1.1.1 RC1 identified as malware on some systems #2405

Closed
dmoagx opened this Issue Feb 12, 2016 · 11 comments

dmoagx commented Feb 12, 2016

Some Twitter users report that 1.1.1 RC1 is identified as malware OSX.Genieo.D by OS X:

[screenshot of the tweet]

dmoagx commented Feb 12, 2016

MD5 of the dmg file is e8f1dc43395df70e12d4b192cc518777 and was checked by users.

Virustotal shows 0 matches for the DMG and the binaries inside: https://www.virustotal.com/en/file/4b8fef6ce5dfb0bfc29c8fde0ddc32e2f42d79c919f44f66bd31fc217dfdb0c3/analysis/

Also according to reports of Genieo.D this is a standalone malware, and should not be embedded in another application.
So this is most likely a false positive.

dioobr commented Feb 12, 2016

Try compiling a previous version to verify that it generates the same occurrence. If yes, probably something is wrong in your system.

dmoagx commented Feb 12, 2016

OK, I just installed a new Mac OS X 10.11.4 Beta and Sequel Pro works fine there.

Please open the file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist and check for this value:

    <key>Version</key>
    <real>2073</real>

What does it say for you?

Also try the steps explained here to force an update: https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/

dmoagx commented Feb 13, 2016

Looking further, it seems Xprotect tries to match those two patterns:

4989C40F57C00F298580FEFFFF0F298570FEFFFF0F298560FEFFFF0F298550FEFFFF41B8100000004C89E7488BB540FEFFFF488D9550FEFFFF48

and

F20F59C1F20F5CD0F20F1155B80F28C2F20F1055D8F20F105DC8F20F58DAF20F59D1F20F5CDAF20F115DB00F28CB31FFBE0500000031D2

The first one actually matches with the Sequel Pro binary.

dmoagx commented Feb 13, 2016

Looking with a disassembler, the pattern is in the 64-bit image, around here:

    ;================ B E G I N N I N G   O F   P R O C E D U R E ================
    ;                     -[SPUserManager tableViewSelectionDidChange:]:
    ;...
    0000000100138f8a         mov        rdi, qword [ds:objc_cls_ref_NSPredicate]    ; argument "instance" for method _objc_msgSend
    0000000100138f91         xor        eax, eax
    0000000100138f93         mov        rsi, qword [ds:0x10022de10]                 ; @selector(predicateWithFormat:), argument "selector" for method _objc_msgSend
    0000000100138f9a         lea        rdx, qword [ds:cfstring_displayName_like_cd____] ; @"displayName like[cd] %@"
    0000000100138fa1         mov        rcx, r13
    0000000100138fa4         call       rbx                                         ; _objc_msgSend
    0000000100138fa6         mov        r12, rax
    0000000100138fa9         mov        rdi, qword [ds:r14+r15]                     ; argument "instance" for method _objc_msgSend
    0000000100138fad         mov        rsi, qword [ds:0x10022fb48]                 ; @selector(arrangedObjects), argument "selector" for method _objc_msgSend
    0000000100138fb4         call       rbx                                         ; _objc_msgSend
    0000000100138fb6         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend
    0000000100138fb9         mov        rsi, qword [ds:0x10022de18]                 ; @selector(filteredArrayUsingPredicate:), argument "selector" for method _objc_msgSend
    0000000100138fc0         mov        rdx, r12
    0000000100138fc3         call       rbx                                         ; _objc_msgSend
    ;...
    0000000100138fc5         mov        r12, rax ; <====================== {
    0000000100138fc8         xorps      xmm0, xmm0
    0000000100138fcb         movaps     xmmword [ss:rbp+var_180], xmm0
    0000000100138fd2         movaps     xmmword [ss:rbp+var_190], xmm0
    0000000100138fd9         movaps     xmmword [ss:rbp+var_1A0], xmm0
    0000000100138fe0         movaps     xmmword [ss:rbp+var_1B0], xmm0
    0000000100138fe7         mov        r8d, 0x10
    0000000100138fed         mov        rdi, r12                                    ; argument "instance" for method _objc_msgSend
    0000000100138ff0         mov        rsi, qword [ss:rbp+var_1C0]                 ; argument "selector" for method _objc_msgSend
    0000000100138ff7         lea        rdx, qword [ss:rbp+var_1B0]
    0000000100138ffe         lea        rcx, qword [ss:rbp+var_130] ; <====================== }
    0000000100139005         call       rbx                                         ; _objc_msgSend
    ;...

which is this for loop:

    NSPredicate *predicate = [NSPredicate predicateWithFormat:@"displayName like[cd] %@", displayName];
    NSArray *previousObjects = [[availableController arrangedObjects] filteredArrayUsingPredicate:predicate];

    for (NSDictionary *dict in previousObjects)
    {
        [availableController removeObject:dict];
    }
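
An added triage helper (my code, not from the Sequel Pro project or anyone in this thread) that reproduces the two checks made above: it reads the Version from an XProtect.meta.plist and searches a binary image for the signature bytes quoted in the thread, so a maintainer can confirm offline which code in a build trips the rule. The sample image and plist are constructed, and the script name xprotect_triage.py is assumed.

```python
import plistlib
import sys

# The XProtect signature quoted in the thread (the one that matches Sequel Pro).
# Its leading bytes decode to the fast-enumeration prologue in the disassembly
# above: 49 89 C4 = mov r12, rax; 0F 57 C0 = xorps xmm0, xmm0;
# 0F 29 85 xx FE FF FF = movaps [rbp-0x180..-0x1B0], xmm0 (four times);
# 41 B8 10 00 00 00 = mov r8d, 0x10; and so on. Any binary whose compiler
# emitted the same loop shape with the same frame layout will match it.
SIGNATURE_HEX = (
    "4989C40F57C00F298580FEFFFF0F298570FEFFFF0F298560FEFFFF0F298550FEFFFF"
    "41B8100000004C89E7488BB540FEFFFF488D9550FEFFFF48"
)


def find_signature(data: bytes, pattern_hex: str = SIGNATURE_HEX) -> list:
    """Return every byte offset at which the signature occurs in data."""
    needle = bytes.fromhex(pattern_hex)
    offsets, start = [], 0
    while (idx := data.find(needle, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets


def xprotect_version(plist_bytes: bytes) -> int:
    """Extract the Version value from XProtect.meta.plist content."""
    return int(plistlib.loads(plist_bytes)["Version"])


# Constructed sample image: NOPs, the 58-byte signature at offset 32, then RETs.
SAMPLE_IMAGE = b"\x90" * 32 + bytes.fromhex(SIGNATURE_HEX) + b"\xc3" * 16

# Constructed stand-in for XProtect.meta.plist with the version asked about above.
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Version</key>
    <real>2073</real>
</dict>
</plist>
"""


def triage(image: bytes, meta_plist: bytes) -> dict:
    """Report the installed XProtect data version and where the signature fires."""
    return {"xprotect_version": xprotect_version(meta_plist),
            "signature_offsets": find_signature(image)}


if __name__ == "__main__":
    # Usage: python xprotect_triage.py <binary> [XProtect.meta.plist]
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    meta = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else SAMPLE_META_PLIST
    print(triage(image, meta))
```

On a real Mach-O, pass the extracted executable (or the fat binary; the search is format-agnostic) and compare the reported offsets against the disassembler's file offsets to identify the function that matched.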
dioobr commented Feb 13, 2016

XProtect.meta.plist on Lion 10.7.5:

    <key>Version</key>
    <real>2075</real>

dmoagx commented Feb 13, 2016

OK, please try this build:
https://github.com/sequelpro/sequelpro/releases/download/1.1.1-rc1/sequel-pro-1.1.1.RC1a.dmg

It's the same source as the previous build, but this time built with Xcode 7.2.1 (instead of 6.2).

dioobr commented Feb 13, 2016

Performed normally. No malware warning.

cochinet commented Feb 13, 2016

Performed normally. No malware warning.


jsoprano commented Feb 13, 2016

Tested RC1a and it performed normally. No malware warning.


jeffclay commented Feb 14, 2016

I had the same issue on a brand new system just purchased. Using the RC1a version given by dmoagx resolved the problem for me as well.


@dmoagx dmoagx removed the WaitingOnUser label Feb 20, 2016

@dmoagx dmoagx added this to the 1.1.1 milestone Feb 20, 2016
