Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS/CoinMiner Trojan inside uBlock #698

Closed
3 of 15 tasks
mynameisoz opened this issue Aug 9, 2019 · 6 comments
Closed
3 of 15 tasks

JS/CoinMiner Trojan inside uBlock #698

mynameisoz opened this issue Aug 9, 2019 · 6 comments
Labels
duplicate This issue or pull request already exists

Comments

@mynameisoz
Copy link

mynameisoz commented Aug 9, 2019

Prerequisites

  • I verified that this is not a filter issue
  • This is not a support issue or a question
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
    • Your issue may already be reported.
  • I tried to reproduce the issue when...
    • uBlock Origin is the only extension
    • uBlock Origin with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uBlock Origin
  • I checked the documentation to understand that the issue I report is not a normal behavior

Description

[Description of the bug or feature]

A specific URL where the issue occurs

[A specific URL is MANDATORY for issue happening on a web page, even if it happens "everywhere"]

Steps to Reproduce

  1. [First Step]
  2. [Second Step]
  3. [and so on...]

Expected behavior:

[What you expected to happen]

Actual behavior:

[What actually happened]

Hi,
After clean installed system I was scanning computer by Clam AntiVirus: Scanner v. 0.101.3.
This is a part what Clam found:

  • /Users/Shared/Quarantine/935D012FCDD57AD92F8C852F3231D9BFA301BB22: Js.Coinminer.Generic-7104549-0 FOUND
  • /Users/Shared/Quarantine/935D012FCDD57AD92F8C852F3231D9BFA301BB22: moved to '/Users/Shared/Quarantine//935D012FCDD57AD92F8C852F3231D9BFA301BB22.001'
  • /Users/Shared/Quarantine/EEAE673CA89CBB96C4317D74D231BFED2F137906: Js.Coinminer.Generic-7104549-0 FOUND
  • /Users/Shared/Quarantine/EEAE673CA89CBB96C4317D74D231BFED2F137906: moved to '/Users/Shared/Quarantine//EEAE673CA89CBB96C4317D74D231BFED2F137906.001'
  • /Users/Shared/Quarantine/Quarantine.txt: OK
  • /Users/Shared/Quarantine/uBlock0@raymondhill.net.xpi: Js.Coinminer.Generic-7104549-0 FOUND
  • /Users/Shared/Quarantine/uBlock0@raymondhill.net.xpi: moved to '/Users/Shared/Quarantine//uBlock0@raymondhill.net.xpi.001'

It looks like inside is JS/CoinMiner, which is a really Trojan Horse.

My systemdetails:

  • uBlock Origin version: 1.21.2
  • Browser Name and version: Firefox 68.0.1
  • Operating System and version: OS X El Capitan 10.11.6
@gwarser
Copy link

gwarser commented Aug 9, 2019

Clean, 0/71:
https://www.virustotal.com/gui/url/a18d50d0891032e95eeb1ecc8e6a2f37a4ad5f8ccc634b0a90595efdd0797b6b/detection

Do this Clam AntiVirus provide more information? Your log only shows files moved from quarantine to quarantine.

Try reporting to Clam as false positive.

@gwarser
Copy link

gwarser commented Aug 9, 2019

Clam is known to remove uBO: https://github.com/gorhill/uBlock/wiki/Software-known-to-have-uninstalled-uBlock-Origin


Probably triggered by URL from one of embedded filter lists:

gorhill/uBlock#2315 (comment)

@gwarser gwarser closed this as completed Aug 9, 2019
@gwarser gwarser added the external issue involving an external factor label Aug 9, 2019
@uBlock-user uBlock-user added the invalid not a uBlock issue label Aug 9, 2019
@uBlock-user
Copy link
Contributor

False positive as usual.

@uBlock-user uBlock-user added duplicate This issue or pull request already exists and removed external issue involving an external factor invalid not a uBlock issue labels Aug 9, 2019
@uBlock-user
Copy link
Contributor

Duplicate of gorhill/uBlock#2315

@uBlock-user uBlock-user marked this as a duplicate of gorhill/uBlock#2315 Aug 9, 2019
@mynameisoz
Copy link
Author

Clean, 0/71:
https://www.virustotal.com/gui/url/a18d50d0891032e95eeb1ecc8e6a2f37a4ad5f8ccc634b0a90595efdd0797b6b/detection

Do this Clam AntiVirus provide more information? Your log only shows files moved from quarantine to quarantine.

Try reporting to Clam as false positive.

Yes I've done this before. My afraid is that is inside Coin Miner or this is just coincident with the same name.

@gwarser
Copy link

gwarser commented Aug 9, 2019

This filter list is packed inside uBO extension: https://github.com/uBlockOrigin/uAssets/blob/master/filters/resource-abuse.txt

This list contains filters which match addresses of coin miners, and is used to block them.

It seems ClamAV is not smart enough to understand this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests

3 participants