ghostery / ghostery-extension

Ghostery Browser Extension for Firefox, Chrome, Opera, Edge and Safari
Mozilla Public License 2.0

Anti-Virus detects Malicious code #1667

Closed wixaw closed 2 days ago

wixaw commented 4 days ago

INFO FROM GHOSTERY:

This is a false positive. We are looking for a solution.


Hello, we have a security alert with our plugin today, what's happening?

 Security alert: Malicious code found in file. The file was quarantined.
From: xxx 2024-06-14 12:06:42 +02:00
Details: Malicious code found in file C:\Users\xxxx\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping14192_461896876\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\cosmetic-selector.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was quarantined.
File hash: c883d63e1f3cbc7879ec9b61ba553250347279c7
Accessor path: C:\Program Files\Google\Chrome\Application\chrome.exe
Accessor hash: c97cdf54791461f07088762995f8419e44422729
Access operation: Close
File size: 4.73 KB
Created: N/A
Modified: N/A
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was quarantined.
From: xxx 2024-06-14 12:06:42 +02:00
Details: Malicious code found in file C:\Users\xxx\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping14192_461896876\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\raw-cosmetic.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was quarantined.
File hash: 70ce94e63a06695e0365fc058dfce5872c3fa237
Accessor path: C:\Program Files\Google\Chrome\Application\chrome.exe
Accessor hash: c97cdf54791461f07088762995f8419e44422729
Access operation: Close
File size: 3.33 KB
Created: N/A
Modified: N/A
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was blocked.
From: xxxx, 2024-06-14 12:06:43 +02:00
Details: Malicious code found in file C:\Users\xxx\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping14192_1122083957\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\raw-cosmetic.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was blocked.
File hash: 70ce94e63a06695e0365fc058dfce5872c3fa237
Accessor path: C:\Program Files\Google\Chrome\Application\chrome.exe
Accessor hash: c97cdf54791461f07088762995f8419e44422729
Access operation: Close
File size: 3.33 KB
Created: N/A
Modified: N/A
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was blocked.
From: xxxx, 2024-06-14 12:06:43 +02:00
Details: Malicious code found in file C:\Users\xxxx\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping14192_1122083957\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\cosmetic-selector.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was blocked.
File hash: c883d63e1f3cbc7879ec9b61ba553250347279c7
Accessor path: C:\Program Files\Google\Chrome\Application\chrome.exe
Accessor hash: c97cdf54791461f07088762995f8419e44422729
Access operation: Close
File size: 4.73 KB
Created: N/A
Modified: N/A
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was quarantined.
From: xxxx, 2024-06-14 12:08:17 +02:00
Details: Malicious code found in file C:\Users\xxx\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij\10.3.7_0\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\cosmetic-selector.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was quarantined.
File hash: c883d63e1f3cbc7879ec9b61ba553250347279c7
Accessor path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
Accessor hash:
Access operation: Open for reading
File size: 4.73 KB
Created: 2024 Jun 14 12:08
Modified: 1980 Jan 1 01:00
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was quarantined.
From: xxxx 2024-06-14 12:08:17 +02:00
Details: Malicious code found in file C:\Users\xxxx\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij\10.3.7_0\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\raw-cosmetic.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was quarantined.
File hash: 70ce94e63a06695e0365fc058dfce5872c3fa237
Accessor path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
Accessor hash:
Access operation: Open for reading
File size: 3.33 KB
Created: 2024 Jun 14 12:08
Modified: 1980 Jan 1 01:00
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was blocked.
From: xxxx 2024-06-14 12:08:19 +02:00
Details: Malicious code found in file C:\Users\xxxx\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping2756_388181674\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\raw-cosmetic.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was blocked.
File hash: 70ce94e63a06695e0365fc058dfce5872c3fa237
Accessor path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
Accessor hash: 25d013e3b393d3f9f44c09616167e2a0dba39462
Access operation: Close
File size: 3.33 KB
Created: N/A
Modified: N/A
Downloaded from: N/A
Container path: N/A

Security alert: Malicious code found in file. The file was blocked.
From: xxxx, 2024-06-14 12:08:19 +02:00
Details: Malicious code found in file C:\Users\xxxx\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping2756_388181674\node_modules\@cliqz\adblocker\dist\esm\src\codebooks\cosmetic-selector.js.
Infection: Trojan-Downloader:JS/Locky.D
Action: The file was blocked.
File hash: c883d63e1f3cbc7879ec9b61ba553250347279c7
Accessor path: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
Accessor hash:
Access operation: Close
File size: 4.73 KB
Created: N/A
Modified: N/A
Downloaded from: N/A
Container path: N/A 

We have F-Secure.

wixaw commented 3 days ago

The problem must be in this file (https://github.com/ghostery/adblocker/blob/master/packages/adblocker/src/codebooks/cosmetic-selector.ts), and may be a false positive, but the antivirus blocks the extension for our users :/

philipp-classen commented 3 days ago

I'm looking into it. It also affects other people and has been reported here: https://www.reddit.com/r/Ghostery/comments/1df3h0y/ghostery_and_lockyd/

However, I cannot reproduce it myself. I tried a free F-Secure online scan in a Windows VM and also meta scanners like the one here: https://www.virustotal.com/gui/url/7b4e6c533297251e71f1b4a547423ffc15902117e5b87913b4609f556b1d72a5?nocache=1

For now, I reported the file to F-Secure since I think it is a false positive. We will also have a new Chrome update coming soon to push adblock list updates.

(Note: since we are on Manifest V3 now, block list updates need full releases, so we will have a much higher frequency of releases than in the past.)

wixaw commented 3 days ago

You uploaded 10.3.6 and not 10.3.7. VirusTotal detects a trojan with the last version: https://www.virustotal.com/gui/file/b316c82e462a6224d38ecc48043507a77d53f8cd30f559925adea00ac1b8752c

chrmod commented 3 days ago

When submitting a single file (coming from the exact same .zip) nothing is detected: https://www.virustotal.com/gui/file/f2b338a834e59cb70b6810b57df4925986597f4118a1b64397d1fe0e13eb9af3/detection

Inspecting the file also indicates no problem. This is clearly a false positive.

Do you know what we can do in this case? We see an increased number of users reporting anti-virus problems.

philipp-classen commented 3 days ago

@wixaw Thank you, you are right. There is also still VBA32 and Xcitium, which also triggered on an Edge update in the past.

Perhaps the compression codebook for filter lists in https://github.com/ghostery/adblocker/blob/master/packages/adblocker/src/codebooks/cosmetic-selector.ts triggers it, but malware might use similar techniques for obfuscation.

The upcoming release is 10.3.8, but it changes only block lists. So, I assume it should still trigger it.

philipp-classen commented 3 days ago

This is the scan for the upcoming release (10.3.8 for Chrome): https://www.virustotal.com/gui/url-analysis/u-0e14496bb8f31fdb4509fbfc7b40cbce0f1dc6e093f55336a9599992eea32ffc-1718371469

Currently, it still passes. Perhaps that solves the problem. It still looks like a false positive.

philipp-classen commented 3 days ago

> When submitting a single file (coming from the exact same .zip) nothing is detected: https://www.virustotal.com/gui/file/f2b338a834e59cb70b6810b57df4925986597f4118a1b64397d1fe0e13eb9af3/detection
>
> Inspecting the file also indicates no problem. This is clearly a false positive.
>
> Do you know what we can do in this case? We see an increased number of users reporting anti-virus problems.

The best that I can see is to report the files to the antivirus vendors, so they can inspect them and tweak their rules.

They have to use heuristics for detection, which will never be perfect. Here it looks like the dictionary that is used for compressing adblocker filter rules triggers it. Ghostery 10 has also only recently been released to Edge and Chrome, which have many more users than Opera. It could be that we have more issues at the moment because of the new code base (Manifest V3 rewrite) and because it is now widely distributed.
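To illustrate what the discussion above means by a "codebook" or "dictionary" for compressing filter rules, here is a simplified codebook encoder/decoder. It is an added example, not Ghostery's or @cliqz/adblocker's own code; the codebook entries and selectors are constructed sample data, and the token-array output format is an assumption made for readability.

```javascript
// Added example (not the project's code): a simplified codebook compressor of
// the kind used for adblocker cosmetic filter lists. The codebook is a table of
// frequent substrings; encoding replaces each occurrence with its index, so a
// shipped module is mostly a list of odd-looking string fragments plus a short
// decoder. That shape is what string-based antivirus heuristics can misread.
// CODEBOOK and the selectors in the tests are constructed sample data.
const CODEBOOK = [
  '[class^="ad-', // 0
  'div[data-',    // 1
  '#sidebar ',    // 2
  '.sponsored',   // 3
  '-banner',      // 4
  '"]',           // 5
];

// Encode a selector as an array of tokens: numbers are codebook references,
// strings are literal text that no codebook entry covers.
function encode(selector, codebook = CODEBOOK) {
  const out = [];
  let literal = '';
  let i = 0;
  while (i < selector.length) {
    // Greedy longest match against the codebook at position i.
    let best = -1;
    for (let k = 0; k < codebook.length; k++) {
      const entry = codebook[k];
      if (selector.startsWith(entry, i) &&
          (best < 0 || entry.length > codebook[best].length)) {
        best = k;
      }
    }
    if (best >= 0) {
      if (literal) { out.push(literal); literal = ''; }
      out.push(best);
      i += codebook[best].length;
    } else {
      literal += selector[i++];
    }
  }
  if (literal) out.push(literal);
  return out;
}

// Decode by expanding codebook references back into their substrings.
function decode(tokens, codebook = CODEBOOK) {
  return tokens.map((t) => (typeof t === 'number' ? codebook[t] : t)).join('');
}

// Round-trip check: compression must be lossless for every selector.
function roundTrip(selector) { return decode(encode(selector)) === selector; }
```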

philipp-classen commented 2 days ago

Closing it, based on the feedback that it is no longer triggering the antivirus heuristics.