malware detected in Tor browser

[ghost]

i've scanned Tor browser on pi-apps with ClamTk and found that snowflake and obs4 contain Unix.Malware.kaiji-1000 chinese malware. I wonder if anyone else has identified this.

[github-actions]

Hello there 👋
Thanks for submitting your first issue to the Pi-Apps project! We'll try to get back to you as soon as possible.
In the meantime, we encourage you join our Discord server, where you can ask any questions you might have.

Please respond as soon as possible if a Pi-Apps maintainer requests more information from you. Stale issues will be closed after a lengthy period of time with no response.

[Botspot]

Can confirm.

pi@raspberrypi:~ $ clamscan /home/pi/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client
/home/pi/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client: Unix.Malware.Kaiji-10003916-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8668536
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 10.97 MB
Data read: 10.31 MB (ratio 1.06:1)
Time: 63.508 sec (1 m 3 s)
Start Date: 2023:06:07 18:56:37
End Date:   2023:06:07 18:57:40
pi@raspberrypi:~ $ clamscan /home/pi/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy
/home/pi/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy: Unix.Malware.Kaiji-10003916-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8668536
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 6.52 MB
Data read: 6.12 MB (ratio 1.06:1)
Time: 62.836 sec (1 m 2 s)
Start Date: 2023:06:07 18:58:51
End Date:   2023:06:07 18:59:54

Pi-Apps downloads tor-browser from sourceforge: https://sourceforge.net/projects/tor-browser-ports
These findings are concerning and I will try to scan some older versions to see if this has been added recently or if it was absent at some time in the past.

[Botspot]

At this time, I would like to avoid blaming the user on sourceforge for deliberately embedding malware in tor. The user seems legitimate and provides build instructions. It is possible that person's build server was compromised with Kaiji, or maybe clamscan has a false positive.

[Botspot]

I downloaded four different versions from the sourceforge.

Malware was found in:

• 11.5
• 11.0

Not found in:

• 10.5
• 10.5.10

It seems to be a false positive. As I was browsing stack overflow I spotted this: https://serverfault.com/questions/1132808/clamav-detected-kaiji-malware-on-ubuntu-instance

[Rak1ta]

And what does VirusTotal write to you about infected files?

[ghost]

looks like a false positive. ClamAV is the only one on virustotal to flag snowflake. Its not saying OBS4 is infected today.It did yesterday. I'll get a better AV. Sent from Proton Mail mobile

…

-------- Original Message --------

On 8 Jun 2023, 05:42, Rak1ta wrote: And what does VirusTotal write to you about infected files? — Reply to this email directly, [view it on GitHub](#2354 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/BANARIMKE64KQKXEBZHMHR3XKFJ2NANCNFSM6AAAAAAY6RFRK4). You are receiving this because you authored the thread.Message ID: ***@***.***>

[theofficialgman]

did this user create a github account just to make this issue and then delete it or did they get banned by github?

[Botspot]

did this user create a github account just to make this issue and then delete it or did they get banned by github?

Privacy-minded individuals commonly create a separate email account per app they use, closing any accounts they no longer use. This practice, when done right with Tor and adblocking, makes it virtually impossible for governmental cross-tracking, profiling, and identification.

I'm not too surprised this user deleted their account. Closing the issue.