Trojan alert


Trojan alert

tringate
I run regions on OSgrid and today I discovered an asset was loaded into my asset cache which failed Microsoft virus scan.  It was put in quarantine; the file was on my Linux server which runs my regions.

Others may wish to purge this asset as well.  Maybe OSgrid should be removing this asset if it indeed has this Trojan contained in it.

Trojan:Script/Foretype.A!ml
Quarantined
2/23/2019 5:44 AM
Trojan
This program is dangerous and executes commands from an attacker.
Affected items:
file: \\BANDIT1\var\assetcache-master\8d1\8d184c53-6321-4347-955d-de53e88643a0

_______________________________________________
Opensim-users mailing list
[hidden email]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-users

Re: Trojan alert

Asaff Belfer
Can you tell if it is actually a .exe file?

Asaff


On Sun, Feb 24, 2019 at 3:56 AM <[hidden email]> wrote:

> I run regions on OSgrid and today I discovered an asset was loaded into my
> asset cache which failed Microsoft virus scan.  It was put in quarantine,
> the file was on my Linux server which runs my regions.
>
> Others may wish to purge this asset as well.  Maybe OSgrid should be
> removing this asset if it indeed has this Trojan contained in it.
>
> Trojan:Script/Foretype.A!ml
> Quarantined
> 2/23/2019 5:44 AM
> Trojan
> This program is dangerous and executes commands from an attacker.
> Affected items:
> file:
> \\BANDIT1\var\assetcache-master\8d1\8d184c53-6321-4347-955d-de53e88643a0
>

Re: Trojan alert

Ethan Gardener
In reply to this post by tringate
On Sun, Feb 24, 2019, at 1:56 AM, [hidden email] wrote:

> I run regions on OSgrid and today I discovered an asset was loaded into
> my asset cache which failed Microsoft virus scan.  It was put in
> quarantine, the file was on my Linux server which runs my regions.
>
> Others may wish to purge this asset as well.  Maybe OSgrid should be
> removing this asset if it indeed has this Trojan contained in it.
>
> Trojan:Script/Foretype.A!ml
> Quarantined
> 2/23/2019 5:44 AM
> Trojan
> This program is dangerous and executes commands from an attacker.
> Affected items:
> file: \\BANDIT1\var\assetcache-master\8d1\8d184c53-6321-4347-955d-de53e88643a0

The other day, I tried to install (on Windows 7) an ordinary, relatively well-known Forth interpreter, Win32Forth.  Windows Defender was all, "THIS IS MONSTER TROJAN! I CRUSH MONSTER NOW!"  Not in those exact words, of course, ;) but that was the impression I got.  Either some real trojan has incorporated Win32Forth's kernel, or a common Forth interpreting technique has become widely used in malware.  

False positives such as these have been known since the first virus scanners.  No malware scanner can truly know what the code will do, it can only match patterns; code fragments.  Microsoft especially have a corporate culture of presenting their guesses and mistakes as certainty and fact, perhaps as much as Linden Labs, but it's not necessarily true.  (There's a horrible/hilarious story about a Microsoft rep arguing publicly and very determinedly at a conference that Microsoft's version of the ksh program was standards compliant.  Eventually, someone pointed out that the guy he was arguing with was the author of the original ksh!  The company may have got a bit better, I'm not sure, but the very nature of malware scanning tends to false certainties.)

There's also a matter of "how much is the data worth?"  I chose not to bother fighting the virus scanner over Win32Forth because I don't need it, I have 4 more powerful Forths already installed.  In the case of this asset, it could be someone's hard work on a texture or mesh which just happens to match some fragment of trojan code when encoded for asset storage.  If that seems unlikely, consider how many assets there are.  Or, it could be a genuine trojan copybotted from Second Life. :)

Anyway, you could answer Asaff's question (more or less) by running the file command in Linux.  It looks at file contents to determine what type it is.  It can be fooled too, but that's rather rare these days.  
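Ethan's suggestion above (run `file` on the cached asset to see what it really is) can be made a little more systematic. The script below is an added example written for this thread, not OpenSim code: it reads the first bytes of an asset cache entry (which is named by UUID, so the extension tells you nothing), compares them against a few well-known magic numbers, falls back to a text-versus-binary check for anything unrecognised, and then prints the `file` verdict alongside for comparison when that tool is installed. The magic numbers for MZ/PE, ELF, PNG, JPEG and the JPEG 2000 codestream are standard; the assumption that OpenSim texture assets are stored as raw JPEG 2000 codestreams is mine.

```bash
#!/bin/sh
# classify_asset: report what a cached OpenSim asset actually contains,
# judging by content rather than by file name.
# Added example for this thread; not part of OpenSim.

# First 8 bytes of the file as lowercase hex with no separators.
asset_magic() {
    od -An -tx1 -N 8 "$1" | tr -d ' \n'
}

classify_asset() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 1; }
    case "$(asset_magic "$f")" in
        4d5a*)             echo "pe-executable" ;;   # "MZ": DOS/Windows PE header (Asaff's .exe case)
        7f454c46*)         echo "elf-executable" ;;  # ELF, a native Linux binary
        89504e470d0a1a0a*) echo "png-image" ;;
        ffd8ff*)           echo "jpeg-image" ;;
        ff4fff51*)         echo "j2k-texture" ;;     # JPEG 2000 codestream (assumed texture format)
        *)
            # No known magic: count bytes that are neither printable ASCII nor
            # whitespace; zero means plain text (e.g. a script or notecard body).
            n=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
            if [ "$n" -eq 0 ]; then
                echo "text"
            else
                echo "unknown-binary"
            fi ;;
    esac
}

# Print our verdict and, when available, what file(1) thinks.
describe_asset() {
    printf '%s: %s\n' "$1" "$(classify_asset "$1")"
    if command -v file >/dev/null 2>&1; then
        printf '  file(1): %s\n' "$(file -b "$1")"
    fi
}

# Usage: sh classify_asset.sh /var/assetcache-master/8d1/<uuid> [...]
for arg in "$@"; do
    describe_asset "$arg"
done
```

A "text" result for something Defender labelled `Trojan:Script/...` would be consistent with an ordinary in-world script that merely matched a signature, while "pe-executable" or "elf-executable" means a real program was sitting in the asset store and is worth a closer look before it is purged.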

Re: Trojan alert

tringate
In reply to this post by Asaff Belfer
Unfortunately I deleted the file that Windows tucked away, and it was removed
from Windows when it placed it in quarantine.  The reason Windows scans all
of my master cache is because I on my desktop so when I need to use my
standalone local OpenSim to try something or build something, everything is
already present in cache.  I do not need to access the internet at all to
retrieve it.  This is the first time it ever flagged anything from OpenSim,
which got my attention.

Whatever it is, it was not reloaded by any resident as it is not back in the
master cache either.



-----Original Message-----
From: Asaff Belfer
Sent: Sunday, February 24, 2019 1:22 AM
To: [hidden email]
Subject: Re: [Opensim-users] Trojan alert

Can you tell if it is actually a .exe file?

Asaff


On Sun, Feb 24, 2019 at 3:56 AM <[hidden email]> wrote:

> I run regions on OSgrid and today I discovered an asset was loaded into my
> asset cache which failed Microsoft virus scan.  It was put in quarantine,
> the file was on my Linux server which runs my regions.
>
> Others may wish to purge this asset as well.  Maybe OSgrid should be
> removing this asset if it indeed has this Trojan contained in it.
>
> Trojan:Script/Foretype.A!ml
> Quarantined
> 2/23/2019 5:44 AM
> Trojan
> This program is dangerous and executes commands from an attacker.
> Affected items:
> file:
> \\BANDIT1\var\assetcache-master\8d1\8d184c53-6321-4347-955d-de53e88643a0
>