develar / app-builder

Generic helper tool to build app in a distributable format
MIT License

Windows Defender detects Trojan:Win32/Wacatac.B!ml #33

Closed jkoenig134 closed 4 years ago

jkoenig134 commented 4 years ago

The old trojan from #32 is gone. There's now a new virus alert.

Virus-Total Detects these: https://www.virustotal.com/gui/file/865ac2546cd8019ed2774e3783dcc311d35ebf962f39fd085630186e7ffa008f/detection

Windows Defender detects this one:

jkoenig134 commented 4 years ago

@develar https://groups.google.com/forum/#!topic/golang-nuts/Au1FbtTZzbk says it's about the ldflags.

nicely commented 4 years ago

YES! I also updated the old topic https://github.com/develar/app-builder/issues/32, by the way. I just tried electron-packager as an alternative; it does not have this kind of issue, but we want to use electron-builder instead, as it's more advanced and promising. With these Trojan alerts, though, it's impossible to distribute our app... @develar before you close the topic, please do not forget to test! It takes only 10 seconds to scan files on VirusTotal, not hard to do...

Updated to attach some screenshots... This time there are 3 files in app-builder-bin/win/ia32:


And all of them are flagged as TROJAN...


jkoenig134 commented 4 years ago

@nicely The issue was closed. I opened a new one to bring it back to mind.

Mike-Dax commented 4 years ago

To confirm, this happens with app-builder-bin@3.5.8 virus on Windows 10.0.18362.

jrcharney commented 4 years ago

Woke up this morning with a similar issue, only mine is a "Trojan:Win32/Fuery.C!cl".

I miss the old days where, on Google, putting things into quotes meant you were grouping words together to define phrases, and putting a plus at the beginning of the word/phrase that search results must contain made finding things easy. So far there isn't any trustworthy source to tell me if this is a false positive or not. Not even a StackOverflow question with a similar problem.

jkoenig134 commented 4 years ago

@jrcharney Is it only the app-builder copy.exe for you or also the original file?

jrcharney commented 4 years ago

@jkoenig134 honestly, I don't have a definitive answer. I looked in the folder, and this is all I see. I changed the view to see if there were any hidden items, and the same three files are shown.

jkoenig134 commented 4 years ago

The copy file has been deleted by Windows Defender. What happens if you right-click app-builder.exe and press "Check with Windows Defender"?

jrcharney commented 4 years ago

Scan reports nothing on app-builder.exe.

However, app-builder.exe.zip is a different story.

jkoenig134 commented 4 years ago

The ZIP includes the copy file.

jrcharney commented 4 years ago

Should it have it?

jkoenig134 commented 4 years ago

@develar Could you please provide a new version without the app-builder copy.exe and the app-builder.exe.zip files?

jrcharney commented 4 years ago

More viruses detected. Trojan:Win32/Wacatac.C!ml this time.

I refuse to develop an app that includes Malware in it!

Ditch the Zip! 😠

I am quarantining these files!

jkoenig134 commented 4 years ago

@jrcharney if you are using this as part of a Cordova Electron app, you could use the Electron nightly version and put the cordova-electron dependency into the dev-dependencies. That does two things for you:

That is our current workaround.

jrcharney commented 4 years ago

I am not familiar with Cordova Electron. I wasn't using a nightly build. I was using the stable version. This is pretty much the same version of the software I reported a few days ago, and I didn't get a response as to whether or not the Zip file should be part of app-builder.

jkoenig134 commented 4 years ago

@jrcharney Calm down. I just suggested a workaround that doesn't affect the integrity of your application. The "stable" version of Cordova seems not to be able to provide a working cordova-electron build.

jrcharney commented 4 years ago

"Calm down"? For what?

I believe I stated I have no knowledge about cordova, nor is it part of my electron app.

What I have done is I have scanned both the app-builder.exe and the app-builder.exe.zip.

app-builder.exe is clean, but app-builder.exe.zip is in quarantine, for obvious reasons.

This issue only affects the Windows 32-bit version of app-builder, which is part of the app-builder-bin package, like it or not. (I'm using Windows 10 on a 64-bit system, and the zip file does not exist in the win/x64 folder, only in the win/ia32 folder.)

Now, if there is a particular reason why an ominous zip file is in a package that doesn't appear to be in a visible repository, I would certainly like to know. Was there a pull request that was somehow integrated into the package without thorough inspection? That seems like a certain possibility, and I'm certain the NPM and GitHub folks should know about this unwanted software injection that contains a Trojan.

Is it so hard for @develar to remove that file from that specific directory, or not?

fedot commented 4 years ago

> @develar https://groups.google.com/forum/#!topic/golang-nuts/Au1FbtTZzbk says it's about the ldflags.

It is not related to the flags. While the flags may affect some of the false-positive detections, the case here is completely different; it looks like the binaries are something different from what can be built from the repo...

fedot commented 4 years ago

Re-built the binary on a different machine using Go 1.14.1: (1 engine warning) https://www.virustotal.com/gui/file/43b3beda011c638a9706d312dc212d11647d0d5d726b6793b14391c214147661/detection

Go 1.14.2: (1 engine warning) https://www.virustotal.com/gui/file/2fa24a0e1fb9035c2bc88fcb5645c269cb6eb044f1c014f4ce69f84ade08f226/detection
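The two comments above raise the supply-chain question behind this thread: the shipped win/ia32 directory contains files nobody expected (an "app-builder copy.exe" and a zip), and the published binary does not hash like a binary rebuilt from the repo. The script below is an added example, not code from the app-builder project or from any commenter: it walks a vendored binary directory, hashes every file with SHA-256, and reports files that are modified, missing, or not in the expected manifest at all. The directory layout, file contents and manifest digest are constructed for the demo; in practice the manifest would hold digests of binaries you rebuilt yourself from the tagged source.

```python
"""
Added example (not part of the app-builder project or of any comment above):
verify a vendored binary directory against an expected manifest of SHA-256
digests, flagging modified files, missing files and files that should not
be there at all. Paths, digests and file contents below are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 digest of a file, streaming so large binaries
    do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every regular file under `directory` with `manifest`
    (relative POSIX path -> expected hex SHA-256).

    Returns a report with four sorted lists:
      ok         - present and digest matches
      modified   - present but digest differs
      unexpected - present on disk but absent from the manifest
      missing    - in the manifest but absent on disk
    """
    found: Dict[str, str] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            found[rel] = sha256_file(full)

    report: Dict[str, List[str]] = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for rel, digest in sorted(found.items()):
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif digest != manifest[rel]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in sorted(manifest):
        if rel not in found:
            report["missing"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed win/ia32 layout in a temporary directory and verify it.
    The manifest lists only the one binary the package is expected to ship."""
    with tempfile.TemporaryDirectory() as tmp:
        ia32 = os.path.join(tmp, "win", "ia32")
        os.makedirs(ia32)

        # Constructed stand-in for the binary we rebuilt ourselves and trust.
        expected_bytes = b"constructed stand-in for app-builder.exe"
        with open(os.path.join(ia32, "app-builder.exe"), "wb") as f:
            f.write(expected_bytes)

        # Extra files mirroring the names reported in the thread (constructed contents).
        with open(os.path.join(ia32, "app-builder copy.exe"), "wb") as f:
            f.write(b"constructed unexpected extra binary")
        with open(os.path.join(ia32, "app-builder.exe.zip"), "wb") as f:
            f.write(b"constructed unexpected archive")

        manifest = {"win/ia32/app-builder.exe": hashlib.sha256(expected_bytes).hexdigest()}
        return verify_directory(tmp, manifest)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

Running the demo reports the stand-in app-builder.exe as ok and both extra files as unexpected; a publish step or a post-install hook that fails on any non-empty `modified`, `missing` or `unexpected` list would have caught the extra files here before they reached a developer's machine, independently of what any antivirus engine thinks of them.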

jkoenig134 commented 4 years ago

@develar when will you publish 3.5.9?

Edit: 3.5.9 is available and I can confirm that the problem is solved.

fedot commented 4 years ago

How is it solved? The newly published binary still has 4 engine warnings on VirusTotal, even if ldflags weren't used. If I build the binary the same way, I'm getting 1 detection, which is worrying...

jkoenig134 commented 4 years ago

@fedot Windows Defender is silent. That's enough for my needs.

fedot commented 4 years ago

👍 FYI, the recent Defender definitions update also clears the detection from the previous release.

Few notes:

develar commented 4 years ago

> How is it solved?

Each user now pays for it — size of 386 binary increased by 6MB. Compiler flag to remove unused symbols was unset for 386 due to MS Defender bug.

develar commented 4 years ago

@fedot Maybe you are right and I should build binary on Windows machine. Will check next time.