EmmyLua / IntelliJ-EmmyLua

Lua IDE/Debugger Plugin for IntelliJ IDEA
https://emmylua.github.io
Apache License 2.0

Malware "Trojan.Win32.Redline" in IDEA plugin (Virustotal analysis) #592

Open hazington opened 2 days ago

hazington commented 2 days ago

Environment

EmmyLua version: v1.4.14-IDEA242

What are the steps to reproduce this issue?

  1. Download: https://plugins.jetbrains.com/plugin/download?rel=true&updateId=581762
  2. Upload to Virustotal: https://www.virustotal.com/gui/file/6673011f7cc286bb3eee2148045426d8f3c1b2e8711780db28b9f3a22bd12915
  3. Check file

What happens?

Trojan.Win32.Redline warning

What were you expecting to happen?

No warnings

CppCXY commented 1 day ago

This is probably due to the EmmyLua remote debugger. We have removed the attach debugger from EmmyLua in 2020 due to virus reports. If you are concerned about virus issues, you can choose not to use the EmmyLua plugin. The source code of the EmmyLua debugger is fully open, and you can review the code yourself or compile the debugger. see: https://github.com/EmmyLua/EmmyLuaDebugger

hazington commented 1 day ago

https://metadefender.com/results/hash/6673011F7CC286BB3EEE2148045426D8F3C1B2E8711780DB28B9F3A22BD12915

First of all: I always check the source code of extensions from unknown developers and also do a virus scan. It's the first time that virus scanners detected "likely malicious" behaviour, but this could be a false positive. This is why I opened an issue in your repository to inform you and ask for details. By checking the MetaDefender sandbox results, I noticed that it's marked as "likely malicious" mostly because of VM environment detection and the usage of the Windows socket API, which seems legitimate and necessary for the remote debugger functionality. Maybe you could release an "EmmyLua lite" version that only comes with static analysis and syntax highlighting, without the remote debugger?

Btw: Open source doesn't necessarily mean that the extension was compiled from the source code.
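Two points in this thread ask for the same check: the reproduction steps in the issue (download the plugin, scan it, check the file) and the remark above that open source does not prove the shipped binary was compiled from that source. The script below is an added example and is not code from the EmmyLua project or from JetBrains. It verifies that the archive you are holding is the one that was scanned (the only real value used is the SHA-256 quoted in the issue), lists every native executable inside the plugin zip (including inside nested jars) so an AV verdict can be pinned to a specific file, and compares those files against hashes of binaries you built yourself from the published debugger source. The archive layout, file names and hashes in the constructed sample are assumptions, not the real plugin's contents.

```python
"""Offline triage of a JetBrains plugin archive (added example, not project code)."""
from __future__ import annotations

import hashlib
import io
import zipfile

# SHA-256 reported for the EmmyLua v1.4.14-IDEA242 download in the issue above.
REPORTED_SHA256 = "6673011f7cc286bb3eee2148045426d8f3c1b2e8711780db28b9f3a22bd12915"

# Magic bytes of native executables. The Mach-O fat magic 0xCAFEBABE is
# deliberately omitted: Java .class files start with the same four bytes,
# and a plugin jar contains thousands of them.
NATIVE_MAGICS = (
    b"MZ",                # PE (Windows DLL/EXE)
    b"\x7fELF",           # ELF (Linux)
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit
    b"\xfe\xed\xfa\xcf",  # Mach-O 64-bit
    b"\xce\xfa\xed\xfe",  # Mach-O 32-bit, byte-swapped
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, byte-swapped
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive(data: bytes, expected_hex: str) -> bool:
    """True if the bytes on disk are exactly the file that was scanned."""
    return sha256_hex(data) == expected_hex.lower()


def native_binaries(data: bytes) -> dict[str, str]:
    """Map every native executable in the zip (recursing into nested jars/zips)
    to its SHA-256, so an AV verdict can be tied to one concrete file."""
    found: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            if blob.startswith(NATIVE_MAGICS):
                found[info.filename] = sha256_hex(blob)
            elif blob.startswith(b"PK\x03\x04"):  # nested jar or zip
                for inner, digest in native_binaries(blob).items():
                    found[f"{info.filename}!/{inner}"] = digest
    return found


def compare_with_local_build(shipped: dict[str, str], built: dict[str, str]) -> dict[str, str]:
    """Compare shipped native binaries with hashes of binaries compiled from source.
    Only 'match' ties a shipped file to the source. 'mismatch' may be a
    non-reproducible build (timestamps, compiler version), but it means the
    source code does not vouch for that particular file."""
    result = {}
    for name, digest in shipped.items():
        base = name.rsplit("/", 1)[-1]
        if base not in built:
            result[name] = "not built locally"
        elif built[base] == digest:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def build_sample_plugin() -> bytes:
    """Constructed stand-in for a plugin zip (assumed layout, not the real archive):
    a jar holding plugin.xml and a .class file, plus two fake debugger binaries
    that carry only the magic bytes."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/plugin.xml", "<idea-plugin><id>example.plugin</id></idea-plugin>")
        # Starts with CA FE BA BE like a fat Mach-O; must not be reported as native.
        j.writestr("example/Foo.class", b"\xca\xfe\xba\xbe" + b"\0" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("EmmyLua/lib/EmmyLua.jar", jar.getvalue())
        z.writestr("EmmyLua/debugger/windows/x64/emmy_core.dll", b"MZ" + b"\0" * 62)
        z.writestr("EmmyLua/debugger/linux/emmy_core.so", b"\x7fELF" + b"\0" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    # For the real download: sample = open("EmmyLua.zip", "rb").read()
    sample = build_sample_plugin()
    print("matches reported hash:", verify_archive(sample, REPORTED_SHA256))
    shipped = native_binaries(sample)
    for name, digest in shipped.items():
        print(f"{digest}  {name}")
    # Hashes of your own build output (placeholders here; fill from your build tree).
    local = {
        "emmy_core.dll": sha256_hex(b"MZ" + b"\0" * 62),  # assumed identical build
        "emmy_core.so": sha256_hex(b"some other build"),  # assumed divergent build
    }
    for name, verdict in compare_with_local_build(shipped, local).items():
        print(f"{verdict:18} {name}")
```

The archive-level hash check comes first because a sandbox report is only meaningful for the exact bytes that were uploaded; once that matches, the per-file hashes let you re-submit just the debugger binary to the scanner and see whether the verdict follows it, which separates a detection on the native remote-debugger component from one on the Java plugin code.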

CppCXY commented 1 day ago

I actually can't decide on the release of this plugin, but if you want to use a plugin without the debugger, you can use Sumneko Lua, which is also a plugin I released.

hazington commented 1 day ago

@CppCXY

Thank you for your help. I'll consider your suggested extension.