1.1.1 RC1 identified as malware on some systems #2405

Closed
dmoagx opened this Issue Feb 12, 2016 · 11 comments

@dmoagx
Collaborator
dmoagx commented Feb 12, 2016

Some Twitter users report that 1.1.1 RC1 is identified as the malware OSX.Genieo.D by OS X:

@dmoagx
Collaborator
dmoagx commented Feb 12, 2016

The MD5 of the DMG file is e8f1dc43395df70e12d4b192cc518777, and it was checked by users.

Virustotal shows 0 matches for the DMG and the binaries inside: https://www.virustotal.com/en/file/4b8fef6ce5dfb0bfc29c8fde0ddc32e2f42d79c919f44f66bd31fc217dfdb0c3/analysis/

Also, according to reports on Genieo.D, it is standalone malware and should not be embedded in another application.
So this is most likely a false positive.

@dioobr
dioobr commented Feb 12, 2016

Try compiling a previous version to verify whether it produces the same result. If so, something is probably wrong with your system.

@dmoagx
Collaborator
dmoagx commented Feb 12, 2016

OK, I just installed a new Mac OS X 10.11.4 Beta and Sequel Pro works fine there.

Please open the file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist and check for this value:

    <key>Version</key>
    <real>2073</real>

What does it say for you?

Also try the steps explained here to force an update: https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/

@dmoagx
Collaborator
dmoagx commented Feb 13, 2016

Looking further, it seems XProtect tries to match these two patterns:

4989C40F57C00F298580FEFFFF0F298570FEFFFF0F298560FEFFFF0F298550FEFFFF41B8100000004C89E7488BB540FEFFFF488D9550FEFFFF48

and

F20F59C1F20F5CD0F20F1155B80F28C2F20F1055D8F20F105DC8F20F58DAF20F59D1F20F5CDAF20F115DB00F28CB31FFBE0500000031D2

The first one actually matches the Sequel Pro binary.

@dmoagx
Collaborator
dmoagx commented Feb 13, 2016

Looking with a disassembler, the pattern is in the 64-bit image, around here:

;================ B E G I N N I N G   O F   P R O C E D U R E ================
;                     -[SPUserManager tableViewSelectionDidChange:]:
;...
0000000100138f8a         mov        rdi, qword [ds:objc_cls_ref_NSPredicate]    ; argument "instance" for method _objc_msgSend
0000000100138f91         xor        eax, eax
0000000100138f93         mov        rsi, qword [ds:0x10022de10]                 ; @selector(predicateWithFormat:), argument "selector" for method _objc_msgSend
0000000100138f9a         lea        rdx, qword [ds:cfstring_displayName_like_cd____] ; @"displayName like[cd] %@"
0000000100138fa1         mov        rcx, r13
0000000100138fa4         call       rbx                                         ; _objc_msgSend
0000000100138fa6         mov        r12, rax
0000000100138fa9         mov        rdi, qword [ds:r14+r15]                     ; argument "instance" for method _objc_msgSend
0000000100138fad         mov        rsi, qword [ds:0x10022fb48]                 ; @selector(arrangedObjects), argument "selector" for method _objc_msgSend
0000000100138fb4         call       rbx                                         ; _objc_msgSend
0000000100138fb6         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend
0000000100138fb9         mov        rsi, qword [ds:0x10022de18]                 ; @selector(filteredArrayUsingPredicate:), argument "selector" for method _objc_msgSend
0000000100138fc0         mov        rdx, r12
0000000100138fc3         call       rbx                                         ; _objc_msgSend
;...
0000000100138fc5         mov        r12, rax ; <====================== {
0000000100138fc8         xorps      xmm0, xmm0
0000000100138fcb         movaps     xmmword [ss:rbp+var_180], xmm0
0000000100138fd2         movaps     xmmword [ss:rbp+var_190], xmm0
0000000100138fd9         movaps     xmmword [ss:rbp+var_1A0], xmm0
0000000100138fe0         movaps     xmmword [ss:rbp+var_1B0], xmm0
0000000100138fe7         mov        r8d, 0x10
0000000100138fed         mov        rdi, r12                                    ; argument "instance" for method _objc_msgSend
0000000100138ff0         mov        rsi, qword [ss:rbp+var_1C0]                 ; argument "selector" for method _objc_msgSend
0000000100138ff7         lea        rdx, qword [ss:rbp+var_1B0]
0000000100138ffe         lea        rcx, qword [ss:rbp+var_130] ; <====================== }
0000000100139005         call       rbx                                         ; _objc_msgSend
;...

which is this for loop:

NSPredicate *predicate = [NSPredicate predicateWithFormat:@"displayName like[cd] %@", displayName];
NSArray *previousObjects = [[availableController arrangedObjects] filteredArrayUsingPredicate:predicate];

for (NSDictionary *dict in previousObjects)
{
    [availableController removeObject:dict];
}
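
The two comments above (the two XProtect patterns, and the disassembly showing where pattern 1 lands in the Sequel Pro binary) can be checked with a small script. This is an added example for this issue, not Sequel Pro code and not Apple's XProtect implementation: it does a raw byte search for the two hex strings quoted in the thread, and it splits pattern 1 at the instruction boundaries taken from the disassembly of -[SPUserManager tableViewSelectionDidChange:] to show that the signature is just the compiler-emitted prologue of a for-in loop (zeroed fast-enumeration state, a 16-slot buffer in r8d, and rbp-relative offsets fixed by the compiler's frame layout). The sample image at the bottom is constructed so the script runs offline; XProtect's own matching logic is not reproduced.

```python
"""Search a binary for the XProtect OSX.Genieo.D byte patterns quoted in this issue.

Added example (not Sequel Pro or XProtect code). It reproduces only a raw byte
match of the two hex strings from the thread, which is enough to tell whether
a given Mach-O contains them.
"""
import sys

# The two patterns quoted from the OSX.Genieo.D entry (hex-encoded raw bytes).
GENIEO_D_PATTERNS = {
    "pattern_1": (
        "4989C40F57C00F298580FEFFFF0F298570FEFFFF0F298560FEFFFF0F298550FEFFFF"
        "41B8100000004C89E7488BB540FEFFFF488D9550FEFFFF48"
    ),
    "pattern_2": (
        "F20F59C1F20F5CD0F20F1155B80F28C2F20F1055D8F20F105DC8F20F58DAF20F59D1"
        "F20F5CDAF20F115DB00F28CB31FFBE0500000031D2"
    ),
}

# Pattern 1 split at instruction boundaries, following the disassembly of
# -[SPUserManager tableViewSelectionDidChange:] posted in the thread
# (0x100138fc5 .. 0x100138ffe). The rbp-relative displacements are the
# compiler's frame layout for the for-in loop's fast-enumeration state.
PATTERN_1_INSTRUCTIONS = [
    ("4989C4",         "mov    r12, rax"),
    ("0F57C0",         "xorps  xmm0, xmm0"),
    ("0F298580FEFFFF", "movaps [rbp-0x180], xmm0"),
    ("0F298570FEFFFF", "movaps [rbp-0x190], xmm0"),
    ("0F298560FEFFFF", "movaps [rbp-0x1a0], xmm0"),
    ("0F298550FEFFFF", "movaps [rbp-0x1b0], xmm0"),
    ("41B810000000",   "mov    r8d, 0x10"),
    ("4C89E7",         "mov    rdi, r12"),
    ("488BB540FEFFFF", "mov    rsi, [rbp-0x1c0]"),
    ("488D9550FEFFFF", "lea    rdx, [rbp-0x1b0]"),
    ("48",             "lea    rcx, [rbp-0x130]  (REX prefix only; signature ends here)"),
]


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data (overlaps included)."""
    offsets, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan(data: bytes) -> dict[str, list[int]]:
    """Search data for each pattern; a non-empty list means the bytes are present."""
    return {name: find_all(data, bytes.fromhex(hx)) for name, hx in GENIEO_D_PATTERNS.items()}


def scan_file(path: str) -> dict[str, list[int]]:
    """Scan a file on disk, e.g. the Mach-O inside an .app bundle."""
    with open(path, "rb") as f:
        return scan(f.read())


def pattern_1_from_instructions() -> str:
    """Reassemble pattern 1 from the instruction table; equals GENIEO_D_PATTERNS['pattern_1']."""
    return "".join(hx for hx, _ in PATTERN_1_INSTRUCTIONS)


# Constructed sample input (not a real Mach-O): NOP filler, pattern 1, INT3 filler.
SAMPLE_IMAGE = b"\x90" * 64 + bytes.fromhex(GENIEO_D_PATTERNS["pattern_1"]) + b"\xcc" * 32

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_IMAGE)
    for name, offsets in hits.items():
        status = ("HIT at " + ", ".join(hex(o) for o in offsets)) if offsets else "no match"
        print(f"{name}: {status}")
    if hits["pattern_1"]:
        print("pattern_1 decodes as:")
        for hx, asm in PATTERN_1_INSTRUCTIONS:
            print(f"  {hx:<16} {asm}")
```

Run it against the executable inside the bundle (`Sequel Pro.app/Contents/MacOS/Sequel Pro`); a raw search covers every slice of a fat binary without parsing the Mach-O headers, so the 64-bit image dmoagx looked at is included. Because the signature is ordinary compiler output rather than anything specific to Genieo, any Objective-C binary whose compiler happens to lay out a for-in loop's frame the same way can trigger it, which is why a rebuild with a different Xcode is a plausible way to stop matching.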

@dioobr
dioobr commented Feb 13, 2016

XProtect.meta.plist on Lion 10.7.5

<key>Version</key>
<real>2075</real>

@dmoagx
Collaborator
dmoagx commented Feb 13, 2016

OK, please try this build:
https://github.com/sequelpro/sequelpro/releases/download/1.1.1-rc1/sequel-pro-1.1.1.RC1a.dmg

It's the same source as the previous build, but this time built with Xcode 7.2.1 (instead of 6.2).

@dioobr
dioobr commented Feb 13, 2016

Performed normally. No malware warning.

@cochinet

Performed normally. No malware warning.

@jsoprano

Tested RC1a and it performed normally. No malware warning.

@jeffclay

I had the same issue on a brand new system just purchased. Using the RC1a version given by dmoagx resolved the problem for me as well.

@dmoagx dmoagx removed the WaitingOnUser label Feb 20, 2016
@dmoagx dmoagx added this to the 1.1.1 milestone Feb 20, 2016