#39 malware found

v1.0 (example)
closed-invalid
None
1
2013-12-28
2013-06-07
Jacob
No

See the attached screenshot.
Quite shocking to find a password stealer when installing yeoman.

1 Attachments

Discussion

  • Ian

    Ian - 2013-10-28

    This looks like a simple false positive from Windows Defender. Coincidentally, part of the optipng compiled binary happens to have the same bytes as a piece of virus that Windows Defender has on file. Double check that you have the correct download from the correct location, and check the key so you know you have an intact download, but otherwise nothing to worry about. Just one more reason not to use Windows ;)

     
  • Cosmin Truta

    Cosmin Truta - 2013-11-04

    The archive optipng-0.7.4-win32.zip and the executable optipng.exe (version 0.7.4) have the following checksums:

    $ md5sum optipng-0.7.4-win32.zip optipng.exe
    adc47c6ccda9cdabfc269f27cfa6b7d2  optipng-0.7.4-win32.zip
    293e26924a274c6185a06226619d8e02  optipng.exe

    $ sha1sum optipng-0.7.4-win32.zip optipng.exe
    1e176b0320c7a4ac67fa5103f8ad62e438ad05e8  optipng-0.7.4-win32.zip
    6e993ae03b1dd44e4aa22a9feab836e91e611e3c  optipng.exe

    If either the MD5 or the SHA1 is a mismatch, then the files on your system are infected from elsewhere. But if the checksums are matching, then, indeed (as Ian mentioned), it's a false positive, and that's possibly because of the UPX compression of the executable. Other false positives have also been reported in the past, due to UPX compression.

     
  • Cosmin Truta

    Cosmin Truta - 2013-11-04
    • status: open --> pending
     
  • Oliver Schneider

    I am working for an AV company and a cursory check of the binary at https://github.com/yeoman/node-optipng-bin/blob/master/vendor/win/optipng.exe (the only revision according to the history) does not indicate that this is malware. Yes, I used IDA, a disassembler, to actually look over a few potential indicators.

    Also, the file hash of the (UPX'd) binary matches the one from the project download area.

    # The one from the download area
    $ sha1sum optipng.exe
    6e993ae03b1dd44e4aa22a9feab836e91e611e3c *optipng.exe

    # The one from Github (above link)
    $ sha1sum optipng.ex_
    6e993ae03b1dd44e4aa22a9feab836e91e611e3c *optipng.ex_

    The download I used for verification:

    $ sha1sum optipng-0.7.4-win32.zip
    1e176b0320c7a4ac67fa5103f8ad62e438ad05e8 *optipng-0.7.4-win32.zip

    I would presume that this therefore was a false positive and likely has been fixed by Microsoft. If it hasn't, report it. Also @Cosmin, Microsoft is quite conservative with detections, so I wouldn't assume they detect it because you used UPX ;)

    // Oliver

     
  • Cosmin Truta

    Cosmin Truta - 2013-12-28

    Thanks, Oliver, for your analysis. Although I wouldn't flatly assume that UPX => false AV positive, I did, however, think that UPX messes up some information and might confuse AV software. This is based on what I had randomly read on random forums, not on actual knowledge.

    I am glad this is finally sorted out, thank you very much for that. I am closing the defect as "invalid".

     
  • Cosmin Truta

    Cosmin Truta - 2013-12-28
    • status: pending --> closed-invalid
    • assigned_to: Cosmin Truta
     
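
The checksum comparison that Cosmin Truta and Oliver Schneider carry out by hand above, written up as a small POSIX shell script. This is an added example for this page, not OptiPNG project code or anything posted by the participants. The expected MD5/SHA-1 values are the ones Cosmin posted for optipng-0.7.4-win32.zip and optipng.exe (0.7.4); the scratch file the demo hashes is constructed so the script runs offline, and `is_upx_packed` is a heuristic of my own that looks for the UPX0/UPX1 section names and the "UPX!" marker that UPX leaves in a packed executable. It needs coreutils `md5sum`/`sha1sum` (on macOS substitute `md5` and `shasum`).

```shell
#!/bin/sh
# Added example, not OptiPNG project code: verify a download against the
# digests a maintainer published before deciding an AV hit is a false positive.

# Digests Cosmin Truta posted for optipng 0.7.4 (Windows build).
OPTIPNG_ZIP_MD5=adc47c6ccda9cdabfc269f27cfa6b7d2
OPTIPNG_ZIP_SHA1=1e176b0320c7a4ac67fa5103f8ad62e438ad05e8
OPTIPNG_EXE_MD5=293e26924a274c6185a06226619d8e02
OPTIPNG_EXE_SHA1=6e993ae03b1dd44e4aa22a9feab836e91e611e3c

# hash_of ALGO FILE -> prints only the hex digest (coreutils md5sum/sha1sum)
hash_of() {
  case "$1" in
    md5)  md5sum "$2" | cut -d' ' -f1 ;;
    sha1) sha1sum "$2" | cut -d' ' -f1 ;;
    *)    echo "unknown algorithm: $1" >&2; return 2 ;;
  esac
}

# verify_file FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only if BOTH digests match; reports which one failed otherwise.
# A file matching one digest but not the other is still not the published file.
verify_file() {
  file=$1; want_md5=$2; want_sha1=$3
  [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
  got_md5=$(hash_of md5 "$file")
  got_sha1=$(hash_of sha1 "$file")
  status=0
  if [ "$got_md5" != "$want_md5" ]; then
    echo "$file: MD5 mismatch (got $got_md5, expected $want_md5)" >&2; status=1
  fi
  if [ "$got_sha1" != "$want_sha1" ]; then
    echo "$file: SHA-1 mismatch (got $got_sha1, expected $want_sha1)" >&2; status=1
  fi
  return $status
}

# is_upx_packed FILE -> 0 if the file carries UPX markers (UPX0/UPX1 section
# names or the "UPX!" signature). Heuristic only: it tells you an AV engine saw
# a packer stub, which is context for the false-positive call, not proof either
# way. Unpack a copy with `upx -d` before looking at the real code.
is_upx_packed() {
  grep -a -q 'UPX[01!]' "$1"
}

# Constructed demo (not the real download): a scratch file whose digests are
# known, checked once against the right values and once against optipng.exe's.
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  verify_file "$tmp" b1946ac92492d2347c6235b4d2611184 \
      f572d396fae9206628714fb2ce00f72e94f2258f && echo "constructed file: digests OK"
  verify_file "$tmp" "$OPTIPNG_EXE_MD5" "$OPTIPNG_EXE_SHA1" \
      || echo "constructed file is not optipng.exe, as expected"
  rm -f "$tmp"
}
demo

# Real use, with the archive and extracted binary in the current directory:
#   verify_file optipng-0.7.4-win32.zip "$OPTIPNG_ZIP_MD5" "$OPTIPNG_ZIP_SHA1"
#   verify_file optipng.exe "$OPTIPNG_EXE_MD5" "$OPTIPNG_EXE_SHA1" && is_upx_packed optipng.exe
```

Two caveats a practitioner would add: a digest match only proves you have the file the maintainer hashed, not that the maintainer's build was clean, so this settles "infected on my machine" (Cosmin's question) and nothing more; and MD5 and SHA-1 are both collision-broken, so where a project publishes a signature (the "check the key" Ian mentions) or a SHA-256, verify that instead of, not in addition to, these.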
