Windows Defender detects Trojan:Win32/Wacatac.B!ml #33

Closed
jkoenig134 opened this issue Apr 30, 2020 · 25 comments
Comments

@jkoenig134

The old trojan from #32 is gone. There's now a new virus alert.

VirusTotal detects these:
https://www.virustotal.com/gui/file/865ac2546cd8019ed2774e3783dcc311d35ebf962f39fd085630186e7ffa008f/detection

Windows Defender this one:

@nicely

nicely commented May 1, 2020

YES! I also updated the old topic #32, by the way. I just tried electron-packager as an alternative and it does not have this kind of issue, but we want to use electron-builder instead since it's more advanced and promising; with these Trojan alerts, though, it's impossible to distribute our app... @develar before you close the topic, please do not forget to test! It takes only 10 seconds to scan files on VirusTotal, not hard to do...

Updated to attach some screenshots... This time there are 3 files in app-builder-bin/win/ia32:


And all of them are flagged as TROJAN...


...

@jkoenig134
Author

@nicely The issue was closed. I opened a new one to bring it back to mind.

@Mike-Dax

Mike-Dax commented May 4, 2020

To confirm, this happens with [email protected] virus on Windows 10.0.18362.

@jrcharney

Woke up this morning with a similar issue, only mine is a "Trojan:Win32/Fuery.C!cl".

I miss the old days when, on Google, putting things into quotes meant you were grouping words together to define phrases, and putting a plus at the beginning of a word/phrase that search results must contain made finding things easy. So far there isn't any trustworthy source to tell me if this is a false positive or not. Not even a StackOverflow question with a similar problem.

@jkoenig134
Author

@jrcharney Is it only the app-builder copy.exe for you or also the original file?

@jrcharney

jrcharney commented May 5, 2020

@jkoenig134 honestly, I don't have a definitive answer. I looked in the folder, and this is all I see.
I changed the view to see if there were any hidden items and the same three files are shown.

@jkoenig134
Author

The copy file has been deleted by Windows Defender. What happens if you right-click app-builder.exe and press "Scan with Windows Defender"?

@jrcharney

Scan reports nothing on app-builder.exe

However, app-builder.exe.zip is a different story.

@jkoenig134
Author

The ZIP includes the copy file.

@jrcharney

Should it have it?

@jkoenig134
Author

@develar Could you please provide a new version without the app-builder copy.exe and the app-builder.exe.zip files?

@jrcharney

More viruses detected.
Trojan:Win32/Wacatac.C!ml this time.

I refuse to develop an app that includes Malware in it!

Ditch the Zip! 😠

I am quarantining these files!

@jkoenig134
Author

jkoenig134 commented May 10, 2020

@jrcharney if you are using this as part of a Cordova Electron app, you could use the Electron nightly version and move the cordova-electron dependency to the devDependencies.
That does two things for you:

  • lowers the app size.
  • doesn't package the malicious app into the built app.

That is our current workaround.

@jrcharney

I am not familiar with Cordova Electron.
I wasn't using a nightly build. I was using the stable version. This is pretty much the same version of the software I reported a few days ago, and I didn't get a response as to whether or not the ZIP file should be part of app-builder.

@jkoenig134
Author

@jrcharney Calm down. I just suggested a workaround that doesn't affect the integrity of your application. The "stable" version of Cordova seems not to be able to provide a working cordova-electron build.

@jrcharney

"Calm down"? For what?

I believe I stated I have no knowledge of Cordova, nor is it part of my Electron app.

What I have done is I have scanned both the app-builder.exe and the app-builder.exe.zip.

app-builder.exe is clean, but app-builder.exe.zip is in quarantine, for obvious reasons.

This issue only affects the Windows 32-bit version of app-builder, which is part of the app-builder-bin package, like it or not. (I'm using Windows 10 on a 64-bit system, and the zip file does not exist in the win/x64 folder, only in the win/ia32 folder.)

Now, if there is a particular reason why an ominous zip file is in a package that doesn't appear to be in a visible repository, I would certainly like to know. Was there a pull request that was somehow integrated into the package without thorough inspection? That seems like a real possibility, and I'm certain the NPM and GitHub folks should know about this unwanted software injection that contains a Trojan.

Is it so hard for @develar to remove that file from that specific directory, or not?

@fedot

fedot commented May 13, 2020

@develar https://groups.google.com/forum/#!topic/golang-nuts/Au1FbtTZzbk says it's about the ldflags.

It is not related to the flags. While the flags may affect some of the false-positive detections, the case here is completely different: it looks like the binaries are something different from what can be built from the repo...

@jkoenig134
Author

jkoenig134 commented May 14, 2020

@develar when will you publish 3.5.9?

Edit: 3.5.9 is available and I can confirm that the problem is solved.

@fedot

fedot commented May 14, 2020

How is it solved? The newly published binary still has 4 engine warnings on VirusTotal even though ldflags weren't used. If I build the binary the same way I'm getting 1 detection, which is worrying...

@jkoenig134
Author

@fedot Windows Defender is silent. That's enough for my needs.

@fedot

fedot commented May 14, 2020

👍
FYI, the recent Defender definitions update also clears the detection from the previous release.

A few notes:

  • I do not see any difference in the amount of false positives with or without ldflags="-s -w"
  • Building on a Windows machine results in fewer false positives than building it in a container or on a Linux machine

@develar
Owner

develar commented May 15, 2020

How is it solved?

Each user now pays for it — size of 386 binary increased by 6MB. Compiler flag to remove unused symbols was unset for 386 due to MS Defender bug.
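The thread turns on whether the shipped ia32 binary was linked with the symbol-stripping flags (`-s -w`) that fedot and develar discuss, and on the VirusTotal hash of the file. The following is an added example, not code from the electron-builder project: it parses the PE section table of a Go-built Windows binary to report the target machine, whether Go's `.symtab` section is present (Go's PE linker omits it when `-s` is passed), and the SHA-256 to look up on VirusTotal. The `build_fake_pe` helper constructs a minimal PE skeleton as offline sample input; `app-builder.exe` paths are an assumption.

```python
import hashlib
import struct

MACHINES = {0x14C: "i386", 0x8664: "x64"}  # COFF Machine values for ia32 / x64


def pe_sections(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if it is not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # section table start
    names = []
    for i in range(nsections):                                # 40-byte section headers
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def inspect_go_pe(data: bytes) -> dict:
    """Summarise what a defender wants to know before trusting a shipped build."""
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4
    machine = struct.unpack_from("<H", data, coff)[0]
    names = pe_sections(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),           # paste into VirusTotal
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": names,
        "symtab_stripped": ".symtab" not in names,            # True => linked with -s
    }


def build_fake_pe(section_names, machine=0x14C) -> bytes:
    """Constructed minimal PE skeleton for offline demonstration (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections


if __name__ == "__main__":
    # Real use: inspect_go_pe(open("app-builder-bin/win/ia32/app-builder.exe", "rb").read())
    print(inspect_go_pe(build_fake_pe([".text", ".rdata", ".data", ".symtab"])))
    print(inspect_go_pe(build_fake_pe([".text", ".rdata", ".data"])))
```

Comparing the reported hash with the one in the VirusTotal link at the top of the thread, and the `symtab_stripped` flag with the maintainer's statement about the 386 build, tells you whether the file on disk is the build being discussed.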

@develar
Owner

develar commented May 15, 2020

@fedot Maybe you are right and I should build the binary on a Windows machine. Will check next time.
