FortAwesome / Font-Awesome

The iconic SVG, font, and CSS toolkit
https://fontawesome.com

Trojan:Win32/Cloxer in brands.js #18174

Closed mcwnuq closed 3 years ago

mcwnuq commented 3 years ago

containerfile: F:\Pobrane\fontawesome-free-5.15.4-web.zip

file: F:\Pobrane\fontawesome-free-5.15.4-web.zip->fontawesome-free-5.15.4-web/js/brands.js

webfile: F:\Pobrane\fontawesome-free-5.15.4-web.zip|https://use.fontawesome.com/releases/v5.15.4/fontawesome-free-5.15.4-web.zip|pid:24424,ProcessStart:132735880516459853

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fCloxer&threatid=2147726362

tagliala commented 3 years ago

Hi!

Thanks for being part of the Font Awesome Community and thanks for reporting this.

I can confirm, but I think this is a false positive.

I've checked if there are differences with brands.js hosted on the free repo at https://github.com/FortAwesome/Font-Awesome/blob/5.15.4/js/brands.js

and there is actually an unexpected difference, but it should not be the one triggering the antivirus because it is the same in other files (regular.js and solid.js).

[Image: downloaded vs repo]

Let's assign @robmadole
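
The comparison described in the comment above, as an added example that is not part of the original thread or of the Font Awesome project's code: it diffs each file in a downloaded release archive against a reference checkout and reports which changed lines are unique to the flagged file. The archive prefix, file contents and function names are constructed for illustration.

```python
import difflib, io, tempfile, zipfile
from itertools import islice
from pathlib import Path

def changed_lines(ref_text, got_text):
    """Added/removed lines between reference and downloaded text (headers and "@@" dropped)."""
    diff = difflib.unified_diff(ref_text.splitlines(), got_text.splitlines(), lineterm="", n=0)
    return tuple(l for l in islice(diff, 2, None) if l.startswith(("+", "-")))

def compare(zip_file, ref_root, prefix):
    """Map each archive file under `prefix` to its changed lines versus ref_root.
    () means identical; None means the reference tree has no such file."""
    ref_root = Path(ref_root).resolve()
    report = {}
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            rel = info.filename[len(prefix):]
            ref = (ref_root / rel).resolve()
            # Never follow an archive name that points outside the reference tree.
            if not ref.is_relative_to(ref_root) or not ref.is_file():
                report[rel] = None
                continue
            got = zf.read(info).decode("utf-8", "replace")
            report[rel] = changed_lines(ref.read_text("utf-8", "replace"), got)
    return report

def unique_changes(report, flagged):
    """Changed lines in `flagged` that no other compared file shares."""
    others = {l for rel, ch in report.items() if rel != flagged and ch for l in ch}
    return [l for l in (report.get(flagged) or ()) if l not in others]

def demo():
    """Constructed sample: three files that differ from the reference only in a header."""
    body, names = "var icons = {};\n", ["js/brands.js", "js/regular.js", "js/solid.js"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr("pkg-web/" + n, "/* header: build A */\n" + body)
    with tempfile.TemporaryDirectory() as ref:
        Path(ref, "js").mkdir()
        for n in names:
            Path(ref, n).write_text("/* header: build B */\n" + body, encoding="utf-8")
        report = compare(io.BytesIO(buf.getvalue()), ref, "pkg-web/")
    return report, unique_changes(report, "js/brands.js")

if __name__ == "__main__":
    print(demo())
```

An empty list from `unique_changes` means every differing line in the flagged file also appears in the other files' diffs, so that difference alone does not distinguish the flagged file from the ones that were not flagged.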

charles-langley commented 3 years ago

I'm receiving the same threat alert from Windows Defender:

Detected: Trojan:Win32/Cloxer
Date: 8/16/2021 11:21 AM
Details: This program is dangerous and executes commands from an attacker.
Affected items: file: ....\node_modules.staging\@fortawesome\fontawesome-free-f5ba74b6\js\brands.js

I should note as well that I've been playing with strapi.io for several iterations over the past 2 weeks, and today was the first time I received this trojan alert after installing packages.

tagliala commented 3 years ago

> I should note as well that I've been playing with strapi.io for several iterations over the past 2 weeks, and today was the first time I received this trojan alert after installing packages.

I'm getting the same message and I don't know what strapi.io is 😅

Anyway, I've checked the source code and I've scanned the file with VirusTotal and the result is 0/89: https://www.virustotal.com/gui/url/9148b9cddb462d6b9d80efea73ffc8717b49ed815ac9bc1106ba052321753c9c/detection

My best guess is a false positive.

robmadole commented 3 years ago

@mcwnuq @charles-langley this file is JavaScript and not executable. This is a false positive.

If you have any more information you can share with us I'd be happy to take a look. But most likely the fingerprinting for the file matches some signature for that virus.

tagliala commented 3 years ago

I've tried to run the scan again today and it is clean.

Please try again