Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#5689 closed defect (fixed)

tor-browser-2.2.35-9_en-US.exe infected?

Reported by: taylorkh
Owned by: erinn
Priority: Very High
Milestone: TorBrowserBundle 2.2.x-stable
Component: Company
Cc: mikeperry, ioerror, arma, phobos

Description

Centurylink Online Security 9.01 (F-Secure bundled by Centurylink, my ISP) on Windows XP reports that the trojan Gen.Variant.Kazy.25958 is infecting tbb-firefox.exe from the latest bundle listed in the subject line. I verified the signature on the downloaded file per your instructions and it was OK. I unzipped the bundle on another virtual machine without the F-Secure product and copied the files to my Linux machine. I scanned the files with Bitdefender for Unices 7.6-4 with the latest definitions. It also indicated the same infection in tbb-firefox.exe.

Please advise if there is any additional information I can provide.

Change History (15)

comment:1 Changed 7 years ago by Sebastian

Component: (none) → Tor bundles/installation
Owner: set to erinn

Hrm. virustotal also gives the same warning, for only the f-secure scanner. I can't confirm any reports with any other scanners. The default assumption would be a false positive here

comment:2 Changed 7 years ago by helpinghand

Milestone: TorBrowserBundle 2.2.x-stable
Priority: normal → critical

Same here! My anti-virus, same as F-Secure, McAfee detected it as

Gen:Variant.Kazy.25958 (Spy Hackorz)

and removed tbb-firefox.exe immediately from the archive. Tor cannot be used under this issue.

Please get it solved!

comment:3 Changed 7 years ago by taylorkh

I have scanned the offending file with Avast 120429-0 on Win XP and it shows CLEAN.
I have scanned the offending (Windows) file using ClamAV 0.96.5 on a Linux box and it shows CLEAN.

Ken

comment:4 in reply to: 3 Changed 7 years ago by helpinghand

Replying to taylorkh:

> I have scanned the offending file with Avast 120429-0 on Win XP and it shows CLEAN.
> I have scanned the offending (Windows) file using ClamAV 0.96.5 on a Linux box and it shows CLEAN.
>
> Ken

Yes, but you should consider that not all free software is able to discover malware. Anti-virus programs differ a lot. It could also be a BUG, but even so it's causing problems and keeps me from using it.

Another update is needed here.

comment:5 Changed 7 years ago by taylorkh

I agree that this needs to be resolved. I was just reporting additional data for what it might be worth. I have tested the offending file with the latest PAID versions of Spybot Search & Destroy, Xoftspy and Malwarebytes (at least I think they are all paid SW - not on my PC) and I did not find any indications of an issue.

An Internet search on Gen.Variant.Kazy.25958 seems to indicate that this is a somewhat common "hit" by a number of AV products. I did not get the impression that it represents an actual piece of malware.

That said... Is it possible to download the previous version of tor-browser? It may have issues but is it better than nothing? As to my situation, I am running tor-browser on Linux. The Windows issue which caused me to report this occurred on a test VMWare XP guest.

Ken

comment:6 Changed 7 years ago by erinn

We're looking into it. I've scanned the build machine and haven't discovered any viruses or malware, but I'm going to look further and see if I can track this down or build a version that doesn't trigger the virus scanners. I'm really sorry about this -- we are trying to figure out what's going on. Thanks a lot for all of the reports from different virus scanners too.

comment:7 Changed 7 years ago by Sebastian

Resolution: fixed
Status: new → closed

It appears F-Secure has issued an update for their virus definition database, alleviating the problem of wrong detection. Please upgrade your definition databases and only re-open if an up-to-date AV engine still detects this as malware. Thanks,all.

comment:8 Changed 7 years ago by mikeperry

Cc: mikeperry added
Resolution: fixed
Status: closed → reopened

Did we get a reason from them? Also, it's just F-Secure that updated, right? That doesn't make this fixed. The reporter also mentioned Bitdefender, and commenters mentioned McAfee.

Also, has anyone tried scanning a bundle built on a different, fresh machine?

Also, why don't we keep fresh build images or snapshots at the very least? If #3688 is out of reach, we should at least be reverting to known clean snapshots before each build.

comment:9 Changed 7 years ago by taylorkh

I have verified that the latest definitions from F-Secure do NOT alert on tbb-firefox.exe. The tor bundle works fine on the Windows XP virtual machine where the original problem was observed. I have also scanned the unzipped tor bundle with Bitdefender using the latest definitions. Again it does NOT alert. I do not have access to McAfee. Perhaps someone else can check with their latest definitions.

Ken

comment:10 in reply to: 8 Changed 7 years ago by Sebastian

Replying to mikeperry:

> Did we get a reason from them? Also, it's just F-Secure that updated, right? That doesn't make this fixed. The reporter also mentioned Bitdefender, and commenters mentioned McAfee.

No, we didn't get a reason. This is fixed, I checked on virustotal and it comes up entirely clean for all scanners they test.

> Also, has anyone tried scanning a bundle built on a different, fresh machine?

Yes, I tried that on the very first day, and that bundle came out clean (so much for reproducible builds)

> Also, why don't we keep fresh build images or snapshots at the very least? If #3688 is out of reach, we should at least be reverting to known clean snapshots before each build.

I have no idea how the build machine setup works. Reverting to snapshots is silly when we need to keep track of security updates of dependencies, which happens way too frequently.

Please close this if you're satisfied now, and open a new bug for build-machine related things

comment:11 in reply to: 10 Changed 7 years ago by mikeperry

Cc: ioerror arma phobos added
Component: Tor bundles/installation → Company

Wow, I don't know about you guys, but this sounds like the malware on our build machines is what got the update :). How did all of the AV vendors sync up so fast? Are they usually that responsive?

And why did an independent build machine produce a clean build immediately, while they were still flagging our official bundles.

I'm not sure I want to close this.. I'm still left with more questions than answers. Does anyone know any staff/contact points at AV companies? We should at least attempt some minimal fact checking...

comment:12 Changed 7 years ago by helpinghand

I'm still having trouble getting the new tor browser bundle to run. It's not only F-Secure that detects it as malware but also a few more AV scanners that do the same. I constantly receive updates on both engines (every 3 hours), depending on my settings, but haven't had any issues using tor on windows 7 x64 so far. Now, tbb-firefox.exe is removed from the folder and taken to the quarantine.

Still working with the last release and will have to do it unless there is a solution here for everybody on all platforms and AV programs. Could also be a misconfiguration on your last update.

comment:13 in reply to: 11 Changed 7 years ago by Sebastian

Resolution: fixed
Status: reopened → closed

Replying to mikeperry:

> Wow, I don't know about you guys, but this sounds like the malware on our build machines is what got the update :). How did all of the AV vendors sync up so fast? Are they usually that responsive?

I'm sorry that I have to dispel your paranoia, but it was _THE SAME FILE_ that got scanned again. At least I pointed it to the same file on our webserver, and virustotal got the same sha256 for it. Now, if you want to claim that probably virustotal got owned by the guys who owned our build machine, then... erm... yeah. whatever.

> And why did an independent build machine produce a clean build immediately, while they were still flagging our official bundles.

Because the builds aren't deterministic. I tried a couple times more on my windows VM, and sometimes some of the AV software flags one part of the tbb as having random malware crap. Basically, AV heuristics are utter bullshit.

> I'm not sure I want to close this.. I'm still left with more questions than answers. Does anyone know any staff/contact points at AV companies? We should at least attempt some minimal fact checking...

I hope what I wrote above convinced you. Next time please don't assume I'm taking the possibility of malware in our bundles lightly without actual evidence.

comment:14 Changed 7 years ago by mikeperry

Sebastian: From my read of your statements in https://trac.torproject.org/projects/tor/ticket/5689#comment:10, it was not clear what TBB versions you actually tested. Remember, Linux and Mac are already on -10, so I assumed Windows had a -10 release too, and what you meant in comment 10 above was that -9 was reported infected, and this was now "fixed" because -10 was suddenly clean. Add that to your own builds coming up clean immediately, and I hope you can see why my immediate conclusion was "holy fuck, this is *not* solved and we have no idea what is actually going on."

I'm sorry you took my request for clarification as a personal insult. I was just trying to get to the bottom of this madness.

comment:15 Changed 7 years ago by erinn

Mike, I was really freaked out by the potential for our build machine to be compromised. As in, actually sick with nerves and having nightmares about it during this whole thing. I did due diligence by scanning the machine (both light and deep scans) and reading about the Kazy malware and manually digging through the registry to see if any of the signs were there. The scans didn't find anything and the manual investigation didn't find anything either. One of the problems I encountered was that it doesn't appear to be easy/possible to get free copies of the popular virus scanners in order to do full machine scans. I tried with F-Secure and also looked around on Bitdefender's terrible website. F-Secure never sent me the free download information and Bitdefender didn't have anything available that I could find. It is easy to submit executables to virustotal for scanning though, so I will be doing that from now on. (The latest -11 release comes up clean, FWIW.)

Currently we only have one Windows VM which is a problem when it comes to testing and/or building on known-clean machines. When we were in Seattle I got an extra two copies of Windows from David Molnar. Recently I asked Jake to send me the license information for one of them so we could get another VM going, but he wasn't going to be in Seattle for a month. I'll email him again and see if we can get another VM going for verification purposes.
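The argument in comment 13 (same SHA-256 on re-scan, so only the AV definitions changed) and the non-deterministic builds that made an independent build come out "clean" both reduce to one check: hash every file in an unpacked bundle and compare the manifests. The following is an added example written for this ticket, not Tor Project code or part of its build system; the build directories, file contents and AV verdicts in `demo()` are constructed for the demonstration, and the helper names are assumptions of this example.

```python
"""Hash two unpacked bundle trees and separate "the file changed" from
"the AV definitions changed". Added example for ticket #5689; not Tor
Project code. Paths, file bytes and verdicts in demo() are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large bundle never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_manifests(old, new):
    """Report which files were added, removed, changed or unchanged between two manifests.

    Two builds of the same source that differ only in 'changed' entries are the
    candidates to look at when one build is flagged and the other is not."""
    old_keys, new_keys = set(old), set(new)
    common = old_keys & new_keys
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in common if old[k] != new[k]),
        "unchanged": sorted(k for k in common if old[k] == new[k]),
    }


def explain_verdict_change(recorded_sha256, path, flagged_before, flagged_now):
    """Decide what a changed AV verdict means, given the hash recorded at first scan.

    Returns one of: 'file-changed' (the two verdicts are about different bytes, so
    compare the builds instead), 'definitions-changed' (identical bytes, detection
    withdrawn: the vendor revised its signature), 'new-detection' (identical bytes,
    newly flagged) or 'no-change'."""
    if sha256_file(path) != recorded_sha256:
        return "file-changed"
    if flagged_before and not flagged_now:
        return "definitions-changed"
    if flagged_before == flagged_now:
        return "no-change"
    return "new-detection"


def demo():
    """Constructed scenario: build A and build B differ only in tbb-firefox.exe,
    and build A's tbb-firefox.exe was flagged once and then cleared on re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_a, build_b = Path(tmp, "build-a"), Path(tmp, "build-b")
        # The bytes below are placeholders, not real PE files.
        for build, exe_bytes in (
            (build_a, b"MZ placeholder tbb-firefox build A"),
            (build_b, b"MZ placeholder tbb-firefox build B (non-deterministic)"),
        ):
            (build / "App").mkdir(parents=True)
            (build / "App" / "tbb-firefox.exe").write_bytes(exe_bytes)
            (build / "App" / "tor.exe").write_bytes(b"MZ placeholder tor")

        diff = compare_manifests(hash_tree(build_a), hash_tree(build_b))

        # Re-scan of the very same build A file: hash recorded at first scan still matches.
        exe_a = build_a / "App" / "tbb-firefox.exe"
        recorded = sha256_file(exe_a)
        verdict = explain_verdict_change(recorded, exe_a, flagged_before=True, flagged_now=False)
        return diff, verdict


if __name__ == "__main__":
    build_diff, rescan_verdict = demo()
    print("changed between builds:", build_diff["changed"])
    print("re-scan of same bytes:", rescan_verdict)
```

Run `hash_tree()` over a bundle right after verifying its signature and keep the manifest; when a scanner later changes its mind, `explain_verdict_change()` against that manifest is the evidence the thread argued about in comments 11 to 13. Running `compare_manifests()` over the official bundle and a bundle built on a fresh machine lists exactly which files the non-deterministic build altered, which is the first question to answer before suspecting the build host.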
