JS/CoinMiner Trojan inside uBlock

[mynameisoz]

Prerequisites

• I verified that this is not a filter issue
  • Filter issues MUST be reported at filter issue tracker
• This is not a support issue or a question
  • Support issues and questions are handled at /r/uBlockOrigin
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • Your issue may already be reported.
• I tried to reproduce the issue when...
  • uBlock Origin is the only extension
  • uBlock Origin with default lists/settings
  • using a new, unmodified browser profile
• I am running the latest version of uBlock Origin
• I checked the documentation to understand that the issue I report is not a normal behavior

Description

[Description of the bug or feature]

A specific URL where the issue occurs

[A specific URL is MANDATORY for issue happening on a web page, even if it happens "everywhere"]

Steps to Reproduce

1. [First Step]
2. [Second Step]
3. [and so on...]

Expected behavior:

[What you expected to happen]

Actual behavior:

[What actually happened]

Hi,
After clean installed system I was scanning computer by Clam AntiVirus: Scanner v. 0.101.3.
This is a part what Clam found:

• /Users/Shared/Quarantine/935D012FCDD57AD92F8C852F3231D9BFA301BB22: Js.Coinminer.Generic-7104549-0 FOUND
• /Users/Shared/Quarantine/935D012FCDD57AD92F8C852F3231D9BFA301BB22: moved to '/Users/Shared/Quarantine//935D012FCDD57AD92F8C852F3231D9BFA301BB22.001'
• /Users/Shared/Quarantine/EEAE673CA89CBB96C4317D74D231BFED2F137906: Js.Coinminer.Generic-7104549-0 FOUND
• /Users/Shared/Quarantine/EEAE673CA89CBB96C4317D74D231BFED2F137906: moved to '/Users/Shared/Quarantine//EEAE673CA89CBB96C4317D74D231BFED2F137906.001'
• /Users/Shared/Quarantine/Quarantine.txt: OK
• /Users/Shared/Quarantine/uBlock0@raymondhill.net.xpi: Js.Coinminer.Generic-7104549-0 FOUND
• /Users/Shared/Quarantine/uBlock0@raymondhill.net.xpi: moved to '/Users/Shared/Quarantine//uBlock0@raymondhill.net.xpi.001'

It looks like inside is JS/CoinMiner, which is a really Trojan Horse.

My systemdetails:

• uBlock Origin version: 1.21.2
• Browser Name and version: Firefox 68.0.1
• Operating System and version: OS X El Capitan 10.11.6

[gwarser]

Clean, 0/71:
https://www.virustotal.com/gui/url/a18d50d0891032e95eeb1ecc8e6a2f37a4ad5f8ccc634b0a90595efdd0797b6b/detection

Do this Clam AntiVirus provide more information? Your log only shows files moved from quarantine to quarantine.

Try reporting to Clam as false positive.

[gwarser]

Clam is known to remove uBO: https://github.com/gorhill/uBlock/wiki/Software-known-to-have-uninstalled-uBlock-Origin

---

Probably triggered by URL from one of embedded filter lists:

gorhill/uBlock#2315 (comment)

[uBlock-user]

False positive as usual.

[uBlock-user]

Duplicate of gorhill/uBlock#2315

[mynameisoz]

Clean, 0/71:
https://www.virustotal.com/gui/url/a18d50d0891032e95eeb1ecc8e6a2f37a4ad5f8ccc634b0a90595efdd0797b6b/detection

Do this Clam AntiVirus provide more information? Your log only shows files moved from quarantine to quarantine.

Try reporting to Clam as false positive.

Yes I've done this before. My afraid is that is inside Coin Miner or this is just coincident with the same name.

[gwarser]

This filter list is packed inside uBO extension: https://github.com/uBlockOrigin/uAssets/blob/master/filters/resource-abuse.txt

This list contains filters which match addresses of coin miners, and is used to block them.

It seems ClamAV is not smart enough to understand this.