[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24065
Al Varnell
alvarnell at mac.com
Fri Nov 24 12:08:00 UTC 2017
> Begin forwarded message:
>
> From: noreply at sourcefire.com
> Subject: [clamav-virusdb] Signatures Published daily - 24065
> Date: November 22, 2017 at 5:10:11 PM PST
> To: clamav-virusdb at lists.clamav.net
>
> Dropped Detection Signatures:
>
> * Osx.Trojan.Proton-6352640-0
>
> * Osx.Trojan.Proton-6352641-0
>
> * Osx.Trojan.Proton-6352642-0
>
> * Osx.Trojan.Proton-6352643-0
I'm quite confused and concerned about why these are being dropped. All added in daily - 23973, 20 Oct.
> $ sigtool -fOsx.Trojan.Proton-6352640-0
> [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
> $ sigtool -fOsx.Trojan.Proton-6352641-0
> [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
> $ sigtool -fOsx.Trojan.Proton-6352642-0
> [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
> $ sigtool -fOsx.Trojan.Proton-6352643-0
> [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
Two of these are a perfect match for samples I personally have of the hijacked Elmedia Player that installed OSX.Proton.C as described in this Intego blog:
<https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/> and this Malwarebytes blog:
<https://blog.malwarebytes.com/cybercrime/2017/10/mac-malware-osx-proton-strikes-again/>, among others.
They are all broadly detected on VirusTotal by 30 or more scanners:
> <https://www.virustotal.com/en/file/2e6bb8fd7f983dd06fa0c5314a7b105354888f63c60a3205ade6d467cc620dc5/analysis/>
> <https://www.virustotal.com/en/file/2ec4b1705b690ab8c558e3e8ead8bbd34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
> <https://www.virustotal.com/en/file/553496aa878821295de7acdd20d6377d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
> <https://www.virustotal.com/en/file/4d33f4a3c1cbf9cded6a3a096025d0b44905e0308bd3662a496a0701f2ec942d/analysis/>
Can somebody explain why they are being dropped at this time?
-Al-
--
Al Varnell
Mountain View, CA
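For readers unfamiliar with the `.hsb` lines that sigtool printed above: each entry is `md5:filesize:name:minflevel`, so a hash signature fires only when both the MD5 and the exact size match (or the size field is `*`), and the engine skips entries whose minimum functionality level is above its own. The Python below is an added illustration, not ClamAV or sigtool code: it parses those four lines plus constructed entries for a constructed sample blob, scans a byte string against them, and computes the kind of "dropped signatures" list the daily announcement reports by diffing two database texts. The `OLD_DB`/`NEW_DB` contents (beyond the four quoted lines), the sample bytes and the `engine_flevel` value are assumptions.

```python
"""Toy reader for ClamAV hash signatures (.hsb) plus a 'dropped signatures'
diff. Constructed illustration only; not ClamAV's or sigtool's code."""
import hashlib

# Constructed sample file; its signature below is constructed to match it.
SAMPLE = b"constructed sample payload, not real malware\n" * 16
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()

# First four lines: the .hsb entries quoted in the post (md5:size:name:minflevel).
# Remaining lines: constructed entries, one with the '*' any-size field and a
# deliberately high min flevel so the flevel gate can be exercised.
OLD_DB = (
    "cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73\n"
    "5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73\n"
    "0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73\n"
    "ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73\n"
    f"{SAMPLE_MD5}:{len(SAMPLE)}:Test.Constructed.Sample-0:73\n"
    f"{SAMPLE_MD5}:*:Test.Constructed.AnySize-0:99\n"
)
# Assumed later database from which the four Proton entries have been dropped.
NEW_DB = "\n".join(OLD_DB.splitlines()[4:]) + "\n"


def parse_hsb(text):
    """Parse .hsb text into dicts. Size '*' becomes None; malformed lines raise.
    Fields beyond the fourth, if any, are ignored by this toy parser."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected md5:size:name[:flevel]")
        digest = parts[0].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: hash field is not an MD5 hex digest")
        size = None if parts[1] == "*" else int(parts[1])
        min_flevel = int(parts[3]) if len(parts) > 3 else 0
        sigs.append({"md5": digest, "size": size, "name": parts[2],
                     "min_flevel": min_flevel})
    return sigs


def build_index(sigs):
    """Key signatures by (md5, size) so a scan is a dict lookup, not a scan
    of the whole database; '*' entries are keyed with size None."""
    index = {}
    for sig in sigs:
        index.setdefault((sig["md5"], sig["size"]), []).append(sig)
    return index


def scan_bytes(data, sigs, engine_flevel=100):
    """Return sorted names of signatures matching data: exact-size entries and
    any-size entries, skipping those whose min flevel exceeds the engine's."""
    digest = hashlib.md5(data).hexdigest()
    index = build_index(sigs)
    candidates = index.get((digest, len(data)), []) + index.get((digest, None), [])
    return sorted(s["name"] for s in candidates if s["min_flevel"] <= engine_flevel)


def dropped_signatures(old_text, new_text):
    """Names present in the old database but absent from the new one, which is
    what a 'Dropped Detection Signatures' list in the daily announcement means."""
    old = {s["name"] for s in parse_hsb(old_text)}
    new = {s["name"] for s in parse_hsb(new_text)}
    return sorted(old - new)


if __name__ == "__main__":
    sigs = parse_hsb(OLD_DB)
    print("hits at flevel 100:", scan_bytes(SAMPLE, sigs, engine_flevel=100))
    print("hits at flevel 80: ", scan_bytes(SAMPLE, sigs, engine_flevel=80))
    print("dropped:", dropped_signatures(OLD_DB, NEW_DB))
```

Against a real installation you would run `sigtool --find-sigs` (the `-f` used in the post) on the installed `daily.cvd`/`daily.cld`, since this script only reads already-unpacked `.hsb` text; the point it makes is that a hash signature is an exact MD5-and-size pair, so once such an entry is dropped the file it named is no longer detected by that route at all.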