[clamav-users] [clamav-virusdb] Signatures Published daily - 24065
Al Varnell
alvarnell at mac.com
Sat Nov 25 00:47:56 UTC 2017
That helps to explain the False Positives seen this week for that signature which caused the ClamXAV developer to immediately ignore that signature before distributing it.
Although the new signature may well be related to a file created by this infector, it appears to be a separate file from the four identified by the hash signatures.
-Al-
On Fri, Nov 24, 2017 at 07:33 AM, Alain Zidouemba wrote:
> They were replaced with:
>
> Osx.Malware.Proton-6377366-1
>
> - Alain
>
>
> On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell <alvarnell at mac.com> wrote:
>
>>> Begin forwarded message:
>>>
>>> From: noreply at sourcefire.com
>>> Subject: [clamav-virusdb] Signatures Published daily - 24065
>>> Date: November 22, 2017 at 5:10:11 PM PST
>>> To: clamav-virusdb at lists.clamav.net
>>>
>>> Dropped Detection Signatures:
>>>
>>> * Osx.Trojan.Proton-6352640-0
>>>
>>> * Osx.Trojan.Proton-6352641-0
>>>
>>> * Osx.Trojan.Proton-6352642-0
>>>
>>> * Osx.Trojan.Proton-6352643-0
>>
>> I'm quite confused and concerned about why these are being dropped. All
>> added in daily - 23973, 20 Oct.
>>
>>> $ sigtool -fOsx.Trojan.Proton-6352640-0
>>> [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352641-0
>>> [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352642-0
>>> [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352643-0
>>> [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
>>
>> Two of these are a perfect match for samples I personally have of the
>> hijacked Elmedia Player that installed OSX.Proton.C as described in this
>> Intego blog:
>> <https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/>
>> and this Malwarebytes blog:
>> <https://blog.malwarebytes.com/cybercrime/2017/10/mac-malware-osx-proton-strikes-again/>,
>> among others.
>>
>> They are all broadly detected on VirusTotal by 30 or more scanners.
>>
>> VirusTotal:
>> <https://www.virustotal.com/en/file/2e6bb8fd7f983dd06fa0c5314a7b105354888f63c60a3205ade6d467cc620dc5/analysis/>
>> <https://www.virustotal.com/en/file/2ec4b1705b690ab8c558e3e8ead8bbd34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
>> <https://www.virustotal.com/en/file/553496aa878821295de7acdd20d6377d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
>> <https://www.virustotal.com/en/file/4d33f4a3c1cbf9cded6a3a096025d0b44905e0308bd3662a496a0701f2ec942d/analysis/>
>>
>> Can somebody explain why they are being dropped at this time?
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA
-Al-
--
Al Varnell
Mountain View, CA
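As an added example (not code from the thread or from ClamAV itself): a small Python parser for the `.hsb` hash-signature records shown in the quoted sigtool output, in the form md5:size:name[:minflevel], which checks a file's MD5 and size against them the way a hash signature must match both fields. The four Proton records are the ones quoted above; the `Test.Constructed-0` record and the sample bytes are constructed here so a match can be exercised offline.

```python
import hashlib
import re

# Records quoted from the sigtool -f output earlier in the thread, plus one record
# and one input constructed here so the match path can be exercised offline.
HSB_LINES = [
    "[daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73",
    "[daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73",
    "[daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73",
    "[daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73",
]
SAMPLE = b"constructed test bytes, not a malware sample\n"  # constructed input
CONSTRUCTED_LINE = "%s:%d:Test.Constructed-0:73" % (hashlib.md5(SAMPLE).hexdigest(), len(SAMPLE))
_PREFIX = re.compile(r"^\[[^\]]+\]\s*")  # sigtool prints "[daily.hsb] " before each record

def parse_hsb(line):
    """Parse one .hsb record 'md5:size:name[:minflevel]'; None for blank/comment lines."""
    line = _PREFIX.sub("", line.strip())
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 3:
        raise ValueError("malformed .hsb record: %r" % line)
    md5, size, name = fields[0].lower(), fields[1], fields[2]
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError("bad MD5 in .hsb record: %r" % line)
    minflevel = int(fields[3]) if len(fields) > 3 and fields[3] else None
    return {"md5": md5, "size": None if size == "*" else int(size),  # '*' = any size
            "name": name, "minflevel": minflevel}

def load_hsb(lines):
    """Index records by MD5 so each scanned file costs one dictionary lookup."""
    db = {}
    for line in lines:
        rec = parse_hsb(line)
        if rec is not None:
            db.setdefault(rec["md5"], []).append(rec)
    return db

def match_bytes(data, db):
    """Return the signature name whose MD5 and size both agree with data, else None."""
    digest = hashlib.md5(data).hexdigest()
    for rec in db.get(digest, []):
        if rec["size"] is None or rec["size"] == len(data):
            return rec["name"]
    return None
```

Because the size field is part of the match, a file whose contents are unchanged but whose recorded size differs is not flagged, which is why two records above can share a size (44592) yet remain distinct detections.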