Author Topic: JS: Cryptonight [Trj] Found  (Read 35923 times)


Offline drake145

  • Jr. Member
JS: Cryptonight [Trj] Found
« on: November 25, 2017, 06:04:43 PM »
Hi all,

After running a scan on my MacBook Pro it found a Trojan (name on the subject line).
The path where it was found is as follows:
/private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64.
Below is a short summary of what happened:
-After the Trojan was found, I moved the file to quarantine and checked the forums to see if it might be a false positive.
-Upon not seeing anything, I deleted the file.
-I ran a scan with Malwarebytes, several times, and found nothing.
-After restarting, I ran the scan again with Avast; it found the file again at the same path. I also noticed the scan took longer.

Can anyone please confirm if you are also seeing this file being detected?
If no one else is seeing this, how should I proceed?
I have submitted the file to the virus lab from quarantine.

I appreciate any help.

Avast version: 13.1
Virus definitions: 17112406
« Last Edit: December 02, 2017, 02:03:28 PM by drake145 »

Offline drake145

  • Jr. Member
Re: JS: Cryptonight [Trj] Found
« Reply #1 on: November 25, 2017, 08:20:16 PM »
OK, so I ran another scan again, and it found the infection again with the same path.

I also noticed that, once more, the scan took longer.

original: 1h 17min
2nd: 1h 28 min
3rd: 1h 30 min

I am suspecting that it is either a false positive, or there is some other malware in my system that neither Avast nor Malwarebytes can detect.

Update 2:
It looks like Avast auto-updated to version: 17112500
I also found that I cannot auto-update Avast at this time (after 17112500), since it gives me an error advising that "An error Occurred During the Updating." I have included a screenshot.

Update 3:
I went to and scanned the specific file folder, and it did not find anything.
I restarted my mac, and the update issue mentioned in Update 2 was not solved.
I scanned the folder once more, and sure enough, it found the infection. So it seems to return only after a restart.

Update 4:
I uninstalled and reinstalled avast, and the error that I described in updates 2 and 3 is gone. However, the trojan once again showed up when I scanned the folder directly. Scanning the folder again turned up nothing, but I suspect it will return once I perform a restart.

« Last Edit: November 26, 2017, 03:43:49 AM by drake145 »

Offline Pondus

  • Probably Bot
  • Not an Avast user
Re: JS: Cryptonight [Trj] Found
« Reply #2 on: November 25, 2017, 11:04:24 PM »
Upload and scan the file at www.virustotal.com and post the link to the scan result here.


Offline drake145

  • Jr. Member
« Last Edit: November 26, 2017, 03:26:38 AM by drake145 »

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #4 on: November 26, 2017, 12:20:41 PM »
Same thing happened to me (I nearly died). I researched the virus and found this page: https://superuser.com/questions/1271760/avast-on-macos-high-sierra-claims-it-has-caught-the-windows-only-cryptonight-v

Offline drake145

  • Jr. Member
Re: JS: Cryptonight [Trj] Found
« Reply #5 on: November 26, 2017, 12:54:51 PM »
Frostbird,

Thanks for the link.

Based on the posts in the link, it looks like we will need to wait for Avast to issue an update that can discriminate between the macOS-generated file and the Windows malware.

Does anyone know how long it takes for the virus lab to analyze files sent to them?
« Last Edit: November 26, 2017, 01:02:12 PM by drake145 »

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #6 on: November 26, 2017, 09:14:14 PM »
I had the same problem, Avast picking up the same /private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64. I checked out the file and it had a ton of Windows-specific file paths, which is odd... this being a Mac and all. And, interestingly enough, I noticed there was a lot of text at the bottom of the file that was reversed, so I reversed the text and there was a lot of profanity in it. A few examples:

Fpt_Fuck_AllInOne_UploadA

KeysStealerBearshareStartuser_browserstotalfuckshitsteam_fuckkeyftp_

FuckTheKeyExampleAppDarthVader

I'm not much of a security guy, just thought it was interesting? :)

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #7 on: November 27, 2017, 01:26:58 AM »
I had the same problem on Mac OS 10.12.6. Went to the Apple Store. They looked in the hidden Library folder, could not find a virus and recommended another anti-malware program, though they did not know of this specific problem with Avast.
« Last Edit: November 27, 2017, 02:20:01 AM by danton2 »

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #8 on: November 27, 2017, 04:33:27 AM »
Hey, I have come up with the same problem. Has this matter gotten anywhere?

So, the very same story: after restarting my MacBook, Avast finds the malware again.

Are we any smarter about whether this is just an Avast bug, or an actual malware that Avast can't get rid of?

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • Developer/Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #9 on: November 27, 2017, 08:59:33 AM »
Hello everyone,

I can confirm this is a false positive. The superuser.com post describes the issue quite well: macOS seems to have accidentally created a file that contains fragments of a malicious cryptocurrency miner which also happen to trigger one of our detections. One thing the article is not right about is that this is a Windows-specific malware. It is a JavaScript-based one designed to run in browsers with HTML5 support. That means it can run on any platform that has a compatible web browser.

I'll fix the detection and post an update on when it gets released.

@uuuuuhhhh: I'd recommend running a full scan on your computer (and if it does not find anything, try Malwarebytes or some other scanner just to be sure). The snippets you posted look very suspicious, and since the detected file is part of the system logging database, it may indicate that your computer is infected.


Jiri

Offline drake145

  • Jr. Member
Re: JS: Cryptonight [Trj] Found
« Reply #10 on: November 27, 2017, 01:47:59 PM »
Hi Jiri,

thanks for the response.

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #11 on: November 27, 2017, 02:29:32 PM »
I have the same rude text in the file as uuuuuhhhh. I have run a Malwarebytes scan and it picks up nothing. I am no cybersecurity expert but I suspect the other users may have the same rude text in the file?

Offline drake145

  • Jr. Member
Re: JS: Cryptonight [Trj] Found
« Reply #12 on: November 27, 2017, 02:37:58 PM »
I went to the very bottom of the text file and I don't see that reverse text.

Can you post a screenshot of it?

Offline Radek Brich

  • Developer (Linux AV, Mac AV)
  • Moderator
  • Jr. Member
Re: JS: Cryptonight [Trj] Found
« Reply #13 on: November 27, 2017, 03:08:31 PM »
Hello, I'll just add a bit more information.

The file is created by the macOS system; it's actually part of a "cpu usage" diagnostic report. The report is created because Avast uses the CPU heavily during the scan.

The UUID (7BBC8EE8-D092-34D9-9DD8-B85A99E46C64) identifies a library which is part of the Avast detections DB (algo.so). The content of the file is debugging information extracted from the library. Unfortunately, this seems to contain a string which is in turn detected by Avast as malware.

(The "rude" texts are probably just names of malware.)
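The mapping Radek describes (a uuidtext entry whose directory and file name together form the UUID of a Mach-O image) is the quickest way to confirm this kind of hit yourself. The script below is an added example, not code from the thread or from Avast: it turns a flagged uuidtext path into the image UUID, and compares it against the LC_UUID values that `otool -l` prints for candidate images. The otool output embedded in it is constructed to look like the real LC_UUID load command, the image paths are hypothetical, and the second UUID is made up so that one image matches and one does not.

```python
"""Triage a flagged /private/var/db/uuidtext/... entry by matching its UUID
to the LC_UUID of Mach-O images on disk.

Added example, not from the forum thread or from Avast. Assumptions:
  * the uuidtext layout is <two hex digits>/<remaining 30 hex digits>,
    as in the path from the thread;
  * `otool -l <image>` prints LC_UUID as a line "     uuid XXXXXXXX-....";
  * the image paths in SAMPLE_IMAGES are hypothetical and the otool text
    is constructed, not captured from a real machine.
"""
import re
import subprocess
from uuid import UUID

UUIDTEXT_ROOT = "/private/var/db/uuidtext"

# The path Avast flagged in the thread; its UUID is 7BBC8EE8-D092-34D9-9DD8-B85A99E46C64.
FLAGGED_PATH = "/private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64"

_UUIDTEXT_RE = re.compile(r"(?:.*/)?uuidtext/([0-9A-Fa-f]{2})/([0-9A-Fa-f]{30})")
_LC_UUID_RE = re.compile(r"^\s*uuid\s+([0-9A-Fa-f-]{36})\s*$", re.MULTILINE)


def uuidtext_path_to_uuid(path: str) -> UUID:
    """Rebuild the image UUID from a uuidtext entry path."""
    m = _UUIDTEXT_RE.fullmatch(path)
    if not m:
        raise ValueError(f"not a uuidtext entry: {path}")
    return UUID(hex=m.group(1) + m.group(2))


def uuid_to_uuidtext_path(u: UUID) -> str:
    """Inverse mapping: where unified logging keeps the strings for an image."""
    h = u.hex.upper()
    return f"{UUIDTEXT_ROOT}/{h[:2]}/{h[2:]}"


def lc_uuids_from_otool(otool_output: str) -> list[UUID]:
    """Pull every LC_UUID value (one per architecture slice) out of otool -l text."""
    return [UUID(x) for x in _LC_UUID_RE.findall(otool_output)]


def lc_uuids_of_file(image_path: str) -> list[UUID]:
    """Run the real otool on an image (macOS only; not exercised by the sample)."""
    out = subprocess.run(["otool", "-l", image_path], capture_output=True,
                         text=True, check=True).stdout
    return lc_uuids_from_otool(out)


def match_uuidtext_to_images(path: str, images: dict[str, str]) -> list[str]:
    """Return the image names whose LC_UUID equals the UUID encoded in `path`."""
    target = uuidtext_path_to_uuid(path)
    return [name for name, out in images.items()
            if target in lc_uuids_from_otool(out)]


# Constructed sample: what `otool -l` shows for the LC_UUID load command of two
# hypothetical images. Only the first one carries the UUID from the thread.
SAMPLE_IMAGES = {
    "/path/to/avast/algo.so (hypothetical location)": """\
Load command 8
      cmd LC_UUID
  cmdsize 24
     uuid 7BBC8EE8-D092-34D9-9DD8-B85A99E46C64
""",
    "/usr/lib/libexample.dylib (hypothetical)": """\
Load command 5
      cmd LC_UUID
  cmdsize 24
     uuid 0F0E0D0C-0B0A-4908-8706-050403020100
""",
}


if __name__ == "__main__":
    print("flagged entry UUID:", uuidtext_path_to_uuid(FLAGGED_PATH))
    print("matching images:  ", match_uuidtext_to_images(FLAGGED_PATH, SAMPLE_IMAGES))
```

On a real machine you would replace SAMPLE_IMAGES with `lc_uuids_of_file()` over the images you suspect (the AV engine's own libraries first, given Radek's explanation). A match tells you the "malicious" strings are a debugging dump of a known image rather than a dropped payload; no match for any legitimate image is the case that still deserves a full scan, as Jiri advises.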

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • Developer/Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #14 on: November 28, 2017, 01:02:32 PM »
Hello everyone,

As Radek mentioned in the previous post, the issue was not as straightforward as fixing a faulty detection, because the issue was in leaking some strings that may trigger a detection. I've fixed that, and once the changes pass QA they will get released (as a VPS update, probably tomorrow or on Thursday).

You may need to purge the logs as advised in the superuser.com post.

If the issue still persists with Friday's VPS and logs purged, please let me know. Thanks!


Jiri