[clamav-users] [clamav-virusdb] Signatures Published daily - 24065
Al Varnell
alvarnell at mac.com
Sat Nov 25 07:33:05 UTC 2017
I just uploaded an application which falsely shows two components to be infected with this new signature:
d075a7fb237c0f250d713ddfd53ef354:21313752:istatmenus6.0.zip
I have at least one other app with the same FP.
-Al-
On Fri, Nov 24, 2017 at 04:47 PM, Al Varnell wrote:
> That helps to explain the False Positives seen this week for that signature which caused the ClamXAV developer to immediately ignore that signature before distributing it.
>
> Although the new signature may well be related to a file created by this infector, it appears to be a separate file from the four identified by the hash signatures.
>
> -Al-
>
> On Fri, Nov 24, 2017 at 07:33 AM, Alain Zidouemba wrote:
>> They were replaced with:
>>
>> Osx.Malware.Proton-6377366-1
>>
>> - Alain
>>
>>
>> On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell <alvarnell at mac.com> wrote:
>>
>>>> Begin forwarded message:
>>>>
>>>> From: noreply at sourcefire.com
>>>> Subject: [clamav-virusdb] Signatures Published daily - 24065
>>>> Date: November 22, 2017 at 5:10:11 PM PST
>>>> To: clamav-virusdb at lists.clamav.net
>>>>
>>>> Dropped Detection Signatures:
>>>>
>>>> * Osx.Trojan.Proton-6352640-0
>>>>
>>>> * Osx.Trojan.Proton-6352641-0
>>>>
>>>> * Osx.Trojan.Proton-6352642-0
>>>>
>>>> * Osx.Trojan.Proton-6352643-0
>>>
>>> I'm quite confused and concerned about why these are being dropped. All
>>> added in daily - 23973, 20 Oct.
>>>
>>> $ sigtool -fOsx.Trojan.Proton-6352640-0
>>> [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352641-0
>>> [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352642-0
>>> [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352643-0
>>> [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
>>>
>>> Two of these are a perfect match for samples I personally have of the
>>> hijacked Elmedia Player that installed OSX.Proton.C as described in this
>>> Intego blog:
>>> <https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/> and this Malwarebytes
>>> blog:
>>> <https://blog.malwarebytes.com/cybercrime/2017/10/mac-malware-osx-proton-strikes-again/>, among others.
>>>
>>> They are all broadly detected on VirusTotal by 30 or more scanners.
>>>
>>> VirusTotal
>>> <https://www.virustotal.com/en/file/2e6bb8fd7f983dd06fa0c5314a7b105354888f63c60a3205ade6d467cc620dc5/analysis/>
>>> <https://www.virustotal.com/en/file/2ec4b1705b690ab8c558e3e8ead8bbd34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
>>> <https://www.virustotal.com/en/file/553496aa878821295de7acdd20d6377d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
>>> <https://www.virustotal.com/en/file/4d33f4a3c1cbf9cded6a3a096025d0b44905e0308bd3662a496a0701f2ec942d/analysis/>
>>>
>>> Can somebody explain why they are being dropped at this time?
>>>
>>> -Al-
>>> --
>>> Al Varnell
>>> Mountain View, CA
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>
> -Al-
-Al-
--
Al Varnell
Mountain View, CA
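As an added example (not code from the thread or from the ClamAV project), here is a small Python check a defender can run against the hash signatures quoted above: it parses .hsb lines (md5:size:name:functionality level, as sigtool printed them), matches a file the way a hash signature does (md5 and size must both agree), and diffs two daily.hsb snapshots to report which known samples would lose detection after signatures are dropped. The sample bytes and the Test.Constructed-1 signature are constructed for the test; the md5:size pair is the same fingerprint an FP report line such as the one at the top of the message carries.

```python
import hashlib
from dataclasses import dataclass

# Hash signatures exactly as sigtool printed them in the thread (.hsb format:
# md5:filesize:signature_name:minimum_functionality_level)
OLD_DAILY_HSB = """\
cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
"""

@dataclass(frozen=True)
class HashSig:
    md5: str
    size: int
    name: str
    flevel: int

def parse_hsb(text):
    """Parse .hsb lines; the functionality-level field is optional (default 0)."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed hsb line: {line!r}")
        flevel = int(parts[3]) if len(parts) > 3 and parts[3] else 0
        sigs.append(HashSig(parts[0].lower(), int(parts[1]), parts[2], flevel))
    return sigs

def fingerprint(data):
    """The two fields an FP report carries (md5:size, as sigtool --md5 prints them)."""
    return hashlib.md5(data).hexdigest(), len(data)

def match(sigs, data, engine_flevel=73):
    """Hash signatures that fire on data: md5 AND size agree, engine flevel suffices."""
    md5, size = fingerprint(data)
    return sorted(s.name for s in sigs
                  if s.md5 == md5 and s.size == size and s.flevel <= engine_flevel)

def coverage_change(old_sigs, new_sigs, samples):
    """Diff two daily.hsb snapshots over a dict of known-bad samples and report
    the dropped signature names plus the samples that lose hash detection."""
    dropped = sorted({s.name for s in old_sigs} - {s.name for s in new_sigs})
    lost = [label for label, data in samples.items()
            if match(old_sigs, data) and not match(new_sigs, data)]
    return dropped, lost
```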