
Malware found in the jenkins.exe #280

Closed
clarancedriver opened this issue Apr 24, 2018 · 5 comments
@clarancedriver

Issue Description

Please check the General Issues section in the wiki before you submit the issue.
If you didn't find your issue mentioned, please give a thorough description of the issue you're seeing.
Also, please be sure to include any troubleshooting steps that you've already attempted.

Host System

  • OS: windows
  • Packer Version: 1.2.2
  • Vagrant Version: 1.9.1
  • VirtualBox Version: 5.1.34

Command Output

Copy the relevant command output here.
If it's long, either post to a gist and add the link here, or isolate the error lines.
Trojan:Win32/Bitrep.B found when cloning repo. resources\jenkins\jenkins.exe


todb-r7 commented May 8, 2018

Say @wchen-r7 , did you trojan jenkins.exe 2 years ago?

@clarancedriver , this has got to be a false positive from Windows Defender. In any event, if you're worried about it, don't run jenkins.exe.


todb-r7 commented May 8, 2018

Hi @clarancedriver , talked to @wchen-r7 and team, and they do not admit to trojaning this binary. I happen to believe them. In any event, it looks like the plan now is to rebuild this binary and hopefully this false positive will get alleviated.

If you have any other information -- namely, proof beyond a Windows Defender hit -- that indicates this is, indeed, malware, then I would love to see it. A cursory googling though implies that WD tags all kinds of things as Win32/Bitrep.B, so whatever they're using for a heuristic doesn't seem 100% reliable.


wchen-r7 commented May 8, 2018

@clarancedriver Hi, sorry for the scare. It's a false positive. We used a 3rd party tool to create Jenkins.exe as a Windows service, and it looks like Windows Defender's cloud protection doesn't like the way it's packaged.

We actually can't remember the name of the 3rd party tool we used anymore, but after some quick reversing, we can tell it's a custom .NET application that has a PowerShell "ScriptRunner" component, with the ps1 file also embedded in there. The embedded ps1 file is Base64'd and zipped. When you extract that, you will see that it's actually executing this command:

java -jar "C:\Program Files\jenkins\jenkins.war" --httpPort=8484

So this EXE is harmless.

However, I submitted this false positive to Microsoft anyway, and hope they will correct that soon:

[screenshot attached: 2018-05-08 11:50 AM]

We will probably rebuild this EXE from scratch so that it doesn't appear to be malicious.
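The triage described in the comment above (find the embedded script, undo the base64 and zip layers, read what it actually runs) can be scripted so that the next "is this wrapper malicious?" question is answered from the payload rather than from an AV label. The following is an added example written for this thread, not code from the project this issue belongs to or from any of the commenters. Because the thread does not identify the packaging tool, the real binary's layout is unknown: the sample blob here is a constructed stand-in that only assumes a base64 string of a zip archive containing a `.ps1` file, the `ScriptRunner` marker is decorative, and the token list in `flag_suspicious` is an illustrative heuristic, not a vendor signature.

```python
import base64
import binascii
import io
import re
import zipfile

# Runs of base64 text long enough to be an embedded archive rather than a stray token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"

# Illustrative heuristic only (an assumption of this example, not a vendor signature):
# constructs that a launcher script for a local service has no reason to contain.
SUSPICIOUS_TOKENS = (
    "Invoke-Expression",
    "DownloadString",
    "FromBase64String",
    "-EncodedCommand",
    "Set-MpPreference",
)


def build_sample_wrapper() -> bytes:
    """Constructed stand-in for the wrapper EXE (not the real binary's layout)."""
    script = (
        "# constructed stand-in for the embedded launcher script\r\n"
        'java -jar "C:\\Program Files\\jenkins\\jenkins.war" --httpPort=8484\r\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("run.ps1", script)
    payload = base64.b64encode(buf.getvalue())
    # Fake PE header, padding, a marker string, then the base64'd zip.
    return b"MZ" + b"\x00" * 64 + b"ScriptRunner\x00" + payload + b"\x00" * 16


def find_embedded_scripts(blob: bytes) -> list[tuple[str, str]]:
    """Return (member name, script text) for every .ps1 inside a base64'd zip in blob."""
    found = []
    for match in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (bad length or padding); keep scanning
        if not decoded.startswith(ZIP_MAGIC):
            continue  # valid base64, but not a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(".ps1"):
                        text = zf.read(name).decode("utf-8", errors="replace")
                        found.append((name, text))
        except zipfile.BadZipFile:
            continue  # magic matched, but the archive is truncated or corrupt
    return found


def summarize_commands(script_text: str) -> list[str]:
    """Non-empty, non-comment lines: what the script would actually execute."""
    return [
        line.strip()
        for line in script_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def flag_suspicious(script_text: str) -> list[str]:
    """Tokens from the heuristic list that appear in the script (case-insensitive)."""
    lowered = script_text.lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok.lower() in lowered]


if __name__ == "__main__":
    for name, text in find_embedded_scripts(build_sample_wrapper()):
        print(f"embedded script: {name}")
        for cmd in summarize_commands(text):
            print(f"  runs: {cmd}")
        print(f"  suspicious tokens: {flag_suspicious(text) or 'none'}")
```

On a real file, replace `build_sample_wrapper()` with the bytes read from the suspect EXE; the scan is deliberately format-agnostic (it does not parse the PE or .NET metadata), so it also finds payloads stored as plain resources or string constants, and an empty result means the script is stored some other way (for example, encrypted or non-ASCII), not that the binary is clean.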


wchen-r7 commented May 11, 2018

@clarancedriver Microsoft got back to me about the false positive. It should be good for now.

[screenshot attached: 2018-05-10 9:17 PM]

@jmartin-tech

Closing since acknowledged by vendor as a false positive.
