acreloaded / acr

AssaultCube Reloaded (first-person-shooter game)
https://acr.victorz.ca

Windows Defender identifies V2.18.2 as a trojan #254

Open the1glorfindel opened 3 years ago

the1glorfindel commented 3 years ago

(screenshot attached)

theonlypwner commented 3 years ago

I notice that many anti-virus scanners detect the ACR v2.18.2 Windows client executable as a virus. When I download the release, I see Windows Defender detects it as TrojanDropper:Win32/OverJoiner!rfn. It's either a lot of false positives, or GitHub's hosted runner environment was compromised.

Unlike previous releases, where I compiled the binaries manually, the v2.18.2 executables were compiled in GitHub Actions (https://github.com/acreloaded/acr/actions/runs/470292606). GitHub's machines run the workflow file and generate the release.

I have submitted a support request to GitHub about the potential security issue. Until this is resolved, I recommend compiling the source code yourself.

I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean. It seems like there are some false positives, but not like 50% detecting it as a virus: https://www.virustotal.com/gui/file/225b98ffa65d1387350bc6928db695be05f6e0156a9b3fdcf058e4de84fc8391

Duckrinium commented 3 years ago

Installed through choco, detected as Trojan but with a different name. (screenshot attached)

> I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean.

This one detects as Ymacco.AA22, I guess it's GitHub.

dillfrescott commented 3 years ago

I'm currently running a hybrid analysis on it. Avast blocked it. Firefox blocked it, and nearly half of the virus total results marked it as malicious. Something isn't right here...

I haven't tried to compile it myself though.

dillfrescott commented 3 years ago

Here are the results of the Hybrid Analysis:

https://www.hybrid-analysis.com/sample/805a2d3969af315f4c47c9299b565dc44ba2f6493509b79b83d139ce4a8d4ca8/615764121f4402747a1d8907

Manerr commented 2 years ago

Hello, I downloaded ACR yesterday without reading that issue, sadly. Defender warned me (TrojanDropper:Win32/OverJoiner!rfn), and I deleted all the files manually. Do you think I risk something? I'm a bit worried about my PC... and my internet accounts, thus.
Any suggestion or help? Thanks in advance :/

theonlypwner commented 2 years ago

As mentioned before, compile ACR yourself if you do not trust the executables created by GitHub's machines.

It is possible that there is something in the ACR code that anti-virus software does not like. For example, bugs that cause memory overreads or corruption would possibly trigger detections. If we can find and fix those issues, it would help to resolve this.

I don't have time to investigate right now, but if someone finds and reports what's causing the detections, I can make the fixes and release a new version.

kabeeki commented 2 years ago

Could this possibly be related to it using registry keys and services for the server?

Hybrid Analysis says that it imports suspicious APIs, namely RegCloseKey, StartServiceCtrlDispatcherA, RegOpenKeyExA, GetDriveTypeW, GetFileAttributesA, UnhandledExceptionFilter, WriteFile, GetModuleFileNameW, IsDebuggerPresent, LoadLibraryExW, CreateThread, ExitThread, TerminateProcess.

Some of which I don't see why AssaultCube uses, like the registry-related ones. Maybe they are for saving the resolution and game settings?

Hope this helps, Levi

theonlypwner commented 2 years ago

@kabeeki AssaultCube and AssaultCube Reloaded both read the registry:

https://github.com/acreloaded/acr/blob/v2.18.2/source/src/stream.cpp#L147-L170

https://github.com/assaultcube/AC/blob/v1.3.0.2/source/src/stream.cpp#L151-L174

AC and ACR use the registry to substitute ?MYDOCUMENTS? with the My Documents folder path. Also, ACR uses the registry to read MachineGuid to get a unique machine ID.
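
An added example, not ACR's or AssaultCube's own code, that reproduces the two registry reads described above in PowerShell so a reader can check by hand what those RegOpenKeyExA/RegCloseKey imports resolve to on their machine. The key paths are assumptions based on the standard Windows locations for the per-user Documents folder and the install-time MachineGuid; the linked stream.cpp sources are authoritative for what the game actually reads. The placeholder token spelling, the template string and the file name acr_client.exe are also assumptions.

```powershell
# Added example (not the project's code): the two registry reads the thread attributes
# to AC/ACR, plus a heuristic check that a downloaded client contains the related strings.

function Get-MyDocumentsPath {
    # Per-user Documents folder as recorded by Explorer. Assumed to be the value the
    # game's ?MYDOCUMENTS? substitution resolves to. Readable by a standard user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    (Get-ItemProperty -Path $key -Name 'Personal').Personal
}

function Get-MachineGuid {
    # Machine-wide GUID generated when Windows was installed; the thread says ACR reads
    # it as a unique machine ID. Reading HKLM here does not require elevation.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
    (Get-ItemProperty -Path $key -Name 'MachineGuid').MachineGuid
}

function Expand-HomeTemplate {
    # Substitute the placeholder token in a configured home-directory string.
    # The token spelling is an assumption; the thread renders it as ?MYDOCUMENTS?.
    param(
        [Parameter(Mandatory)][string]$Template,
        [string]$Token = '?MYDOCUMENTS?'
    )
    $Template.Replace($Token, (Get-MyDocumentsPath))
}

function Find-RegistryStrings {
    # Heuristic: grep the binary for the ASCII strings those registry reads need.
    # A miss is not proof of absence; UTF-16 or runtime-built strings are not found this way.
    param([Parameter(Mandatory)][string]$Path)
    Select-String -Path $Path -Pattern 'MachineGuid', 'Shell Folders', 'Cryptography' -SimpleMatch |
        Select-Object -Unique Pattern
}

# Usage (file name assumed):
# Get-MachineGuid
# Expand-HomeTemplate -Template '?MYDOCUMENTS?\My Games\AssaultCube Reloaded'
# Find-RegistryStrings -Path .\acr_client.exe
```

Both reads are ordinary for a game that stores settings under the user's Documents folder, which is why an import list alone cannot distinguish this binary from a dropper; comparing a self-compiled build against the release artifact, as suggested earlier in the thread, remains the stronger check.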

AZeed18 commented 2 months ago

After running it, I later received an email from https://haveibeenpwned.com, that my data was exposed in an info stealer combo

These builds are not the only suspect but I thought it is worth mentioning this

theonlypwner commented 2 months ago

> After running it, I later received an email from https://haveibeenpwned.com, that my data was exposed in an info stealer combo
>
> These builds are not the only suspect but I thought it is worth mentioning this

@AZeed18 how much time passed between the time when you ran it and when the data breach was exposed?

The code to produce the builds is all open-source in this repo, available for everyone to inspect, and GitHub runs the code to build ACR. The question becomes whether you trust GitHub. If you don't, compile it by yourself.

AZeed18 commented 2 months ago

Around a week. Could it be an attack on GitHub? It might be just a false positive.

The game works fine when excluded from AV

Anyways, it is not the only suspect

theonlypwner commented 2 months ago

@AZeed18 It probably takes more than 1 week for a data breach to be discovered, processed, and posted to haveibeenpwned.com.

An attack on GitHub is possible, but unlikely. A false positive is more likely.