
Trojan ALERT for JRuby 9.2.4.0 from repo1.maven.org #5478

Closed
dosimeta opened this Issue Nov 28, 2018 · 8 comments

dosimeta commented Nov 28, 2018

Environment

  • JRuby version: 9.2.4.0
  • Operating system: macOS 10.14.1
  • AntiVirus: BitDefender 7.2.1.6
  • ruby installer: rvm 1.29.4

Expected Behavior

  • Installing a JRuby release must not raise warnings/alerts in security related monitoring
  • the command to install ruby in a terminal: rvm install jruby-9.2.4.0
  • setup of jruby environment successful and operational

Actual Behavior

  • BitDefender antivirus reported a Trojan.GenericKD.40744760 in jrubyw.exe and removed it from my filesystem.
  • As the file is a Windows wrapper executable to host a JVM, it is of no use on macOS and no harm is done to my system.

Remarks

Although I am not affected during development, I will be unable to deploy this into a production environment at my clients. Any security-related incident will make the affected version undeployable.

dosimeta commented Nov 28, 2018

When scanning previous revisions of the file jrubyw.exe, the antivirus alerts since commit d96be72ffa. It is interesting that it does not alert when scanning jruby.exe.

ahorek commented Nov 28, 2018

I hope it's a false positive, but previous versions of jrubyw.exe were clean.

Some details:
https://www.virustotal.com/#/file/5a1b841f368f503b8f1e8752d66a20baab284e5b9b2fa3b8715204105ab09136/detection

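A local check for the flagged binary, added here as an example and not code from the JRuby project: it hashes every file under a directory with SHA-256 and reports any file whose digest matches the VirusTotal sample hash from the link above, so an installed JRuby can be checked without relying on whichever AV engine happens to be present. The rvm install path in the usage line is an assumption.

```ruby
# Added example (not JRuby project code): SHA-256 every file under a
# directory and report matches against known flagged sample hashes.
require "digest"
require "find"

# SHA-256 reported on VirusTotal for the 9.2.4.0 jrubyw.exe (from this issue).
FLAGGED_SHA256 = {
  "5a1b841f368f503b8f1e8752d66a20baab284e5b9b2fa3b8715204105ab09136" =>
    "jrubyw.exe (JRuby 9.2.4.0, issue #5478)",
}.freeze

# Streams the file through the digest, so large JARs are not read into memory at once.
def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# Returns an array of [path, digest, label] for every regular file under
# `dir` whose SHA-256 appears in `flagged`; an empty array means no hits.
def find_flagged(dir, flagged = FLAGGED_SHA256)
  raise ArgumentError, "not a directory: #{dir}" unless File.directory?(dir)
  hits = []
  Find.find(dir) do |path|
    next unless File.file?(path)
    digest = sha256_of(path)
    hits << [path, digest, flagged[digest]] if flagged.key?(digest)
  end
  hits
end

# Usage (assumed rvm layout): ruby check_jruby.rb ~/.rvm/rubies/jruby-9.2.4.0/bin
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  dir = File.expand_path(ARGV[0])
  hits = find_flagged(dir)
  if hits.empty?
    puts "no flagged binaries under #{dir}"
  else
    hits.each { |path, digest, label| puts "FLAGGED #{path} sha256=#{digest} (#{label})" }
    exit 1
  end
end
```

A non-zero exit on a hit lets the check gate a deployment pipeline, which is the scenario the issue author describes.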

headius commented Nov 28, 2018

Looking into it. These binaries were built on a Windows 10 VM of mine that had nothing else installed except Chrome, Git, Java, and the Mingw toolchain. I would have expected both exes to get infected if this is real.

headius commented Nov 28, 2018

I am running a full system scan on my VM to see if some malware snuck in there. In the short term you can just delete jrubyw.exe. I'm not sure anyone uses it.

headius commented Nov 28, 2018

The investigation of my VM will take some time so I think we're going to err on the side of caution and have @enebo build new binaries and push a security release 9.2.4.1. Should be within 24h.

headius commented Nov 28, 2018

Yeah, I'm stumped. It seems like a false positive, but there are too many failures on virustotal for me to be really comfortable. Here are my results... the only thing "infected" is the jrubyw.exe I built myself.


enebo commented Nov 28, 2018

Something fishy must have happened (although it could still easily be a false positive), since when I build a point release of the launcher on my Windows machine it does not generate these hits. The other thing I wonder about is why so many other AVs do not detect this? My machine did not detect it when I did testing. I have now switched to Bitdefender, which is one of the ones that tested positive.

9.2.4.1 will be coming out soon. As @headius said, we decided it is a little scary to assume it is a false positive at this point.

@enebo enebo added this to the JRuby 9.2.4.1 milestone Nov 28, 2018

enebo commented Nov 28, 2018

Updated binaries.

@enebo enebo closed this Nov 28, 2018
