Closed ithinkandicode closed 3 years ago
1) The build is automatically generated on every commit, which you can see by inspecting ci.yml.
2) I don't see any trojans in the latest few commits, so it does appear to be a false positive.
PyInstaller (the library used to turn the program into an executable) tends to do this on some of the worse / more esoteric antivirus programs (and the four that detected it I have never heard of, which counts under that criteria). I think the other Python builders have a similar issue.
Do you get similar results with other PyInstaller programs?
My Avast antivirus detected a Trojan as well in the latest 3.1.17 build.
Sometimes auto commits can be jacked. If you are not sure, just go to a previous version until the devs get it fixed. Windows Defender also flagged it. So my guess, based on history, is it may be a man-in-the-middle attack. An easy way to check is to have the dev manually build the source and post it in releases. (Back in the day, Forge was jacked by a man-in-the-middle attack: a 3rd party was intercepting commits. Microsoft itself was recently affected by a deployment breach, January 26th 2021.) Last clean version: https://github.com/Basement-Renovator/Basement-Renovator/releases/tag/3.1.16 I don't think the dev intentionally added malicious code, but I have been using PCs since '95 all the way to 11, and I have no doubt, since it's sudden, that this is not a false positive but rather a security breach in the commit.
Another pearl of wisdom: Python scripts are easy to inject malicious code into; it's another reason why Python is often targeted for malicious intent. C++ is a bit harder, but not by much. Also, false positives are far rarer unless you have some non-mainstream antivirus. I use esoteric apps all the time, and they don't get flagged. So it's not false. That just isn't possible.
1) You can inspect the Python code in this repository to confirm that there is no malicious code / trojans.
2) You can inspect the ci.yml file to see how it is packaged into an exe file by GitHub/PyInstaller.
3) The chances of there being a trojan inserted by GitHub or PyInstaller are extremely low.
4) Thus, you can have a high degree of confidence that anything that VirusTotal or Avast reports is a false positive.
5) If you want to be extra safe against a trojan, then you can simply run Basement Renovator from source like all the developers do. Doing this is trivial if you have even the slightest amount of computer knowledge and is well documented.
Given this, I will close this issue now.
@Zamiell The huge fact that when it is run from code it is not flagged definitely confirms a MITM attack.
That doesn't confirm anything, especially not with any degree of certainty. PyInstaller executables are known to trigger false positives from time to time. This is a years-old issue as PyInstaller has some behavior that matches the behavior of malicious executables (namely unpacking a built-in archive to a temporary directory and running the contents of that, as well as running everything through a built-in runtime which some AV can pick up as obfuscation) and is exacerbated by the fact that PyInstaller has been used to create malware in the past. The alternative is having everybody run from source, which some people are not comfortable with or do not completely understand the process of doing so.
GitHub Actions generates a build identically to how a dev would do it, no third party actions are used for the build process. Third party actions are used for the upload process, but the artifacts the uploader uploads are available under the Actions tab. If those trigger AV as well, then there's no MITM. I am equally willing to bet that a build generated yourself with the latest commit would also trigger AV.
I uploaded the latest build to VirusTotal and got nothing but the usual unknown AV providers flagging it. Microsoft Defender also did not throw a false positive. https://www.virustotal.com/gui/file-analysis/YzQzNWVjNDZhYjBmMjcxODg4NmZjM2Y2NzcwZGM5YzY6MTYyNzIxNzEyNA==/detection
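A concrete form of the check jerb describes above (compare the artifact from the Actions tab with the asset attached to the release, and optionally with the SHA-256 that VirusTotal shows for the uploaded file), written as an added example that is not part of this thread or of the Basement Renovator project. The file names and the bytes standing in for the built exe are constructed for the demo; on a real check you would pass the paths of the downloaded CI artifact and release asset.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large exes do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_artifacts(ci_artifact_path, release_asset_path, expected_sha256=None):
    """Return a verdict dict.

    ci_matches_release: the release asset is byte-identical to what the CI run
    produced, so nothing was swapped in on the upload path.
    release_matches_expected: (optional) the local copy is the same file the
    AV/VirusTotal report describes, so the report actually refers to this build.
    """
    ci_digest = sha256_of(ci_artifact_path)
    release_digest = sha256_of(release_asset_path)
    verdict = {
        "ci_sha256": ci_digest,
        "release_sha256": release_digest,
        "ci_matches_release": ci_digest == release_digest,
    }
    if expected_sha256 is not None:
        verdict["release_matches_expected"] = (
            release_digest == expected_sha256.strip().lower()
        )
    return verdict


def demo():
    """Run the comparison on constructed stand-in files (not real build output)."""
    # Constructed bytes standing in for the PyInstaller-built exe.
    payload = b"MZ" + b"\x00" * 64 + b"constructed stand-in for the built exe"
    # Same file with one extra byte, standing in for a modified upload.
    tampered = payload + b"\x90"
    with tempfile.TemporaryDirectory() as workdir:
        ci_path = os.path.join(workdir, "ci_artifact.exe")
        release_path = os.path.join(workdir, "release_asset.exe")
        tampered_path = os.path.join(workdir, "tampered_asset.exe")
        for path, data in ((ci_path, payload), (release_path, payload), (tampered_path, tampered)):
            with open(path, "wb") as f:
                f.write(data)
        clean = compare_artifacts(ci_path, release_path, hashlib.sha256(payload).hexdigest())
        modified = compare_artifacts(ci_path, tampered_path)
    return clean, modified


if __name__ == "__main__":
    for label, verdict in zip(("clean", "modified"), demo()):
        print(label, verdict)
```

The comparison that actually rules out tampering on the upload path is CI artifact versus release asset, which is what the block does; a locally rebuilt exe is not guaranteed to be byte-identical to the CI build, so a mismatch there would not on its own mean anything was inserted.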
this definitely confirms a MITM attack.
As jerb mentions above, a binary being flagged by Windows Defender is not sufficient to confirm a MITM attack, because Windows Defender uses algorithms that result in false positives. If you want to confirm the presence of a trojan, do what an actual security researcher would do: reverse the binary with IDA/Ghidra, detonate the binary with Cuckoo Sandbox, etc. In other words, find an actual IoC, like an IP address or a domain name that the trojan talks to, along with a description of how you found it.
Furthermore, your insinuation that Microsoft itself was breached, and that attackers are inserting trojans into projects via GitHub Actions, is paranoid and unhinged. The SolarWinds hack you refer to above would not allow this kind of thing to ever happen. It would be national news if Microsoft was breached in this manner. And if millions of software projects distributed through GitHub Actions were being bundled with trojans, you certainly wouldn't be the first one to notice.
VirusTotal reports that 4 security vendors flagged the latest build (3.1.15) as malicious.
https://www.virustotal.com/gui/file/187f537895ae42ce289ce7b82e684741e740a7cc8ba7f29a98f94b6460b4b324/detection
Trojan/Generic.ASMalwS.329AD80
Trojan.PSW.Python.cj
Trojan.Win64.Agent.oa!s1
Trojan.Agent.Script.1081328
Are they false positives? Usually a report of 1/60 means a false positive, but 4/60 is more concerning.