Bug #3267

closed

Webroot claims that there is malware (W32.Malware.Gen) in Sourceforge .NET download file

Added by Anonymous over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Category:
Build and release
Sprint/Milestone:
-
Start date:
2017-06-13
Due date:
% Done:

0%

Estimated time:
Legacy ID:
Applies to branch:
9.8
Fix Committed on Branch:
Fixed in Maintenance Release:
Platforms:

Description

https://sourceforge.net/projects/saxon/files/Saxon-HE/9.7/SaxonHE9-7-0-18N-setup.exe/download

That file, along with the newer version that I uninstalled to try the one that I linked, are infected with malware. The newer version of the HE version of Saxon was detected as soon as installation started, but the older version was detected once I attempted to run a Query.

Because of the infected files on sourceforge, I am unable to use the Saxon product that I need for a school assignment. Sourceforge is known more for its malware now than it is for what can be downloaded, so maybe switch over to another site. I will never be a customer as long as the stuff is only available from that site.


Files

Untitled.png (317 KB) Anonymous, 2017-06-13 16:09
Untitled2.png (454 KB) Anonymous, 2017-06-13 16:09
Untitled3.png (619 KB) Anonymous, 2017-06-13 16:09
Untitled4.png (620 KB) Anonymous, 2017-06-13 16:09
Untitled5.png (631 KB) Anonymous, 2017-06-13 16:09
Untitled-1497363134.png (317 KB) Anonymous, 2017-06-13 16:12
Untitled2-1497363134.png (454 KB) Anonymous, 2017-06-13 16:12
Untitled3-1497363134.png (619 KB) Anonymous, 2017-06-13 16:12
Untitled4-1497363134.png (620 KB) Anonymous, 2017-06-13 16:12
Untitled5-1497363134.png (631 KB) Anonymous, 2017-06-13 16:12
Actions #1

Updated by Michael Kay over 7 years ago

  • Project changed from SaxonC to Saxon
  • Subject changed from Malware to Malware in Sourceforge download file
  • Category set to Build and release
  • Assignee set to O'Neil Delpratt
Actions #2

Updated by Michael Kay over 7 years ago

We have checked the file and we do not believe there is anything wrong with it.

It is true that SourceForge acquired a bad reputation a couple of years ago for adding unwanted (but generally harmless) software to open source downloads. I understand that they have since ceased this practice unless the software owner positively opts into it in order to get revenue - which we have not done.

It is also true that the site is cluttered with advertisements for unrelated products that can easily mislead you into downloading the wrong thing, and this practice has damaged its reputation.

We have tested the .NET install script that you link to in your message and we believe it is clean and does not contain malware. If you believe otherwise, please be more precise about exactly what you did and what happened to make you think there was malware.

The behaviour you describe "The newer version of the HE version of Saxon was detected as soon as installation started, but the older version was detected once I attempted to run a Query." doesn't seem related to malware, but rather suggests some configuration problem in your installation. Again, please try to tell us more precisely what happened.

We are reluctant to move away from SourceForge because it's useful to maintain continuity; we cannot remove the many software releases that are currently on the site, and it would cause confusion if the newest releases were not available there. We also now distribute via Maven. For commercial versions of the software, of course, we use www.saxonica.com.

Actions #3

Updated by Greg Smith (dudealert86@outlook.com) over 7 years ago

I'll send a screen shot, it is a hidden file that webroot detects.


Actions #4

Updated by Greg Smith (dudealert86@outlook.com) over 7 years ago

Sorry that I am bad at describing things, I have Asperger's and have to focus hard while I explain. It was not the Query file that I tried either, it was the transform file. I am learning XML in one of my classes and needed to transform something for my assignment. It was in the bin folder, and both occurrences of the malware are in the transformation folder. My friend that does cyber security for some engineering company showed me how to hide files in a file by using the command prompt, I don't know how you would find it, but I am assuming that is how this is hidden in the transformation file. I doubt that it was rewritten from source to include it, and then reposted. I think it was hidden in it and then reposted.

Here are the images of what I see on my end.


Actions #5

Updated by Greg Smith (dudealert86@outlook.com) over 7 years ago

Sorry that I am bad at describing things, I have Asperger's and have to focus hard while I explain. It was not the Query file that I tried either, it was the transform file. I am learning XML in one of my classes and needed to transform something for my assignment. It was in the bin folder, and both occurrences of the malware are in the bin folder, in the transform file. My friend that does cyber security for some engineering company showed me how to hide files in a file by using the command prompt, I don't know how you would find it, but I am assuming that is how this is hidden in the transformation file. I doubt that it was rewritten from source to include it, and then reposted. I think it was hidden in it and then reposted.

Here are the images of what I see on my end.


Actions #6

Updated by Michael Kay over 7 years ago

Thanks for the screen shots. Webroot seems to have a lot of problems with false positives (i.e. detecting malware where none exists). We'll see if we can get them to look at it and either fix their detection or tell us what we need to do to avoid the false alarm.

Actions #7

Updated by Michael Kay over 7 years ago

  • Subject changed from Malware in Sourceforge download file to Webroot claims that there is malware (W32.Malware.Gen) in Sourceforge .NET download file
  • Status changed from New to In Progress
  • Priority changed from High to Normal
Actions #8

Updated by O'Neil Delpratt over 7 years ago

  • Status changed from In Progress to AwaitingInfo
  • Applies to branch 9.7 added

Response from webroot:

We have now reversed the determination and whitelisted the detected file. 

Not sure how long webroot will take to apply the whitelisting of the file, but please let us know when your problem has been resolved.

Actions #9

Updated by Greg Smith (dudealert86@outlook.com) over 7 years ago

Sourceforge did say that they would stop, but they said that before these were written. So I hope you're right about webroot being the problem. This is the first time that webroot has done this for software that I need. I'll let you know when it works.

http://seclists.org/nmap-dev/2015/q2/194

https://arstechnica.com/information-technology/2015/06/black-mirror-sourceforge-has-now-siezed-nmap-audit-tool-project/

https://blog.l0cal.com/2015/06/02/what-happened-to-sourceforge/

Actions #10

Updated by Michael Kay over 7 years ago

Thanks, we are well aware of widespread dissatisfaction with the commercialization of SourceForge, but that's nothing to do with the issue here. The report from Webroot here is a false positive on scanning our software for viruses, and would have happened whatever platform we used for distribution. Sourceforge are distributing the binary that we uploaded.

Actions #11

Updated by Greg Smith (dudealert86@outlook.com) over 7 years ago

I've got to admit, you're good lol I didn't expect webroot to respond so quickly to you. It works now, with no malware notification. Thank you.


Actions #12

Updated by Michael Kay over 7 years ago

  • Status changed from AwaitingInfo to Resolved
  • Applies to branch 9.8 added
  • Applies to branch deleted (9.7)
Actions #13

Updated by Michael Kay over 7 years ago

  • Status changed from Resolved to Closed
