.4-win32.zip
    1e176b0320c7a4ac67fa5103f8ad62e438ad05e8 *optipng-0.7.4-win32.zip

    I would presume that this therefore was a false positive and likely has been fixed by Microsoft. If it hasn't, report it. Also @Cosmin, Microsoft is quite conservative with detections, so I wouldn't assume they detect it because you used UPX ;)

    // Oliver
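    The verification Cosmin and Oliver describe above, as an added Python example that is not part of this ticket or of the OptiPNG project: it compares a file's md5/sha1 against the checksums posted in the thread, and reads the PE section table to report whether the binary is UPX-packed (the packer both commenters mention as a possible false-positive trigger). The `build_sample_pe` helper and its inputs are constructed for demonstration; the published digests are the ones quoted above.

```python
import hashlib
import struct

# Published checksums quoted in the ticket for the OptiPNG 0.7.4 win32 build.
PUBLISHED = {
    "optipng.exe": {"md5": "293e26924a274c6185a06226619d8e02",
                    "sha1": "6e993ae03b1dd44e4aa22a9feab836e91e611e3c"},
    "optipng-0.7.4-win32.zip": {"md5": "adc47c6ccda9cdabfc269f27cfa6b7d2",
                                "sha1": "1e176b0320c7a4ac67fa5103f8ad62e438ad05e8"},
}

def digests(data: bytes) -> dict:
    """Compute the same two digests the ticket compares (md5sum / sha1sum)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def verify_checksums(data: bytes, expected: dict) -> dict:
    """Map each published digest to True (match) or False (mismatch)."""
    actual = digests(data)
    return {algo: actual[algo] == digest.lower() for algo, digest in expected.items()}

def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names (UPX renames them to UPX0/UPX1)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size   # 4-byte signature + 20-byte COFF header + optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]       # each section header is 40 bytes
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def is_upx_packed(data: bytes) -> bool:
    return any(name.startswith("UPX") for name in pe_section_names(data))

def triage(data: bytes, expected: dict) -> str:
    """Defender's summary: the publisher's hashes decide; packing only explains a detection."""
    if not all(verify_checksums(data, expected).values()):
        return "checksum mismatch: differs from the published build, treat as untrusted"
    note = " (UPX-packed: a known false-positive trigger)" if is_upx_packed(data) else ""
    return "checksums match the published build" + note

def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE skeleton (not a real OptiPNG binary), zero-length optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs
```

Run `triage(open("optipng.exe", "rb").read(), PUBLISHED["optipng.exe"])` on a real download to reproduce the check the thread performs.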

  • Cosmin Truta
    2013-12-28

    Thanks, Oliver, for your analysis. Although I wouldn't flatly assume that UPX => false AV positive, I did think that UPX messes up some information and might confuse AV software. This is based on what I had randomly read on random forums, not on actual knowledge.

    I am glad this is finally sorted out, thank you very much for that. I am closing the defect as "invalid".

  • Cosmin Truta
    2013-12-28

    • status: pending --> closed-invalid
    • assigned_to: Cosmin Truta